Date: 2021-02-03

Security: GRUB, Thycotic, and 'Spectre'

Ubuntu Blog: GRUB2 Secure Boot Bypass 2021

In August 2020, a set of security vulnerabilities in GRUB2 (the GRand Unified Bootloader version 2) collectively known as BootHole were disclosed. Today, another set of vulnerabilities in GRUB2 were disclosed, with similar implications. Because GRUB2 is a key component of the boot process, vulnerabilities in it can permit attackers to violate the integrity promises of UEFI Secure Boot. In this blog post we will discuss these vulnerabilities as well as the changes that have been made to Ubuntu to both mitigate them, and to make the update process easier for any future similar scenarios. As discussed back in August 2020, the UEFI Secure Boot process in Ubuntu is supported by a number of different components, all working together to ensure that only trusted bootloaders and operating systems are able to run. These consist of the UEFI platform firmware (aka UEFI BIOS), shim, the GRUB2 bootloader and the Linux kernel. The latter 3 of these are Ubuntu components, while the former is provided by the device OEM. In this case, both shim and GRUB2 have received (or will soon receive) updates to mitigate these vulnerabilities and to help ensure older vulnerable versions of GRUB2 are not trusted by the secure boot process and cannot be used to load malicious code. [...] To ensure a unified approach, the version of GRUB2 for UEFI systems used in older Ubuntu releases is updated so that a single GRUB2 version can be used for all – this ensures that both the latest security fixes and mitigation features can be more easily adopted in these older releases. As this has the potential to cause issues in what is a fundamental component of the boot process (due to the large number of changes in both GRUB2 itself as well as the way this is distributed in Ubuntu), this update will be carefully rolled out via the Updates pocket of the Ubuntu package archive. Because Secure Boot does not apply to BIOS based boot environments, we will not be publishing updates for GRUB2 on those systems.

Multiple New Security Issues Hit GRUB Bootloader Around Secure Boot

A new set of GRUB2 security vulnerabilities were made public today affecting its UEFI Secure Boot support. A set of eight CVEs were issued in 2020 and this year for the new issues. The issues include the possibility of specially crafted ACPI tables being loaded even if Secure Boot is active, memory corruption in GRUB's menu rendering, use-after-free in rmmod functionality, the cutmem command allowing privileged users to disable certain memory regions and in turn Secure Boot protections, arbitrary code execution even if Secure Boot is enabled, GRUB 2.05 accidentally re-introducing one of last year's vulnerabilities, and memory corruption from crafted USB device descriptors that could lead to arbitrary code execution.

Thycotic Announces Endpoint Privilege Management Solution for Unix/Linux

Thycotic, provider of privileged access management (PAM) solutions for more than 12,500 organizations worldwide, including 25 of the Fortune 100, announced new privilege management capabilities for workstations running Unix and Linux. The latest release of Thycotic’s Privilege Manager solution includes a Sudo plugin that saves Unix/Linux administrators time, while still providing granular control over privileged activities. According to the Verizon 2020 Data Breach Investigations Report, eighty percent of breaches involve compromised credentials, making them one of the most common entry points for threats. Unix and Linux endpoints are typically the most valuable targets because they rely on “root” accounts, which provide unrestricted access to all commands, files, directories, and resources.

Spectre returns as exploits for Windows and Linux devices found

Remember Spectre, the infamous vulnerability that had all major chip manufacturers scrambling for a fix? Three years after its initial emergence, two new working exploits have been identified. According to a report from Bleeping Computer, security researcher Julien Voisin has discovered a pair of exploits targeting unpatched Linux and Windows systems, on the VirusTotal platform. VirusTotal gathers all antivirus scans in one place and checks for potential malware missed by different solutions, and these exploits were uploaded a month ago.

Linux Foundation: RISC-V ISA and New Mobile Native Foundation

Learn About the RISC-V ISA with Two Free Training Courses from The Linux Foundation and RISC-V International

The Linux Foundation, the non-profit organization enabling mass innovation through open source, and RISC-V International, a non-profit corporation controlled by its members to drive the adoption and implementation of the free and open RISC-V instruction set architecture (ISA), have announced the release of two new free online training courses to help individuals get started with the RISC-V ISA. The courses are available on edX.org, the online learning platform founded by Harvard and MIT. “RISC-V International is committed to providing opportunities for people to gain a deeper understanding of the RISC-V ISA and expand their skills,” shared Calista Redmond, CEO, RISC-V International. “These courses will allow everyone to build deeper technical insight, learn more about the benefits of open collaboration, and engage with RISC-V for design freedom.” With the recent market momentum of RISC-V cores, systems-on-chips (SoCs), developer boards, and software and tools across computing from embedded to enterprise, there is a strong community need to empower individuals who understand how to implement and utilize RISC-V. In order to help meet that demand, The Linux Foundation and RISC-V International designed these free online courses to significantly reduce the barrier to entry for those interested in gaining RISC-V skills.

Linux Foundation and RISC-V International launch free RISC-V training classes | ZDNet

RISC-V, the emerging open-source instruction set processor architecture, is growing up. Sure, most of the attention has come from hardware hackers playing on RISC-V processors on development boards from companies such as SiFive, SparkFun, and BeagleBoard. There's even a BBC Doctor Who-branded RISC-V mini-computer for kids. But, according to RISC-V CTO Mark Himelstein, RISC-V processors have already found a home in data centers and Alibaba cloud servers. So, it's high time for classes on how to use this new open-source hardware architecture.

New Mobile Native Foundation to Foster Development Collaboration

The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the Mobile Native Foundation (MNF). The MNF will bring developers together to improve processes and technologies that support large-scale Android and iOS applications. Organizations contributing to this effort include Airbnb, Capital One, Corellium, Elotl, Flare.build, GitHub, GogoApps, Haystack, Line, LinkedIn, Lyft, Microsoft, Peloton, Robinhood, Sauce Labs, Screenplay.dev, Slack, Solid Software, Spotify, Square and Uber.