Language Selection

English French German Italian Portuguese Spanish

Security: WireGuard, SafeBreach and More

Filed under
Security
  • WireGuard Snapshot `0.0.20191012` Available
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    Hello,
    
    A new snapshot, `0.0.20191012`, has been tagged in the git repository.
    
    Please note that this snapshot is a snapshot rather than a final
    release that is considered secure and bug-free. WireGuard is generally
    thought to be fairly stable, and most likely will not crash your
    computer (though it may).  However, as this is a snapshot, it comes
    with no guarantees; it is not applicable for CVEs.
    
    With all that said, if you'd like to test this snapshot out, there are a
    few relevant changes.
    
    == Changes ==
    
      * qemu: bump default version
      * netns: add test for failing 5.3 FIB changes
      
      Kernels 5.3.0 - 5.3.3 crash (and are probably exploitable) via this one liner:
      
      unshare -rUn sh -c 'ip link add dummy1 type dummy && ip link set dummy1 up && ip -6 route add default dev dummy1 && ip -6 rule add table main suppress_prefixlength 0 && ping -f 1234::1'
      
      We fixed this upstream here:
      
      https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=ca7a03c4175366a92cee0ccc4fec0038c3266e26
      
      This is relevant to WireGuard because a very similar sequence of commands is
      used by wg-quick(8).
      
      So, we've now added some tests to catch this code path in the future. While
      the bug here was a random old use-after-free, the test checks the general
      policy routing setup used by wg-quick(8), so that we make sure this continues
      to work with future kernels.
      
      * noise: recompare stamps after taking write lock
      
      We now recompare counters while holding a write lock.
      
      * netlink: allow preventing creation of new peers when updating
      
      This is a small enhancement for wg-dynamic, so that we can update peers
      without readding them if they've already been removed.
      
      * wg-quick: android: use Binder for setting DNS on Android 10
      
      wg-quick(8) for Android now supports Android 10 (Q). We'll be releasing a new
      version of the app for this later today.
    
    This snapshot contains commits from: Jason A. Donenfeld and Nicolas Douma.
    
    As always, the source is available at https://git.zx2c4.com/WireGuard/ and
    information about the project is available at https://www.wireguard.com/ .
    
    This snapshot is available in compressed tarball form here:
      https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.20191012.tar.xz
      SHA2-256: 93573193c9c1c22fde31eb1729ad428ca39da77a603a3d81561a9816ccecfa8e
      BLAKE2b-256: d7979c453201b9fb6b1ad12092515b27ea6899397637a34f46e74b52b36ddf56
    
    A PGP signature of that file decompressed is available here:
      https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.20191012.tar.asc
      Signing key: AB9942E6D4A4CFC3412620A749FC7012A5DE03AE
    
    If you're a snapshot package maintainer, please bump your package version. If
    you're a user, the WireGuard team welcomes any and all feedback on this latest
    snapshot.
    
    Finally, WireGuard development thrives on donations. By popular demand, we
    have a webpage for this: https://www.wireguard.com/donations/
    
    Thank you,
    Jason Donenfeld
    
  • WireGuard 0.0.20191012 Released With Latest Fixes

    WireGuard is still working on transitioning to the Linux kernel's existing crypto API as a faster approach to finally make it into the mainline kernel, but for those using the out-of-tree WireGuard secure VPN tunnel support, a new development release is available.

  • SafeBreach catches vulnerability in controversial HP Touchpoint Analytics software

    Now the feature is embroiled in another minor controversy after security researchers at SafeBreach said they uncovered a new vulnerability. HP Touchpoint Analytics comes preinstalled on many HP devices that run Windows. Every version below 4.1.4.2827 is affected by what SafeBreach found.

    In a blog post, SafeBreach Labs security researcher Peleg Hadar said that because the service is executed as "NT AUTHORITY\SYSTEM," it is afforded extremely powerful permissions that give it wide access.

    "The CVE-2019-6333 vulnerability gives attackers the ability to load and execute malicious payloads using a signed service. This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass Signature Validation Bypassing," Hadar wrote.

    [...]

    The company has long had to defend HP Touchpoint Analytics against critics who say it gives HP unnecessary access to users' systems. When it first became widely noticed in 2017, dozens of users complained that they had not consented to adding the system.

  • Security Tool Sprawl Reaches Tipping Point
  • How trusted digital certificates complement open source security

    Application developers incorporating open source software into their designs may only discover later that elements of this software have left them (and their customers) exposed to cyber-attacks.

  • Securing the Container Supply Chain

More in Tux Machines

Debian Adds Another Option For Its Init System Diversity General Resolution

A few days ago Debian Project Leader Sam Hartman laid out the proposals for the upcoming Debian General Resolution vote concerning "init system diversity" and just how much Debian developers still care in 2019 about supporting non-systemd init systems within the Linux distribution. The general resolution over init systems and systemd had three proposals: affirming init diversity, systemd but supporting the exploration of alternatives, and focusing upon systemd for the init system and its other facilities. Now though Debian Project Secretary Kurt Roeckx has relayed a fourth proposal. Read more

Intel Haswell To Ice Lake Laptop Performance Benchmarks On Ubuntu 19.10

With the many Intel Ice Lake Linux benchmarks we began publishing over the past month since picking up a Dell XPS with Core i7-1065G7, there have been many benchmarks compared to the likes of the Core i7 Whiskey Lake and Kaby Lake processors. For those curious how the performance stacks up going further back, here are some Ubuntu 19.10 laptop benchmarks putting it up against the likes of Core i7 Haswell and Broadwell processors. This article offers a look at the Ubuntu 19.10 + Linux 5.3 performance on six different laptops including the Dell XPS 7390 Ice Lake laptop and various other laptops I had available for testing. Read more

GitHub Aims to Make Open Source Code Apocalypse-Proof in Arctic Vault

One of the big risks with this plan is that code depends on a whole software stack: hardware, assembly language, and a certain form of electricity. The chips that code runs on are really incredibly complex, noted Skymind's Nicholson. "You would need all that underlying infrastructure to run the code GitHub stores. I hope GitHub will also include some model hardware in its vault. It would be too much to ask to include a fab," he said. For technology's survival, open source stands out for two reasons: First, you can increase the positive feedback loops between the people who write code and those who use it. That leads to much better code quality compared to closed-source projects with limited users looking over the source. "The importance of that cannot be understated," said Nicholson. Second, open source code minimizes legal risk. That is also extremely important, he added, noting that some great closed-source code probably should go into the vault. "But why risk a lawsuit?" Nicholson reasoned. "Open source code really is moving society forward in a lot of ways, based on the work of a few dedicated teams and a relatively small number of core committers." Read more

Android Leftovers