
Security: WireGuard, SafeBreach and More

Filed under
Security
  • WireGuard Snapshot `0.0.20191012` Available
    
    Hello,
    
    A new snapshot, `0.0.20191012`, has been tagged in the git repository.
    
    Please note that this snapshot is a snapshot rather than a final
    release that is considered secure and bug-free. WireGuard is generally
    thought to be fairly stable, and most likely will not crash your
    computer (though it may).  However, as this is a snapshot, it comes
    with no guarantees; it is not applicable for CVEs.
    
    With all that said, if you'd like to test this snapshot out, there are a
    few relevant changes.
    
    == Changes ==
    
      * qemu: bump default version
      * netns: add test for failing 5.3 FIB changes
      
      Kernels 5.3.0 - 5.3.3 crash (and are probably exploitable) via this one liner:
      
      unshare -rUn sh -c 'ip link add dummy1 type dummy && ip link set dummy1 up && ip -6 route add default dev dummy1 && ip -6 rule add table main suppress_prefixlength 0 && ping -f 1234::1'
      
      We fixed this upstream here:
      
      https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=ca7a03c4175366a92cee0ccc4fec0038c3266e26
      
      This is relevant to WireGuard because a very similar sequence of commands is
      used by wg-quick(8).
      
      So, we've now added some tests to catch this code path in the future. While
      the bug here was a random old use-after-free, the test checks the general
      policy routing setup used by wg-quick(8), so that we make sure this continues
      to work with future kernels.
      
      * noise: recompare stamps after taking write lock
      
      We now recompare counters while holding a write lock.
      
      * netlink: allow preventing creation of new peers when updating
      
      This is a small enhancement for wg-dynamic, so that we can update peers
      without readding them if they've already been removed.
      
      * wg-quick: android: use Binder for setting DNS on Android 10
      
      wg-quick(8) for Android now supports Android 10 (Q). We'll be releasing a new
      version of the app for this later today.
    
    This snapshot contains commits from: Jason A. Donenfeld and Nicolas Douma.
    
    As always, the source is available at https://git.zx2c4.com/WireGuard/ and
    information about the project is available at https://www.wireguard.com/ .
    
    This snapshot is available in compressed tarball form here:
      https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.20191012.tar.xz
      SHA2-256: 93573193c9c1c22fde31eb1729ad428ca39da77a603a3d81561a9816ccecfa8e
      BLAKE2b-256: d7979c453201b9fb6b1ad12092515b27ea6899397637a34f46e74b52b36ddf56
    
    A PGP signature of that file decompressed is available here:
      https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.20191012.tar.asc
      Signing key: AB9942E6D4A4CFC3412620A749FC7012A5DE03AE
    
    If you're a snapshot package maintainer, please bump your package version. If
    you're a user, the WireGuard team welcomes any and all feedback on this latest
    snapshot.
    
    Finally, WireGuard development thrives on donations. By popular demand, we
    have a webpage for this: https://www.wireguard.com/donations/
    
    Thank you,
    Jason Donenfeld
    
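    The announcement above publishes two digests for the tarball and a PGP signature that covers the decompressed tar, not the .xz. The following checker is an added example, not part of the WireGuard mail or project; the digests, URL-derived filename and signing key are the values quoted above, while `write_sample()` and the gpg invocation are assumptions of this example.

```python
# Added example: check a WireGuard snapshot tarball against the announced
# digests and signature. write_sample() builds a constructed stand-in file.
import hashlib
import lzma
import subprocess
import tempfile

# Values quoted in the snapshot announcement.
ANNOUNCED = {
    "SHA2-256": "93573193c9c1c22fde31eb1729ad428ca39da77a603a3d81561a9816ccecfa8e",
    "BLAKE2b-256": "d7979c453201b9fb6b1ad12092515b27ea6899397637a34f46e74b52b36ddf56",
}
SIGNING_KEY = "AB9942E6D4A4CFC3412620A749FC7012A5DE03AE"

def digests(path):
    """Return the SHA2-256 and BLAKE2b-256 hex digests of a file."""
    sha = hashlib.sha256()
    b2 = hashlib.blake2b(digest_size=32)  # BLAKE2b with a 256-bit output
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            sha.update(chunk)
            b2.update(chunk)
    return {"SHA2-256": sha.hexdigest(), "BLAKE2b-256": b2.hexdigest()}

def verify_digests(path, expected):
    """True only if every announced digest matches the file."""
    got = digests(path)
    return all(got[name] == value.lower() for name, value in expected.items())

def verify_signature(tar_xz_path, asc_path):
    """The .asc signs the *decompressed* tarball: decompress, then hand the
    plain tar to gpg on stdin. Needs gpg with the signing key imported, so
    the offline sample does not exercise it (assumed invocation)."""
    with open(tar_xz_path, "rb") as f:
        tar_bytes = lzma.decompress(f.read())
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", asc_path, "-"],
                          input=tar_bytes, capture_output=True)
    valid = any(line.startswith(b"[GNUPG:] VALIDSIG") and SIGNING_KEY.encode() in line
                for line in proc.stdout.splitlines())
    return proc.returncode == 0 and valid

def write_sample():
    """Write a constructed file (not the real snapshot) and return its path."""
    tmp = tempfile.NamedTemporaryFile("wb", suffix=".tar.xz", delete=False)
    tmp.write(lzma.compress(b"constructed sample, not WireGuard-0.0.20191012"))
    tmp.close()
    return tmp.name
```

Run `verify_digests("WireGuard-0.0.20191012.tar.xz", ANNOUNCED)` on the real download; the constructed sample is expected to fail that comparison.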
  • WireGuard 0.0.20191012 Released With Latest Fixes

    WireGuard is still working on transitioning to the Linux kernel's existing crypto API as a faster approach to finally make it into the mainline kernel, but for those using the out-of-tree WireGuard secure VPN tunnel support, a new development release is available.

  • SafeBreach catches vulnerability in controversial HP Touchpoint Analytics software

    Now the feature is embroiled in another minor controversy after security researchers at SafeBreach said they uncovered a new vulnerability. HP Touchpoint Analytics comes preinstalled on many HP devices that run Windows. Every version below 4.1.4.2827 is affected by what SafeBreach found.

    In a blog post, SafeBreach Labs security researcher Peleg Hadar said that because the service is executed as "NT AUTHORITY\SYSTEM," it is afforded extremely powerful permissions that give it wide access.

    "The CVE-2019-6333 vulnerability gives attackers the ability to load and execute malicious payloads using a signed service. This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass, Signature Validation Bypassing," Hadar wrote.

    [...]

    The company has long had to defend HP Touchpoint Analytics against critics who say it gives HP unnecessary access to users' systems. When it first became widely noticed in 2017, dozens of users complained that they had not consented to adding the system.

  • Security Tool Sprawl Reaches Tipping Point
  • How trusted digital certificates complement open source security

    Application developers incorporating open source software into their designs may only discover later that elements of this software have left them (and their customers) exposed to cyber-attacks.

  • Securing the Container Supply Chain

More in Tux Machines

Intel: oneAPI and IWD 1.1

  • Intel Releases oneAPI Base Toolkit Beta For Performance-Focused, Cross-Device Software

    The oneAPI Base Toolkit is for writing code that runs across CPUs, GPUs, and FPGAs among other possible accelerators. The primary programming language is their Data Parallel C++, and SYCL fits into the toolchain as well. OpenMP and MPI are supported with the oneAPI HPC toolkit. Other components include the oneAPI IoT Toolkit for developing IoT software and the oneAPI rendering toolkit for ray-tracing and visual rendering. The different toolkits can be found here.

  • IWD 1.1 Released For Intel's Linux Wireless Daemon

    IWD 1.0 stabilized this wireless daemon's interfaces and made it ready for embedded and desktop use-cases as an alternative to the likes of WPA-Supplicant. With IWD 1.1 there are just a few changes amounting to some basic fixes, while the new feature is radio resource management.

Programming Leftovers

  • What is -pipe and should you use it?

    This argument may have been needed in the ye olden times of supporting tens of broken commercial unixes. Nowadays the only platform where this might make a difference is Windows, given that its file system is a lot slower than Linux's. But is its pipe implementation any faster? I don't know, and I'll let other people measure that.

    The "hindsight is perfect" design lesson to be learned

    Looking at this now, it is fairly easy to see that this command line option should not exist. Punting the responsibility of knowing whether files or pipes are faster (or even work) on any given platform to the user is poor usability. Most people don't know that, and performance characteristics of operating systems change over time. Instead this should be handled inside the compiler with logic roughly like the following:

  • ABlog v0.10 released

    ABlog v0.10 is released with the main focus being to support the latest version of Sphinx as well as Python 3 only support. Ablog V0.9.X will no longer be supported as Python 2 comes to an end in a few months and it is time people upgraded.

  • How and why I built Sudoku Solver

    The process was pretty intensive. First of all, I went to the drawing board thinking of how to actually do this. I drew a 3x3 matrix and thought how it could be done on this miniature matrix of 3x3. But figuring out the right path was difficult, and to get inspiration or an idea as to how to solve this problem I started solving sudoku problems on my own, easy to expert level, but once I got the hang of them I got back to my project. I noted down every technique or idea in the notebook that I always carried with me; I made sure not to look this up on Google, I wanted to build this thing from scratch on my own. Experimenting day after day, lines of code stacking up, it took me 15 days to complete the code, and the moment a correctly filled sudoku matrix was given out, well, I was on cloud nine.

  • Unconventional Secure and Asynchronous RESTful APIs using SSH

    Some time ago, in a desperate search for asynchronicity, I came across a Python package that changed the way I look at remote interfaces: AsyncSSH. Reading through their documentation and example code, you’ll find an interesting assortment of use cases. All of which take advantage of the authentication and encryption capabilities of SSH, while using Python’s asyncio to handle asynchronous communications. Thinking about various applications I’ve developed over the years, many included functions that could benefit from decoupling into separate services. But at times, I would avoid it due to security implications. I wanted to build informative dashboards that optimize maintenance tasks. But they bypassed business logic, so I wouldn’t dare expose them over the same interfaces. I even looked at using HTTPS client certs, but support from REST frameworks seemed limited.

Review: Emmabuntüs DE3-1.00

It was recently pointed out to me that I have never written a review of the Emmabuntüs distribution and I was asked to address this oversight. With that in mind, I downloaded the latest version of this Debian-based desktop distribution. Emmabuntüs features the Xfce desktop and runs on packages provided by Debian 10 "Buster". The project, which is designed to be run on older or used computers in order to extend their usefulness, is available in 32-bit (x86) and 64-bit (x86_64) builds. The distribution strives to lower the bar for trying Linux by providing support for multiple languages and using the friendly Calamares installer to set up the operating system. I downloaded the 64-bit version of Emmabuntüs which is a hefty 3.1GB.

Booting from the Emmabuntüs media brings up a boot menu asking us to pick our preferred language from a list. Then we are asked if we want to try the distribution's live desktop or launch either a text-based or graphical installer. The installer options launch Debian's text and graphical installers, respectively. The Try option launches a live desktop environment running the Xfce 4.12 desktop. I decided to use the live desktop to test the distribution before installing it.

When the Xfce desktop first loads we are shown a series of welcome windows. The first one just displays a short greeting. The next one invites us to change our keyboard's layout (the default mapping is US). Another pop-up asks if we want to turn on a number of features. These include enabling a dock, activating the taskbar, activating the workspace, and enabling a dark theme. To be frank, I'm not sure what the utility means by activating the workspace and none of the options are explained. Enabling the dock gives us a macOS style launcher at the bottom of the screen and the other two options did not appear to have any significant effect whether turned on or not. The next window offers to install Flash and media codecs. It will then try to download and install these packages while we wait.

When it is done, another welcome window appears. This one displays a grid of buttons that provide short-cuts to on-line documentation and a forum, a local PDF with tips on using Debian, and quick access to the software manager, settings panel, and some convenience tools. I will talk about these features later.

A panel at the top of the Xfce desktop holds the application menu, task switcher, and the system tray. In the upper-right corner is a menu we can use to log out or shut down the computer. Icons on the desktop offer to run the Calamares installer, run an uninstaller, launch the Disks utility to partition the hard drive, and open a tool to change the keyboard layout. There is also an icon for opening a tool to repair the boot loader.

The concept of an uninstaller intrigued me since usually people do not remove operating systems so much as remove their partition or install over them. I tested this tool and found the uninstaller will search for partitions with an operating system installed and then offer to format the selected partition with either the NTFS or ext3 filesystem.

The live environment, once we navigate through the welcome windows, worked well for me. Xfce was responsive and straightforward to use. My hardware was working well with the distribution and I was happy to move ahead with running the installer.

OSMC's November update is here with Kodi 18.5

OSMC's November update is now here with Kodi v18.5. Please be aware that there are currently issues with the TVDB scraper. This is not related to the update and we expect these issues to be resolved shortly. We continue our development for 3D Frame Packed (MVC) output for Vero 4K / 4K + and a significantly improved video stack which will land before the end of the year. Our work on preparing Raspberry Pi 4 support continues. Team Kodi recently announced the 18.5 point release of Kodi Leia. We have now prepared this for all supported OSMC devices and added some improvements and fixes.