Information Security Newspaper | Infosec Articles | Hacking News (https://www.securitynewspaper.com/), feed generated Wed, 04 Oct 2023 18:58:35 +0000

Hacking Debian 12, 13, Ubuntu 22.04, 23.04 & Fedora 37, 38 servers using a single vulnerability
https://www.securitynewspaper.com/2023/10/04/hacking-debian-12-13-ubuntu-22-04-23-04-fedora-37-38-servers-using-a-single-vulnerability/
Wed, 04 Oct 2023 18:58:34 +0000

The Qualys Threat Research Unit has disclosed a vulnerability in the GNU C Library (glibc) that lets a local attacker escalate to root. The flaw is a buffer overflow in glibc's dynamic loader, ld.so. It is tracked as CVE-2023-4911, nicknamed "Looney Tunables", and rated high severity with a CVSS score of 7.8.

Because ld.so runs before the main program of every dynamically linked executable, set-user-ID binaries included, an attacker who triggers the overflow from an unprivileged local account ends up with root, which is complete control of the host: reading any data, changing any configuration, and installing persistence.

The GNU C Library, or glibc, is the C library underneath nearly every Linux-based system. It supplies the runtime functions and the system-call wrappers that almost every program uses, from open, malloc and printf through to exit, so a flaw in glibc is a flaw in practically every process on the machine, which is why administrators and users alike should take one seriously.

Within glibc, the dynamic loader ld.so is especially sensitive. It is the first code to run in any dynamically linked program: it maps the program and its shared libraries, resolves symbols and only then hands control to the program itself. Because it executes in the security context of the process it is loading, a bug in ld.so is reachable from every program on the system, including set-user-ID binaries that run with elevated privileges.

Organisations and users running glibc-based Linux systems should treat "Looney Tunables" as urgent: apply the distribution's glibc update as soon as it is available and follow the advisories published by the distributions and by glibc upstream for any further guidance.

Beyond this particular fix, the usual controls limit the damage a local privilege escalation can do: timely patching, endpoint monitoring, security awareness training for staff, and network segmentation so that a compromised low-privilege account on one host cannot be turned into a foothold elsewhere. These measures also blunt the next vulnerability of this kind.

The vulnerable code is the part of ld.so that parses the GLIBC_TUNABLES environment variable. Because the loader processes this variable before the program's own code starts, a local attacker who controls the environment of a set-user-ID (SUID) root binary can hand it a malformed GLIBC_TUNABLES value and make ld.so corrupt memory while it is already running with the binary's elevated privileges. No network access is involved; a shell as any local user is enough.
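The C program below is an added example, not Qualys's exploit and not code from glibc. It is a dry-run model of the vulnerable ld.so parse loop, written from the public description of the root cause: when the value assigned to a tunable itself contains a second name=value pair, the loop rewrites the tunable into its fixed-size copy of the variable, fails to advance past the value, and so rewrites the same text again, and that second write-back runs past the end of the buffer. The model counts the writes the real loop would make instead of performing them out of bounds. It knows a single tunable name and assumes, as Qualys's published trigger string does, that glibc.malloc.mxfast is a tunable the set-user-ID path writes back; that write-back happens only for AT_SECURE processes, which is why only SUID binaries are affected.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Only one tunable name is modelled.  Assumption taken from the public
 * trigger string: glibc.malloc.mxfast is not SXID_ERASE, so the secure-mode
 * loop writes it back into the buffer. */
static const char *const KNOWN_TUNABLE = "glibc.malloc.mxfast";

/* Mirrors glibc's tunable_is_name(): a match needs the candidate name to be
 * immediately followed by '='. */
static bool tunable_is_name(const char *orig, const char *envname)
{
    for (; *orig != '\0' && *envname != '\0'; orig++, envname++)
        if (*orig != *envname)
            break;
    return *orig == '\0' && *envname == '=';
}

/*
 * Dry run of the loop ld.so (glibc 2.34 up to the fix) runs over the value of
 * GLIBC_TUNABLES.  ld.so keeps a writable copy of the value (tunestr) in a
 * buffer of exactly strlen(value)+1 bytes and, for a set-user-ID program
 * (__libc_enable_secure, here `secure`), rewrites every accepted tunable back
 * into that same buffer at offset `off`.  Each write is checked against the
 * allocation instead of being performed blindly: the first one that would land
 * at or past the end is reported through *first_bad_off and true is returned.
 */
bool tunables_parse_overflows(const char *valstring, bool secure, size_t *first_bad_off)
{
    size_t alloc = strlen(valstring) + 1;
    char buf[256];                       /* model limit only; ld.so has no cap */
    if (alloc > sizeof buf)
        return false;
    memcpy(buf, valstring, alloc);
    char *tunestr = buf;
    const char *p = tunestr;
    size_t off = 0;

#define PUT(ch)                                                   \
    do {                                                          \
        if (off >= alloc) {                                       \
            if (first_bad_off) *first_bad_off = off;              \
            return true;                                          \
        }                                                         \
        tunestr[off++] = (ch);                                    \
    } while (0)

    for (;;) {
        const char *name = p;
        size_t len = 0;
        while (p[len] != '=' && p[len] != ':' && p[len] != '\0')
            len++;
        if (p[len] == '\0') {            /* no further name=value pair */
            if (secure)
                PUT('\0');
            return false;
        }
        if (p[len] == ':') {             /* bare name without a value: skip */
            p += len + 1;
            continue;
        }
        p += len + 1;
        /* The value bytes come from the ORIGINAL string at the same offset;
         * the scan that decides their length runs over the copy. */
        const char *value = &valstring[p - tunestr];
        len = 0;
        while (p[len] != ':' && p[len] != '\0')
            len++;

        if (tunable_is_name(KNOWN_TUNABLE, name)) {
            if (secure) {
                if (off > 0)
                    PUT(':');
                for (const char *n = KNOWN_TUNABLE; *n != '\0'; n++)
                    PUT(*n);
                PUT('=');
                for (size_t j = 0; j < len; j++)
                    PUT(value[j]);
            }
            /* Real code continues with value[len] = '\0' and
             * tunable_initialize(); neither changes the write count. */
        }
        /* p is NOT advanced when the value ran up to the terminator, so the
         * value text is scanned again as the next "name": the bug. */
        if (p[len] != '\0')
            p += len + 1;
    }
#undef PUT
}

/* Offset of the first out-of-bounds write for a set-user-ID program, or 0 if
 * the value is parsed without leaving the buffer. */
size_t tunables_first_bad_offset(const char *valstring)
{
    size_t bad = 0;
    return tunables_parse_overflows(valstring, true, &bad) ? bad : 0;
}

int main(void)
{
    const char *inputs[] = {
        "glibc.malloc.mxfast=1",                       /* well-formed */
        "glibc.malloc.mxfast=1:glibc.malloc.mxfast=2", /* two separated pairs */
        "glibc.malloc.mxfast=glibc.malloc.mxfast=1",   /* value holds a second pair */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        size_t bad = 0;
        if (tunables_parse_overflows(inputs[i], true, &bad))
            printf("%-45s alloc=%zu  first out-of-bounds write at offset %zu\n",
                   inputs[i], strlen(inputs[i]) + 1, bad);
        else
            printf("%-45s alloc=%zu  fits\n", inputs[i], strlen(inputs[i]) + 1);
    }
    return 0;
}
```

For the 41-character trigger value the buffer is 42 bytes and the model reports the first out-of-bounds write at offset 42; the same value parsed for a non-SUID process (secure false) returns without writing anything, and two properly ':'-separated pairs fit, which shows that it is specifically a name=value pair inside a value that breaks the loop.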

The vulnerability was found by the Qualys Threat Research Unit. Tracing its origin, the bug was introduced in April 2021 by a commit that shipped in glibc 2.34. Ironically, that commit was itself a security fix: it corrected how SXID_ERASE tunables are removed from the environment of setuid programs.

Any local user can exploit the flaw; no special privileges and no user interaction are needed, and Qualys describes the overflow as easy to weaponise, which makes it more alarming than its local-only reach suggests.

For systems that cannot be updated promptly, Qualys has published a SystemTap script as a stopgap. Once loaded it immediately terminates any set-user-ID program started with GLIBC_TUNABLES present in its environment. SystemTap works by loading a generated kernel module, so this option is only available where Secure Boot is not enforcing module signatures. Legitimate use of a setuid program is then a matter of clearing the variable first, for example 'GLIBC_TUNABLES= sudo'; with an empty value the parser returns before doing any work.

According to Saeed Abbasi, who is the Product Manager at Qualys’ Threat Research Unit, “Our successful exploitation, leading to full root privileges on major distributions like Fedora, Ubuntu, and Debian, underscores the profound and ubiquitous nature of this vulnerability.”

Qualys is withholding its exploit code for now, but it notes that the overflow is simple to convert into a data-only attack, so independent exploits from other researchers should be expected.

Debian 12 and 13, Ubuntu 22.04 and 23.04, and Fedora 37 and 38 are confirmed vulnerable to CVE-2023-4911 and should be patched without delay; given how widely glibc is used, most other glibc-based distributions are likely to be affected as well. Distributions built on musl rather than glibc, such as Alpine Linux, are not affected.

Easily get root user privileges in Linux 6.3.1 using this vulnerability via exploit code
https://www.securitynewspaper.com/2023/05/10/easily-get-root-user-privileges-in-linux-6-3-1-using-this-vulnerability-via-exploit-code/
Wed, 10 May 2023 15:11:00 +0000

The Linux kernel manages system resources, provides core services and keeps the system stable, so a kernel bug can undermine the security of everything running on top of it. CVE-2023-32233 is such a bug: a use-after-free in the Netfilter nf_tables subsystem, the part of the kernel that holds and evaluates firewall rule configuration. The flaw is hit while nf_tables processes a batch of configuration requests sent to the kernel over netlink: it accepted certain invalid updates to its configuration, specifically mishandling anonymous sets, and left a freed object reachable. A local user with no administrative rights who submits a crafted batch can use the dangling reference to corrupt kernel memory and obtain root.

The vulnerability was found by security researchers Patryk Sondej and Piotr Krysiuk, who also wrote a working exploit that gives a local unprivileged user a root shell. They shared the exploit privately with the Linux kernel security developers to assist with the fix. One caveat matters for defenders: configuring nf_tables needs CAP_NET_ADMIN, which an unprivileged user can only obtain inside an unprivileged user namespace, so hosts that disallow those are much harder to attack from an ordinary account.

In practice the attacker builds a malformed batch whose operations drive the internal state of nf_tables into an inconsistent condition, then reuses the freed memory to take control and elevate to root.

A patch is available in the mainline kernel git repository. Administrators should deploy their distribution's fixed kernel as soon as it ships.

The issue has been reproduced on several kernel versions, including the then-current stable release, Linux 6.3.1. Left unpatched it gives any local account a route to root, with the compromise of sensitive data and serious disruption that entails.

A new privilege escalation vulnerability in the Linux kernel, enables a local attacker to execute malware on vulnerable systems
https://www.securitynewspaper.com/2023/01/16/a-new-privilege-escalation-vulnerability-in-the-linux-kernel-enables-a-local-attacker-to-execute-malware-on-vulnerable-systems/
Tue, 17 Jan 2023 00:21:37 +0000

Security researcher Davide Ornaghi has identified a new privilege escalation vulnerability in the Linux kernel and has published a proof of concept together with a write-up. Tracked as CVE-2023-0179, it is a stack-based buffer overflow in the Netfilter subsystem. A local attacker who runs a specially crafted program can exploit it to gain root.

Netfilter is the Linux kernel framework that lets networking code register handlers at hook points along the packet path. Through these hooks it provides packet filtering, network address translation and port translation, the building blocks for steering packets through a network and keeping them away from sensitive hosts. [1]

“The vulnerability consists of a stack buffer overflow caused by an integer underflow vulnerability within the nft_payload_copy_vlan function,” which is triggered with nft_payload expressions “as long as a VLAN tag is present in the current skb,” according to the description of the flaw.

Linux kernel 6.2.0-rc1 is affected by CVE-2023-0179. The flaw can be used to leak stack and heap addresses and, through arbitrary code execution, to escalate a local user to root. Users should update their kernels as soon as their distribution ships a fix, restrict local access to trusted users, and monitor systems for signs of compromise.
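Both nf_tables bugs above, CVE-2023-32233 and CVE-2023-0179, are reached through the nf_tables netlink interface, which requires CAP_NET_ADMIN; an unprivileged local user gets that capability only by creating an unprivileged user namespace. The C program below is an added example, not from either write-up, that reports whether this host lets unprivileged users do so. The decision and the /proc/modules parsing are pure functions fed with values read from /proc/sys, so they can be checked against constructed input: kernel.unprivileged_userns_clone is a Debian/Ubuntu-specific knob that may be absent, user.max_user_namespaces is the upstream one and is absent when the kernel was built without user namespaces. Whether nf_tables is currently loaded is reported for information only, because the kernel loads it on demand at the first netlink request.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reads a sysctl file as a long; -1 when the file is missing or unreadable,
 * i.e. the knob does not exist on this kernel. */
static long read_sysctl_long(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    long v = -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Reads a small text file such as /proc/modules into buf; returns bytes read. */
static size_t read_text(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (f == NULL) {
        buf[0] = '\0';
        return 0;
    }
    size_t n = fread(buf, 1, cap - 1, f);
    buf[n] = '\0';
    fclose(f);
    return n;
}

/* clone_knob: kernel.unprivileged_userns_clone, -1 if the file is absent.
 * max_ns:     user.max_user_namespaces, -1 if absent (no CONFIG_USER_NS).
 * True when an unprivileged user can create a user namespace and thereby
 * hold CAP_NET_ADMIN over a network namespace of its own. */
bool unprivileged_userns_allowed(long clone_knob, long max_ns)
{
    if (clone_knob == 0)        /* Debian/Ubuntu knob present and switched off */
        return false;
    if (max_ns == 0)            /* upstream limit set to zero: none allowed */
        return false;
    if (max_ns == -1)           /* kernel built without user namespaces */
        return false;
    return true;
}

/* True if `name` is the first field of some line of /proc/modules-style text
 * ("name size refcount deps state offset"). */
bool module_listed(const char *modules_text, const char *name)
{
    size_t n = strlen(name);
    const char *line = modules_text;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len > n && strncmp(line, name, n) == 0 && line[n] == ' ')
            return true;
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return false;
}

int main(void)
{
    long clone_knob = read_sysctl_long("/proc/sys/kernel/unprivileged_userns_clone");
    long max_ns     = read_sysctl_long("/proc/sys/user/max_user_namespaces");
    static char modules[1 << 16];
    read_text("/proc/modules", modules, sizeof modules);

    bool exposed = unprivileged_userns_allowed(clone_knob, max_ns);
    printf("kernel.unprivileged_userns_clone = %ld (-1: not present)\n", clone_knob);
    printf("user.max_user_namespaces         = %ld (-1: not present)\n", max_ns);
    printf("nf_tables module loaded          = %s (loads on demand anyway)\n",
           module_listed(modules, "nf_tables") ? "yes" : "no");
    printf("unprivileged users can reach nf_tables configuration: %s\n",
           exposed ? "YES" : "no");
    return exposed ? 1 : 0;   /* non-zero exit = exposed, for use in scripts */
}
```

Run it as any user; a non-zero exit status means an ordinary local account can reach the vulnerable code path, which is the case on default installs of most desktop and server distributions of the period.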

Critical zero day vulnerability in Linux Kernel Allows DoS Attack
https://www.securitynewspaper.com/2023/01/11/critical-zero-day-vulnerability-in-linux-kernel-allows-dos-attack/
Wed, 11 Jan 2023 22:58:42 +0000

A flaw in the Linux kernel's ksmbd NTLMv2 authentication code can be used to crash Linux hosts from the network. ksmbd, developed by Namjae Jeon, is an open-source in-kernel CIFS/SMB3 server for the Linux kernel: an implementation of the SMB/CIFS protocol in kernel space that shares files and IPC services over a network.

Exploitation only requires sending crafted SMB packets to a host running ksmbd, whether that is a server, a desktop, a tablet or a phone. The root cause is a missing length check in ksmbd_decode_ntlmssp_auth_blob(): nt_len, the NTLMv2 response length taken from the client's authentication blob, may be smaller than CIFS_ENCPWD_SIZE (16). The function subtracts CIFS_ENCPWD_SIZE from it and passes the result, blen, to ksmbd_auth_ntlmv2(), which allocates kmalloc(blen + CIFS_CRYPTO_KEY_SIZE) bytes (CIFS_CRYPTO_KEY_SIZE is 8) and then memcpy()s blen bytes into that buffer. With nt_len below 16, blen is negative. When blen lies in [-8, -1] the allocation succeeds with a size of 0 to 7 bytes while the copy length, converted to an unsigned size, is enormous, so the copy runs off the end of the heap allocation and the kernel crashes; for smaller values blen + 8 is itself negative, kmalloc() sees a huge request and the allocation fails. The reporters therefore assess the impact as a remote denial of service rather than privilege escalation or remote code execution.
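The arithmetic above can be checked in isolation. The C program below is an added example, not ksmbd's code: it models only the length handling just described, with nt_len as the 16-bit NTLMv2 response length from the client's AUTHENTICATE message, int arithmetic as in the driver, and the implicit conversions to size_t that happen at the kmalloc() and memcpy() calls. A hardened variant adds the check the real code was missing, rejecting any nt_len shorter than CIFS_ENCPWD_SIZE.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CIFS_ENCPWD_SIZE     16  /* NTLMv2 response bytes that precede the blob */
#define CIFS_CRYPTO_KEY_SIZE  8  /* server challenge copied in front of the blob */

enum auth_blob_outcome {
    BLOB_OK,            /* blen >= 0: allocation and copy lengths agree */
    BLOB_REJECTED,      /* hardened path refused an undersized nt_len */
    BLOB_ALLOC_FAILS,   /* blen < -8: kmalloc() is asked for a huge size and fails */
    BLOB_HEAP_OVERFLOW  /* blen in [-8, -1]: 0..7-byte buffer, then an 8-byte copy
                           of the challenge and a huge memcpy() of the blob */
};

/* blen exactly as ksmbd_decode_ntlmssp_auth_blob() derives it. */
int model_blen(uint16_t nt_len)
{
    return (int)nt_len - CIFS_ENCPWD_SIZE;
}

/* Size that reaches kmalloc() inside ksmbd_auth_ntlmv2(): int arithmetic first,
 * then the implicit int -> size_t conversion at the call. */
size_t model_alloc_size(uint16_t nt_len)
{
    int len = CIFS_CRYPTO_KEY_SIZE + model_blen(nt_len);
    return (size_t)len;
}

/* Length that reaches memcpy() for the blob: a negative int becomes huge. */
size_t model_copy_size(uint16_t nt_len)
{
    return (size_t)model_blen(nt_len);
}

enum auth_blob_outcome classify_auth_blob(uint16_t nt_len, bool hardened)
{
    if (hardened && nt_len < CIFS_ENCPWD_SIZE)
        return BLOB_REJECTED;                 /* the check that was missing */
    int blen = model_blen(nt_len);
    if (blen >= 0)
        return BLOB_OK;
    if (CIFS_CRYPTO_KEY_SIZE + blen < 0)      /* negative sum -> huge request */
        return BLOB_ALLOC_FAILS;
    return BLOB_HEAP_OVERFLOW;
}

static const char *outcome_name(enum auth_blob_outcome o)
{
    switch (o) {
    case BLOB_OK:            return "ok";
    case BLOB_REJECTED:      return "rejected";
    case BLOB_ALLOC_FAILS:   return "allocation fails";
    case BLOB_HEAP_OVERFLOW: return "HEAP OVERFLOW / crash";
    }
    return "?";
}

int main(void)
{
    const uint16_t samples[] = { 0, 7, 8, 15, 16, 24 };
    printf("%6s %6s %20s %20s  %s\n", "nt_len", "blen", "kmalloc size", "memcpy size",
           "vulnerable / hardened");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint16_t n = samples[i];
        printf("%6u %6d %20zu %20zu  %s / %s\n", (unsigned)n, model_blen(n),
               model_alloc_size(n), model_copy_size(n),
               outcome_name(classify_auth_blob(n, false)),
               outcome_name(classify_auth_blob(n, true)));
    }
    return 0;
}
```

The table makes the window visible: nt_len 15 gives blen -1, a 7-byte allocation and a memcpy length of SIZE_MAX; nt_len 8 gives a zero-byte allocation; nt_len 7 and below turn the allocation request itself into a huge value, which fails, so only the eight values 8 through 15 reach the overflow.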

The bug lies in how ksmbd handles NTLMv2 authentication and affects kernels from 5.15-rc1, where ksmbd was merged, onward. At the time of the report the Linux kernel developers had not yet released a fix; the issue has since been assigned CVE-2023-0210 and fixed by adding exactly the missing check that nt_len is at least CIFS_ENCPWD_SIZE.

Because the faulty code runs during authentication itself, the attacker needs no credentials: an unauthenticated remote attacker who can reach the SMB port can trigger a kernel crash and so a denial of service.

Proof-of-concept code is already circulating online, which raises the immediate risk for anyone exposing ksmbd. Users should update their kernels as soon as their distribution provides a fix and, until then, keep ksmbd disabled or off untrusted networks.

Linux Kernel has a Remote Code Execution Zero Day Vulnerability with CVSS score of 10
https://www.securitynewspaper.com/2022/12/26/linux-kernel-has-a-remote-code-execution-zero-day-vulnerability-with-cvss-score-of-10/
Mon, 26 Dec 2022 17:32:16 +0000

A use-after-free in ksmbd affects Linux kernels earlier than 5.15.61 and leaves systems that run it open to remote attack. The flaw is rated CVSS 10: an unauthenticated remote attacker can use it to execute arbitrary code in the kernel of any host with ksmbd enabled. ksmbd is the Linux kernel's in-kernel SMB3 file server, an implementation of the SMB/CIFS protocol in kernel space that shares files and IPC services over a network. Its first aim is better file I/O performance; the broader goal is to make certain new features simpler to build and maintain inside the kernel and to expose its layers fully.

The weakness lies in the processing of SMB2_TREE_DISCONNECT commands.
“Any arbitrary code may be executed by remote attackers thanks to this vulnerability, which affects certain installations of the Linux Kernel. Exploitation of this vulnerability does not need authentication; nonetheless, the vulnerability is only present on systems that have ksmbd enabled,” reads the advisory just released by ZDI. “The exact flaw may be found in the processing of SMB2_TREE_DISCONNECT commands,” the researcher said. The root cause is that the code did not verify that an object still existed before operating on it, and the result is code execution in the context of the kernel.

The Linux kernel developers fixed the issue in late July 2022, and the fix shipped in kernel version 5.15.61.

According to the researcher Shir Tamari, who is the Head of Research at Wiz IO, SMB servers that use Samba are not impacted. However, he stated that SMB servers that use ksmbd are susceptible to read access, which might result in memory leakage on the server.

Another vulnerability that allows for the remote execution of code exists in the Linux kernel (ZDI-22-1688). This vulnerability likewise affects ksmbd and was given a high severity base score of 8.5 by NIST’s NVD. To take advantage of this vulnerability would need authentication.

Three further ksmbd flaws can cause information disclosure or service disruption:

ZDI-22-1691: Linux Kernel ksmbd out-of-bounds read information disclosure vulnerability (CVSS score: 9.6).
ZDI-22-1689: Linux Kernel ksmbd out-of-bounds read denial-of-service vulnerability (CVSS score: 6.5).
ZDI-22-1687: Linux Kernel ksmbd memory exhaustion denial-of-service vulnerability (CVSS score: 5.3).

Kernels 5.15.61 and later, or earlier kernels that carry the fix commit, are not affected by these vulnerabilities.

Zero day Privilege escalation flaw CVE-2022-4139 (CVSS score: 7.0), impacts Linux kernel
https://www.securitynewspaper.com/2022/12/01/zero-day-privilege-escalation-flaw-cve-2022-4139-cvss-score-7-0-impacts-linux-kernel/
Thu, 01 Dec 2022 19:56:31 +0000

A recently discovered flaw in the Linux kernel can be exploited by a local attacker to gain elevated privileges on affected systems and run malicious code on them.

The vulnerability, tracked as CVE-2022-4139 with a CVSS score of 7.0, affects the stable kernel branches from 5.4 onward and stems from a bug in the kernel's i915 GPU driver.

To exploit it an attacker needs local access to run code on the target; the outcome is either the disclosure of sensitive memory or random memory corruption.

CVE-2022-4139 affects all Intel Gen12 integrated and discrete GPUs, including Tiger Lake, Rocket Lake, Alder Lake, DG1, Raptor Lake, DG2, Arctic Sound and Meteor Lake. It is a local flaw, not a remote one: the attacker must already be able to run a process on the affected machine.

A researcher has backported the fix to all affected stable branches, but at the time of writing Red Hat Enterprise Linux, Ubuntu, CentOS and Debian had not yet shipped it, so their kernels remained vulnerable. Experienced users can apply the patch and rebuild the kernel themselves; everyone else should install the distribution's next kernel update as soon as it appears.

The researcher claims that

In some circumstances (Gen12 hardware equipped with certain varieties of engine), the TLB of the engine is not drained at all. Due to stale TLB mapping, there are two different outcomes that might occur depending on whether or not the GPU is operating in front of an active IOMMU. These outcomes are as follows: 1. Even without IOMMU, the GPU is still able to access physical memory, which the operating system may have previously allocated to other processes. 2. If IOMMU is present, the GPU will be able to access any memory, provided that the malicious process is able to construct and reuse the appropriate IOMMU mappings.

At this time, it is unknown whether or not particular memory might be targeted; nonetheless, random memory corruption or data breaches are known to be possible outcomes.

The fix has been written and consists of correcting how certain GPU registers are written, so that the TLB invalidation actually takes effect on the affected engines.

Use After Free vulnerability in Linux Kernel allows Privilege Escalation. Patch your kernel
https://www.securitynewspaper.com/2022/11/23/use-after-free-vulnerability-in-linux-kernel-allows-privilege-escalation-patch-your-kernel/
Thu, 24 Nov 2022 00:42:59 +0000

Red Hat has published an advisory for a local privilege escalation vulnerability in the Linux kernel, tracked as CVE-2022-3910 (CVSS score: 7.4). It is a use-after-free in io_uring caused by an incorrect reference-count update. io_uring is the Linux interface for submitting system calls asynchronously through shared ring buffers; it was first merged in mainline kernel 5.1 in 2019.

CVE-2022-3910

An incorrect reference-count update in io_uring leads to a use-after-free and local privilege escalation. When io_msg_ring is invoked with a fixed file, it calls io_fput_file(), which drops a reference the request does not own. Fixed files are files registered with the ring in advance; the ring's file table holds their reference, so individual requests must not put them separately.

According to the official Red Hat website, “When io_msg_ring was executed with a fixed file, it called io_fput_file(), which wrongly lowers its reference count (leading to Use-After-Free and Local Privilege Escalation).”
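To make the ownership rule concrete, the C program below is an added example, not io_uring code. It models the two ways a request can reference a file: a request that names a file by plain descriptor takes its own reference (fget), so putting that reference on completion is correct, while a request that names a fixed file by slot index borrows the reference held by the ring's registered-file table and must not put it. The vulnerable completion path puts unconditionally, the corrected one checks the request's fixed-file flag first, and the functions at the end report the file's reference count and whether the ring's table is left pointing at a freed file.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy file object: a reference count and a "freed" flag standing in for the
 * kernel's struct file going back to the allocator. */
struct file {
    int  refcount;
    bool freed;
};

/* A ring's fixed-file table with one slot; the table owns one reference. */
struct ring {
    struct file *fixed[1];
};

/* A request referencing a file either through a plain fd (own reference taken)
 * or through a fixed slot (borrowed: no reference taken). */
struct request {
    struct file *file;
    bool fixed_file;   /* plays the role of REQ_F_FIXED_FILE */
};

static void file_get(struct file *f)   /* fget() */
{
    f->refcount++;
}

static void file_put(struct file *f)   /* fput(): last reference frees the file */
{
    if (--f->refcount == 0)
        f->freed = true;               /* any remaining pointer now dangles */
}

static void request_init(struct request *req, struct ring *ring,
                         struct file *f, bool use_fixed_slot)
{
    req->fixed_file = use_fixed_slot;
    if (use_fixed_slot) {
        req->file = ring->fixed[0];    /* borrow the table's reference */
    } else {
        file_get(f);                   /* plain fd: take our own reference */
        req->file = f;
    }
}

/* Completion as described for the vulnerable io_msg_ring(): unconditional put. */
static void msg_ring_complete_vulnerable(struct request *req)
{
    file_put(req->file);
    req->file = NULL;
}

/* Corrected completion: only a reference the request itself owns is dropped. */
static void msg_ring_complete_fixed(struct request *req)
{
    if (!req->fixed_file)
        file_put(req->file);
    req->file = NULL;
}

/* One request against a file the table owns, through either completion path. */
static void run_scenario(bool use_fixed_slot, bool vulnerable, struct file *f)
{
    f->refcount = 1;                   /* the table's reference */
    f->freed = false;
    struct ring ring = { .fixed = { f } };
    struct request req;
    request_init(&req, &ring, f, use_fixed_slot);
    if (vulnerable)
        msg_ring_complete_vulnerable(&req);
    else
        msg_ring_complete_fixed(&req);
}

/* True when the ring's table still points at a file that has been freed. */
bool table_dangles_after(bool use_fixed_slot, bool vulnerable)
{
    struct file f;
    run_scenario(use_fixed_slot, vulnerable, &f);
    return f.freed;
}

int refcount_after(bool use_fixed_slot, bool vulnerable)
{
    struct file f;
    run_scenario(use_fixed_slot, vulnerable, &f);
    return f.refcount;
}

int main(void)
{
    const char *how[] = { "plain fd", "fixed slot" };
    const char *path[] = { "fixed", "vulnerable" };
    for (int slot = 0; slot < 2; slot++)
        for (int vuln = 0; vuln < 2; vuln++)
            printf("%-10s via %-10s -> refcount %d, table %s\n", path[vuln], how[slot],
                   refcount_after(slot, vuln),
                   table_dangles_after(slot, vuln) ? "DANGLES" : "intact");
    return 0;
}
```

Only the combination of a fixed file and the unconditional put drives the count to zero while the table still holds the pointer, which is the use-after-free; a later request through the same slot would then operate on freed memory.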

The Linux kernel maintainers have released fixes for CVE-2022-3910. Users should update their kernels as soon as their distribution ships the fix, restrict local access to trusted users, and monitor systems for signs of compromise.

Patch CVE-2021-3493 critical Linux vulnerability immediately says CISA
https://www.securitynewspaper.com/2022/10/21/patch-cve-2021-3493-critical-linux-vulnerability-immediately-says-cisa/
Fri, 21 Oct 2022 20:01:54 +0000

CVE-2021-3493 is a vulnerability in the Linux kernel's OverlayFS implementation. Although it appears to affect only Ubuntu kernels, it lets a local user without administrative rights obtain root. CISA has added it to its Known Exploited Vulnerabilities Catalog, giving federal agencies until November 10 to patch. That deadline is binding on agencies under a Binding Operational Directive, but CISA urges every organisation to prioritise patching the vulnerabilities in the catalog. The flaw has been exploited in the wild by Shikitega, a stealthy Linux malware family whose infection chain uses two Linux vulnerabilities, CVE-2021-3493 and CVE-2021-4034, for privilege escalation.

CVE-2021-4034, known as PwnKit, affects Polkit's pkexec, a setuid-root program shipped by most Linux distributions. When Shikitega was first reported, coverage focused on the malware itself rather than on what may have been the first observed malicious use of CVE-2021-3493.

CISA and the MS-ISAC advise users and administrators to apply mitigations against hostile cyber activity and recommend the following best practices to reduce the likelihood of compromise:

Keep an incident response plan current and exercise it.
Maintain a vulnerability management program that prioritises patch management and scanning for known exploited vulnerabilities.
Disable unneeded network ports and protocols, remove unused network services and devices, and do not expose management interfaces to the internet.
Adopt zero-trust architecture and principles: micro-segment networks and functions, require phishing-resistant multi-factor authentication (MFA) for all users, and limit access to trusted devices and virtual private networks (VPNs).

3 critical malicious code execution vulnerabilities in Linux kernel
https://www.securitynewspaper.com/2022/10/04/3-critical-malicious-code-execution-vulnerabilities-in-linux-kernel/
Tue, 04 Oct 2022 18:16:51 +0000

A security researcher has found three new code-execution flaws in the Linux kernel that a local or physically present attacker could use to run arbitrary code and take control of the machine.

The first, CVE-2022-41850 (CVSS score: 8.4), is a use-after-free in roccat_report_event in drivers/hid/hid-roccat.c: a race occurs when a new report arrives while a copy of report->value is still in progress, and a local attacker can exploit it to execute code. The bug affects kernels through 5.19.12 and a patch has been released.

The second, CVE-2022-41848 (CVSS score: 6.8), is also a use-after-free, caused by a race between mgslpc_ioctl and mgslpc_detach in drivers/char/pcmcia/synclink_cs.c. Removing the PCMCIA device while an ioctl on it is in flight lets an attacker execute arbitrary code. It affects kernels through 5.19.12 and has been fixed.

The third, CVE-2022-41849 (CVSS score: 6.8), is a use-after-free from a race between ufx_ops_open and ufx_usb_disconnect in drivers/video/fbdev/smscufx.c. An attacker with physical access can trigger it by unplugging the USB device while open() is running. It too affects kernels through 5.19.12 and has been fixed.

Administrators are urged to upgrade their Linux machines as soon as their distributions ship the necessary updates. Additionally, it is advised that only trusted users be allowed local access to systems, and that any compromised systems be monitored closely.

Critical flaw CVE-2022-2964 with CVSS score: 7.8 affects Linux kernel and allows arbitrary code execution https://www.securitynewspaper.com/2022/09/13/critical-flaw-cve-2022-2964-with-cvss-score-7-8-affects-linux-kernel-and-allows-arbitrary-code-execution/ Tue, 13 Sep 2022 17:51:00 +0000 https://www.securitynewspaper.com/?p=25706

A critical flaw in the Linux kernel has been identified by a security expert (CVE-2022-2964, CVSS score: 7.8) that an adversary may use to execute arbitrary code.

An adversary might exploit CVE-2022-2964 to run arbitrary code or cause a denial of service on the system by delivering a specially crafted request.

Security fixes have now been formally released by the Linux kernel maintainers. Users are advised to update Linux servers right away and to install their distribution's fixes as soon as they become available. Make sure your Linux distribution is running Linux kernel 5.16.10 or a later version.

Reason Behind the flaw

The root cause is multiple out-of-bounds reads, and potentially out-of-bounds writes, in the Linux kernel driver for ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet devices, specifically in its ax88179_rx_fixup() function.

A malicious USB device can trigger several out-of-bounds accesses in ax88179_rx_fixup(), specifically:

Out-of-bounds reads and OOB endianness flips can result from the metadata array being too large.

An overlapping packet can corrupt data used by a cloned SKB that has already been handed to the network stack, due to a subsequent OOB endianness flip.

Out-of-bounds heap data can be included in a packet SKB by creating one with a tail that extends far past its end.

Vulnerability in UnRAR affecting Linux & Unix servers is being actively exploited by threat actors https://www.securitynewspaper.com/2022/08/11/vulenerblity-in-unrar-affects-linux-unix-servers-is-being-actively-exploited-by-threat-actors/ Thu, 11 Aug 2022 17:50:24 +0000 https://www.securitynewspaper.com/?p=25601

The Cyber Security Agency of the United States (CISA) has added a recently discovered flaw in UnRAR to its catalog of actively exploited vulnerabilities.

About the UnRAR vulnerability

Tracked as CVE-2022-30333, this is a path traversal vulnerability in the Linux and UNIX version of UnRAR. If successfully exploited, a malicious actor can write arbitrary files to the victim's system simply by having a crafted RAR archive decompressed.

The vulnerability, which affects any version of Linux and UNIX that uses UnRAR, received a score of 7.5 on the CVSS severity scale and was disclosed in June.

SonarSource researchers discovered the flaw and published a report explaining how it could be used to compromise a Zimbra webmail server and gain access to the mail server.

In the specific case of Zimbra, because the service uses UnRAR to automatically extract attachments and scan them for malware or spam, an attacker could send an email with a RAR file attached and compromise the victim without any user interaction, since Zimbra processes the attachment on its own. For its part, Rarlab released version 6.12 in May, which contains the patch that repairs CVE-2022-30333 in all versions of RAR for Linux and UNIX.

New rootkit malware for Linux is undetectable and is quickly spreading throughout Latin America. Protect your servers before it’s too late https://www.securitynewspaper.com/2022/06/09/new-rootkit-malware-for-linux-is-undetectable-and-is-quickly-spreading-throughout-latin-america-protect-your-servers-before-its-too-late/ Thu, 09 Jun 2022 16:54:23 +0000 https://www.securitynewspaper.com/?p=25394

BlackBerry ThreatVector researchers detailed the detection of a new malware strain for Linux systems capable of living at the expense of compromised system resources. Dubbed Symbiote, experts say that this strain is highly sophisticated and has a parasitic behavior never seen before, advancing by leaps and bounds throughout Latin America.

The main feature of Symbiote is that it must infect other running processes to achieve a successful compromise. Instead of using a standalone executable as conventional malware would, its operators use a shared object (SO) library that is loaded into running processes through LD_PRELOAD, thus infecting vulnerable systems.

After infecting running processes on the system, Symbiote provides its operators with rootkit functionalities, in addition to remote access and credential collection capabilities.

Origins

Researchers first detected the malware in November 2021, attributing its development to hacking groups targeting the financial sector in Latin America. Once it infects a target system, Symbiote hides any hint of malicious activity, making infections virtually undetectable, even with forensic analysis techniques.

In addition to rootkit tactics, the malware also implants a backdoor in the system so that operators can log in as any user with an encrypted password and execute commands with high privileges.

Another interesting feature of Symbiote is its Berkeley Packet Filter (BPF) hooking functionality. Other malware variants use BPF to cover up their C&C communications; Symbiote, however, uses BPF to hide malicious network traffic on infected systems.

If an administrator launches a packet capture tool on the affected Linux system, BPF bytecode defining which packets should be captured is injected into the kernel. Symbiote first prepends its own bytecode so that it can filter out the network traffic it wants to hide.

Evasion tactics

This malware is highly stealthy. According to experts, Symbiote is designed to be loaded through the LD_PRELOAD directive, allowing it to be loaded before any other shared object. Because it loads first, it can hijack imports from the other library files loaded by the application.

Symbiote uses this to hide its presence on the machine by hooking libc and libpcap functions. [Screenshot of the various malware evasion tactics; SOURCE: BlackBerry ThreatVector]

Because Symbiote works as a user-level rootkit, it can be difficult to detect an infection. Network telemetry can be used to detect anomalous DNS requests, and security tools such as antivirus must be statically linked to ensure that they are not “infected” by user rootkits. Infection vectors are still unknown, so Linux system administrators should remain vigilant for any hint of infection.
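Added example (not BlackBerry's or Symbiote's code) of the checks a Linux administrator could script against the indicators described above: entries in /etc/ld.so.preload, LD_PRELOAD in a process environment, and shared objects mapped from outside the standard library directories. The sample inputs and the /tmp/sample-preload.so path are constructed placeholders; since a user-land rootkit hooks libc, read /proc from a statically linked tool or examine an offline image rather than trusting a dynamically linked interpreter on the suspect host.

```python
"""Indicators of an LD_PRELOAD user-land rootkit (added example, not BlackBerry's code).
Checks: /etc/ld.so.preload entries, LD_PRELOAD in /proc/<pid>/environ, and shared
objects mapped from outside the usual library directories in /proc/<pid>/maps.
Inputs are file contents, so it runs on live /proc data or on the constructed samples."""

TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

def preload_entries(ld_so_preload_text):
    """Non-comment, non-empty lines of /etc/ld.so.preload (normally absent or empty)."""
    entries = []
    for line in ld_so_preload_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries

def ld_preload_from_environ(environ_bytes):
    """LD_PRELOAD value from a NUL-separated /proc/<pid>/environ blob, or None."""
    for item in environ_bytes.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item.split(b"=", 1)[1].decode(errors="replace")
    return None

def untrusted_mapped_libs(maps_text):
    """Paths of .so files mapped from outside TRUSTED_LIB_DIRS in /proc/<pid>/maps."""
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # address perms offset dev inode [path]
        if len(parts) == 6 and ".so" in parts[5] and not parts[5].startswith(TRUSTED_LIB_DIRS):
            found.add(parts[5])
    return sorted(found)

def audit(ld_so_preload_text, environ_bytes, maps_text):
    """Run all three checks; any hit deserves a manual look from a statically linked tool."""
    f = {"ld_so_preload": preload_entries(ld_so_preload_text),
         "ld_preload_env": ld_preload_from_environ(environ_bytes),
         "untrusted_libs": untrusted_mapped_libs(maps_text)}
    f["suspicious"] = bool(f["ld_so_preload"] or f["ld_preload_env"] or f["untrusted_libs"])
    return f

# Constructed samples (placeholder path, not a real Symbiote indicator).
SAMPLE_PRELOAD = "# constructed\n/tmp/sample-preload.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/sample-preload.so\0HOME=/root\0"
SAMPLE_MAPS = ("7f10-7f20 r-xp 00000000 08:01 100 /usr/lib/libc.so.6\n"
               "7f30-7f40 r-xp 00000000 08:01 200 /tmp/sample-preload.so\n"
               "7f50-7f60 rw-p 00000000 00:00 0\n"
               "7f70-7f80 rw-p 00000000 00:00 0 [heap]\n")

if __name__ == "__main__":
    print(audit(SAMPLE_PRELOAD, SAMPLE_ENVIRON, SAMPLE_MAPS))
```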

