OpenSSL, the widely used cryptography toolkit and library, has been the target of security researchers’ audits more than almost any other project, perhaps only excluding the Linux Kernel itself. This week was no exception, and again some issues were found.
[Update 20 April: Over the past weeks, KernelCare has released patches for CVE-2021-3449 covering AlmaLinux OS 8, RHEL 8, Ubuntu 18.04, Ubuntu 20.04, Centos 8, Debian 10, Oracle Linux 8, and for CVE-2021-3450 covering AlmaLinux OS 8, Centos 8, Oracle Linux 8, RHEL 8. If you’re running KernelCare on one of those systems, you have already received the patches.]
Continue reading “Two more vulnerabilities uncovered in OpenSSL”
Updating an OS seems like a trivial task. The type of activity a sysadmin instinctively knows how to perform. But have you ever actually considered the full scope of it? All the different threads that must be knit together to perform it successfully, safely and predictably? What if the operating system, on top of being old, is also no longer supported?
Shortly after exploit code was found in a public repository, two new vulnerabilities (CVE-2020-27170 and CVE-2020-27171) have been found in the Linux Kernel code that protects against it.
Both vulnerabilities allow a local user to read kernel memory which could contain sensitive information like encryption keys. Proof-of-concept code has also been made available privately, but it is safe to assume it will eventually reach public outlets.
Continue reading “Spectre just won’t remain dead”
Very recently, a long-known vulnerability called Spectre re-emerged because an exploit was made publicly available, and a lack of patching meant that this well-known vulnerability posed a danger again.
And, yet again, something similar happened. This time, security researchers found three critical bugs in 15-year-old Linux kernel code. Code this old should have been thoroughly scrutinized for bugs by now – and it is anybody’s guess how often these vulnerabilities have been exploited by malicious actors in the meantime.
Patches have now been released for CentOS 8, Oracle EL8, RHEL8, CloudLinux 7h, CloudLinux 8, AlmaLinux OS, Ubuntu Bionic HWE, Debian 10, Debian 10 Cloud, Debian 9 Backports and Proxmox VE6.
Additionally, patches are now also available for CloudLinux 6h, CloudLinux 7, CentOS 7, CentOS 7-plus, Oracle EL7, and RHEL 7.
In this article, we outline the three vulnerabilities just discovered, explain why open-source code is not always scrutinized as well as it should be (or by the right people), and point to the importance of patching consistently.
Continue reading “Three more zombie kernel bugs prove why you must patch consistently”
Billions of IoT devices are transforming the capabilities of industrial control systems (ICS): delivering low cost, low power computing to achieve efficiency and automation. But the unique characteristics of these devices can also turn ICS into somewhat of a management and security headache.
As always, tools emerge to relieve these challenges – take Microsoft Azure IoT Hub, for example. IoT devices tend to proliferate, which makes tracking and managing them very challenging. Azure IoT Hub is a tool that helps organizations catalog, manage and integrate large fleets of IoT devices.
Similarly, managing security patching across large IoT networks can be difficult – devices in ICS environments may be air-gapped and require 100% service availability. KernelCare live patching for IoT can help solve these challenges.
Today, we’re delighted to announce that KernelCare for IoT now fully integrates with Device Update for IoT Hub from Microsoft, which is currently in preview in select Azure regions. Let’s take a look.
Continue reading “KernelCare Live IoT Patching integrates with Microsoft Azure IoT Hub”
Cyber threats come and go, but some threats leave a lasting imprint due to their impact. Think of Spectre and the closely related Meltdown, for example, two of the most widely covered vulnerabilities in recent memory.
It is of course frustrating when a cyber threat simply refuses to go away, and even worse when it is a highly prominent vulnerability. That’s turning out to be the case with Spectre, one of the most dangerous exploits of recent times. While patched systems are protected against Spectre, the nature of Spectre patches and their resulting impact on performance mean that a large number of systems have not been patched.
Continue reading “Thought Spectre is history? It’s still alive, and kicking”
A flaw in the OpenSSL API function X509_issuer_and_serial_hash() has been disclosed that may cause applications using it to crash, leading to a potential denial of service (DoS) for their users.
The flaw lies in the way a hash is calculated from the Issuer and Serial Number data of an X509 certificate: the calculation can fail and make OpenSSL return a NULL value, which in turn can crash the application calling the function.
Continue reading “Extended Lifecycle Support service providing updated OpenSSL to address CVE-2021-23841”
This February we worked diligently to keep your Linux kernels and shared libraries updated. In the following sections you’ll find detailed updates on the latest CVEs, recent KernelCare projects, and technical instructions. Or, watch a quick recap of the news in video format.
Continue reading “Monthly KernelCare Update – February 2021”
We’ve covered brand new Linux kernel vulnerabilities in a few of our past articles, but in this article we’ll take a look at a vulnerability that’s been re-listed accidentally. Both reports – the erroneous relisting, and the original listing – point to a vulnerability in Linux kernel memory mapping where a race condition can develop when a memory expansion function is used.
We’ll cover the vulnerability as it stands. But we’ll also look at a key issue revealed by the double listing: if security experts can so easily lose sight of an existing vulnerability to the extent that a vulnerability is relisted as “new” and “just discovered” – what does it say about the state of vulnerability management?
And what does it mean for Linux users around the globe, vulnerable to countless offensive strategies – but dependent on the security experts for assistance?
Continue reading “Mmap kernel vulnerability is relisted”
KernelCare has added support for AlmaLinux OS. This new Linux distribution is a community-driven project that intends to fill the gap left by the change in direction of CentOS, in terms of stability and support. It is a stable, enterprise-grade server OS with long support windows. Forever free and open-source, AlmaLinux OS is backed by CloudLinux and has a growing community gathering around it, helping guide its direction and strategy. Alma means soul in some Latin-based languages, and the name aims to celebrate the soul of Linux – its users and community.
Continue reading “KernelCare supports AlmaLinux OS”