Security: Updates, SS7, Docker, Thunderbolt, Django

Filed under
Security
  • Security updates for Monday
  • SS7 Cellular Network Flaw Nobody Wants To Fix Now Being Exploited To Drain Bank Accounts

    Back in 2017, you might recall how hackers and security researchers highlighted long-standing vulnerabilities in Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US), a series of protocols first built in 1975 to help connect phone carriers around the world. While the problem isn't new, a 2016 *60 Minutes* report brought wider attention to the fact that the flaw can allow a hacker to track user location, dodge encryption, and even record private conversations. All while the intrusion looks like ordinary carrier-to-carrier chatter among a sea of other "privileged peering relationships."

    Telecom lobbyists have routinely tried to downplay the flaw after carriers have failed to do enough to stop hackers from exploiting it. In Canada for example, the CBC recently noted how Bell and Rogers weren't even willing to talk about the flaw after the news outlet published an investigation showing how, using only the number of his mobile phone, it was possible to intercept the calls and movements of Quebec NDP MP Matthew Dubé.

    But while major telecom carriers try to downplay the scale of the problem, news reports keep indicating how the flaw is abused far more widely than previously believed. This Motherboard investigation by Joseph Cox, for example, showed how, while the attacks were originally only surmised to be within the reach of intelligence operators (perhaps part of the reason intelligence-tied telcos have been so slow to address the issue), hackers have increasingly been using the flaw to siphon money out of targets' bank accounts, thus far predominately in Europe...

  • Doomsday Docker Security Hole Uncovered

    Red Hat technical product manager for containers, Scott McCarty, warned: "The disclosure of a security flaw (CVE-2019-5736) in runc and docker illustrates a bad scenario for many IT administrators, managers, and CxOs. Containers represent a move back toward shared systems where applications from many different users all run on the same Linux host. Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it. While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies...and that's exactly what this vulnerability represents."

  • Doomsday Docker security hole uncovered
  • It starts with Linux: How Red Hat is helping to counter Linux container security flaws

    The disclosure of a security flaw (CVE-2019-5736) in runc and docker illustrates a bad scenario for many IT administrators, managers, and CxOs. Containers represent a move back toward shared systems where applications from many different users all run on the same Linux host. Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it. A cascading set of exploits affecting a wide range of interconnected production systems qualifies as a difficult scenario for any IT organization and that’s exactly what this vulnerability represents.

    For many Red Hat end users, it’s unlikely that this flaw gets that far. IT organizations using Red Hat Enterprise Linux to underpin their Linux container and cloud-native deployments are likely protected, thanks to SELinux. This vulnerability is mitigated by the use of SELinux in targeted enforcing mode, which prevents this vulnerability from being exploited. The default for SELinux on Red Hat Enterprise Linux 7 is targeted enforcing mode and it is rarely disabled in a containerized environment.

  • Kubernetes, Docker, ContainerD Impacted by RunC Container Runtime Bug

    The Linux community is dealing with another security flaw, with the latest bug impacting the runC container runtime that underpins Docker, cri-o, containerd, and Kubernetes.

    The bug, dubbed CVE-2019-5736, allows an infected container to overwrite the host runC binary and gain root-level code access on the host. This would basically allow the infected container to gain control of the overarching host container and allow an attacker to execute any command.

  • Thunderbolt preboot access control list support in bolt

    Recent BIOS versions enabled support for storing a limited list of UUIDs directly in the thunderbolt controller. This is called the pre-boot access control list (or preboot ACL), in bolt simply called "bootacl". The devices corresponding to the UUIDs in the bootacl will be authorized during pre-boot (and only then) by the firmware. One big caveat about this feature should become obvious now: no device verification can happen, because only the UUIDs are stored but not the key, so if you are using SECURE mode but enable preboot ACL in the BIOS you effectively get USER mode during boot.

    The kernel exposes the bootacl via a per-domain sysfs attribute boot_acl. Every time a device is enrolled, boltd will automatically add it to the bootacl as well. Conversely, if the device is forgotten and it is in the bootacl, boltd will automatically remove it from the bootacl. There is a small complication to these seemingly straightforward operations: in BIOS assist mode, the thunderbolt controller is powered down by the firmware if no device is connected to it. Therefore, when devices are forgotten, boltd might not be able to directly write to the boot_acl sysfs attribute. In a dual boot scenario this is complicated by the fact that another operating system might also modify the bootacl and thus we might be out of sync. As the solution to this, boltd will write individual changes to a journal file if the thunderbolt controller is powered down and re-apply these changes (as good as possible) the next time the controller is powered up.

  • Django security releases issued: 2.1.6, 2.0.11 and 1.11.19
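The bolt item above describes the enroll/forget bookkeeping for the preboot ACL and the journal used when the controller is powered down. The following Python model is an added illustration of that scheme and is not bolt's code: `FakeController` stands in for the per-domain `boot_acl` sysfs attribute, and its slot count, the eviction policy when the list is full, and the journal format are all assumptions. It also shows the dual-boot case the post mentions, where another OS has changed the list before the journal is replayed.

```python
"""Model of keeping a Thunderbolt preboot ACL (bootacl) in sync with a journal.

Added illustration, not bolt's code.  The controller, slot count, eviction
policy and journal layout are assumptions made for this example.
"""
import json
from dataclasses import dataclass, field


@dataclass
class FakeController:
    """Stand-in for the kernel's boot_acl sysfs attribute (constructed, not real sysfs)."""
    slots: int = 4                 # assumed: fixed number of UUID entries the firmware stores
    powered: bool = True           # BIOS assist mode powers the controller down when idle
    acl: list = field(default_factory=list)

    def read(self):
        if not self.powered:
            raise OSError("boot_acl not reachable: controller powered down")
        return list(self.acl)

    def write(self, acl):
        if not self.powered:
            raise OSError("boot_acl not reachable: controller powered down")
        if len(acl) > self.slots:
            raise ValueError("bootacl has only %d slots" % self.slots)
        self.acl = list(acl)


class BootAclSync:
    """Mirrors enroll/forget decisions into the bootacl, journaling when it cannot."""

    def __init__(self, ctrl):
        self.ctrl = ctrl
        self.journal = []          # pending (op, uuid) pairs; bolt uses a file instead

    def enroll(self, uuid):
        return self._apply("add", uuid)

    def forget(self, uuid):
        return self._apply("del", uuid)

    def _apply(self, op, uuid):
        try:
            acl = self.ctrl.read()
        except OSError:
            # Controller is down: record the change and apply it on next power-up.
            self.journal.append((op, uuid))
            return False
        self._edit(acl, op, uuid)
        self.ctrl.write(acl)
        return True

    def _edit(self, acl, op, uuid):
        """Apply one change 'as good as possible': tolerate entries already gone or present."""
        if op == "add" and uuid not in acl:
            if len(acl) >= self.ctrl.slots:
                acl.pop(0)         # assumed eviction policy: drop the oldest entry
            acl.append(uuid)
        elif op == "del" and uuid in acl:
            acl.remove(uuid)

    def journal_as_json(self):
        """What would be persisted to the journal file (format is an assumption)."""
        return json.dumps([{"op": op, "uuid": uuid} for op, uuid in self.journal])

    def on_power_up(self):
        """Replay journaled changes against whatever the firmware (or another OS) left behind."""
        acl = self.ctrl.read()
        for op, uuid in self.journal:
            self._edit(acl, op, uuid)
        self.ctrl.write(acl)
        self.journal.clear()
        return acl


def demo():
    """Dual-boot scenario with constructed UUIDs; returns the final bootacl."""
    ctrl = FakeController()
    sync = BootAclSync(ctrl)
    sync.enroll("uuid-A")
    sync.enroll("uuid-B")            # bootacl is now [A, B]
    ctrl.powered = False             # last device unplugged; firmware powers controller down
    sync.forget("uuid-A")            # cannot reach boot_acl: journaled
    sync.enroll("uuid-C")            # journaled as well
    ctrl.acl = ["uuid-A", "uuid-D"]  # another OS edited the list while we were offline
    ctrl.powered = True              # a device is plugged in again
    return sync.on_power_up()        # replay: del A, add C -> ["uuid-D", "uuid-C"]


if __name__ == "__main__":
    print(demo())
```

The replay is deliberately idempotent: a forget for a UUID that the other OS already removed is a no-op, and an enroll for one it already added does not create a duplicate, which is what "as good as possible" amounts to when the list may have changed underneath the daemon.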

Django bugfix releases: 2.1.7, 2.0.12 and 1.11.20

IDG on Docker/CVE-2019-5736

Patch this run(DM)c Docker flaw or you be illin'...

And the obligatory daily FUD

Bogdan Popa at It Again...


More in Tux Machines

Open Source platforms to now help students

The technical institutes in the State are now asked to use free and open-source software developed by a team headed by the Ministry of Human Resource Development (MHRD). The MHRD has also promoted their FOSSEE (Free and Open Source Software for Education) projects, which use tools that students can easily pick up. Recently, the MHRD decided that FOSSEE should be promoted amongst the student community so they can aim at reducing dependency on proprietary software in educational institutions. The MHRD Minister Ramesh Pokhriyal Nishank too took to Twitter urging students to use FLOSS tools in various languages to meet academic and research requirements.

today's howtos

  • A guided tour of Linux file system types

    While it may not be obvious to the casual user, Linux file systems have evolved significantly over the last decade or so to make them more resistant to corruption and performance problems. Most Linux systems today use a file system type called ext4. The “ext” part stands for “extended” and the 4 indicates that this is the 4th generation of this file system type. Features added over time include the ability to provide increasingly larger file systems (currently as large as 1,000,000 TiB) and much larger files (up to 16 TiB), more resistance to system crashes and less fragmentation (scattering single files as chunks in multiple locations) which improves performance.

  • Testing the Linux Malware Detect.
  • Kushal Das: Remember to mark drive as removable for tails vm install

    If you are installing Tails into a VM for testing or anything else, always remember to mark the drive as a removable USB drive. Otherwise, the installation step will finish properly, but you will get errors like the following screenshot while booting from the drive.

  • How to Set DNS Nameservers on Ubuntu 18.04

Security Leftovers

  • NSA Researchers Talk Development, Release of Ghidra SRE Tool

    The National Security Agency released its classified Ghidra software reverse-engineering (SRE) tool as open source to the cybersecurity community on April 4. NSA researchers Brian Knighton and Chris Delikat shared how Ghidra was built and the process of releasing it at Black Hat 2019. Ghidra is a framework developed by the NSA’s Research Directorate for the agency’s cybersecurity mission. It’s designed to analyze malicious code to give security pros a better understanding of potential vulnerabilities in their networks and systems.

  • Linux Is Being Hit with Zero-Day Exploits/ Zero-Day Attacks [Ed: This is not news. If you have a system that is unpatched for months, despite many warnings, it is a risk, no matter the OS/kernel.]

    It was once the popular opinion that Linux was immune to zero-day exploits. However, even before the Equifax exploit, vulnerabilities were found in Linux distributions like Fedora and Ubuntu. In particular, back in 2016, a security researcher discovered that you could exploit a Linux system by playing a specific music file. Then, in 2017, a group of attackers used the Struckshock vulnerability to carry out the attack on Equifax. These zero-day attacks are Advanced Persistent Attacks that exploit recently discovered vulnerabilities. Read on to learn more about what zero-day exploits are and how they can affect a Linux system.

  • Intel, Google, Microsoft, and Others Launch Confidential Computing Consortium for Data Security

    Major tech companies including Alibaba, Arm, Baidu, IBM, Intel, Google Cloud, Microsoft, and Red Hat today announced intent to form the Confidential Computing Consortium to improve security for data in use.

  • Intel, Google, Microsoft, and others launch Confidential Computing Consortium for data security

    Major tech companies including Alibaba, Arm, Baidu, IBM, Intel, Google Cloud, Microsoft, and Red Hat today announced intent to form the Confidential Computing Consortium to improve security for data in use. Established by the Linux Foundation, the organization plans to bring together hardware vendors, developers, open source experts, and others to promote the use of confidential computing, advance common open source standards, and better protect data. “Confidential computing focuses on securing data in use. Current approaches to securing data often address data at rest (storage) and in transit (network), but encrypting data in use is possibly the most challenging step to providing a fully encrypted lifecycle for sensitive data,” the Linux Foundation said today in a joint statement. “Confidential computing will enable encrypted data to be processed in memory without exposing it to the rest of the system and reduce exposure for sensitive data and provide greater control and transparency for users.”

Linux-driven modules to showcase new MediaTek AIoT SoCs

Innocomm is prepping an “SB30 SoM” with the new quad-core Cortex-A35 MediaTek i300, followed by an “SB50 SoM” with an AI-equipped, octa-core Cortex-A73 and Cortex-A53 MediaTek i500. Both modules ship with Linux/Android evaluation kits. Innocomm, which has produced NXP-based compute modules such as the i.MX8M Mini driven WB15 and i.MX8M powered WB10, will soon try on some MediaTek SoCs for size. First up is an SB30 SoM due to launch in October that will run Linux or Android on MediaTek’s 1.5GHz, quad-core, Cortex-A35 based MediaTek i300 (MT8362) SoC. In November, the company plans to introduce an SB50 SoM based on the MediaTek i500 (MT8385).