Linkstrain-ng Slideshow

Docker security advisory about multiple vulnerabilities in runc, BuildKit, and Moby: We will publish patched versions of runc, BuildKit, and Moby on January 31 and release an update for Docker Desktop on February 1 to address these vulnerabilities. Additionally, our latest Moby and BuildKit releases will include fixes for CVE-2024-23650 and CVE-2024-24557, discovered respectively by an independent researcher and through Docker’s internal research initiatives.

...more

I’m looking into implementing CORS (again, it seems like this is something that comes up every few years, and every few years I have to re-orient myself about how it all works), and as always it’s so confusing. (Here I’m talking about Access-Control-Allow-Origin type stuff, primarily, as CORS was initially a structured way to relax the same-origin policy on requests. I’m not as familiar or concerned with some of the newer headers for mitigating Spectre-type attacks. Should I be?) Any CORS experts out there with “best practice” recommendations? The security and threat model is so counterintuitive. Is the whole point of the CORS model basically to handle the browser’s decision to send cookies on every request? If the browser just refused to send cookies by default on non-same-origin requests and prompted the user to “Allow Once” or “Allow Always” like it does for saving passwords, wouldn’t that also solve the problem (and not to mention CSRF as well, which CORS doesn’t address). The server needs to handle arbitrary traffic from arbitrary clients, so resources should be protected appropriately. The only thing particularly unique about the browser is that it chooses to send cookie credentials, possibly against the user’s intentions. With all that in mind, it seems like these are maybe best practices (somewhat counterintuitively): When possible always set Access-Control-Allow-Origin: *. Everywhere online seems to recommend not including the header, if it’s not necessary, or being as specific as possible with the origins you allow and validating against a regex or an allowlist. But, since ACAO * does not allow credentials, then that’s actually safer, right? And if your backend has to expect traffic from, say, curl, or whatever, then you might as well acknowledge that fact fundamentally and say arbitrary JS scripts out there can also hit the endpoint (as long as, similarly to curl, they don’t include a cookie). Is there a downside to this approach? Access-Control-Allow-Credentials: true - this is the truly dangerous one, since the whole threat model of CORS is about a malicious website sending an authenticated request to your server without the user’s consent. So in this case, you do need to carefully set ACAO to specifically the origin that your own real site is at. What should you do about CORP, COEP, etc - all the new headers?

...more

Hi everyone, I’m one of the co-authors behind Have I Been Squatted (HIBS?). HIBS is a small side project in Rust & React that allows users to search whether domains have been typosquatted (an increasing security risk). It’s meant to be a platform to eventually enable users to continuously (and freely) monitor their domains similar to ;–have i been pwned?. The current version is very much in an alpha state but we released it in order to gauge community interest and receive your feedback on what can be added and improved. Hope you have fun with it and feel free to ask any questions! Comments

...more

Official announcement blog post - https://blog.exein.io/pulsar Comments

...more

Earlier this week the Jenkins infrastructure team identified a successful attack against our deprecated Confluence service. We responded immediately by taking the affected server offline while we investigated the potential impact. At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected. Thus far in our investigation, we have learned that the Confluence CVE-2021-26084 exploit was used to install what we believe was a Monero miner in the container running the service. From there an attacker would not be able to access much of our other infrastructure. Confluence did integrate with our integrated identity system which...

...more

Interesting analysis: open code + open data makes for open bugs. Add in some user controlled data and in this case it led to a (possibly temporary) $600M loss. Comments

...more

Rowhammer attacks exploit electromagnetic interference among nearby DRAM cells to flip bits, corrupting data and altering system behavior. Unfortunately, DRAM vendors have opted for a blackbox approach to preventing these bit flips, exposing little information about in-DRAM mitigations. Despite vendor claims that their mitigations prevent Rowhammer, recent work bypasses these defenses to corrupt data. Further work shows that the Rowhammer problem is actually worsening in emerging DRAM and posits that system-level support is needed to produce adaptable and scalable defenses. Accordingly, we argue that the systems community can and must drive a fundamental change in Rowhammer mitigation techniques. In the short term, cloud providers and CPU vendors must work together to supplement limited in-DRAM mitigations—ill-equipped to handle rising susceptibility— with their own mitigations. We propose novel hardware primitives in the CPU’s integrated memory controller that would enable a variety of efficient software defenses, offering flexible safeguards against future attacks. In the long term, we assert that major consumers of DRAM must persuade DRAM vendors to provide precise information on their defenses, limitations, and necessary supplemental solutions. Comments

...more

See also: Exim 4.94.2 - security update released (oss-security) Comments

...more

In this paper we introduce partitioning oracles, a new class of decryption error oracles which, conceptually, take a ciphertext as input and output whether the decryption key belongs to some known subset of keys. Partitioning oracles can arise when encryption schemes are not committing with respect to their keys. We detail adaptive chosen ciphertext attacks that exploit partitioning oracles to efficiently recover passwords and de-anonymize anonymous communications. The attacks utilize efficient key multi-collision algorithms—a cryptanalytic goal that we define—against widely used authenticated encryption with associated data (AEAD) schemes, including AES-GCM, XSalsa20/Poly1305, and ChaCha20/Poly1305. We build a practical partitioning oracle attack that quickly recovers passwords from Shadowsocks proxy servers. We also survey early implementations of the OPAQUE protocol for password-based key exchange, and show how many could be vulnerable to partitioning oracle attacks due to incorrectly using non-committing AEAD. Our results suggest that the community should standardize and make widely available key-committing AEAD to avoid such vulnerabilities. Comments

...more

https://nvd.nist.gov/vuln/detail/CVE-2020-13777 https://github.com/0xxon/cve-2020-13777 Comments

...more

DNS over HTTPS will make it harder for ISPs to monitor or modify DNS queries.

...more

Linksys said it fixed flaw in 2014. Researcher Troy Mursch disagrees.

...more

A range of fixes and workarounds have been published.

...more

This is a follow up to https://lobste.rs/s/cy9i87/how_empty_s3_bucket_can_make_your_aws_bill. Comments

...more

https://lobste.rs/s/t2hj6o/crowdstrike_timeline_mystery https://www.bitsight.com/blog/crowdstrike-timeline-mystery In the comments on this article, I asked a question that no one answered and it’s still bugging me so I’ll ask it again: How does one company know so much about another company’s traffic?

...more

Show HN: Permify 1.0 - Open-source fine-grained authorization service Permify was born out of our repeated struggles with authorization. Like any other piece of software, authorization starts small but as things grow scaling it becomes a real pain and begins to hinder product development processes. Ad-hoc authorization systems scattered throughout your app’s codebase are hard to manage, reason about, and iterate on as the company grows. Also you will need to have more specific access controls as things grow. Traditional approaches like RBAC is inefficient for defining granular permissions such as resource-specific, hierarchical, or context-aware permissions. Architecture is another problem, in a distributed system you’re going to need a solid plan to manage permissions between your services — all while ensuring high availability and providing low latency in access checks for sure. We’ve created an open-source project to eliminate the authorization burden for devs. It’s Permify, an Authorization-as-a-Service to help developers build and manage their authorization in a scalable, secure, and extendable manner. And last week, we released the first major version (v1.0.0) of it! Here is how Permify helps you handle authorization. - Centralize & Standardize Your Authorization: Abstract your authorization logic from your codebase and application logic to easily reason, test, and debug your authorization. Treat your authorization as a sole entity and move faster within your core development. - Build Granular Permissions For Any Case You Have: You can create granular (resource-specific, hierarchical, context aware, etc) permissions and policies using Permify’s domain specific language that is compatible with RBAC, ReBAC and ABAC. - Set Custom Authorization For Your Tenants: Set up isolated authorization logic and custom permissions for your vendors/organizations (tenants) and manage them in a single place. - Scale Your Authorization As You Wish: Achieve lightning-fast response times down to 10ms for access checks with a proven infrastructure inspired by Google Zanzibar, Google’s Consistent, Global Authorization System. Try it out and send any feedback our way! Comments

...more

Summary

More Memory Safety for Let’s Encrypt: Deploying ntpd-rs

LLM Says: ""Security patch""

On Kernel’s Safety in the Spectre Era (And KASLR is Formally Dead)

LLM Says: ""Spectre's shadow""

GitHub Copilot Chat: From Prompt Injection to Data Exfiltration

LLM Says: ""Code red alert""

SSH as a sudo replacement

LLM Says: "SSH me"

Encryption At Rest: Whose Threat Model Is It Anyway?

LLM Says: "Data breach"

DOM Purify - untrusted Node bypass

Unpatchable vulnerability in Apple chip leaks secret encryption keys

Introducing Sunlight, a CT implementation built for scalability, ease of operation, and reduced cost

The Linux Kernel Key Retention Service and why you should use it in your next application

Leaky Vessels: Docker and runc Container Breakout Vulnerabilities

Docker Security Advisory: Multiple Vulnerabilities in runc, BuildKit, and Moby

container breakout through process.cwd trickery and leaked fds

Exploiting 0-click Android Bluetooth vulnerability to inject keystrokes without pairing

Linux & TPMs

How I built a fully offline smart home, and why you should too

Notes on OpenPGP

SSH3: ssh using HTTP/3 and QUIC

commit signing in 2023 is kinda wack

LLM spews nonsense in CVE report for curl

Tor Browser & OONI Security Audit Findings

Exploiting DNS response parsing on the Wii U

How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS attack

Encrypted traffic interception on Hetzner and Linode targeting the largest Russian Jabber server

Exploiting Zenbleed from Chrome

iLeakage: Browser-based Timerless Speculative Execution Attacks on Apple Devices

Multi-modal prompt injection image attacks against GPT-4V

Supply Chain Issues in PyPI

How Equifax Was Breached in 2017

Rustless sudo: running (some) suid binaries safely

Updated GPG key for signing Firefox Releases

An Introduction to Dm-verity in Embedded Device Security

Removing PGP from PyPI

Breaking SHA256: length extension attacks in practice (with Go)

Infecting SSH Public Keys with backdoors

Securing PyPI accounts via Two-Factor Authentication

SHA-3 Buffer Overflow (Part 2)

We've learned nothing from the SolarWinds hack

Releasing Systrap - A high-performance gVisor platform

CORS is such a mess. What are current best practices?

Python and SLSA

Why 111-1111111 is a valid Windows 95 key

Prompt Injection on Bing Chat triggered by search content

87% of Container Images in Production Have Critical or High-Severity Vulnerabilities

Vanity RSA public key

Bizarre and Unusual Uses of DNS

Rustproofing Linux (Part 1/4 Leaking Addresses)

mast1c0re: Part 1 - Modifying PS2 game save files

cURL audit: How a joke led to significant findings

Bitwarden design flaw: Server side iterations

A dead man's switch for full but responsible disclosure of vulnerabilities

I scanned every package on PyPi and found 57 live AWS keys

Meet your new two-factor authenticator: your Commodore 64

Casper-fs is a Custom Hidden Linux Kernel Module generator

Cracking encrypted Lastpass vaults

Clientless Oblivious DNS

Get root on macOS 13.0.1 with CVE-2022-46689, the macOS Dirty Cow bug

I Hope This Sticks: Analyzing ClipboardEvent Listeners for Stored XSS

What’s in a PR statement: LastPass breach explained

Turning Google smart speakers into wiretaps for $100k

EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)

Invisible npm malware - evading security checks with crafted versions

VS Code Sandboxing

Towards End-to-End Encryption for Direct Messages in the Fediverse

Don't store TOTP in Bitwarden for your online accounts

LLM Says: "Don't get burned"

Introducing fine-grained personal access tokens for GitHub

The feasibility of pledge() on Linux

LLM Says: "Pledge fail"

SHA-3 Buffer Overflow

LLM Says: "Crashing bad!"

Brave New Trusted Boot World

LLM Says: "Trusted boot camp"

Using VBA Macros (from a Word Document) to Exploit Vulnerable Drivers

OpenSSL gave everyone alarm fatigue