2021-10-08
Security Leftovers
Security updates for Friday [LWN.net]
Security updates have been issued by CentOS (krb5 and mailman), Debian (gmp and librecad), Fedora (php-symfony4 and wireshark), Mageia (bluez, busybox, docker-containerd, gfbgraph, hivex, nss, perl/perl-Encode, and udisks2/libblockdev), openSUSE (permissions), Oracle (mailman and mailman:2.1), Red Hat (mailman, mailman:2.1, and nss), Scientific Linux (mailman and nss), and SUSE (nodejs14).
New Payment Data Stealing Malware Hides in Nginx Process on Linux Servers
E-commerce platforms in the U.S., Germany, and France have come under attack from a new form of malware that targets Nginx servers in an attempt to masquerade its presence and slip past detection by security solutions.
"This novel code injects itself into a host Nginx application and is nearly invisible," Sansec Threat Research team said in a new report. "The parasite is used to steal data from eCommerce servers, also known as 'server-side Magecart.'"
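A process that has had foreign code injected into it usually shows up in its memory map: executable regions that are anonymous (backed by no file), writable as well as executable, or backed by a shared object in a directory where nothing legitimate should live. The following is an added example, not Sansec's detection logic, that parses text in the layout of Linux's `/proc/<pid>/maps` and flags such regions. The sample map lines are constructed for the demo, and the list of expected library directories is an assumption that a real deployment would tune to its own packaging.

```python
"""Flag suspicious executable mappings in a Linux process memory map.

Added example, not code from Sansec or from nginx. It parses lines in the
format of /proc/<pid>/maps and reports executable regions that are anonymous,
writable+executable, backed by a deleted file, or backed by a file outside the
directories where the server binary and its libraries are expected to live.
"""
import re

# One /proc/<pid>/maps line: range, perms, offset, dev, inode, optional path.
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Assumption for the demo: where a packaged nginx and its libraries normally map from.
EXPECTED_DIRS = ("/usr/sbin/", "/usr/lib/", "/usr/lib64/", "/lib/", "/lib64/")
# Kernel-provided executable pseudo-mappings that are normal in every process.
KERNEL_PSEUDO = ("[vdso]", "[vsyscall]")

# Constructed sample: a packaged nginx plus two regions that should not be there.
SAMPLE_MAPS = """\
55d3c2a00000-55d3c2b20000 r-xp 00000000 08:01 131 /usr/sbin/nginx
55d3c2b20000-55d3c2b40000 r--p 00120000 08:01 131 /usr/sbin/nginx
7f1a30000000-7f1a30021000 rw-p 00000000 00:00 0
7f1a30021000-7f1a30031000 rwxp 00000000 00:00 0
7f1a30200000-7f1a30380000 r-xp 00000000 08:01 2221 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a30400000-7f1a30410000 r-xp 00000000 08:01 9001 /tmp/.cache/libhelper.so
7ffd1b000000-7ffd1b021000 rw-p 00000000 00:00 0 [stack]
7ffd1b0ff000-7ffd1b101000 r-xp 00000000 00:00 0 [vdso]
"""


def parse_maps(text):
    """Return a list of dicts, one per non-blank maps line."""
    regions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError("unrecognised maps line: %r" % line)
        regions.append(m.groupdict())
    return regions


def suspicious_exec_regions(text, expected_dirs=EXPECTED_DIRS):
    """Return (start, end, path, reason) for each executable region worth a look."""
    findings = []
    for r in parse_maps(text):
        perms, path = r["perms"], r["path"]
        if "x" not in perms or path in KERNEL_PSEUDO:
            continue
        if path == "" or (path.startswith("[") and path not in KERNEL_PSEUDO):
            reason = "anonymous executable mapping"
        elif "w" in perms:
            reason = "writable and executable file mapping"
        elif path.endswith(" (deleted)"):
            reason = "executable backed by a deleted file"
        elif not path.startswith(expected_dirs):
            reason = "executable file outside expected directories"
        else:
            continue
        findings.append((r["start"], r["end"], path, reason))
    return findings


if __name__ == "__main__":
    for start, end, path, reason in suspicious_exec_regions(SAMPLE_MAPS):
        print("%s-%s %-40s %s" % (start, end, path or "<anon>", reason))
```

On a live host the same function can be fed `open("/proc/%d/maps" % pid).read()` for each worker process; a clean, packaged nginx should produce no findings, so any output is a starting point for a closer look rather than a verdict on its own.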
FGKASLR Appears Closer To Mainline For Improving Linux Security
Kernel Address Space Layout Randomization (KASLR) has been common on Linux for a decade and a half now; more recently, Function-Granular (sometimes referred to as Finer-Grained) KASLR has been developed to further increase the security benefit by making kernel address positions much harder to predict for attacks.
The initial FGKASLR code for improving security was posted in early 2020 by Intel's Kristen Carlson Accardi. While KASLR makes memory addresses less predictable, it is much less effective once an attacker determines the base address, because every symbol sits at a fixed offset from that base. Function-Granular/Finer-Grained KASLR applies function reordering on top of KASLR: the functions are reordered at boot time, so attacks relying on known kernel memory locations become much harder.
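The difference between the two schemes is easiest to see in a toy model. The following added example, which is not code from the kernel or from the FGKASLR patch series, uses a constructed symbol table with hypothetical function names and sizes. Plain KASLR slides the whole table by one random page-aligned offset; FGKASLR applies the slide and then lays the functions out in a shuffled order. The last function measures how much a single leaked runtime address reveals under each scheme when the link-time relative offsets are assumed to still hold.

```python
"""Toy model of KASLR versus function-granular KASLR (FGKASLR).

Added example, not kernel code. The symbol table, base address and slide range
are constructed; the model keeps only the two properties the article describes:
KASLR shifts everything by one base, FGKASLR also shuffles function order.
"""
import random

# Constructed, hypothetical text-section symbol table: (name, size in bytes).
LINK_TIME_FUNCTIONS = [
    ("func_a", 0x120),
    ("func_b", 0x0c0),
    ("func_c", 0x080),
    ("func_d", 0x060),
    ("func_e", 0x1a0),
]
LINK_BASE = 0xFFFFFFFF81000000  # unrandomised link-time base (constructed)
PAGE = 0x1000
SLIDE_RANGE = 0x40000000        # constructed upper bound for the random slide


def link_time_layout():
    """Addresses as they would appear in an unrandomised symbol map."""
    addrs, cur = {}, LINK_BASE
    for name, size in LINK_TIME_FUNCTIONS:
        addrs[name] = cur
        cur += size
    return addrs


def kaslr_layout(rng):
    """Plain KASLR: one random page-aligned slide applied to every symbol."""
    slide = rng.randrange(0, SLIDE_RANGE, PAGE)
    return {n: a + slide for n, a in link_time_layout().items()}


def fgkaslr_layout(rng):
    """FGKASLR: the same slide, then functions are placed in a shuffled order."""
    slide = rng.randrange(0, SLIDE_RANGE, PAGE)
    order = list(LINK_TIME_FUNCTIONS)
    rng.shuffle(order)
    addrs, cur = {}, LINK_BASE + slide
    for name, size in order:
        addrs[name] = cur
        cur += size
    return addrs


def infer_from_leak(runtime, leaked_symbol):
    """Derive every address from one leaked one, assuming link-time offsets hold."""
    link = link_time_layout()
    delta = runtime[leaked_symbol] - link[leaked_symbol]
    return {n: a + delta for n, a in link.items()}


def correctly_inferred(runtime, leaked_symbol):
    """How many of the inferred addresses match the real runtime layout."""
    guess = infer_from_leak(runtime, leaked_symbol)
    return sum(guess[n] == runtime[n] for n in runtime)


def leak_inference_accuracy(seed, fgkaslr=False, leaked_symbol="func_a"):
    """Number of correct symbols recovered from one leak, for a given seed."""
    rng = random.Random(seed)
    runtime = fgkaslr_layout(rng) if fgkaslr else kaslr_layout(rng)
    return correctly_inferred(runtime, leaked_symbol)


if __name__ == "__main__":
    total = len(LINK_TIME_FUNCTIONS)
    for seed in range(5):
        print("seed %d: KASLR %d/%d, FGKASLR %d/%d" % (
            seed, leak_inference_accuracy(seed), total,
            leak_inference_accuracy(seed, fgkaslr=True), total))
```

Under plain KASLR the one leak always recovers the entire table, which is exactly the weakness the text describes. Under FGKASLR the leaked symbol is of course still right, but the others line up only by chance, and the effect grows with the number of functions shuffled, which in a real kernel is many thousands rather than five.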
This Week In Security: GoDaddy, Tardigrade, Monox, And BigSig | Hackaday
After the Thanksgiving break, we have two weeks of news to cover, so hang on for an extra-long entry. First up is GoDaddy, who suffered a breach starting on September 6th. According to an SEC filing, they noticed the problem on November 17th, and determined that there was unauthorized access to their provisioning system for their WordPress hosting service. For those keeping track at home, that’s two months and eleven days that a malicious actor had access. And what all was compromised? The email address and customer number of the approximately 1.2 million GoDaddy WordPress users; the initial WordPress password, in the clear; the SFTP and database passwords, also in the clear; and for some customers, their private SSL key.
The saving grace is that it seems that GoDaddy’s systems are segregated well enough that this breach doesn’t seem to have led to further widespread compromise. It’s unclear why passwords were stored in the clear beyond the initial setup procedure. To be safe, if you have a WordPress instance hosted by GoDaddy, you should examine it very carefully for signs of compromise, and rotate associated passwords. The SSL keys may be the most troubling, as this would allow an attacker to impersonate the domain. Given the length of time the attack had access, it would not surprise me to learn that more of GoDaddy’s infrastructure was actually compromised.
Bangladesh, South African and Iraqi Government sites have been found to be hosting web shells | Netcraft News
Netcraft recently confirmed that a Bangladesh Army site was hosting an Outlook Web Access (OWA) web shell. Additionally, an OWA web shell was found on the Department of Arts and Culture site for the South-African Kwazulu-Natal province and an Iraqi government site was found to be hosting a PHP shell. Web shells are a common tool used by attackers to maintain control of a compromised web server, providing a web interface from which arbitrary commands can be executed on the server hosting the shell. OWA provides remote access to Microsoft Exchange mailboxes; since the disclosure of the ProxyLogon vulnerabilities in March, Microsoft Exchange has become a popular target for cyberattacks.
When using a browser to visit the web shell installed on the Department of Arts and Culture’s site, the malicious activity was not immediately obvious, with the shell masquerading as a variable dump. Web shells are often buried in the filesystem alongside benign files, making it difficult for webmasters to detect and take them down. Even after patching the vulnerabilities used to install a shell, the shell itself also needs to be removed to stop further malicious activity. Sites containing web shells can often remain compromised for long periods of time.
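Because a web shell is just another file dropped beside legitimate ones, the most reliable way for a webmaster to find one that disguises its output is an integrity comparison against a known-good manifest rather than eyeballing pages in a browser. The following is an added example, not Netcraft's tooling: it hashes every file under a web root into a manifest, stores it as JSON, and later diffs a fresh snapshot against it, reporting added, changed and removed files. The directory layout and file contents are constructed for the demo.

```python
"""Manifest-based integrity check for a web root.

Added example, not code from Netcraft or from any web server project. Builds a
SHA-256 manifest of every regular file under a directory and reports what was
added, changed or removed relative to an earlier manifest.
"""
import hashlib
import json
import os
import tempfile


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX-style path -> sha256 hex digest for all files under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _sha256_file(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def diff_manifests(baseline, current):
    """Files present only in current, only in baseline, or in both with a new hash."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def _write(root, rel, text):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: take a baseline, then a file appears and one changes."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "owa/auth/logon.aspx", "<%-- constructed legitimate page --%>")
        _write(root, "index.php", "<?php echo 'hello';")
        manifest_path = os.path.join(root, "..", "baseline.json")
        save_manifest(build_manifest(root), manifest_path)
        # Later: an unexpected file sits beside the legitimate ones and index.php
        # has been altered; both are ordinary files the server happily serves.
        _write(root, "owa/auth/errorPage.aspx", "<!-- constructed stand-in for an unexpected new file -->")
        _write(root, "index.php", "<?php echo 'hello'; /* appended content */")
        result = diff_manifests(load_manifest(manifest_path), build_manifest(root))
        os.remove(manifest_path)
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline must be taken from a deployment known to be clean (for example straight from the package or release artifact, not from the running server), and it has to be refreshed after each legitimate update; otherwise every patch shows up as a wall of "changed" entries and the real additions get lost in the noise.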
Blender 3.0 Released as a Massive Update with Many New Features and Improvements
Blender 3.0 is a massive update that introduces numerous new features and dozens of enhancements to the 3D modeling software. One huge change in this release is the fact that Blender now uses the Vulkan next generation graphics and compute API by default for better graphics performance with lower power consumption. Another big change in the 3.x series is the replacement of the BGL module with the GPU module. Also, Blender’s Cycles received a major revamp that leads to significantly improved GPU rendering performance and interactivity in Blender 3.0.
"New" old functionality with Raspberry Pi OS (Legacy)
Over the past nine years, Raspberry Pi has only ever supported a single release of the Raspberry Pi OS (formerly known as Raspbian). This can cause significant problems when we move to a new upstream branch (for example when we moved from Jessie to Stretch or from Stretch to Buster, or the recent move from Buster to Bullseye). With the new branches come new versions of libraries and new interfaces. Old software and interfaces become unsupported, and the way to do specific things changes. Some of those come from the upstream and some from our own desire to move to open-source interfaces. Of course, we understand this isn’t always the right decision for particular users. For example, some of you are educational users who would like to follow instructions and tutorials online. Others are industrial users, who’ve developed software to use particular library versions; or who value a stable unchanging operating system. Some of you have asked for an option to roll back certain parts of the OS to restore some functionality that you have been relying on. Also: Raspberry Pi OS gets a legacy version to offer extended stability - Liliputing
IBM/Red Hat/Fedora Leftovers
openSUSE Tumbleweed Rolls into December
November provided a robust month of openSUSE Tumbleweed snapshots, which included 21 releases from Nov. 1 to Nov. 29. December, which is traditionally a slower month for Tumbleweed releases due to the holiday season, has already produced a snapshot. Snapshot 20211201 gave a major update of the Linux user-space application for modifying Intel’s Extensible Firmware Interface (EFI) Boot Manager. The efibootmgr package updated from version 14 to 17; the changes included fixes for GNU Compiler Collection 7, better parsing, and efibootmgr now uses EFIDIR / efibootmgr.efidir like fwupdate had. Scrolling issues when pressing the Home and Page Down keys were fixed with the webkit2gtk3 2.34.2 update. Four patches for bash were added in the 5.1.12 version, which fixes a couple of trapped signals. The 2.34.1 git version fixed an issue that arose from the 20211125 snapshot; git grep on files with a non-UTF-8 payload was broken when linked with certain versions of pcre2’s latest release. Other packages to update in the month’s first snapshot were glslang 11.7.1, graphviz 2.49.3, libstorage-ng 4.4.61, mtools 4.0.36 and yast2-update 4.4.5. Snapshot 20211129 provided an update of the 5.15.5 Linux Kernel, which had some arm fixes for Broadcom’s StrataGX communications processor. Tumbleweed started the month off with the 5.14 kernel. An update of iso-codes 4.8.0 added flag emojis to countries and a new translation for Chinese. LibreOffice also had some translations with the 7.2.3.2 update. Image viewer ristretto 0.12.1 fixed pointer behavior in fullscreen mode as well as a memory leak when closing the window directly. Other packages to update in the snapshot were Microsoft’s theorem prover z3 4.8.13, libsoup 3.0.3, libsoup2 2.74.2, libwpe 1.12.0 and more. Also: openSUSE Tumbleweed – Review of the week 2021/48 – Dominique a.k.a. DimStar (Dim*)
