Security Leftovers
-
LWN ☛ Security updates for Wednesday
Security updates have been issued by Debian (fontforge and imagemagick), Fedora (firefox), Mageia (cherrytree, python-django, qpdf, and sqlite3), Red Hat (bind, cups, emacs, fwupd, gmp, kernel, libreoffice, libX11, nodejs, opencryptoki, postgresql-jdbc, postgresql:10, postgresql:13, and ruby:3.1), Slackware (gnutls and mozilla), and Ubuntu (firefox, linux, linux-bluefield, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-aws, linux-aws-5.4, linux-aws, linux-aws-6.5, and linux-oracle, linux-oracle-5.15).
-
Security Week ☛ Chrome 123, Firefox 124 Patch Serious Vulnerabilities
Chrome and Firefox security updates released on Tuesday resolve a critical-severity and multiple high-severity vulnerabilities.
-
LWN ☛ Python announces first security releases since becoming a CNA
The Python project has announced three security releases, 3.10.14, 3.9.19, and 3.8.19. In addition to the security fixes, these releases are notable for two reasons: they are the first to make use of Microsoft's proprietary prison GitHub Actions to perform public builds instead of building artifacts "on a local computer of one of the release managers", and the first since Python became a CVE Numbering Authority (CNA). Python release team member Łukasz Langa said that being a CNA means Python is able to "ensure the quality of the vulnerability reports is high, and that the severity estimates are accurate." It also allows Python to coordinate CVE announcements with the patched versions of Python, as it has with two CVEs addressed in these releases. CVE-2024-0450 describes a flaw in CPython's zipfile module that made it vulnerable to a zip-bomb exploit. CVE-2023-6597 is an issue with Python's tempfile.TemporaryDirectory class which could be exploited to modify permissions of files referenced by symbolic links. Users of affected versions should upgrade soon.
-
LWN ☛ Insecurity and Python pickles
Serialization is the process of transforming Python objects into a sequence of bytes which can be used to recreate a copy of the object later — or on another machine. pickle is Python's native serialization module. It can store complex Python objects, making it an appealing prospect for moving data without having to write custom serialization code. For example, pickle is an integral component of several file formats used for machine learning. However, using pickle to deserialize untrusted files is a major security risk, because doing so can invoke arbitrary Python functions. Consequently, the machine-learning community is working to address the security issues caused by widespread use of pickle.
-
Med-Data data leak $7M class action settlement
There is an update to a data leak incident discovered and reported by independent researcher Jelle Ursem and DataBreaches.net in April 2021. Top Class Actions reports that Med-Data, a business associate that handles health insurance claims data, has agreed to pay $7 million to resolve claims that one of its employees publicly posted patient information on GitHub in 2018 and 2019 and that Med-Data failed to timely notify those affected once they learned of the leak.
As reported previously, Ursem discovered the exposed data on GitHub in 2020, but attempts to engage in responsible disclosure initially failed multiple times, with Med-Data even blocking him on LinkedIn and failing to respond to DataBreaches.net. Eventually, a call to their lawyer got them to take our messages seriously. The exposed data included patients’ names, in combination with one or more of the following data elements: physical address, date of birth, Social Security number, diagnosis, condition, claim information, date of service, subscriber ID (subscriber IDs may be Social Security numbers), medical procedure codes, provider name, and health insurance policy number.
-
SANS ☛ Scans for Fortinet FortiOS and the CVE-2024-21762 vulnerability, (Wed, Mar 20th)
Late last week, an exploit surfaced on Microsoft's proprietary prison GitHub for CVE-2024-21762...
-
Security Week ☛ 300,000 Systems Vulnerable to New Loop DoS Attack
Academic researchers describe a new application-layer loop DoS attack affecting Broadcom, Honeywell, Abusive Monopolist Microsoft and MikroTik.
-
Security Week ☛ 1 in 4 Organizations Shut Down OT Operations Due to Cyberattacks: Survey
A Palo Alto Networks survey shows many industrial organizations experience cyberattacks and 1 out of 4 has shut down OT operations.
-
Security Week ☛ Hacker Caught Stealing Personal Data of 132,000 Individuals Pleads Guilty
Idaho man pleads guilty to hacking charges over cyberattacks he conducted in 2017 and 2018, which involved data theft and extortion.
-
Security Week ☛ Five Eyes Agencies Issue New Alert on Chinese APT Volt Typhoon
Government agencies in the Five Eyes countries warn critical infrastructure entities of Chinese state-sponsored hacking group Volt Typhoon.
-
Security Week ☛ Atlassian Patches Critical Vulnerability in Bamboo Data Center and Server
Atlassian releases patches for two dozen vulnerabilities, including a critical-severity bug in Bamboo Data Center and Server.
-
OpenSSF (Linux Foundation) ☛ How OpenSSF Technical Initiatives Can Receive Strategic Funding
The OpenSSF is pleased to announce an exciting new process that will help connect impactful Technical Initiatives (TIs) with strategic funding. The OpenSSF Technical Advisory Council and Governing Board have defined a process by which OpenSSF TIs can apply for funding, and we're confident that unlocking this new process will help create a sustainable secure open source software ecosystem.
-
OpenSSF (Linux Foundation) ☛ Join OpenSSF for our First Tabletop Exercise (TTX) at SOSS Community Day North America
We're excited to announce that the agenda for the Tabletop Exercise (TTX) at Secure Open Source Software (SOSS) Community Day NA is now live; the event will take place on April 15, 2024 in Seattle, WA.
-
OpenSSF (Linux Foundation) ☛ Sigstore Graduates: A Monumental Step Towards Secure Software Supply Chains [Ed: Pushing lockdown and censorship of software]
Supply chain security took a giant leap forward this month as Sigstore officially became a graduated project within the Open Source Security Foundation (OpenSSF). This milestone is a testament to Sigstore's maturity, adoption, and its undeniable impact on making the creation and distribution of software more trustworthy.
-
Security Week ☛ White House Calls on States to Boost Cybersecurity in Water Sector
The White House is calling on state environmental, health, and homeland security agencies to convene on safeguarding water systems.
-
TechRadar ☛ A new data wiper is targeting Linux x86 network devices [Ed: They need to specify which holes actually get it there, not focus on "linux"]
Hackers have been observed targeting Linux x86 networking devices and Internet of Things (IoT) appliances with a new data wiper called AcidPour.
Data wipers are arguably among the most destructive forms of malware. Their goal is to simply destroy, or wipe, all of the data found on the compromised endpoint.