Tag: bug

Linux had a killer flaw for 11 years and no one noticed

One of the key advantages of Open sauce software is that it is supposed to be easier to spot and fix software flaws. However, Linux has had a local privilege escalation flaw for 11 years and no-one noticed.

The vulnerability, tracked as CVE-2017-6074, is over 11 years old and was likely introduced in 2005 when the Linux kernel gained support for the Datagram Congestion Control Protocol (DCCP). It was discovered last week and was patched by the kernel developers on Friday.

The flaw can be exploited locally by using heap spraying techniques to execute arbitrary code inside the kernel, the most privileged part of the OS. Andrey Konovalov, the Google researcher who found the vulnerability, plans to publish an exploit for it in a few days.

While it cannot be exploited remotely, this sort of bug can be combined with other flaws that give remote hackers access to a lower privileged account on a system.

For the flaw to be exploitable, the kernel needs to be built with the CONFIG_IP_DCCP option. Many distributions use kernels built with this option, but some don’t.
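A defender's check for the CONFIG_IP_DCCP point above, added here as an example and not part of the original article: it reads a kernel config and a modprobe.d directory and reports whether DCCP is absent, compiled in, loadable as a module, or neutralised by the `install dccp /bin/true` line that distributions advised. The config and modprobe files it writes are constructed samples, not real distribution files.

```shell
#!/bin/sh
# Added example (not from the article): classify a host's exposure to
# CVE-2017-6074 from the kernel build config and the modprobe.d directory.
# On a live system: dccp_exposure "/boot/config-$(uname -r)" /etc/modprobe.d
# Prints one of: not-built | builtin | module-blacklisted | module-loadable
dccp_exposure() {
    config="$1"
    modprobe_dir="$2"
    setting=$(sed -n 's/^CONFIG_IP_DCCP=//p' "$config" 2>/dev/null || true)
    case "$setting" in
        y)  # compiled in: only a patched kernel removes the exposure
            echo builtin ;;
        m)  # "install dccp /bin/true" is the line distributions advised; a bare
            # "blacklist dccp" only suppresses alias-based autoloading, so it is
            # deliberately not counted as protection here.
            if grep -qsE '^[[:space:]]*install[[:space:]]+dccp[[:space:]]+/bin/true' \
                    "$modprobe_dir"/*.conf; then
                echo module-blacklisted
            else
                echo module-loadable
            fi ;;
        *)  # "# CONFIG_IP_DCCP is not set", no such line, or no such file
            echo not-built ;;
    esac
}

# Constructed sample inputs (not real distribution files) so this runs offline.
demo_dir=$(mktemp -d)
printf 'CONFIG_INET=y\nCONFIG_IP_DCCP=m\n'            > "$demo_dir/config-module"
printf 'CONFIG_INET=y\nCONFIG_IP_DCCP=y\n'            > "$demo_dir/config-builtin"
printf 'CONFIG_INET=y\n# CONFIG_IP_DCCP is not set\n' > "$demo_dir/config-none"
mkdir -p "$demo_dir/modprobe.default" "$demo_dir/modprobe.hardened"
echo 'install dccp /bin/true' > "$demo_dir/modprobe.hardened/disable-dccp.conf"

dccp_exposure "$demo_dir/config-module"  "$demo_dir/modprobe.default"   # module-loadable
dccp_exposure "$demo_dir/config-module"  "$demo_dir/modprobe.hardened"  # module-blacklisted
dccp_exposure "$demo_dir/config-builtin" "$demo_dir/modprobe.default"   # builtin
dccp_exposure "$demo_dir/config-none"    "$demo_dir/modprobe.default"   # not-built
```

A result of `builtin` or `module-loadable` on an unpatched kernel is the case the article describes; `not-built` matches the SUSE 11 and 12 kernels mentioned below.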

Red Hat announced that Red Hat Enterprise Linux 5, 6, 7, and Red Hat Enterprise MRG 2 kernels are affected. The company has released patches for Red Hat Enterprise Linux 6 and 7 and for the Red Hat Enterprise Linux for Real Time for NFV (v. 7) (kernel-rt).

The Debian project released fixed kernel packages for Debian 7 Wheezy and Debian 8 Jessie, the “old stable” and “stable” versions of the distribution. Debian Stretch (testing) and Sid (unstable) have not been patched yet.

Patches are also available for Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. As far as SUSE goes, only SUSE Linux Enterprise Server 10 is affected and patches for it are only available to customers with long term service pack support. The kernels in SUSE Linux Enterprise Server 11 SP 1 to 4 and SUSE Linux Enterprise Server 12 SP 1 and 2 are not built with support for the DCCP protocol.

Bug researcher found himself deep in the US army network

A security bug researcher who was invited by the US Army to look for holes in the system found himself rather a little deeper into the network than he, or the Army, expected.

The US Army shared some surprising results from its first bug bounty programme, a three-week trial in which it invited 371 security researchers “trained in figuring out how to break into computer networks they’re not supposed to”.

The Army said the experiment was a success and it received more than 400 bug reports, 118 of which were unique and actionable.

Participants who found and reported unique bugs that were fixed were paid upwards of $100,000…

The Army also shared high-level details on one issue that was uncovered through the bounty by a researcher who discovered that two vulnerabilities on the goarmy.com website could be chained together to access, without authentication, an internal Department of Defense website.

The researcher got in through an open proxy, meaning the routing wasn’t shut down the way it should have been. But the researcher, without even knowing it, could get to this internal network, because there was a vulnerability with the proxy, and with the actual system.

On its own, neither vulnerability was particularly interesting, but when you pair them together, it’s serious.

Microsoft fixes huge Windows 10 bug

Software King of the World, Microsoft has fixed a rather juicy security flaw in its Windows 10 operating system, which it found only last week.

The security flaw itself allowed attackers to take advantage of privilege settings, which would potentially let them install and run applications. Apparently Russian hackers were already taking advantage of the situation. Vole said the security update resolves vulnerabilities in Microsoft Windows.

“The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system. This security update is rated Important for all supported releases of Windows. The security update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.”

The security update should have already installed in the background on most Windows 10 devices. If not, an update can be forced by opening Settings, then Update & security, and clicking on ‘Check for updates’.

Linux has had a huge bug for nine years

A huge bug has been sitting in the Linux kernel for nearly nine years which gives untrusted users unfettered root access, and no one noticed.

Now it seems the hole is under active exploit, according to researchers who are advising users to install a patch as soon as possible.

Dan Rosenberg, a senior researcher at Azimuth Security, told Ars Technica that it was the most serious Linux local privilege escalation ever.

The underlying bug was patched this week by the maintainers of the official Linux kernel and downstream distributors are in the process of releasing updates that incorporate the fix. Red Hat has classified the vulnerability as “important”.

Attacks exploiting this specific vulnerability were found by Linux developer Phil Oester who discovered it using an HTTP packet capture.

It took him less than five seconds to get total control.

Bugs got into new Linux

Software’s Mr Sweary, Linus Torvalds, is furious that some “buggy crap” got under the bonnet of his nice new Linux kernel.

Torvalds released Linux 4.8 earlier this week, but now it turns out that it contains some code he thinks can “kill the kernel”.

Torvalds said sorry yesterday on the Linux Kernel Mailing List for a bug fix gone bad.

“I’m really sorry I applied that last series from Andrew just before doing the 4.8 release, because they cause problems, and now it is in 4.8 (and that buggy crap is marked for stable too).”

The “crap” was fixing a bug that’s been present in Linux since version 3.15. Torvalds rates the fix for that bug “clearly worse than the bug it tried to fix, since that original bug has never killed my machine!”

Torvalds is fuming at kernel contributor Andrew Morton, who he says is debugging with a known bad use of BUG_ON().

“I’ve ranted against people using BUG_ON() for debugging in the past. Why the f*ck does this still happen?” Torvalds writes, pointing to a 2002 post to the kernel mailing list outlining how to do BUG_ON() right. He later adds “so excuse me for being upset that people still do this shit almost 15 years later.”

Morton seems to have put his hand up for Torvalds’ criticisms. But Torvalds also thinks he could and should have done better, as he writes:

“I should have reacted to the damn added BUG_ON() lines. I suspect I will have to finally just remove the idiotic BUG_ON() concept once and for all, because there is NO F*CKING EXCUSE to knowingly kill the kernel.”


SAP “patched” bug still has holes

The expensive esoteric management software company which no-one is really sure what it does, SAP, is the subject of a US security alert over a vulnerability the firm disabled six years ago.

Apparently the hole still gives outside attackers remote control over older SAP systems if the software is not properly patched.

SAP fixed the problem, but left the decision over whether to switch off an easy access setting up to its customers.

The U.S. Department of Homeland Security’s Computer Emergency Response Team (US-CERT) issued an alert to the security industry warning SAP customers what they need to do to plug the holes.

Onapsis, a firm that specialises in securing business applications from SAP and Oracle, said that dozens of companies have been exposed to these security gaps in recent years, and a far larger number of SAP customers remain vulnerable.

Onapsis chief executive Mariano Nunez said that most SAP customers are unaware that this is going on.

SAP, whose software acts as the corporate plumbing for many multinationals and which claims 87 percent of the top 2000 global companies as customers, disclosed the vulnerability in 2010 and has offered software patches to fix the flaw.

SAP issued a statement that the vulnerable feature was fixed when the company introduced the software update six years ago. All SAP applications released since then are free of this vulnerability.

However, SAP acknowledged that these changes were known to break customised software developments that many customers had implemented using older versions of SAP’s programming language.

The problem continues because a sizeable number of big SAP customers are known to depend on these older versions of the software that in many cases date back years, or in extreme examples, even decades.


Adobe rushes out a flash update

Adobe has issued an emergency update for Flash after researchers discovered a security flaw that was being exploited to deliver ransomware to Windows PCs.

The software maker urged the more than a billion users of Flash on Windows, Mac, Chrome and Linux computers to update the product as quickly as possible.

The bug was being exploited in “drive-by” attacks that infect computers with ransomware through poisoned websites.

Ransomware encrypts data, locking up computers, then demands payments that often range from $200 to $600 to unlock each infected PC.

Japanese security software maker Trend Micro Inc said that it had warned Adobe that it had seen attackers exploiting the flaw to infect computers with a type of ransomware known as ‘Cerber’ as early as March 31.

Cerber “has a ‘voice’ tactic that reads aloud the ransom note to create a sense of urgency and stir users to pay,” Trend Micro said on its blog.

Adobe’s new patch fixes a previously unknown “zero day” security flaw.

FireEye said that the bug was being used to deliver ransomware in what is known as the Magnitude Exploit Kit. This is an automated tool sold on underground forums that hackers use to infect PCs with viruses through tainted websites.

Sharks swim in Intel’s Skylake

Chipzilla’s great white chip hope Skylake has a bug which causes it to freeze up when it has to add up too many prime numbers.

The bug was discovered by the Great Internet Mersenne Prime Search (GIMPS) and occurs when using the GIMPS Prime95 application to find Mersenne primes. To be fair to Intel, this is not the sort of thing that most users have to bother about, but Prime95 worked fine before Skylake and there might be other situations where it might break.

An Intel spokesperson said that the outfit has identified an issue that potentially affects the 6th Gen Intel Core family of products.

“This issue only occurs under certain complex workload conditions, like those that may be encountered when running applications like Prime95. In those cases, the processor may hang or cause unpredictable system behaviour.”

Intel has developed a fix, and is working with hardware partners to distribute it via a BIOS update.

It is still not clear why the bug occurs, but it is confirmed to affect both Linux and Windows-based systems. Prime95, which has been used to benchmark and stress-test computers, uses Fast Fourier Transforms to multiply extremely large numbers. A particular exponent size, 14,942,209, has been found to cause the system crashes.

While the bug was discovered using Prime95, GIMPS noted that its Prime95 software “works perfectly normal” on all other Intel processors of past generations.

The bug can be fixed using a BIOS update.

GM shows that car manufacturers don’t get tech

There are signs that there might be a few problems as car manufacturers get their heads around technology.

Worried that people might be able to hack their cars, GM has issued a bug bounty. There is nothing wrong with that; in fact it is a normal and sensible way to find flaws in your software.

The only problem is that GM’s bounty is fixed at nothing, not a sausage, and bugger all. Apparently GM thinks that people will do its job for LOLs. On the plus side, if you do find a bug, GM will kindly agree not to sue you.

The company launched its bug “bounty” on January 5th on the web site of Hackerone, a firm that manages bounty programs on behalf of other firms, promising “eternal glory” to security experts who relay information on “security vulnerabilities of General Motors products and services”.

The page on Hackerone detailing how vulnerability reporters will be thanked reads “Be the first to receive eternal glory.” In other words, God will love you so much you will go to heaven when you die. It is a pretty good deal and has worked for the Roman Catholic church for a couple of millennia, but it is not so certain that white hat hackers will buy it.

It is being seen as the first attempt by an “old economy” giant to delve into the world of bug bounties for information on software flaws and vulnerabilities. United Airlines recently launched a similar programme on the Hackerone platform. At least it offered up to one million air miles to researchers who find remotely executable vulnerabilities in the company’s web properties.

Researchers must also promise to hold back the details of their findings until GM confirms the issue exists and fixes it.

Still, some researchers are skeptical that firms are willing to “walk the walk” when it comes to addressing and fixing reported vulnerabilities. “If we waited for Chrysler before disclosing the jeep hack, I bet it still wouldn’t be fixed,” wrote Valasek’s research partner Charlie Miller (@0xCharlie) on Twitter.

Pink iPhone turkey switches itself off

The pink “iPhone 6S” is turning out to be a real turkey and packed full of bugs… er, features.

The latest bug is one which turns off the phone for no apparent reason.

Owners have been reporting that the iPhones are turning off randomly when left alone. It happens when the phones have a ton of battery life and no particular reason to switch off.

This odd behavior has been talked about on reddit and the official Apple Support Communities. “New Phone 6s 128GB turned off for no reason the last two nights,” wrote Joachim Frey in an Apple discussion thread. “In the morning you then have to push the power-on button for a long time to get it started.”

“I’ve had my phone since Friday and it has powered off/refused to come out of sleep at least once a day since,” added Todd Sizemore. “I set mine up from scratch so I at least know its not a problem stemming from an iCloud backup.”

There have been a few problems with the phone running a little hot too. Owners say the Home/Touch ID button on the iPhones felt hot when the power-off issue struck, and that it takes longer than expected to wake the iPhone from its deep sleep.

Apple has not said anything about the problem. Those who do contact Apple support are being told to bring their iPhones in to have them looked at. We guess after a few months Jobs Mob will pretend that the problem only affects a “small number of users”.

There have been a number of bug reports associated with the phone, but it is not clear if these are caused by the phone or the equally buggy new operating system.

Reporting of the problem in the Tame Apple Press is about what you would expect. A small mention of the problem with a cut and paste advert for the iPhone slapped in high up the story.