Security Leftovers
Sven Hoexter: CentOS 9, stunnel, an openssl memory leak and a VirtualBox crash
OpenSSL 3.0.1 leaks memory in ssl3_setup_write_buffer(), seems to be fixed in 3.0.5. The issue manifests at least in stunnel and keepalived on CentOS 9. In addition I learned the hard way that running a not so recent VirtualBox version on Debian bullseye led to dh parameter generation crashing in libcrypto in bn_sqr8x_internal().
A recent rabbit hole I went down. The actual bug in openssl was nailed down and documented by Quentin Armitage on GitHub in keepalived. My bug report with all back and forth in the Red Hat Bugzilla is #2128412.
Hackers Can Use 'App Mode' in Chromium Browsers for Stealth Phishing Attacks
Application Mode is designed to offer native-like experiences in a manner that causes the website to be launched in a separate browser window, while also displaying the website's favicon and hiding the address bar.
Microsoft 365 Message Encryption found to leak structural information in messages
“Attackers who are able to get their hands on multiple messages can use the leaked ECB info to figure out the encrypted contents,” WithSecure consultant and security researcher Harry Sintonen explained. “More emails make this process easier and more accurate, so it’s something attackers can perform after getting their hands on e-mail archives stolen during a data breach, or by breaking into someone’s email account, e-mail server, or gaining access to backups.”
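The ECB property behind the leak described above, as an added example that is not from the article or from WithSecure's research: a hypothetical toy Feistel cipher stands in for AES so it runs on the standard library alone, the messages and key are constructed, and two defender-side checks count repeated blocks within one ciphertext and blocks shared between two ciphertexts, which is exactly the signal that grows with every additional message an attacker holds.

```python
import hmac, hashlib
from collections import Counter
BLOCK = 16

def _round(key: bytes, r: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Four-round Feistel permutation standing in for AES (hypothetical toy cipher); like AES it is deterministic per key and block, which is all ECB's leak depends on.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right

def pad(msg: bytes) -> bytes:
    n = BLOCK - len(msg) % BLOCK   # PKCS#7 padding to whole blocks
    return msg + bytes([n]) * n

def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    # ECB: blocks are encrypted independently, so equal plaintext blocks give equal ciphertext blocks, within a message and across messages under one key.
    p = pad(msg)
    return b"".join(toy_block_encrypt(key, p[i:i + BLOCK]) for i in range(0, len(p), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    # CBC: each block is XORed with the previous ciphertext block first, so plaintext repetition is hidden; the IV is prepended to the output.
    p, out, prev = pad(msg), [], iv
    for i in range(0, len(p), BLOCK):
        prev = toy_block_encrypt(key, bytes(a ^ b for a, b in zip(p[i:i + BLOCK], prev)))
        out.append(prev)
    return iv + b"".join(out)

def _blocks(ct: bytes) -> list:
    return [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]

def repeated_blocks(ct: bytes) -> int:
    # Check on a single ciphertext: blocks that duplicate an earlier one. Anything above zero is the structural leak the article describes.
    return sum(c - 1 for c in Counter(_blocks(ct)).values())

def shared_blocks(ct_a: bytes, ct_b: bytes) -> int:
    # Cross-message check: with ECB and one key, blocks common to two ciphertexts mark positions where both messages carried the same 16-byte plaintext.
    return len(set(_blocks(ct_a)) & set(_blocks(ct_b)))

# Constructed sample messages sharing a 16-byte boilerplate line.
LINE = b"Confidential!!!!"                                  # exactly one block
MESSAGE_A = LINE * 3 + b"Q3 revenue fell." + LINE * 2       # 96 bytes, block-aligned
MESSAGE_B = LINE + b"Hello"
KEY = b"constructed-demo-key"
```

Running the checks on `ecb_encrypt(KEY, MESSAGE_A)` reports four repeated blocks and one block shared with the ECB ciphertext of `MESSAGE_B`, while the CBC ciphertexts of the same messages report zero for both.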
Baker & Taylor Ransomware Attack [iophk: Windows TCO]
Distributor Baker & Taylor spent over two weeks with their operations offline after they were targeted in a ransomware attack around August 20, 2022, crippling their ability to process orders. Their systems were restored in September, with a statement saying, [...]