Red Hat has used RPM for software package distribution for decades, but we now know RPM contained a nasty hidden security bug since Day One. It’s now been unveiled and a repair patch has been submitted.

In 1995, when Linux 1.x was the hot new Linux kernel, early Red Hat founding programmers Marc Ewing and Erik Troan created RPM. This software package management system became the default way to distribute software for Red Hat Linux-based distributions such as Red Hat Enterprise Linux (RHEL), CentOS Stream, AlmaLinux OS, and Rocky Linux. Unfortunately, hidden within its heart is a major security hole.

Dmitry Antipov, a Linux developer at CloudLinux, AlmaLinux OS’s parent company, first spotted the problem in March 2021. Antipov found that RPM would work with unauthorized RPM packages. This meant that unsigned packages or packages signed with revoked keys could silently be patched or updated without a word of warning that they might not be kosher.

Why? Because RPM had never properly checked revoked certificate key handling.

How could this be? It’s because RPM dates back from the days when getting code to work was the first priority and security came a long way second.

Things have changed. Security is a much higher priority.

Antipov, wearing his hat as a TuxCare (CloudLinux’s KernelCare and Extended Lifecycle Support) team member, has submitted a patch to fix this problem. As Antipov explained in an interview: “The problem is that both RPM and DNF, [a popular software package manager that installs, updates, and removes packages on RPM-based Linux distributions] do a check to see if the key is valid and genuine but not expired, but not for revocation. As I understand it, all the distribution vendors have just been lucky enough to never have been hit by this.”

Hacker Fantastic Twitterissä:
“Fully patched Windows 2019 domain controller, popped with 0day exploit (CVE-2021-1675) from a regular Domain User’s account giving full SYSTEM privileges. Disable “Print Spooler” service on servers that do not require it….
https://mobile.twitter.com/hackerfantastic/status/1410100394492112898

NCSC-FI VULNERABILITIES SUMMARY 2021-06-30:
Public Windows PrintNightmare 0-day exploit allows domain takeover
https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/
Classification: Critical, Solution: Mitigation, Exploit: Yes
Another vulnerability, CVE-2021-1675 regarding Print Spooler, was
fixed in the Microsoft June update. Researchers from Chinese security
company Sangfor, decided to release their writeup and demo exploit
called PrintNightmareand believed to release information about the
same issue. As it turns out PrintNightmare is not the same as
CVE-2021-1675. PrintNightmare PoC was released to Github and even if
the original was removed, it was already cloned and is still
available. This vulnerability is critical and workaround should be
implemented immediately.

A televised phone-in with Russian President Vladimir Putin Wednesday was targeted by “powerful” cyberattacks, the state-run Rossiya 24 network which broadcast the event said.

Shown on Kremlin-friendly media, the annual session with Putin sees the president field in real time queries submitted by Russians throughout the country.

This year’s phone-in on Wednesday, which lasted nearly four hours, repeatedly faced connection problems, particularly during calls from remote regions.

“Our digital systems are right now facing attacks, powerful DDoS attacks,” a Rossiya-24 presenter told Putin, after a caller from the Kuzbass region in southwestern Siberia experienced connection issues.

“Are you joking? Seriously?” Putin responded.

“Turns out we have hackers in Kuzbass,” he quipped.

Russia’s largest telecommunications provider, Rostelecom, confirmed the attacks to news agencies, saying that measures were being taken to “block these illegitimate activities”

Windows network administrators are scrambling to contain the fallout from the release of proof-of-concept code for a nasty Windows Print Spooler vulnerability that exposes Windows servers to remote code execution attacks.

The issue is causing major headaches in security research circles because the exploit targets CVE-2021-1675, a vulnerability that was patched by Microsoft on June 8 and originally misdiagnosed as a low-risk privilege escalation issue.

Law enforcement agencies in Europe, the US, and Canada on Tuesday announced the takedown of DoubleVPN, a virtual private network (VPN) service that allegedly helped cybercriminals conduct nefarious activities.

As part of the takedown operation, servers across the world were seized to ensure the disruption of the DoubleVPN service. Furthermore, the service’s web domains now display a law enforcement splash page.

“On 29th of June 2021, law enforcement took down DoubleVPN. Law enforcement gained access to the servers of DoubleVPN and seized personal information, logs and statistics kept by DoubleVPN about all of its customers. DoubleVPN’s owners failed to provide the services they promised,” the splash page reads.

Advertised on underground cybercrime forums for both Russian and English speakers, the service was used by ransomware operators and phishing fraudsters to hide their real location and identity.