
Security: Updates, SS7, Docker, Thunderbolt, Django

Filed under
Security
  • Security updates for Monday
  • SS7 Cellular Network Flaw Nobody Wants To Fix Now Being Exploited To Drain Bank Accounts

    Back in 2017, you might recall how hackers and security researchers highlighted long-standing vulnerabilities in Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US), a series of protocols first built in 1975 to help connect phone carriers around the world. While the problem isn't new, a 2016 60 Minutes report brought wider attention to the fact that the flaw can allow a hacker to track user location, dodge encryption, and even record private conversations. All while the intrusion looks like ordinary carrier-to-carrier chatter among a sea of other, "privileged peering relationships."

    Telecom lobbyists have routinely tried to downplay the flaw after carriers have failed to do enough to stop hackers from exploiting it. In Canada for example, the CBC recently noted how Bell and Rogers weren't even willing to talk about the flaw after the news outlet published an investigation showing how, using only the number of his mobile phone, it was possible to intercept the calls and movements of Quebec NDP MP Matthew Dubé.

    But while major telecom carriers try to downplay the scale of the problem, news reports keep indicating how the flaw is abused far more widely than previously believed. This Motherboard investigation by Joseph Cox, for example, showed how, while the attacks were originally only surmised to be within the reach of intelligence operators (perhaps part of the reason intelligence-tied telcos have been so slow to address the issue), hackers have increasingly been using the flaw to siphon money out of targets' bank accounts, thus far predominantly in Europe...

  • Doomsday Docker Security Hole Uncovered

    Red Hat technical product manager for containers, Scott McCarty, warned: "The disclosure of a security flaw (CVE-2019-5736) in runc and docker illustrates a bad scenario for many IT administrators, managers, and CxOs. Containers represent a move back toward shared systems where applications from many different users all run on the same Linux host. Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it. While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies...and that's exactly what this vulnerability represents."

  • It starts with Linux: How Red Hat is helping to counter Linux container security flaws

    The disclosure of a security flaw (CVE-2019-5736) in runc and docker illustrates a bad scenario for many IT administrators, managers, and CxOs. Containers represent a move back toward shared systems where applications from many different users all run on the same Linux host. Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it. A cascading set of exploits affecting a wide range of interconnected production systems qualifies as a difficult scenario for any IT organization and that’s exactly what this vulnerability represents.

    For many Red Hat end users, it’s unlikely that this flaw gets that far. IT organizations using Red Hat Enterprise Linux to underpin their Linux container and cloud-native deployments are likely protected, thanks to SELinux. This vulnerability is mitigated by the use of SELinux in targeted enforcing mode, which prevents this vulnerability from being exploited. The default for SELinux on Red Hat Enterprise Linux 7 is targeted enforcing mode and it is rarely disabled in a containerized environment.

  • Kubernetes, Docker, ContainerD Impacted by RunC Container Runtime Bug

    The Linux community is dealing with another security flaw, with the latest bug impacting the runC container runtime that underpins Docker, cri-o, containerd, and Kubernetes.

    The bug, dubbed CVE-2019-5736, allows an infected container to overwrite the host runC binary and gain root-level code access on the host. This would basically allow the infected container to gain control of the overarching host container and allow an attacker to execute any command.
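The excerpts above give a responder two concrete things to check on a host: whether the host's runc binary still matches a trusted copy (the exploit's end state is that binary rewritten from inside a container) and whether SELinux is running the targeted policy in enforcing mode, which Red Hat says blocks the exploit. The following is example code added for this page, not code from runc, Docker or Red Hat; it assumes the operator supplies the runc path and a baseline SHA-256 from a trusted source (the distribution package, or a hash recorded straight after patching), and the `sestatus` text it parses is a constructed sample.

```python
"""Host-side triage for CVE-2019-5736 (runc host-binary overwrite).

Example code added for this page, not code from runc, Docker or Red Hat.
Assumptions: the operator supplies the path of the host runc binary and a
baseline SHA-256 taken from a trusted copy (the distribution package, or a
hash recorded right after patching); the SELinux state is the captured text
output of `sestatus`.
"""
import hashlib
import os
import tempfile

# Constructed sample of `sestatus` output on a RHEL 7 host with defaults.
SESTATUS_RHEL7_DEFAULT = """\
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
"""


def sha256_of(path: str) -> str:
    """Hash the file in chunks so a multi-megabyte binary is not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def runc_binary_tampered(path: str, baseline_sha256: str) -> bool:
    """True when the host runc no longer matches the trusted baseline.

    The attack described above ends with the host's own runc rewritten from
    inside a container, so a content hash against a known-good copy is the
    most direct tripwire. Modification time is deliberately not consulted;
    an attacker who can rewrite the binary can also reset it.
    """
    return sha256_of(path).lower() != baseline_sha256.strip().lower()


def parse_sestatus(text: str) -> dict:
    """Turn `sestatus` 'Key:   value' lines into a lower-cased dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip().lower()
    return fields


def selinux_mitigates(sestatus_text: str) -> bool:
    """Red Hat's note above credits the targeted policy in enforcing mode.

    Permissive or disabled SELinux gives no protection, and a different
    loaded policy is not claimed to help, so anything else returns False.
    """
    f = parse_sestatus(sestatus_text)
    return (f.get("selinux status") == "enabled"
            and f.get("current mode") == "enforcing"
            and f.get("loaded policy name") == "targeted")


def triage(runc_path: str, baseline_sha256: str, sestatus_text: str) -> str:
    """Collapse both checks into one verdict for the responder:
    'compromised' (binary changed: treat the whole host as owned),
    'mitigated'   (SELinux blocks this exploit, but still patch),
    'exposed'     (no mitigation in effect: patch runc/docker now)."""
    if runc_binary_tampered(runc_path, baseline_sha256):
        return "compromised"
    if selinux_mitigates(sestatus_text):
        return "mitigated"
    return "exposed"


def write_fake_binary(content: bytes) -> str:
    """Create a stand-in for /usr/bin/runc under a temp dir (demo/test helper)."""
    path = os.path.join(tempfile.mkdtemp(), "runc")
    overwrite_binary(path, content)
    return path


def overwrite_binary(path: str, content: bytes) -> None:
    """Rewrite the file in place, which is what the exploit does to runc."""
    with open(path, "wb") as f:
        f.write(content)


if __name__ == "__main__":
    runc = write_fake_binary(b"\x7fELF good runc")
    baseline = sha256_of(runc)                      # record from a trusted copy
    print(triage(runc, baseline, SESTATUS_RHEL7_DEFAULT))   # mitigated
    overwrite_binary(runc, b"\x7fELF attacker payload")     # exploit aftermath
    print(triage(runc, baseline, SESTATUS_RHEL7_DEFAULT))   # compromised
```

On RPM and Debian hosts the package manager already holds the baseline: `rpm -V` or `dpkg --verify` on the package that owns the runc binary (`rpm -qf` / `dpkg -S` tells you which) reports a changed file the same way. A "compromised" verdict means the host, not just one container, is untrusted; "mitigated" is still a reason to patch, since the SELinux result only covers this exploit path.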

  • Thunderbolt preboot access control list support in bolt

    Recent BIOS versions enabled support for storing a limited list of UUIDs directly in the thunderbolt controller. This is called the pre-boot access control list (or preboot ACL), in bolt simply called "bootacl". The devices corresponding to the UUIDs in the bootacl will be authorized during pre-boot (and only then) by the firmware. One big caveat about this feature should become obvious now: no device verification can happen, because only the UUIDs are stored but not the key, so if you are using SECURE mode but enable preboot ACL in the BIOS you effectively get USER mode during boot.

    The kernel exposes the bootacl via a per-domain sysfs attribute boot_acl. Every time a device is enrolled, boltd will automatically add it to the bootacl as well. Conversely, if the device is forgotten and it is in the bootacl, boltd will automatically remove it from the bootacl. There is one small complication to these seemingly straightforward operations: in BIOS assist mode, the thunderbolt controller is powered down by the firmware if no device is connected to it. Therefore, when devices are forgotten, boltd might not be able to directly write to the boot_acl sysfs attribute. In a dual boot scenario this is complicated by the fact that another operating system might also modify the bootacl and thus we might be out of sync. As the solution to this, boltd will write individual changes to a journal file if the thunderbolt controller is powered down and re-apply these changes (as well as possible) the next time the controller is powered up.
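The journal-and-replay scheme described above, as example code added for this page (not bolt's own code): the boot_acl text format follows the kernel's sysfs documentation for the attribute, a comma-separated list with one entry per slot and an empty string for a free slot; the slot count, the `+uuid`/`-uuid` journal line format and refusing to add to a full list are assumptions made here. The UUIDs in the demo are constructed.

```python
"""Model of the boot_acl journal-and-replay scheme the post describes.

Example code added for this page, not bolt's own. The boot_acl text format
follows the kernel's sysfs documentation (comma-separated fixed-size slot
list, empty string for a free slot); the slot count, the '+uuid'/'-uuid'
journal line format and refusing to add to a full list are assumptions made
here for illustration.
"""
from typing import List, Optional, Tuple


class BootAcl:
    """One domain's boot_acl attribute: a fixed number of UUID slots."""

    def __init__(self, slots: List[str]):
        self.slots = slots

    @classmethod
    def from_sysfs(cls, text: str) -> "BootAcl":
        return cls(text.strip().split(","))

    def to_sysfs(self) -> str:
        return ",".join(self.slots)

    def add(self, uuid: str) -> bool:
        """Idempotent; False only if every slot is taken (assumed behaviour)."""
        if uuid in self.slots:
            return True
        if "" not in self.slots:
            return False
        self.slots[self.slots.index("")] = uuid
        return True

    def remove(self, uuid: str) -> bool:
        """False if the UUID is absent, e.g. another OS already dropped it."""
        if uuid not in self.slots:
            return False
        self.slots[self.slots.index(uuid)] = ""
        return True


class Journal:
    """Changes recorded while the controller is powered down, one op per line."""

    def __init__(self) -> None:
        self.ops: List[Tuple[str, str]] = []

    def record(self, op: str, uuid: str) -> None:
        # Only the latest intent per device survives: enroll then forget while
        # powered down collapses to the forget, and vice versa.
        self.ops = [(o, u) for (o, u) in self.ops if u != uuid]
        self.ops.append((op, uuid))

    def dump(self) -> str:
        return "".join(f"{op}{uuid}\n" for op, uuid in self.ops)

    @classmethod
    def load(cls, text: str) -> "Journal":
        journal = cls()
        for line in text.splitlines():
            if len(line) > 1 and line[0] in "+-":
                journal.record(line[0], line[1:])
        return journal

    def replay(self, acl: BootAcl) -> List[str]:
        """Apply in order, best effort: ops that no longer fit the ACL the
        firmware now reports (dual boot: the other OS changed it) are skipped
        and returned instead of failing; the journal is cleared afterwards."""
        skipped = []
        for op, uuid in self.ops:
            if not (acl.add(uuid) if op == "+" else acl.remove(uuid)):
                skipped.append(op + uuid)
        self.ops.clear()
        return skipped


class Domain:
    """Stand-in for a thunderbolt domain whose sysfs boot_acl is writable only
    while the controller is powered (BIOS assist mode cuts power when nothing
    is plugged in)."""

    def __init__(self, boot_acl: str, powered: bool = True):
        self.sysfs_boot_acl = boot_acl
        self.powered = powered
        self.journal = Journal()

    def _change(self, op: str, uuid: str) -> Optional[bool]:
        if not self.powered:
            self.journal.record(op, uuid)     # defer; None means journaled
            return None
        acl = BootAcl.from_sysfs(self.sysfs_boot_acl)
        ok = acl.add(uuid) if op == "+" else acl.remove(uuid)
        self.sysfs_boot_acl = acl.to_sysfs()
        return ok

    def enroll(self, uuid: str) -> Optional[bool]:
        return self._change("+", uuid)

    def forget(self, uuid: str) -> Optional[bool]:
        return self._change("-", uuid)

    def power_up(self) -> List[str]:
        """Controller is back: re-read the ACL (another OS may have changed it)
        and replay the journal against what is actually there."""
        self.powered = True
        acl = BootAcl.from_sysfs(self.sysfs_boot_acl)
        skipped = self.journal.replay(acl)
        self.sysfs_boot_acl = acl.to_sysfs()
        return skipped


if __name__ == "__main__":
    dock, monitor = "dock-uuid", "monitor-uuid"            # constructed IDs
    dom = Domain(boot_acl=",".join([dock, "", "", ""]), powered=False)
    dom.forget(dock); dom.enroll(monitor)                  # both journaled
    dom.sysfs_boot_acl = ",,,"                             # other OS cleared it
    print(dom.power_up(), dom.sysfs_boot_acl)              # ['-dock-uuid'] monitor-uuid,,,
```

The reason `power_up` re-reads the attribute before replaying is the dual-boot case: the journal records intent (this device should, or should no longer, be in the list), not a diff against a list that may no longer exist, so removing a UUID the other OS already dropped is reported as skipped rather than failing the whole replay.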

  • Django security releases issued: 2.1.6, 2.0.11 and 1.11.19

Django bugfix releases: 2.1.7, 2.0.12 and 1.11.20

IDG on Docker/CVE-2019-5736

Patch this run(DM)c Docker flaw or you be illin'...

And the obligatory daily FUD

Bogdan Popa at It Again...
