=== chris14_ is now known as chris14
[05:01] <arraybolt3> Apparently there's a Secure Boot bypassing malware out that doesn't rely on the target system being unpatched. https://www.bleepingcomputer.com/news/security/blacklotus-bootkit-bypasses-uefi-secure-boot-on-patched-windows-11/
[05:02] <arraybolt3> The article above describes how the malware (BlackLotus) is able to infect Windows systems, however the mechanism they're using could just as easily be used against Ubuntu.
[05:02] <arraybolt3> Perhaps the vulnerable version of bootmgfw.efi used by BlackLotus could be blacklisted via SBAT?
[05:02] <arraybolt3> That would immunize Ubuntu systems against it.
[05:38] <amurray> arraybolt3: bootmgfw.efi is part of the windows bootloader - so I am not sure it is relevant / able to undermine an Ubuntu system (or any other Linux system)
[05:42] <arraybolt3> amurray: The problem is that the version of bootmgfw being used isn't part of Windows anymore. It's being used in BlackLotus separately and is shipped as part of the malware itself.
[05:42] <arraybolt3> Rather than thinking of it as a Windows component, think of it as a binary blob that system firmware happens to trust that can also be exploited.
[05:43] <arraybolt3> They've basically stolen an insecure part of Windows and are using it as a tool separately from Windows. That tool doesn't require Windows to run, and the job it does would undermine Ubuntu equally well.
[05:47] <arraybolt3> (More detailed explanation - say the Linux version of the BlackLotus installer runs on an Ubuntu system as root. It then copies a vulnerable bootmgfw.efi to /boot/efi, along with the payload, then reboots the system. The system boots the bootmgfw.efi file that BlackLotus loaded on, because it trusts bootmgfw.efi. The vulnerable bootmgfw then boots the BlackLotus MOK loader, which does its thing and reboots the system. Then shimx64.
[05:47] <arraybolt3> efi is loaded, it boots BlackLotus's grubx64.efi because the MOK makes it trusted, and then things go downhill from there.)
[05:53] <arraybolt3> The key part of all this is that the bootmgfw.efi file is introduced *by BlackLotus* - it doesn't even have to exist on the target system at install time.
[06:02] <amurray> arraybolt3: right, the real issue though is that microsoft have not revoked this vulnerable bootmgfw.efi - they could do this via a DBX update - but they have not chosen to do so, and so this vulnerable binary is still trusted
[06:03] <arraybolt3> True. I guess they'll hopefully do that pretty quickly now that this is a thing.
[06:04] <amurray> also wouldn't bootmgfw.efi need to have a global generation number encoded into it for it be able to be listed in sbat?
[06:04] <arraybolt3> Ugh. Yeah, probably. I didn't think about that.
[06:05] <arraybolt3> Right, because the binary itself has to have a .sbat section for that to work.
[06:05] <arraybolt3> Well so much for that idea :P
[17:06] <bancroft> thank you sarnold