USN-6956-1: Linux kernel (Azure) vulnerabilities

Benedict Schlüter, Supraja Sridhara, Andrin Bertschi, and Shweta Shinde
discovered that an untrusted hypervisor could inject malicious #VC
interrupts and compromise the security guarantees of AMD SEV-SNP. This flaw
is known as WeSee. A local attacker in control of the hypervisor could use
this to expose sensitive information or possibly execute arbitrary code in
the trusted execution environment. (CVE-2024-25742)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– ARM32 architecture;
– ARM64 architecture;
– Block layer subsystem;
– Bluetooth drivers;
– Clock framework and drivers;
– FireWire subsystem;
– GPU drivers;
– InfiniBand drivers;
– Multiple devices driver;
– EEPROM drivers;
– Network drivers;
– Pin controllers subsystem;
– Remote Processor subsystem;
– S/390 drivers;
– SCSI drivers;
– TTY drivers;
– 9P distributed file system;
– Network file system client;
– SMB network file system;
– Socket messages infrastructure;
– Dynamic debug library;
– Bluetooth subsystem;
– Networking core;
– IPv4 networking;
– IPv6 networking;
– Multipath TCP;
– Netfilter;
– NSH protocol;
– Phonet protocol;
– TIPC protocol;
– Wireless networking;
– Key management;
– ALSA framework;
– HD-audio driver;
(CVE-2024-36933, CVE-2024-36960, CVE-2024-26936, CVE-2024-36975,
CVE-2023-52882, CVE-2024-27401, CVE-2024-36929, CVE-2024-36939,
CVE-2024-35947, CVE-2024-36883, CVE-2024-26886, CVE-2024-36952,
CVE-2024-36950, CVE-2024-36940, CVE-2024-36897, CVE-2023-52585,
CVE-2024-26900, CVE-2024-36959, CVE-2024-36928, CVE-2024-36938,
CVE-2024-36016, CVE-2024-36965, CVE-2024-36967, CVE-2024-36889,
CVE-2024-36905, CVE-2024-36969, CVE-2024-36916, CVE-2024-36954,
CVE-2024-27017, CVE-2024-36941, CVE-2024-36957, CVE-2024-27399,
CVE-2024-36937, CVE-2024-36955, CVE-2024-38600, CVE-2023-52752,
CVE-2024-36953, CVE-2024-26980, CVE-2024-36902, CVE-2024-26952,
CVE-2024-36904, CVE-2024-36964, CVE-2024-36946, CVE-2024-36880,
CVE-2024-36906, CVE-2024-36947, CVE-2024-36886, CVE-2024-36934,
CVE-2024-35848, CVE-2024-36919, CVE-2024-36017, CVE-2024-36944,
CVE-2024-36931, CVE-2024-27398)

USN-6955-1: Linux kernel (OEM) vulnerabilities

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– ARM32 architecture;
– ARM64 architecture;
– M68K architecture;
– OpenRISC architecture;
– PowerPC architecture;
– RISC-V architecture;
– x86 architecture;
– Block layer subsystem;
– Accessibility subsystem;
– Bluetooth drivers;
– Clock framework and drivers;
– CPU frequency scaling framework;
– Hardware crypto device drivers;
– DMA engine subsystem;
– DPLL subsystem;
– FireWire subsystem;
– EFI core;
– Qualcomm firmware drivers;
– GPIO subsystem;
– GPU drivers;
– Microsoft Hyper-V drivers;
– InfiniBand drivers;
– IOMMU subsystem;
– IRQ chip drivers;
– Macintosh device drivers;
– Multiple devices driver;
– Media drivers;
– EEPROM drivers;
– MMC subsystem;
– Network drivers;
– STMicroelectronics network drivers;
– Device tree and open firmware driver;
– HiSilicon SoC PMU drivers;
– PHY drivers;
– Pin controllers subsystem;
– Remote Processor subsystem;
– S/390 drivers;
– SCSI drivers;
– SPI subsystem;
– Media staging drivers;
– Thermal drivers;
– Userspace I/O drivers;
– USB subsystem;
– DesignWare USB3 driver;
– ACRN Hypervisor Service Module driver;
– Virtio drivers;
– 9P distributed file system;
– BTRFS file system;
– eCrypt file system;
– EROFS file system;
– File systems infrastructure;
– GFS2 file system;
– JFFS2 file system;
– Network file systems library;
– Network file system client;
– Network file system server daemon;
– NILFS2 file system;
– Proc file system;
– SMB network file system;
– Tracing file system;
– Mellanox drivers;
– Memory management;
– Socket messages infrastructure;
– Slab allocator;
– Tracing infrastructure;
– User-space API (UAPI);
– Core kernel;
– BPF subsystem;
– DMA mapping infrastructure;
– RCU subsystem;
– Dynamic debug library;
– KUnit library;
– Maple Tree data structure library;
– Heterogeneous memory management;
– Amateur Radio drivers;
– Bluetooth subsystem;
– Ethernet bridge;
– Networking core;
– IPv4 networking;
– IPv6 networking;
– Multipath TCP;
– Netfilter;
– NET/ROM layer;
– NFC subsystem;
– NSH protocol;
– Open vSwitch;
– Phonet protocol;
– SMC sockets;
– TIPC protocol;
– Unix domain sockets;
– Wireless networking;
– Key management;
– ALSA framework;
– HD-audio driver;
– Kirkwood ASoC drivers;
– MediaTek ASoC drivers;
(CVE-2024-35987, CVE-2024-36931, CVE-2024-38614, CVE-2024-35857,
CVE-2024-36949, CVE-2024-38599, CVE-2024-35994, CVE-2024-35849,
CVE-2024-36916, CVE-2024-38590, CVE-2024-36944, CVE-2024-38561,
CVE-2024-38538, CVE-2024-36017, CVE-2024-38593, CVE-2024-36028,
CVE-2024-36960, CVE-2024-36002, CVE-2024-36967, CVE-2024-36898,
CVE-2024-35989, CVE-2024-36975, CVE-2024-38578, CVE-2024-38582,
CVE-2024-38588, CVE-2024-38579, CVE-2024-38617, CVE-2024-36901,
CVE-2024-38550, CVE-2023-52882, CVE-2024-38603, CVE-2024-38620,
CVE-2024-36956, CVE-2024-36880, CVE-2024-36895, CVE-2024-36979,
CVE-2024-36887, CVE-2024-27396, CVE-2024-27400, CVE-2024-36952,
CVE-2024-36886, CVE-2024-36905, CVE-2024-36883, CVE-2024-38540,
CVE-2024-38605, CVE-2024-36029, CVE-2024-36934, CVE-2024-27395,
CVE-2024-36000, CVE-2024-38549, CVE-2024-35999, CVE-2024-38585,
CVE-2024-38589, CVE-2024-38565, CVE-2024-36917, CVE-2024-36930,
CVE-2024-36940, CVE-2024-36900, CVE-2024-35850, CVE-2024-38592,
CVE-2024-38553, CVE-2024-36929, CVE-2024-36915, CVE-2024-36004,
CVE-2024-38573, CVE-2024-36941, CVE-2024-38607, CVE-2024-36009,
CVE-2024-27398, CVE-2024-36909, CVE-2024-35848, CVE-2024-36950,
CVE-2024-38564, CVE-2024-36947, CVE-2024-38613, CVE-2024-38570,
CVE-2024-38612, CVE-2024-38580, CVE-2024-38557, CVE-2024-36959,
CVE-2024-27399, CVE-2024-41011, CVE-2024-36928, CVE-2024-38543,
CVE-2024-38541, CVE-2024-38583, CVE-2024-35855, CVE-2024-38611,
CVE-2024-36891, CVE-2024-38587, CVE-2024-35851, CVE-2024-38546,
CVE-2024-38596, CVE-2024-35998, CVE-2024-35991, CVE-2024-36965,
CVE-2024-36925, CVE-2024-36894, CVE-2024-38567, CVE-2024-38572,
CVE-2024-36882, CVE-2024-38594, CVE-2024-38563, CVE-2024-38616,
CVE-2024-36951, CVE-2024-36005, CVE-2024-42134, CVE-2024-38602,
CVE-2024-36014, CVE-2024-38601, CVE-2024-36001, CVE-2024-38575,
CVE-2024-27401, CVE-2024-36961, CVE-2024-38576, CVE-2024-36935,
CVE-2024-36893, CVE-2024-38562, CVE-2024-36904, CVE-2024-36939,
CVE-2024-38591, CVE-2024-38539, CVE-2024-36030, CVE-2024-36920,
CVE-2024-39482, CVE-2024-36977, CVE-2024-36013, CVE-2024-35856,
CVE-2024-36922, CVE-2024-36033, CVE-2024-35859, CVE-2024-36919,
CVE-2024-35846, CVE-2024-36913, CVE-2024-35854, CVE-2024-36924,
CVE-2024-38547, CVE-2024-38551, CVE-2024-36899, CVE-2024-36932,
CVE-2024-38545, CVE-2024-36966, CVE-2024-36911, CVE-2024-36946,
CVE-2024-36906, CVE-2024-38595, CVE-2024-36012, CVE-2024-38552,
CVE-2024-36933, CVE-2024-36936, CVE-2024-38548, CVE-2024-38558,
CVE-2024-36006, CVE-2024-36908, CVE-2024-36892, CVE-2024-35988,
CVE-2024-35993, CVE-2024-36914, CVE-2024-36896, CVE-2024-38615,
CVE-2024-36890, CVE-2024-36969, CVE-2024-38559, CVE-2024-36964,
CVE-2024-38560, CVE-2024-38574, CVE-2024-36962, CVE-2024-38542,
CVE-2024-36926, CVE-2024-36968, CVE-2024-36032, CVE-2024-38544,
CVE-2024-36938, CVE-2024-38597, CVE-2024-38577, CVE-2024-36958,
CVE-2024-36945, CVE-2024-36943, CVE-2024-38610, CVE-2024-36927,
CVE-2024-38554, CVE-2024-38555, CVE-2024-36031, CVE-2024-36011,
CVE-2024-38569, CVE-2024-35847, CVE-2024-36921, CVE-2024-38606,
CVE-2024-35949, CVE-2024-35947, CVE-2024-36889, CVE-2024-36884,
CVE-2024-36954, CVE-2024-36902, CVE-2024-36007, CVE-2024-38586,
CVE-2024-36918, CVE-2024-38571, CVE-2024-36955, CVE-2024-36888,
CVE-2024-38556, CVE-2024-38604, CVE-2024-27394, CVE-2024-38600,
CVE-2024-35983, CVE-2024-38568, CVE-2024-38566, CVE-2024-35853,
CVE-2024-35858, CVE-2024-36910, CVE-2024-36903, CVE-2024-36881,
CVE-2024-36937, CVE-2024-36957, CVE-2024-36912, CVE-2024-36948,
CVE-2024-36953, CVE-2024-35996, CVE-2024-36963, CVE-2024-36923,
CVE-2024-35852, CVE-2024-38598, CVE-2024-36003, CVE-2024-35986,
CVE-2024-38584)

Taxonomy of Generative AI Misuse

Interesting paper: “Generative AI Misuse: A Taxonomy of Tactics and Insights from Real-World Data”:

Generative, multimodal artificial intelligence (GenAI) offers transformative potential across industries, but its misuse poses significant risks. Prior research has shed light on the potential of advanced AI systems to be exploited for malicious purposes. However, we still lack a concrete understanding of how GenAI models are specifically exploited or abused in practice, including the tactics employed to inflict harm. In this paper, we present a taxonomy of GenAI misuse tactics, informed by existing academic literature and a qualitative analysis of approximately 200 observed incidents of misuse reported between January 2023 and March 2024. Through this analysis, we illuminate key and novel patterns in misuse during this time period, including potential motivations, strategies, and how attackers leverage and abuse system capabilities across modalities (e.g. image, text, audio, video) in the wild.

Blog post. Note the graphic mapping goals with strategies.

Why DCAP is Essential for Modern Data Security (A Closer Look)

The content of this post is solely the responsibility of the author.  LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Almost every company has a system for organizing file storage, which employees use regularly. Streamlining data storage in a corporate environment is not just about improving business processes; it is also about ensuring security. It is challenging to protect data if you do not know where it is stored, what it contains, its value, who owns it, who has access to it, and what its most significant threats are. This is where Data-Centric Audit and Protection (DCAP) systems come into play.

The Role of DCAP in Data Security

Data-Centric Audit and Protection (DCAP) is a security approach whose primary objective is protecting the data itself. Often, the goal of DCAP is to safeguard data at rest that is not being actively processed. This method uses content-based access control, prioritizing the content of a file rather than the file system object that holds it.

Frequent news about data breaches often stems from violations of sensitive data storage laws. This is a very common occurrence. Data is constantly in motion and being reorganized, which is a typical part of business operations. For example, a company might add new drives, copy data, forget to delete or export it, and so on. DCAP helps identify such cases, control the storage of sensitive data, and manage it effectively within the organization. Moreover, every organization now must conduct a thorough audit of its handling of personal data, which is impossible without a DCAP. By implementing DCAP, organizations can showcase their strong security posture, which can help them when applying for cyber insurance or meeting compliance requirements.

The Five Stages of Data-Centric Audit and Protection

It makes sense to divide the work of a DCAP system into several interconnected stages, during which the system identifies violations of corporate policies and helps to eliminate them.

1. Data Collection

A DCAP system can monitor data on file servers, local hosts, and shared folders. It integrates with information from Active Directory and other sources. While DCAP can gather information over the network and parse logs from other systems, its primary method of data collection is through agents installed on workstations, servers, and network storage. The completeness and quality of this original data are crucial for effective auditing and secure storage of information.

2. Data Classification and Sorting

After scanning the sources, DCAP classifies the information to identify data that may be valuable to the company. It uses over a dozen content analysis technologies, such as dictionaries, morphology, digital fingerprints, the Bayesian method, and others, to accurately classify the information.

3. Analysis

Classification is just the foundation for collecting information security events and identifying threats. During the information collection stage, DCAP records access rights for each object in its database. This allows it to identify common risks, such as documents with shared access or unusual sets of permissions. DCAP can determine the real owners of files, highlight frequent users of specific data, and identify areas with redundant access.

Dynamic analysis offers even more capabilities: it monitors changes, movements, and openings of documents containing critical data, as well as modifications to access rights for documents or folders and the creation or alteration of permissions. These events, along with many others, are not only recorded by the system but also evaluated for information security risks.

4. Response

DCAP offers several response options. At a basic level, it can send notifications through various channels. Additionally, the DCAP system can execute scripts and transmit data to external systems.

In addition to the standard response functions, DCAP systems can offer expanded capabilities, such as shadow copying of data. This means that the security officer not only receives a record of the incident but also a complete copy of the data related to the event. This allows for a quick assessment of the incident’s severity and enables immediate action if necessary.

DCAP can block a user’s account if there is reason to believe it has been compromised. A similar approach is applied to identified threats. DCAP owners do not need external tools, as DCAP includes its own incident response module, where information about the incident can be sent for analysis. Incident response can be automated based on pre-defined rules or triggered by anomaly detection. Here, DCAP could potentially integrate AI capabilities to enable even faster and more sophisticated incident response capabilities.

5. Reporting

A good DCAP system includes a well-developed reporting feature, complete with a convenient dashboard featuring tables and graphic widgets. Users typically have access to several dozen preset reports covering all necessary aspects of the collected database. Each template can be customized to meet individual needs. If further customization is required, users can create their own reports from scratch using the report designer.
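As an added illustration of stages 2 and 3 above, the following Python script is not code from the article or from any DCAP product; it runs dictionary, pattern and digital-fingerprint classification over a constructed file inventory, then applies the analysis rules the article names: sensitive content exposed to a broad principal, the "real owner" inferred from access frequency, and groups holding redundant permissions. Every path, user, group, ACL and document text is constructed sample data, and the directory-service group membership is a hypothetical import.

```python
"""Toy DCAP classification + analysis stages (added example, constructed data)."""
import hashlib
import re
from collections import Counter, defaultdict

# Constructed inventory, as a collection agent might report it:
# path, owner recorded by the file system, ACL (principal -> rights), extracted text.
FILES = [
    {"path": "/srv/hr/payroll_2024.xlsx", "fs_owner": "svc_backup",
     "acl": {"Everyone": "read", "hr_team": "write"},
     "content": "Employee salary bank account IBAN DE89370400440532013000"},
    {"path": "/srv/sales/pitch.pptx", "fs_owner": "alice",
     "acl": {"sales": "write"},
     "content": "Q3 roadmap and pricing tiers"},
    {"path": "/srv/legal/contract_copy.docx", "fs_owner": "bob",
     "acl": {"legal": "write", "sales": "read", "marketing": "read"},
     "content": "CONFIDENTIAL non-disclosure agreement between parties"},
]

# Constructed access log (user, path), as dynamic analysis would record file openings.
ACCESS_LOG = [
    ("carol", "/srv/hr/payroll_2024.xlsx"),
    ("carol", "/srv/hr/payroll_2024.xlsx"),
    ("dave", "/srv/hr/payroll_2024.xlsx"),
    ("alice", "/srv/sales/pitch.pptx"),
    ("bob", "/srv/legal/contract_copy.docx"),
    ("erin", "/srv/legal/contract_copy.docx"),
]

# Hypothetical group membership imported from a directory service (constructed).
GROUPS = {
    "hr_team": {"carol", "dave"},
    "sales": {"alice", "erin"},
    "legal": {"bob"},
    "marketing": {"frank"},
}

# Stage 2 inputs: keyword dictionaries, a pattern detector, and registered fingerprints.
DICTIONARY = {
    "hr": {"salary", "payroll", "employee"},
    "legal": {"confidential", "non-disclosure", "agreement"},
}
PATTERNS = {"iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")}
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}


def fingerprint(text):
    """Digital fingerprint: hash of whitespace- and case-normalised text."""
    normalised = " ".join(text.lower().split())
    return hashlib.sha256(normalised.encode()).hexdigest()


# Fingerprint of a known protected document, registered ahead of scanning (constructed).
KNOWN_FINGERPRINTS = {
    fingerprint("CONFIDENTIAL non-disclosure agreement between parties"): "nda_master",
}


def classify(content):
    """Stage 2: return the set of labels that apply to a document's text."""
    labels = set()
    words = set(re.findall(r"[a-z-]+", content.lower()))
    for label, terms in DICTIONARY.items():
        if words & terms:
            labels.add(label)
    for label, pattern in PATTERNS.items():
        if pattern.search(content):
            labels.add(label)
    known = KNOWN_FINGERPRINTS.get(fingerprint(content))
    if known:
        labels.add("fingerprint:" + known)
    return labels


def audit(files=FILES, access_log=ACCESS_LOG, groups=GROUPS):
    """Stage 3: derive findings from classification, ACLs and access history."""
    users_by_path = defaultdict(Counter)
    for user, path in access_log:
        users_by_path[path][user] += 1

    findings = []
    for f in files:
        labels = classify(f["content"])
        if not labels:
            continue  # only files holding sensitive content produce findings
        path, counts = f["path"], users_by_path[f["path"]]
        # Sensitive content reachable through a broad principal ("shared access").
        for principal in f["acl"]:
            if principal in BROAD_PRINCIPALS:
                findings.append({"type": "shared_access", "path": path,
                                 "principal": principal, "labels": sorted(labels)})
        # Real owner = most frequent reader; flag when it differs from the fs owner.
        if counts:
            real_owner = counts.most_common(1)[0][0]
            if real_owner != f["fs_owner"]:
                findings.append({"type": "owner_mismatch", "path": path,
                                 "fs_owner": f["fs_owner"], "real_owner": real_owner})
        # Redundant access: a group holds rights but none of its members ever opened the file.
        for principal in f["acl"]:
            members = groups.get(principal)
            if members is not None and not (members & set(counts)):
                findings.append({"type": "redundant_access", "path": path,
                                 "principal": principal})
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Running the script reports three findings on the constructed data: the payroll sheet is readable by Everyone and is really used by carol rather than the backup service account that owns it, and the marketing group holds read rights on the contract copy that none of its members have exercised. A real system would replace the inline data with agent scans, directory queries and an event store, but the rules themselves are the same ones the article lists.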

Technical Aspects of DCAP Implementation

Experience shows that even large IT companies often avoid writing their own software for specific tasks. Instead, they typically turn to highly specialized organizations for ready-made solutions. They receive an out-of-the-box tool that includes custom scripts tailored to their specific needs. The pilot project helps better evaluate these needs and plan the exact implementation configuration.

Modern DCAP systems support both hardware and software storage, primarily focusing on local storage. The choice of the physical form of storage is not as important; what matters is that all data is comprehensively covered and protected.

DCAP systems collect metadata, including standard metadata contained within files and specific metadata for formats like DOC, XLS, and JPG. DCAP owners often request vendor support for file marks, such as watermarks, which DCAP systems must be able to detect.

A sound DCAP system stores metadata in the most efficient and compressed way, and it supports the option to upload data. The archive of events for a year occupies a fixed amount of space. It is important to note that the files themselves are not stored; only metadata, links, and tags are kept. The disk space consumed by a DCAP database can be easily scaled.

DCAP can also track access rights to other systems and sites, as well as audit data usage, such as who opened which files, from where, and in what context the user interacts with the data. This creates a comprehensive view of user actions displayed in an easy-to-use interface. Additionally, DCAP is an effective countermeasure against ransomware, as it reduces the attack surface by strictly limiting data access.

DCAP integrates with various systems, depending on the customer’s needs. Basic information is collected from the infrastructure, such as files, accounts, and events. The rest depends on the specific tasks and cases. This data can be sent to a SIEM or access control system or retrieved from them. Integration with DLP and other systems is also supported by most vendors.

Experts highlight the importance of this integration as well as the acquisition of external data to enrich the information already collected by DCAP. The more data sources DCAP supports, the more complete and clear the picture becomes.

DCAP is very flexible, capable of sending and receiving data from various systems and processing it based on specific cases. At the same time, the system consistently works accurately without disrupting business processes.

Trends and Future Directions in DCAP Development

Today, many customers purchase DCAP but only use about half of its capabilities because they lack the resources to quickly prepare the entire infrastructure, resulting in a gradual implementation process. Increased automation and higher customer maturity are anticipated, as DCAP systems are a crucial part of a company’s cyber defense.

The market is evolving towards automation, aiming for a “one button” solution that, when pressed, ensures everything is correctly configured. Over time, DCAP will likely incorporate all DLP features and transition entirely to cloud services. Eventually, DCAP functions may be integrated into the operating system, much like firewalls and antivirus software have been.

Conclusion

DCAP systems implement “zero trust” policies, rights minimization, and auditing of access and information flows. They enable professional, competent classification of any type of data. By collecting data from various sources, DCAP identifies and highlights problems and anomalies that are not visible in other systems. This ensures order in the company’s infrastructure and a transparent organization of employees’ interaction with valuable data. DCAP reveals the actual state of the infrastructure and the ideal order. If all recommendations are followed and risks are mitigated, the attack surface is significantly reduced.
