Building

Setting up Secure Boot on Gentoo Linux

The purpose of this blog post is to explain how Secure Boot works. In particular, we will explain where current implementations of Secure Boot by Linux distributors fall short compared to Microsoft Windows and Apple macOS.

Major distributors like Canonical, Debian, openSUSE, and Red Hat place a high priority on making their operating systems work out of the box. Given the current Linux landscape with out-of-tree drivers and incompatible licenses, providing the end user with all the drivers possibly needed to boot the system can be challenging.

In this post we will describe how to set up Secure Boot on Gentoo Linux. Gentoo Linux is sometimes described as a meta-distribution. It leaves many decisions up to its users—and with that, a fair amount of work. The upside is that users can decide exactly how to set up the boot chain without having to work “against” the distributor. For this reason, we chose Gentoo Linux to demonstrate the different ways to set up Secure Boot.

On a hardened system, Secure Boot should be deployed along with full disk encryption1.

Continue reading “Setting up Secure Boot on Gentoo Linux”

Continue reading
Building

Insecure Boot: Injecting initramfs from a debug shell

Many Linux hardening guides focus on well-known protections: full-disk encryption, Secure Boot, and password-protected bootloaders. While these measures are critical, they often overlook a subtle but serious attack vector: the ability to drop into a debug shell via the Initial RAM Filesystem (initramfs). This oversight can enable an attacker with brief physical access to bypass conventional boot protections and inject persistent malware into the system.

In this post, it is demonstrated how this attack works on modern Linux distributions, such as Ubuntu and Fedora, and explained why existing guidance often fails to mention it.

Continue reading “Insecure Boot: Injecting initramfs from a debug shell”

Continue reading
Breaking

Disclosure: Potential Limitations of Apple ADE in Corporate Usage Scenarios

Apple Automated Device Enrollment (ADE) is presented as a way to automate and simplify the enrollment process of Apple devices within Mobile Device Management (MDE) solutions. This blog post is aimed at organizations currently planning or even already using this feature and making you, the reader, aware of potential limitations of this process that might otherwise not be clearly addressed in your companies’ device management process.

Continue reading “Disclosure: Potential Limitations of Apple ADE in Corporate Usage Scenarios”

Continue reading
Breaking

Disclosure: Apple ADE – Network Based Provisioning Bypass

Mobile Device Management (MDM) solutions are used to centrally manage mobile devices in corporate environments. This includes the monitoring of the device, automatic installation/removal of apps or certificates and restrict the functionality. Even though MDM solutions exist for multiple vendors, we will look specifically on Apple devices enrolled via Intune. When an Apple device is registered for Automated Device Enrollment (ADE), it will automatically download and apply these policies during the initial setup and prior to the first boot.

During a customer project, we identified a network-based provisioning bypass which prevents the iPad to fetch and apply the provisioning profiles. Continue reading “Disclosure: Apple ADE – Network Based Provisioning Bypass”

Continue reading
Building

ERNW Hardening Repository

Today we started publishing several of our hardening documents to a dedicated GitHub repository — and we’re quite excited about it! It took a while to develop a suitable markdown template to support all the requirements you have when you write a hardening guide, but we’re online now!

At the moment, only a few hardening guides are online, but that should continuously increase in the future.

Click here for the GitHub ERNW Hardening Repository!

Cheers,

Matthias

Continue reading
Building

Internet Information Service 7.5 Hardening Guide

Internet Information Services (IIS) contains several components that perform important functions for the application and Web server roles in Windows Server. As it is designed to be used in an enterprise environment, the security of this system must be kept at a high level.

By default IIS implements a lot of basic security measures, but are these the relevant ones to protect your business? Continue reading “Internet Information Service 7.5 Hardening Guide”

Continue reading