LSN-0103-1: Kernel Live Patch Security Notice

Read Time:1 Minute, 37 Second

Lonial Con discovered that the netfilter subsystem in the Linux kernel
contained a memory leak when handling certain element flush operations. A
local attacker could use this to expose sensitive information (kernel
memory).(CVE-2023-4569)

Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel did
not properly handle inactive elements in its PIPAPO data structure, leading
to a use-after-free vulnerability. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.(CVE-2023-6817)

It was discovered that a race condition existed in the AppleTalk networking
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code.(CVE-2023-51781)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did
not properly check deactivated elements in certain situations, leading to a
use-after-free vulnerability. A local attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.(CVE-2024-0193)

Lonial Con discovered that the netfilter subsystem in the Linux kernel did
not properly handle element deactivation in certain cases, leading to a
use-after-free vulnerability. A local attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.(CVE-2024-1085)

Notselwyn discovered that the netfilter subsystem in the Linux kernel did
not properly handle verdict parameters in certain cases, leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.(CVE-2024-1086)

In the Linux kernel, the following vulnerability has been
resolved: net: qualcomm: rmnet: fix global oob in rmnet_policy The variable
rmnet_link_ops assign a *bigger* maxtype which leads to a global out-of-
bounds read when parsing the netlink attributes. (CVE-2024-26597)

Read More

USN-6758-1: JSON5 vulnerability

Read Time:18 Second

It was discovered that the JSON5 parse method incorrectly handled the parsing
of keys named __proto__. An attacker could possibly use this issue to pollute
the prototype of the returned object, setting arbitrary or unexpected keys, and
cause a denial of service, allow unintended access to network services or have
other unspecified impact, depending on the application’s use of the module.

Read More

Volatile Data Acquisition from Live Linux Systems: Part I

Read Time:3 Minute, 43 Second

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In the domain of digital forensics, volatile data assumes a paramount role, characterized by its ephemeral nature. Analogous to fleeting whispers in a bustling city, volatile data in Linux systems resides transiently within the Random Access Memory (RAM), encapsulating critical system configurations, active network connections, running processes, and traces of user activities. Once a Linux machine powers down, this ephemeral reservoir of information dissipates swiftly, rendering it irretrievable.

Recognizing the significance of timely incident response and the imperative of constructing a detailed timeline of events, this blog embarks on an exhaustive journey, delineating a systematic approach fortified with best practices and indispensable tools tailored for the acquisition of volatile data within the Linux ecosystem.

Conceptually, volatile data serves as a mirror reflecting the real-time operational landscape of a system. It embodies a dynamic tapestry of insights, ranging from system settings and network connectivity to program execution and user interactions. However, the transient nature of this data necessitates proactive measures to capture and analyse it before it evaporates into the digital void.

In pursuit of elucidating this intricate process, we delve into a meticulous exploration, elucidating each facet with precision and clarity. Through a curated synthesis of established methodologies and cutting-edge tools, we equip forensic practitioners with the requisite knowledge and skills to navigate the complexities of volatile data acquisition in live Linux environments.

Join us as we unravel the intricacies of digital forensics, embark on a journey of discovery, and empower ourselves with the tools and techniques necessary to unlock the secrets concealed within live Linux systems.

Before proceeding, it’s vital to grasp what volatile data encompasses and why it’s so important in investigations:

System Essentials:

Hostname: Identifies the system ·
Date and Time: Contextualizes events ·
Timezone: Helps correlate activities across regions
Uptime: Reveals system state duration

Network Footprint:

Network Interfaces: Active connections and configurations
Open Ports: Potential entry points and services exposed
Active Connections: Shows live communication channels

Process Ecosystem:

Running Processes: Active programs and their dependencies
Process Memory: May uncover hidden execution or sensitive data

Open Files:

Accessed Files: Sheds light on user actions
Deleted Files: Potential evidence recovery point

Kernel Insights

Loaded Modules: Core extensions and potential rootkits
Kernel Ring Buffers (dmesg): Reveals driver or hardware events

User Traces

Login History: User activity tracking
Command History: Executed commands provide insights

Before diving into the acquisition process, it’s essential to equip yourself with the necessary tools and commands for gathering volatile data effectively, for purpose of demonstration I will be using Linux Mint:

Hostname, Date, and Time:

hostname: Retrieves the system’s hostname.

date: Displays the current date and time.

cat /etc/timezone:

Shows the system’s timezone configuration.

System Uptime:

uptime: Provides information on system uptime since the last restart.

Network Footprint:

ip addr show: Lists active network interfaces and their configurations.

netstat -rn: Displays routing tables, aiding in understanding network connections.

Open Ports and Active Connections:

netstat -tulpn: Lists open TCP and UDP ports along with associated processes.

lsof -i -P -n | grep LISTEN: Identifies processes listening on open ports.

Running Processes and Memory:

ps aux: Lists all running processes, including their details.

/proc//maps: Accesses memory mappings for a specific process, revealing potentially sensitive information.

Open Files:

lsof: Lists all open files and their associated processes.

/proc//fd/: Provides information about file descriptors for a specific process. To utilise this, we can take pid’s from ps aux utility used above. In the below snapshot I used cd /proc/27/fd |ls -l

Kernel Insights:

lsmod: Lists loaded kernel modules, including potential rootkits.

dmesg: Displays kernel ring buffer messages, uncovering hardware or driver events.

User Activity:

/var/log/auth.log: Contains user login history.

~/.bash_history: Stores command history for each user, offering insights into executed commands.

It is advisable to try and test the given commands and corelate the findings to understand the Linux volatile memory in depth. Armed with this understanding and equipped with the necessary commands and tools, forensic investigators can proceed with the acquisition of volatile data from live Linux systems. In the next blog post, we will explore how to perform acquisition using the Volatility framework and other tools on linux machines, further enhancing our forensic capabilities. Stay tuned for more insights into the fascinating world of digital forensics!

Read More

chromium-124.0.6367.91-1.fc40

Read Time:17 Second

FEDORA-2024-0539d2c8b0

Packages in this update:

chromium-124.0.6367.91-1.fc40

Update description:

update to 124.0.6367.91

update to 124.0.6367.78

* Critical CVE-2024-4058: Type Confusion in ANGLE
* High CVE-2024-4059: Out of bounds read in V8 API
* High CVE-2024-4060: Use after free in Dawn

Read More

chromium-124.0.6367.91-1.el9

Read Time:1 Minute, 6 Second

FEDORA-EPEL-2024-68b6d0dafe

Packages in this update:

chromium-124.0.6367.91-1.el9

Update description:

update to 124.0.6367.91

update to 124.0.6367.78

* Critical CVE-2024-4058: Type Confusion in ANGLE
* High CVE-2024-4059: Out of bounds read in V8 API
* High CVE-2024-4060: Use after free in Dawn

update to 124.0.6367.60

High CVE-2024-3832: Object corruption in V8
High CVE-2024-3833: Object corruption in WebAssembly
High CVE-2024-3914: Use after free in V8
High CVE-2024-3834: Use after free in Downloads
Medium CVE-2024-3837: Use after free in QUIC
Medium CVE-2024-3838: Inappropriate implementation in Autofill
Medium CVE-2024-3839: Out of bounds read in Fonts
Medium CVE-2024-3840: Insufficient policy enforcement in Site Isolation
Medium CVE-2024-3841: Insufficient data validation in Browser Switcher
Medium CVE-2024-3843: Insufficient data validation in Downloads
Low CVE-2024-3844: Inappropriate implementation in Extensions
Low CVE-2024-3845: Inappropriate implementation in Network
Low CVE-2024-3846: Inappropriate implementation in Prompts
Low CVE-2024-3847: Insufficient policy enforcement in WebUI

update to 123.0.6312.122

High CVE-2024-3157: Out of bounds write in Compositing
High CVE-2024-3516: Heap buffer overflow in ANGLE
High CVE-2024-3515: Use after free in Dawn

Read More