Skip to main content
View All Products
Compute
Storage
Databases
Networking
Developer Tools
Delivery
Security
Services
Industries
Pricing
Community
Engage With Us
Explore Blog
Categories
14
  1. Cloud Consulting Services
    4
  2. Cloud Overviews
    50
  3. Compute
    15
  4. Containers (Kubernetes, Docker)
    33
  5. Databases
    19
  6. Developer Tools
    37
  7. Linode
    254
  8. Linux
    69
  9. Multicloud
    4
  10. Networking
    32
  11. Open Source
    5
  12. Partner Network
    7
  13. Security
    60
  14. Storage
    22
Authors 52
  1. Austin Gil 1
  2. Abe Massry 2
  3. Al Newkirk 1
  4. Alexander Newnham 2
  5. Andrew Sauber 1
  6. Andrew Stebbins 2
  7. Andy Stevens 5
  8. Bradley LaBoon 1
  9. Blair Lyon 11
  10. Billy Thompson 10
  11. Christopher Aker 176
  12. Cassie Bubnis 1
  13. Daniele Polencic 4
  14. David Monschein 2
  15. David Rodriguez 1
  16. Dan Spataro 2
  17. Elvis Segura 1
  18. Gardiner Bryant 1
  19. Holden Morris 4
  20. Hillary Wilmoth 67
  21. Jim Ackley 5
  22. Jessica Capuano Mora 1
  23. Justin Cobbett 15
  24. Jon Frederickson 1
  25. Jonathan Hill 2
  26. Justin Mitchel 4
  27. James Steel 5
  28. Jamie Sherkness 8
  29. Linode 52
  30. Linode Events 8
  31. The Linode Security Team 122
  32. The Linode Network & Security Teams 1
  33. LINQ 1
  34. Leslie Salazar 1
  35. Michelle Berg 1
  36. Mitch Donaberger 1
  37. Mike Fischler 1
  38. Mike Maney 10
  39. Maddie Presland 18
  40. Mike Quatrani 4
  41. Nathan Melehan 2
  42. Nigel Poulton 1
  43. Prasoon Pushkar 1
  44. Rick Myers 7
  45. Richard Tubb 1
  46. Sal Carrasco 1
  47. Salman Iqbal 1
  48. Shawn Michels 1
  49. Linode Support 13
  50. Tom Asaro 18
  51. Travis Baka 1
  52. Talia Nassi 8
BlogSecurityLinode Security Digest October 30 – November 6, 2022

Linode Security Digest October 30 – November 6, 2022

Linode
The Linode Security Team
November 4, 2022
Linode Security Digest

In this week’s digest, we will discuss:

  • an OpenSSL version 3.0.0 security advisory;
  • a Sqlite array-bounds overflow vulnerability; and
  • a GitHub repojacking attack.

Openssl Security Advisory

OpenSSL 3.0.0 recently addressed two vulnerabilities: CVE-2022-3602 and CVE-2022-3786. 

CVE-2022-3602, rated critical (9.8/10), involves a 4-byte stack buffer overflow that can lead to DoS or Code Execution. For a successful exploitation, the target needs to perform X509 certificate validation of a malicious certificate, specifically name constraint checking. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. That said, the attack could be frustrated by stack overflow protections typically enabled in modern operating systems. The vulnerability was initially described as critical by OpenSSL, and further analysis led to downgrading the severity to high. Although at the time of writing the Base Score is 9.8 (critical).  

CVE-2022-3786, rated high (7.5/10), is another buffer overflow that is triggered by a malicious tls certificate. Similar to the aforementioned vulnerability, the attack entails an attacker crafting a certificate with a malicious email address. The difference lies in the characters that can be used to cause an overflow, which is limited to `.’ character (decimal 46), which leads to service crash or Denial of Service. 

Users that leverage OpenSSL 3.0 are encouraged to upgrade to the latest version as soon as possible. This blog post could be useful in helping users determine whether they have the vulnerable version of the library in use in their environments.  

Sqlite Array-bounds Overflow Vulnerability

TrailofBits disclosed a high-severity vulnerability in a popular DBMS library Sqlite recently patched The CVE assigned to this vulnerability is CVE-2022-35737 and is rated 7.5/10.  

The vulnerability is an array overflow in SQLite 1.0.12 through 3.39.x before 3.39.2 and affects applications that use the SQLite library API. The exploitability depends on how SQLite is compiled; if the program is compiled without stack canaries enabled, a code execution is possible. The vulnerability was introduced in v1.0.12, released on October 17, 2000. 

According to the source, “On vulnerable systems, CVE-2022-35737 is exploitable when large string inputs are passed to the SQLite implementations of the printf functions and when the format string contains the %Q, %q, or %w format substitution types.” This reduces the attack surface and the likelihood of an application being actually exploitable through this vulnerability, although it is still strongly recommended for users to evaluate the risk within the context of their use of the component.   

The patched SQLite version v3.39.2 is available for users to upgrade to in their applications. Users dependent on tools that use the vulnerable SQLite library would need to wait for the patch to be released from the maintainers of the code. Trailofbits has also released the exploit POC which can be found on GitHub.  

Github Repojacking

Checkmarx disclosed yet another method to attack the supply chain by targeting code repositories hosted on github.com. The attack is dubbed repojacking and involves takeover of a repository by bypassing a pre-existing security control set by Microsoft for this type of attack. This control is termed “popular-repository-namespace-retirement” and basically disallows GitHub users from creating repositories with a name that matches the one previously used by a deactivated user with the same username if the repository had more than 100 clones within one week leading up to the username change. It was implemented as a mitigation by GitHub after checkmarx had disclosed a similar vulnerability in 2021. 

The new attack gets around the mitigation by leveraging a github feature called repository transfer. Here’s how the attack is pursued:

  1. “victim/repo” is a popular GitHub repository retired under the “popular repository namespace retirement” protection
  2. “helper_account” creates the “repo” repository
  3. “helper_account” transfers the ownership of the “repo” repository to “attacker_account”
  4. “attacker_account” renames  its username to “victim”
  5. The new “victim” account (previously “attacker_account”) accepts the ownership transfer and essentially takes over the target repository

The fix for this vulnerability has been applied. Checkmarx has also released a tool to check what golang direct dependencies could be vulnerable to this type of attack. 

You might also like...

How to Protect Yourself from Ransomware Attacks featuring Steve Winterfeld, featured image.

How To Protect Yourself From Ransomware Attacks | Steve Winterfeld, Akamai

In this video, Steve Winterfeld, Advisory CISO at Akamai, shares advice on how companies can protect themselves from ransomware attacks.
Security
Wazuh is a Cybersecurity Powerhouse featuring Code with Harry.

Wazuh is a Cybersecurity Powerhouse | Expert Open Source Security Monitoring & Response

@CodeWithHarry covers Wazuh, an open-source security platform used for collecting and analyzing security data.
Security
Introduction to Server Security.
Talia Nassi

Introduction to Server Security

Oct 30, 2023
by Talia Nassi
Server security is vital to an effective cloud environment. Learn about it here.
Security

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *