News for admins
Tech News
Critical Linux Kernel Bug Discovered
Security researchers at Perception Point have identified a zero-day privilege escalation vulnerability in the Linux kernel. According to the report, the problem has existed since 2012, and the vulnerability "could affect tens of millions of Linux PCs and servers and 66 percent of all Android devices." Google has since disputed the Android figure, noting that the SELinux policy enforced on Android 5.0 and later blocks the exploit path for third-party apps.
The problem, numbered CVE-2016-0728, is a reference-count leak in the keyring facility of the Linux kernel, which is "… a primary way for drivers to cache security data, authentication keys, encryption keys, and other data in the kernel." A local, unprivileged process can leak references to its own session keyring until the 32-bit count wraps to zero, at which point the kernel frees a keyring that is still in use; the resulting use-after-free is what the researchers turned into root. All Linux users are urged to install the necessary patches as they become available. Refer to the security bulletin for your Linux distro, and before assuming you are covered, check that the changelog of your installed kernel package actually references CVE-2016-0728, because distributions backport the fix without changing the upstream version number. For more information, see the full report at the Perception Point website [http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/].
One Third of All IT Infrastructure Expenditure is Going to the Cloud
According to a report from IDC, one third of all IT infrastructure spending now goes to the cloud. IDC's Worldwide Quarterly Cloud IT Infrastructure Tracker puts cloud infrastructure spending at $7.6 billion for the third quarter of 2015, up 23 percent year over year. The tracker does not measure purchases of cloud capacity or services; it measures spending on the servers, disk storage, and Ethernet switches deployed in cloud environments. In other words, the study shows how much companies are investing in the data center hardware that supports public and private cloud operations.
HP sold the most cloud infrastructure, with a little over 15 percent share of the total vendor revenue, followed by Dell, Cisco, EMC, and NetApp. Unlike in some areas of high tech, the big players didn't own the whole market: original design manufacturers (ODMs) selling directly to cloud operators took 29.4 percent of the market, and another 17.5 percent went to smaller vendors grouped together in the "Other" category.
New Attack Sucks Information from HTTPS
Security researcher Guido Vranken has published a paper on an attack that extracts meaningful information from a captured TLS session without breaking the encryption. The so-called HTTPS Bicycle attack relies on the fact that, with stream ciphers and AEAD suites such as AES-GCM, every TLS record is a constant number of bytes longer than the plaintext it carries, so ciphertext sizes track plaintext sizes exactly. An attacker who knows the layout of a request (easy to learn for any public login form by submitting one) subtracts the known parts from the record size and is left with the length of the unknown parts, such as the value of the Cookie header or the payload of an HTTP POST request. Applied to a login request, the technique yields the length of the password used to access an online account, which shrinks the search space of a dictionary or brute-force attack considerably. Block ciphers in CBC mode pad each record to a block boundary and therefore leak the length only to within one block.
The attack has no fix in TLS as deployed today; the practical countermeasures are on the application side, such as padding sensitive fields to a fixed length before they are sent. A high-quality password, some form of two-factor authentication, or both will make it much harder for the attacker to turn the leaked length into access. See Guido Vranken's blog [https://guidovranken.wordpress.com/2015/12/30/https-bicycle-attack/] for a summary of the attack technique.
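The length inference described above, as an added simulation that is not code from Vranken's paper: the request templates, the site name, the cookie "session=abc123" and the password "hunter2xyz" are constructed sample data, and the record-size functions model the TLS 1.2 record payload (5-byte record header excluded) for AES-GCM (8-byte explicit nonce plus 16-byte tag) and for AES-CBC with HMAC-SHA1 (16-byte IV, 20-byte MAC, minimal padding). Instead of subtracting one fixed known length, the attacker side rebuilds the known template for every candidate length and keeps those whose modelled record size matches the capture, which also handles headers such as Content-Length that change with the secret's length.

```python
"""Simulation of the HTTPS Bicycle attack: recovering field lengths from TLS record sizes.

Added example with constructed sample data, not Vranken's code. The size formulas model the
TLS 1.2 record payload (5-byte header excluded) for AES-GCM and AES-CBC/HMAC-SHA1.
"""
import math
from typing import Callable, List


# ---- victim side: the plaintext a browser sends (constructed sample site) ----

def login_request(password: str, cookie: str = "session=abc123") -> bytes:
    """Plaintext POST for a login form. Everything except the cookie and the password is
    fixed by the site, so an attacker can rebuild it for any candidate length."""
    body = f"username=alice&password={password}"
    return (
        "POST /login HTTP/1.1\r\n"
        "Host: example.com\r\n"
        f"Cookie: {cookie}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"   # its digit count also depends on the password
        "\r\n"
        f"{body}"
    ).encode()


def page_request(cookie: str) -> bytes:
    """Plaintext GET of a known URL; only the cookie varies, so its length leaks first."""
    return f"GET /account HTTP/1.1\r\nHost: example.com\r\nCookie: {cookie}\r\n\r\n".encode()


# ---- what TLS leaks: the size of each encrypted record ----

def gcm_record_len(plaintext_len: int) -> int:
    """AES-GCM (and any stream cipher or AEAD): constant overhead, so the plaintext
    length leaks exactly. 8-byte explicit nonce + ciphertext + 16-byte auth tag."""
    return 8 + plaintext_len + 16


def cbc_record_len(plaintext_len: int, mac_len: int = 20, block: int = 16) -> int:
    """AES-CBC with HMAC-SHA1 (TLS 1.1+): 16-byte IV, then plaintext + MAC + 1..16 padding
    bytes rounded up to a block boundary. The length leaks only to block granularity."""
    return block + math.ceil((plaintext_len + mac_len + 1) / block) * block


# ---- attacker side: passive observer who knows the site's request layout ----

def candidate_lengths(observed: int, size_model: Callable[[int], int],
                      template: Callable[[str], bytes], max_len: int = 256) -> List[int]:
    """Rebuild the template with a dummy value of every candidate length and keep the
    lengths whose modelled record size equals the captured record size."""
    return [n for n in range(max_len + 1)
            if size_model(len(template("x" * n))) == observed]


def recover_password_lengths(captured_post_len: int, cookie_len: int,
                             size_model: Callable[[int], int]) -> List[int]:
    """Password-length candidates for a captured login POST, given the cookie length
    (learned from an earlier GET with candidate_lengths)."""
    dummy_cookie = "x" * cookie_len   # only the cookie's length matters for the size
    return candidate_lengths(captured_post_len, size_model,
                             lambda pw: login_request(pw, dummy_cookie))


if __name__ == "__main__":
    cookie, password = "session=abc123", "hunter2xyz"   # constructed victim secrets
    for name, model in (("AES-GCM", gcm_record_len), ("AES-CBC/HMAC-SHA1", cbc_record_len)):
        # Record sizes are all the attacker ever sees on the wire.
        get_size = model(len(page_request(cookie)))
        post_size = model(len(login_request(password, cookie)))
        cookie_lens = candidate_lengths(get_size, model, page_request)
        # With CBC the cookie length is itself a range; the true value is used here to
        # isolate the password step (more captured requests narrow it down in practice).
        pw_lens = recover_password_lengths(post_size, len(cookie), model)
        print(f"{name}: cookie candidates {cookie_lens}, password candidates {pw_lens}")
```

With AES-GCM the GET leaks the cookie length (14) exactly and the POST then leaks the password length (10) exactly; with CBC each step yields a set of up to 16 candidates, which is why the precise version of the attack targets stream ciphers and AEAD suites, and why padding the sensitive field to a fixed length on the application side removes the signal entirely.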
Allocation Proposals for Time on Blue Waters
The US National Science Foundation's Petascale Computing Resource Allocations (PRAC) program is soliciting proposals for projects to run on the NSF-funded Blue Waters supercomputer at the University of Illinois. The goal of the project is to "open up new possibilities in science and engineering by providing computational capability that makes it possible for investigators to tackle much larger and more complex research challenges across a wide spectrum of domains."
According to the announcement from PRAC, "Proposers must show compelling science or engineering challenges that require petascale computing resources. Proposers must also be prepared to demonstrate that they have science or engineering research problems that require and can effectively exploit the petascale computing capabilities offered by Blue Waters. Proposals from or including junior researchers are encouraged, as one of the goals of this solicitation is to build a community capable of using petascale computing."
The proposal deadline for the next round of allocations is April 4, 2016. See the announcement at the NSF website [http://www.nsf.gov].
Microsoft Announces New PowerShell
Microsoft has announced the release of Windows Management Framework (WMF) 5.0. The best known component of WMF is the PowerShell command shell and scripting language.
The preview version of WMF 5.0 has been available since February 2015, so many users are already familiar with it. According to Microsoft, new features in the final release include Just Enough Administration (JEA), a role-based access control layer for PowerShell remoting that lets you delegate specific cmdlets to specific users without handing them full administrative rights; PowerShell classes; and the new PackageManagement (formerly OneGet) and PowerShellGet modules for installing software packages and PowerShell modules. The latest version also comes with enhancements to PowerShell script debugging and software inventory logging.
You can download WMF 5.0 from the Microsoft Download Center. It runs on Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, Windows 8.1, and Windows 7 SP1. You'll also need .NET Framework 4.5.
Secret Backdoor Affects More Fortinet Firewalls
Security appliance vendor Fortinet has announced that the hidden SSH backdoor in its FortiGate firewall devices, which was revealed earlier this month and has since been assigned CVE-2016-1909, affects more products than previously thought. The backdoor is an undocumented login that authenticates with a challenge-response scheme keyed to a secret hard-coded in the firmware, so anyone who can reach the SSH service and knows the secret gets administrative access. In its first response, the company described the backdoor as a "remote management feature" rather than a vulnerability and said it had been removed in July 2014.
A later blog entry at the Fortinet site (dated January 20) admits the backdoor is still present in several other current products and versions. The company strongly recommends an immediate software update for users with the following Fortinet devices:
- FortiAnalyzer: 5.0.5 to 5.0.11 and 5.2.0 to 5.2.4 (branch 4.3 is not affected)
- FortiSwitch: 3.3.0 to 3.3.2
- FortiCache: 3.0.0 to 3.0.7 (branch 3.1 is not affected)
- FortiOS 4.1.0 to 4.1.10
- FortiOS 4.2.0 to 4.2.15
- FortiOS 4.3.0 to 4.3.16
- FortiOS 5.0.0 to 5.0.7
The company says it created the backdoor so that its FortiManager product could log in to the devices it manages, although it now acknowledges that shipping an undocumented login with a hard-coded secret was not an inspired choice for a security company. Sample code for exploiting the backdoor has already been posted online, so an affected device whose SSH port has been reachable from untrusted networks should be treated as potentially compromised; until you can update, restrict SSH on the management interface to trusted addresses.
The announcement comes a month after the discovery of unauthorized code in ScreenOS, the operating system of Juniper's NetScreen firewalls. That backdoor has two parts: a hard-coded password that grants administrative access over SSH or Telnet, and a modified constant in the Dual_EC_DRBG random number generator that lets whoever knows the matching secret decrypt VPN traffic. According to Juniper, the code was not created by the vendor but was slipped into its source without Juniper's knowledge; cryptographers who analyzed the Dual_EC change describe it as a takeover of an earlier weakness widely attributed to the NSA.
Users should upgrade their Fortinet and Juniper systems as soon as possible. If you own a different firewall device, take this as a wake-up call to install any vendor updates and to keep an eye on your vendor's security blog. Something tells me we haven't seen the last of these secret firewall backdoors.