cyber is on heightened alarm levels
… ya’ll know why.
timeline of a successful attack on the most basic tools like: exiftool
- cve-2021-22204 (failed to properly validate parsed input)
- This was reported by a security researcher on April 7, 2021, initially confidentially via the bug bounty platform HackerOne at the affected GitLab.
- They reacted quickly, passed this on to the exiftool maintainers, who already provided a patched version 12.24 on April 13 and on April 14, the researcher received a $19,000 reward.
- But the story wasn’t over.
- On April 30 – more than two weeks later – CySrc filed a report with Google’s Vulnerability Reward Program.
- They had found that DjVu images uploaded to Virustotal gave them access to scan servers.
- Had the operators of these servers overslept the patches?
- Probably not. I rather think that they simply relied on the security updates of their Linux distribution.
- And with Debian, for example, that didn’t happen until May 2nd; at Fedora even on May 4th.
- So, after the release of the patch that exposed the problem, there was a window of over 2 weeks in which Linux systems with exiftool were vulnerable to a known, easy-to-exploit vulnerability.
- CySrc used this window of opportunity to score points on Google’s Vulnerability Reward Program (although it’s not clear if they got a reward).
- But just as well, state APT or cybercrime hackers could have exploited this gateway for their own purposes and caused real harm.
possibly mitigation: Debian need to push updates more frequently
maybe even like a “hotline” to put together, updates/patches that are URGENT on track to be published IMMEDIATELY.
kernel-live patching?
ubuntu does it already.
https://ubuntu.com/blog/an-overview-of-live-kernel-patching
possibly mitigation:
/usr/bin/unshare
“For exiftool it would therefore have been the right approach not to start it with root rights (!), but rather to run it with unshare (/usr/bin/unshare) in an extremely downtripped context. Linux comes with a lot of security features that you just have to use.”
(src)
possibly mitigation:
- only run programs with the privileges they absolutely need
- that is sometimes a bit cumbersome, like users having to be in the right group, then completely log out to make changes effective (example: virtualbox’s user vboxuser (the setup ideally should ask the user “what users should be allowed to run virtual machines on this host?” (list of user appears -> checkbox those that are allowed))
- monitor the network for illicit connections to strange places and strange hosts
another: possibly mitigation:
Yes C++ is “ugly”.
So is RUST.
But RUST comes with “build-in” safety (hardware control might be lacking somewhat).
So yes it is an hard-to-understand-and-what-is-actually-going-on-syntax-language… but unless there comes the “C with safety build in” RUST is the best option for Open Source to be secure, reliable and fast in the future.
Links:
Rust Dev Lang – how to view onboard html based documentation (man page) – The Rust Standard Library
java had it’s oopsi time
liked this article?
- only together we can create a truly free world
- plz support dwaves to keep it up & running!
- (yes the info on the internet is (mostly) free but beer is still not free (still have to work on that))
- really really hate advertisement
- contribute: whenever a solution was found, blog about it for others to find!
- talk about, recommend & link to this blog and articles
- thanks to all who contribute!