Security Leftovers

  • Security updates for Thursday

    Security updates have been issued by Arch Linux (firefox, openjpeg2, openssl, qemu, tensorflow, and thunderbird) and Debian (highlight.js).

  • This Week In Security: Deeper Dive Into SolarWinds, Bouncy Castle, And Docker Images [Ed: Microsoft is, as usual, using spin and distortion to blame others for its own incompetence]

    Microsoft has published their analysis of Solorigate, and the details are interesting. The added code was carefully written to blend in with the rest of the code, using the name OrionImprovementBusinessLayer.Initialize, which sounds like a perfectly boring-yet-legitimate function. The actual backdoor is obfuscated using zip compression and base64 encoding.

    Once this bootstrap code begins, it runs a series of checks before actually doing anything malicious. It waits 2 weeks after installation to do anything, and then checks the system domain name for any indication it’s running in a test environment. It then checks for certain security applications, like Wireshark, and refuses to run if they are detected. This series of checks all seem to be an effort to avoid detection, and to only run in a deployed environment. Even the Command and Control URL that the backdoor uses is constructed to appear benign. Beyond this, it seems that the malware simply waited for instructions, and didn’t take any automated actions. All the attacks were performed manually.

    One of the side-effects of the sudden attention given to SolarWinds devices is that a whole slew of other problems will be found and fixed, like CVE-2020-10148, an authentication bypass. The most surprising finding, however, is a *second* backdoor in the SolarWinds code, nicknamed Supernova. It’s possible that this was an earlier backdoor from the same actors as Solorigate, but the current theory is that it’s a backdoor installed by yet another, unrelated attacker.

  • Significant vulnerabilities that crippled IT world this decade (2010-2020)

    The last ten years in the computer and IT security world are crippled with so many vulnerabilities. We saw massive cloud computing adoption and end-users using mobile devices with high speed 4G LTE networks. A threat actor may have exploited such weakness in modern computers and networks. Let us look into top vulnerabilities and the attack surface in this decade (2010-2020) that affected Linux/Unix, macOS, IT, cloud-computing, and computers in general.

  • James Bottomley: Deploying Encrypted Images for Confidential Computing

    At its base, current confidential computing environments are about using encrypted memory to run the virtual machine and guarding the encryption key so that the owner of the host system (the cloud service provider) can’t get access to it. Both SEV and TDX have the encryption technology inside the main memory controller meaning the L1 cache isn’t encrypted (still vulnerable to cache side channels) and DMA to devices must also be done via unencrypted memory. This latter also means that both the BIOS and the Operating System of the guest VM must be enlightened to understand which pages to encrypt and which must not. For this reason, all confidential VM systems use OVMF to boot because this contains the necessary enlightening. To a guest, the VM encryption looks identical to full memory encryption on a physical system, so as long as you have a kernel which supports Intel or AMD full memory encryption, it should boot.

    Each confidential computing system has a security element which sits between the encrypted VM and the host. In SEV this is an aarch64 processor called the Platform Security Processor (PSP) and in TDX it is an SGX enclave running Intel proprietary code. The job of the PSP is to bootstrap the VM, including encrypting the initial OVMF and inserting the encrypted pages. The security element also includes a validation certificate, which incorporates a Diffie-Hellman (DH) key. Once the guest owner obtains and validates the DH key it can use it to construct a one time ECDH encrypted bundle that can be passed to the security element on bring up. This bundle includes an encryption key which can be used to encrypt secrets for the security element and a validation key which can be used to verify measurements from the security element.

    The way QEMU boots a Q35 machine is to set up all the configuration (including a disk device attached to the VM Image), load up the OVMF into rom memory and start the system running. OVMF pulls in the QEMU configuration and constructs the necessary ACPI configuration tables before executing grub and the kernel from the attached storage device. In a confidential VM, the first task is to establish a Guest Owner (the person whose encrypted VM it is) which is usually different from the Host Owner (the person running or controlling the Physical System). Ownership is established by transferring an encrypted bundle to the Secure Element before the VM is constructed.

  • Chris Lamb: Free software activities in December 2020

    One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.

    The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

  • The Future of Software Supply Chain Security – Purism

    All indications are that software supply chain security will be the biggest issue for the security industry in 2021. The largest security story of 2020 was the supply chain compromise of SolarWinds Orion which allowed attackers to ship malicious updates with backdoors to Orion customers with perfectly valid signatures. Once these updates were applied and attackers were in these networks, this access allowed a large-scale attack of government agencies and tech and security companies, perhaps one of the single largest attacks of US networks in history. In some cases the level of compromise was so deep, including compromised administrator credentials, that the general guidance has been for victims to rebuild infrastructure from the ground up.

    Supply chain security is not a new concept (I wrote about how Purism protects the digital supply chain over two years ago) and many researchers have recognized it as a legitimate threat for a long time. Yet the industry overall has been slow to recognize the risk and in fact perverse incentives have led to many in the industry doubling-down on security solutions that rely heavily (in many cases rely entirely) on the exact kind of security measures supply chain hacks defeat.

    The proprietary software industry can’t fix the software supply chain problem because they largely created it and depend on it to maintain control over customers. In this article I’m going to explain how this happened, and what the future of supply chain security looks like.


    To improve software supply chain security we need the ability to audit software like we audit food and this requires much more transparency–transparency beyond what proprietary software vendors allow. Tamper seals (code signing) are important, but not close to being sufficient to catch tainted software. As the SolarWinds Orion hack shows, food can be tainted at the factory before it gets into those tamper-sealed jars.

    The software supply chain will get attacked, and third parties and motivated customers must have the ability to detect tainted code quickly, beyond simply relying on their vendor to notice, looking at a tamper seal, or waiting to see if their network gets sick. The best hope we have to improve supply chain security is in the combination of free software and Reproducible Builds.


    This is one reason why Purism offers a 100% free software operating system, PureOS, on our computers. By only installing free software, all of the source code in the operating system can be audited by anyone for backdoors or other malicious code. For processed food to be labeled as organic, it must be made only from organic sources, and having our operating system certified as 100% free software means you can trust the software supply chain all the way to the source.

    Reproducible Builds

    Unlike proprietary software, free software can also address the risk from an attacker who can inject malicious code somewhere in the build process before it’s signed. With Reproducible Builds you can download the source code used to build your software, build it yourself, and compare your output with the output you get from a vendor. If the output matches, you can be assured that no malicious code was injected somewhere in the software supply chain and it 100% matches the public code that can be audited for backdoors. Think of it like the combination of a food safety inspector and an independent lab that verifies the nutrition claims on a box of cereal all rolled into one.

    Much of PureOS is already reproducibly built, and we are working so that ultimately all software within PureOS can be reproducibly built starting with the base install and expanding from there. We not only intend on publishing our own reproducible build results, but also tools and guidance so third parties and customers can perform their own audits. That way, customers aren’t limited to learning about supply chain attacks from us, they can audit and detect attacks themselves.

  • Linux To Report MIPS Vulnerabilities But They Often Go Unreported Or Dead Vendors - Phoronix

    The Linux kernel with the likes of ARM and x86 hardware leverage kernel infrastructure for reporting their relevant CPU security mitigations while only now the MIPS kernel code is seeing work to report such vulnerabilities. However, on the MIPS front it's more difficult with some vendors not publicly acknowledging vulnerabilities and other cases of MIPS hardware vendors no longer producing the hardware in question or even in business.

    Sent out yesterday were patches providing MIPS vulnerabilities infrastructure for the Linux kernel, similar to that for other architectures.

  • New Golang worm turns Windows and Linux servers into monero miners [Ed: Typical FUD from clueless and/or dishonest media looking to blame "Linux" (or make it look as awful as back-doored Windows) because some admins misconfigure stuff or choose terrible passwords]

    A new worm written in Golang turns Windows and Linux servers into miners of the cryptocurrency monero.

  • Windows and Linux servers turned into crypto miners [Ed: Same as above]