uTalk

The Zen 2 architecture-based processors from AMD have a new security flaw that could be used to extract private information like encryption keys and passwords.

The Zenbleed bug, code-named by Google Project Zero researcher Tavis Ormandy and tracked as CVE-2023-20593 (CVSS score: 6.5), permits data exfiltration at a rate of 30 kb per core, per second.

The problem is a part of a larger class of flaws known as speculative execution attacks, in which the widely used optimization method in contemporary CPUs is abused to access cryptographic keys from CPU registers.

A register in "Zen 2" CPUs "may not be written to 0 correctly" under certain microarchitectural conditions, according to AMD's advisory. "This could result in data from another process and/or thread being saved in the YMM register, potentially allowing an attacker to access sensitive data. ".

The web infrastructure provider Cloudflare pointed out that the attack could even be executed remotely through JavaScript on a website, negating the need for physical access to the computer or server.

Researchers at Cloudflare Derek Chamorro and Ignat Korchagin found that vectorized operations could be carried out very effectively using the YMM registers. Applications that process a lot of data have a lot to gain from them, but malicious activity is increasingly focusing on them. ".

This attack forces an incorrect command by modifying register files. The register file is shared by all processes running on the same physical core, so this exploit can be used to eavesdrop on even the most basic system operations by watching the data being transferred between the CPU and the rest of the computer, they added.

Although there is no proof that the bug has been used in the wild, it is crucial to apply the microcode updates as soon as they are made available through original equipment manufacturers (OEMs) in order to reduce potential risk.

Update.

Wiz, a cloud security company, has issued a warning that "62 percent of AWS environments are running EC2 instances with Zen 2 CPUs and may therefore be affected by Zenbleed.". In a separate alert, Google stated that the fixes had already been made to its fleet of servers for the Google Cloud Platform. The problem is anticipated to be fixed as soon as the process is finished by Amazon Web Services (AWS), which is currently "testing the stability" of the update

Two critical security flaws that could allow for local privilege escalation attacks have been found by cybersecurity researchers in the Ubuntu kernel.

According to a report provided to The Hacker News by cloud security company Wiz, 40% of Ubuntu users may be affected by the easily exploitable flaws.

Security researchers Sagi Tzadik and Shir Tamari claimed that affected Ubuntu versions are widely used in the cloud because many [cloud service providers] use them as their default operating systems.

The flaws, dubbed GameOver(lay) and tracked as CVE-2023-32629 and 2023-2640 (CVSS scores: 7.8), exist in a module called OverlayFS and result from insufficient permissions checks in some circumstances, allowing a local attacker to obtain elevated privileges.

An overlay filesystem is a type of union mount file system that enables the fusion of different directory trees or file systems into a single, integrated filesystem.

The two flaws are succinctly described below -.

On Ubuntu kernels with the bugfixes "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted" and c914c0e27eb0.
overlayfs.
* xattrs," a non-privileged user has the ability to set privileged extended attributes on mounted files, causing them to be set on upper files without the necessary security checks.
CVE-2023-32629 - Local privilege escalation vulnerability in Ubuntu kernels when calling overlayfs ovl_copy_up_meta_inode_data skips permission checks when calling ovl_do_setxattr.
In essence, GameOver(lay) enables the creation of executable files with scoped file capabilities and deceives the Ubuntu Kernel into copying them to different locations.

anyone who executes it will have root-like privileges due to its unscoped capabilities. ".

As of July 24, 2023, Ubuntu has patched the vulnerabilities as a result of responsible disclosure.

According to Wiz CTO and co-founder Ami Luttwak, the findings highlight the possibility that Ubuntu's subtle modifications to the Linux kernel may have unintended consequences.

According to the researchers, "Both vulnerabilities are unique to Ubuntu kernels since they were caused by Ubuntu's specific changes to the OverlayFS module." They added that the problems are similar to other flaws like CVE-2016-1576, CVE-2021-3493, CVE-2021-3847, and CVE-2023-0386.

The US Securities and Exchange Commission (SEC) on Wednesday approved new regulations that mandate publicly traded companies disclose information about a cyber attack within four days of realizing it has a "material" impact on their finances. This represents a significant change in the way that data breaches are disclosed.

"It may be material to investors," SEC chair Gary Gensler said.
"Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident.". "At the moment, a lot of publicly traded companies inform investors about cybersecurity. However, I believe that if this disclosure were made in a manner that was more standardized, comparable, and useful for making decisions, both companies and investors would benefit. ".

In order to achieve this, the new obligations require businesses to disclose the incident's nature, scope, timing, and impact. However, if it is found that disclosing these details "would pose a substantial risk to national security or public safety," this disclosure may be postponed for an additional period of up to 60 days. ".

They also require registrants to annually describe the methods and approaches used for evaluating, identifying, and managing material risks from cybersecurity threats, describe the material effects or risks resulting from those events, and share details about ongoing or completed remediation efforts.

Saket Modi, CEO of Safe Security, told The Hacker News that the word "material" is crucial in this context because it must be understood. "Most organizations are unable to determine materiality, a crucial component of shareholder protection, so they are not ready to comply with the SEC guidelines. Systems to calculate risk at both the broad and specific levels are lacking. ".

The rules, however, do not apply to "specific, technical information about the Registrant's planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would prevent the Registrant from responding to or remediating the incident. ".

The policy, which was initially proposed in March 2022, is seen as an effort to increase transparency regarding the threats that nation-state actors and cybercrime pose to US companies, close the gaps in cybersecurity defense and disclosure practices, and harden the systems against data theft and intrusions.

According to Kroll, a ransomware gang known as Cl0p has been responsible for a recent wave of cyber attacks that have affected more than 500 businesses. These attacks have been made possible by the exploitation of serious flaws in software that is frequently used in enterprise environments, and the threat actors are using new exfiltration techniques to steal data.

Amit Yoran, CEO and Chairman of Tenable, said the new regulations on cyber risk management and incident disclosure are "right on the money" and represent a "dramatic step toward greater transparency and accountability. ".

Investors should have the right to know about an organization's cyber risk management initiatives "when cyber breaches have real-life repercussions and reputational costs," Yoran continued.

However, given that it could take businesses weeks or even months to thoroughly investigate a breach, there have been concerns raised that the time frame is too short, which could result in inaccurate disclosures. Premature breach notification could alert additional attackers to a vulnerable target, increasing security risks, further complicating the situation.

According to James McQuiggan, a security awareness advocate at KnowBe4, the new SEC requirement requiring organizations to report cyber attacks or incidents within four days seems aggressive but falls within a more lenient time frame than other nations.

Companies have 72 hours to report a cyber incident within the European Union, the United Kingdom, Canada, South Africa, and Australia. There are 24 hours in some other nations, including Singapore and China. Within six hours, India is required to report the breach. ".

"In either case, organizations should have repeatable and well-documented incident response plans with communication plans, procedures, and requirements on who is brought into the incident and when," McQuiggan further stated.