Language Selection

English French German Italian Portuguese Spanish

Security

Red Hat Enterprise Linux and CentOS Now Patched Against Latest Intel CPU Flaws

Filed under
Linux
Red Hat
Security

After responding to the latest security vulnerabilities affecting Intel CPU microarchitectures, Red Hat has released new Linux kernel security updates for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 operating systems to address the well-known ZombieLoad v2 flaw and other issues. The CentOS community also ported the updates for their CentOS Linux 6 and CentOS Linux 7 systems.

The security vulnerabilities patched in this new Linux kernel security update are Machine Check Error on Page Size Change (IFU) (CVE-2018-12207), TSX Transaction Asynchronous Abort (TAA) (CVE-2019-11135), Intel GPU Denial Of Service while accessing MMIO in lower power state (CVE-2019-0154), and Intel GPU blitter manipulation that allows for arbitrary kernel memory write (CVE-2019-0155).

Read more

Leftovers: KPublicTransport, ONNX and Security

Filed under
KDE
OSS
Security
  • KPublicTransport Backend Selection

    At Akademy earlier this year I presented the current state of KPublicTransport, and mentioned a remaining privacy-relevant issue in there for giving its users full control about which backend service to query. This has now been addressed, with a way to list and chose backends globally or per request.

  • The ONNX format becomes the newest Linux Foundation project

    The Linux Foundation today announced that ONNX, the open format that makes machine learning models more portable, is now a graduate-level project inside of the organization’s AI Foundation. ONNX was originally developed and open-sourced by Microsoft and Facebook in 2017 and has since become somewhat of a standard, with companies ranging from AWS to AMD, ARM, Baudi, HPE, IBM, Nvidia and Qualcomm supporting it. In total, more than 30 companies now contribute to the ONNX code base.

  • IPFire 2.23 - Core Update 138 is available for testing

    Just with the release of IPFire 2.23 - Core Update 137, we are making the next update available to address and mitigate recently announced vulnerabilities in Intel processors.

  • White Screen of Death: Admins up in arms after experimental Google emission borks Chrome

    An experimental feature silently rolled out to the stable Chrome release on Tuesday caused chaos for IT admins this week after users complained of facing white, featureless tabs on Google's massively popular browser.

    The issue affected thousands of businesses' terminal servers, with multiple users on the same server experiencing "white screen of death" at the same time.

Top 15 Best Security-Centric Linux Distributions of 2019

Filed under
GNU
Linux
Security

Being anonymous on the Internet is not particularly the same as surging the web safely, however, they both involve keeping oneself and one’s data private and away from the prying eyes of entities that may otherwise take advantage of system vulnerabilities in order to harm targeted parties.

There is also the risk of surveillance from the NSA and several other top-level organizations and this is why it is good that developers have taken it upon themselves to build privacy-dedicated distros that host an aggregate of tools that enable users to achieve both online autonomy and privacy.

In as much as these privacy-centric Linux distros are targetted at a niche in the Linux community, many of them are robust enough to be used for general-purpose computing and many more can be tweaked to support requirements for virtually any specific user base.

A common factor across almost all privacy-centric Linux distros is their relationship with Tor given that many of them come with Tor’s solid anonymity network service built-in and this, in turn, gives users an environment for them to live in safely without any data logs whatsoever, unlike most VPN providers that will still log your real IP address while still being able to see whatever data you may be transmitting at the point of exit of VPN servers.

Read more

Security Leftovers

Filed under
Linux
Security
  • How the Linux kernel balances the risks of public bug disclosure

    Last month a serious Linux Wi-Fi flaw (CVE-2019-17666) was uncovered that could have enabled an attacker to take over a Linux device using its Wi-Fi interface. At the time it was disclosed Naked Security decided to wait until a patch was available before writing about it.

    Well, it’s been patched, but the journey from discovery to patch provides some insights into how the Linux open-source project (the world’s largest collaborative software development effort) manages bug fixes and the risks of disclosure.

  • New NextCry Ransomware Encrypts Data on NextCloud Linux Servers
  • Using Nmap For Port Scanning + Other Tools to Use

    Nmap is a well-known utility that is bundled with many Linux distributions and that is also available for Windows and several other platforms. Essentially a scanning and mapping tool, there’s a lot that Nmap can do for you.

    Today, we’re having a look as using Nmap for port scanning which, incidentally, is the tool’s primary usage. Port scanning is an essential task of network management as it ensures that no backdoors are left unaddressed. It is one of the most basic forms of securing the network.

    Before we get into the how-to part of this post, we’ll sidetrack a little and first introduce Nmap and its GUI cousin Zenmap. We’ll then explain what ports are and how you need to be careful not to leave unused ports open on your devices. Then, we’ll get to the essence of this post and show you how to use Nmap for port scanning. And since there are quite a few other tools that can be viable alternatives to Nmap for port scanning—some of them much better or easier to use tools—we’ll finally review some of the very best Nmap alternatives for port scanning.

Security: IPFire Update, Latest Patches and Freexian/Debian Report

Filed under
Security
  • IPFire 2.23 - Core Update 137 released

    We are happy to announce the release of IPFire 2.23 - Core Update 137. It comes with an updated kernel, a reworked Quality of Service and various bug and security fixes.

    Development around the Quality of Service and tackling some of the bugs required an exceptional amount of team effort in very short time and I am very happy that we are now able to deliver the result to you to improve your networks. Please help us to keep these things coming to you with your donation!

  • Security updates for Friday

    Security updates have been issued by CentOS (kernel), Debian (ghostscript, mesa, and postgresql-common), Fedora (chromium, php-robrichards-xmlseclibs, php-robrichards-xmlseclibs3, samba, scap-security-guide, and wpa_supplicant), Mageia (cpio, fribidi, libapreq2, python-numpy, webkit2, and zeromq), openSUSE (ImageMagick, kernel, libtomcrypt, qemu, ucode-intel, and xen), Oracle (kernel), Red Hat (ghostscript, kernel, and kernel-rt), Scientific Linux (ghostscript and kernel), SUSE (bash, enigmail, ghostscript, ImageMagick, kernel, libjpeg-turbo, openconnect, and squid), and Ubuntu (ghostscript, imagemagick, and postgresql-common).

  • Freexian’s [Raphaël Hertzog] report about Debian Long Term Support, October 2019

Security things in Linux v5.3

Filed under
Linux
Security

In the continuing work to remove “uninitialized” variables from the kernel, Alexander Potapenko added new “init_on_alloc” and “init_on_free” boot parameters (with associated Kconfig defaults) to perform zeroing of heap memory either at allocation time (i.e. all kmalloc()s effectively become kzalloc()s), at free time (i.e. all kfree()s effectively become kzfree()s), or both. The performance impact of the former under most workloads appears to be under 1%, if it’s measurable at all. The “init_on_free” option, however, is more costly but adds the benefit of reducing the lifetime of heap contents after they have been freed (which might be useful for some use-after-free attacks or side-channel attacks). Everyone should enable CONFIG_INIT_ON_ALLOC_DEFAULT_ON=1 (or boot with “init_on_alloc=1“), and the more paranoid system builders should add CONFIG_INIT_ON_FREE_DEFAULT_ON=1 (or “init_on_free=1” at boot). As workloads are found that cause performance concerns, tweaks to the initialization coverage can be added.

Read more

Debian Project Releases Linux Security Updates to Patch Latest Intel CPU Flaws

Filed under
Linux
Security
Debian

As reported earlier this week, four new security vulnerabilities have been discovered in the Linux kernel and with an impact on Intel CPUs, namely CVE-2019-11135, CVE-2018-12207, CVE-2019-0154 and CVE-2019-0155, which may lead to privilege escalation, information leak, as well as denial of service.

Following on the footsteps of Canonical and Red Hat, Debian Project has also released new Linux kernel security patches, along with new intel-microcode updates to mitigate all these new vulnerabilities in the Debian GNU/Linux 9 "Stretch" and Debian GNU/Linux 10 "Buster" operating systems.

Read more

Security: Scare, Onion and Listening Devices

Filed under
Security
  • Yes, if you install malicious programs, then they will likely do malicious things [Ed: Yes, if you install malicious programs, then they will likely do malicious things]

    The researchers determined that parts of a specific component used by Cobalt in the third stage of an attack are present in PureLocker. It is the JScript loader for the "more_eggs" backdoor, described by security researchers at Morphisec.

    In previous research, IBM X-Force revealed that FIN6, another cybercriminal group targeting financial organizations, also used the "more_eggs" malware kit.

    Most of the code in PureLocker is unique, though. This suggests that the malware is either a new one or an existent threat that has been heavily modified.

  • What is Security Onion? And is it better than a commercial IDS?

    Back in the early oughts, a common complaint about Linux was that while it was free/libre, it came with no support and you had to pay expensive senior sysadmins to run Linux systems. Fast forward to today, and Linux has conquered basically every field except for the desktop market.

    [...]

    Security Onion is looking more and more polished with every year that passes, and it may be worth considering if you've got a deep enough security bench to customize, deploy and maintain Security Onion for your enterprise.

  • Fooling Voice Assistants with Lasers

    Siri, Alexa, and Google Assistant are vulnerable to attacks that use lasers to inject inaudible—and sometimes invisible—commands into the devices and surreptitiously cause them to unlock doors, visit websites, and locate, unlock, and start vehicles, researchers report in a research paper published on Monday. Dubbed Light Commands, the attack works against Facebook Portal and a variety of phones.

    Shining a low-powered laser into these voice-activated systems allows attackers to inject commands of their choice from as far away as 360 feet (110m). Because voice-controlled systems often don’t require users to authenticate themselves, the attack can frequently be carried out without the need of a password or PIN. Even when the systems require authentication for certain actions, it may be feasible to brute force the PIN, since many devices don’t limit the number of guesses a user can make. Among other things, light-based commands can be sent from one building to another and penetrate glass when a vulnerable device is kept near a closed window.

    The attack exploits a vulnerability in microphones that use micro-electro-mechanical systems, or MEMS. The microscopic MEMS components of these microphones unintentionally respond to light as if it were sound. While the researchers tested only Siri, Alexa, Google Assistant, Facebook Portal, and a small number of tablets and phones, the researchers believe all devices that use MEMS microphones are susceptible to Light Commands attacks.

Security Updates and More Intel Defends

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by Debian (dpdk, intel-microcode, kernel, libssh2, qemu, and webkit2gtk), Fedora (apache-commons-beanutils, bluez, iwd, kernel, kernel-headers, kernel-tools, libell, and microcode_ctl), openSUSE (gdb), Oracle (kernel), Red Hat (kernel and kernel-rt), SUSE (dhcp, evolution, kernel, libcaca, python, python-xdg, qemu, sysstat, ucode-intel, and xen), and Ubuntu (dpdk, intel-microcode, kernel, linux, linux-aws, linux-kvm, linux, linux-lts-trusty, linux-azure, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-kvm, linux-oem-osp1, linux-oracle, linux-raspi2, linux-lts-xenial, linux-aws, linux-raspi2, and webkit2gtk).

  • Fedora and the November 12 Hardware Vulnerabilities.

    As all of the news sites are picking up stories on the latest hardware vulnerabilities, I felt it best to give the Fedora update. I won't go into detail on the vulnerabilities themselves, as Red Hat has already done a good write up on each of the CVEs which I will link to below. There is one case to note where Fedora will differ from the Red Hat write ups. For "Transactional Synchronization Extensions (TSX) Asynchronous Abort" Fedora has chosen to default to "tsx=off Disable the TSX feature". This will likely be of no impact to most users, but as Fedora has taken a different stance from the Red Hat documentation here, it should be noted.

  • Intel's Linux Graphics Driver Updated For Denial Of Service + Privilege Escalation Bugs

    Of the 77 security advisories Intel is making public and the three big ones of the performance-sensitive JCC Erratum, the new ZombieLoad TAA (TSX Asynchronous Abort), and iTLB Multihit No eXcuses, there are also two fixes to their kernel graphics driver around security issues separate from the CPU woes.

    CVE-2019-0155 is about user-space writes to the blitter command streamer that could allow an unprivileged user to elevate their privileges on the system.

    CVE-2019-0154 is the other vulnerability and that could result in an unprivileged user being able to cause a denial of service by reading select memory regions when the graphics hardware is in certain low-power configurations.

Canonical Outs Major Linux Kernel Security Updates for All Supported Ubuntu OSes

Filed under
Security
Ubuntu

As announced the other day, Canonical was quick to respond to the latest security vulnerabilities affecting Intel CPU microarchitectures, so they now published Linux kernel updates to mitigate them. These are CVE-2019-11135, CVE-2018-12207, CVE-2019-0154, and CVE-2019-0155, which could allow local attackers to either expose sensitive information or possibly elevate privileges or cause a denial of service.

On top of these security issues affecting Intel CPUs, the new Linux kernel security updates also address three vulnerabilities (CVE-2019-15791, CVE-2019-15792, and CVE-2019-15793) discovered by Google Project Zero's Jann Horn in the shiftfs implementation, which could allow a local attacker to either execute arbitrary code, cause a denial of service (system crash), or bypass DAC permissions.

Read more

Syndicate content

More in Tux Machines

Type Title Author Replies Last Postsort icon
Story Updated Debian 10: 10.2 released Roy Schestowitz 4 17/11/2019 - 12:41am
Story today's howtos Roy Schestowitz 17/11/2019 - 12:32am
Story Games: Baba, Dicey Dungeons, Factorio and Enabling GameMode Roy Schestowitz 17/11/2019 - 12:30am
Story Red Hat Enterprise Linux and CentOS Now Patched Against Latest Intel CPU Flaws Rianne Schestowitz 16/11/2019 - 8:22pm
Story Red Hat: Oracle Linux 8 Update 1 (RHEL 8.1), SDNs and NFV Roy Schestowitz 1 16/11/2019 - 6:09pm
Story Android Leftovers Rianne Schestowitz 16/11/2019 - 6:04pm
Story Firefox vs. Chrome Browser Performance On Intel Ice Lake + Power/Memory Usage Tests Rianne Schestowitz 16/11/2019 - 5:55pm
Story Leftovers: KPublicTransport, ONNX and Security Roy Schestowitz 16/11/2019 - 5:01pm
Story GNOME Foundation is Being Sued Because of Shotwell Photo Manager itsfoss 26 16/11/2019 - 4:55pm
Story Debian reconsiders init-system diversity Roy Schestowitz 1 16/11/2019 - 4:48pm