
Security Skim: July 26th

If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.

Richard Clarke

Sorry for the late post, but the real world got in the way. That being said, this week we have an Intel Meltdown-like flaw in AMD chips, an Ubuntu privilege escalation bug, a VMware information disclosure vulnerability, and lastly a shortage of security engineers in the United Kingdom. Let’s get started:

AMD Zenbleed Bug

AMD’s newer consumer, workstation, and server processors have been found to have a significant bug that can lead to data leakage at a rate of up to 30 kilobytes per core per second. The vulnerability, known as “Zenbleed” (CVE-2023-20593), was discovered by Tavis Ormandy, a member of Google’s Project Zero security team. Exploiting this bug could grant attackers access to sensitive information, such as encryption keys and root and user passwords, from any system using an AMD Zen 2 architecture-based CPU.

The article is a bit technical, as it involves understanding registers and the C language, but essentially Tavis used fuzzing to discover that by triggering specific register operations within a precise window you can get an AMD Zen 2 processor to mispredict and reveal information. What’s worse is that it affects basic C operations, which means it can be triggered from anywhere on the system (virtual machines, containers, via software, or even ordinary processes). The affected processors are:

  • AMD Ryzen 3000 Series Processors
  • AMD Ryzen PRO 3000 Series Processors
  • AMD Ryzen Threadripper 3000 Series Processors
  • AMD Ryzen 4000 Series Processors with Radeon Graphics
  • AMD Ryzen PRO 4000 Series Processors
  • AMD Ryzen 5000 Series Processors with Radeon Graphics
  • AMD Ryzen 7020 Series Processors with Radeon Graphics
  • AMD EPYC “Rome” Processors

AMD did announce that it will push a fix this month to its EPYC and PRO lineups but not to its consumer lineup. The reason for this is most likely to protect its biggest cloud clients, who will be ripe targets for this kind of data leak. As frustrating as it is, consumers will have to wait for a fix while AMD does the work for its cloud clients first. Personally, I would love to see a fix pushed out both for consumers and enterprise customers at the same time, but I understand having a bug like that in the cloud is a major issue. On a separate note, I love guys who find these kinds of flaws via fuzzing. The idea of throwing random, unexpected data at a processor to see if it throws exceptions or crashes is something special. It just goes to show it’s impossible for an engineer to plan for everything.
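Since the fix lands on different product lines at different times, the first thing a defender wants is an inventory of which hosts carry a Zen 2 part at all. The following is an added example, not code from the article or from AMD: it parses the text of /proc/cpuinfo and flags AMD family 0x17 CPUs whose model number falls in the Zen 2 ranges. The model ranges are an assumption taken from my recollection of the Linux kernel’s Zenbleed erratum table (verify against your kernel source), and the cpuinfo samples are constructed for the demonstration.

```python
"""Fleet inventory check: is this host running an AMD Zen 2 CPU (Zenbleed, CVE-2023-20593)?

Added example for the Security Skim; not from the article or from AMD.
"""

# Zen 2 parts report CPU family 0x17 (23 decimal). The model ranges are an
# ASSUMPTION based on the Linux kernel's Zenbleed erratum table; check them
# against your kernel source before relying on this in production.
ZEN2_FAMILY = 0x17
ZEN2_MODEL_RANGES = ((0x30, 0x4F), (0x60, 0x7F), (0x90, 0x91), (0xA0, 0xAF))


def parse_cpuinfo(text):
    """Return one dict of 'key: value' fields per 'processor' block in /proc/cpuinfo."""
    cpus = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if fields:
            cpus.append(fields)
    return cpus


def is_zen2(fields):
    """True when the vendor/family/model of one cpuinfo block is in the Zen 2 ranges."""
    if fields.get("vendor_id") != "AuthenticAMD":
        return False
    try:
        family = int(fields.get("cpu family", "0"))
        model = int(fields.get("model", "0"))
    except ValueError:
        return False
    return family == ZEN2_FAMILY and any(lo <= model <= hi for lo, hi in ZEN2_MODEL_RANGES)


def assess(text):
    """Summarise the host: Zen 2 flag, model name, microcode revision and logical CPU count.

    The microcode field is reported so an operator can compare it with the
    revision AMD's advisory lists for that product line.
    """
    cpus = parse_cpuinfo(text)
    if not cpus:
        return {"zen2": False, "model_name": None, "microcode": None, "cpus": 0}
    first = cpus[0]
    return {
        "zen2": is_zen2(first),
        "model_name": first.get("model name"),
        "microcode": first.get("microcode"),
        "cpus": len(cpus),
    }


# Constructed samples (the microcode values are placeholders, not real revisions).
SAMPLE_ZEN2 = """processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 113
model name\t: AMD Ryzen 7 3700X 8-Core Processor
microcode\t: 0x8701021

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 113
model name\t: AMD Ryzen 7 3700X 8-Core Processor
microcode\t: 0x8701021
"""

SAMPLE_ZEN3 = """processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 33
model name\t: AMD Ryzen 9 5900X 12-Core Processor
microcode\t: 0xa201016
"""

if __name__ == "__main__":
    # On a Linux host, check the real thing; elsewhere fall back to the samples.
    try:
        with open("/proc/cpuinfo") as fh:
            print(assess(fh.read()))
    except OSError:
        print(assess(SAMPLE_ZEN2))
        print(assess(SAMPLE_ZEN3))
```

The check deliberately keys on family and model rather than on marketing names, because the same Zen 2 silicon appears under several of the product names in the list above. A host that comes back `zen2: True` still needs its microcode revision compared with AMD’s advisory for that product line, which this script leaves to the operator.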

Ubuntu Unprivileged Elevation Gain

Two recent Linux vulnerabilities in the Ubuntu kernel have raised concerns as they could allow unprivileged local users to gain elevated privileges on a large number of devices. Ubuntu, a widely used Linux distribution with over 40 million users, is impacted by these flaws, known as CVE-2023-32629 and CVE-2023-2640.

These two issues stem from OverlayFS, a file system that has had security issues in the past. It actually took me a bit of time to find a PoC of the attack (thank you, Serbian Hacking Forum). Eventually, I would like to get around to writing about my overall love-hate relationship with Ubuntu, and one day I will. The attack does require already having access to the affected system, but it could be useful chained together with other attacks.

VMware Information Disclosure Vulnerability

Another day, another unprivileged elevation gain. Much like the Ubuntu vulnerabilities listed above, VMware has posted a bulletin stating, “the VMware Tanzu Application Service for VMs and Isolation Segment contain an information disclosure vulnerability due to the logging of credentials in hex encoding in platform system audit logs.”

Basically, if you already have a user account and want to gain admin rights, you can look at the system audit logs to find admin credentials. By default, VMware disables access to audit logs for normal users. I guess if your VMware admin isn’t giving you the access you need, you can always look at the audit logs!
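Hex encoding is not protection, and the bulletin is a reminder that operators should check their own audit logs for this class of leak. The following is an added example, not VMware’s code or log format: it scans log lines for even-length hex runs, decodes the ones that turn into printable text, and offers a redaction helper for lines that must be shipped elsewhere. The log lines and field names are constructed for the demonstration.

```python
"""Find (and redact) hex-encoded credentials in audit-style log lines.

Added example for the Security Skim; not VMware's code or its actual log format.
"""
import re
import string

# At least 6 bytes (12 hex chars) of even-length hex, bounded by non-word chars.
HEX_RUN = re.compile(r"\b(?:[0-9a-fA-F]{2}){6,}\b")
# Field names that make a decodable hex value especially worth a look.
SENSITIVE_KEYS = ("password", "passwd", "secret", "token", "credential")
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decode_hex_runs(line):
    """Yield (hex_string, decoded_text) for each hex run that decodes to printable ASCII."""
    for match in HEX_RUN.finditer(line):
        try:
            decoded = bytes.fromhex(match.group(0)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        # Opaque ids (UUIDs, hashes) decode to control bytes and are skipped here.
        if decoded and all(ch in PRINTABLE for ch in decoded):
            yield match.group(0), decoded


def find_leaks(lines):
    """Return one finding per decodable hex run, with a hint when the field looks credential-related."""
    findings = []
    for number, line in enumerate(lines, 1):
        lowered = line.lower()
        for hexstr, decoded in decode_hex_runs(line):
            findings.append({
                "line": number,
                "hex": hexstr,
                "decoded": decoded,
                "credential_context": any(k in lowered for k in SENSITIVE_KEYS),
            })
    return findings


def redact_line(line):
    """Replace every decodable hex run with a length-only placeholder."""
    out = line
    for hexstr, decoded in decode_hex_runs(line):
        out = out.replace(hexstr, f"[REDACTED-hex:{len(decoded)}-bytes]")
    return out


# Constructed sample lines. "68756e7465723221" is the hex of "hunter2!".
SAMPLE_AUDIT_LOG = [
    "2023-07-24T10:15:01Z audit uaa login user=alice result=success",
    "2023-07-24T10:15:07Z audit cf api user=alice password=68756e7465723221 result=success",
    "2023-07-24T10:16:22Z audit bosh deploy id=3f2504e04f8911d39a0c0305e82c3301 result=success",
]

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_AUDIT_LOG):
        print(f"line {finding['line']}: hex value decodes to printable text "
              f"({len(finding['decoded'])} bytes, credential context={finding['credential_context']})")
    for line in SAMPLE_AUDIT_LOG:
        print(redact_line(line))
```

The printable-text filter keeps false positives low because the genuinely opaque values that belong in audit logs (request ids, hashes) almost never decode to clean ASCII, while an encoded password or token does. Run it with the same access controls the page mentions: the point is for the log owner to find and redact the leak, and the decoded values should not be written anywhere except the finding review itself.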

UK Shortage of Security Engineers

The UK government released its annual report on the cyber security workforce in the UK. You can download the full report from their website, but here are the basic details:

  • 50% of all UK businesses have a basic cyber security skills gap, while 33% have an advanced cyber security skills gap. These figures are similar to 2022 and 2021.
  • There were 160,035 cyber security job postings in the last year. This is an increase of 30% on the previous year. 37% of vacancies were reported as hard-to-fill (down from 44% in 2022, but same as 2021).
  • Only 17% of the cyber sector workforce is female (down from 22% last year, but similar to 2021 and 2020) and 14% of senior roles are filled by women.
  • There is an estimated shortfall of 11,200 people to meet the demand of the cyber workforce (down from 14,100 last year, largely due to slower growth of the sector).

I’ve skimmed through most of the report (it’s 100 pages) and honestly most of it doesn’t surprise me. Cyber security is an arms race and for every defense that is built, the attackers will find two different holes to penetrate those defenses. The fact that only 17% of the workforce is female also doesn’t surprise me and is a big issue. In all my years of work, I have only had 3 females that were on my team, and all at different companies. Even when I was actively interviewing and hiring candidates, it was rare to find a woman under the waves of male candidates. I do hope this changes in the future as women are just as capable as men in this field.

Conclusion

There was a MikroTik vulnerability released this week that I wanted to talk about, but after writing three paragraphs about it I decided I would actually make a separate blog post about it. I have a MikroTik router, which makes it a lot easier to play with the PoC. Anyways, I hope you enjoyed the skim and I will see you all next week. Good luck to all the engineers out there and until next time, stay safe!
