Unauthenticated RCE on every Linux system? Take it with a grain of salt, but read up.
This just recently dropped: https://cybersecuritynews.com/critical-unauthenticated-rce-flaw/amp/
The reporter made their Twitter account private but there's a copy of them talking about it here: https://threadreaderapp.com/thread/1838169889330135132.html
We don't know what we don't know, which appears to be anything/everything other than the claim made. Obviously we'll all want to follow this to either be ready to patch or grab our pitchforks, whichever the developing situation dictates.


Comments
should have just dropped the PoC on twitter and watched the world burn
F
Do we have to switch to windows?
Kim Kardashian's Bathroom Sink
OpenBSD folks!
OpenBSD!!!
https://lowendtalk.com/discussion/197572/let-bsd-thread/p1
@FrankCastle
I hope one day - DirectAdmin comes back on *BSD as it was before.
To be fair, devs are sick of the security researchers saying stuff without actually understanding the code.
Like, in .NET, way too many security "experts" claim we must sign our assembly names (a .NET thing from when Microsoft gave ops teams the power to manage security variables, Microsoft has given control back to developers, because ops is notorious for being bad at security). First, we have no GAC, second, you obviously don't understand what strong signing does - just because we use asymmetrical keys does not mean we do so for security reasons (OSS projects tend to just publish the private key, unencrypted).
Another time we kept getting pinged because we had a possible evil maid attack that would grant arbitrary code execution as SYSTEM. After spending a lot of time to actually figure out the attack vector, the attacker would need local administrator roles and execute the attack within the few microseconds between us creating a folder and us achieving a lock on said folder (hard links are fun). We already had evil maid mitigations as a standard best practice.
The current climate is just insane - it would be like if nurses could double check doctors. Most security guys I've dealt with wouldn't even be able to even explain how TLS works or what a security boundary is...
/rant
Way too many "experts" are just trying to get those accolades and bounties, working in bad faith. Worse are the security companies that feel they need to report every little thing (a company's security department flagged one of our container images because it had a curl library that had a disputed CVE).
It's so hard to get these bad CVEs removed... worse when companies go after OSS software because of bad-faith CVEs (which is also insane).
(not saying this could be the case here, just why devs and security have historically not worked well together - trying to merge a field that dislikes centralized power with a field that likes titles)
That just reminded me of the WideOpenBSD folks
Yeah I feel like everyone and their mother became a security researcher, and half of them are going off of checklists and don't actually understand their claims, meaning they're incapable of recognizing when they're wrong or when the appearance of a concern doesn't actually match a real concern. Basically they would report a convincing honeypot.
Though this particular reporter does appear to be of above average intelligence: https://www.evilsocket.net/
So I have to admit I'm sweating a little. The only thing making me feel better is the knowledge that if his disclosure matches his claim, and it's disclosed before it's patched, we'll have a lot of leaders we can choose to follow for a response strategy that will be defensible.
Ha! Yeah, the freaking checklists!
Regardless, I think it's best to run with the assumption there is an issue, it's the only ethical thing devs can do, even if a lot of the reports are invalid.
Sometimes I wonder if the computer science field should go the way of doctors/lawyers, where peers audit peers. But this breaks the founding idea that titles are meaningless, skill is all that matters.
I see no evidence whatsoever and the "evidence" screenshot isn't attributed. The major item I found was that the "expert" worked a few weeks in his spare time and encountered evil and stubborn developers * crying a river
And I found out that "evilsocket" (an organization? A company? A home page only church? a gopher sanctuary) and the guy are the same. A real heavyweight. And he has a mac!
And I found out that the "expert" has found out neither the common practice (in security circles) to provide evidence nor that it's in fact very easy to both make a point and to get developers' (or whole distros' being at that) attention by simply using the oh so deadly vulnerability one has found on a system of them.
So, I'll borrow the Critical Drinker's phrase and tell that guy "go away now!".
I get your point, and it's true that some newbie security researchers don't fully grasp the development context, specifically for open-source code, leading to bad recommendations.
However, not all are chasing accolades. Many genuinely want to help. Specifically, evilsocket is following the responsible disclosure policy which everyone in security is supposed to follow.
It’s about finding a middle ground—developers understanding their code and researchers appreciating the development process—and pointing out an exploitable security problem impacting thousands of online assets is really worthy of attention.
I would wait for POC appearing while this also gives time to fix the damn Unauthenticated exploitable bug!
He's a very well known security researcher and tool developer. This is likely very bad...
If I had to guess, it's probably an issue in the IPv6 stack because they're coming up a lot at the moment....and this guy's best tool is an MiTM solution, so that's probably the vector he's found for an Unauthenticated RCE
He specifically said it's not the IPv6 subsystem.
inb4 PAM
Turns out I have access to the researcher's tweets.
Summary from the comments:
And I thought that the Crowdstrike mess will be the cherry on top this year.
Speculation: Looking at what has been said so far, and the types of systems it is claimed to affect (gnu/linux) of most variants. My 'guess' would be iptables/netfilter or something like this.
I can't do any speculation. I am waiting for more information and official disclosure.
If this turns out to be a catastrophe, I will try my best over time to switch to FreeBSD. Hopefully it's not that bad.
Reading comprehension fail confirmed. He took three weeks off (not spare time) specifically to deal with the disclosures, not finding the flaw. The irony is, you'd be flipping the fuck out if you presented a POC and they didn't treat it as a security vulnerability. He's done that many times over.
What are you getting on with? How the fuck can distros like Redhat confirm 9.9/10 severity without showing the flaw to fix? Did you read anything before personally attacking the researcher? Why would you be all butthurt that he's called an expert? Your incorrect use of air quotes implies that it's a made-up term, which it isn't.
Why do you bother.
To be fair, there's still only one website reporting this that I've found, and I don't know how trustworthy that site is. I'm also reluctant to assign value to the word of someone I don't know, and I've not seen the evidence that they confirmed said 9.9 score.
The reporter does look to be quite intelligent at a glance, but I do think there's room for skepticism at this particular stage.
every NOG group is going fucking nuts rn i hope something with substance comes out soon
I’m on Ubuntu Pro so I don’t have to worry
Firewall manipulation already requires CAP_NET_ADMIN or root, so I doubt a vulnerability in netfilter would cause such a storm.
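The point above rests on Linux capabilities: netfilter configuration needs CAP_NET_ADMIN in the caller's effective set. The following is an added example, not code from any poster or from the projects mentioned in the thread, showing how a defender can audit that from `/proc/<pid>/status`. The capability numbers are the standard values from `<linux/capability.h>`; the status fragments are constructed samples, and `read_live` is a hypothetical helper for checking a real process.

```python
import re

# Capability bit numbers from <linux/capability.h> (standard Linux values).
CAP_NET_BIND_SERVICE = 10
CAP_NET_ADMIN = 12


def effective_caps(status_text: str) -> int:
    """Parse the CapEff line of a /proc/<pid>/status file into a bitmask."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def has_cap(mask: int, cap: int) -> bool:
    """True if capability number `cap` is set in the effective mask."""
    return bool((mask >> cap) & 1)


def can_touch_netfilter(status_text: str) -> bool:
    """Could this process reconfigure iptables/nftables? Needs CAP_NET_ADMIN."""
    return has_cap(effective_caps(status_text), CAP_NET_ADMIN)


def read_live(pid: str = "self") -> bool:
    """Hypothetical helper: audit a running process by PID (Linux only)."""
    with open(f"/proc/{pid}/status", encoding="ascii") as f:
        return can_touch_netfilter(f.read())


# Constructed /proc/<pid>/status fragments for demonstration.
ROOT_STATUS = "Name:\tbash\nCapEff:\t000001ffffffffff\n"          # full cap set
UNPRIV_STATUS = "Name:\tnginx\nCapEff:\t0000000000000400\n"       # only CAP_NET_BIND_SERVICE
NOCAP_STATUS = "Name:\tsleep\nCapEff:\t0000000000000000\n"        # no capabilities

if __name__ == "__main__":
    for name, text in [("root shell", ROOT_STATUS),
                       ("nginx worker", UNPRIV_STATUS),
                       ("sleep", NOCAP_STATUS)]:
        print(f"{name:13s} CAP_NET_ADMIN={can_touch_netfilter(text)}")
```

A worker that only holds CAP_NET_BIND_SERVICE (enough to bind port 80) cannot alter firewall rules, which is why a netfilter bug reachable only through its configuration interface is a privilege-escalation problem rather than an unauthenticated remote one.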
Do we have a statement from RedHat about this? I thought the only proof offered was a screenshot.
It's certainly possible that this is real, but as the sayings go about extraordinary claims...
DA was never on OpenBSD, was it? I thought just Free.
If so, the claimant is pretty loose about "all GNU/Linux" since not every distro ships with a firewall (or at least I've had to install iptables with some providers' templates).
What else is common and remotely accessible? If this was an ssh vuln (again, not every...) then it would be beyond Linux. Maybe something in the network stack. Does Linux use a homegrown TCP/IP stack or BSD's like everyone else (including Windows, IIRC)?
I think it has to be something in the network stack, or else the claimant is playing fast and loose with words.
It would be funny if it was in the IPv6 stack and most sites were safe because they didn't have IPv6 turned on.
evilsocket said it's not v6. I think it's something non-standard or not commonly exposed to WAN.
Having worked in the industry and been a part of some of the behind-the-scenes disclosures like this in the past, it all sounds legit to me. For some of the DNS vulnerabilities in the past you had major corporations all knowing months in advance and working to fix the problems before they went public. This all seems pretty boilerplate for an issue of this magnitude and probably not overblown at all. I would be happy to be wrong though; if this turns out to be a nothingburger then we all win. If it is as bad as it sounds, I think a lot of servers are going to end up exploited in the near future (if not already).
This is why everyone should have a defense in depth model. If you rely on Linux you can't just easily swap it out or get rid of it but if you have other operating systems or vendors upstream you can likely help mitigate these types of problems or at least be alerted when someone exploits it. Architect your infrastructure so that a major vulnerability in any OS or any server applications (Exim, Postfix, Unbound, Apache, Nginx, mysql, etc) won't leave you completely exposed with no mitigation strategies.