DATA STREAM – IT, Security, and Coding Blog

Arch Linux and Ubuntu Security Advisories, WordPress version 4.7.4 released, and Pegasus spyware found on Android Devices

Arch Linux ASA-201704-6

Date: 2017-04-21

CVE ID:

CVE-2017-5429 CVE-2017-5430 CVE-2017-5432 CVE-2017-5433
CVE-2017-5434 CVE-2017-5435 CVE-2017-5436 CVE-2017-5437
CVE-2017-5438 CVE-2017-5439 CVE-2017-5440 CVE-2017-5441
CVE-2017-5442 CVE-2017-5443 CVE-2017-5444 CVE-2017-5445
CVE-2017-5446 CVE-2017-5447 CVE-2017-5448 CVE-2017-5449
CVE-2017-5451 CVE-2017-5453 CVE-2017-5454 CVE-2017-5455
CVE-2017-5456 CVE-2017-5458 CVE-2017-5459 CVE-2017-5460
CVE-2017-5461 CVE-2017-5464 CVE-2017-5465 CVE-2017-5466
CVE-2017-5467 CVE-2017-5468 CVE-2017-5469

Firefox versions before 53.0-1 vulnerable to multiple issues including arbitrary code execution, cross-site scripting, access restriction bypass, file system access, denial service, information disclosure, and content spoofing.

Resolution


pacman -Syu firefox>=53.0-1

Link:AVG-249

Ubuntu has released a similar advisory.

Arch Linux Security Advisory ASA-201704-4

Date: 2017-04-20

CVE ID: CVE-2017-5461

The package nss (Network Security Services) before version 3.30.1-1 is vulnerable to arbitrary code
execution.

Link: AVG-247

Ubuntu Bind

Date: April 17, 2017

CVE ID: CVE-2017-3136, CVE-2017-3137, CVE-2017-3138

Several security issues have been fixed on the bind9 Internet Domain Name Server package on affected Ubuntu versions.

Link:Ubuntu Bind Security Notice

Pegasus Spyware Found on Android Devices

A variant of the pegasus spyware is being found on some Android devices.

Link:Pegasus Spyware on Android

WordPress 4.7.4 Update

Released April 20th 2017

Link:WordPress Change Log

Ubuntu 18.04 switching back to GNOME, Broadcom WiFi chip vulnerabilities, and Brickerbot malware

Ubuntu 18.04 Default Desktop

In a post on the 5th of April, Canonical and Ubuntu founder Mark Shuttleworth announced the end of investments in Unity8, the phone and convergence shell, as well as Ubuntu 18.04 to ship out with GNOME desktop by default.

Further in the post, it states, Canonical’s focus will be IoT and the cloud.

For more;

Mark Shuttleworth:Growing Ubuntu for cloud and IoT, rather than phone and convergence

Broadcom Vulnerabilities

Millions of Apple and Android devices, which carry the Broadcom wifi chip, are vulnerable to over the air hacking.

Described as a stack buffer overflow, the vulnerability was discovered by Google’s project zero and is said to allow the execution of remote code on the affected devices.

For more;

TheHackerNews:Smart Phones Broadcom Wifi Chip Vulnerabilities

Brickerbot Malware Kills IoT Devices

Similar to Miria, the botnet malware that targets vulnerable IoT devices, Brickerbot uses the same TELNET bruteforce attack vector.

Brickerbot targets Linux based IoT devices running the BusyBox toolkit. Once inside the operating system, the code scrambles onboard memory, flushes IP and NAT tables, sets the outbound firewall rule to drop, and for the final nail in the coffin; tries to wipe all code on the affected devices.

For more;

TheRegister:Forget Miria, Here’s Brickerbot

Arch Linux Security Advisory:jasper multiple vulnerabilities, Ubuntu 12.04 end of life

Arch Linux put a security advisory on March 14 for multiple vulnerabilities found in jasper. The vulnerabilities have been patched. You can update your Arch machine by running;

pacman -Syu “jasper>=2.0.12-1”

For more;
Arch Linux: ASA-201703-9

Ubuntu announces end of life for Precise Pangolin which will be on April 28, 2017. But if you wanted to keep getting security and essential package updates for your Pangolin machines that just can’t be upgraded you can join the Ubuntu Advantage program.
For more;
Ubuntu:12.04 End of Life and Ubuntu Advantage

QEMU Kernel Debugging, Python script for multiple hashes, Top 20 Mobile Malware

Some good stuff on using QEMU for Linux kernel development.
Linuxtoday.com:QEMU for Kernel Development

Python script for calculating multiple hashes.
isc.sans:sigs.py

Kaspersky Labs released a list of the top malicious mobile programs. Are you using one?
Kaspersky:Top 20 Mobile Malware

Wikileaks:Anti-Virus Fix Following Vault7, Apache Security Bulletin

AP Reports on Anti-virus fix following Vault7 leak.
APNews:What the CIA thinks of your anti-virus

Apache bulletin on a fix for a remote code execution vulnerability.
Apache Software Foundation:Security Bulletin

Google: First SHA1 Collision, Cloudflare Memory Leak Incident Report

At security.googleblog.com they went over the sha-1 collision from last week;
“Hash functions compress large amounts of data into a small message digest. As a cryptographic requirement for wide-spread use, finding two messages that lead to the same digest should be computationally infeasible. Over time however, this requirement can fail due to attacks on the mathematical underpinnings of hash functions or to increases in computational power.

Today, more than 20 years after of SHA-1 was first introduced, we are announcing the first practical technique for generating a collision.”
for more:
security.googleblog

Cloudflare released a report on the memory leak incident from late last week.
In some circumstances, their edge servers were running past the edge of a buffer and returning memory that contained private information such as, HTTP cookies, authentication tokens and more. Cloudflare went on in the report about the fix and details about the issue. For more:
Cloudflare:Incident Report on Memory Leak Caused by Cloudflare Parser Bug

Kernel Vulnerabilities Fixed In Ubuntu, Virgina Supreme Court:License Plate Surveillance, and Supertux Racer on Steam Greenlight

Multiple vulnerabilities have been found in the Ubuntu 16.04 LTS Linux 4.4 kernel. The recent update to 16.04.2 uses the 16.10 (Yakkety) Linux 4.8 kernel. So if you made the jump to 16.04.2 then check this out:
Ubuntu 16.10 Security issue
CVE-2016-9588 Discovered by Jim Mattson and Dmitry Vyukov, a flaw in the kernel’s implementation of KVM.
UbuntuFree:New Ubuntu Vulnerabilities

EFF Reports VA Supreme Court Should Protect Drivers from License Plate Surveillance

You can vote for Supertux Racer now at Steam Greenlight below.
Steam:Supertux Racer

Ubuntu 16.04.2 LTS released, Arch Linux ending i686 support, AnC side-channel attack, and OpenSSL update.

Arch Linux’s February ISO is to be the last release with i686 support, and will only receive updates for the next nine months. According to Archlinux.org it is due to a decreasing lack of popularity among devs and the community. The people at Arch are encouraging anyone still interested to “keep it alive” with some guidance from the Arch team.

Arch:Phasing out i686

Over at Vusec they document a side-channel attack, which can detect which locations in the page table are accessed by the memory management unit. The attack takes advantage of the cache hierarchy of modern processors being shared by untrusted applications. More details in the link below.

Vusec:AnC attack

OpenSSL 1.1.0 updates to 1.1.0e.

OpenSSL:1.1.0e update

Ubuntu releases 16.04.2 LTS.

Ubuntu:16.04.2 released