Linux Security News Archives

Kees Cook submitted all of the hardening updates this week for the Linux 6.11 merge window in beefing up the kernel's defenses against various attack vectors and vulnerabilities.

The "x86/bugs" code has been merged for the Linux 6.11 kernel that is just three patches this go around but includes a new Spectre BHI mitigation option.

Linux engineer Christian Brauner at Microsoft sent out his various pull requests for areas of the kernel he oversees ahead of the Linux 6.11 merge window. One of the more interesting pull requests from Brauner this cycle are the "vfs procfs" updates that now allow restricting access to the /proc/[pid]/mem files of processes.

While there were plans of adding getrandom() in the vDSO with the upcoming Linux 6.11 merge window to speed up user-space random number generation access, Linus Torvalds is unconvinced by the work and intends to reject any pull request with it for Linux 6.11.

In the making the past two years by developer Jason Donenfeld (of WireGuard fame) is adding getrandom() to the vDSO in the name of better performance. In some tests this has yielded as much as a ~15x speed-up to performance for user-space obtaining crypographically secure random number generation. It's looking like for the upcoming Linux 6.11 merge window, this work will finally be merged.

UC San Diego researchers have gone public with Indirector, high-precision branch target injection attacks on the indirect branch predictor. This UCSD security researchers found Indirector impacting recent Intel Alder Lake and Raptor Lake processors. Intel believes though that no further mitigations are required.

Qualys went public today with a security vulnerability they have discovered within the OpenSSH server that could lead to remote, unauthenticated code execution.

For the Branch History Injection variant of Spectre (Spectre BHI) there is a patch pending to add a new mitigation option for that two year old CPU security vulnerability.

Back in 2019 after various speculation-based CPU vulnerabilities began coming to light, Amazon engineers proposed process-local memory allocations for hiding KVM secrets. They were striving for an alternative mitigation for vulnerabilities like L1TF by essentially providing some memory regions for kernel allocations out of view/access from other kernel code. Amazon engineers this week laid out a new proposal after five years of ongoing Linux kernel improvements for MM-local memory allocations for dealing with current and future speculation-based cross-process attacks.

One of the new security features coming with Linux 6.10 is TPM bus encryption and integrity protection to fend off a wave of possible attacks against Trusted Platform Module recovery keys, TPM sniffing, etc. This functionality was merged for the Linux 6.10 merge window but is now being pulled back to x86_64-only by default where it's been sufficiently tested.

Merged this Friday evening into the Linux 6.10 kernel is the new mseal() system call for memory sealing.

A commit made to the Linux kernel three weeks ago accidentally broke the default CPU security mitigations for non-x86 CPUs. With code sent in today via x86/urgent ahead of tonight's Linux 6.9-rc6 release, that accidental default breakage is being addressed.

A new set of Linux kernel patches were sent out on Friday for tweaking th Native BHI mitigation introduced earlier this month for Intel processors.

The Linux 6.9-rc4 weekly test release is due out later today and ahead of that this week's "x86/urgent" material has been sent in that includes several patches for various x86 speculation mitigation fixes.

Disclosed back in March 2022 was Branch History Injection (BHI) as a new Spectre vulnerability affecting Intel and Arm CPUs. Then in July of 2022 were patches for Intel working on hardware-based prevention for Spectre-BHI attacks. Now two years later the Linux kernel is seeing mitigations added for the native Branch History Injection vulnerability given a new "Native BHI" variant.

Today's disclosure of XZ upstream release packages containing malicious code to compromise remote SSH access has certainly been an Easter weekend surprise... The situation only looks more bleak over time with how the upstream project was compromised while now the latest twist is GitHub disabling the XZ repository in its entirety.

Red Hat today issued an "urgent security alert" for Fedora 41 and Fedora Rawhide users over XZ. Yes, the XZ tools and libraries for this compression format. Some malicious code was added to XZ 5.6.0/5.6.1 that could allow unauthorized remote system access.

With security concerns at all-time highs in the industry, Linux 6.9 is seeing yet more work to beef up its security hardening with various additional safety checks and other compile-time defenses for ensuring security best practices.

VUSec and IBM Research Europe today announced Speculative Race Conditions (SRCs) as a as a new class of vulnerabilities where thread synchronization primitives using conditional branches can be microarchitecturally bypassed on speculative paths using a Spectre-V1 attack. The researchers have dubbed CVE-2024-2193 as GhostRace and is said to affect all major CPU vendors.

The x86/core changes were submitted today for the now-open Linux 6.9 merge window. Among other changes, the x86 CPU security mitigation options within the Linux kernel Kconfig have been adjusted where appropriate to make more clear the options/features are for security mitigations.

While there is already the work underway on allowing the Rust programming language within the Linux kernel in part to leverage its memory safety potential, a proposal was sent out this morning for a new "SandBox Mode" for the Linux kernel to also increase the memory safety of C code within the kernel.

Kicking off what may end up being a fairly busy Patch Tuesday are two WiFi authentication vulnerabilities being made public that affect Intel's IWD daemon as well as the WPA_Supplicant software -- between the two they are the most common solutions for wireless daemons on Linux systems.

For those making use of the AppArmor Linux kernel security module, there is a notable change coming with the Linux 6.8 kernel.

The hardening updates for the Linux 6.7 kernel bring a new hardening configuration profile to help in building a security hardened kernel with some sane defaults.

The AppArmor Linux security system has picked up a few improvements and new features with the in-development Linux 6.7 kernel.

The widely-used Curl project as a command-line tool and library for transferring data via a variety of protocols is preparing to roll-out Curl 8.4 early in order to address a particularly nasty vulnerability.

Disclosed back in August was the Inception vulnerability affecting all Zen processors. It took until today though for the mainline Linux kernel to mitigate Hygon processors for this vulnerability for those Zen 1 CPUs formed from the AMD-Chinese joint venture.

A Red Hat engineer has published patches to optionally allow delayed module signature verification in an effort to have a secure Linux system but to allow for faster boot times.

Security Enhanced Linux (SELinux) has been part of the mainline kernel for two decades to provide a security module implementing access control security policies and is now widely-used for enhancing the security of production Linux servers and other systems. Those that haven't been involved with Linux for a long time may be unaware that SELinux originates from the US National Security Agency (NSA). But now with Linux 6.6 the NSA references are being removed.

To help harden the Linux kernel from memory vulnerabilities and in particular heap spraying, set to be merged into the Linux 6.6 kernel is optional support for randomized slab caches for kmalloc() calls.

There used to be a time when Patch Tuesday wasn't so busy in the Linux space, but certainly not this month... Linus Torvalds just pushed the kernel code changes around AMD INCEPTION and Intel DOWNFALL as well as other security patches.

It's now more clear why last week Linus Torvalds personally took to improving the Linux kernel's user-mode stack expansion code: it's necessary to address a now disclosed security vulnerability dubbed StackRot.

This week alongside several other Linux Foundation events in Vancouver was the Linux Security Summit. Commanding a significant presence at the Linux Security Summit was Microsoft.

In development for several years now has been TrenchBoot as a framework for creating security engines to perform system launch integrity actions. This boot-time integrity framework continues advancing and this past week Oracle engineers posted their latest patches for the Linux kernel in providing dynamic launch support.

With the Linux 6.4 kernel there is the ability being introduced so that the machine keyring can optionally only store CA-enforced keys.

After being deprecated for several years, Security Enhanced Linux "SELinux" beginning with the Linux 6.4 kernel can no longer be run-time disabled.

With the Linux 6.2 release kernel developers addressed "a tasty target for attackers" after it was realized that the per-CPU entry data was not being randomized, even in the presence of Kernel Address Space Layout Randomization (KASLR). The per-CPU entry area randomization has been present since Linux 6.3 but then was realized it's being activated even if KASLR was disabled, so now that is changing to avoid possible confusion.

Ahead of the Linux 6.3-rc1 release later today, a set of "x86/urgent" patches were sent out Sunday morning that include the change to allow Single Threaded Indirect Branch Predictors (STIBP) to be used in the presence of legacy Indirect Branch Restricted Speculation (IBRS) for security reasons.

The Linux kernel since last year has mistakenly left systems relying on the original Indirect Branch Restricted Speculation (IBRS) for Spectre V2 mitigation without Single Threaded Indirect Branch Predictor (STIBP) coverage for cross-HyperThread dealing with this Spectre vulnerability. There is a patch underway that is resolving this issue for Intel Skylake era systems.

Back in 2020 Google and the Open-Source Security Foundation (OpenSSF) came up with a "Criticality Score" to rank the importance/criticality of open-source projects. The Criticality Score is a means of quantifying the importance of an open-source project such as if in need of funding or development assistance. Criticality Score 2.0 has now been published.

Linus Torvalds merged to Linux 6.3 Git the TPM CRB support for Microsoft's controversial Pluton security co-processor that is initially found in the latest AMD Ryzen processors.

A proposed Linux kernel patch would provide a new Kconfig build time option of "CONFIG_DEFAULT_CPU_MITIGATIONS_OFF" to build an insecure kernel if wanting to avoid the growing list of CPU security mitigations within the kernel and their associated performance overhead.

Merged back in Linux 5.13 last year was Landlock for allowing unprivileged application sandboxing. Landlock allows restricting ambient rights for a set of processes and is implemented as a stackable Linux security module (LSM) for establishing safe security sandboxes. With Linux 6.2 file truncation support is added for Landlock.

Intel on Sunday posted a set of Linux patches implementing SPEC CTRL virtualization support for this VMX feature with new Intel CPUs to help with migrating virtual machines to hosts with different CPU microarchitectures where their security mitigations may be different.

As an enhancement to the out-of-the-box Linux kernel in its default x86_64 configuration, it was being eyed to enable Indirect Branch Tracking by default. That change to enable IBT by default has been picked up by TIP's x86/core branch, thus putting it on deck as material for submitting with next month's Linux 6.2 merge window.

Indirect Branch Tracking (IBT) is still being eyed for enabling as part of the default Linux x86_64 kernel configurations to provide better out-of-the-box security on supported processors. A patch sent out today continues the upstream discussion over flipping on this feature by default that is part of Intel's Control-flow Enforcement Technology (CET) for helping to defend against jump/call oriented programming attacks.

Two high severity security vulnerabilities affecting OpenSSL were made public today, which were the issues that led to Fedora 37 being delayed to mid-November to allow the release images have mitigated OpenSSL packages.

Back in August 2021 saw initial patches by Intel for "FineIBT" for the Linux kernel as aiming to combine the best of their Control-flow Enforcement Technology (CET) and Control Flow Integrity for upping the kernel security protections in an efficient manner.

While the Linux 6.1 merge window just passed and the "Call Depth Tracking" patches have been in development the past few months, it looks like that for the Linux 6.2 kernel is where that alternative mitigation technique will be introduced for helping offset some of the significant performance regressions incurred for Intel Skylake era processors as a result of recent CPU security vulnerability mitigations.

Git 2.38.1 was just released along with updates to older versions, including the new point releases of v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, and v2.37.4. The big set of Git updates today is due to two more security issues coming to light.