While most users frown upon the increasing number of CPU security mitigations in part due to the additional overhead commonly introduced, a new Linux kernel patch by a Google engineer would allow users/developers to opt-in to forcing CPU bugs and their mitigations even if the system in use isn't known to be vulnerable.
Linux Security News Archives
304 Linux Security open-source and Linux related news articles on Phoronix since 2006.
Linux 6.10 introduced TPM bus encryption and integrity protection to enhance Trusted Platform Module support and protect against interposers compromising the TPM via bus sniffing attacks. A new option is now being added to opt out of this protection due to a discovered performance bottleneck.
Enterprise security firm Edera today is announcing OpenPaX, which they promoted in their advance press notice as a "new open-source alternative to GrSecurity." GrSecurity is the firm focused on providing out-of-tree Linux kernel patches in the name of security enhancements. With OpenPaX, Edera is providing an open-source, publicly available kernel patch for mitigating common memory safety errors and other system hardening.
There's been much speculation since this morning over a reported "severe" unauthenticated remote code execution (RCE) flaw affecting Linux systems that carries a CVSS 9.9 score... The embargo has now lifted with the details on this nasty issue.
Landlock as the Linux security module for unprivileged access control handling is adding new controls around Unix socket handling with the Linux 6.12 kernel.
Not to be confused with the proposal a few days ago by an AMD engineer for Attack Vector Controls for broader control over CPU security mitigation handling, the in-development Linux 6.12 kernel is adding new Kconfig options to allow for more build-time control over what CPU security mitigation code is compiled for the kernel.
Merged as part of the Linux Security Modules (LSM) updates for the Linux 6.12 kernel is the new Integrity Policy Enforcement (IPE) module that has been years in the making. Integrity Policy Enforcement is an alternative to access controls.
David Kaplan, a Senior Fellow at AMD focused on security technologies, has published an initial set of Linux kernel patches for "Attack Vector Controls" that rethink CPU security mitigation handling. The proposed Attack Vector Controls make it easier to choose which security mitigations to enable or disable based on the intended use of the system rather than requiring knowledge of individual CPU security vulnerabilities and their various tuning knobs.
The Linux 6.12 kernel cycle later this year is expected to see a number of new Kconfig options introduced for greater build-time control over what CPU speculative execution security mitigations are included as part of the kernel build.
Merged back in 2021 for Linux 5.13 was Landlock as a means of unprivileged application sandboxing. The Landlock Linux security module has continued to be improved since, but it turns out there's been a big hole within this security module since its introduction... The possibility for apps to drop restrictions on themselves.
Kees Cook submitted all of the hardening updates this week for the Linux 6.11 merge window in beefing up the kernel's defenses against various attack vectors and vulnerabilities.
The "x86/bugs" code has been merged for the Linux 6.11 kernel that is just three patches this go around but includes a new Spectre BHI mitigation option.
Linux engineer Christian Brauner at Microsoft sent out his various pull requests for areas of the kernel he oversees ahead of the Linux 6.11 merge window. One of the more interesting pull requests from Brauner this cycle are the "vfs procfs" updates that now allow restricting access to the /proc/[pid]/mem files of processes.
While there were plans of adding getrandom() in the vDSO with the upcoming Linux 6.11 merge window to speed up user-space random number generation access, Linus Torvalds is unconvinced by the work and intends to reject any pull request with it for Linux 6.11.
In the making for the past two years by developer Jason Donenfeld (of WireGuard fame) is the addition of getrandom() to the vDSO in the name of better performance. In some tests this has yielded as much as a ~15x speed-up for user-space obtaining cryptographically secure random numbers. It's looking like this work will finally be merged for the upcoming Linux 6.11 merge window.
UC San Diego researchers have gone public with Indirector, high-precision branch target injection attacks on the indirect branch predictor. The UCSD security researchers found Indirector impacting recent Intel Alder Lake and Raptor Lake processors. Intel believes, though, that no further mitigations are required.
Qualys went public today with a security vulnerability they have discovered within the OpenSSH server that could lead to remote, unauthenticated code execution.
For the Branch History Injection variant of Spectre (Spectre BHI) there is a patch pending to add a new mitigation option for that two year old CPU security vulnerability.
Back in 2019 after various speculation-based CPU vulnerabilities began coming to light, Amazon engineers proposed process-local memory allocations for hiding KVM secrets. They were striving for an alternative mitigation for vulnerabilities like L1TF by essentially providing some memory regions for kernel allocations out of view/access from other kernel code. Amazon engineers this week laid out a new proposal after five years of ongoing Linux kernel improvements for MM-local memory allocations for dealing with current and future speculation-based cross-process attacks.
One of the new security features coming with Linux 6.10 is TPM bus encryption and integrity protection to fend off a wave of possible attacks against Trusted Platform Module recovery keys, TPM sniffing, etc. This functionality was merged for the Linux 6.10 merge window but is now being pulled back to x86_64-only by default where it's been sufficiently tested.
Merged this Friday evening into the Linux 6.10 kernel is the new mseal() system call for memory sealing.
A commit made to the Linux kernel three weeks ago accidentally broke the default CPU security mitigations for non-x86 CPUs. With code sent in today via x86/urgent ahead of tonight's Linux 6.9-rc6 release, that accidental default breakage is being addressed.
A new set of Linux kernel patches were sent out on Friday for tweaking the Native BHI mitigation introduced earlier this month for Intel processors.
The Linux 6.9-rc4 weekly test release is due out later today and ahead of that this week's "x86/urgent" material has been sent in that includes several patches for various x86 speculation mitigation fixes.
Disclosed back in March 2022 was Branch History Injection (BHI) as a new Spectre vulnerability affecting Intel and Arm CPUs. Then in July of 2022 came patches from Intel working on hardware-based prevention for Spectre-BHI attacks. Now, two years later, the Linux kernel is seeing mitigations added for a new "Native BHI" variant of the Branch History Injection vulnerability.
Today's disclosure of XZ upstream release packages containing malicious code to compromise remote SSH access has certainly been an Easter weekend surprise... The situation only looks more bleak over time with how the upstream project was compromised while now the latest twist is GitHub disabling the XZ repository in its entirety.
Red Hat today issued an "urgent security alert" for Fedora 41 and Fedora Rawhide users over XZ. Yes, the XZ tools and libraries for this compression format. Some malicious code was added to XZ 5.6.0/5.6.1 that could allow unauthorized remote system access.
With security concerns at all-time highs in the industry, Linux 6.9 is seeing yet more work to beef up its security hardening with various additional safety checks and other compile-time defenses for ensuring security best practices.
VUSec and IBM Research Europe today announced Speculative Race Conditions (SRCs) as a new class of vulnerabilities where thread synchronization primitives using conditional branches can be microarchitecturally bypassed on speculative paths using a Spectre-V1 attack. The researchers have dubbed CVE-2024-2193 GhostRace, and it is said to affect all major CPU vendors.
The x86/core changes were submitted today for the now-open Linux 6.9 merge window. Among other changes, the x86 CPU security mitigation options within the Linux kernel Kconfig have been adjusted where appropriate to make more clear the options/features are for security mitigations.
While there is already the work underway on allowing the Rust programming language within the Linux kernel in part to leverage its memory safety potential, a proposal was sent out this morning for a new "SandBox Mode" for the Linux kernel to also increase the memory safety of C code within the kernel.
Kicking off what may end up being a fairly busy Patch Tuesday are two WiFi authentication vulnerabilities being made public that affect Intel's IWD daemon as well as the WPA_Supplicant software -- between the two they are the most common solutions for wireless daemons on Linux systems.
For those making use of the AppArmor Linux kernel security module, there is a notable change coming with the Linux 6.8 kernel.
The hardening updates for the Linux 6.7 kernel bring a new hardening configuration profile to help in building a security hardened kernel with some sane defaults.
The AppArmor Linux security system has picked up a few improvements and new features with the in-development Linux 6.7 kernel.
The widely-used Curl project as a command-line tool and library for transferring data via a variety of protocols is preparing to roll-out Curl 8.4 early in order to address a particularly nasty vulnerability.
Disclosed back in August was the Inception vulnerability affecting all Zen processors. It took until today, though, for the mainline Linux kernel to mitigate this vulnerability on Hygon processors, the Zen 1 CPUs formed from the AMD-Chinese joint venture.
A Red Hat engineer has published patches to optionally allow delayed module signature verification in an effort to have a secure Linux system but to allow for faster boot times.
Security Enhanced Linux (SELinux) has been part of the mainline kernel for two decades to provide a security module implementing access control security policies and is now widely-used for enhancing the security of production Linux servers and other systems. Those that haven't been involved with Linux for a long time may be unaware that SELinux originates from the US National Security Agency (NSA). But now with Linux 6.6 the NSA references are being removed.
To help harden the Linux kernel from memory vulnerabilities and in particular heap spraying, set to be merged into the Linux 6.6 kernel is optional support for randomized slab caches for kmalloc() calls.
There used to be a time when Patch Tuesday wasn't so busy in the Linux space, but certainly not this month... Linus Torvalds just pushed the kernel code changes around AMD INCEPTION and Intel DOWNFALL as well as other security patches.
It's now more clear why last week Linus Torvalds personally took to improving the Linux kernel's user-mode stack expansion code: it's necessary to address a now disclosed security vulnerability dubbed StackRot.
This week alongside several other Linux Foundation events in Vancouver was the Linux Security Summit. Commanding a significant presence at the Linux Security Summit was Microsoft.
In development for several years now has been TrenchBoot as a framework for creating security engines to perform system launch integrity actions. This boot-time integrity framework continues advancing and this past week Oracle engineers posted their latest patches for the Linux kernel in providing dynamic launch support.
The Linux 6.4 kernel introduces the ability for the machine keyring to optionally store only CA-enforced keys.
After being deprecated for several years, Security Enhanced Linux "SELinux" beginning with the Linux 6.4 kernel can no longer be run-time disabled.
With the Linux 6.2 release kernel developers addressed "a tasty target for attackers" after it was realized that the per-CPU entry data was not being randomized, even in the presence of Kernel Address Space Layout Randomization (KASLR). The per-CPU entry area randomization has been present since Linux 6.3, but it was then realized that it was being activated even when KASLR was disabled, so now that is changing to avoid possible confusion.
Ahead of the Linux 6.3-rc1 release later today, a set of "x86/urgent" patches were sent out Sunday morning that include the change to allow Single Threaded Indirect Branch Predictors (STIBP) to be used in the presence of legacy Indirect Branch Restricted Speculation (IBRS) for security reasons.
The Linux kernel since last year has mistakenly left systems relying on the original Indirect Branch Restricted Speculation (IBRS) for Spectre V2 mitigation without Single Threaded Indirect Branch Predictor (STIBP) coverage for cross-Hyper-Threading protection against this Spectre vulnerability. There is a patch underway that resolves this issue for Intel Skylake-era systems.
Back in 2020 Google and the Open-Source Security Foundation (OpenSSF) came up with a "Criticality Score" to rank the importance/criticality of open-source projects. The Criticality Score is a means of quantifying the importance of an open-source project such as if in need of funding or development assistance. Criticality Score 2.0 has now been published.