Security Leftovers
-
Security updates for Thursday [LWN.net]
Security updates have been issued by Debian (bind9 and nodejs), Red Hat (prometheus-jmx-exporter and squid), Slackware (dhcp), SUSE (pngcheck and sendmail), and Ubuntu (isc-dhcp, kitty, and linux-gcp-5.4).
-
Security Issues With Open Source In Today’s World [Ed: Seemingly a spammy site promoting FUD and stigma]
Open source may be the most viable option for most companies today, but it comes with its own set of problems too.
-
3 critical malicious code execution vulnerabilities in Linux kernel
The roccat_report_event function in drivers/hid/hid-roccat.c has a use-after-free vulnerability identified as CVE-2022-41850 (CVSS score: 8.4). A local attacker could trigger it by submitting a report while a report->value is being copied, potentially leading to malicious code execution on the system. A patch has been released; the flaw affects the Linux kernel through 5.19.12.
-
Cybersecurity Best Practices for Your Enterprise in 2022
Day by day, cybercriminals devise new ways to gain unauthorized access to and manipulate data belonging to others. To maintain their shady practices, they’ve perfected methods to operate unseen, taking advantage of weaknesses in web infrastructure. Everybody with an online presence can be a target, either for monetary or other similar gains.
Cybercrime can take many forms, targeting individuals and businesses across industry and geographical lines. According to Statista, the cost of data breaches in the global healthcare sector alone between March 2021 and March 2022 amounted to over $10 million. There are similar figures in other industries, including technology, energy, research, finance, education, etc.
While many businesses have always maintained a significant online presence, many others have only recently transitioned to the web space in the wake of the COVID-19 pandemic. While this helps businesses move forward in a changing world, it also increases the number of potential targets for cybercriminals.
-
Cisco Releases Security Updates for Multiple Products | CISA
A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
-
Veracode Adds Container Support to Security Tool for Developers [Ed: Very shallow marketing spam]
-
CISA Releases Two Industrial Control Systems Advisories | CISA
CISA released two (2) Industrial Control Systems (ICS) advisories on October 06, 2022. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
-
Container Images: The Next Software Supply Chain Concern? [Ed: "Supply chain" has become a modern FUD term; they intentionally ignore the risk that is back doors (e.g. NSA) and China manufacturing a lot of boards at a whim]
-
A Practical Guide to the SLSA Framework [Ed: FOSSA perpetuating anti-FOSS talking points]
SLSA — which stands for Supply Chain Levels for Software Artifacts — is a framework designed to help organizations improve the integrity of their software supply chains. Along with automated testing tools, secure coding practices, and strong third-party software vetting, SLSA can be an important part of a comprehensive software supply chain security strategy.
-
Understanding the SLSA Framework
This FOSSA article breaks down the various levels of the SLSA framework and provides examples to help organizations meet related requirements.
-
Finding bugs with sanitizers [LWN.net]
Andrey Konovalov began his 2022 Linux Security Summit Europe (LSS EU) talk with a bold statement: "fuzzing is useless". As might be guessed, he qualified that assertion quickly by adding "without dynamic bug detectors". These bug detectors include "sanitizers" of various sorts, such as the Kernel Address Sanitizer (KASAN), but there are others. Konovalov looked in detail at KASAN and gave an overview of the sanitizer landscape along with some ideas of ways to push these bug detectors further—to find even more kernel bugs.
Fuzzers are great for exercising new paths in the code, but without having some kind of bug detector, they typically end up causing some kind of hard-to-debug kernel crash, he said. The sanitizers and other bug detectors turn those bugs into something that can be tracked down—and fixed. These sanitizers make up a family of bug-detection tools. They were originally created for user-space applications, but were ported to the kernel and had a "K" prepended to their acronym. The AddressSanitizer (ASan) was not the first, but it became somewhat famous early on; others include the MemorySanitizer (MSan) and UndefinedBehaviorSanitizer (UBSan).
There are a number of advantages that the sanitizers have, which have led to their popularity. They are easy to use; for user space it is just an extra compiler flag and for the kernel a build configuration option needs to be enabled. Compared to other tools that provide the same features, the sanitizers are fast as well. They are also precise since all of the bugs they report are true bugs and not false positives; occasionally a false positive does arise, but it is caused by a sanitizer bug that promptly gets fixed, he said. In addition, the sanitizers provide detailed reports on what caused a bug, which makes it much easier to track them down and fix them.
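The following is an added example, not code from LWN, the kernel, or any of the articles above. It ties the two kernel items together: a user-space model of the bug class behind CVE-2022-41850 (a read path that drops its lock before copying report->value while the event path frees and replaces that buffer), the fixed ordering beside it, and the "extra compiler flag" point from the talk. Building it with `gcc -g -fsanitize=address uaf_model.c -o uaf_model && ./uaf_model` makes AddressSanitizer report a heap-use-after-free at the memcpy in ring_read_racy, with the allocation and free stacks; the same program built without the flag reads freed memory silently or crashes unpredictably. All names, the ring layout and the file name are hypothetical; drivers/hid/hid-roccat.c is the real code.

```c
/* Added example (not kernel or LWN code): a single-threaded model of the
 * hid-roccat read/event race. Names and layout are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RING_SLOTS 2        /* capacity is RING_SLOTS - 1 reports */
#define REPORT_LEN 8

struct report { uint8_t *value; size_t len; };

struct report_ring {
    struct report slots[RING_SLOTS];
    unsigned head;          /* next slot the reader consumes */
    unsigned tail;          /* next slot the event handler overwrites */
    int lock_held;          /* stands in for the driver's mutex */
};

typedef void (*event_fn)(struct report_ring *r);

/* Taking a held lock would deadlock in the kernel; abort() if the model's
 * ordering rules are violated. */
static void ring_lock(struct report_ring *r) { if (r->lock_held) abort(); r->lock_held = 1; }
static void ring_unlock(struct report_ring *r) { r->lock_held = 0; }

void ring_init(struct report_ring *r) { memset(r, 0, sizeof *r); }

void ring_destroy(struct report_ring *r) {
    for (unsigned i = 0; i < RING_SLOTS; i++) free(r->slots[i].value);
    memset(r, 0, sizeof *r);
}

/* Event path: a report arrives. The slot's old buffer is freed and replaced,
 * which turns a pointer a reader still holds into a dangling one. */
void ring_push(struct report_ring *r, const uint8_t *data, size_t len) {
    ring_lock(r);
    struct report *rep = &r->slots[r->tail];
    free(rep->value);
    rep->value = malloc(len);
    memcpy(rep->value, data, len);
    rep->len = len;
    r->tail = (r->tail + 1) % RING_SLOTS;
    if (r->tail == r->head)                 /* ring overran: drop the oldest */
        r->head = (r->head + 1) % RING_SLOTS;
    ring_unlock(r);
}

/* Constructed burst of RING_SLOTS reports, enough to recycle every slot. */
static void burst_of_events(struct report_ring *r) {
    for (unsigned i = 0; i < RING_SLOTS; i++) {
        uint8_t data[REPORT_LEN];
        memset(data, 0xB0 + i, sizeof data);
        ring_push(r, data, sizeof data);
    }
}

/* Racy read: the lock is released before the copy, so an event landing in
 * the window (modelled by calling ev there) frees src. Returns bytes copied. */
int ring_read_racy(struct report_ring *r, uint8_t *out, event_fn ev) {
    ring_lock(r);
    if (r->head == r->tail) { ring_unlock(r); return -1; }
    uint8_t *src = r->slots[r->head].value;
    size_t len = r->slots[r->head].len;
    ring_unlock(r);                  /* BUG: src is no longer protected */
    if (ev) ev(r);                   /* event handler runs in the window */
    memcpy(out, src, len);           /* heap-use-after-free; ASan flags this */
    ring_lock(r);
    r->head = (r->head + 1) % RING_SLOTS;
    ring_unlock(r);
    return (int)len;
}

/* Fixed read: copy while the lock is held, so a handler that wants to
 * recycle the slot can only run once the reader is done with it. */
int ring_read_safe(struct report_ring *r, uint8_t *out, event_fn ev) {
    ring_lock(r);
    if (r->head == r->tail) { ring_unlock(r); return -1; }
    size_t len = r->slots[r->head].len;
    memcpy(out, r->slots[r->head].value, len);
    r->head = (r->head + 1) % RING_SLOTS;
    ring_unlock(r);
    if (ev) ev(r);                   /* the blocked handler proceeds afterwards */
    return (int)len;
}

/* Drives the fixed path through the same interleaving; returns 1 if the reader
 * got the report it started on and the ring state afterwards is consistent. */
int safe_read_survives_burst(void) {
    struct report_ring r;
    uint8_t a[REPORT_LEN] = {1, 2, 3, 4, 5, 6, 7, 8}, out[REPORT_LEN];
    ring_init(&r);
    ring_push(&r, a, sizeof a);
    int ok = ring_read_safe(&r, out, burst_of_events) == REPORT_LEN
          && memcmp(out, a, sizeof a) == 0          /* intact copy of the first report */
          && ring_read_safe(&r, out, NULL) == REPORT_LEN
          && out[0] == 0xB1                         /* only the newest burst report survived */
          && ring_read_safe(&r, out, NULL) == -1;   /* ring drained */
    ring_destroy(&r);
    return ok;
}

int main(void) {
    struct report_ring r;
    uint8_t a[REPORT_LEN] = {1, 2, 3, 4, 5, 6, 7, 8}, out[REPORT_LEN];
    printf("fixed ordering survives the burst: %d\n", safe_read_survives_burst());
    ring_init(&r);
    ring_push(&r, a, sizeof a);
    /* Under -fsanitize=address this call produces the heap-use-after-free report. */
    int n = ring_read_racy(&r, out, burst_of_events);
    printf("racy read returned %d bytes, first byte 0x%02x\n", n, out[0]);
    ring_destroy(&r);
    return 0;
}
```

The kernel equivalent of the compiler flag is CONFIG_KASAN=y; the fix pattern is the same in both worlds: the copy from the shared buffer stays inside the critical section that protects the buffer's lifetime.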
-
Progress for unprivileged containers [LWN.net]
Over the past few years, there has been quite a bit of progress in various kernel features that can be used to create containers without requiring privileges. Most of the containers these days run as root, which means that a vulnerability leading to an escape from the container can result in system compromise. Stéphane Graber gave a talk at the 2022 Linux Security Summit Europe (LSS EU) to fill in some of the details of work that he and others have been doing to run containers as unprivileged code.
The talk was slated to have two speakers, as Christian Brauner had planned to co-present; unfortunately, Brauner got caught up in the travel woes that plagued Dublin around the time of the conference and was at the airport waiting for his plane home at the time of the talk. The presentation was something of a follow-up to their talk on system-call interception for unprivileged containers at LSS North America back in June. Graber is the project lead for the LXC and LXD container projects, which we recently looked at; Brauner is a kernel developer and one of the LXC/LXD maintainers.