Mar 30, 2024NewsroomLinux / Supply Chain Attack

RedHat on Friday released an “urgent security alert” warning that two versions of a popular data compression library called XZ Utils (previously LZMA Utils) have been backdoored with malicious code designed to allow unauthorized remote access.

The software supply chain compromise, tracked as CVE-2024-3094, has a CVSS score of 10.0, indicating maximum severity. It impacts XZ Utils versions 5.6.0 (released February 24) and 5.6.1 (released March 9).

“Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code,” the IBM subsidiary said in an advisory.

“This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.”

Specifically, the nefarious code baked into the code is designed to interfere with the sshd daemon process for SSH (Secure Shell) via the systemd software suite, and potentially enable a threat actor to break sshd authentication and gain unauthorized access to the system remotely “under the right circumstances.”

Microsoft security researcher Andres Freund has been credited with discovering and reporting the issue on Friday. The heavily obfuscated malicious code is said to have been introduced over a series of four commits to the Tukaani Project on GitHub by a user named JiaT75.

“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” Freund said. “Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes.'”

Microsoft-owned GitHub has since disabled the XZ Utils repository maintained by the Tukaani Project “due to a violation of GitHub’s terms of service.” There are currently no reports of active exploitation in the wild.

Evidence shows that the packages are only present in Fedora 41 and Fedora Rawhide, and do not impact Red Hat Enterprise Linux (RHEL), Debian Stable, Amazon Linux, and SUSE Linux Enterprise and Leap.

Out of an abundance of caution, Fedora Linux 40 users have been recommended to downgrade to a 5.4 build. Some of the other Linux distributions impacted by the supply chain attack are below –

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert of its own, urging users to downgrade XZ Utils to an uncompromised version (e.g., XZ Utils 5.4.6 Stable).

A new security shortcoming discovered in Apple M-series chips could be exploited to extract secret keys used during cryptographic operations.

Dubbed GoFetch, the vulnerability relates to a microarchitectural side-channel attack that takes advantage of a feature known as data memory-dependent prefetcher (DMP) to target constant-time cryptographic implementations and capture sensitive data from the CPU cache. Apple was made aware of the findings in December 2023.

Prefetchers are a hardware optimization technique that predicts what memory addresses a currently running program will access in the near future and retrieve the data into the cache accordingly from the main memory. The goal of this approach is to reduce the program’s memory access latency.

DMP is a type of prefetcher that takes into account the contents of memory based on previously observed access patterns when determining what to prefetch. This behavior makes it ripe for cache-based attacks that trick the prefetcher into revealing the contents associated with a victim process that should be otherwise inaccessible.

GoFetch also builds on the foundations of another microarchitectural attack called Augury that employs DMP to leak data speculatively.

“DMP activates (and attempts to dereference) data loaded from memory that ‘looks like’ a pointer,” a team of seven academics from the University of Illinois Urbana-Champaign, University of Texas, Georgia Institute of Technology, University of California, Berkeley, University of Washington, and Carnegie Mellon University said.

“This explicitly violates a requirement of the constant-time programming paradigm, which forbids mixing data and memory access patterns.”

Like other attacks of this kind, the setup requires that the victim and attacker have two different processes co-located on the same machine and on the same CPU cluster. Specifically, the threat actor could lure a target into downloading a malicious app that exploits GoFetch.

What’s more, while the attacker and the victim do not share memory, the attacker can monitor any microarchitectural side channels available to it, e.g., cache latency.

GoFetch, in a nutshell, demonstrates that “even if a victim correctly separates data from addresses by following the constant-time paradigm, the DMP will generate secret-dependent memory access on the victim’s behalf,” rendering it susceptible to key-extraction attacks.

In other words, an attacker could weaponize the prefetcher to influence the data being prefetched, thus opening the door to accessing sensitive data. The vulnerability has serious implications in that it completely nullifies the security protections offered by constant-time programming against timing side-channel attacks.

“GoFetch shows that the DMP is significantly more aggressive than previously thought and thus poses a much greater security risk,” the researchers noted.

The fundamental nature of the flaw means that it cannot be fixed in existing Apple CPUs, requiring that developers of cryptographic libraries take steps to prevent conditions that allow GoFetch to succeed, something that could also introduce a performance hit. Users, on the other hand, are urged to keep their systems up-to-date.

On Apple M3 chips, however, enabling data-independent timing (DIT) has been found to disable DMP. This is not possible on M1 and M2 processors.

“Apple silicon provides data-independent timing (DIT), in which the processor completes certain instructions in a constant amount of time,” Apple notes in its documentation. “With DIT enabled, the processor uses the longer, worst-case amount of time to complete the instruction, regardless of the input data.”

The iPhone maker also emphasized that although turning on DIT prevents timing-based leakage, developers are recommended to adhere to “avoid conditional branches and memory access locations based on the value of the secret data” in order to effectively block an adversary from inferring secret by keeping tabs on the processor’s microarchitectural state.

The development comes as another group of researchers from the Graz University of Technology in Austria and the University of Rennes in France demonstrated a new graphics processing unit (GPU) attack affecting popular browsers and graphics cards that leverages specially crafted JavaScript code in a website to infer sensitive information such as passwords.

The technique, which requires no user interaction, has been described as the first GPU cache side-channel attack from within the browser.

“Since GPU computing can also offer advantages for computations within websites, browser vendors decided to expose the GPU to JavaScript through APIs like WebGL and the upcoming WebGPU standard,” the researchers said.

“Despite the inherent restrictions of the JavaScript and WebGPU environment, we construct new attack primitives enabling cache side-channel attacks with an effectiveness comparable to traditional CPU-based attacks.”

A threat actor could weaponize it by means of a drive-by attack, allowing for the extraction of AES keys or mining cryptocurrencies as users browse the internet. It impacts all operating systems and browsers implementing the WebGPU standard, as well as a broad range of GPU devices.

As countermeasures, the researchers propose treating access to the host system’s graphics card via the browser as a sensitive resource, requiring websites to seek users permission (like in the case of camera or microphone) before use.

Mar 01, 2024NewsroomDevSecOps / Cybersecurity

GitHub on Thursday announced that it’s enabling secret scanning push protection by default for all pushes to public repositories.

“This means that when a supported secret is detected in any push to a public repository, you will have the option to remove the secret from your commits or, if you deem the secret safe, bypass the block,” Eric Tooley and Courtney Claessens said.

Push protection was first piloted as an opt-in feature in August 2023, although it has been under testing since April 2022. It became generally available in May 2023.

The secret scanning feature is designed to identify over 200 token types and patterns from more than 180 service providers in order to prevent their fraudulent use by malicious actors.

The development comes nearly five months after the Microsoft subsidiary expanded secret scanning to include validity checks for popular services such as Amazon Web Services (AWS), Microsoft, Google, and Slack.

It also follows the discovery of an ongoing “repo confusion” attack targeting GitHub that’s inundating the source code hosting platform with thousands of repositories containing obfuscated malware capable of stealing passwords and cryptocurrency from developer devices.

The attacks represent another wave of the same malware distribution campaign that was disclosed by Phylum and Trend Micro last year, leveraging bogus Python packages hosted on the cloned, trojanized repositories to deliver a stealer malware called BlackCap Grabber.

“Repo confusion attacks simply rely on humans to mistakenly pick the malicious version over the real one, sometimes employing social engineering techniques as well,” Apiiro said in a report this week.