Linux admins have a CVSS 10 kernel bug that needs patching

Merry Christmas, Linux sysadmins: here's a kernel vulnerability with a CVSS score of 10 in your SMB server for the holiday season, one that allows unauthenticated remote code execution.

Yes, that sounds bad, and a score of 10 is not reassuring at all. Luckily for the sysadmins who reached for more brandy to spike the eggnog, the affected software doesn't appear to be widely deployed.

The Thalium vulnerability research team at French airline Thales Group discovered the flaw in July. It is specific to the ksmbd module, which was added to the Linux kernel in version 5.15, and disclosure was responsibly held back until a patch was released.

Unlike Samba, the other popular SMB server for Linux, which runs in userspace, ksmbd runs in the kernel. That raised alarm bells among some observers when its merge was discussed last year.

SerNet, the German IT company that offers its own version of Samba, said in a blog post that ksmbd was impressive, but seemed a bit immature. Furthermore, SerNet's Samba+ team wrote, the benefit of adding an SMB server to kernel space may not be worth the risk, even for "squeezing the last bit of performance out of available hardware."

ksmbd was developed by Samsung to implement server-side SMB3 with improved performance and a smaller footprint. The vulnerability could let an attacker leak SMB server memory, similar to the Heartbleed attack.

Fortunately, if you're not running Samsung's "experimental" ksmbd module, as security researcher Shir Tamari described it on Twitter, and stick with Samba, you're pretty safe.

“ksmbd is new; most users are still using Samba and not affected. Basically, if you’re not running SMB servers with ksmbd, enjoy your weekend,” Tamari said on Twitter.

According to the Zero Day Initiative, which disclosed the ksmbd vulnerability, the use-after-free bug exists in the processing of SMB2_TREE_DISCONNECT commands. According to ZDI, the problem is that ksmbd does not validate the existence of objects before performing operations on them.

For those using ksmbd, there is a solution other than switching to Samba: update to Linux kernel version 5.15.61, released in August, or later.

The kernel update also fixed two other issues in ksmbd: an out-of-bounds read in SMB2_TREE_CONNECT, which the patch note said could let invalid requests through without message validation, and a memory leak in smb2_handle_negotiate, where memory was not properly freed.

Dodge the “junk cards” by spending your holiday cash now

Plenty of ready-made tools for would-be hackers can be found on the dark web; one trend the Cybersixgill team has noticed recently is gift card generators that not only guess card numbers, but also validate them by the thousands.

Like brute-force password crackers, tools sold online randomly guess gift card numbers issued by companies like Amazon, Microsoft, Sony, Apple and others, with varying degrees of speed and accuracy depending on how predictable the sequence of card numbers is.

These generators are often paired with "checkers" that run the generated gift card numbers against the issuer's website to look up their balance or activation status, which is then returned to the criminal behind the keyboard.

Using software of the kind sold on the dark web to generate, guess, and verify gift card numbers is easy enough, Adi Bleih and Dov Lerner of Cybersixgill said in a blog post, that "a kid with Tor could do it."

When searching for cards, criminals don't always look for fully loaded cards, or even wait for inactive cards to turn up: they will happily cash out cards with only a small balance left. These cards are forgotten, Bleih said, and cybercriminals can hunt for them "by the thousands" thanks to easy-to-find online tools.

The moral of this holiday story? If you get a gift card, spend it quickly and spend it in full; if you give one, urge the recipient to do the same.

Meta gets a soft $725 million slap on the wrist over Cambridge Analytica

Details of Meta's settlement of the consumer lawsuits brought against it over the Cambridge Analytica scandal, initially decided in August, were not disclosed at the time, but documents filed in the case this week suggest the price of Meta's bad behavior is just $725 million.

Don't break out the expensive stuff just yet: only 25 percent of that money will go to the 250-280 million Facebook users included in the class, attorneys for the plaintiffs told Reuters.

Still, legal eagles say it's the largest data privacy class action settlement in US history, and the most Meta has ever paid to resolve a legal case.

For those who have put the Facebook data privacy scandal out of their minds, Cambridge Analytica was a data company hired by the Donald Trump campaign in 2016. As part of its data collection operations, Cambridge Analytica created Facebook apps that harvested data from tens of millions of users without their knowledge.

$725 million may sound like a lot, but don't forget the context: Meta's revenue in the third quarter of this year alone was $27.7 billion. Sure, Meta has cut its workforce and is hemorrhaging cash, but what's another $725 million? ®
