Security: Updates, SS7, Docker, Thunderbolt, Django

Filed under
Security
  • Security updates for Monday
  • SS7 Cellular Network Flaw Nobody Wants To Fix Now Being Exploited To Drain Bank Accounts

    Back in 2017, you might recall how hackers and security researchers highlighted long-standing vulnerabilities in Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US), a series of protocols first built in 1975 to help connect phone carriers around the world. While the problem isn't new, a 2016 60 Minutes report brought wider attention to the fact that the flaw can allow a hacker to track user location, dodge encryption, and even record private conversations. All while the intrusion looks like ordinary carrier-to-carrier chatter among a sea of other, "privileged peering relationships."

    Telecom lobbyists have routinely tried to downplay the flaw after carriers have failed to do enough to stop hackers from exploiting it. In Canada for example, the CBC recently noted how Bell and Rogers weren't even willing to talk about the flaw after the news outlet published an investigation showing how, using only the number of his mobile phone, it was possible to intercept the calls and movements of Quebec NDP MP Matthew Dubé.

    But while major telecom carriers try to downplay the scale of the problem, news reports keep indicating how the flaw is abused far more widely than previously believed. This Motherboard investigation by Joseph Cox, for example, showed how, while the attacks were originally only surmised to be within the reach of intelligence operators (perhaps part of the reason intelligence-tied telcos have been so slow to address the issue), hackers have increasingly been using the flaw to siphon money out of targets' bank accounts, thus far predominately in Europe...

  • Doomsday Docker Security Hole Uncovered

    Red Hat technical product manager for containers, Scott McCarty, warned: "The disclosure of a security flaw (CVE-2019-5736) in runc and docker illustrates a bad scenario for many IT administrators, managers, and CxOs. Containers represent a move back toward shared systems where applications from many different users all run on the same Linux host. Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it. While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies...and that's exactly what this vulnerability represents."

  • It starts with Linux: How Red Hat is helping to counter Linux container security flaws

    The disclosure of a security flaw (CVE-2019-5736) in runc and docker illustrates a bad scenario for many IT administrators, managers, and CxOs. Containers represent a move back toward shared systems where applications from many different users all run on the same Linux host. Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it. A cascading set of exploits affecting a wide range of interconnected production systems qualifies as a difficult scenario for any IT organization and that’s exactly what this vulnerability represents.

    For many Red Hat end users, it’s unlikely that this flaw gets that far. IT organizations using Red Hat Enterprise Linux to underpin their Linux container and cloud-native deployments are likely protected, thanks to SELinux. This vulnerability is mitigated by the use of SELinux in targeted enforcing mode, which prevents this vulnerability from being exploited. The default for SELinux on Red Hat Enterprise Linux 7 is targeted enforcing mode and it is rarely disabled in a containerized environment.

  • Kubernetes, Docker, ContainerD Impacted by RunC Container Runtime Bug

    The Linux community is dealing with another security flaw, with the latest bug impacting the runC container runtime that underpins Docker, cri-o, containerd, and Kubernetes.

    The bug, dubbed CVE-2019-5736, allows an infected container to overwrite the host runC binary and gain root-level code access on the host. This would basically allow the infected container to gain control of the overarching host container and allow an attacker to execute any command.

  • Thunderbolt preboot access control list support in bolt

    Recent BIOS versions enabled support for storing a limited list of UUIDs directly in the thunderbolt controller. This is called the pre-boot access control list (or preboot ACL), in bolt simply called "bootacl". The devices corresponding to the UUIDs in the bootacl will be authorized during pre-boot (and only then) by the firmware. One big caveat about this feature should become obvious now: no device verification can happen because only the UUIDs are stored but not the key, so if you are using SECURE mode but enable preboot ACL in the BIOS you effectively will get USER mode during boot.

    The kernel exposes the bootacl via a per-domain sysfs attribute boot_acl. Every time a device is enrolled, boltd will automatically add it to the bootacl as well. Conversely, if the device is forgotten and it is in the bootacl, boltd will automatically remove it from the bootacl. There is a small complication to these seemingly straightforward operations: in BIOS assist mode, the thunderbolt controller is powered down by the firmware if no device is connected to it. Therefore, when devices are forgotten boltd might not be able to directly write to the boot_acl sysfs attribute. In a dual boot scenario this is complicated by the fact that another operating system might also modify the bootacl and thus we might be out of sync. As the solution to this, boltd will write individual changes to a journal file if the thunderbolt controller is powered down and re-apply these changes (as good as possible) the next time the controller is powered up.
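    To make the journal-and-replay behaviour concrete, here is an added Python model (not bolt's own code) of the boot_acl slot list: it re-applies changes journaled while the controller was powered down, tolerates drift caused by another OS in a dual-boot setup, reports changes that no longer fit, and lists devices whose SECURE enrollment the preboot ACL silently downgrades to UUID-only authorization. The journal shape (a list of ("add"|"remove", uuid) pairs), the four-slot ACL and the device UUIDs are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple
# boot_acl is a comma-separated list of device UUIDs; an empty field is a free slot.
# The journal shape (list of ("add"|"remove", uuid)) is assumed for this example.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def parse_boot_acl(raw: str) -> List[Optional[str]]:
    """Split the boot_acl string into slots; None marks a free slot."""
    slots = []
    for field in raw.strip().split(","):
        field = field.strip().lower()
        if field and not UUID_RE.match(field):
            raise ValueError(f"malformed boot_acl entry: {field!r}")
        slots.append(field or None)
    return slots

def format_boot_acl(slots: List[Optional[str]]) -> str:
    return ",".join(s or "" for s in slots)   # the string written back to boot_acl

def apply_op(slots: List[Optional[str]], op: str, dev: str) -> bool:
    """Apply one journaled change; False only if it cannot be honoured."""
    if op == "add":
        if dev in slots:            # another OS (dual boot) already added it
            return True
        if None not in slots:       # bootacl is full: keep the entry in the journal
            return False
        slots[slots.index(None)] = dev
        return True
    if op == "remove":
        if dev in slots:            # already gone if another OS removed it
            slots[slots.index(dev)] = None
        return True
    raise ValueError(f"unknown journal op {op!r}")

def replay_journal(raw: str, journal: List[Tuple[str, str]]):
    """Re-apply journaled changes once the controller is powered up again."""
    slots = parse_boot_acl(raw)
    unapplied = [(op, d) for op, d in journal if not apply_op(slots, op, d)]
    return format_boot_acl(slots), unapplied

def preboot_unverified(raw: str, policies: Dict[str, str]) -> List[str]:
    """Devices enrolled as 'secure' that the firmware will nevertheless authorize
    at boot on UUID alone (no key challenge), i.e. effectively USER mode."""
    return [d for d in parse_boot_acl(raw) if d and policies.get(d) == "secure"]

# Constructed sample: four ACL slots, two in use, three changes journaled offline.
DEV_A = "00000000-0000-4000-8000-00000000000a"
DEV_B = "00000000-0000-4000-8000-00000000000b"
DEV_C = "00000000-0000-4000-8000-00000000000c"
SAMPLE_ACL = f"{DEV_A},,{DEV_B},"
SAMPLE_JOURNAL = [("remove", DEV_A), ("add", DEV_C), ("remove", DEV_B)]
```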

  • Django security releases issued: 2.1.6, 2.0.11 and 1.11.19

Django bugfix releases: 2.1.7, 2.0.12 and 1.11.20

IDG on Docker/CVE-2019-5736

Patch this run(DM)c Docker flaw or you be illin'...

And the obligatory daily FUD

Bogdan Popa at It Again...

