6

I work in a place that only supports Windows, and the folks in charge of IT are (1) very conservative, and (2) not at the bleeding edge of their profession.

I want the Windows Subsystem for Linux (WSL) to be enabled in order to facilitate data science work -- stuff that simply works better on Linux. I'm thinking specifically of forking for parallel processing, but also basic utilities like curl, tmux, htop, sed, awk, etc.

In trying to make the case to these people that WSL isn't a threat, I see conflicting things online. Google "WSL security" and you come across articles about bashware. Apparently a hacker who has gained access to a system can run WSL, install wine, and use it to install windows malware.

According to this FOSS article however, WSL is now integrated into defender. Does that mean that the malware problem is solved?

I'd appreciate arguments for or against enabling WSL in a conservative, risk averse windows IT shop. Is it actually risky? Why or why not?

Mike Ounsworth
generic_user
  • Great question! For my learning: I assume the bash in WSL runs as your low-privilege user? Meaning that the fundamental security difference between Powershell and WSL/bash is possible privilege escalations due to sloppy mappings from Linux system calls to Windows system calls? (I'm asking out of curiosity because I don't know the answer) – Mike Ounsworth Oct 31 '18 at 19:10
  • @MikeOunsworth I really don't know how to properly understand your question, much less the answer. I do know that you need admin rights to enable WSL, but a non-admin can access it once enabled. – generic_user Oct 31 '18 at 19:29
  • @MikeOunsworth WSL runs as a low-privilege user but with `sudo` access by default, so root privileges are `sudo su -` away. How much, or little, root privileges map to Windows Administrator privileges, is another question. – gowenfawr Oct 31 '18 at 19:32
  • 1
    Funny story: some helpdesk guys installed it on my computer before general approval was decided. I *can not* `sudo cd` into a directory to which I don't have access in the windows file explorer. – generic_user Oct 31 '18 at 19:39
  • @generic_user `sudo cd` should not work anyway, since `cd` is a shell builtin, not a utility. – forest Nov 01 '18 at 07:42
  • Right, I meant `sudo su` and then `cd` – generic_user Nov 01 '18 at 08:29

3 Answers

6

Depends how much they're trying to lock down Windows users, and how. If they limit which programs you can run, then WSL is a bypass for that; most tools that filter Windows programs will ignore Linux ones running on the same kernel. If they give you local admin, though, they may as well let you run WSL; you can't do anything in WSL that you can't do in Win32, with enough effort.

It's worth noting that WSL doesn't actually give any additional privileges. A WSL process launched as (Windows) Administrator has Admin privileges on the Windows filesystem (and any Windows processes it launches will inherit those Admin privileges), whether or not the WSL shell is running as root. Similarly, a non-admin WSL shell, even if elevated to root, has no more privileges on the Windows filesystem or kernel than the non-admin user that launched it. This actually caused bugs in early versions of WSL, where you got things like ping not working because its setuid root bit didn't actually give it the ability to do anything extra with network sockets (which are controlled by the NT kernel's permissions).

Every Windows user gets their own, isolated WSL installation (if they use it), with its own users; you can't even attack other users on the same physical box using WSL (unless you'd be able to do that from within Win32 anyhow). The main things that WSL does for security impact are to confuse or bypass some monitoring and/or software restriction tools, and open up some additional kernel attack surface (as far as I know, nobody has used WSL as an exploit vector into the kernel, but I'd be surprised if there isn't one in there somewhere... just like I'm sure there's still more vulns to be found in Win32k.sys).

CBHacking
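The first paragraph of this answer hinges on whether the IT team's application control actually covers the WSL launchers, and the last paragraph on whether WSL is even enabled. The following read-only PowerShell audit is an added example, not code from the answer or from Microsoft; it assumes a Windows 10/11 host with the AppLocker PowerShell module available (Pro/Enterprise editions) and an elevated session. The launcher paths, feature names and the BUILTIN\Users SID are standard Windows values.

```powershell
# Added example, not part of the answer: a read-only audit of how exposed a host is
# to the "WSL as an application-control bypass" point above.
# Assumes Windows 10/11, the AppLocker module (Pro/Enterprise) and an elevated session.

$launchers = @(
    "$env:SystemRoot\System32\wsl.exe",
    "$env:SystemRoot\System32\bash.exe"    # older launcher, still shipped on many builds
)
$standardUsers = 'S-1-5-32-545'             # well-known SID for BUILTIN\Users

# 1. Is WSL enabled at all? WSL 2 additionally needs the Virtual Machine Platform.
$features = 'Microsoft-Windows-Subsystem-Linux', 'VirtualMachinePlatform' | ForEach-Object {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $_
    [pscustomobject]@{ Feature = $_; State = $f.State }
}
$features | Format-Table -AutoSize

# 2. Would the effective AppLocker policy let a standard user start the launchers?
#    Test-AppLockerPolicy evaluates the policy for the given SID without running anything.
#    Blocking the launcher is the practical control: once a distro is running, AppLocker
#    never sees the Linux binaries inside it, which is the answer's point.
#    Caveat: an Exe rule collection that contains no rules is not enforced, so a
#    "DeniedByDefault" decision only bites once at least one Exe rule exists.
$policy = Get-AppLockerPolicy -Effective
foreach ($exe in ($launchers | Where-Object { Test-Path $_ })) {
    Test-AppLockerPolicy -PolicyObject $policy -Path $exe -User $standardUsers |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 3. Is anything WSL-related running right now, and as which Windows user?
#    wsl.exe / wslhost.exe serve WSL 1 and 2; vmmem / vmmemWSL is the WSL 2 utility VM
#    on recent builds. -IncludeUserName is why the session must be elevated.
Get-Process -Name wsl, wslhost, vmmem, vmmemWSL -IncludeUserName -ErrorAction SilentlyContinue |
    Select-Object Name, Id, UserName
```

Run it on the standard build image rather than on a developer's box: the interesting result for a risk-averse shop is the combination "feature enabled" plus "launcher Allowed for BUILTIN\Users", because that is exactly the configuration in which the Windows-side filtering the answer describes stops seeing what the user runs.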
2

First, welcome to Security StackExchange.

In trying to make the case to these people that WSL isn't a threat, I see conflicting things online. Google "WSL security" and you come across articles about bashware.

The fact that security experts and other IT professionals are in fact talking about WSL, and that it was developed in conjunction with (among others) Canonical (the guys that brought you Ubuntu), is in fact showing that there is a good and proper security climate around WSL. A better one than is around just Windows. (IMHO)

Apparently a hacker who has gained access to a system can run WSL, install wine, and use it to install windows malware.

This is true for any 'hacker' that gets access to your system. Also, you do not need wine to infect Windows once you're inside the WSL.

Linux has a proper permission system in place, one you can leverage inside your WSL (things like using sudo and limiting how you can sudo and who). Also, Linux services are constructed (mostly) on a least-amount-of-permissions basis; on average they're more secure than Windows services due to that basis.

You do need to learn more about how Linux and the WSL work and how they interact. The company would be wise to expand their knowledge and start (on a limited scale) to learn about what WSL is and how it works.

The main difference for you between a Linux system and a Windows system is how much you have worked in it. Working in WSL allows you to learn more about Linux and its security systems without sacrificing your Windows basis.

As always, knowing more about computers and computer systems makes you better in security; getting exposed to different paradigms makes you think about different possibilities.

TL;DR: I would recommend that any company (worth their salt) that operates in an environment where security matters (so everywhere) learn and get hands-on experience with Linux, and the WSL is the best way to get started with it as it has the lowest barrier of them all. This extends from them all the way up to end users.

LvB
2

"Running Sensitive Apps in WSL: (SAFE + SAFE) < SAFE" presents several significant security issues that are fundamentally a part of WSL:

  • WSL is a Windows utility that allows users to run Linux applications under Windows.
  • Any standard (non-admin) Windows process has full access rights to all the files that make up the WSL machine.
  • If a malicious program runs as this standard process, it can steal sensitive static data (e.g., SSH keys) by simply copying them from the WSL file system.
  • By modifying the programs in the WSL file system, our malicious program can also capture sensitive dynamic data (e.g., usernames, passwords, passphrases).
  • The WSL design allows the activation of Windows processes by programs running inside the Linux machine. Therefore, a standard (non-root) Linux program can completely take over the Linux machine.
  • WSL 2, designed as a “lightweight Utility VM”, has markedly diminished the attack surfaces of WSL, but is still vulnerable to the security weakness described here.
  • Bottom line: Running sensitive applications inside WSL is significantly less secure than running the equivalent applications in a standalone Windows or Linux Desktop system.

Also, as of October 2020, WSL 2 bypasses Windows Firewall, so you would have to make sure to have the same firewall rules in Linux itself as well as in Windows.

mic
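The second and third bullets above (any standard Windows process can read and modify the files that make up the distro) are something an IT team can verify for itself rather than take on faith. The script below is an added example, not code from this answer or from the paper it quotes; it runs as the ordinary (non-elevated) user, reads the per-user WSL registry (the `Lxss` key with its `BasePath`, `Version`, `DefaultUid` and `DistributionName` values, which WSL itself maintains), and reports where each distro's Linux filesystem lives and which Windows principals have write access to it. It assumes Windows 10/11 with at least one distro installed for the current user.

```powershell
# Added example, not part of the answer: per-user inventory of WSL distros and of the
# Windows ACL protecting their Linux filesystem. Runs without elevation, because the
# data is the current user's own, which is precisely the exposure the quoted paper describes.

$lxss = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss'

Get-ChildItem $lxss -ErrorAction Stop | ForEach-Object {
    $d = Get-ItemProperty $_.PSPath
    $base = $d.BasePath -replace '^\\\\\?\\', ''     # strip the \\?\ long-path prefix, if present

    # WSL 1 keeps a directory tree under rootfs\; WSL 2 keeps one ext4.vhdx disk image.
    $store = if ($d.Version -eq 2) { Join-Path $base 'ext4.vhdx' } else { Join-Path $base 'rootfs' }

    # Any principal allowed Write/Modify/FullControl here can copy SSH keys out of the
    # image or replace binaries inside it without ever touching the Linux side.
    $writers = (Get-Acl $base).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.FileSystemRights -match 'Write|Modify|FullControl' } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Distro      = $d.DistributionName
        WslVersion  = $d.Version
        DefaultUid  = $d.DefaultUid      # 0 means the distro's default shell is root
        Store       = $store
        StoreExists = Test-Path $store
        CanWrite    = ($writers -join ', ')
    }
} | Format-List

# Network side of the same answer: WSL 2 traffic leaves through a virtual switch rather
# than the host's normal stack, which is why the answer says Windows Firewall rules have
# to be mirrored inside Linux. Listing the adapter just confirms a WSL 2 VM has been up.
Get-NetAdapter -Name 'vEthernet (WSL*' -ErrorAction SilentlyContinue |
    Select-Object Name, Status, InterfaceDescription
```

Expect `CanWrite` to contain the user's own account (and typically `NT AUTHORITY\SYSTEM` and `BUILTIN\Administrators`): that is the point of the paper's second and third bullets, since every program the user runs, malicious or not, inherits exactly those rights. A `DefaultUid` of `0` is worth flagging separately, because it removes even the Linux-side `sudo` prompt that comment threads above lean on.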