The China-affiliated group is using the highly modular DeepData framework to target organizations in South Asia.

Source: u3d via Shutterstock

China's APT41 threat group is using a sophisticated Windows-based surveillance toolkit in a cyber-espionage campaign targeting organizations in South Asia.

The malware adds to the already broad portfolio of malicious tools that the threat actor has deployed in recent years and makes APT41 an even more pernicious threat to targeted enterprises.

**Optimized Plug-ins**

Researchers at BlackBerry, among the many who are tracking the threat actor, spotted the new malware toolkit earlier this year and have dubbed it "DeepData Framework." Their analysis showed it to be a highly modular toolkit that supports as many as 12 separate plug-ins, each one optimized for a specific malicious function.

Four of the plug-ins steal communications from WhatsApp, Signal, Telegram, and WeChat. Another three are rigged to steal and exfiltrate system information, Wi-Fi network data, and information on all installed applications on the compromised system — including names and installation paths. Three DeepData plug-ins steal information related to browsing history and cookies; they also grab passwords from Web browsers, Baidu storage services, FoxMail, and other cloud services, and other information like user emails and contact lists in Microsoft Outlook. The remaining two plug-ins enable theft of audio files from compromised systems.

Blackberry researchers chanced upon DeepData when conducting an investigation of "LightSpy," an iOS implant that they have tracked APT41 using in an ongoing and wide-ranging mobile espionage campaign against targets in India and South Asia. Their analysis showed DeepData to have a similar design to LightSpy in that both have a core module and support for multiple data theft plug-ins.

Significantly, DeepData appears to be a malware toolkit that the attackers are manually interacting with after compromising a target and gaining access. "The \[command and control\] address is also specified as a command line argument, as are the requested plugins to be run or data to extract," Blackberry's research and intelligence team said in a blog post this week. "The implication of this execution method is that it must be done manually, sans a script or some other bundling distribution."

**Surveillance Powers Continue to Grow**

DeepData adds to APT41's already formidable surveillance and cyber espionage capabilities. The malicious framework is an example of the constantly emerging threats that organizations have to deal with when trying to mitigate threats from advanced persistent threat groups and nation-state bad actors. "Our latest findings indicate that the threat actor behind DeepData has a clear focus on long-term intelligence gathering," BlackBerry said. Since first deploying LightSpy in 2022, the threat actor has methodically and strategically bulked up its capabilities to intercept communications and steal data in total stealth, BlackBerry said.

APT41 is a known threat actor that security vendors and researchers have been variously tracking as Winnti, WickedPanda, Barium, Wicked Spider, and other names. Some vendors consider APT41 to be a collection of smaller subgroups collectively working at the behest of, or on behalf of the Chinese government. The group's mandate appears to be very broad, based on its targets and the kind of campaigns it has conducted in recent years.

Most recently, researchers tied APT41 to attacks targeting global logistics and utilities companies, and to a campaign that targeted research entities in Taiwan. Over the years, the group has stolen data from a wide range of organizations, including intellectual property and trade secrets from healthcare organizations, media and entertainment companies, government agencies, automative firms, retailers, energy companies, pharmaceutical companies, and others. Its activities prompted a US government investigation and subsequent indictment of five alleged members of APT41 back in 2020. Its victims have spanned Europe, Asia, and North America.

The group's latest South Asian campaign appears aimed at politicians, journalists, and political activists in the region, according to BlackBerry. "Organizations of all sizes, particularly those in targeted regions, should treat this threat as a high priority and implement comprehensive defensive measures."

The company's recommended mitigation measures include blocking the group's known C2 infrastructure, monitoring networks and devices for unexpected audio recording activities, using secure communications for transmitting data, and deploying the detection rules that BlackBerry has released for DeepData components.  

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Toolkit Vastly Expands APT41's Surveillance Powers

Red Hat Security Advisory 2024-9525-03 - An update for libsoup is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a HTTP request smuggling vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9525.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: libsoup security updateAdvisory ID:        RHSA-2024:9525-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9525Issue date:         2024-11-13Revision:           03CVE Names:          CVE-2024-52530====================================================================Summary: An update for libsoup is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The libsoup packages provide an HTTP client and server library for GNOME.Security Fix(es):* libsoup: HTTP request smuggling via stripping null bytes from the ends of header names (CVE-2024-52530)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-52530References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2325284

Red Hat Security Advisory 2024-9525-03

Red Hat Security Advisory 2024-9500-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9500.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: kernel security updateAdvisory ID:        RHSA-2024:9500-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9500Issue date:         2024-11-13Revision:           03CVE Names:          CVE-2022-48695====================================================================Summary: An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel packages contain the Linux kernel, the core of any Linux operating system.Security Fix(es):* kernel: drm/amdgpu: use-after-free vulnerability (CVE-2024-26656)* kernel: scsi: mpt3sas: Fix use-after-free warning (CVE-2022-48695)* kernel: mptcp: pm: Fix uaf in __timer_delete_sync (CVE-2024-46858)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-48695References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2272692https://bugzilla.redhat.com/show_bug.cgi?id=2278999https://bugzilla.redhat.com/show_bug.cgi?id=2315210

Red Hat Security Advisory 2024-9500-03

US Immigration and Customs Enforcement put out a fresh call for contracts for surveillance technologies before an anticipated surge in the number of people it monitors ahead of deportation hearings.

On November 6, just hours after news outlets declared that Donald Trump had been elected the next president of the United States, Immigration and Customs Enforcement posted a notice asking companies to submit plans for how they would expand ICE’s system of ankle monitors, GPS trackers, biometric check-in technology, and human agents monitoring “non-citizens” awaiting immigration court hearings or deportation.

The notice signals the mechanisms through which ICE will expand its intensive surveillance of people awaiting deportation hearings—a list that could grow from under 200,000 to more than 5 million.

Throughout Trump’s presidential campaign, he has promised to execute “the largest deportation operation in American history.” Beyond promising workplace raids and giant detention “camps,” Trump hasn’t released specific plans for how his mass deportations would work. However, it’s likely that many granular aspects of a mass monitoring, detention, and deportation program would be planned by private companies contracting with ICE.

ICE’s recent notice asks interested companies to send specific details about how they would store location data and personal information, where their office locations would be, how they would staff agents, and what technology they have for remote surveillance, among other details. Currently, ICE uses a combination of ankle monitors and GPS-enabled smartwatches and smartphone apps to remotely monitor people. It also uses apps with facial recognition for “biometric” check-ins.

The notice says companies must have facilities with “suitably large intake rooms” for people being enrolled in ICE surveillance. They also must have the “ability to perform mass-scale intakes as required by unforeseeable events.”

Contractors would be facilitating ICE’s Intensive Supervision Appearance Program, which is a way for ICE to monitor these undocumented or unnaturalized people without placing them in a detention facility. ISAP is meant especially for people who have been in the United States for some period of time and already have a house, apartment, or other residence. ISAP has flourished under President Biden, who has more than doubled the number of participants since December 2020, putting the current total at almost 200,000 people.

For ICE, according to the November notice, the program offers “considerable cost savings” compared to detention. So even if Trump follows through on his promise of mass detention, it’s likely that ISAP would be a significant aspect of any mass deportation program.

Compared to its recent November notice, ICE was more detailed about its 2025 plans in a different notice released last year. This earlier notice shows that ICE was preparing for a more intense immigration policy on the horizon regardless of who eventually won the election.

In the 2023 notice, ICE says that ISAP’s parent program, Alternatives to Detention, would be rebranded as Release and Reporting Management. This new program would involve monitoring every single non-detained person who’s awaiting a court hearing or deportation, as opposed to just some. At the time the notice was published, ICE said 5.7 million people were eligible to be monitored under the new program—meaning that if implemented, the scale of ICE’s remote surveillance would increase by approximately 3,000 percent.

According to a government contract database, B.I. Incorporated has been ICE’s ISAP contractor since at least 2005. The company is a subsidiary of GEO Group, which is one of the largest private prison companies in the US.

Though the stock market as a whole went up the day after Trump’s victory, GEO Group’s stock boost made it “the single biggest winner in the US stock market—among companies of any size,” according to Robinhood-owned investment news site Sherwood News. Its five-year contract to run ISAP, worth $2.2 billion, is scheduled to expire next year.

On a post-election earnings call for GEO Group, CEO Brian Evans said that the company could increase its ISAP capacity by “several hundreds of thousands of participants, and up to several million if necessary,” as reported by HuffPo. The company’s COO, Wayne Calabrese, added that they have already informed ICE that it’s ready to do this.

“We expect the incoming Trump administration to take a much more expansive approach to monitoring the several millions of individuals who are currently on the non-detained immigrant docket,” Calabrese said on the call.

According to HuffPo, GEO Group competitor CoreCivic (previously called Corrections Corporation of America) had its own post-election earnings call, during which CEO Damon Hininger said that the timing of the November 6 ICE notice was “probably not a coincidence.”

“We took that as a very encouraging sign,” Hininger said.

ICE Started Ramping Up Its Surveillance Arsenal Immediately After Donald Trump Won

## Description

When the `register_argc_argv php` directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request.

## Resolution

The framework now ignores argv values for environment detection on non-cli SAPIs.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-gv7v-rgg6-548h: Laravel environment manipulation via query string

Red Hat Security Advisory 2024-9331-03 - An update for krb5 is now available for Red Hat Enterprise Linux 9. Issues addressed include a memory leak vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9331.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: krb5 security updateAdvisory ID:        RHSA-2024:9331-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9331Issue date:         2024-11-12Revision:           03CVE Names:          CVE-2024-26458====================================================================Summary: An update for krb5 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC).Security Fix(es):* krb5: Memory leak at /krb5/src/lib/rpc/pmap_rmt.c (CVE-2024-26458)* krb5: Memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c (CVE-2024-26461)* krb5: Memory leak at /krb5/src/kdc/ndr.c (CVE-2024-26462)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.5 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-26458References:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/9.5_release_notes/indexhttps://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2266731https://bugzilla.redhat.com/show_bug.cgi?id=2266740https://bugzilla.redhat.com/show_bug.cgi?id=2266742

Red Hat Security Advisory 2024-9331-03

Atlas Biomed, a DNA testing company that promised clients insights into their genetic disposition has suddenly disappeared.

A DNA testing company that promised clients insights into their genetic disposition has suddenly disappeared. The BBC reports it tried several methods to reach the company but failed in this effort.

London offices are closed, nobody answers the phone, and clients are no longer capable of accessing their online records. All the company’s social media accounts haven’t been updated since 2023 at the latest.

The atlasbiomed.com domain appears to be inactive. Customers were only able to look at their test results online, these were not downloadable, so now they are not only unable to see them, but they also have no idea what has happened to that data.

Although there is no evidence that any of the data has been misused, it is worrying to not know who now has access to the data, especially now that the investigation shows that there might be ties to Russia.

While four out of eight company officers have resigned, two of those that remain are listed at the same address in Moscow. That happens to be the same address as that of a Russian billionaire, who is described as a now resigned director.

DNA testing has become so commonplace that many people have blindly participated without truly understanding the implications. It has always been a problem to figure out who you could trust with your genetic data. For some people it’s their cheapest chance of finding out whether they are affected by some genetic disorder.

Since those early days, we’ve had several warnings about how submitting your genetic data can go sideways.

In 2018, MyHeritage suffered a security incident which exposed the email addresses and hashed passwords of 92 million users.

In 2020, Ancestry was acquired by investment firm Blackstone for $4.7 billion, which raised questions about the potential commercialization of genetic data and its transfer to new owners.

And the ongoing saga of what happened at 23andMe is the clearest example of why people would be hesitant to submit genetic data. In 2023, cybercriminals put up information belonging to as many as seven million 23andMe customers for sale on criminal forums following a credential stuffing attack against the genomics company.

Since then all board members have resigned, except for CEO Anne Wojcicki who has stood by her plans to take the company private, raising again the subject of what happens to customer genetic data when a company is sold.

Data breaches happen to the best companies. So, even if a company has good intentions, there is still a risk of your genetic data being linked to your personally identifiable information (PII). This makes the information a treasure trove for advertisers, insurance companies, and Big Pharma.

All of this makes it very understandable that customers of Atlas Biomed are worried about where their data might end up.

**Words of warning**

The UK regulator, the Information Commissioner’s Office (ICO) has confirmed it has received a complaint about Atlas Biomed, saying in a statement:

> “People have the right to expect that organizations will handle their personal information securely and responsibly.”

Unfortunately, we know that not all organizations will meet that expectation, so there are a few things you should keep in mind.

If you submit genetic material, research the company you want to trust with it thoroughly.

Only share the personal information you absolutely have to provide with the genetic testing company. Lie if you must and create a separate free email account so the information can’t be tied to your main account.

Make sure to familiarize yourself with the company’s privacy policy and opt out of sharing information where possible. Make sure to stay informed about any policy updates or changes from the company.

As a wise lady and one of my former editors once wrote:

> “Many a friend and family member have scoffed at my warnings to stay away from consumer DNA testing kits, remarking that they have nothing to hide or that there’s no harm in releasing their DNA into the hands of researchers. I honestly hope they’re right.
> 
> I hope they never have to fear having their health insurance ripped away because of pre-existing conditions or an increased risk of developing certain diseases. I hope they aren’t inundated with marketing emails about cancer-preventative nutrition or the best new medicines to prolong the onset of Alzheimer’s. I sincerely hope they’re never targeted by racial-profiling police officers, denied a job by a prejudiced employer or buried in paperwork after having their identity stolen by a hacker. And I fervently hope they’ll never have to hide their genetic profile from a government hell-bent on ridding its country of a certain ethnicity or race.”

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 DNA testing company vanishes along with its customers&#8217; genetic data 

Donald Trump has vowed to deport millions and jail his enemies. To carry out that agenda, his administration will exploit America’s digital surveillance machine. Here are some steps you can take to evade it.

The WIRED Guide to Protecting Yourself From Government Surveillance

Debian Linux Security Advisory 5805-1 - It was discovered that the daemon of the GNU Guix functional package manager was susceptible to privilege escalation.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5805-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
November 08, 2024                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : guix  
CVE ID         : not yet available

It was discovered that the daemon of the GNU Guix functional package  
manager was susceptible to privilege escalation. For additional  
information please refer to  
https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability/

For the stable distribution (bookworm), this problem has been fixed in  
version 1.4.0-3+deb12u2.

We recommend that you upgrade your guix packages.

For the detailed security status of guix please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/guix

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcuaRAACgkQEMKTtsN8  
TjZa/Q//eoPkJt2H3eEwYAqg8KGN0HD6rJpNNIznSbFIbjBCy/Dojt1YbA/3f7LC  
K4dFp6eQo59drzf2EYVyiBL3a8kXHmAa+HxCY/n//fmBBN/IzkhbXEkAfiCo5wH1  
ICGb3AgNHL2q1+OllyV4PPdwo6YS97/tmUXD3rkr29yX2D8eJ3Iwyf2f9JqBMc7J  
KyBTTYHk9BS0b7XqdkyYJ69WcMNEDa6peCXp11Ebvh6Zk0jo5zoYO8INzNszquKr  
oyI37gEOfrEV2jzWrQCNoHeF5pz9EE5aSXrxSAPOPgkAQ4Y933tVVLoUBMHWCasz  
rTS1rPPAf85V2QqAz5nHk05B4Q3v8WKhd+t0pnpLO87QXLIoas1mUUYPnwzI662i  
aed//ld1LSyDkErVeXWmS5AIW2k/Z7eabmUc23MfSwgdkkBBbZz9T0Ms4VdIKyCZ  
eHv6EwAt6hIXGycwuCLLGUag4q6FMMBFCAuNsBMoLn+8XbIiQImAax/0inlmuqQb  
svuVk5UFp1mycwvSxZhNRm6bI1H4Q1zXFYhAE1VC1CCv9Rw/ZNySHEFRBLpUUcJj  
zdkED2qh8LsigrUfxA7XXE+KIDoFzV865zNRBECxasjnVXSbQiG7R5kHx7kAPHRk  
FWb+efJZbHSFSvvg9pWXRSPqYdCA7Mm+gsouvPyloVNAdo6R6yQ=  
=j+rv  
-----END PGP SIGNATURE-----

Debian Security Advisory 5805-1

A significant amount of vulnerabilities in the Linux kernel have been resolved that include use-after-free and race conditions.

    Linux kernel vulnerabilitiesA security issue affects these releases of Ubuntu and its derivatives:-   Ubuntu 20.04 LTS-   Ubuntu 18.04 LTS-   Ubuntu 16.04 LTS-   Ubuntu 22.04 LTS-   Ubuntu 14.04 LTSSummarySeveral security issues were fixed in the kernel.Software Description-   linux - Linux kernel-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems-   linux-azure - Linux kernel for Microsoft Azure Cloud systems-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems-   linux-gke - Linux kernel for Google Container Engine (GKE) systems-   linux-gkeop - Linux kernel for Google Container Engine (GKE) systems-   linux-ibm - Linux kernel for IBM cloud systems-   linux-oracle - Linux kernel for Oracle Cloud systemsDetailsIn the Linux kernel, the following vulnerability has been resolved:inet: inet_defrag: prevent sk release while still in use ip_local_out()and other functions can pass skb->sk as function argument. If the skb isa fragment and reassembly happens before such function call returns, thesk must not be released. This affects skb fragments reassembled vianetfilter or similar modules, e.g. openvswitch or ct_act.c, when run aspart of tx pipeline. Eric Dumazet made an initial analysis of this bug.Quoting Eric: Calling ip_defrag() in output path is also implyingskb_orphan(), which is buggy because output path relies on sk notdisappearing. A relevant old patch about the issue was : 8282f27449bf(“inet: frag: Always orphan skbs inside ip_defrag()”) [..net/ipv4/ip_output.c depends on skb->sk being set, and probably to aninet socket, not an arbitrary one. If we orphan the packet in ipvlan,then downstream things like FQ packet scheduler will not work properly.We need to change ip_defrag() to only use skb_orphan() when reallyneeded, ie whenever frag_list is going to be used. Eric suggested tostash sk in fragment queue and made an initial patch. However there is aproblem with this: If skb is refragmented again right after,ip_do_fragment() will copy head->sk to the new fragments, and sets updestructor to sock_wfree. IOW, we have no choice but to fix up sk_wmemaccouting to reflect the fully reassembled skb, else wmem willunderflow. This change moves the orphan down into the core, to lastpossible moment. As ip_defrag_offset is aliased with sk_buff->sk member,we must move the offset into the FRAG_CB, else skb->sk gets clobbered.This allows to delay the orphaning long enough to learn if the skb hasto be queued or if the skb is completing the reasm queue. In the formercase, things work as before, skb is orphaned. This is safe because skbgets queued/stolen and won’t continue past reasm engine. In the lattercase, we will steal the skb->sk reference, reattach it to the head skb,and fix up wmem accouting when inet_frag inflates truesize.(CVE-2024-26921)In the Linux kernel, the following vulnerability has been resolved:af_unix: Fix garbage collector racing against connect() Garbagecollector does not take into account the risk of embryo getting enqueuedduring the garbage collection. If such embryo has a peer that carriesSCM_RIGHTS, two consecutive passes of scan_children() may see adifferent set of children. Leading to an incorrectly elevated inflightcount, and then a dangling pointer within the gc_inflight_list. socketsare AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listeningin-flight socket bound to addr, not in fdtable V’s fd will be passed viasendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]);close(V) __unix_gc() —————- ————————- ———– NS = unix_create1() skb1 =sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L)unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 =sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // Vcount=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidatecondition met for u in gc_inflight_list: if (total_refs ==inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u ingc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not// reachable from L yet, so V’s // inflight remains unchanged__skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates:if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1inflight=2 (!) If there is a GC-candidate listening socket, lock/unlockits state. This makes GC wait until the end of any ongoing connect() tothat socket. After flipping the lock, a possibly SCM-laden embryo isalready enqueued. And if there is another embryo coming, it can notpossibly carry SCM_RIGHTS. At this point, unix_inflight() can not happenbecause unix_gc_lock is already taken. Inflight graph remainsunaffected. (CVE-2024-26923)In the Linux kernel, the following vulnerability has been resolved: mm:swap: fix race between free_swap_and_cache() and swapoff() There waspreviously a theoretical window where swapoff() could run and teardown aswap_info_struct while a call to free_swap_and_cache() was running inanother thread. This could cause, amongst other bad possibilities,swap_page_trans_huge_swapped() (called by free_swap_and_cache()) toaccess the freed memory for swap_map. This is a theoretical problem andI haven’t been able to provoke it from a test case. But there has beenagreement based on code review that this is possible (see link below).Fix it by using get_swap_device()/put_swap_device(), which will stallswapoff(). There was an extra check in _swap_info_get() to confirm thatthe swap entry was not free. This isn’t present in get_swap_device()because it doesn’t make sense in general due to the race between gettingthe reference and swapoff. So I’ve added an equivalent check directly infree_swap_and_cache(). Details of how to provoke one possible issue(thanks to David Hildenbrand for deriving this): –8<—–__swap_entry_free() might be the last user and result in “count ==SWAP_HAS_CACHE”. swapoff->try_to_unuse() will stop as soon as soon assi->inuse_pages==0. So the question is: could someone reclaim the folioand turn si->inuse_pages==0, before we completedswap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio inthe swapcache. Only 2 subpages are still references by swap entries.Process 1 still references subpage 0 via swap entry. Process 2 stillreferences subpage 1 via swap entry. Process 1 quits. Callsfree_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted inthe hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). ->count == SWAP_HAS_CACHE Process 2 goes ahead, passesswap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap().__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->put_swap_folio()->free_swap_slot()->swapcache_free_entries()->swap_entry_free()->swap_range_free()-> … WRITE_ONCE(si->inuse_pages,si->inuse_pages - nr_entries); What stops swapoff to succeed afterprocess 2 reclaimed the swap cache but before process1 finished its callto swap_page_trans_huge_swapped()? –8<—– (CVE-2024-26960)In the Linux kernel, the following vulnerability has been resolved:Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout When thesco connection is established and then, the sco socket is releasing,timeout_work will be scheduled to judge whether the sco disconnection istimeout. The sock will be deallocated later, but it is dereferencedagain in sco_sock_timeout. As a result, the use-after-free bugs willhappen. The root cause is shown below: Cleanup Thread | Worker Threadsco_sock_release | sco_sock_close | __sco_sock_close |sco_sock_set_timer | schedule_delayed_work | sco_sock_kill | (wait atime) sock_put(sk) //FREE | sco_sock_timeout | sock_hold(sk) //USE TheKASAN report triggered by POC is shown below: [ 95.890016================================================================== [95.890496] BUG: KASAN: slab-use-after-free insco_sock_timeout+0x5e/0x1c0 [ 95.890755] Write of size 4 at addrffff88800c388080 by task kworker/0:0/7 … [ 95.890755] Workqueue: eventssco_sock_timeout [ 95.890755] Call Trace: [ 95.890755][ 95.890755] dump_stack_lvl+0x45/0x110 [ 95.890755]print_address_description+0x78/0x390 [ 95.890755print_report+0x11b/0x250 [ 95.890755] ? __virt_addr_valid+0xbe/0xf0 [95.890755] ? sco_sock_timeout+0x5e/0x1c0 [ 95.890755kasan_report+0x139/0x170 [ 95.890755] ? update_load_avg+0xe5/0x9f0 [95.890755] ? sco_sock_timeout+0x5e/0x1c0 [ 95.890755kasan_check_range+0x2c3/0x2e0 [ 95.890755] sco_sock_timeout+0x5e/0x1c0 [95.890755] process_one_work+0x561/0xc50 [ 95.890755worker_thread+0xab2/0x13c0 [ 95.890755] ? pr_cont_work+0x490/0x490 [95.890755] kthread+0x279/0x300 [ 95.890755] ? pr_cont_work+0x490/0x490 [95.890755] ? kthread_blkcg+0xa0/0xa0 [ 95.890755]ret_from_fork+0x34/0x60 [ 95.890755] ? kthread_blkcg+0xa0/0xa0 [95.890755 ret_from_fork_asm+0x11/0x20 [ 95.890755][ 95.890755] [ 95.890755 Allocated by task 506: [ 95.890755]kasan_save_track+0x3f/0x70 [ 95.890755 __kasan_kmalloc+0x86/0x90 [95.890755] __kmalloc+0x17f/0x360 [ 95.890755 sk_prot_alloc+0xe1/0x1a0 [95.890755] sk_alloc+0x31/0x4e0 [ 95.890755 bt_sock_alloc+0x2b/0x2a0 [95.890755] sco_sock_create+0xad/0x320 [ 95.890755]bt_sock_create+0x145/0x320 [ 95.890755 __sock_create+0x2e1/0x650 [95.890755] __sys_socket+0xd0/0x280 [ 95.890755__x64_sys_socket+0x75/0x80 [ 95.890755] do_syscall_64+0xc4/0x1b0 [95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f [ 95.890755] [95.890755] Freed by task 506: [ 95.890755] kasan_save_track+0x3f/0x70 [95.890755] kasan_save_free_info+0x40/0x50 [ 95.890755poison_slab_object+0x118/0x180 [ 95.890755] __kasan_slab_free+0x12/0x30[ 95.890755] kfree+0xb2/0x240 [ 95.890755] __sk_destruct+0x317/0x410 [95.890755] sco_sock_release+0x232/0x280 [ 95.890755]sock_close+0xb2/0x210 [ 95.890755] __fput+0x37f/0x770 [ 95.890755]task_work_run+0x1ae/0x210 [ 95.890755] get_signal+0xe17/0xf70 [95.890755 arch_do_signal_or_restart+0x3f/0x520 [ 95.890755syscall_exit_to_user_mode+0x55/0x120 [ 95.890755]do_syscall_64+0xd1/0x1b0 [ 95.890755]entry_SYSCALL_64_after_hwframe+0x67/0x6f [ 95.890755] [ 95.890755] Thebuggy address belongs to the object at ffff88800c388000 [ 95.890755]which belongs to the cache kmalloc-1k of size 1024 [ 95.890755 The buggyaddress is located 128 bytes inside of [ 95.890755] freed 1024-byteregion [ffff88800c388000, ffff88800c388400) [ 95.890755] [ 95.890755]The buggy address belongs to the physical page: [ 95.890755 page:refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800pfn:0xc388 [ 95.890755] head: order:3 entire_mapcount:0nr_pages_mapped:0 pincount:0 [ 95.890755] ano —truncated—(CVE-2024-27398)In the Linux kernel, the following vulnerability has been resolved:watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_triggerWhen the cpu5wdt module is removing, the origin code uses del_timer() tode-activate the timer. If the timer handler is running, del_timer()could not stop it and will return directly. If the port region isreleased by release_region() and then the timer handlercpu5wdt_trigger() calls outb() to write into the region that isreleased, the use-after-free bug will happen. Change del_timer() totimer_shutdown_sync() in order that the timer handler could be finishedbefore the port region is released. (CVE-2024-38630)Update instructionsThe problem can be corrected by updating your kernel livepatch to thefollowing versions:Ubuntu 20.04 LTS    aws - 107.1    aws - 107.2    azure - 107.1    azure - 107.2    gcp - 107.1    gcp - 107.2    generic - 107.1    generic - 107.2    gke - 107.1    gkeop - 107.1    gkeop - 107.2    ibm - 107.1    ibm - 107.2    lowlatency - 107.1    lowlatency - 107.2    oracle - 107.1    oracle - 107.2Ubuntu 18.04 LTS    aws - 107.1    aws - 107.2    azure - 107.1    azure - 107.2    gcp - 107.1    gcp - 107.2    generic - 107.1    generic - 107.2    lowlatency - 107.1    lowlatency - 107.2    oracle - 107.1    oracle - 107.2Ubuntu 16.04 LTS    aws - 107.1    aws - 107.2    azure - 107.1    azure - 107.2    gcp - 107.1    gcp - 107.2    generic - 107.1    generic - 107.2    lowlatency - 107.1    lowlatency - 107.2Ubuntu 22.04 LTS    aws - 107.1    aws - 107.2    azure - 107.1    azure - 107.2    gcp - 107.1    gcp - 107.2    generic - 107.1    generic - 107.2    gke - 107.1    gke - 107.2    ibm - 107.1    ibm - 107.2    oracle - 107.1Ubuntu 14.04 LTS    generic - 107.1    lowlatency - 107.1Support InformationLivepatches for supported LTS kernels will receive upgrades for a periodof up to 13 months after the build date of the kernel.Livepatches for supported HWE kernels which are not based on an LTSkernel version will receive upgrades for a period of up to 9 monthsafter the build date of the kernel, or until the end of support for thatkernel’s non-LTS distro release version, whichever is sooner.References-   CVE-2024-26921-   CVE-2024-26923-   CVE-2024-26960-   CVE-2024-27398-   CVE-2024-38630

Tag

#sap