In brief A Linux local privilege escalation flaw dubbed Dirty Pipe has been discovered and disclosed along with proof-of-concept exploit code.
The flaw, CVE-2022-0847, was introduced in kernel version 5.8 and fixed in versions 5.16.11, 5.15.25, and 5.10.102.
It can be exploited by a normal logged-in user or a rogue running program to gain root-level privileges; it can also be used by malicious apps to take over vulnerable Android devices. If your phone is running an affected Linux kernel version – which you can find under About Phone and software information in the Settings app, typically – be aware that a rogue application could exploit Dirty Pipe to hijack your handset, tablet, or gadget.
Max Kellermann said he found the programming blunder and reported it to the kernel security team in February, which issued patches within a few days. By now these should be filtering through to affected Linux distributions. Android will take longer: we’re not aware of any official updates yet.
The bug can be abused to add or overwrite data in sensitive read-only files, such as removing the root password from
/etc/passwd allowing anyone on the system to get superuser access, or temporarily altering a setuid binary to grant root privileges.
The bug is pretty fascinating: a screw-up during a refactoring of the kernel’s pipe handling code opens the door for allowing a user program to overwrite the contents of the page cache, which eventually makes its way into the file system. It’s similar to Dirty COW, and easier to exploit.
If you’re running Linux, check for security updates from your distro and install.
If you’re using Android, wait for Google (and potentially your manufacturer and/or carrier) to push an update to you. The latest version of Android for the Google Pixel 6 and the Samsung Galaxy S22 is right now at risk, for instance, as it uses a kernel later than 5.8.
- What exactly caused about 40,000 SATCOM terminals to conk out in Europe as Russia invaded Ukraine? Here’s some informed speculation.
- Google’s Threat Analysis Group has documented phishing campaigns it says it has seen lately launched by Kremlin-linked FancyBear against Ukrainian media biz UkrNet, and by Belarusian crew Ghostwriter against Polish and Ukrainian government and military organizations. Also, Mustang Panda, a China-based gang, has used the Ukraine invasion as a lure for European marks, we’re told.
- Akamai said at the end of February it detected TCP reflection denial-of-service attacks that peaked at 11 Gbps and 1.5 million packets-per-second against its customers.
- Resecurity reportedly claimed miscreants in February gained access to computers belonging to past and present employees at Chevron, Cheniere Energy, Kinder Morgan, and other natural gas suppliers and exporters.
- Google is reportedly in talks to buy infosec giant Mandiant.
Adafruit confirms security blunder
Adafruit this month admitted some of its customer information was exposed to the public web.
In a blog post on Friday, the DIY electronics biz said the records concerned “certain user accounts on or before 2019,” which were were used for staff training and had been inadvertently made public in a GitHub repository by a former employee. The repo was swiftly deleted, according to Adafruit.
“The repository contained some names, email addresses, shipping/billing addresses and/or whether orders were placed successfully via credit card processor and/or PayPal, as well as details for some orders,” Adafruit’s Phillip Torrone and Limor Fried said. “There were no user passwords or financial information such as credit cards in the data analysis set.”
The duo said at the time they were not going to email customers to let them know about the slip-up after consulting with “privacy lawyers and legal experts.” This had folks peeved. Adafruit now says it will email an alert to customers, citing “feedback from the community.”
Then came claims that Adafruit was blocking people on Twitter for mentioning the privacy error. One person said they were blocked just for posting “^This,” referring to an earlier comment that Adafruit should get in contact with Troy Hunt to augment the Have I Been Pwned database with the exposed email addresses. After seeing the complaints, Hunt himself got involved.
I’m seeing a theme here – does anyone have the @adafruit breach data they’d like to send me? Looks like they want to go all Streisand on this. https://t.co/XuNBpfuNRU
— Troy Hunt (@troyhunt) March 7, 2022
Adafruit said it had not retaliated against netizens since the leak disclosure on March 4; if you were blocked by the biz, you were blocked previous to the advisory, it is claimed.
“There were no blocks added in the last three days at all since the disclosure, and none because of any data leak post/tweet,” a spokesperson told us on Monday.
“We would not do that, we did not do that. We decided to remove all previous blocks today since we saw a person mention that after they had emailed us. Some people probably did not notice they were previously blocked until we were in the news in the last couple of days.”
CISA offers olive branch in fight over cybersecurity reports
An inter-agency fight over cybersecurity incident reports may have been defused.
Last week, the US Senate passed the Strengthening American Cybersecurity Act of 2022, which requires critical infrastructure to report details of cyber-attacks within 72 hours. Crucially, that data was only going to go to Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
This ruffled plumage at the FBI and US Department of Justice, both of which went on the record with their displeasure at being cut out. With the draft law now going through the House of Reps, CISA boss Jen Easterly offered an olive branch on Friday.
“We have a terrific operational partnership with out FBI teammates and will continue to do so,” she wrote on Twitter, “to include always ensuring that cyber-incident reporting received by CISA is immediately shared with them.”
Keep Chrome up to date
In an alert this month, CISA urged Chrome users to update ASAP to version 99.0.4844.51 for Windows, Mac, and Linux, citing a raft of security bugs that need to be fixed.
According to Google there are 28 such holes, none are critical. The Chocolate Factory paid out over $100,000 to independent researchers for reporting the programming blunders, with bug-hunter Samet Bekmezci scooping $15,000 for a single discovery.
CISA also added another 95 bugs to its Known Exploited Vulnerabilities Catalog, bringing the total to 478 actively attacked-in-the-wild holes. Make sure you’ve applied patches for these security shortcomings.
Open-source VoIP lib needs patching
JFrog has detailed five vulnerabilities in open-source VoIP protocol library PJSIP that can be exploited to achieve remote code execution or a denial of service.
WhatsApp, BlueJeans, and Asterisk use the library, for example, though that doesn’t mean they are vulnerable. As JFrog put it, “an application must use the PJSIP library in a specific manner in order to be vulnerable,” namely passing external input to specific API arguments. Thus, if a program hands attacker-supplied data direct to the library’s API, it could be exploitable.
“In order to fully fix these vulnerabilities, we recommend upgrading PJSIP to version 2.12,” says JFrog. Which means, if you’re a developer, you should migrate to that version for your project, and issue an update for your users, if your software is vulnerable.
Homomorphic encryption under the microscope
Homomorphic encryption – which allows operations to be performed on encrypted data without having to decrypt and re-encrypt it – has been probed by academics at North Carolina State University, who now claim they have come up with a technique to snoop on data as it is being encrypted and fed into a system.
Their approach requires physical access to the machine to measure power consumption as a side channel; specifically, an FPGA implementing a RISC-V CPU core running Microsoft’s SEAL homomorphic cryptography library. In effect, it’s really just obtaining the data before it’s even in the homomorphic system.
“We weren’t able to crack homomorphic encryption using mathematical tools,” said Aydin Aysu, senior author of a paper [PDF] on the work and an assistant professor of computer engineering at the US university.
“Instead, we used side-channel attacks. Basically, by monitoring power consumption in a device that is encoding data for homomorphic encryption, we are able to read the data as it is being encrypted.”
The paper will be presented at the virtual DATE22 conference this month. Microsoft has been an early adopter of homomorphic systems, and others have followed suit.
Security staff burnout crisis
Security operations center (SOC) analysts are feeling the heat and burning out, according to a survey by Irish security startup Tines.
“We found that while SOC teams are passionate and engaged in what they do, they’re challenged with endless manual tasks, understaffed teams, inefficient processes, and too many alerts – all preventing them from doing more high-quality work,” said CEO Eoin Hinchy.
Over two thirds of those polled said they were likely to switch jobs next year, and 71 per cent said they were exhibiting signs of burn out, it’s claimed. Their biggest gripe was manual coding of defenses, and, unsurprisingly, that’s the biggest job SOCs want to see automated.
Infosec staff are still valued, it seems, with 82 per cent saying they felt respected by their industry colleagues. ®