| 1 |
On 2020/08/14 at 07:27am, Dale wrote: |
| 2 |
|
| 3 |
> Peter Humphrey wrote: |
| 4 |
> > I saw this today: |
| 5 |
> > |
| 6 |
> > https://linux.slashdot.org/story/20/08/13/174237/fbi-and-nsa-expose-new-linux-malware-drovorub-used-by-russian-state-hackers? |
| 7 |
> > utm_source=slashdot&utm_medium=twitter |
| 8 |
> > |
| 9 |
> > Has anyone any more info? |
| 10 |
|
| 11 |
> It seems to affect only older kernels, before 3.7. So if you are |
| 12 |
> above that, which I would think most Gentoo users would at least be in |
| 13 |
> the 4 range or higher, then you should be OK. I checked and the oldest |
| 14 |
> kernel version is 4.4 here. That's for gentoo-sources. Of course, |
| 15 |
> one could download the original kernel sources I guess. |
| 16 |
|
| 17 |
I think the 3.7 version is just because that was when kernel module |
| 18 |
signing was introduced? |
| 19 |
|
| 20 |
According to Ars: |
| 21 |
|
| 22 |
The advisory also urged that, at a minimum, servers run Linux kernel |
| 23 |
version 3.7 or later so that organizations can use improved |
| 24 |
code-signing protections, which use cryptographic certificates to |
| 25 |
ensure that an app, driver, or module comes from a known and trusted |
| 26 |
source and hasn’t been tampered with by anyone else. |
| 27 |
|
| 28 |
Additionally, system owners are advised to configure systems to load |
| 29 |
only modules with a valid digital signature making it more difficult |
| 30 |
for an actor to introduce a malicious kernel module into the system,” |
| 31 |
the advisory stated. |
| 32 |
|
| 33 |
https://arstechnica.com/information-technology/2020/08/nsa-and-fbi-warn-that-new-linux-malware-threatens-national-security/ |
| 34 |
|
| 35 |
So, it sounds like you are not immune if you have 3.7+, just that you do |
| 36 |
have some additional tools you could use to protect yourself. I use |
| 37 |
Gentoo just at home for personal use, and it never even occurred to me |
| 38 |
to use digital sigs for kernel modules. |
| 39 |
|
| 40 |
I found this: https://wiki.gentoo.org/wiki/Signed_kernel_module_support |
| 41 |
but haven't had time to try it yet. Does anyone have experience with |
| 42 |
digitally signing kernel modules on Gentoo? |
| 43 |
|
| 44 |
-- |
| 45 |
Chris Spackman (he/him) chris@××××××××××.com |
| 46 |
|
| 47 |
ESL Coordinator The Graham Family of Schools |
| 48 |
ESL Instructor Columbus State Community College |
| 49 |
Japan Exchange and Teaching Program Wajima, Ishikawa 1995-1998 |
| 50 |
Linux user since 1998 Linux User #137532 |
Archives