Security Leftovers
-
Almost 40% of Ubuntu users vulnerable to new privilege elevation flaws [Ed: Microsofters neglect to say that here, unlike with Windows, a patch exists already]
Two Linux vulnerabilities introduced recently into the Ubuntu kernel create the potential for unprivileged local users to gain elevated privileges on a massive number of devices.
Ubuntu is one of the most widely used Linux distributions, especially popular in the U.S., having an approximate user base of over 40 million.
Two recent flaws, tracked as CVE-2023-32629 and CVE-2023-2640 and discovered by Wiz's researchers S. Tzadik and S. Tamari, were recently introduced into the operating system, impacting roughly 40% of Ubuntu's userbase.
CVE-2023-2640 is a high-severity (CVSS v3 score: 7.8) vulnerability in the Ubuntu Linux kernel caused by inadequate permission checks, allowing a local attacker to gain elevated privileges.
CVE-2023-32629 is a medium-severity (CVSS v3 score: 5.4) flaw in the Linux kernel memory management subsystem, where a race condition when accessing VMAs may lead to use-after-free, allowing a local attacker to perform arbitrary code execution.
-
Two flaws in Linux Ubuntu affect 40% of Ubuntu users [Ed: Microsofters are now reading from the same anti-Linux script/screen while Azure is on fire and everything is compromised there]
Wiz Research discovered two privilege escalation vulnerabilities, tracked as CVE-2023-2640 and CVE-2023-32629, in the OverlayFS module in the Linux distro Ubuntu. According to the researchers, the flaws impact 40% of the users of the popular Linux distribution. The researchers pointed out that impacted Ubuntu versions are prevalent in the cloud because they are the default operating systems for multiple CSPs.
OverlayFS is a popular Linux filesystem that allows the deployment of dynamic filesystems based on pre-built images.
Several changes to the OverlayFS module were introduced by Ubuntu in 2018. Wiz researchers noticed that modifications to the module introduced by the Linux kernel project in 2019 and 2022 conflicted with Ubuntu’s earlier changes.
-
Kaspersky launches specialized solution for Linux-based embedded devices [Ed: Letting proprietary software linked to the Kremlin manage "security" in Linux is worse than insane/inane]
-
Security updates for Thursday [LWN.net]
Security updates have been issued by Debian (curl), Fedora (kitty, mingw-qt5-qtbase, and mingw-qt6-qtbase), Mageia (cri-o, kernel, kernel-linus, mediawiki, and microcode), SUSE (chromium, conmon, go1.20-openssl, iperf, java-11-openjdk, kernel-firmware, and mariadb), and Ubuntu (libvirt, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-5.19, linux-gcp-5.19, linux-hwe-5.19, linux-intel-iotg-5.15, linux-iot, llvm-toolchain-13, llvm-toolchain-14, llvm-toolchain-15, open-iscsi, open-vm-tools, and xorg-server-hwe-16.04).
-
Crooks pwned your servers? You’ve got four days to tell us, SEC tells public companies
Public companies that suffer a computer crime likely to cause a “material” hit to an investor will soon face a four-day time limit to disclose the incident, according to rules approved today by the US Securities and Exchange Commission.
The SEC proposed the changes last March, and on Wednesday the financial watchdog voted to adopt the requirements [PDF]. The rules, which take effect 30 days after being signed into the Federal Register later this year, will require publicly traded firms to openly disclose in a new section (Item 1.05) of Form 8-K any cybersecurity incident that has a material impact on their business.
-
CardioComm, a provider of ECG monitoring devices, confirms cyberattack downed its services
CardioComm Solutions, a Canadian provider of consumer and professional-grade heart monitoring technologies, has been downed by an ongoing cybersecurity incident.
The Toronto-based organization said on Tuesday that its business operations will be “impacted for several days and potentially longer” following a “cybersecurity incident on the Company’s servers.” At the time of writing, CardioComm’s website is unavailable and displaying a text-based message advising customers that the company is “experiencing down time [sic] to our services.”
-
Recent NYS audits of K-12 school districts’ infosecurity
-
Leaking Someone’s Personal Data Will Cost You Up to $2 Million in Pakistan
A fine which may extend to $2 million or an equivalent amount in Pakistani rupees would be levied on those who process or cause to be processed, disseminate, or disclose personal data in violation of any of the provisions of the “Personal Data Protection Bill, 2023”.
The Ministry of Information, Technology and Telecommunication had submitted the “Personal Data Protection Bill, 2023”, to Federal Cabinet which was approved on Wednesday.
-
Deloitte denies Cl0p data breach claims in wake of MOVEit attack
Deloitte has refuted claims that the Cl0p ransomware gang has breached its systems and stolen company data amid speculation online.
The accountancy firm was cited as a victim on Cl0p’s breach disclosure blog, sparking concerns that clients at the consultancy could be at risk.
In its disclosure, Cl0p claimed “the company doesn’t care about its customers” and that it “ignored their security”.