Linux and FreeBSD Kernel: Multiple TCP-based remote denial of service vulnerabilities
Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels.
The vulnerabilities specifically relate to the TCP maximum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed “SACK Panic,” allows a remotely triggered kernel panic on recent Linux kernels.
There are patches that address most of these vulnerabilities. If patches cannot be applied, certain mitigations will be effective. We recommend that affected parties enact one of those described in the advisory, based on their environment.
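As an added example (not code from the Netflix advisory or from this post), the POSIX shell script below checks whether a Linux host still processes SACK and applies either of the two no-patch mitigations the advisory describes: turning off SACK processing through the net.ipv4.tcp_sack sysctl, or dropping new connections that advertise a tiny MSS with an iptables tcpmss rule. The sysctl path, the 500-byte MSS threshold and the --apply flag are this example's own choices; the proc path is overridable so the check logic can be exercised without root.

```shell
#!/bin/sh
# Added example, not code from the Netflix advisory: check a Linux host's
# exposure to SACK Panic and apply the no-patch mitigations.
# Assumptions (labelled): TCP_SACK_PROC is the stock sysctl path and can be
# overridden so the logic is testable without root; LOW_MSS_MAX=500 is an
# illustrative threshold, not a value taken from the text above.

TCP_SACK_PROC="${TCP_SACK_PROC:-/proc/sys/net/ipv4/tcp_sack}"
LOW_MSS_MAX="${LOW_MSS_MAX:-500}"

# 0 = SACK processing enabled (exposed), 1 = disabled, 2 = cannot tell.
sack_enabled() {
    [ -r "$TCP_SACK_PROC" ] || return 2
    [ "$(cat "$TCP_SACK_PROC")" = "1" ]
}

# Mitigation 1: turn off SACK processing. Safe, but TCP recovers more
# slowly from loss, so throughput on lossy paths drops.
disable_sack() {
    printf '0\n' > "$TCP_SACK_PROC"
}

# Mitigation 2: drop SYNs that advertise a tiny MSS (the attack relies on
# one). Idempotent: iptables -C tests for the rule before -A appends it.
# Caveat: legitimate peers that genuinely need a small MSS are cut off.
add_low_mss_filter() {
    rule="INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:$LOW_MSS_MAX -j DROP"
    # $rule is expanded unquoted on purpose: it must split into arguments.
    iptables -C $rule 2>/dev/null || iptables -A $rule
}

# One-line verdict; returns 0 only when the host is mitigated.
sack_status() {
    sack_enabled && { echo "exposed: tcp_sack=1 (run disable_sack or add_low_mss_filter)"; return 1; }
    [ -r "$TCP_SACK_PROC" ] || { echo "unknown: cannot read $TCP_SACK_PROC"; return 2; }
    echo "mitigated: tcp_sack=0"
    return 0
}

# Usage: sh sack_panic.sh --apply   (disables SACK, then prints the verdict)
if [ "${1:-}" = "--apply" ]; then
    disable_sack && sack_status
fi
```

Disabling SACK is the cheaper change operationally, since the MSS filter needs the tcpmss match module and can break peers that legitimately negotiate a small MSS; either way, re-enable the default once the kernel is patched.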
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
#Linux #security #FreeBSD #Kernel #vulnerabilities #netflix #patches #alert
@cRyPtHoN_INFOSEC_DE
@cRyPtHoN_INFOSEC_EN
@cRyPtHoN_INFOSEC_ES
@FLOSSb0xIN
Huawei HKSP Introduces Trivially Exploitable Vulnerability
5/11/2020 Update: We were contacted this morning by Huawei PSIRT who referenced an email by the patch author to the KSPP list: https://www.openwall.com/lists/kernel-hardening/2020/05/10/3 and stated that "The patchset is not provided by Huawei official but an individual. And also not used in any Huawei devices." They asked if we would update the description of the article to correct this information.
Based on publicly-available information, we know the author of the patch is a Huawei employee, and despite attempts now to distance itself from the code after publication of this post, it still retains the Huawei naming. Further, on information from our sources, the employee is a Level 20 Principal Security staffer, the highest technical level within Huawei.
The Github repository mentioned in the article had a commit added to it this morning that inserted a notice to the top of the README file, distancing the code from Huawei. This commit was (intentionally or not) backdated to Friday when the repository was created, creating the impression that we somehow intentionally ignored pertinent information that was readily available. This is obviously untrue, and examining the contents of https://api.github.com/repos/cloudsec/hksp/events proves the commit was pushed to the repo this morning.
We replied to Huawei PSIRT's mail and mentioned that we'd be fine with mentioning the patches aren't shipping on any Huawei devices (I believed it already to be unlikely given the poor code quality), but regarding the other claim (particularly due to the surreptitious Github repo edit), we'd have to also include the additional information we discovered.
Read more:
https://grsecurity.net/huawei_hksp_introduces_trivially_exploitable_vulnerability
https://www.openwall.com/lists/kernel-hardening/2020/05/10/3
https://api.github.com/repos/cloudsec/hksp/events
#huawei #PSIRT #hksp #exploitable #kernel #hardening #vulnerability
@cRyPtHoN_INFOSEC_DE
@cRyPtHoN_INFOSEC_EN
@BlackBox_Archiv
@FLOSSb0xIN
Researcher finds 5 privilege escalation vulnerabilities in Linux kernel
A researcher at Positive Technologies found five similar vulnerabilities in the Linux kernel that allow a local attacker to escalate privileges on a vulnerable host.
The flaws, discovered by security researcher Alexander Popov, could allow an attacker to steal data, run administrative commands or install malware on affected operating systems or server applications. Popov successfully tested an exploit for one of the vulnerabilities on Fedora Server 33 and notified the Linux Foundation, the non-profit that hosts the Linux kernel project, and other parties by email on February 5.
“Hello! Let me inform you about the Linux kernel vulnerabilities that I’ve found in AF_VSOCK implementation. I managed to exploit one of them for a local privilege escalation on Fedora Server 33 for x86_64, bypassing SMEP and SMAP,” Popov wrote to the group, adding he planned to share more details about the exploit techniques with them “later.”
Popov said in the email that he had already developed a patch and had followed responsible disclosure guidelines throughout the process. The findings were assigned CVE-2021-26708, which is tracked in the National Institute of Standards and Technology’s National Vulnerability Database.
The vulnerability carries a CVSS base score of 7.0 out of 10. According to Popov, the flaws are race conditions in kernel modules that are present in all major GNU/Linux distributions and are loaded automatically when a socket is created in the AF_VSOCK address family, which is designed for communication between guest virtual machines and their host.
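As an added example, not from the article or from Popov's own advisory, the shell functions below triage a host along the line the automatic loading described above suggests: they list vsock-related modules already loaded (parsing /proc/modules), check whether a modprobe.d "install" rule stops the vsock core from being autoloaded by socket(AF_VSOCK), and can write such a rule. Matching module names on the "vsock" substring (Hyper-V's hv_sock is not covered), the overridable file paths, and blocking autoload as a hardening step are all this example's assumptions rather than anything the article states.

```shell
#!/bin/sh
# Added example, not from the article or from Popov's advisory: triage a
# host for AF_VSOCK exposure. Assumptions (labelled): vsock-related modules
# are matched on the "vsock" substring (Hyper-V's hv_sock is not covered);
# the paths are overridable so the parsing can run on constructed input;
# blocking autoload is this example's hardening suggestion, not the article's.

MODULES_FILE="${MODULES_FILE:-/proc/modules}"
MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"
BLOCK_CONF="${BLOCK_CONF:-$MODPROBE_DIR/disable-vsock.conf}"

# Print the vsock-related modules currently loaded (first field of each
# /proc/modules line); returns 1 when none are, 2 when the file is unreadable.
vsock_modules_loaded() {
    [ -r "$MODULES_FILE" ] || return 2
    found=$(awk '$1 ~ /vsock/ { print $1 }' "$MODULES_FILE")
    [ -n "$found" ] && printf '%s\n' "$found"
}

# 0 when a modprobe.d "install vsock ..." rule exists. That form is needed
# because socket(AF_VSOCK) makes the kernel call modprobe for the net-pf-40
# alias; an "install" line replaces the load with the given command, and it
# also defeats an explicit "modprobe vsock", which a plain blacklist does not.
vsock_autoload_blocked() {
    [ -d "$MODPROBE_DIR" ] || return 1
    grep -qsE '^[[:space:]]*install[[:space:]]+vsock[[:space:]]+' "$MODPROBE_DIR"/*.conf
}

# Write the rule. Caveat: every legitimate vsock user on the host (guest
# agents, vhost-vsock backends) stops working until the file is removed.
block_vsock_autoload() {
    mkdir -p "$MODPROBE_DIR"
    printf 'install vsock /bin/false\n' > "$BLOCK_CONF"
}

# Verdict: returns 0 only when vsock is not loaded and cannot autoload.
vsock_status() {
    mods=$(vsock_modules_loaded) && {
        echo "loaded: $(printf '%s' "$mods" | tr '\n' ' ')"; return 1; }
    vsock_autoload_blocked && { echo "not loaded, autoload blocked"; return 0; }
    echo "not loaded, but socket(AF_VSOCK) would autoload it"
    return 1
}
```

On a VM guest that relies on vsock (cloud agents, virtio-vsock file sharing) the right fix is the kernel update rather than the modprobe rule; the rule is for hosts that never legitimately create AF_VSOCK sockets.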
https://www.scmagazine.com/home/security-news/vulnerabilities/researcher-finds-5-privilege-escalation-vulnerabilities-in-linux-kernel/
#linux #kernel #vulnerabilities #privilege #escalation
@cRyPtHoN_INFOSEC_FR
@cRyPtHoN_INFOSEC_EN
@cRyPtHoN_INFOSEC_DE
@BlackBox_Archiv
@NoGoolag
Servicing the Windows Subsystem for Linux (WSL) 2 Linux kernel
Note: This blog post is co-authored by the awesome WSL dev Pierre Boulay. Thanks Pierre!
We’ve just shipped the 5.10.16.3 WSL 2 Linux kernel version to Windows Insiders, which brings exciting new changes: support for LUKS disk encryption and some long-awaited bug fixes. We’d like to seize this opportunity to highlight these improvements and show you how these changes land on your Windows machine no matter your Windows version.
New feature addition: Support for LUKS disk encryption
This kernel update adds support for the LUKS disk format. Such disks can now be accessed using wsl --mount.
LUKS disks can be mounted through the following steps (refer to distro-specific instructions to install cryptsetup if needed):
https://devblogs.microsoft.com/commandline/servicing-the-windows-subsystem-for-linux-wsl-2-linux-kernel/
#microsoft #linux #kernel #wsl
@cRyPtHoN_INFOSEC_FR
@cRyPtHoN_INFOSEC_EN
@cRyPtHoN_INFOSEC_DE
@BlackBox_Archiv
@NoGoolag
Report on University of Minnesota Breach-of-Trust Incident
On April 20, 2021, in response to the perception that a group of University of Minnesota (UMN) researchers had resumed sending compromised code submissions to the Linux kernel, Greg Kroah-Hartman asked the community to stop accepting patches from UMN and began a re-review of all submissions previously accepted from the University.
This report summarizes the events that led to this point, reviews the "Hypocrite Commits" paper that had been submitted for publication, and reviews all known prior kernel commits from UMN paper authors that had been accepted into our source repository.
https://lwn.net/ml/linux-kernel/202105051005.49BFABCE@keescook/
#linux #kernel #university #minnesota #breach #trust
@cRyPtHoN_INFOSEC_FR
@cRyPtHoN_INFOSEC_EN
@cRyPtHoN_INFOSEC_DE
@BlackBox_Archiv
@NoGoolag
Kernel Pwning with eBPF: a Love Story
At Grapl we believe that in order to build the best defensive system we need to deeply understand attacker behaviors. As part of that goal we're investing in offensive security research. Keep up with our blog for new research on high risk vulnerabilities, exploitation, and advanced threat tactics.
Find the released local privilege escalation (LPE) proof-of-concept for CVE-2021-3490 here: https://github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490. It targets Ubuntu 20.10 (Groovy Gorilla) kernels 5.8.0-25.26 through 5.8.0-52.58, and Ubuntu 21.04 (Hirsute Hippo) kernel 5.11.0-16.17.
This blog post is intended to give a detailed overview of eBPF from the perspective of an exploit developer.
https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story
#linux #kernel #pwning #ebpf
@cRyPtHoN_INFOSEC_FR
@cRyPtHoN_INFOSEC_EN
@cRyPtHoN_INFOSEC_DE
@BlackBox_Archiv