The importance of patch management after serious Linux vulnerabilities

  • The open-source Linux operating system is used by most of the servers on the internet as well as in smartphones, with an ever-growing desktop user base as well.
  • The bug known as Dirty Cow (CVE-2016-5195) is named for the kernel’s “copy-on-write” mechanism, which it abuses, and falls within the class of vulnerabilities known as privilege escalation: a local, unprivileged user can use it to gain root and effectively take control of the system.
  • Patch management should be a core consideration for all IT systems, whether they are servers or workstations, and of course regardless of the operating systems used.
Serious Linux vulnerabilities

In recent news there have been a number of serious vulnerabilities found in various Linux systems. Whilst OS vulnerabilities are a common occurrence, it is the nature of these particular bugs that has garnered so much interest.

The open-source Linux operating system is used by most of the servers on the internet as well as in smartphones, with an ever-growing desktop user base as well.

Open-source software is typically considered to increase the security of an operating system, since anyone can read, re-use and suggest modifications to the source code – part of the idea being that many people involved would increase the chances of someone finding and hopefully fixing any bugs.

With that in mind let’s turn our sights on the bug known as Dirty Cow (CVE-2016-5195), disclosed in October 2016. It is named for the kernel’s “copy-on-write” mechanism: a race condition in how the memory subsystem handles writes to private, copy-on-write mappings lets a process write to a file it only has read access to. It falls within the class of vulnerabilities known as privilege escalation, and a local, unprivileged user can use it to gain root and effectively take control of the system.

What makes this particular vulnerability so concerning, however, isn’t the fact that it’s a privilege escalation bug, but rather that it was introduced into the kernel around nine years ago, in 2007. Phil Oester discovered it by capturing an exploit that was already being used in the wild against one of his servers. This means that a reliable means of exploitation was available before the bug was even public, and, because of its age, every unpatched kernel released in those nine years is affected, which amounts to millions of systems.
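To make the “copy-on-write” part concrete, the following added example (written for this article, not code from the kernel, the researchers or the exploit) maps a read-only temporary file as a private copy-on-write mapping and writes through it. It shows the guarantee that Dirty Cow breaks: a write through a private mapping lands in the process’s own copy of the page and never reaches the file, while a shared writable mapping of a read-only descriptor is refused outright by the kernel. The file content is constructed sample data, and the mapping flags are Python’s `mmap.ACCESS_COPY` (MAP_PRIVATE) and `mmap.ACCESS_WRITE` (MAP_SHARED).

```python
import mmap
import os
import tempfile

# Constructed sample content standing in for a root-owned, read-only file
# such as a setuid binary; it is a throwaway temp file, not a system file.
SAMPLE = b"read-only data\n"


def _make_sample_file() -> str:
    """Create the temp file the demo operates on and return its path."""
    fd, path = tempfile.mkstemp()
    os.write(fd, SAMPLE)
    os.close(fd)
    return path


def private_write(path: str) -> tuple:
    """Open the file read-only, map it MAP_PRIVATE (mmap.ACCESS_COPY) and
    write through the mapping. Copy-on-write hands the writer a private
    copy of the page, so the process sees its write but the file does not.
    Returns (bytes seen through the mapping, bytes on disk afterwards)."""
    fd = os.open(path, os.O_RDONLY)
    try:
        with mmap.mmap(fd, 0, access=mmap.ACCESS_COPY) as m:
            m[:8] = b"hijacked"          # lands in the private (copied) page
            in_memory = m[:8]
    finally:
        os.close(fd)
    with open(path, "rb") as f:
        on_disk = f.read()
    return in_memory, on_disk


def shared_write_readonly_fd(path: str) -> bool:
    """MAP_SHARED + PROT_WRITE (mmap.ACCESS_WRITE) on a read-only descriptor
    is refused by the kernel with EACCES. Return True if it was refused."""
    fd = os.open(path, os.O_RDONLY)
    try:
        mmap.mmap(fd, 0, access=mmap.ACCESS_WRITE)
    except PermissionError:
        return True
    finally:
        os.close(fd)
    return False


def shared_write_rw_fd(path: str) -> bytes:
    """For contrast: a MAP_SHARED mapping of a read/write descriptor really
    does modify the file. Dirty Cow obtains this effect without ever
    holding write permission. Returns the file content afterwards."""
    fd = os.open(path, os.O_RDWR)
    try:
        with mmap.mmap(fd, 0, access=mmap.ACCESS_WRITE) as m:
            m[:8] = b"hijacked"
            m.flush()
    finally:
        os.close(fd)
    with open(path, "rb") as f:
        return f.read()


def demo() -> dict:
    """Run the three cases on a fresh temp file and return their results."""
    path = _make_sample_file()
    try:
        in_memory, on_disk = private_write(path)
        refused = shared_write_readonly_fd(path)
        after_shared = shared_write_rw_fd(path)
    finally:
        os.unlink(path)
    return {
        "private_view": in_memory,
        "file_after_private_write": on_disk,
        "shared_readonly_refused": refused,
        "file_after_shared_write": after_shared,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

On a healthy kernel the private write is visible only through the mapping and the file on disk is untouched; the vulnerable kernels lose the race between the copy-on-write fault and a concurrent discard of the private page, so the write is applied to the page cache of the original file instead, which is what turns a read-only mapping of a setuid binary into a root shell.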

Whilst Red Hat, Debian and Ubuntu have already released patches, millions of other devices are still vulnerable. Worse still, embedded versions of the operating system and older Android devices are difficult to update, or may never receive an update at all, leaving them exposed. Note, too, that installing a fixed kernel package is not enough on its own: the host stays vulnerable until it is rebooted into the new kernel (or a live-patching service applies the fix to the running one).

Next, let’s have a look at a more recent vulnerability, CVE-2016-4484, found in the cryptsetup boot scripts that Debian and Ubuntu ship to unlock partitions encrypted with LUKS (Linux Unified Key Setup) at boot. It allows an attacker with access to the console to obtain a root shell in the initramfs environment, before the encrypted root filesystem is unlocked. From there, depending on the system in question, it could be used for a number of exploitation strategies according to the researchers who discovered the bug, Hector Marco and Ismael Ripoll, namely:

  • Privilege escalation, if the boot partition is not encrypted:
    • It can be used to store an executable file with the “SetUID” bit set, which a local user can later run to escalate privileges.
    • If the boot chain is not secured (for example by Secure Boot), the kernel and the initrd image can be replaced.
  • Information disclosure: it is possible to access all the disks. Although the system partition is encrypted, it can be copied to an external device and the passphrase brute forced offline. Obviously, any unencrypted data on other attached devices can be read directly.
  • Denial of service: the attacker can delete the data on all the disks, causing downtime of the system in question.

Whilst many believe the severity and/or likely impact of this vulnerability has been exaggerated, considering that you need physical or remote console access (which many cloud platforms provide these days), what makes it so interesting is just how it is exploited.

All you need to do is hold down or repeatedly press the Enter key at the LUKS passphrase prompt; each press submits an empty passphrase, and roughly 70 seconds later a root shell appears. The root cause is how the boot script handles failed attempts: cryptsetup itself gives up after its default of three tries, the script re-runs it a limited number of times, and once that retry budget is exhausted the script fails open by handing control to the initramfs rescue shell instead of halting or rebooting. The check is easy to run on a non-production machine with full-disk encryption: if holding Enter lands you in a BusyBox prompt rather than a halted system, the initramfs scripts still need the fix.

The researchers also made several notes regarding physical access and explained why this and similar vulnerabilities remain of concern. It’s generally accepted that once an attacker has physical access to a computer, it’s pwned. However, they highlighted that with today’s range of devices there are many levels of what can be referred to as physical access, namely:

  • Access to the components within a computer, where an attacker can remove, replace or insert anything, including disks and RAM: your own computer, for instance.
  • Access to all interfaces, where an attacker can plug in any device (USB, Ethernet, FireWire and so on): computers in public facilities such as libraries and internet cafes.
  • Access to front-panel interfaces only, usually USB and the keyboard: systems used to print photos, for example.
  • Access to a limited keyboard or other interface: a smart doorbell, alarm, fridge, ATM and the like.

Their point is that the risks are not limited to traditional computer systems, and that the growing trends around IoT devices will increase the potential reach of similar attacks – look no further than our last article on DDoS attacks since IoT devices like printers, IP cameras and routers have been used for some of the largest DDoS attacks ever recorded.

This brings us back around to the fact that now, more than ever, it’s of critical importance that you keep an eye on your systems and ensure any vulnerabilities are patched accordingly and, more importantly, in a timely manner. Patch management should be a core consideration for all IT systems, whether they are servers or workstations, and of course regardless of the operating systems used.
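The kernel patches mentioned above and the patch-management point here both come down to the same question: for each host, is the fixed package installed, and is the fixed kernel actually the one running? The following added example (written for this article, not part of any vendor’s tooling) answers that for a constructed sample inventory. The `FIXED_KERNEL` threshold is a placeholder to be replaced with the version named in your distribution’s advisory, the host names and versions are made up, and the version comparison is deliberately simplified (numeric fields only, so Debian epochs and `~` pre-release markers are ignored; use `dpkg --compare-versions` or `rpmdev-vercmp` when exact vendor semantics matter).

```python
import re
from typing import Dict, List, Tuple

# Placeholder threshold: the first package version that carries the fix.
# Take the real value for your distribution from its security advisory.
FIXED_KERNEL = "4.4.0-45.66"


def version_key(version: str) -> Tuple[int, ...]:
    """Reduce '4.4.0-45.66' or '4.4.0-45-generic' to its numeric fields so
    that versions can be compared field by field. Simplified on purpose:
    epochs and '~' markers are not handled."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def meets(candidate: str, required: str) -> bool:
    """True if candidate is at least required, comparing only the fields both
    provide. A running kernel reported by uname -r carries the ABI number
    ('4.4.0-45') but not the upload number ('.66') of the package."""
    c, r = version_key(candidate), version_key(required)
    n = min(len(c), len(r))
    return c[:n] >= r[:n]


def classify(installed: str, running: str, fixed: str = FIXED_KERNEL) -> str:
    """Status of one host: 'unpatched' (fixed package not installed),
    'reboot-required' (installed, but the old kernel is still running)
    or 'patched'."""
    if not meets(installed, fixed):
        return "unpatched"
    if not meets(running, fixed):
        return "reboot-required"
    return "patched"


def audit(inventory: List[Dict[str, str]],
          fixed: str = FIXED_KERNEL) -> Dict[str, List[str]]:
    """Group host names by status; the inventory is a list of dicts with
    'name', 'installed' (package version) and 'running' (uname -r)."""
    report: Dict[str, List[str]] = {
        "unpatched": [], "reboot-required": [], "patched": []
    }
    for host in inventory:
        status = classify(host["installed"], host["running"], fixed)
        report[status].append(host["name"])
    return report


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    {"name": "web-01", "installed": "4.4.0-45.66", "running": "4.4.0-45-generic"},
    {"name": "web-02", "installed": "4.4.0-45.66", "running": "4.4.0-43-generic"},
    {"name": "db-01", "installed": "4.4.0-38.57", "running": "4.4.0-38-generic"},
]


if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

The reboot-required bucket is the one that patch reports most often miss: web-02 has the fixed package installed and would pass a naive package-version check, yet it is still running the vulnerable kernel and remains exploitable until it is restarted.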

To this end ESET formed another Technology Alliance with software vendor Flexera, which recently acquired the well-known security vendor Secunia. Through this partnership, ESET now also offers Corporate Software Inspector, one of the most popular and established patch management solutions on the market. Secunia’s Vulnerability Review 2016 indicated that the number of vulnerabilities detected in 2015 was 16,081, which were “discovered in 2484 applications from 263 vendors” and shows a worrying “39% increase over the course of the five-year trend and a 2% increase from 2014 to 2015.”

Keep an eye out for coming news, material and demos regarding Corporate Software Inspector, or contact us.


Breached site notifications tested by Firefox

Firefox is testing an in-browser notification to alert users when they are visiting a site that has experienced a data breach.

This project is in collaboration with “Have I Been Pwned”, the popular site that allows users to check their email address to find out if their credentials have been stolen by hackers.

“Firefox is just looking at which sites have been breached and we’re discussing other ways of using the data in the future,” said security researcher and creator of Have I Been Pwned Troy Hunt. “They’ve got a broad reach and surfacing this info via Firefox is a great way to get more exposure around data breaches.”


While the ‘Breach Alerts’ feature will issue a warning about a website, it won’t actually prevent users from visiting it, only alert them. The extension currently includes an input field where users can subscribe an email address in order to be alerted when they may be affected by a future breach. This feature has received some criticism, since the collected email addresses are themselves a dataset that could be breached.

It has not yet been announced when the alerts will be baked into a standard Firefox release. Once the feature is rolled out en masse, however, it is poised to act as a constant reminder of the hacks suffered by particular websites. Given their frequent occurrence, security breaches aren’t easy to keep track of, which is where Firefox intends to come in.

In the latest in a long list of hacked websites, image-hosting website Imgur confirmed last week that the email addresses and passwords of 1.7 million user accounts had been stolen back in 2014.


ICT ministers reiterate need for Africa to be involved in cyber security

ICT ministers reiterate need for Africa to be actively involved in cyber-security, cybercrime

On Thursday 23 November, African Ministers of Communication and Information Technologies gathered in Addis Ababa for the second ordinary session of the Specialized Technical Committee on Communication and ICT (STC CICT-2) to discuss and make decisions regarding continental and regional programmes that affect Africans in the communications and ICT sectors.

The Ministerial Conference was officially opened by Mr Cheikh Bedda, Director of the Infrastructure and Energy Department, on behalf of Dr Amani Abou-Zeid, Commissioner for Infrastructure and Energy of the African Union, under the chairmanship of Honourable H.E. Mr Modibo Arouna Touré, Minister of Digital Economy and Communication of the Republic of Mali.

Mr Bedda emphasized: “The AU Commission strongly believes that the building of Africa’s information society requires a secure and safe cyber space, an appropriate infrastructure and efficient coordination and adequate harmonized legal and regulatory frameworks.” He went on to mention that “the AU Commission developed a Convention on Cyber legislation for the continent that adheres to the legal and regulatory requirements on electronic transactions, cyber security, and personal data protection. The Convention was adopted by the AU Assembly in June 2014.”

The main topics discussed in this conference centred on the evolution of the information society in Africa and its ongoing digital transformation, namely: intra-Africa connectivity; access to broadband Internet; delivery of digital services; and digital literacy of African citizens.

“The Governance of the Internet is a concern to all of us because it is in the heart of economic, political, geopolitical stakes at the national level. For this particular reason it becomes imperative for Africa to become actively involved in the dynamics of Internet Governance, Cybersecurity, and Cybercrime” – Minister Modibo Arouna Touré, Chair of the STC on Communication and ICT


The meeting elected the following members to the Bureau of the STC CICT-2 for the next two years:

  • Eastern Africa: Ethiopia- Chair of the Bureau;
  • Central Africa: Congo- 1st Vice Chair of the Bureau;
  • Northern Africa: Tunisia- 2nd Vice Chair of the Bureau;
  • Southern Africa: South Africa- 3rd Vice Chair of the Bureau;
  • Western Africa: Ghana- Rapporteur of the Bureau

This second 2017 ordinary session of the Specialized Technical Committee (STC) on Communication and ICT ended on Friday November 24, 2017.