Merry Christmas, Linux sysadmins: Here’s a kernel vulnerability with a CVSS score of 10 in your SMB server for the holiday season, giving remote code execution to an unauthenticated user.
Yes, that sounds bad, and a score of 10 is not at all reassuring. Luckily for sysadmins looking for more brandy to pour into this eggnog, it doesn’t seem to be all that prevalent.
Discovered by the Thalium vulnerability research team at French aerospace company Thales Group in July, the vulnerability is specific to the ksmbd module, which was added to the Linux kernel in version 5.15. Disclosure was held responsibly until a fix was released.
Unlike Samba, the other popular SMB server for Linux, which runs in user space, ksmbd runs in the kernel. That set off alarm bells for some users discussing its merge into the kernel last year.
SerNet, a German computer company that offers its own Samba distribution, said in a blog post that ksmbd was awesome but seemed somewhat immature. SerNet’s Samba+ team added in the same post that the value of putting an SMB server in kernel space may not be worth the risk of “throwing the performance of available hardware to the max”.
ksmbd was developed by Samsung to implement server-side SMB3 with optimized performance and a reduced footprint. The vulnerability could let an attacker leak memory from an SMB server, similar to the Heartbleed bug.
Luckily, as security researcher Shir Tamari explained on Twitter, if you’re not running Samsung’s “experimental” ksmbd module and have stuck with Samba, you’re perfectly safe.
“ksmbd is new; most users are still using Samba and are unaffected. Basically, if you’re not using SMB servers with ksmbd, enjoy your weekend,” Tamari tweeted.
According to the Zero-Day Initiative, which disclosed the ksmbd vulnerability, the use-after-free flaw exists in the processing of SMB2_TREE_DISCONNECT commands. According to ZDI, the problem is caused by ksmbd not validating the existence of objects before performing operations on them.
For those using ksmbd, there is a solution other than switching to Samba: update to Linux kernel version 5.15.61, released in August, or newer.
This kernel update also fixed a few other issues in ksmbd: an out-of-bounds read in SMB2_TREE_CONNECT handling, which the release note says invalid requests could trigger, and a memory leak in smb2_handle_negotiate.
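A quick way to tell whether a host falls into the affected population described above (ksmbd in use and a kernel older than 5.15.61). This is an added example, not code from the article or the ksmbd project; it assumes a `/proc/modules`-style listing and compares only the upstream major.minor.patch numbers, so it cannot see distro backports of the fix.

```shell
#!/bin/sh
# Added example, not from the article: classify a host against the ksmbd bug
# described above. A host is affected only if the ksmbd module is loaded AND
# the kernel is older than 5.15.61. Inputs are passed as arguments so the
# logic can be exercised offline on constructed values.

# Return 0 if kernel version string $1 is >= $2 (numeric major.minor.patch).
# Distro suffixes such as "-56-generic" or "-rc1" are stripped before comparing.
kernel_at_least() {
    have="$(printf '%s' "$1" | sed 's/[^0-9.].*$//').0.0"   # pad short versions
    want="$2.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        a="$(printf '%s' "$have" | cut -d. -f"$i")"
        b="$(printf '%s' "$want" | cut -d. -f"$i")"
        a="${a:-0}"; b="${b:-0}"
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Return 0 if a /proc/modules-style listing ($1) shows ksmbd loaded.
# Caveat: a kernel with ksmbd built in rather than loaded as a module does
# not list it there, so treat "not listed" as a hint, not proof.
ksmbd_loaded() {
    printf '%s\n' "$1" | grep -q '^ksmbd '
}

# Print one verdict: unaffected-no-ksmbd, patched, or VULNERABLE.
assess() {
    if ! ksmbd_loaded "$2"; then
        echo "unaffected-no-ksmbd"
    elif kernel_at_least "$1" 5.15.61; then
        echo "patched"
    else
        echo "VULNERABLE"
    fi
}

# Live check on this host when run with --live (tests use constructed input).
if [ "${1:-}" = "--live" ]; then
    assess "$(uname -r)" "$(cat /proc/modules 2>/dev/null)"
fi
```

A distribution kernel that backported the fix under an older version number will be reported as VULNERABLE here; confirm against the distro's advisory in that case.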
Dodge the “grift cards” by spending that holiday money now
Many ready-made kits for would-be hackers can be found on the dark web; a trend recently noticed by the Cybersixgill team is that gift card generators not only guess card numbers but also check their validity by the thousands.
Like brute-force password crackers, the tools sold online randomly guess the digits of gift cards issued by companies like Amazon, Microsoft, Sony, Apple and others, with varying degrees of speed and accuracy depending on the predictability of a card’s number sequence.
These generators are often paired with “verifiers” that run the generated gift card numbers against an issuer’s website to look up the balance or activation status, which is then reported back to the criminal behind the keyboard.
Cybersixgill’s Adi Bleih and Dov Lerner told The Register that using software of the type sold on the dark web to generate, guess and verify gift card numbers is easy enough that “a child with Tor could do it”.
When looking for cards, criminals aren’t always looking for fully loaded cards, or even waiting for unactivated cards to come online: they’re looking for cards with just a small balance remaining. “These cards are forgotten,” Bleih said, and cybercriminals can search for working cards “in the thousands” using tools easily found online.
The moral of this holiday story? If you receive a gift card, spend it quickly and spend it in full; if you give one, urge the recipient to do the same.
Meta gets $725 million slap on the wrist over Cambridge Analytica
Details of Meta’s settlement of the lawsuits against it over the Cambridge Analytica scandal, originally agreed in August, had not been disclosed, but according to documents filed in the case this week, the price of Meta’s misbehavior is just $725 million.
Don’t break out the expensive stuff yet: only 25% of that money will go to the 250 million to 280 million Facebook users included in the class, the plaintiffs’ attorneys told Reuters.
Still, legal eagles say this is the largest data privacy class action settlement in US history, and the most Meta has ever had to pay to resolve a legal case.
For those who have forgotten the Facebook data privacy scandal, Cambridge Analytica was a data company employed by the Donald Trump campaign in 2016. As part of its data collection operations, Cambridge Analytica created Facebook apps that collected data from tens of millions of users without their knowledge.
$725 million might also seem like a lot of money, but don’t forget the context: Meta’s revenue in the third quarter of this year alone was $27.7 billion. Of course, Meta has reduced its workforce and is hemorrhaging money, but what’s another $725 million? ®