Linux

USN-3084-1: Linux kernel vulnerabilities | Ubuntu


Ubuntu Security Notices

USN-3084-2: Linux kernel (Xenial HWE) vulnerabilities | Ubuntu


Ubuntu Security Notices

USN-3084-3: Linux kernel (Raspberry Pi 2) vulnerabilities | Ubuntu


Ubuntu Security Notices

USN-3084-4: Linux kernel (Qualcomm Snapdragon) vulnerabilities | Ubuntu


Ubuntu Security Notices

USN-3072-2: Linux kernel (OMAP4) vulnerabilities | Ubuntu


Ubuntu Security Notices

USN-3070-2: Linux kernel (Raspberry Pi 2) vulnerabilities | Ubuntu


Ubuntu Security Notices

USN-3070-3: Linux kernel (Qualcomm Snapdragon) vulnerabilities | Ubuntu


Ubuntu Security Notices

USN-3070-4: Linux kernel (Xenial HWE) vulnerabilities | Ubuntu


Ubuntu Security Notices

A group of Dutch researchers have demonstrated a variant of the Rowhammer attack that can be used to successfully compromise Linux virtual machines on cloud servers.

The Flip Feng Shui (FFS) attack is not performed by triggering a software vulnerability. Instead, it relies on two things: the widespread Rowhammer DRAM glitch, which is used to induce bit flips in controlled physical memory pages, and Linux's memory deduplication system.

Compromising Linux virtual machines by taking advantage of memory deduplication

A short version of the attack sequence goes like this:

“An attacker rents a virtual server on the same host as your virtual server. Next, the attacker ensures that the hypervisor deduplicates a certain part of the memory that both virtual servers share. That means that both systems store certain information that they both process, in the same part of the physical memory. By employing the so-called rowhammer technique, the attacker is able to change the information in this memory without the hypervisor or your virtual server noticing.”

The researchers were able to perform two attacks on servers running Debian and Ubuntu. In the first one they made the server download malware instead of a software update, and in the second one they managed to access the target’s VM by corrupting their OpenSSH public keys.

According to a fact sheet published by the National Cyber Security Centre (NCSC) of the Dutch government, the attack can be leveraged against virtual machines on workstations as well as servers, but the attacker needs to have access to another virtual machine on the same host.

As the researchers didn't publish attack code, replicating these attacks is out of reach for most low-level attackers, but not for a criminal organization or a foreign intelligence service, NCSC noted.

Temporary solutions to this problem include disabling memory deduplication in the configuration of the hypervisor, or switching to (less efficient) zero-page deduplication.

The researchers informed OpenSSH, GnuPG, VM monitor vendors, and Debian and Ubuntu of the results of their research, and GnuPG has already strengthened its key signature checks to protect against the attack.

More technical details about the attack and video demonstrations can be found here and here.


Help Net Security

A new collision attack brings attention to a number of fake short ID keys exploiting a well-known flaw with PGP encryption keys.

The issue arises from the use of short IDs: the last eight digits of a public key's fingerprint are used to label the key, meaning this short ID can be spoofed if a fingerprint is generated with the same last eight digits.

On Monday, the Linux Kernel Mailing List posted a warning to users describing a surge in collision attacks on developers beginning in June and culminating in fake keys being found for Linus Torvalds, the creator of Linux, and Greg Kroah-Hartman, current Linux kernel maintainer.

Experts have long acknowledged the flaw in PGP allowing collision attacks to spoof a short ID key. PGP is a cryptography program for encrypting and digitally signing messages or files, so a fake PGP key could leave a recipient unable to decrypt or authenticate a message, but Jon Rudolph, principal software engineer at Core Security based in Roswell, Ga., said the issue would be far worse for someone like Torvalds.

"For Linus, losing control of the source for his projects is a major setback for the infrastructure of secure operating systems and competition for Microsoft," Rudolph told SearchSecurity. "With increasing access to cloud computing, the ability to find colliding hashes has really multiplied over the last few years."

The Linux Kernel Mailing List post referenced warnings about collision attacks on PGP short IDs dating back five years.

In 2011, Asheesh Laroia, former Debian developer and current software engineer for cloud operating system Sandstorm, wrote, "It is important that we stop using short key IDs. There is no vulnerability in OpenPGP and GPG. However, using short key IDs is fundamentally insecure; it is easy to generate collisions for short key IDs. We should always use 64-bit (or longer) key IDs."

In 2013, Daniel Kahn Gillmor, former Debian developer and current technology fellow for the Speech, Privacy, and Technology Project with the American Civil Liberties Union, noted that it would still not be safe to use a longer key ID cut from the PGP fingerprint.

"I am more convinced than ever that key IDs (both short and long) are actively problematic to real-world use of OpenPGP. We want two things from a key management framework -- unforgeability and human-intelligible handles. Key IDs fail at both," Gillmor wrote. "Fingerprints are unforgeable but they aren't human-intelligible. User IDs are human-intelligible, and they are unforgeable if we can rely on a robust keysigning network. Key IDs (both short and long) are neither human-intelligible nor unforgeable, so they are the worst of all possible worlds."

Experts widely agreed the best advice is for users to never trust an ID shorter than the full fingerprint of the public PGP key.

Gunnar Wolf, Debian developer and teacher at the National Autonomous University of Mexico, agreed with Gillmor on short IDs and wrote, "We should rather target either always showing full fingerprints, or not showing it at all (and leaving all the crypto-checking bits to be done by the software, as comparing 160-bit strings is not natural for us humans)."
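Leaving the comparison to software, as suggested above, can look like the following added Python example (not code from the article or from GnuPG). It parses a constructed listing shaped like `gpg --list-keys --with-colons` output, flags keys whose short IDs collide, and accepts a key only on a full 160-bit fingerprint match; all fingerprints and user IDs are made up.

```python
from collections import defaultdict

# Constructed fingerprints (not real keys); FP_REAL and FP_FAKE share their
# last eight hex digits, i.e. the same short ID. Assumes 160-bit fingerprints.
FP_REAL = "A1B2C3D4E5F60718293A4B5C6D7E8F90DEADBEEF"
FP_FAKE = "0F1E2D3C4B5A69788796A5B4C3D2E1F0DEADBEEF"
FP_OTHER = "99887766554433221100FFEEDDCCBBAA12345678"

# Constructed sample shaped like `gpg --list-keys --with-colons` output:
# field 1 is the record type, field 10 the fingerprint (fpr) or user ID (uid).
SAMPLE_LISTING = "\n".join(
    f"pub:-:4096:1:{fp[-16:]}:1470000000:::-:::scESC:\n"
    f"fpr:::::::::{fp}:\n"
    f"uid:-::::1470000000::::{uid}:"
    for fp, uid in [
        (FP_REAL, "Constructed Maintainer <maint@example.org>"),
        (FP_FAKE, "Constructed Maintainer <maint@example.org>"),
        (FP_OTHER, "Another Developer <dev@example.org>"),
    ]
)


def parse_keys(listing):
    """Return [(fingerprint, first user ID)] for each primary key."""
    keys, after_pub = [], False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            after_pub = True
        elif f[0] == "fpr" and after_pub and len(f) > 9:
            keys.append([f[9].upper(), None])
            after_pub = False  # later fpr records belong to subkeys
        elif f[0] == "uid" and keys and keys[-1][1] is None and len(f) > 9:
            keys[-1][1] = f[9]
    return [tuple(k) for k in keys]


def short_id_collisions(keys):
    """Map each short ID shared by more than one key to its fingerprints."""
    by_short = defaultdict(set)
    for fp, _uid in keys:
        by_short[fp[-8:]].add(fp)
    return {sid: sorted(fps) for sid, fps in by_short.items() if len(fps) > 1}


def matches_pinned(candidate, pinned):
    """Accept a key only on a full-fingerprint match, never on a suffix."""
    a, b = (s.replace(" ", "").upper() for s in (candidate, pinned))
    return len(b) == 40 and a == b
```

The two colliding keys carry the same user ID, so only the full fingerprint, obtained out of band, tells them apart.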

Rudolph said the easier option can often be trouble.

"Education about sticking to the rules for security, and learning what the real load-bearing structures are, securitywise, [ways to mitigate risk]," Rudolph said. "Sometimes the convenient shortcuts bite back."



SearchSecurity: Security Wire Daily News