Full Disclosure mailing list archives
Re: OpenBSD kernel relinking is not transactional and a local exploit exists
From: jvoisin via Fulldisclosure <fulldisclosure () seclists org>
Date: Tue, 20 Jun 2023 20:32:29 +0200
On 6/17/23 11:40, Schech, C. W. ("Connor") wrote:
> The automatic and mandatory-by-default reordering of OpenBSD kernels is NOT transactional and as a result, a local unpatched exploit exists which allows tampering or replacement of the kernel. Arbitrary build artifacts are cyclically relinked with no data integrity or provenance being maintained or verified for the objects being consumed with respect to the running kernel before and during the execution of the mandatory kernel_reorder process in the supplied /etc/rc and /usr/libexec scripts. The reordering occurs at the end of the installation process and also automatically every reboot cycle thereafter unless manually bypassed by a knowledgeable party.
I'm unsure I understand the threat model here: an attacker with root privileges is able to modify the kernel data about to be relinked?

You're also mentioning SLSA, but as you also said, OpenBSD doesn't have reproducible builds and all the cool build hardening things(tm). So having a cryptographic path to the resulting relinked kernel won't really improve anything, given the current state of affairs.
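As an added illustration of the two properties the report says the relink step lacks (an integrity check on the consumed objects, and an all-or-nothing replacement of the kernel image), here is a small sh wrapper that verifies the object set against a digest manifest and swaps the image in only by atomic rename. It is not OpenBSD's reorder_kernel; the manifest layout, the use of sha256sum, and cat standing in for the linker are assumptions made so it runs anywhere.

```shell
#!/bin/sh
# Added illustration, not OpenBSD's reorder_kernel: a relink wrapper that
# refuses object files whose SHA-256 does not match a manifest, and swaps the
# kernel image in only by atomic rename, so a failed or interrupted relink
# leaves the previous image untouched. Assumptions: sha256sum (GNU/busybox)
# is present, the manifest is "sha256sum -c" format, cat stands in for ld.

# Check every file listed in $objdir/SHA256 against its recorded digest.
verify_manifest() {
    objdir=$1
    [ -f "$objdir/SHA256" ] || return 1
    (cd "$objdir" && sha256sum -c SHA256 >/dev/null 2>&1)
}

# Relink $objdir into $target. Returns 1 if the manifest check or the link
# fails; in either case $target is never partially written.
transactional_relink() {
    objdir=$1; target=$2
    verify_manifest "$objdir" || return 1
    tmp=$(mktemp "$(dirname "$target")/.relink.XXXXXX") || return 1
    if ! cat "$objdir"/*.o > "$tmp" 2>/dev/null; then   # stand-in for ld -o
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$target"   # rename(2): old image or new image, never a mix
}

# Constructed demo: a fake object set plus manifest and a fake old kernel.
demo_setup() {
    work=$(mktemp -d)
    mkdir "$work/objs"
    printf 'obj-a\n' > "$work/objs/a.o"
    printf 'obj-b\n' > "$work/objs/b.o"
    (cd "$work/objs" && sha256sum a.o b.o > SHA256)
    printf 'old-kernel\n' > "$work/bsd"
    echo "$work"
}
# Relink once, then tamper with an object: the second relink must be refused
# and the previously installed image must survive.
demo() {
    work=$(demo_setup)
    transactional_relink "$work/objs" "$work/bsd" || return 1
    grep -q obj-a "$work/bsd" || return 1
    printf 'tampered\n' >> "$work/objs/b.o"
    if transactional_relink "$work/objs" "$work/bsd"; then return 1; fi
    if grep -q tampered "$work/bsd"; then return 1; fi
    rm -rf "$work"
}
demo && echo "relink demo: manifest check and atomic swap behaved as expected"
```

A manifest that local root can rewrite proves nothing, which is the point the reply makes; the check only adds value when the digests come from somewhere the same root cannot alter.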