In short A Linux local privilege escalation flaw called Dirty Pipe has been discovered and disclosed with proof-of-concept exploit code.
The flaw, CVE-2022-0847, was introduced in kernel version 5.8 and patched in versions 5.16.11, 5.15.25, and 5.10.102.
It can be exploited by a normal logged in user or a running malicious program to gain root-level privileges; it can also be used by malicious apps to take control of vulnerable Android devices. Max Kellermann said he discovered the programming error and reported it to the kernel security team in February, which released fixes within days. Now these should filter to the affected Linux distributions.
The bug can be misused to append or overwrite data in sensitive read-only files, such as removing the root password from
/etc/passwd allowing anyone on the system to gain root access. The bug is quite fascinating: an error during a refactoring of the kernel’s pipe-handling code allows a user program to overwrite the contents of the page cache, which eventually finds its way into the filesystem.
If you are using Linux, check for security updates and install them.
- What exactly caused around 40,000 SATCOM terminals in Europe to go down when Russia invaded Ukraine? Here are some educated speculations.
- Google’s threat analysis group has documented phishing campaigns it allegedly saw recently launched by Kremlin-linked FancyBear against Ukrainian news outlet UkrNet, and by Belarusian team Ghostwriter against Polish and Polish governments and military organizations. Ukrainians. Additionally, Mustang Panda, a China-based gang, used the Ukraine invasion as a decoy for European brands, we are told.
- Akamai said in late February it detected TCP reflection denial-of-service attacks that peaked at 11 Gbps and 1.5 million packets per second against its customers.
- Resecurity reportedly claimed that miscreants in February gained access to computers belonging to past and current employees of Chevron, Cheniere Energy, Kinder Morgan and other natural gas suppliers and exporters.
- Google is reportedly in talks to buy IT security giant Mandiant.
Adafruit confirms a security blunder
Adafruit admitted this month that some of its customer information has been exposed to the public web.
In a blog post on Friday, the DIY electronics industry said the records relate to “certain user accounts in or before 2019,” which were used for staff training and were inadvertently made public in a GitHub repository by a former employee. The repo was quickly removed, according to Adafruit.
“The repository contained names, email addresses, shipping/billing addresses and/or whether orders were successfully placed through the credit card processor and/or PayPal, as well as details of certain orders,” said Phillip Torrone and Limor Fried of Adafruit. “There were no user passwords or financial information such as credit cards in the data analysis set.”
The duo said at the time that they were not going to email customers to let them know about the error after consulting with “privacy lawyers and legal experts”. It had irritated the people. Adafruit now says it will send an email alert to customers, citing “community feedback.”
Then came claims that Adafruit was blocking people on Twitter for mentioning the privacy error. One person said they were blocked only for posting “^This”, referencing an earlier comment that Adafruit should contact Troy Hunt to augment the Have I Been Pwned database with email addresses. mail exposed. After seeing the complaints, Hunt himself got involved.
I see a theme here – does anyone have the @adafruit violate the data they would like to send me? Looks like they want to do all Streisand on this. https://t.co/XuNBpfuNRU
— Troy Hunt (@troyhunt) March 7, 2022
Adafruit said it has not retaliated against netizens since the leak was disclosed on March 4; if you have been blocked by the biz, you have been blocked before the notice is claimed.
“There have been no blocks added in the last three days since the disclosure, and none due to a post/tweet data leak,” a spokesperson told Us Monday.
“We wouldn’t do that, we haven’t. We decided to remove all previous blocks today because we saw someone mention it after emailing us. Some people didn’t probably didn’t notice they were previously blocked until we were in the news for the past few days.”
CISA offers olive branch in fight against cybersecurity reports
An inter-agency fight over cybersecurity incident reports may have been defused.
Last week, the US Senate passed the Strengthening American Cybersecurity Act of 2022, which requires critical infrastructure to report details of cyberattacks within 72 hours. Basically, this data was only going to be forwarded to Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
This ruffled plumage to the FBI and the US Department of Justice, both of which have publicly declared their displeasure at being cut. With the bill pending in the House of Representatives, CISA boss Jen Easterly Free an olive branch on Friday.
“We have a tremendous operational partnership with our FBI teammates and will continue to do so,” she wrote on Twitter, “always ensuring that cyber incident reports received by CISA are immediately shared with them.” .
Keep Chrome up to date
In an alert this month, CISA urged Chrome users to update to version 99.0.4844.51 for Windows, Mac and Linux as soon as possible, citing a series of security bugs that need to be fixed.
According to Google, there are 28 such holes, none of which are critical. The chocolate factory paid more than $100,000 to independent researchers for reporting the programming errors, with bug hunter Samet Bekmezci raking in $15,000 for a single find.
CISA also added 95 additional bugs to its catalog of known exploited vulnerabilities, bringing the total to 478 actively attacked holes in the wild. Make sure you have applied patches for these security vulnerabilities.
Open source VoIP library needs fixing
JFrog has detailed five vulnerabilities in the open-source VoIP protocol library PJSIP that can be exploited to achieve remote code execution or denial of service.
WhatsApp, BlueJeans, and Asterisk use the library, for example, though that doesn’t mean they’re vulnerable. As JFrog said, “an application must use the PJSIP library in a specific way to be vulnerable”, i.e. passing external input to specific API arguments. So if a program passes attacker-provided data directly to the library API, it could be exploitable.
“In order to fully fix these vulnerabilities, we recommend upgrading PJSIP to version 2.12,” says JFrog. Which means that if you are a developer, you should migrate to this version for your project and release an update for your users, if your software is vulnerable.
Homomorphic encryption under the microscope
Homomorphic encryption – which allows operations to be performed on encrypted data without having to decrypt and re-encrypt it – has been probed by academics at North Carolina State University, who now claim to have developed a technique to spy on data. data as it is. be encrypted and introduced into a system.
Their approach requires physical access to the machine to measure power consumption as a side channel; specifically, an FPGA implementing a RISC-V processor core running Microsoft’s SEAL homomorphic cryptography library. Indeed, it is simply a matter of obtaining the data before it is even in the homomorphic system.
“We were not able to crack the homomorphic encryption using mathematical tools,” said Aydin Aysu, lead author of a paper. [PDF] on Labor and Assistant Professor of Computer Engineering at American University.
“Instead, we used side-channel attacks. Basically, by monitoring the power consumption in a device that encodes data for homomorphic encryption, we are able to read the data as it happens. ‘they are encrypted.’
The paper will be presented at the DATE22 virtual conference this month. Microsoft was an early adopter of homomorphic systems, and others have followed suit.
Security staff burnout crisis
Security operations center (SOC) analysts are feeling the heat and burning out, according to a survey by Irish security startup Tines.
“We found that even though SOC teams are passionate and committed to what they do, they struggle with endless manual tasks, understaffed teams, inefficient processes, and too many alerts. which prevents them from doing better quality work,” the CEO said. Eoin Hinchy.
More than two-thirds of respondents said they were likely to change jobs in the next year, and 71% said they were showing signs of burnout, according to the reports. Their biggest gripe was the manual coding of defenses and, unsurprisingly, this is the biggest job SOCs want automated.
Infosec staff are always valued, it seems, with 82% saying they feel respected by their industry colleagues. ®