This Week In Security: The Geopolitical Kernel, Roundcube, And The Archive

Leading off the week is the controversy around the Linux kernel and an unexpected change in maintainership. The exact change was that over a dozen developers with ties to or employment by Russian entities were removed as maintainers. The unfortunate thing about this patch was that it was merged without any discussion or real explanation, other than being “due to various compliance requirements”. We eventually got more answers: this was due to US sanctions against certain Russian businesses, and the Linux Foundation lawyers gave guidance that:

If your company is on the U.S. OFAC SDN lists, subject to an OFAC sanctions program, or owned/controlled by a company on the list, our ability to collaborate with you will be subject to restrictions, and you cannot be in the MAINTAINERS file.

So that’s that. One might observe that it’s unfortunate that a single government has that much control over the kernel’s development process. There were some questions about why Russian entities were targeted and not sanctioned Chinese companies like Huawei. [Ted Ts’o] spoke to that, explaining that in the US there are exemptions and different rules for each country and business. This was all fairly standard compliance stuff, up until a very surprising statement from [James Bottomley], a very core Kernel maintainer:

We are hoping that this action alone will be sufficient to satisfy the US Treasury department in charge of sanctions and we won’t also have to remove any existing patches.

I can only conclude from this that the US Treasury has in fact made this threat, that code would need to be removed. Now this is genuinely surprising, given the legal precedent that code is 1st Amendment protected speech. That precedent was established when dealing with encryption code that was being export restricted in the 90s. It seems particularly problematic that the US government believes it can specify what code does and does not belong in the Linux kernel.

SELinux

Since we’re in Kernel land, let’s talk SELinux. Many modern Linux systems, and Android in particular, use SELinux to provide an extra security layer. Turning SELinux off to see whether it is the cause of a mysterious issue is not an uncommon troubleshooting step. What we have here in the klecko Blog is an intro to bypassing SELinux. The setup is that an exploit has achieved root, but is running in an unprivileged SELinux context. What options does an attacker have to try to bypass SELinux?

The first, most obvious solution is to just disable SELinux altogether. If you can write to memory, the SELinux enabled bit can just be set to false. But that might not work, if you can’t write to memory, or have a hypervisor to wrestle with, like some Android systems. Another option is the set of permissive flags that can be overwritten, or the AVC cache that can be poisoned, both approaches resulting in every SELinux request being approved. It’s an interesting overview.

Printer Root

Xerox printers with the “Network Troubleshooting” feature have some unintended hidden functionality. The troubleshooting is done by calling tcpdump as root, and the configuration allows setting the IP address to use for the troubleshooting process. As you might expect, that IP address is used to build a command line string, and it isn’t properly escaped. You can sneak a $(bash ...) in as part of the address, allowing code execution. The good news is that access to this troubleshooting function is locked behind the web admin account. Xerox has made fixed firmware available for this issue.
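To show what the fix for this class of bug looks like, here is an added example (not Xerox’s code, and not from the original article): a user-supplied address is validated as an IP literal and handed to tcpdump as an argv list, so no shell ever sees it. The interface name, packet count and command shape are assumptions for illustration.

```python
import ipaddress
import shlex
import subprocess


def vulnerable_command(host: str) -> str:
    # The pattern described above: the user-supplied address is pasted into a
    # shell command string, so the shell expands $(...) before tcpdump runs.
    return f"tcpdump -i eth0 -c 20 host {host}"


def safe_tcpdump_argv(host: str) -> list[str]:
    # Validate first: only a syntactically valid IPv4/IPv6 literal is accepted,
    # so a value like "10.0.0.5 $(bash -c true)" raises ValueError before any
    # command is built.
    addr = ipaddress.ip_address(host.strip())
    # Build an argv list instead of a string; with subprocess's default
    # shell=False no shell ever parses these arguments.
    return ["tcpdump", "-i", "eth0", "-c", "20", "host", str(addr)]


def is_accepted(host: str) -> bool:
    # Convenience wrapper so callers can check input without catching exceptions.
    try:
        safe_tcpdump_argv(host)
        return True
    except ValueError:
        return False


def shell_safe_command(host: str) -> str:
    # If a shell string is truly unavoidable, quote every validated argument so
    # that metacharacters would be passed literally rather than interpreted.
    return " ".join(shlex.quote(a) for a in safe_tcpdump_argv(host))


def run_capture(host: str) -> subprocess.CompletedProcess:
    # Runs tcpdump without a shell. Like the printer's troubleshooting feature
    # this needs root or CAP_NET_RAW, so it is not exercised in the checks.
    return subprocess.run(safe_tcpdump_argv(host), capture_output=True, check=False)
```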

Fix Your Roundcube

The Roundcube email web client has a Cross-Site Scripting (XSS) vulnerability that is actively being exploited. The flaw is in the processing of SVGs: an extra space in an href attribute, which the browser simply ignores, is enough to sneak arbitrary JavaScript inside an SVG, and it runs when the malicious email is opened.

Roundcube has released 1.5.7 and 1.6.7 to address the issue. This is under active exploitation, currently being used against the Russian-aligned CIS countries. It’s a simple exploit, so expect to see it more widely used soon.

The Archive

The Internet Archive continues to be under siege. The Distributed Denial of Service (DDoS) attacks were apparently done by SN-Blackmeta, but the hacker behind the data breach is still a mystery. The news this week is that someone still has access to Internet Archive API keys, specifically Zendesk keys. This is illustrated by the fact that when Mashable reached out via email, the hacker answered, “It’s dispiriting to see that even after being made aware of the breach 2 weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets.”

It’s obviously been a terrible, horrible, no good, and very bad month for the Internet Archive. As it’s such an important resource, we’re hoping for some additional support, and getting the service back to 100%.

Quantum Errata

You may remember that last week we talked about a Quantum Annealing machine making progress on solving RSA cryptography. In the comments, it was pointed out that some coverage of this talks about RSA, and some talks about AES, a cipher thought to be quantum-resistant. At least one source is claiming that this confusion is because there were actually two papers from the same team, one discussing RSA, and the other techniques that could be used against AES. This isn’t confirmed yet, and there are outstanding questions about both papers.

Bits and Bytes

SQL injection attacks are old hat by this point. [NastyStereo] has an interesting idea: polyglot SQL injection attacks. The idea is simple. A SQL query might be escapable with a single quote or a double quote. To test for both at once, include both in one payload: OR 1#"OR"'OR''='"="'OR''='. There are more examples and some analysis at the link.
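As an added example (not from the article or [NastyStereo]), the single-quote half of that polyglot is run against two lookups over a constructed in-memory SQLite table: one that concatenates the value into the query and one that binds it as a parameter. The table name and column names are assumptions; the `#` in the payload is a MySQL comment character and is simply part of a string literal here.

```python
import sqlite3

# The polyglot from the article, written out as a Python string literal.
POLYGLOT = "OR 1#\"OR\"'OR''='\"=\"'OR''='"


def make_db() -> sqlite3.Connection:
    # Constructed sample data: three users in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list[int]:
    # String concatenation: the first single quote in the polyglot closes the
    # literal, and the trailing OR ''='' makes the WHERE clause true for every
    # row, so every id comes back.
    sql = f"SELECT id FROM users WHERE name = '{name}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list[int]:
    # Parameter binding: the whole payload is compared as one opaque string
    # value. No user has that name, so nothing is returned.
    sql = "SELECT id FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo() -> tuple[list[int], list[int]]:
    # Returns (rows leaked by the vulnerable lookup, rows from the safe lookup).
    conn = make_db()
    return lookup_vulnerable(conn, POLYGLOT), lookup_safe(conn, POLYGLOT)
```

The same binding discipline is what closes the double-quote case too, since the parameter never reaches the SQL parser as syntax.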

Kaspersky researchers found a Chrome exploit that was being delivered in the form of an online tank battle game. In reality, the game was stolen from its original developers, and the web site was a crypto-stealing scam making use of the browser 0-day. This campaign has been pinned on Lazarus, the APT from North Korea.

In yet another example of fake software, researchers at Kandji discovered a fake Cloudflare Authenticator campaign. This one is a macOS malware dropper that does a reasonably good job of looking like an official Cloudflare app. It’s malware, and it places itself in the system crontab to get launched on every boot. Follow the link for Indicators of Compromise if you need them.

12 thoughts on “This Week In Security: The Geopolitical Kernel, Roundcube, And The Archive”

  1. Visiting the website was all it took to get infected — the game was just a distraction.

    So, the Giggle Chromo is the new Internut Sexplorer when it comes to exploits eh? I remember fun days of Windows XP (happy b-day btw!) and IE6 when it was possible to put keyloggers into images and we were using it to steal Tibia accounts.

    decentralized finance (DeFi) NFT-based (non-fungible token) multiplayer online battle arena (MOBA) tank game

    LOLOLOL, the only thing missing here is AI… and maybe some yaoi dating simulator.

  2. Not removing Russians from the MAINTAINERS puts those Russians in danger. Russia is known for getting what it wants or you go out the window, literally. On top of that, it is a national security issue. Anyone thinking that is some sort of government overreach should try living in a country where the government can disappear you without cause. National security is a real thing and it really matters.

    1. Taking actions for reasons of “compliance” was very much the wrong move, a healthy contempt for legislation is something we must all strive to maintain, but any move which could leave the kernel open to being backdoored if Russia’s thugs threatened a developer would also be wrong. A route forward which achieves both these aims is difficult, but there must surely be one. Better to protect maintainers by making sure everyone is anonymous; if Putin’s thugs don’t know that Russian people are involved in maintaining software projects then they cannot threaten those Russian people. Open source projects should not be capitulating to American government demands, but you raise an important consideration, they must ensure they are able to resist Russian kleptocracy demands too. Total anonymity for everyone, plausibly deniable encryption, and compensating for all this by having much greater crowd auditing of code sounds a good route forward. We must not, as a community, comply with governmental demands from anywhere, but at the same time must find other ways to protect members of our community from whichever government they have the misfortune to live within reach of. It is undoubtedly a tough thing to balance.

      1. So much of any opensource project is the community – you can’t really have anonymous in a way that actually is a good defence against a nation state level of resources and still be open to expanding the community and building the trust.

        So yeah I think this is probably the right move under the circumstances, nobody under the thumb of a dictator who is actively crushing the freedoms of his own people, the same freedom opensource rather requires should be let in – you can’t really trust ‘their’ contributions even if you do trust them as an individual having met at many conferences or something in the before times. Though as the USA looks like it might be on the way to having their own dictator…

    2. You can tell Russia is already riled up with the sheer number of astroturf troll-farm accounts that came out of the woodwork and flooded Torvalds’ inbox, the LKML, and the comment section of every major Linux outlet covering it (eg. Phoronix). According to Torvalds they even had the gall to send him reversion patches directly.

        1. I actually see this as a problem a lot of organizations have. After a controversial decision, people come out of the woodwork to criticize. Rather than accept criticism, the org dismisses it as brigading, bots, trolls, etc. Those things do happen, and it’s sometimes difficult to tell the real from the manufactured. To Torvalds’ credit, he did call out the legitimate people that were concerned, and responded to the concern.

  3. Re the Linux Maintainers list, if I’m reading the results correctly, only certain names and email addresses needed to be removed, not code… although there’s the complication that US sanctions against Russia include economic goods (“contributions”) from those employed by sanctioned companies (ie. Baikal Electronics). A nice summary has been posted on Stack Exchange: https://opensource.stackexchange.com/a/15127

  4. I just get amused by people who think public disclosure about the state of quantum computing is going to be current, whether from the private sector or “public” sector.

    NSA, DGSE, SVR, and MSS will probably be implementing attacks with it at least a decade before it’s even remotely disclosed. FIPS 203/204/205 also won’t be much use if you’re still using EdDSA.
