USN-6537-1: Linux kernel (GCP) vulnerabilities

Read Time:2 Minute, 37 Second

Yu Hao discovered that the UBI driver in the Linux kernel did not properly
check for MTD with zero erasesize during device attachment. A local
privileged attacker could use this to cause a denial of service (system
crash). (CVE-2023-31085)

Lucas Leong discovered that the netfilter subsystem in the Linux kernel did
not properly validate some attributes passed from userspace. A local
attacker could use this to cause a denial of service (system crash) or
possibly expose sensitive information (kernel memory). (CVE-2023-39189)

Bien Pham discovered that the netfiler subsystem in the Linux kernel
contained a race condition, leading to a use-after-free vulnerability. A
local user could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-4244)

Kyle Zeng discovered that the IPv4 implementation in the Linux kernel did
not properly handle socket buffers (skb) when performing IP routing in
certain circumstances, leading to a null pointer dereference vulnerability.
A privileged attacker could use this to cause a denial of service (system
crash). (CVE-2023-42754)

Yikebaer Aizezi discovered that the ext4 file system implementation in the
Linux kernel contained a use-after-free vulnerability when handling inode
extent metadata. An attacker could use this to construct a malicious ext4
file system image that, when mounted, could cause a denial of service
(system crash). (CVE-2023-45898)

Maxim Levitsky discovered that the KVM nested virtualization (SVM)
implementation for AMD processors in the Linux kernel did not properly
handle x2AVIC MSRs. An attacker in a guest VM could use this to cause a
denial of service (host kernel crash). (CVE-2023-5090)

Jason Wang discovered that the virtio ring implementation in the Linux
kernel did not properly handle iov buffers in some situations. A local
attacker in a guest VM could use this to cause a denial of service (host
system crash). (CVE-2023-5158)

Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel
did not properly handle queue initialization failures in certain
situations, leading to a use-after-free vulnerability. A remote attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2023-5178)

It was discovered that the SMB network file sharing protocol implementation
in the Linux kernel did not properly handle certain error conditions,
leading to a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2023-5345)

Murray McAllister discovered that the VMware Virtual GPU DRM driver in the
Linux kernel did not properly handle memory objects when storing surfaces,
leading to a use-after-free vulnerability. A local attacker in a guest VM
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2023-5633)

Budimir Markovic discovered that the perf subsystem in the Linux kernel did
not properly handle event groups, leading to an out-of-bounds write
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-5717)

Read More

USN-6536-1: Linux kernel vulnerabilities

Read Time:1 Minute, 26 Second

Lucas Leong discovered that the netfilter subsystem in the Linux kernel did
not properly validate some attributes passed from userspace. A local
attacker could use this to cause a denial of service (system crash) or
possibly expose sensitive information (kernel memory). (CVE-2023-39189)

Kyle Zeng discovered that the IPv4 implementation in the Linux kernel did
not properly handle socket buffers (skb) when performing IP routing in
certain circumstances, leading to a null pointer dereference vulnerability.
A privileged attacker could use this to cause a denial of service (system
crash). (CVE-2023-42754)

Yikebaer Aizezi discovered that the ext4 file system implementation in the
Linux kernel contained a use-after-free vulnerability when handling inode
extent metadata. An attacker could use this to construct a malicious ext4
file system image that, when mounted, could cause a denial of service
(system crash). (CVE-2023-45898)

Jason Wang discovered that the virtio ring implementation in the Linux
kernel did not properly handle iov buffers in some situations. A local
attacker in a guest VM could use this to cause a denial of service (host
system crash). (CVE-2023-5158)

Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel
did not properly handle queue initialization failures in certain
situations, leading to a use-after-free vulnerability. A remote attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2023-5178)

Budimir Markovic discovered that the perf subsystem in the Linux kernel did
not properly handle event groups, leading to an out-of-bounds write
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-5717)

Read More

golang-1.20.12-1.fc38

Read Time:13 Second

FEDORA-2023-ace2655259

Packages in this update:

golang-1.20.12-1.fc38

Update description:

This release includes security fixes to the go command, and the net/http and path/filepath packages, as well as bug fixes to the compiler and the go command.

Read More

golang-1.21.5-1.fc39

Read Time:13 Second

FEDORA-2023-e57f5a2301

Packages in this update:

golang-1.21.5-1.fc39

Update description:

This release includes security fixes to the go command, and the net/http and path/filepath packages, as well as bug fixes to the compiler and the go command.

Read More

USN-6535-1: curl vulnerabilities

Read Time:26 Second

Harry Sintonen discovered that curl incorrectly handled mixed case cookie
domains. A remote attacker could possibly use this issue to set cookies
that get sent to different and unrelated sites and domains.
(CVE-2023-46218)

Maksymilian Arciemowicz discovered that curl incorrectly handled long file
names when saving HSTS data. This could result in curl losing HSTS data,
and subsequent requests to a site would be done without it, contrary to
expectations. This issue only affected Ubuntu 23.04 and Ubuntu 23.10.
(CVE-2023-46219)

Read More

Top 29 data security best practices for your enterprise

Read Time:7 Minute, 19 Second

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In this digital era, as data is produced and gathered more than ever before, the importance of data security has surged. Given the widespread use of social media, e-commerce, and other online services, individuals are sharing their personal details with numerous entities.

In this blog, we’ll explore the key concepts of data security and highlight the best practices across various sectors. Many of these safeguarding measures are also mandated by data security legislation and standards. Without any further ado, let’s start discussing data security, its importance, benefits and steps to make your data more secure.

What is data security?

Data security refers to the practice of protecting digital data from unauthorized access, corruption, theft, or loss. It encompasses a wide range of techniques, tools, and measures that ensure data is safe from various threats. Data security is crucial for individuals, businesses, and governments, as it ensures the confidentiality, integrity, and availability of data.

Benefits of data security

Following are the key benefits of data security.

Protect your data – Ensuring your information is safe from both inside and outside threats offers peace of mind. This means you can focus more on advancing your business plans and less on potential data breaches.
Boost your credibility – Companies aiming for lasting collaborations often scrutinize the reputation of their prospective partners. Demonstrating solid data protection practices can also build trust with your clientele.
Meet data security standards – Adopting stringent security protocols ensures you adhere to data protection standards, helping you steer clear of hefty non-compliance penalties.
Minimize legal costs – Proactively securing data is far more cost-effective than addressing the aftermath of a breach. Investing in data security now can save significant expenses related to potential incidents later.
Ensure operational consistency – Strong data security measures pave the way for smooth business operations, decreasing the chances of interruptions that could impact profitability.

Top 29 data security best practices for your organization

Data discovery: Begin by identifying the types and sensitivity of the data your organization holds. This helps determine which data is critical and which must adhere to specific security regulations. By doing this, you’ll have a clear understanding of how to prioritize your data protection.
Limit sensitive data access: All employees don’t require access to all information. Broad access increases the risk of internal breaches and data theft.
Embrace the principle of least privilege (PoLP): Minimize risks by ensuring new accounts start with minimal data access, which can be expanded based on roles, needs, and seniority. This way, sensitive data is less exposed, even if a cyber attacker breaches an account.
Data encryption: With a surge in cyber threats, it’s essential to shield personal data. Encrypting data transforms readable information into coded text, challenging unauthorized users.
Equip with anti-malware: To guard against data breaches from malware, equip your devices with reliable anti-malware software.
Regular vulnerability checks: Since data resides on computers, it’s continuously exposed to potential threats. Keep data safe by routinely assessing and updating your software, mitigating risks of breaches.
Establish a data usage policy: Enhance your data security by implementing a clear policy that outlines the parameters for data access and usage.
Employee security training: While policies are essential, educating your staff on data security practices is equally crucial. Equip them with knowledge about the significance of data security and ways to combat potential threats.
Secure physical data: Not all critical information is digital. For essential documents or data stored on physical devices like USBs, ensure in-office security measures like cameras and ensure workspaces are locked when not in use.
Prioritize strong passwords: Avoid basic passwords as they’re easy prey for hackers. Also, it’s recommended to avoid using one password everywhere as it is tempting but risky. If one account is breached, others become vulnerable. Consider password management tools to generate and store unique passwords for different accounts, bolstering security.
Activate two-factor authentication (2FA): Even the most robust passwords can be breached. Boost your security by enabling 2FA, which provides an extra layer of protection. With 2FA, hackers would need additional personal information or access to your secondary device to breach your account.
Adhere to security regulations: Security standards like HIPAA, PIPEDA, and GDPR exist to safeguard personal data. Companies adhering to these regulations not only win their clients’ trust but also maximize data protection.
Avoid sharing sensitive information via email: Though emails are convenient for communication, they aren’t ideal for transmitting personal details. Emails aren’t encrypted, making them vulnerable during transit. If you need to send personal identifiers, opt for any encrypted file sharing platform.
Opt for secure cloud solutions: Invest in secure cloud services to store and retrieve your data online safely. This way, you can avoid risks associated with USBs or unprotected emails.
Dispose of redundant data: Holding onto data that’s no longer necessary poses a continuous security risk. When specific sensitive information (like PII or PHI) is no longer required, it’s best to remove it. Consider file-shredding tools or systems that auto-delete obsolete files.
Regularly update software: Outdated software can be an open door for security breaches. Ensure you routinely update your software. These updates often contain essential bug fixes, vulnerability patches, and features enhancing data protection.
Keep tabs on third-party data access: Not supervising third-party data access can lead to reputation damage, data breaches, or financial losses. While most vendors are transparent about accessing your data, it’s crucial to track how they gather, use, and disseminate it.
Stay alert to phishing red flags: Phishing remains one of the most common yet easy-to-fall-for cyber threats. It typically involves hackers sending deceptive emails with harmful attachments or impersonating trusted entities to extract personal data. Recognize the signs: odd domain names, suspicious email subjects, and more. Steer clear of unexpected pop-ups, unsolicited emails, and unknown links.
Avoid public Wi-Fi: Public Wi-Fi lacks robust security, making your personal data vulnerable. The next time you’re tempted to peek at your bank account while in a cafe queue, stick to your cellular connection.
Rely on a virtual private network (VPN) when needed: If you must use public Wi-Fi, ensure a VPN shields your device. VPNs not only create a secure connection over public networks but also cloak your IP address, making it tough for hackers to trace your activities. Here you can find more information about securing public Wi-Fi.
Embrace pseudonymization: Endorsed by GDPR, pseudonymization involves stripping data of direct identifiers. Think of it as replacing a person’s full name with a random code. While the data remains functional, tracing it back to an individual becomes extremely challenging. This method substantially lowers the risk during potential data breaches.
Data backups: Always backup your critical data. Ensure backups are conducted regularly and are stored in secure, preferably offsite, locations. Test backup recovery processes to ensure they work when needed.
Incident response plan: Have a clear incident response plan in place for potential data breaches or security issues. This should detail the steps to take immediately after discovering a breach, including communication strategies, containment efforts, and long-term measures.
Network security: Deploy firewalls, intrusion detection systems, and intrusion prevention systems to monitor and control incoming and outgoing network traffic based on predetermined security policies.
Mobile device management: As employees increasingly use personal devices for work purposes, ensure you have policies and tools in place to secure data on these devices. This might include remote wiping capabilities, strong encryption, and ensuring that lost devices don’t lead to data breaches.
Data masking: This involves displaying only a masked version of data, so even if someone has access to a data environment, they can’t view the actual sensitive data. This is particularly useful in non-production environments where developers or testers need to work with data.
Secure data transmission: Ensure that data, when transmitted, is secured using protocols like HTTPS, SFTP, or VPNs, especially when dealing with sensitive information.
Data retention policies: Define clear policies about how long different types of data should be retained and ensure mechanisms for secure and compliant data deletion after this period.
Secure configuration: Ensure that all systems and applications are configured securely by default. Disable unnecessary services, protocols, and ports, and use security benchmarks or guides for hardening.

Conclusion

Data security focuses on safeguarding data throughout its lifecycle, from creation and storage to management and transfer. Internal members of your organization can inadvertently put your data at risk, whether by intentional security breaches, careless handling, or through compromised accounts. It’s advisable to adopt the best practices outlined in this piece to bolster your data security.

Read More

USN-6463-2: Open VM Tools vulnerabilities

Read Time:27 Second

USN-6463-1 fixed vulnerabilities in Open VM Tools. This update provides
the corresponding updates for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

It was discovered that Open VM Tools incorrectly handled SAML tokens. A
remote attacker with Guest Operations privileges could possibly use this
issue to elevate their privileges. (CVE-2023-34058)

Matthias Gerstner discovered that Open VM Tools incorrectly handled file
descriptors when dropping privileges. A local attacker could possibly use
this issue to hijack /dev/uinput and simulate user inputs. (CVE-2023-34059)

Read More