Description
Multiple Linux kernel local privilege escalation vulnerabilities (Copy Fail, Dirty Frag, Fragnesia) have been found recently in a very short time window. This pace of AI-aided vulnerability discovery is only expected to increase. Most of the recent vulnerabilities are in obscure kernel modules that almost nobody uses, but that can be autoloaded.
Solution
Extend the list of default kernel modules to block. Right now this only includes a handful of obscure filesystems, as recommended by CIS, but this small blocklist is clearly no longer enough.
Also allow whitelisting specific modules.
Attached: my personal list of modules to block by default. Optimized for common virtualized servers. Workstations and GPU servers will need to adjust this list.
kernel-modules-baseline-blocklist.yml
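As an added illustration of what the requested feature would generate (example code, not part of this issue, the attached list, or the project's own role), the script below renders a modprobe.d blocklist from a baseline list minus a per-host allowlist, and flags baseline modules that are already loaded so the operator can decide before shipping the config. The baseline entries are the filesystem and network-protocol modules CIS already recommends blocking; the allowlist, the lsmod output and the file name are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the project's code): build a modprobe.d blocklist with an
# allowlist override, and warn about baseline modules that are currently loaded.
#
# "install <mod> /bin/false" makes modprobe refuse the module, which also covers
# kernel-triggered autoload (request_module runs modprobe in userspace).
# "blacklist <mod>" additionally stops alias-based loading (e.g. via udev).
# Neither line stops root from loading the module with insmod directly.

# Constructed baseline: the CIS filesystem and uncommon-protocol entries.
# The list attached to the issue would be longer; this is only a sample.
BASELINE='cramfs freevxfs jffs2 hfs hfsplus udf dccp sctp rds tipc'

# Constructed per-host allowlist: a host that legitimately needs sctp.
ALLOWLIST='sctp'

# Print modprobe.d lines for every baseline module not on the allowlist.
render_blocklist() {
  blocklist="$1"
  allowlist="$2"
  for mod in $blocklist; do
    allowed=0
    for ok in $allowlist; do
      [ "$mod" = "$ok" ] && allowed=1
    done
    [ "$allowed" -eq 1 ] && continue
    printf 'install %s /bin/false\nblacklist %s\n' "$mod" "$mod"
  done
}

# Given lsmod-style text (header line, then module name in column 1),
# print the baseline modules that are already loaded on this host.
loaded_from_list() {
  lsmod_text="$1"
  blocklist="$2"
  printf '%s\n' "$lsmod_text" | awk 'NR > 1 { print $1 }' | while read -r name; do
    for mod in $blocklist; do
      [ "$name" = "$mod" ] && printf '%s\n' "$name"
    done
  done
}

# Constructed lsmod output for the demonstration; on a real host use "$(lsmod)".
SAMPLE_LSMOD='Module                  Size  Used by
dccp                   98304  0
virtio_net             61440  0
ext4                  778240  1'

# Warn about baseline modules that are in use, then emit the config to stdout.
for busy in $(loaded_from_list "$SAMPLE_LSMOD" "$BASELINE"); do
  printf 'warning: %s is currently loaded; blocking only prevents future loads\n' "$busy" >&2
done
render_blocklist "$BASELINE" "$ALLOWLIST"
# Save the output as e.g. /etc/modprobe.d/baseline-blocklist.conf (constructed
# name) and verify with "modprobe -n -v dccp": the dry run should print the
# install line instead of loading the module.
```

The loaded-module check is the part that makes an extended blocklist safe to roll out: a module that is already resident stays resident until reboot, so the warning tells the operator which hosts need an allowlist entry (or a removal) rather than silently shipping a config that breaks on next boot.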
Alternatives
Block all modules that are not in active use. Modulejail uses this approach.
Additional information
No response