It was discovered that NFS client’s access cache implementation in the
Linux kernel caused a severe NFS performance degradation in certain
conditions. This updated makes the NFS file-access stale cache behavior
to be optional.
Daily Archives: June 8, 2023
USN-6151-1: Linux kernel (Xilinx ZynqMP) vulnerabilities
It was discovered that the System V IPC implementation in the Linux kernel
did not properly handle large shared memory counts. A local attacker could
use this to cause a denial of service (memory exhaustion). (CVE-2021-3669)
It was discovered that the KVM VMX implementation in the Linux kernel did
not properly handle indirect branch prediction isolation between L1 and L2
VMs. An attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2022-2196)
Gerald Lee discovered that the USB Gadget file system implementation in the
Linux kernel contained a race condition, leading to a use-after-free
vulnerability in some situations. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-4382)
It was discovered that the RNDIS USB driver in the Linux kernel contained
an integer overflow vulnerability. A local attacker with physical access
could plug in a malicious USB device to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2023-23559)
USN-6150-1: Linux kernel vulnerabilities
Patryk Sondej and Piotr Krysiuk discovered that a race condition existed in
the netfilter subsystem of the Linux kernel when processing batch requests,
leading to a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2023-32233)
Gwangun Jung discovered that the Quick Fair Queueing scheduler
implementation in the Linux kernel contained an out-of-bounds write
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-31436)
Reima Ishii discovered that the nested KVM implementation for Intel x86
processors in the Linux kernel did not properly validate control registers
in certain situations. An attacker in a guest VM could use this to cause a
denial of service (guest crash). (CVE-2023-30456)
It was discovered that the Broadcom FullMAC USB WiFi driver in the Linux
kernel did not properly perform data buffer size validation in some
situations. A physically proximate attacker could use this to craft a
malicious USB device that when inserted, could cause a denial of service
(system crash) or possibly expose sensitive information. (CVE-2023-1380)
Jean-Baptiste Cayrou discovered that the shiftfs file system in the Ubuntu
Linux kernel contained a race condition when handling inode locking in some
situations. A local attacker could use this to cause a denial of service
(kernel deadlock). (CVE-2023-2612)
North Korean APT group targets email credentials in social engineering campaign
Researchers warn of a social engineering campaign by the North Korean APT group known as Kimsuky that attempts to steal email credentials and plant malware. The campaign, focused on experts in North Korean affairs, is part of this group’s larger intelligence gathering operations that target research centers, think tanks, academic institutions, and news outlets globally.
“Kimsuky, a suspected North Korean advanced persistent threat (APT) group whose activities align with the interests of the North Korean government, is known for its global targeting of organizations and individuals,” researchers from security firm SentinelOne said in a report. “Operating since at least 2012, the group often employs targeted phishing and social engineering tactics to gather intelligence and access sensitive information.”
Barracuda Urges Replacing — Not Patching — Its Email Security Gateways
It’s not often that a zero-day vulnerability causes a network security vendor to urge customers to physically remove and decommission an entire line of affected hardware — as opposed to just applying software updates. But experts say that is exactly what transpired this week with Barracuda Networks, as the company struggled to combat a sprawling malware threat which appears to have undermined its email security appliances in such a fundamental way that they can no longer be safely updated with software fixes.
Campbell, Calif. based Barracuda said it hired incident response firm Mandiant on May 18 after receiving reports about unusual traffic originating from its Email Security Gateway (ESG) devices, which are designed to sit at the edge of an organization’s network and scan all incoming and outgoing email for malware.
On May 19, Barracuda identified that the malicious traffic was taking advantage of a previously unknown vulnerability in its ESG appliances, and on May 20 the company pushed a patch for the flaw to all affected appliances (CVE-2023-2868).
In its security advisory, Barracuda said the vulnerability existed in the Barracuda software component responsible for screening attachments for malware. More alarmingly, the company said it appears attackers first started exploiting the flaw in October 2022.
But on June 6, Barracuda suddenly began urging its ESG customers to wholesale rip out and replace — not patch — affected appliances.
“Impacted ESG appliances must be immediately replaced regardless of patch version level,” the company’s advisory warned. “Barracuda’s recommendation at this time is full replacement of the impacted ESG.”
Rapid7‘s Caitlin Condon called this remarkable turn of events “fairly stunning,” and said there appear to be roughly 11,000 vulnerable ESG devices still connected to the Internet worldwide.
“The pivot from patch to total replacement of affected devices is fairly stunning and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldn’t eradicate attacker access,” Condon wrote.
Barracuda said the malware was identified on a subset of appliances that allowed the attackers persistent backdoor access to the devices, and that evidence of data exfiltration was identified on some systems.
Rapid7 said it has seen no evidence that attackers are using the flaw to move laterally within victim networks. But that may be small consolation for Barracuda customers now coming to terms with the notion that foreign cyberspies probably have been hoovering up all their email for months.
Nicholas Weaver, a researcher at University of California, Berkeley’s International Computer Science Institute (ICSI), said it is likely that the malware was able to corrupt the underlying firmware that powers the ESG devices in some irreparable way.
“One of the goals of malware is to be hard to remove, and this suggests the malware compromised the firmware itself to make it really hard to remove and really stealthy,” Weaver said. “That’s not a ransomware actor, that’s a state actor. Why? Because a ransomware actor doesn’t care about that level of access. They don’t need it. If they’re going for data extortion, it’s more like a smash-and-grab. If they’re going for data ransoming, they’re encrypting the data itself — not the machines.”
In addition to replacing devices, Barracuda says ESG customers should also rotate any credentials connected to the appliance(s), and check for signs of compromise dating back to at least October 2022 using the network and endpoint indicators the company has released publicly.
Multiple Vulnerabilities in ChromeOS Could Allow for Arbitrary Code Execution
Multiple vulnerabilities have been discovered in ChromeOS, the most severe of which could allow for arbitrary code execution. ChromeOS is a Linux-based operating system developed and designed by Google. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
matrix-synapse-1.85.2-1.fc38
FEDORA-2023-56760afca8
Packages in this update:
matrix-synapse-1.85.2-1.fc38
Update description:
Update to v1.85.2
Update to v1.85.1
Update to v1.85.0
Fixes CVE-2023-32682, CVE-2023-32683
Update to v1.84.1
Espionage Attacks in North Africa Linked to “Stealth Soldier” Backdoor
The malware focuses on surveillance operations, according to a new advisory by Check Point Research
Pharmaceutical Giant Eisai Hit By Ransomware Incident
Several systems, including logistics systems, have been temporarily taken offline
Malware menaces Minecraft mods
If you, or your kids, are fans of Minecraft – you might be wise to not download any new mods of plugins for a while.
Read more in my article on the Tripwire State of Security blog.