heightened cyber alarm levels - timeline of a successful attack on the most basic tools like: exiftool - possible mitigations

cyber is on heightened alarm levels

… ya’ll know why.

timeline of a successful attack on the most basic tools like: exiftool

• This was reported by a security researcher on April 7, 2021, initially confidentially via the bug bounty platform HackerOne at the affected GitLab.
  • They reacted quickly, passed this on to the exiftool maintainers, who already provided a patched version 12.24 on April 13 and on April 14, the researcher received a $19,000 reward.
  • But the story wasn’t over.
  • On April 30 – more than two weeks later – CySrc filed a report with Google’s Vulnerability Reward Program.
  • They had found that DjVu images uploaded to Virustotal gave them access to scan servers.
  • Had the operators of these servers overslept the patches?

translated from: https://www.heise.de/hintergrund/Der-Patch-Alptraum-Wenn-schnell-nicht-schnell-genug-ist-7069924.html

• Probably not. I rather think that they simply relied on the security updates of their Linux distribution.
• And with Debian, for example, that didn’t happen until May 2nd; at Fedora even on May 4th.
• So, after the release of the patch that exposed the problem, there was a window of over 2 weeks in which Linux systems with exiftool were vulnerable to a known, easy-to-exploit vulnerability.
• CySrc used this window of opportunity to score points on Google’s Vulnerability Reward Program (although it’s not clear if they got a reward).
• But just as well, state APT or cybercrime hackers could have exploited this gateway for their own purposes and caused real harm.

possibly mitigation:

/usr/bin/unshare

“For exiftool it would therefore have been the right approach not to start it with root rights (!), but rather to run it with unshare (/usr/bin/unshare) in an extremely downtripped context. Linux comes with a lot of security features that you just have to use.”

(src)

possibly mitigation:

• only run programs with the privileges they absolutely need
  • that is sometimes a bit cumbersome, like users having to be in the right group, then completely log out to make changes effective (example: virtualbox’s user vboxuser (the setup ideally should ask the user “what users should be allowed to run virtual machines on this host?” (list of user appears -> checkbox those that are allowed))
• monitor the network for illicit connections to strange places and strange hosts
  • a starter is: iftop.man.txt
  • firewall every network
    • AppArmor is said to be able to block connections per-application

another: possibly mitigation:

Yes C++ is “ugly”.

So is RUST.

But RUST comes with “build-in” safety (hardware control might be lacking somewhat).

So yes it is an hard-to-understand-and-what-is-actually-going-on-syntax-language… but unless there comes the “C with safety build in” RUST is the best option for Open Source to be secure, reliable and fast in the future.

Linus & probably also Mr Stallman will always stick to C, because yes it is a great language (still) and it is part of their DNA.

Links:

https://dwaves.de/2019/08/17/rust-most-loved-programming-language-ever-c-with-safety-new-programming-language-from-mozilla-for-mozilla-and-safety-now-also-with-step-debugging/

https://dwaves.de/2019/09/27/compile-rust-hello-world-for-arm7/

https://dwaves.de/2021/12/27/rust-dev-lang-how-to-view-onboard-html-based-documentation-man-page-the-rust-standard-library/

https://dwaves.de/2021/07/24/how-to-step-debug-debugging-rust-in-vim-8-1/

java had it’s oopsi time

https://dwaves.de/2021/12/13/cyberinsecurity-ah-oh-its-java-time-log4j-called-log4shell-dynamically-remote-loading-code-or-any-other-resources-is-always-a-bad-cybersec-idea/

#linux #gnu #gnulinux #opensource #administration #sysops #itsec #cyber

Originally posted at: https://dwaves.de/2022/05/03/heightened-cyber-alarm-levels-timeline-of-a-successful-attack-on-the-most-basic-tools-like-exiftool-possible-mitigations/