Security: runc, Switzerland and More

Filed under
Security
  • Open Source Security Podcast: Episode 134 - What's up with the container runc security flaw?

    Josh and Kurt talk about the new runc container security flaw. How does the flaw work, what can you do about it, what should you do about it, and what the future of container security may look like.

  • Switzerland launches e-voting bug bounty

    The Swiss government is inviting hackers to test its electronic voting (e-voting) system for vulnerabilities, in a move aimed at improving the security and integrity of the country’s electoral process.

    The initiative was unveiled last week by Swiss Post, Switzerland’s national postal service and the organization tasked with deploying and managing the country’s e-voting platform.

    Ahead of the system’s planned nationwide rollout, a public intrusion test will take place between February 25 and March 24. A range of cash prizes are on offer for successful pen testers.

  • A Conversation about ZipSlip, NodeJS Security, and BBS Hacking

    Earlier this year, the popular Bower package manager was found vulnerable to archive extraction, allowing attackers to write arbitrary files on a user's disk. As Nodejs Security WG member and Snyk developer advocate Liran Tal wrote, the attack vectors used by this exploit have been known since the early days of BBS.

    As security researcher skyn3t reported on January 1st 2019, an attacker could craft a malicious zip archive to exploit improper validation of symlinks to write arbitrary files outside of the zip extraction directory. According to Tal, the culprit for enabling path traversal in Bower's case is a small Nodejs package, decompress-zip, but it is far from being an isolated case. In fact, this kind of vulnerability has been found in several ecosystems, including JavaScript, Ruby, .NET, Go, and Java, and seems to affect thousands of projects, making it deserve the ZipSlip moniker. What is even more striking is that the basic attack vector used by ZipSlip has been known, and potentially exploited many times, since the very early days of Bulletin Board Systems (BBS).
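    The check an extractor needs in order to avoid the ZipSlip class of bug, as an added example that is not from the article, from Bower or from decompress-zip: each entry's destination is resolved against the extraction directory before anything is written, entries that escape are refused, and symlink entries are refused outright because a later entry can be written through them. Python's standard zipfile module stands in here for the Node.js library named above, and the archive is constructed inside the example, not taken from the Bower report.

```python
"""Added example: auditing zip entries for ZipSlip-style escapes before extraction.

Assumptions: Python's zipfile stands in for the Node.js decompress-zip package
mentioned in the article; the archive built below is constructed for this
example, not taken from the Bower report.
"""
import io
import os
import stat
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Constructed sample: one benign file, one '../' traversal entry and one
    symlink entry whose target lies outside the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello\n")
        zf.writestr("../../evil.sh", "echo pwned\n")  # classic ZipSlip entry name
        link = zipfile.ZipInfo("docs/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # unix mode lives in the high 16 bits
        zf.writestr(link, "../../outside")  # a symlink entry's body is its target
    return buf.getvalue()


def _inside(base: str, candidate: str) -> bool:
    """True when candidate, after normalising '..' and resolving existing symlinks,
    still lies under base."""
    base = os.path.realpath(base)
    candidate = os.path.realpath(candidate)
    return os.path.commonpath([base, candidate]) == base


def audit_entries(data: bytes, dest: str) -> dict:
    """Classify every entry as 'ok' or a rejection reason without writing anything."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("/") or os.path.isabs(name):
                verdicts[name] = "absolute path"
            elif not _inside(dest, os.path.join(dest, name)):
                verdicts[name] = "path escapes destination"
            elif stat.S_ISLNK(info.external_attr >> 16):
                # Even an in-tree symlink is refused: a later entry named
                # "docs/link/x" would be written through it to wherever it points.
                verdicts[name] = "symlink entry"
            else:
                verdicts[name] = "ok"
    return verdicts


def safe_extract(data: bytes, dest: str) -> list:
    """Extract only the entries the audit approved; return the names written."""
    written = []
    verdicts = audit_entries(data, dest)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if verdicts[info.filename] != "ok":
                continue
            target = os.path.join(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            # Re-check the parent against the real on-disk tree: a symlink that
            # already existed under dest would be followed by realpath here.
            if not _inside(dest, os.path.dirname(target)):
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def demo() -> tuple:
    """Run the audit and the guarded extraction into a fresh temporary directory."""
    dest = tempfile.mkdtemp(prefix="zipslip-demo-")
    data = build_sample_archive()
    return audit_entries(data, dest), safe_extract(data, dest)


if __name__ == "__main__":
    verdicts, written = demo()
    for name, verdict in verdicts.items():
        print(f"{verdict:26s} {name}")
    print("extracted:", written)
```

    The two-stage shape matters: the audit decides from the archive's own metadata, and the extraction re-resolves each parent directory against the filesystem as it actually is, so a symlink that was already present under the destination cannot be used to redirect a write either.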

  • Vet third-party apps to reduce supply chain threats [Ed: At least NPM caught this; with proprietary software the back doors are there permanently, hidden, and you cannot remove them]

    Case in point: there was last fall's update to the event-stream Node Package Manager (NPM), which included cryptocurrency-stealing code, and which wasn't revealed until almost two months after the software was released. There have also been prior security issues identified in NPM packages.

    Jarrod Overson blogged about investigating the event-stream NPM package. The event-stream developer changed ownership of the project and the cryptocurrency-stealing code was added by the new developer in a subsequent update. The original developer hadn't used the module in years and agreed to give a new developer control of the package.

    Once the malicious code was added, the developer updated the version information so applications that used the module would install the updated version. The package was installed as a dependency of other modules and was reportedly downloaded two million times per week. NPM packages will follow best practices to determine if updates to dependencies are available and auto-install the updated modules, making these types of attacks difficult to combat.

More on RunC and other matters

  • RunC container vulnerability: What makes it so dangerous?

    First of all, what is runC? It is a command-line tool for spawning and running containers according to the OCI specification. It has the ability to run containers without root privileges using rootless.

    Researchers Adam Iwaniuk and Borys Popławski discovered the runC security vulnerability.

    An e-mail from Aleksa Sarai, Senior Software Engineer and developer at the open source software company SUSE, describes the runc container breakout.

  • 'This collaboration is absolutely critical going forward'... One positive thing about Meltdown CPU hole? At least it put aside tech rivalries...

    The group met at the Churchill Club in San Francisco to reflect on 2018's big security story – the Spectre-Meltdown CPU flaws – and ponder how it could be better handled going forward. Although chip designers were alerted to the vulnerabilities around June 2017, and operating system developers soon after, an action plan for disclosure was still being formulated the week before they hoped to go public on Tuesday, January 9, 2018. The Reg blew the lid off it on January 2, after hearing no response from vendors, forcing timetables to be torn up.

    Among the board of brains were Intel government and policy director Audrey Plonk, Semiconductor Industry Association CEO John Neuffer, UC Berkeley Law Prof Deidre Mulligan, and White House NSC bod turned Venable cybersec director Ari Schwartz.

    The talk centered on the CPU speculative execution holes that sent chip designers back to the drawing board, and kernel and toolchain programmers back to their IDEs, to solve and come up with mitigations. Now one year past the big reveal, the panel pondered how they could have done things differently.

    For Schwartz, the saga reaches back to 2014's Heartbleed, the data-leaking OpenSSL bug that was Meltdown before Meltdown. At the time, he was working in the White House, and had to actually play up the risk of the bug until it got the right attention.

    "When we looked at it we know this was very big," Schwartz recounted. "The chief of staff to the President walked into our office, and said: I want to know everything about this."

    The crisis of Heartbleed seemingly trained the tech giants on how to handle mass disclosure and patching of major security holes that affect the entire industry. Companies would learn how to cooperate with one another and set aside competitive differences for the greater good.

    Fast forward three years to late 2017, and researchers dotted around the world uncovered fundamental flaws in the way modern CPUs predicted which data or code would be needed next, flaws that could be exploited by malware to read memory that should be out of bounds – kernel memory or that of another application – and potentially steal passwords and other secrets.
