** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
Yearly Archives: 2022
Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid
Existential Risk and the Fermi Paradox
We know that complexity is the worst enemy of security, because it makes attack easier and defense harder. This becomes catastrophic as the effects of that attack become greater.
In A Hacker’s Mind (coming in February 2023), I write:
Our societal systems, in general, may have grown fairer and more just over the centuries, but progress isn’t linear or equitable. The trajectory may appear to be upwards when viewed in hindsight, but from a more granular point of view there are a lot of ups and downs. It’s a “noisy” process.
Technology changes the amplitude of the noise. Those near-term ups and downs are getting more severe. And while that might not affect the long-term trajectories, they drastically affect all of us living in the short term. This is how the twentieth century could—statistically—both be the most peaceful in human history and also contain the most deadly wars.
Ignoring this noise was only possible when the damage wasn’t potentially fatal on a global scale; that is, if a world war didn’t have the potential to kill everybody or destroy society, or occur in places and to people that the West wasn’t especially worried about. We can’t be sure of that anymore. The risks we face today are existential in a way they never have been before. The magnifying effects of technology enable short-term damage to cause long-term planet-wide systemic damage. We’ve lived for half a century under the potential specter of nuclear war and the life-ending catastrophe that could have been. Fast global travel allowed local outbreaks to quickly become the COVID-19 pandemic, costing millions of lives and billions of dollars while increasing political and social instability. Our rapid, technologically enabled changes to the atmosphere, compounded through feedback loops and tipping points, may make Earth much less hospitable for the coming centuries. Today, individual hacking decisions can have planet-wide effects. Sociobiologist Edward O. Wilson once described the fundamental problem with humanity as “we have Paleolithic emotions, medieval institutions, and godlike technology.”
Technology could easily get to the point where the effects of a successful attack could be existential. Think biotech, nanotech, global climate change, maybe someday cyberattack—everything that people like Nick Bostrom study. In these areas, like everywhere else in past and present society, the technologies of attack develop faster than the technologies of defending against attack. But suddenly, our inability to be proactive becomes fatal. As the noise due to technological power increases, we reach a threshold where a small group of people can irrecoverably destroy the species. The six-sigma guy can ruin it for everyone. And if they can, sooner or later they will. It’s possible that I have just explained the Fermi paradox.
USN-5755-2: Linux kernel vulnerabilities
It was discovered that the NFSD implementation in the Linux kernel did not properly handle some RPC messages, leading to a buffer overflow. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2022-43945)
Jann Horn discovered that the Linux kernel did not properly track memory allocations for anonymous VMA mappings in some situations, leading to potential data structure reuse. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2022-42703)
It was discovered that a memory leak existed in the IPv6 implementation of the Linux kernel. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2022-3524)
It was discovered that a race condition existed in the Bluetooth subsystem in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2022-3564)
It was discovered that the ISDN implementation of the Linux kernel contained a use-after-free vulnerability. A privileged user could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2022-3565)
It was discovered that the TCP implementation in the Linux kernel contained a data race condition. An attacker could possibly use this to cause undesired behaviors. (CVE-2022-3566)
It was discovered that the IPv6 implementation in the Linux kernel contained a data race condition. An attacker could possibly use this to cause undesired behaviors. (CVE-2022-3567)
It was discovered that the Realtek RTL8152 USB Ethernet adapter driver in the Linux kernel did not properly handle certain error conditions. A local attacker with physical access could plug in a specially crafted USB device to cause a denial of service (memory exhaustion). (CVE-2022-3594)
It was discovered that a null pointer dereference existed in the NILFS2 file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2022-3621)
USN-5756-2: Linux kernel (GKE) vulnerabilities
Jann Horn discovered that the Linux kernel did not properly track memory allocations for anonymous VMA mappings in some situations, leading to potential data structure reuse. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2022-42703)
It was discovered that a memory leak existed in the IPv6 implementation of the Linux kernel. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2022-3524)
It was discovered that a race condition existed in the Bluetooth subsystem in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2022-3564)
It was discovered that the ISDN implementation of the Linux kernel contained a use-after-free vulnerability. A privileged user could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2022-3565)
It was discovered that the TCP implementation in the Linux kernel contained a data race condition. An attacker could possibly use this to cause undesired behaviors. (CVE-2022-3566)
It was discovered that the IPv6 implementation in the Linux kernel contained a data race condition. An attacker could possibly use this to cause undesired behaviors. (CVE-2022-3567)
It was discovered that the Realtek RTL8152 USB Ethernet adapter driver in the Linux kernel did not properly handle certain error conditions. A local attacker with physical access could plug in a specially crafted USB device to cause a denial of service (memory exhaustion). (CVE-2022-3594)
It was discovered that a null pointer dereference existed in the NILFS2 file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2022-3621)
libtasn1-4.19.0-1.fc36
FEDORA-2022-3f9ee1ad91
Packages in this update:
libtasn1-4.19.0-1.fc36
Update description:
CVE-2021-46848 libtasn1: Out-of-bound access in ETYPE_OK
capnproto-0.7.1-1.el8 rr-5.6.0-2.el8
FEDORA-EPEL-2022-8108a34445
Packages in this update:
capnproto-0.7.1-1.el8
rr-5.6.0-2.el8
Update description:
Update capnproto to version 0.7.1 to address CVE-2022-46149.
Dependent packages were rebuilt for both the fix for the security issue and the capnproto SONAME bump.
capnproto-0.10.3-1.el9
FEDORA-EPEL-2022-4b56675171
Packages in this update:
capnproto-0.10.3-1.el9
Update description:
Update capnproto to version 0.10.3 to address CVE-2022-46149.
capnproto-0.9.2-1.fc36 fastnetmon-1.2.1-2.20220528git420e7b8.fc36 librime-1.7.3-2.fc36 rr-5.6.0-2.fc36 sonic-visualiser-4.5-2.fc36
FEDORA-2022-5d37367673
Packages in this update:
capnproto-0.9.2-1.fc36
fastnetmon-1.2.1-2.20220528git420e7b8.fc36
librime-1.7.3-2.fc36
rr-5.6.0-2.fc36
sonic-visualiser-4.5-2.fc36
Update description:
Update capnproto to version 0.9.2 to address CVE-2022-46149.
Dependent packages were rebuilt for both the fix for the security issue and the capnproto SONAME bump.
capnproto-0.9.2-1.fc37 fastnetmon-1.2.1-4.20220528git420e7b8.fc37 librime-1.7.3-3.fc37 rr-5.6.0-2.fc37 sonic-visualiser-4.5-3.fc37
FEDORA-2022-18023b665f
Packages in this update:
capnproto-0.9.2-1.fc37
fastnetmon-1.2.1-4.20220528git420e7b8.fc37
librime-1.7.3-3.fc37
rr-5.6.0-2.fc37
sonic-visualiser-4.5-3.fc37
Update description:
Update capnproto to version 0.9.2 to address CVE-2022-46149.
Dependent packages were rebuilt for both the fix for the security issue and the capnproto SONAME bump.