BPFDoor - websites to read


This is bad.

Hi,

thank you for posting these articles.

As stated, abusing BPF and particularly eBPF is not an entirely new threat, with CN-based Pangu Lab uncovering a backdoor dubbed ‘Bvp47’ earlier this year, which they assessed to be part of NSA’s arsenal and having been used in the wild since 2007 at the latest. We now know a CN-based threat actor to have had a similar backdoor deployed for at least five years.

IPFire’s sysctl and kernel settings regarding eBPF are hardened (see, for example, this commit); however, there are some security measures we currently cannot enable (LSM, for example). Also, the deployment of both backdoors requires an IPFire machine to be breached beforehand, and in this case, I guess it’s curtains either way.

Given that BPFDoor is described as a “surveillance implant”, I guess it is safe to say that high-risk users and organizations should pay attention to proactive hardening of their infrastructure even more.

Hope to have helped.

Thanks, and best regards,
Peter Müller


Hi,

the other day, I stumbled across this one, which may be an interesting read/tool for Linux security folks:

Thanks, and best regards,
Peter Müller


What script?
What advantages are there in the other modes?
On an x64 system, why would I need to flash firmware?
A button in the WUI to turn it off?

I am guessing it is the one in Figure 6 of the article

Probably this should have been at the top of my list.
If you check the link.

More reading.
What LSM is IPFire using? Or not?

So it is not enabled.
Not even “integrity” mode
The lesser of the 2-3 modes.
If off is a mode.

https://noise.getoto.net/2020/04/21/linux-kernel-lockdown-integrity-and-confidentiality/

If you enforce LSM you cannot flash the firmware/bios anymore.

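As an added example (not from this thread and not IPFire's own code), a small POSIX shell check of the knobs these posts discuss: the BPF sysctls and the active lockdown mode read from /sys/kernel/security/lockdown. The baseline it asserts (unprivileged BPF disabled, JIT hardening on, lockdown at least integrity) is an assumption for illustration, not IPFire's actual settings; the root-directory parameter exists only so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example, not IPFire's code. Reads the kernel knobs discussed in the
# thread. $root defaults to "/" (a live host); pass another root to test.

# Print the active lockdown mode from the bracketed entry in the content
# of /sys/kernel/security/lockdown, e.g. "none [integrity] confidentiality".
lockdown_mode() {
    case "$1" in
        *'[none]'*)            echo none ;;
        *'[integrity]'*)       echo integrity ;;
        *'[confidentiality]'*) echo confidentiality ;;
        *)                     echo unknown ;;   # file absent: no lockdown LSM
    esac
}

# Read a sysctl via the proc tree: $1 = root dir, $2 = dotted sysctl key.
# Prints "missing" when the kernel does not expose the key.
read_sysctl() {
    path="$1/proc/sys/$(printf '%s' "$2" | tr . /)"
    [ -r "$path" ] && cat "$path" || echo missing
}

# Returns 0 when the host matches the assumed hardened baseline:
#   kernel.unprivileged_bpf_disabled = 1 or 2 (2 = locked until reboot)
#   net.core.bpf_jit_harden          = 2 (constant blinding for all users)
#   lockdown mode                    = integrity or confidentiality
bpf_hardening_ok() {
    root="${1:-}"
    unpriv=$(read_sysctl "$root" kernel.unprivileged_bpf_disabled)
    jit=$(read_sysctl "$root" net.core.bpf_jit_harden)
    lock_file="$root/sys/kernel/security/lockdown"
    mode=$(lockdown_mode "$( [ -r "$lock_file" ] && cat "$lock_file" || true )")
    printf 'unprivileged_bpf_disabled=%s bpf_jit_harden=%s lockdown=%s\n' \
        "$unpriv" "$jit" "$mode"
    [ "$unpriv" = 1 ] || [ "$unpriv" = 2 ] || return 1
    [ "$jit" = 2 ] || return 1
    [ "$mode" = integrity ] || [ "$mode" = confidentiality ] || return 1
    return 0
}
```

On a live box, run `bpf_hardening_ok` with no argument; a non-zero exit plus the printed line tells you which of the three knobs falls short of the baseline.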

I don't need to flash the BIOS on my PC.
I know they do on those APUs a lot.
But after it is flashed, could it be enabled?
Wouldn't it make more sense to enable this feature?
People who need to flash firmware could disable it first.
Does having LSM off protect more people or the few?
An enable/disable button with a reboot would be great, if that is the biggest issue.
Or on core update.
Just a thought.