Security Leftovers
-
Security updates for Thursday [LWN.net]
Security updates have been issued by Debian (e17, fish, mako, and tinygltf), Fedora (mingw-poppler), Mageia (firefox, google-gson, libxslt, open-vm-tools, redis, and sofia-sip), Oracle (dbus-broker, kernel, kernel-container, mysql, and nodejs and nodejs-nodemon), Slackware (bind), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer, go1.18, go1.19, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, libconfuse0, and oniguruma), and Ubuntu (bind9 and pcre2).
-
Wolfi Linux is designed to safeguard the software supply chain
The desire for software supply chain integrity and transparency has left many organizations struggling to build in software security measures like signatures, provenance, and SBOMs to legacy systems and existing Linux distributions.
This has prompted Chainguard to produce Wolfi, a new Linux '(un)distribution' and build toolchain, that's been designed from the ground up to produce container images that meet the requirements of a secure software supply chain.
It's called an (un)distribution because it isn't a full Linux distro designed to run on bare-metal, but a stripped-down one designed for the cloud-native era.
-
Software supply chain security gets first Linux distro, Wolfi | TechRepublic
From software signing, to container images, to a new Linux distro, an emerging OSS stack is giving developers guardrails for managing the integrity of build systems and software artifacts.
-
Docker, Inc. to Integrate Free SBOM Generation Tool - Container Journal
Docker, Inc. plans to embed the ability to dynamically generate a software bill of materials (SBOM) using the Docker Build command that developers use to build Docker images from a Dockerfile.
Company CEO Scott Johnston says when it comes to building cloud-native applications, existing SBOM tools can’t keep pace with the rate at which developers are ripping and replacing containers. Docker, Inc. will address the need to provide more visibility into what components are being used to construct an application for no additional cost, he adds.
-
A Python security fix breaks (some) bignums [LWN.net]
Typically, an urgent security release of a project is not for a two-year-old CVE, but such is the case for a recent Python release of four versions of the language. The bug is a denial of service (DoS) that can be caused by converting enormous numbers to strings—or vice versa—but it was not deemed serious enough to fix when it was first reported. Evidently more recent reports, including a remote exploit of the bug, have raised its importance—causing a rushed-out fix. But the fix breaks some existing Python code, and the process of handling the incident has left something to be desired, leading the project to look at ways to improve its processes.
Python integers can have an arbitrary size; once they are larger than can be stored in a native integer, they are stored as arbitrary-length "bignum" values. So Python can generally handle much larger integer values than some other languages. Up until recently, Python would happily output a one followed by 10,000 zeroes for print(10**10000). But as a GitHub issue describes, that behavior has been changed to address CVE-2020-10735, which can be triggered by converting large values to and from strings in bases other than those that are a power of two—the default is base 10, of course.
The fix is to restrict the number of digits in strings that are being converted to integers (or that can result from the conversion of integers) to 4300 digits for those bases. If the limit is exceeded, a ValueError is raised. There are mechanisms that can be used to change the limit, as described in the documentation for the Python standard types. The value for the maximum allowable digits can be set with an environment variable (PYTHONINTMAXSTRDIGITS), a command-line argument (-X int_max_str_digits), or from within code using sys.set_int_max_str_digits(). It can be set to zero, meaning there is no limit, or any number greater than or equal to a lower-limit threshold value, which is set to 640.
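The behaviour described above, as an added example that is not code from the LWN article or from CPython itself: it exercises the 4300-digit default, shows that power-of-two bases are exempt, temporarily raises or disables the limit with sys.set_int_max_str_digits(), and probes the 640 lower threshold. Function names (str_to_int_allowed, int_to_str_allowed, with_limit, set_limit_accepted) are this example's own; it assumes an interpreter that carries the backported fix.

```python
import sys


def limit_supported() -> bool:
    """True if this interpreter carries the digit-limit API (3.11, or the
    3.7.14 / 3.8.14 / 3.9.14 / 3.10.7 backports described in the article)."""
    return hasattr(sys, "set_int_max_str_digits")


def str_to_int_allowed(text: str, base: int = 10) -> bool:
    """str -> int direction. `text` is a constructed, valid digit string, so the
    only ValueError the conversion can raise is the digit-limit rejection."""
    try:
        int(text, base)
        return True
    except ValueError:
        return False


def int_to_str_allowed(value: int) -> bool:
    """int -> str direction (base 10); False if the limit rejects the conversion."""
    try:
        str(value)
        return True
    except ValueError:
        return False


def with_limit(limit: int, fn):
    """Run fn() with the conversion limit temporarily set to `limit`
    (0 disables it), then restore whatever was configured before, e.g. by
    PYTHONINTMAXSTRDIGITS or -X int_max_str_digits."""
    old = sys.get_int_max_str_digits()
    sys.set_int_max_str_digits(limit)
    try:
        return fn()
    finally:
        sys.set_int_max_str_digits(old)


def set_limit_accepted(limit: int) -> bool:
    """True if the interpreter accepts `limit` (0, or >= the 640 threshold);
    the previous value is restored either way."""
    old = sys.get_int_max_str_digits()
    try:
        sys.set_int_max_str_digits(limit)
        return True
    except ValueError:
        return False
    finally:
        sys.set_int_max_str_digits(old)


if __name__ == "__main__":
    if not limit_supported():
        print("this interpreter predates the CVE-2020-10735 fix")
        sys.exit(0)
    print("configured limit:", sys.get_int_max_str_digits())
    # Pin the limit to the documented default so the demo is deterministic.
    print("4300 base-10 digits ->", with_limit(4300, lambda: str_to_int_allowed("9" * 4300)))
    print("4301 base-10 digits ->", with_limit(4300, lambda: str_to_int_allowed("9" * 4301)))
    print("100000 hex digits   ->", with_limit(4300, lambda: str_to_int_allowed("f" * 100000, 16)))
    print("str(10**4300)       ->", with_limit(4300, lambda: int_to_str_allowed(10 ** 4300)))
    print("limit disabled      ->", with_limit(0, lambda: int_to_str_allowed(10 ** 10000)))
    print("limit 100 accepted  ->", set_limit_accepted(100))
    print("limit 640 accepted  ->", set_limit_accepted(640))
```

Because the limit is process-global, with_limit always restores the previous value; code that needs a larger limit only for one trusted conversion should scope it this way rather than raising it for the whole interpreter, which would reopen the denial-of-service window for untrusted input.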
Update
3 more regarding Wolfi:
-
Wolfi: A Linux undistro with security measures for the software supply chain - Help Net Security
Software supply chain security is unique – you’ve got a whole lot of different types of attacks that can target a lot of different points in the software lifecycle. You can’t just take one piece of security software, turn it on, and get protected from everything.
The ecosystem’s push for software supply chain integrity and transparency has left organizations struggling to build software security measures like signatures, provenance, and SBOMs into legacy systems and existing Linux distributions.
Recently, the U.S.’s most prestigious security agencies (NSA, CISA, and ODNI) tried to add to the conversation and released a 60+ page recommended practice guide, Securing the Software Supply Chain for Developers.
-
Chainguard releases Wolfi, a Linux 'undistribution' | ZDNET
There are many Linux distributions designed expressly for containers. Even Microsoft has one, Common Base Linux (CBL)-Mariner. Others include Alpine Linux, Flatcar Container Linux, Red Hat Enterprise Linux CoreOS (RHCOS), and RancherOS. Now Chainguard, a cloud-native software security company, has a new take on this popular cloud-friendly kind of Linux: Wolfi, an "undistribution."
I asked Chainguard CEO and founder Dan Lorenc at Open Source Summit Europe in Dublin what he meant by an "undistribution." He explained, "We call it an undistribution because that's technically correct. Inside of a container, you have everything but Linux, right? So, even though it's based on Linux, it's not really correct to call it a Linux distribution."
-
A New Linux Tool Aims to Guard Against Supply Chain Attacks | WIRED
IN THE WAKE of alarming incidents like Russia’s massive 2017 NotPetya malware attack and the Kremlin’s 2020 SolarWinds cyberespionage campaign—both pulled off by poisoning wells for software distribution—organizations around the world have been scrambling to get a handle on software supply chain security. In general, and for open source software in particular, stronger defense rests in knowing what software you’re actually running, with a crucial focus on enumerating all the little pieces that make up the whole and validating that they are what they should be. That way, when you pack a box of software heirlooms and store it on a shelf, you know there isn’t a live microphone or a Tupperware full of deviled eggs sitting in the box for years.
Creating a system to generate a manifest of what’s inside every box in every basement and garage is a massive effort, but a new tool from security firm Chainguard aims to do just that for the software "containers" that underlie almost all digital services today.
On Thursday, Chainguard launched a Linux distribution called Wolfi that is designed specifically for how digital systems are actually built today in the cloud. Most consumers don’t use Linux, the famed open source operating system, on their personal computers. (If they do, they don’t necessarily know it, as is the case with Android, which is built on a modified version of Linux.) But the open source operating system is widely used in servers and cloud infrastructure around the world, partly because it can be deployed in such flexible ways. Unlike operating systems from Microsoft and Apple, where your only choice is whatever ice cream flavor they release, the open nature of Linux allows developers to create all sorts of flavors—known as “distributions”—to suit specific cravings and needs. But the developers at Chainguard, who have all been working in open source software for years, including on other Linux distributions, felt that a key flavor was missing.
4 new posts from CISA:
-
CISA Has Added One Known Exploited Vulnerability to Catalog
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.
-
CISA and NSA Publish Joint Cybersecurity Advisory on Control System Defense
CISA and the National Security Agency (NSA) have published a joint cybersecurity advisory about control system defense for operational technology (OT) and industrial control systems (ICSs). Control System Defense: Know the Opponent is intended to provide critical infrastructure owners and operators with an understanding of the tactics, techniques, and procedures (TTPs) used by malicious cyber actors. This advisory builds on NSA and CISA 2021 guidance provided to stop malicious ICS activity against connected OT, and 2020 guidance to reduce OT exposure.
-
ISC Releases Security Advisories for Multiple Versions of BIND 9
The Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of the ISC’s Berkeley Internet Name Domain (BIND) 9. A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions. For advisories addressing lower severity vulnerabilities, see the BIND 9 Security Vulnerability Matrix.
-
CISA Releases Three Industrial Control Systems Advisories
CISA has released three Industrial Control Systems (ICS) advisories on September 22, 2022. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
A late go at coverage:
-
Wolfi is a Linux Un(distro) Built for Software Supply Chain Security
The software supply chain includes everything that goes into developing, building, storing, and running a piece of software and its dependencies.
As per the State of the Software Supply Chain 2021 report, between 2020 and 2021 alone, attacks on the software supply chain increased by a shocking 650%.
[...]
📢 To join the efforts, Chainguard, a security firm specializing in open-source software and cloud-native development, has introduced a Linux distro designed to secure the software supply chain. 💡 They call it an "Undistro" because it is not a full-fledged Linux distribution to run on bare metal.