<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>Comments on: Cyber security news January 2024</title>
	<atom:link href="http://www.epanorama.net/blog/2024/01/01/cyber-security-news-january-2024/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.epanorama.net/blog/2024/01/01/cyber-security-news-january-2024/</link>
	<description>All about electronics and circuit design</description>
	<lastBuildDate>Wed, 06 May 2026 04:42:25 +0000</lastBuildDate>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.9.14</generator>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2024/01/01/cyber-security-news-january-2024/comment-page-1/#comment-1821869</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Sun, 04 Feb 2024 20:55:22 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/newepa/?p=195088#comment-1821869</guid>
		<description><![CDATA[https://www.bleepingcomputer.com/news/security/over-150k-wordpress-sites-at-takeover-risk-via-vulnerable-plugin/]]></description>
		<content:encoded><![CDATA[<p><a href="https://www.bleepingcomputer.com/news/security/over-150k-wordpress-sites-at-takeover-risk-via-vulnerable-plugin/" rel="nofollow">https://www.bleepingcomputer.com/news/security/over-150k-wordpress-sites-at-takeover-risk-via-vulnerable-plugin/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2024/01/01/cyber-security-news-january-2024/comment-page-1/#comment-1821771</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Sun, 04 Feb 2024 11:41:28 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/newepa/?p=195088#comment-1821771</guid>
		<description><![CDATA[https://thehackernews.com/2024/01/npm-trojan-bypasses-uac-installs.html]]></description>
		<content:encoded><![CDATA[<p><a href="https://thehackernews.com/2024/01/npm-trojan-bypasses-uac-installs.html" rel="nofollow">https://thehackernews.com/2024/01/npm-trojan-bypasses-uac-installs.html</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi</title>
		<link>https://www.epanorama.net/blog/2024/01/01/cyber-security-news-january-2024/comment-page-1/#comment-1821560</link>
		<dc:creator><![CDATA[Tomi]]></dc:creator>
		<pubDate>Thu, 01 Feb 2024 07:26:48 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/newepa/?p=195088#comment-1821560</guid>
		<description><![CDATA[GNU C Library Vulnerability Leads to Full Root Access
Researchers at Qualys call attention to a vulnerability in Linux’s GNU C Library (glibc) that allows full root access to a system.
https://www.securityweek.com/gnu-c-library-vulnerability-leads-to-full-root-access/

A vulnerability in Linux’s GNU C Library (glibc) could allow attackers to gain full root access to a system, according to a warning from researchers at Qualys.

Tracked as CVE-2023-6246 and described as a heap-based buffer overflow, the issue was identified in glibc’s __vsyslog_internal() function, which is called by the widely-used syslog() and vsyslog() logging functions.

An unprivileged attacker could exploit the flaw by providing an argv[0] or openlog() ident argument longer than 1024 bytes to overflow the __vsyslog_internal() buffer and overwrite the name[] field of a heap-based struct nss_module with a string of characters that contains a slash.

This action results in a shared library located in the attacker’s working directory being loaded and executed with root privileges, Qualys explains in a technical documentation of its findings.

However, Qualys points out that it takes thousands of attempts to brute force the exploit parameters (such as the length of argv[0] and other variables), which makes the vulnerability unlikely to be triggered remotely.

Even so, the severity of the bug should not be underestimated, as it could provide an attacker with full root access through crafted inputs to applications that employ the syslog() and vsyslog() logging functions.

Introduced in glibc version 2.37 in August 2022 and backported to glibc 2.36 while addressing a different issue, Qualys notes that the CVE-2023-6246 bug impacts major Linux distributions.

The vulnerability was addressed in glibc 2.38, an update that also resolves five other security defects found by the Qualys team.

https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt]]></description>
		<content:encoded><![CDATA[<p>GNU C Library Vulnerability Leads to Full Root Access<br />
Researchers at Qualys call attention to a vulnerability in Linux’s GNU C Library (glibc) that allows full root access to a system.<br />
<a href="https://www.securityweek.com/gnu-c-library-vulnerability-leads-to-full-root-access/" rel="nofollow">https://www.securityweek.com/gnu-c-library-vulnerability-leads-to-full-root-access/</a></p>
<p>A vulnerability in Linux’s GNU C Library (glibc) could allow attackers to gain full root access to a system, according to a warning from researchers at Qualys.</p>
<p>Tracked as CVE-2023-6246 and described as a heap-based buffer overflow, the issue was identified in glibc’s __vsyslog_internal() function, which is called by the widely-used syslog() and vsyslog() logging functions.</p>
<p>An unprivileged attacker could exploit the flaw by providing an argv[0] or openlog() ident argument longer than 1024 bytes to overflow the __vsyslog_internal() buffer and overwrite the name[] field of a heap-based struct nss_module with a string of characters that contains a slash.</p>
<p>This action results in a shared library located in the attacker’s working directory being loaded and executed with root privileges, Qualys explains in a technical documentation of its findings.</p>
<p>However, Qualys points out that it takes thousands of attempts to brute force the exploit parameters (such as the length of argv[0] and other variables), which makes the vulnerability unlikely to be triggered remotely.</p>
<p>Even so, the severity of the bug should not be underestimated, as it could provide an attacker with full root access through crafted inputs to applications that employ the syslog() and vsyslog() logging functions.</p>
<p>Introduced in glibc version 2.37 in August 2022 and backported to glibc 2.36 while addressing a different issue, Qualys notes that the CVE-2023-6246 bug impacts major Linux distributions.</p>
<p>The vulnerability was addressed in glibc 2.38, an update that also resolves five other security defects found by the Qualys team.</p>
<p><a href="https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt" rel="nofollow">https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2024/01/01/cyber-security-news-january-2024/comment-page-1/#comment-1821547</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 31 Jan 2024 22:31:10 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/newepa/?p=195088#comment-1821547</guid>
		<description><![CDATA[Dustin Volz / Wall Street Journal: 	
The FBI and US DOJ disrupt Volt Typhoon, a uniquely dangerous Chinese hacking operation to hijack hundreds of Cisco and Netgear routers at end-of-life status  —  Chinese hackers prepare to ‘wreak havoc’ against Americans, FBI Director Chris Wray tells Congress

Chinese Hacking Against U.S. Infrastructure Threatens American Lives, Officials Say
https://www.wsj.com/politics/national-security/u-s-disables-chinese-hacking-operation-that-targeted-critical-infrastructure-184bb407?mod=followamazon

U.S. officials say Beijing is preparing to set off potentially damaging cyberattacks in any future conflict, including over Taiwan]]></description>
		<content:encoded><![CDATA[<p>Dustin Volz / Wall Street Journal:<br />
The FBI and US DOJ disrupt Volt Typhoon, a uniquely dangerous Chinese hacking operation to hijack hundreds of Cisco and Netgear routers at end-of-life status  —  Chinese hackers prepare to ‘wreak havoc’ against Americans, FBI Director Chris Wray tells Congress</p>
<p>Chinese Hacking Against U.S. Infrastructure Threatens American Lives, Officials Say<br />
<a href="https://www.wsj.com/politics/national-security/u-s-disables-chinese-hacking-operation-that-targeted-critical-infrastructure-184bb407?mod=followamazon" rel="nofollow">https://www.wsj.com/politics/national-security/u-s-disables-chinese-hacking-operation-that-targeted-critical-infrastructure-184bb407?mod=followamazon</a></p>
<p>U.S. officials say Beijing is preparing to set off potentially damaging cyberattacks in any future conflict, including over Taiwan</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2024/01/01/cyber-security-news-january-2024/comment-page-1/#comment-1821501</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 31 Jan 2024 05:10:07 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/newepa/?p=195088#comment-1821501</guid>
<description><![CDATA[Degrading images of Taylor Swift threw America into turmoil: ”Alarming”
https://www.is.fi/digitoday/art-2000010155463.html

AI-GENERATED fake nude images of singer Taylor Swift sparked a major backlash among the singer's fans, but the effects are not limited to that. According to news agency Reuters, the White House commented on the matter on Friday and described the fake images as ”alarming”.

X lifts ban on Taylor Swift searches after spread of fake explicit images
https://www.reuters.com/technology/x-lifts-ban-taylor-swift-searches-after-explicit-fake-images-spread-wsj-2024-01-30/

Jan 29 (Reuters) - Social-media company X lifted the ban on searches for Taylor Swift Monday evening, after blocking users from searching for her following the spread of fake sexually-explicit images of the pop singer on the social media site last week.
The search has been reactivated and the social media platform &quot;will continue to be vigilant for any attempt to spread this content and will remove it if we find it,&quot; Joe Benarroch, head of business operations at X, said in a statement on Monday]]></description>
<content:encoded><![CDATA[<p>Degrading images of Taylor Swift threw America into turmoil: ”Alarming”<br />
<a href="https://www.is.fi/digitoday/art-2000010155463.html" rel="nofollow">https://www.is.fi/digitoday/art-2000010155463.html</a></p>
<p>AI-GENERATED fake nude images of singer Taylor Swift sparked a major backlash among the singer's fans, but the effects are not limited to that. According to news agency Reuters, the White House commented on the matter on Friday and described the fake images as ”alarming”.</p>
<p>X lifts ban on Taylor Swift searches after spread of fake explicit images<br />
<a href="https://www.reuters.com/technology/x-lifts-ban-taylor-swift-searches-after-explicit-fake-images-spread-wsj-2024-01-30/" rel="nofollow">https://www.reuters.com/technology/x-lifts-ban-taylor-swift-searches-after-explicit-fake-images-spread-wsj-2024-01-30/</a></p>
<p>Jan 29 (Reuters) &#8211; Social-media company X lifted the ban on searches for Taylor Swift Monday evening, after blocking users from searching for her following the spread of fake sexually-explicit images of the pop singer on the social media site last week.<br />
The search has been reactivated and the social media platform &#8220;will continue to be vigilant for any attempt to spread this content and will remove it if we find it,&#8221; Joe Benarroch, head of business operations at X, said in a statement on Monday</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2024/01/01/cyber-security-news-january-2024/comment-page-1/#comment-1821429</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Mon, 29 Jan 2024 19:12:13 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/newepa/?p=195088#comment-1821429</guid>
		<description><![CDATA[https://www.bleepingcomputer.com/news/microsoft/microsoft-teams-hit-by-second-outage-in-three-days/]]></description>
		<content:encoded><![CDATA[<p><a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-teams-hit-by-second-outage-in-three-days/" rel="nofollow">https://www.bleepingcomputer.com/news/microsoft/microsoft-teams-hit-by-second-outage-in-three-days/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2024/01/01/cyber-security-news-january-2024/comment-page-1/#comment-1821379</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Sun, 28 Jan 2024 07:16:51 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/newepa/?p=195088#comment-1821379</guid>
		<description><![CDATA[https://en.m.wikipedia.org/wiki/Coordinated_vulnerability_disclosure?fbclid=IwAR1nRCvpx6itOYs4kssXJcNlJBYNlsYl42_rIhIOe0dXXe3_M7tgwBZbsJM]]></description>
		<content:encoded><![CDATA[<p><a href="https://en.m.wikipedia.org/wiki/Coordinated_vulnerability_disclosure?fbclid=IwAR1nRCvpx6itOYs4kssXJcNlJBYNlsYl42_rIhIOe0dXXe3_M7tgwBZbsJM" rel="nofollow">https://en.m.wikipedia.org/wiki/Coordinated_vulnerability_disclosure?fbclid=IwAR1nRCvpx6itOYs4kssXJcNlJBYNlsYl42_rIhIOe0dXXe3_M7tgwBZbsJM</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2024/01/01/cyber-security-news-january-2024/comment-page-1/#comment-1821378</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Sun, 28 Jan 2024 07:15:24 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/newepa/?p=195088#comment-1821378</guid>
<description><![CDATA[IT consultant exposed a security hole: got fined
https://www.tivi.fi/uutiset/it-konsultti-paljasti-turva-aukon-sai-sakot/3fb4b568-2350-427f-89b3-194a909ac4d3?ref=facebook%3A104a&amp;fbclid=IwAR1z0k9V_fF3NWktzS6FF-WZu5KvzKOei1YP2HZw3iDdvrbfXREOU9FwZMk

Ingratitude is the world's reward.

Too easy. The password could be found without any tricks, but the consultant who reported the vulnerability was thanked with a fine.

There are still companies that do not fully understand the importance of information security or how it should be taken care of. A chilling example comes from Germany, where a helpful white-hat hacker was fined.

The Register reports on ”Hendrik H.”, who in the summer of 2021 was investigating software problems at a company. That company was a customer of the IT services provider Modern Solution GmbH. It turned out that Modern Solution's code connected to a MariaDB database server, and the password needed to log in to it was found in plain text in an executable file that Modern Solution distributed on the web.

Anyone who opened Modern Solution's program in a text editor would have obtained the password without any tricks. By logging in to the server, one could access the data of all Modern Solution customers stored on that server. The data is said to have included information on the customers of online stores that were Modern Solution's clients.

The company was warned about the security problems, and the matter was covered in a June 2021 post by Mark Steier, who reports on e-commerce.

A strange turn came in September 2021, when police seized the computers of the security consultant who had made the discovery. Modern Solution claimed that the consultant had obtained the password through insider information and alleged that he was a competitor.

The consultant is alleged to have broken German law by intruding into the server, even though, according to Steier, a password stored in plain text does not meet the ”special security measure” described in that section of the law.

IT consultant fined for daring to expose shoddy security
Spotting a plaintext password and using it in research without authorization deemed a crime
https://www.theregister.com/2024/01/19/germany_fine_security/

A security researcher in Germany has been fined €3,000 ($3,300, £2,600) for finding and reporting an e-commerce database vulnerability that was exposing almost 700,000 customer records.

Back in June 2021, according to our pals at Heise, a contractor identified elsewhere as Hendrik H. was troubleshooting software for a customer of IT services firm Modern Solution GmbH. He discovered that the Modern Solution code made a MySQL connection to a MariaDB database server operated by the vendor. It turned out the password to access that remote server was stored in plain text in the program file MSConnect.exe, and opening it in a simple text editor would reveal the unencrypted hardcoded credential.

With that easy-to-find password in hand, anyone could log into the remote server and access data

And we&#039;re told that Modern Solution&#039;s program files were available for free from the web, so truly anyone could inspect the executables in a text editor for plain-text hardcoded database passwords.

Hendrik H. was charged with unlawful data access under Section 202a of Germany&#039;s Criminal Code, based on the rule that examining data protected by a password can be classified as a crime under the Euro nation&#039;s cybersecurity law.

In June, 2023, a Jülich District Court in western Germany sided with the IT consultant because the Modern Solution software was insufficiently protected. But the Aachen regional court directed the district court to hear the complaint. Now, the district court has reversed its initial decision. On January 17, a Jülich District Court fined Hendrik H. and directed him to pay court costs.

&quot;The penalty order is all the more shocking because it is fundamentally wrong,&quot; wrote Steier, the blogger who helped bring the exposed database to light, in a post on Wednesday.

&quot;A password that has been saved almost in plain text does not constitute a &#039;special security&#039; which is required by §202. It&#039;s understandable that a judge can&#039;t evaluate that, but then an expert would have had to be heard on exactly this question. Unfortunately that didn&#039;t happen.&quot;

According to reports, the verdict is not yet legally binding as the two parties have a week to appeal, which the IT consultant reportedly intends to do.

&quot;But it’s exactly as people feared: no matter how flawed the supposed &#039;protection,&#039; its mere existence turns security research into criminal hacking under the German law. This has a chilling effect on legitimate research, allowing companies to get away with inadequate security and in the end endangering users.&quot;]]></description>
<content:encoded><![CDATA[<p>IT consultant exposed a security hole: got fined<br />
<a href="https://www.tivi.fi/uutiset/it-konsultti-paljasti-turva-aukon-sai-sakot/3fb4b568-2350-427f-89b3-194a909ac4d3?ref=facebook%3A104a&#038;fbclid=IwAR1z0k9V_fF3NWktzS6FF-WZu5KvzKOei1YP2HZw3iDdvrbfXREOU9FwZMk" rel="nofollow">https://www.tivi.fi/uutiset/it-konsultti-paljasti-turva-aukon-sai-sakot/3fb4b568-2350-427f-89b3-194a909ac4d3?ref=facebook%3A104a&#038;fbclid=IwAR1z0k9V_fF3NWktzS6FF-WZu5KvzKOei1YP2HZw3iDdvrbfXREOU9FwZMk</a></p>
<p>Ingratitude is the world's reward.</p>
<p>Too easy. The password could be found without any tricks, but the consultant who reported the vulnerability was thanked with a fine.</p>
<p>There are still companies that do not fully understand the importance of information security or how it should be taken care of. A chilling example comes from Germany, where a helpful white-hat hacker was fined.</p>
<p>The Register reports on ”Hendrik H.”, who in the summer of 2021 was investigating software problems at a company. That company was a customer of the IT services provider Modern Solution GmbH. It turned out that Modern Solution's code connected to a MariaDB database server, and the password needed to log in to it was found in plain text in an executable file that Modern Solution distributed on the web.</p>
<p>Anyone who opened Modern Solution's program in a text editor would have obtained the password without any tricks. By logging in to the server, one could access the data of all Modern Solution customers stored on that server. The data is said to have included information on the customers of online stores that were Modern Solution's clients.</p>
<p>The company was warned about the security problems, and the matter was covered in a June 2021 post by Mark Steier, who reports on e-commerce.</p>
<p>A strange turn came in September 2021, when police seized the computers of the security consultant who had made the discovery. Modern Solution claimed that the consultant had obtained the password through insider information and alleged that he was a competitor.</p>
<p>The consultant is alleged to have broken German law by intruding into the server, even though, according to Steier, a password stored in plain text does not meet the ”special security measure” described in that section of the law.</p>
<p>IT consultant fined for daring to expose shoddy security<br />
Spotting a plaintext password and using it in research without authorization deemed a crime<br />
<a href="https://www.theregister.com/2024/01/19/germany_fine_security/" rel="nofollow">https://www.theregister.com/2024/01/19/germany_fine_security/</a></p>
<p>A security researcher in Germany has been fined €3,000 ($3,300, £2,600) for finding and reporting an e-commerce database vulnerability that was exposing almost 700,000 customer records.</p>
<p>Back in June 2021, according to our pals at Heise, a contractor identified elsewhere as Hendrik H. was troubleshooting software for a customer of IT services firm Modern Solution GmbH. He discovered that the Modern Solution code made a MySQL connection to a MariaDB database server operated by the vendor. It turned out the password to access that remote server was stored in plain text in the program file MSConnect.exe, and opening it in a simple text editor would reveal the unencrypted hardcoded credential.</p>
<p>With that easy-to-find password in hand, anyone could log into the remote server and access data</p>
<p>And we&#8217;re told that Modern Solution&#8217;s program files were available for free from the web, so truly anyone could inspect the executables in a text editor for plain-text hardcoded database passwords.</p>
<p>Hendrik H. was charged with unlawful data access under Section 202a of Germany&#8217;s Criminal Code, based on the rule that examining data protected by a password can be classified as a crime under the Euro nation&#8217;s cybersecurity law.</p>
<p>In June, 2023, a Jülich District Court in western Germany sided with the IT consultant because the Modern Solution software was insufficiently protected. But the Aachen regional court directed the district court to hear the complaint. Now, the district court has reversed its initial decision. On January 17, a Jülich District Court fined Hendrik H. and directed him to pay court costs.</p>
<p>&#8220;The penalty order is all the more shocking because it is fundamentally wrong,&#8221; wrote Steier, the blogger who helped bring the exposed database to light, in a post on Wednesday.</p>
<p>&#8220;A password that has been saved almost in plain text does not constitute a &#8216;special security&#8217; which is required by §202. It&#8217;s understandable that a judge can&#8217;t evaluate that, but then an expert would have had to be heard on exactly this question. Unfortunately that didn&#8217;t happen.&#8221;</p>
<p>According to reports, the verdict is not yet legally binding as the two parties have a week to appeal, which the IT consultant reportedly intends to do.</p>
<p>&#8220;But it’s exactly as people feared: no matter how flawed the supposed &#8216;protection,&#8217; its mere existence turns security research into criminal hacking under the German law. This has a chilling effect on legitimate research, allowing companies to get away with inadequate security and in the end endangering users.&#8221;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2024/01/01/cyber-security-news-january-2024/comment-page-1/#comment-1821221</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 24 Jan 2024 05:14:30 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/newepa/?p=195088#comment-1821221</guid>
<description><![CDATA[He advises following the service provider's official instructions if your own group or account is hijacked. According to Mesiä, getting them back does not happen quickly; it can take weeks.

”Patience is key. Of course, passwords must be changed if the scammer knows the same credentials that the person also uses in other services.”

THE HIJACKER may post malicious content and advertisements in the group they have taken over, Mesiä points out. The organization should also take into account that sensitive customer data may end up in the hijacker's hands.

”In the case of an account breach, the company must consider whether to file a notification with the Data Protection Ombudsman.”

According to Mesiä, one should never give in if the hijacker demands money to return the credentials. Instead, the extortionist should be reported to the police.

https://www.hs.fi/kotimaa/art-2000010114303.html?fbclid=IwAR3LEZq0IKIMmdp021-dLNX2KECMKmlBXR1SYLZNLGmTomQwHI7IIeqV7Aw]]></description>
<content:encoded><![CDATA[<p>He advises following the service provider's official instructions if your own group or account is hijacked. According to Mesiä, getting them back does not happen quickly; it can take weeks.</p>
<p>”Patience is key. Of course, passwords must be changed if the scammer knows the same credentials that the person also uses in other services.”</p>
<p>THE HIJACKER may post malicious content and advertisements in the group they have taken over, Mesiä points out. The organization should also take into account that sensitive customer data may end up in the hijacker's hands.</p>
<p>”In the case of an account breach, the company must consider whether to file a notification with the Data Protection Ombudsman.”</p>
<p>According to Mesiä, one should never give in if the hijacker demands money to return the credentials. Instead, the extortionist should be reported to the police.</p>
<p><a href="https://www.hs.fi/kotimaa/art-2000010114303.html?fbclid=IwAR3LEZq0IKIMmdp021-dLNX2KECMKmlBXR1SYLZNLGmTomQwHI7IIeqV7Aw" rel="nofollow">https://www.hs.fi/kotimaa/art-2000010114303.html?fbclid=IwAR3LEZq0IKIMmdp021-dLNX2KECMKmlBXR1SYLZNLGmTomQwHI7IIeqV7Aw</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2024/01/01/cyber-security-news-january-2024/comment-page-1/#comment-1821220</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 24 Jan 2024 05:12:47 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/newepa/?p=195088#comment-1821220</guid>
<description><![CDATA[Company lost control of its Facebook group – The hijacking was made possible by an employee's simple mistake
The person who hijacked the group administered by Kekkilä demands money to return it. According to a security expert, an account hijacker should never be paid.
https://www.hs.fi/kotimaa/art-2000010114303.html?fbclid=IwAR3LEZq0IKIMmdp021-dLNX2KECMKmlBXR1SYLZNLGmTomQwHI7IIeqV7Aw]]></description>
<content:encoded><![CDATA[<p>Company lost control of its Facebook group – The hijacking was made possible by an employee's simple mistake<br />
The person who hijacked the group administered by Kekkilä demands money to return it. According to a security expert, an account hijacker should never be paid.<br />
<a href="https://www.hs.fi/kotimaa/art-2000010114303.html?fbclid=IwAR3LEZq0IKIMmdp021-dLNX2KECMKmlBXR1SYLZNLGmTomQwHI7IIeqV7Aw" rel="nofollow">https://www.hs.fi/kotimaa/art-2000010114303.html?fbclid=IwAR3LEZq0IKIMmdp021-dLNX2KECMKmlBXR1SYLZNLGmTomQwHI7IIeqV7Aw</a></p>
]]></content:encoded>
	</item>
</channel>
</rss>
