firecracker-1.6.0-4.fc40 libkrun-1.7.2-2.fc40 rust-event-manager-0.4.0-1.fc40 rust-kvm-bindings-0.7.0-1.fc40 rust-kvm-ioctls-0.16.0-1.fc40 rust-linux-loader-0.10.0-2.fc40 rust-userfaultfd-0.8.1-1.fc40 rust-versionize-0.2.0-1.fc40 rust-vhost-0.10.0-1.fc40 rust-vhost-user-backend-0.13.1-1.fc40 rust-virtio-queue-0.11.0-1.fc40 rust-vm-memory-0.14.0-1.fc40 rust-vm-superio-0.7.0-3.fc40 rust-vmm-sys-util-0.12.1-1.fc40 virtiofsd-1.10.0-1.fc40

Read Time:40 Second

FEDORA-2024-9974808629

Packages in this update:

firecracker-1.6.0-4.fc40
libkrun-1.7.2-2.fc40
rust-event-manager-0.4.0-1.fc40
rust-kvm-bindings-0.7.0-1.fc40
rust-kvm-ioctls-0.16.0-1.fc40
rust-linux-loader-0.10.0-2.fc40
rust-userfaultfd-0.8.1-1.fc40
rust-versionize-0.2.0-1.fc40
rust-vhost-0.10.0-1.fc40
rust-vhost-user-backend-0.13.1-1.fc40
rust-virtio-queue-0.11.0-1.fc40
rust-vm-memory-0.14.0-1.fc40
rust-vmm-sys-util-0.12.1-1.fc40
rust-vm-superio-0.7.0-3.fc40
virtiofsd-1.10.0-1.fc40

Update description:

Update rust-vmm components and their consumers to address CVE-2023-50711

Read More

Cybersecurity for Industrial Control Systems: Best practices 

Read Time:4 Minute, 24 Second

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Network segmentation, software patching, and continual threats monitoring are key cybersecurity best practices for Industrial Control Systems (ICS). Although ICSs significantly improve health and safety by automating dangerous tasks, facilitating remote monitoring and control, and activating safety protocols in the case of emergency, they’re increasingly exposed to cybersecurity threats. In 2022, there was a 2,000% increase in adversarial reconnaissance targeting Modbus/TCP port 502 — a widely-used industrial protocol — allowing malicious actors to exploit vulnerabilities in operational technology systems. Fortunately, by taking steps to improve and maintain ICS cybersecurity, manufacturers can successfully reduce the attack surface of their critical infrastructure and keep threats (including phishing, denial-of-service attacks, ransomware, and malware) at bay. 

ICS cyberattacks on the rise 

ICS cyberattacks are on the rise, with almost 27% of ICS systems affected by malicious objects in the second quarter of 2023, data from Kaspersky reveals. Cyberattacks have the power to devastate ICS systems, damage equipment and infrastructure, disrupt business, and endanger health and safety. For example, the U.S. government has warned of a malware strain called Pipedream: “a modular ICS attack framework that contains several components designed to give threat actors control of such systems, and either disrupt the environment or disable safety controls”. Although Pipedream has the ability to devastate industrial systems, it fortunately hasn’t yet been used to that effect. And, last year, a notorious hacking group called Predatory Sparrow launched a cyberattack on an Iranian steel manufacturer, resulting in a serious fire. In addition to causing equipment damage, the hackers caused a malfunctioning foundry to start spewing hot molten steel and fire. This breach only highlights the importance of safety protocols in the manufacturing and heavy industry sectors. By leveraging the latest safety tech and strengthening cybersecurity, safety, security, and operational efficiency can all be improved.

Segment networks

By separating critical systems from the internet and other non-critical systems, network segmentation plays a key role in improving ICS cybersecurity. Network segmentation is a security practice that divides a network into smaller, distinct subnetworks based on security level, functionality, or access control, for example. As a result, you can effectively prevent attacker lateral movement within your network — this is a common way hackers disguise themselves as legitimate users and their activities as expected traffic, making it hard to spot this method. Network segmentation also lets you create tailored and unique security policies and controls for each segment based on their defined profile. Each individual segment is therefore adequately protected. And, since network segmentation also provides you with increased visibility in terms of network activity, you’re also better able to spot and respond to problems with greater speed and efficiency. 

When it comes to effective network segmentation methods, these can be based either on physical boundaries — involving physical infrastructure like network hardware, routers, and firewalls — or logical boundaries established via logical means like virtual local area networks (VLANs), access control lists (ACLs), and virtual private networks (VPNs). To simplify the management of firewall rules, in particular, network teams should use different firewalls, particularly instead of dealing with numerous applications in one firewall — something that quickly becomes complicated and difficult to maintain. By opting to use separate firewalls based on virtual machine implementations, you can streamline and simplify the set rules for each firewall. In turn, you can facilitate easier auditing, and make it easier to change outdated rules when needed. 

Regularly patch and update software

Patching and updating software involves improving or repairing software to optimize performance and get rid of bugs and vulnerabilities. In addition to minimizing risk of cyberattack, software patches and updates can also ensure regulatory compliance, therefore helping you avoid fines and sanctions. When it comes to software patching best practices for ICS, it’s important to stay up-to-date with the latest vendor releases. The newest releases are designed to address newly-discovered security risks, allowing you to better protect your systems. Establishing a regular, scheduled patching cycle for ICS systems also helps ensure patches are applied on a consistent basis, further minimizing security vulnerabilities. You can also schedule downtime as needed in order to apply patches or updates without disrupting operations. 

Threats monitoring

Cyber threats are constantly evolving, which means ICS threats monitoring needs to be ongoing — you need to be able to quickly spot and respond to emerging threats before they have a chance to exploit vulnerabilities. Minimizing dwell times — the amount of time a malicious agent has access to a compromised system before detection — also works to limit potential damage and destruction. So, be sure to implement anomaly detection algorithms tailored to the unique needs of your ICS system. Designed to maintain operational stability, control loops should be paid particular consideration here. A baseline of expected behavior within control loops should be established, in turn making it easier to detect anomalies. 

By facilitating remote monitoring and control, automating dangerous tasks, and activating safety protocols, ICSs significantly improve health and safety in the manufacturing industry. By taking steps to strengthen cybersecurity, you can successfully keep ICS cyberthreats at bay.  

Read More

USN-6609-1: Linux kernel vulnerabilities

Read Time:1 Minute, 33 Second

Lin Ma discovered that the netfilter subsystem in the Linux kernel did not
properly validate network family support while creating a new netfilter
table. A local attacker could use this to cause a denial of service or
possibly execute arbitrary code. (CVE-2023-6040)

It was discovered that the CIFS network file system implementation in the
Linux kernel did not properly validate the server frame size in certain
situation, leading to an out-of-bounds read vulnerability. An attacker
could use this to construct a malicious CIFS image that, when operated on,
could cause a denial of service (system crash) or possibly expose sensitive
information. (CVE-2023-6606)

Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel did
not properly handle inactive elements in its PIPAPO data structure, leading
to a use-after-free vulnerability. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2023-6817)

Budimir Markovic, Lucas De Marchi, and Pengfei Xu discovered that the perf
subsystem in the Linux kernel did not properly validate all event sizes
when attaching new events, leading to an out-of-bounds write vulnerability.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-6931)

It was discovered that the IGMP protocol implementation in the Linux kernel
contained a race condition, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-6932)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did
not properly check deactivated elements in certain situations, leading to a
use-after-free vulnerability. A local attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2024-0193)

Read More

USN-6608-1: Linux kernel vulnerabilities

Read Time:1 Minute, 20 Second

It was discovered that the CIFS network file system implementation in the
Linux kernel did not properly validate the server frame size in certain
situation, leading to an out-of-bounds read vulnerability. An attacker
could use this to construct a malicious CIFS image that, when operated on,
could cause a denial of service (system crash) or possibly expose sensitive
information. (CVE-2023-6606)

Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel did
not properly handle inactive elements in its PIPAPO data structure, leading
to a use-after-free vulnerability. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2023-6817)

Budimir Markovic, Lucas De Marchi, and Pengfei Xu discovered that the perf
subsystem in the Linux kernel did not properly validate all event sizes
when attaching new events, leading to an out-of-bounds write vulnerability.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-6931)

It was discovered that the IGMP protocol implementation in the Linux kernel
contained a race condition, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-6932)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did
not properly check deactivated elements in certain situations, leading to a
use-after-free vulnerability. A local attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2024-0193)

Read More

USN-6607-1: Linux kernel (Azure) vulnerabilities

Read Time:1 Minute, 49 Second

It was discovered that the SMB network file sharing protocol implementation
in the Linux kernel did not properly handle certain error conditions,
leading to a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2023-5345)

Lin Ma discovered that the netfilter subsystem in the Linux kernel did not
properly validate network family support while creating a new netfilter
table. A local attacker could use this to cause a denial of service or
possibly execute arbitrary code. (CVE-2023-6040)

It was discovered that the CIFS network file system implementation in the
Linux kernel did not properly validate the server frame size in certain
situation, leading to an out-of-bounds read vulnerability. An attacker
could use this to construct a malicious CIFS image that, when operated on,
could cause a denial of service (system crash) or possibly expose sensitive
information. (CVE-2023-6606)

Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel did
not properly handle inactive elements in its PIPAPO data structure, leading
to a use-after-free vulnerability. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2023-6817)

Budimir Markovic, Lucas De Marchi, and Pengfei Xu discovered that the perf
subsystem in the Linux kernel did not properly validate all event sizes
when attaching new events, leading to an out-of-bounds write vulnerability.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-6931)

It was discovered that the IGMP protocol implementation in the Linux kernel
contained a race condition, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-6932)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did
not properly check deactivated elements in certain situations, leading to a
use-after-free vulnerability. A local attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2024-0193)

Read More

USN-6606-1: Linux kernel (OEM) vulnerabilities

Read Time:1 Minute, 20 Second

It was discovered that a race condition existed in the Bluetooth subsystem
of the Linux kernel, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-51779)

It was discovered that the CIFS network file system implementation in the
Linux kernel did not properly validate the server frame size in certain
situation, leading to an out-of-bounds read vulnerability. An attacker
could use this to construct a malicious CIFS image that, when operated on,
could cause a denial of service (system crash) or possibly expose sensitive
information. (CVE-2023-6606)

Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel did
not properly handle inactive elements in its PIPAPO data structure, leading
to a use-after-free vulnerability. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2023-6817)

Budimir Markovic, Lucas De Marchi, and Pengfei Xu discovered that the perf
subsystem in the Linux kernel did not properly validate all event sizes
when attaching new events, leading to an out-of-bounds write vulnerability.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-6931)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did
not properly check deactivated elements in certain situations, leading to a
use-after-free vulnerability. A local attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2024-0193)

Read More

USN-6605-1: Linux kernel vulnerabilities

Read Time:1 Minute, 3 Second

Lin Ma discovered that the netfilter subsystem in the Linux kernel did not
properly validate network family support while creating a new netfilter
table. A local attacker could use this to cause a denial of service or
possibly execute arbitrary code. (CVE-2023-6040)

It was discovered that the CIFS network file system implementation in the
Linux kernel did not properly validate the server frame size in certain
situation, leading to an out-of-bounds read vulnerability. An attacker
could use this to construct a malicious CIFS image that, when operated on,
could cause a denial of service (system crash) or possibly expose sensitive
information. (CVE-2023-6606)

Budimir Markovic, Lucas De Marchi, and Pengfei Xu discovered that the perf
subsystem in the Linux kernel did not properly validate all event sizes
when attaching new events, leading to an out-of-bounds write vulnerability.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-6931)

It was discovered that the IGMP protocol implementation in the Linux kernel
contained a race condition, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-6932)

Read More

USN-6604-1: Linux kernel vulnerabilities

Read Time:1 Minute, 31 Second

It was discovered that the ASUS HID driver in the Linux kernel did not
properly handle device removal, leading to a use-after-free vulnerability.
A local attacker with physical access could plug in a specially crafted USB
device to cause a denial of service (system crash). (CVE-2023-1079)

Jana Hofmann, Emanuele Vannacci, Cedric Fournet, Boris Kopf, and Oleksii
Oleksenko discovered that some AMD processors could leak stale data from
division operations in certain situations. A local attacker could possibly
use this to expose sensitive information. (CVE-2023-20588)

It was discovered that a race condition existed in the Linux kernel when
performing operations with kernel objects, leading to an out-of-bounds
write. A local attacker could use this to cause a denial of service (system
crash) or execute arbitrary code. (CVE-2023-45863)

It was discovered that the CIFS network file system implementation in the
Linux kernel did not properly validate the server frame size in certain
situation, leading to an out-of-bounds read vulnerability. An attacker
could use this to construct a malicious CIFS image that, when operated on,
could cause a denial of service (system crash) or possibly expose sensitive
information. (CVE-2023-6606)

Budimir Markovic, Lucas De Marchi, and Pengfei Xu discovered that the perf
subsystem in the Linux kernel did not properly validate all event sizes
when attaching new events, leading to an out-of-bounds write vulnerability.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-6931)

It was discovered that the IGMP protocol implementation in the Linux kernel
contained a race condition, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-6932)

Read More