This week, I hosted the seventeenth Workshop on Security and Human Behavior at the Harvard Kennedy School. This is the first workshop since our co-founder, Ross Anderson, died unexpectedly.
SHB is a small, annual, invitational workshop of people studying various aspects of the human side of security. The fifty or so attendees include psychologists, economists, computer security researchers, criminologists, sociologists, political scientists, designers, lawyers, philosophers, anthropologists, geographers, neuroscientists, business school professors, and a smattering of others. It’s not just an interdisciplinary event; most of the people here are individually interdisciplinary.
Our goal is always to maximize discussion and interaction. We do that by putting everyone on panels, and limiting talks to six to eight minutes, with the rest of the time for open discussion. Short talks limit presenters’ ability to get into the boring details of their work, and the interdisciplinary audience discourages jargon.
Since the beginning, this workshop has been the most intellectually stimulating two days of my professional year. It influences my thinking in different and sometimes surprising ways—and has resulted in some new friendships and unexpected collaborations. This is why some of us have been coming back every year for over a decade.
This year’s schedule is here. This page lists the participants and includes links to some of their work. Kami Vaniea liveblogged both days.
Here are my posts on the first, second, third, fourth, fifth, sixth, seventh, eighth, ninth, tenth, eleventh, twelfth, thirteenth, fourteenth, fifteenth and sixteenth SHB workshops. Follow those links to find summaries, papers, and occasionally audio/video recordings of the sessions. Ross maintained a good webpage of psychology and security resources—it’s still up for now.
Next year we will be in Cambridge, UK, hosted by Frank Stajano.
Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not
properly handle certain error conditions, leading to a NULL pointer
dereference. A local attacker could possibly trigger this vulnerability to
cause a denial of service. (CVE-2022-38096)
Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux
kernel contained a race condition during device removal, leading to a use-
after-free vulnerability. A physically proximate attacker could possibly
use this to cause a denial of service (system crash). (CVE-2023-47233)
It was discovered that the ATA over Ethernet (AoE) driver in the Linux
kernel contained a race condition, leading to a use-after-free
vulnerability. An attacker could use this to cause a denial of service or
possibly execute arbitrary code. (CVE-2023-6270)
It was discovered that the Atheros 802.11ac wireless driver did not
properly validate certain data structures, leading to a NULL pointer
dereference. An attacker could possibly use this to cause a denial of
service. (CVE-2023-7042)
It was discovered that the Intel Data Streaming and Intel Analytics
Accelerator drivers in the Linux kernel allowed direct access to the
devices for unprivileged users and virtual machines. A local attacker could
use this to cause a denial of service. (CVE-2024-21823)
Gui-Dong Han discovered that the software RAID driver in the Linux kernel
contained a race condition, leading to an integer overflow vulnerability. A
privileged attacker could possibly use this to cause a denial of service
(system crash). (CVE-2024-23307)
Bai Jiaju discovered that the Xceive XC4000 silicon tuner device driver in
the Linux kernel contained a race condition, leading to an integer overflow
vulnerability. An attacker could possibly use this to cause a denial of
service (system crash). (CVE-2024-24861)
Chenyuan Yang discovered that the Unsorted Block Images (UBI) flash device
volume management subsystem did not properly validate logical eraseblock
sizes in certain situations. An attacker could possibly use this to cause a
denial of service (system crash). (CVE-2024-25739)
It was discovered that the MediaTek SoC Gigabit Ethernet driver in the
Linux kernel contained a race condition when stopping the device. A local
attacker could possibly use this to cause a denial of service (device
unavailability). (CVE-2024-27432)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– ARM32 architecture;
– PowerPC architecture;
– x86 architecture;
– Block layer subsystem;
– ACPI drivers;
– Bluetooth drivers;
– Clock framework and drivers;
– CPU frequency scaling framework;
– Cryptographic API;
– DPLL subsystem;
– ARM SCMI message protocol;
– EFI core;
– GPU drivers;
– InfiniBand drivers;
– IOMMU subsystem;
– LED subsystem;
– Multiple devices driver;
– Media drivers;
– MMC subsystem;
– Network drivers;
– NTB driver;
– NVME drivers;
– PCI subsystem;
– Powercap sysfs driver;
– SCSI drivers;
– Freescale SoC drivers;
– SPI subsystem;
– Media staging drivers;
– Thermal drivers;
– TTY drivers;
– USB subsystem;
– DesignWare USB3 driver;
– VFIO drivers;
– Backlight driver;
– Virtio drivers;
– Xen hypervisor drivers;
– AFS file system;
– File systems infrastructure;
– BTRFS file system;
– debug file system;
– Ext4 file system;
– F2FS file system;
– FAT file system;
– Network file system client;
– NILFS2 file system;
– Overlay file system;
– Pstore file system;
– Diskquota system;
– SMB network file system;
– UBI file system;
– io_uring subsystem;
– BPF subsystem;
– Core kernel;
– Memory management;
– Bluetooth subsystem;
– Networking core;
– HSR network protocol;
– IPv4 networking;
– IPv6 networking;
– MAC80211 subsystem;
– IEEE 802.15.4 subsystem;
– Netfilter;
– Packet sockets;
– Network traffic control;
– Sun RPC protocol;
– ALSA SH drivers;
– SOF drivers;
– USB sound devices;
– KVM core;
(CVE-2024-35822, CVE-2024-26859, CVE-2024-26967, CVE-2024-27053,
CVE-2024-27064, CVE-2024-27437, CVE-2024-26931, CVE-2024-26870,
CVE-2024-26927, CVE-2024-26880, CVE-2024-35789, CVE-2024-26929,
CVE-2024-27034, CVE-2024-26816, CVE-2024-26896, CVE-2024-26975,
CVE-2024-26972, CVE-2024-26937, CVE-2024-27032, CVE-2024-26871,
CVE-2024-26655, CVE-2024-35829, CVE-2024-26886, CVE-2023-52653,
CVE-2024-27028, CVE-2024-26877, CVE-2024-26898, CVE-2024-35796,
CVE-2024-27065, CVE-2024-35807, CVE-2024-26966, CVE-2024-35826,
CVE-2024-27067, CVE-2024-27039, CVE-2024-35811, CVE-2024-26895,
CVE-2024-26814, CVE-2024-26893, CVE-2023-52649, CVE-2024-35801,
CVE-2023-52648, CVE-2024-27048, CVE-2024-26934, CVE-2024-27049,
CVE-2024-26890, CVE-2024-26874, CVE-2022-48669, CVE-2023-52661,
CVE-2024-27436, CVE-2024-27058, CVE-2024-26935, CVE-2024-26956,
CVE-2024-26960, CVE-2024-26976, CVE-2024-27041, CVE-2024-26873,
CVE-2024-26946, CVE-2024-27080, CVE-2024-27432, CVE-2023-52650,
CVE-2024-26879, CVE-2023-52647, CVE-2024-27435, CVE-2024-27038,
CVE-2024-26951, CVE-2024-27390, CVE-2024-26863, CVE-2024-26959,
CVE-2024-35794, CVE-2024-26889, CVE-2024-35845, CVE-2024-27433,
CVE-2024-26961, CVE-2024-35803, CVE-2024-26653, CVE-2024-26939,
CVE-2024-26872, CVE-2024-26979, CVE-2024-26973, CVE-2024-27029,
CVE-2024-35831, CVE-2024-26892, CVE-2024-26888, CVE-2024-27074,
CVE-2024-35844, CVE-2024-26938, CVE-2024-26953, CVE-2024-27391,
CVE-2024-35843, CVE-2024-27040, CVE-2024-26875, CVE-2024-27026,
CVE-2024-26978, CVE-2024-26882, CVE-2023-52652, CVE-2023-52662,
CVE-2024-26963, CVE-2024-26962, CVE-2024-27051, CVE-2024-27068,
CVE-2024-26881, CVE-2024-35800, CVE-2024-26964, CVE-2024-27389,
CVE-2024-27043, CVE-2024-26901, CVE-2024-26941, CVE-2024-35798,
CVE-2024-35799, CVE-2024-26952, CVE-2024-26654, CVE-2024-27046,
CVE-2024-35810, CVE-2024-27050, CVE-2024-27063, CVE-2024-26954,
CVE-2024-26884, CVE-2024-27047, CVE-2024-26932, CVE-2024-26883,
CVE-2024-26943, CVE-2024-26651, CVE-2024-26815, CVE-2024-26948,
CVE-2024-27066, CVE-2024-27037, CVE-2024-35806, CVE-2024-26869,
CVE-2024-26878, CVE-2024-26810, CVE-2024-35797, CVE-2024-27073,
CVE-2024-26812, CVE-2024-26933, CVE-2024-26809, CVE-2024-26894,
CVE-2024-35813, CVE-2024-27033, CVE-2024-26876, CVE-2024-27076,
CVE-2024-27045, CVE-2024-27079, CVE-2024-26861, CVE-2024-26957,
CVE-2024-26864, CVE-2024-26866, CVE-2024-35814, CVE-2024-26813,
CVE-2024-27388, CVE-2024-27042, CVE-2024-26862, CVE-2024-26968,
CVE-2024-26940, CVE-2024-27027, CVE-2024-35793, CVE-2024-35874,
CVE-2024-27035, CVE-2024-26958, CVE-2024-26887, CVE-2024-35809,
CVE-2024-26930, CVE-2024-35819, CVE-2024-27392, CVE-2024-35808,
CVE-2023-52644, CVE-2024-35828, CVE-2024-26657, CVE-2024-26969,
CVE-2024-27434, CVE-2024-35821, CVE-2023-52663, CVE-2024-27078,
CVE-2024-35787, CVE-2024-27044, CVE-2024-26848, CVE-2024-26955,
CVE-2024-26899, CVE-2024-27077, CVE-2024-26897, CVE-2024-26945,
CVE-2024-26885, CVE-2024-27069, CVE-2024-27070, CVE-2024-27054,
CVE-2024-35795, CVE-2024-35817, CVE-2024-35827, CVE-2024-26656,
CVE-2024-26860, CVE-2024-26942, CVE-2023-52659, CVE-2024-26865,
CVE-2024-26868, CVE-2024-26947, CVE-2024-35788, CVE-2024-26950,
CVE-2024-27030, CVE-2024-26949, CVE-2024-26900, CVE-2024-26971,
CVE-2024-35805, CVE-2024-26977, CVE-2024-26944, CVE-2024-27036,
CVE-2024-26965, CVE-2024-26891, CVE-2024-27071, CVE-2024-27075,
CVE-2024-27072, CVE-2024-35830, CVE-2024-27052, CVE-2024-26970,
CVE-2024-27031)
A vulnerability has been discovered in SolarWinds Serv-U that could allow for path transversal that could lead to disclosure of sensitive information. SolarWinds Serv-U is a managed file transfer solution used to store and share files across an enterprise network. It can be hosted on both Windows and Linux-based servers. Successful exploitation of this vulnerability could allow for the disclosure of sensitive information in the context of the files and directories. Depending on the permissions associated with the files, an attacker could view content within them. Files with stricter access controls and file permissions could be less impacted than those without.
tomcat-9.0.89-1.fc40
This update includes a rebase from 9.0.83 to 9.0.89.
#2269611 CVE-2024-24549 tomcat: CVE-2024-24549: Apache Tomcat: HTTP/2 header handling DoS
#2269612 CVE-2024-23672 tomcat: Apache Tomcat: WebSocket DoS with incomplete closing handshake
Multiple vulnerabilities have been discovered in PHP which could allow for remote code execution. PHP is a programming language originally designed for use in web-based applications with HTML content. Successful exploitation could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
A 16-year-old youth has been arrested in France on suspicion of having run a malware-for-rent business.
The unnamed Frenchman, who goes by online handles including “ChatNoir” and “Casquette”, is said to be a key member of the Epsilon hacking group, which has in the recent past stolen millions of records from hackd firms.
Read more in my article on the Hot for Security blog.
galera-26.4.18-1.fc40
mariadb10.11-10.11.8-1.fc40
MariaDB 10.11.8 & Galera 26.4.18
Release notes:
https://mariadb.com/kb/en/mariadb-10-11-7-release-notes/
https://mariadb.com/kb/en/mariadb-10-11-8-release-notes/
The flaw enables attackers to gain control over the AI service by submitting harmful prompts
The US Justice Department has dismantled an enormous botnet:
According to an indictment unsealed on May 24, from 2014 through July 2022, Wang and others are alleged to have created and disseminated malware to compromise and amass a network of millions of residential Windows computers worldwide. These devices were associated with more than 19 million unique IP addresses, including 613,841 IP addresses located in the United States. Wang then generated millions of dollars by offering cybercriminals access to these infected IP addresses for a fee.
[…]
This operation was a coordinated multiagency effort led by law enforcement in the United States, Singapore, Thailand, and Germany. Agents and officers searched residences, seized assets valued at approximately $30 million, and identified additional forfeitable property valued at approximately $30 million. The operation also seized 23 domains and over 70 servers constituting the backbone of Wang’s prior residential proxy service and the recent incarnation of the service. By seizing multiple domains tied to the historical 911 S5, as well as several new domains and services directly linked to an effort to reconstitute the service, the government has successfully terminated Wang’s efforts to further victimize individuals through his newly formed service Clourouter.io and closed the existing malicious backdoors.
The creator and operator of the botnet, YunHe Wang, was arrested in Singapore.
