Security

Critical Linux Kernel Vulnerability Patched in Ubuntu 19.10 and 18.04.4 LTS

Discovered by Manfred Paul, the security vulnerability (CVE-2020-8835) was found in the Linux kernel’s BPF (Berkeley Packet Filter) verifier, which incorrectly calculated register bounds for certain operations.

This could allow a local attacker to either expose sensitive information (kernel memory) or gain administrative privileges and run programs as the root user.

The security issue affects all Ubuntu 19.10 (Eoan Ermine) and Ubuntu 18.04.4 LTS (Bionic Beaver) releases running Linux kernel 5.3 on 64-bit, Raspberry Pi, KVM, as well as cloud environments like AWS, Azure, GCP, GKE, and Oracle Cloud.

WireGuard 1.0.0 for Linux 5.6 Released

Hi folks,

Earlier this evening, Linus released [1] Linux 5.6, which contains our
first release of WireGuard. This is quite exciting. It means that
kernels from here on out will have WireGuard built-in by default. And
for those of you who were scared away prior by the "dOnT uSe tHiS
k0de!!1!" warnings everywhere, you now have something more stable to
work with.

The last several weeks of 5.6 development and stabilization have been
exciting, with our codebase undergoing a quick security audit [3], and
some real headway in terms of getting into distributions.

We'll also continue to maintain our wireguard-linux-compat [2]
backports repo for older kernels. On the backports front, WireGuard
was backported to Ubuntu 20.04 (via wireguard-linux-compat) [4] and
Debian Buster (via a real backport to 5.5.y) [5]. I'm also maintaining
real backports, not via the compat layer, to 5.4.y [6] and 5.5.y [7],
and we'll see where those wind up; 5.4.y is an LTS release.

Meanwhile, the usual up-to-date distributions like Arch, Gentoo, and
Fedora 32 will be getting WireGuard automatically by virtue of having
5.6, and I expect these to increase in number over time.

Enjoy!
Jason

Also: WireGuard 1.0.0 Christened As A Modern Secure VPN Alternative To OpenVPN/IPsec

Security and FUD

  • Surviving the Frequency of Open Source Vulnerabilities

    One hurdle in any roll-your-own Linux platform development project is getting the necessary tools to build system software, application software, and the Linux kernel for your target embedded device. Many developers use a set of tools based on the GNU Compiler Collection, which requires two other software packages: a C library used by the compiler; and a set of tools required to create executable programs and associated libraries for your target device. The end result is a toolchain.

    [...]

    In preference to working on features or product differentiation, developers often spend valuable time supporting, maintaining, and updating a cross-compilation environment, Linux kernel, and root file system. All of which requires a significant investment of personnel and a wide range of expertise.

  • Netgate® Extends Free pfSense® Support and Lowers pfSense Support Subscription Pricing to Aid in COVID-19 Relief

    Free zero-to-ping support, free VPN configuration and connection support, free direct assistance for first responder | front line healthcare agencies, and reduced pfSense TAC support subscription prices all introduced

  • How the hackers are using Open Source Libraries to their advantage [Ed: Conflating hackers with crackers]

    Ben Porter, Chief Product Officer at Instaclustr, writes about how the potential of Open Source Libraries must be balanced with the growing risk of library jacking by hackers.

  • Three Cases Where the Open Source Model Didn't Work [Ed: Lots of anti-GPL FUD and not taking any account of Microsoft crimes, monopoly abuse, bribes and blackmail]

    So, why didn’t the open source model work in these three cases?

    The main reason is that in all of these cases, data structure specs and the description of algorithms are not the most important piece of the picture.

    The root of the problem is in the variety of real-life situations where bugs and failures may occur and lead to data-loss situations, which is a total no-go in the real world.

    The open source community, successful though it has been in creating open source programs and platforms, is still no guarantee of industrial-grade software development(3). The core to success in developing a highly reliable solution is a carefully nurtured auto-test environment. This assures a careful track record and in-depth analysis for every failure, as well as effective work-flow, making sure any given bug or failure never repeats. It’s obvious that building such an environment can take years, if not decades, and the main thing here is not to know how something should work according to specs, but to know how and where exactly it fails. In other words, the main problem is not the resources needed to develop the code, the main problem is time needed to build up a reliable test-coverage that will provide a sufficient barrier for data-loss bugs.

    Another problem with open source is that it is usually accompanied by a GPL license. This limits the contribution to such projects almost solely to the open source community itself. One of the major requirements of the GPL license is to disclose changes to source code in case of further distribution, making it pointless for commercial players to participate.

Grsecurity maker finally coughs up $300k to foot open-source pioneer Bruce Perens' legal bill in row over GPL

After three years of legal wrangling, the defamation lawsuit brought by Brad Spengler and his company Open Source Security (OSS) against open-source pioneer Bruce Perens has finally concluded.

It was clear that the end was nigh last month when California's Ninth Circuit Court of Appeals affirmed a lower court ruling against the plaintiffs.

Spengler and OSS sued Perens for a June 2017 blog post in which Perens ventured the opinion that grsecurity, Open Source Security's Linux kernel security enhancements, could expose customers to potential liability under the terms of the General Public License (GPL).

OSS says that customers who exercise their rights to redistribute its software under the GPL will no longer receive software updates – the biz wants to be paid for its work, a problem not really addressed by the GPL. Perens, the creator of the open-source definition, pointed out that section six of the GPLv2 prohibits modifications of the license terms.

Security Leftovers

  • Russian [Attackers] Exploited Windows Flaws in Attacks on European Firms

    Analysis of the infrastructure used by the [attackers] led to the discovery of an executable named comahawk.exe that incorporated two local privilege escalation exploits targeting Windows.

    The vulnerabilities, tracked as CVE-2019-1405 and CVE-2019-1322, were patched by Microsoft in November 2019 and October 2019, respectively. Microsoft’s advisories for both these flaws say “exploitation [is] less likely”.

    In mid-November 2019, NCC Group, whose researchers reported the vulnerabilities to Microsoft, published a blog post describing the weaknesses. Shortly after, someone made public an exploit named COMahawk that weaponizes CVE-2019-1405 and CVE-2019-1322.

  • Global insurer Chubb hit by Maze ransomware: claim [iophk: Windows TCO]

    According to its own website, Chubb had more than US$177 billion (A$291 billion) in assets and reported US$40 billion of gross premiums in 2019. The company says it has offices in Zurich, New York, London, Paris and other locations, and has more than 30,000 employees.

    iTWire contacted Chubb's Australian office for comment. A spokesperson responded: "We are currently investigating a computer security incident that may involve unauthorised access to data held by a third-party service provider.

  • Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links

    A recently discovered watering hole attack has been targeting iOS users in Hong Kong. The campaign uses links posted on multiple forums that supposedly lead to various news stories. While these links lead users to the actual news sites, they also use a hidden iframe to load and execute malicious code. The malicious code contains exploits that target vulnerabilities present in iOS 12.1 and 12.2. Users that click on these links with at-risk devices will download a new iOS malware variant, which we have called lightSpy (detected as IOS_LightSpy.A).

Security: The Keyring Concept in Ubuntu, Phishing and Malicious JavaScript

Tails Call for testing: 4.5~rc1

Tails 4.5, scheduled for April 7, will be the first version of Tails to support Secure Boot.

You can help Tails by testing the release candidate for Tails 4.5 now.

Security: Free Software Patches, Microsoft and Apple Failures and FSCRYPT in Linux

  • Security updates for Friday

    Security updates have been issued by Debian (bluez and php5), Fedora (chromium, kernel, and PyYAML), Gentoo (adobe-flash, libvpx, php, qtcore, and unzip), openSUSE (chromium, kernel, and mcpp), Oracle (ipmitool and libvncserver), Red Hat (ipmitool and rh-postgresql10-postgresql), Slackware (kernel), and SUSE (ldns and tomcat6).

  • Unpatched bug in iOS 13.3.1 and later stops VPNs from encrypting all connections

    An ongoing security vulnerability in iPhones and iPads is keeping VPN applications from doing their job. For iOS versions 13.3.1 and later, this bug remains unpatched and has been rated with a 5.3 CVSS v3.1 base score. When a VPN connection is initiated on iOS, all existing internet connections by the operating system and other applications are supposed to be terminated and then restarted inside the VPN app’s encrypted tunnel as a proxy so no third parties are able to see your IP address. The VPN bypass bug in iOS 13.3.1 and later causes some internet connections to continue with their original, unencrypted connection – which is a security and privacy concern. This means that people on the same network could snoop on the unencrypted data stream and the endpoint of the unprotected connections are still able to see your device’s IP address.

  • Microsoft Issues Windows 10 Update Warning

    Picked up by the always-excellent Bleeping Computer and Windows Latest, Microsoft has announced that both its big March 2020 update and a new patch issued to fix buggy antivirus scans within Windows 10 have severe side-effects which users need to know about.

  • FSCRYPT Inline Encryption Revised For Better Encryption Performance On Modern SoCs

    It remains to be seen if it will make it for the upcoming Linux 5.7 kernel merge window, but the FSCRYPT inline encryption functionality has now made it up to its ninth revision for offering better file-system encryption performance on modern mobile SoCs.

    FSCRYPT inline encryption came out at the end of last summer and compared to the existing FSCRYPT file-system encryption/decryption where the work is left to the file-system and Linux's crypto API, this inline encryption/decryption shifts the work off to the block layer as part of the bio.

pfSense 2.4.5-RELEASE Now Available

We are pleased to announce the release of pfSense® software version 2.4.5, now available for new installations and upgrades!

pfSense software version 2.4.5 brings security patches, several new features, support for new Netgate hardware models, and stability fixes for issues present in previous pfSense 2.4.x branch releases.

pfSense 2.4.5-RELEASE updates and installation images are available now!

To see a complete detailed list of changes, see the Release Notes.

Security Leftovers

  • Security updates for Thursday

    Security updates have been issued by CentOS (firefox, icu, kernel-rt, libvncserver, python-imaging, python-pip, python-virtualenv, thunderbird, tomcat, tomcat6, and zsh), Debian (icu and okular), Fedora (libxslt and php), Gentoo (bluez, chromium, pure-ftpd, samba, tor, weechat, xen, and zsh), Oracle (libvncserver), Red Hat (ipmitool and zsh), and SUSE (python-cffi, python-cryptography and python-cffi, python-cryptography, python-xattr).

  • Senator sounds alarm on cyber threats to internet connectivity during coronavirus crisis [iophk: Windows TCO]

    He emphasized that “during this time, the security of consumer devices and networks will be of heightened importance. It is also imperative that consumer Internet infrastructure not be used as attack vectors to consumer systems and workplace networks accessed from home.”

  • Internet Voting in Puerto Rico

    Puerto Rico is considering allowing for Internet voting. I have joined a group of security experts in a letter opposing the bill.

  • Security 101: X-Forwarded-For vs. Forwarded vs PROXY

    Over time, there have been a number of approaches to indicating the original client and the route that a request took when forwarded across multiple proxy servers. For HTTP(S), the three most common approaches you’re likely to encounter are the X-Forwarded-For and Forwarded HTTP headers, and the PROXY protocol. They’re all a little bit different, but also the same in many ways.

  • ESET Launches Linux Antivirus Because Malware Isn’t Just for Windows [Ed: Microsoft proponents spreading those familiar talking points]

    Security company ESET has recently launched the Endpoint Antivirus for Linux, thus completing its suite of endpoint solutions already protecting Windows and macOS.
