Comment by m3nu
15 hours ago
I wasn't able to unload algif_aead on RHEL 9/10 because it's built in, rather than a module.
So here is the next-best thing I found: disable AF_ALG via systemd. Needs drop-ins for all exposed services. Here is an Ansible playbook that covers sshd and user@, which are usually the main ones.
https://gist.github.com/m3nu/c19269ef4fd6fa53b03eb388f77464d...
How about blacklisting the algif_aead initialization function on RHEL 9/10? I added "initcall_blacklist=algif_aead_init" to the kernel boot options and rebooted. The exploit is not working anymore.
Good idea. Added to the playbook for RHEL only.
On Debian normal unloading of the module works.
FYI RHEL's SELinux policy blocks AF_ALG socket creation for confined services out of the box. But disabling via RestrictAddressFamilies= unit option, or initcall_blacklist= kernel parameter, seems to be a good mitigation for unconfined services, users and containers.
I was coming up with the same intuition. However, it's like whack-a-mole. What about cron jobs and Slurm jobs and other services? Is there a way to do this directly in systemd so that all other processes inherit it rather than doing it for each one?
https://www.freedesktop.org/software/systemd/man/latest/syst...
`/etc/systemd/system/service.d/${...}.conf`
I think this is what you're looking for.
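The two mitigations discussed in this thread, the type-wide `service.d` drop-in with `RestrictAddressFamilies=` and the `initcall_blacklist=algif_aead_init` kernel parameter, are easy to misapply silently (a drop-in in the wrong directory, a typo on the kernel command line). The following is an added example, not code from any commenter or from the linked gist: it renders the global drop-in, checks a kernel command line for the blacklist entry, and probes from inside a process whether an AF_ALG `aead` socket can still be bound. The drop-in file name `10-deny-af-alg.conf` and the use of `gcm(aes)` as the probe algorithm are my assumptions; the sample command lines are constructed.

```python
"""Verify AF_ALG mitigations: global systemd drop-in plus kernel initcall blacklist.

Added example; not from the thread. Assumes Linux with a Python build that
exposes socket.AF_ALG.
"""
import errno
import socket
from pathlib import Path

# Type-wide drop-in: /etc/systemd/system/service.d/*.conf applies to every
# .service unit, which answers the "inherit it everywhere" question above.
# File name is an assumption.
DROPIN_PATH = Path("/etc/systemd/system/service.d/10-deny-af-alg.conf")


def render_dropin() -> str:
    """Render a drop-in that removes only AF_ALG.

    The '~' prefix turns RestrictAddressFamilies= into a deny list, so services
    keep AF_UNIX/AF_INET/AF_INET6 and only lose AF_ALG.  An allow list without
    '~' would instead break every service that needs any other family.
    """
    return "[Service]\nRestrictAddressFamilies=~AF_ALG\n"


def cmdline_blacklists_algif_aead(cmdline: str) -> bool:
    """True if the kernel command line (e.g. contents of /proc/cmdline)
    blacklists the algif_aead initcall, as suggested for RHEL 9/10 where
    algif_aead is built in and cannot be unloaded."""
    for token in cmdline.split():
        if token.startswith("initcall_blacklist="):
            names = token.split("=", 1)[1].split(",")
            if "algif_aead_init" in names:
                return True
    return False


def af_alg_aead_bindable(alg_name: str = "gcm(aes)") -> bool:
    """Probe whether the current process can open and bind an AF_ALG aead socket.

    Returns False when the family is blocked (EAFNOSUPPORT from the seccomp
    filter that RestrictAddressFamilies= installs, or from a kernel without
    AF_ALG) or when the 'aead' socket type is not registered (ENOENT, the
    effect of initcall_blacklist=algif_aead_init).  Run it inside the
    service context you want to check, not from an interactive root shell.
    """
    af_alg = getattr(socket, "AF_ALG", None)
    if af_alg is None:
        return False  # non-Linux Python build: nothing to probe
    try:
        with socket.socket(af_alg, socket.SOCK_SEQPACKET) as sock:
            sock.bind(("aead", alg_name))
    except OSError as exc:
        if exc.errno in (errno.EAFNOSUPPORT, errno.ENOENT, errno.EPERM, errno.EACCES):
            return False
        raise
    return True


if __name__ == "__main__":
    print(render_dropin(), end="")
    try:
        cmdline = Path("/proc/cmdline").read_text()
    except OSError:
        cmdline = ""
    print("initcall blacklist present:", cmdline_blacklists_algif_aead(cmdline))
    print("AF_ALG aead bindable here:", af_alg_aead_bindable())
```

Write the rendered text to `DROPIN_PATH`, run `systemctl daemon-reload`, and restart the services; the probe then only tells the truth about a given service if it is executed within that service's sandbox (for example via `systemd-run` with the same property), since the seccomp filter is per-process and an unconfined root shell will still see AF_ALG. The initcall blacklist covers everything on the host, including cron and batch jobs, but only for the `aead` interface; `hash` and `skcipher` AF_ALG sockets remain available.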