Message-ID: <a3f8aa5e-d70f-e691-533c-d5f2929eb330@dustri.org>
Date: Tue, 20 Jun 2023 20:32:29 +0200
From: jvoisin via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: Re: [FD] OpenBSD kernel relinking is not transactional and a local exploit exists
On 6/17/23 11:40, Schech, C. W. ("Connor") wrote:
> The automatic and mandatory-by-default reordering of OpenBSD kernels
> is NOT transactional and as a result, a local unpatched exploit exists
> which allows tampering or replacement of the kernel. Arbitrary build
> artifacts are cyclically relinked with no data integrity or provenance
> being maintained or verified for the objects being consumed with
> respect to the running kernel before and during the execution of the
> mandatory kernel_reorder process in the supplied /etc/rc and
> /usr/libexec scripts. The reordering occurs at the end of installation
> process and also automatically every reboot cycle thereafter unless
> manually bypassed by a knowledgeable party.
I'm unsure I understand the threat model here: an attacker with root
privileges is able to modify the kernel data about to be relinked?
You're also mentioning SLSA, but as you also said, OpenBSD doesn't have
reproducible builds and all the cool build hardening things(tm). So
having a cryptographic path to the resulting relinked kernel won't
really improve anything, given the current state of affairs.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
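As an added example that is not code from either poster or from OpenBSD, the following POSIX shell script shows the kind of integrity gate the original report says the relink step lacks: it records SHA-256 digests of the objects a relink would consume and refuses to proceed if any object has been changed, added or removed. The function names, the scratch object files and the manifest location are constructed for the demonstration, and the check is only meaningful under the stated assumption that the manifest lives somewhere the party able to tamper with the objects cannot also rewrite.

```shell
#!/bin/sh
# Constructed example: gate a relink step on a SHA-256 manifest of the objects
# it will consume. Assumes the manifest was recorded right after install and
# lives where the relink process (and a lower-privileged tamperer) cannot
# write it. Uses sha256sum (GNU coreutils) or sha256 (BSD), whichever exists.

sha256_of() {                      # print the hex digest of file "$1"
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# record_manifest DIR FILE: one "digest path" line per regular file under DIR,
# in a stable order so two manifests of the same tree compare byte-for-byte.
record_manifest() {
    : > "$2"
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$f" >> "$2"
    done
}

# verify_relink_objects DIR FILE: succeed only if every recorded object is
# unchanged and nothing has been added to or removed from DIR. A changed,
# added or deleted object shows up as a manifest difference, which is
# printed on stderr so the operator can see exactly what moved.
verify_relink_objects() {
    current=$(mktemp) || return 1
    record_manifest "$1" "$current"
    if cmp -s "$2" "$current"; then
        rm -f "$current"; return 0
    fi
    diff "$2" "$current" >&2 || true
    rm -f "$current"; return 1
}

# Demo on a constructed scratch "relink kit": clean check, then a tampered one.
demo() {
    kit=$(mktemp -d) && m=$(mktemp) || return 1
    printf 'object A\n' > "$kit/a.o"
    printf 'object B\n' > "$kit/b.o"
    record_manifest "$kit" "$m"
    verify_relink_objects "$kit" "$m" && echo "objects intact: safe to relink"
    printf 'tampered\n' > "$kit/b.o"
    verify_relink_objects "$kit" "$m" 2>/dev/null || echo "mismatch: refusing to relink"
    rm -rf "$kit" "$m"
}
```

Calling `demo` runs the clean and tampered cases back to back; in a real rc hook the relink command would sit behind `verify_relink_objects` so that a failed check stops it from running at all.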