Cybersecurity Newsletter, August 31 - September 6
Qrator

Welcome to the regular networking and cybersecurity newsletter! With this letter, it is all about the most exciting articles published between August 31 and September 6, 2020.

(Yet another one) CenturyLink BGP incident and the blinking Internet 

"On Sunday, August 30, 2020, it all started with a simple question: "What's happening?"

Approximately around 10 UTC, the global Internet started experiencing a very specific state of connectivity - inside the network of one of the largest Tier-1 operators in the world, CenturyLink (primary AS3356), something bad was undoubtedly going on."
 

Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerabilities

"Multiple vulnerabilities in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to either immediately crash the Internet Group Management Protocol (IGMP) process or make it consume available memory and eventually crash. The memory consumption may negatively impact other processes that are running on the device."
 

Lessons Learned from SSH Credential Honeypots

"For the past few months, I've been running a handful of SSH Honeypots on some cloud providers, including Google Cloud, DigitalOcean, and NameCheap. As opposed to more  complicated honeypots looking at attacker behavior, I decided to do something simple and was only interested in where they were coming from, what tools might be in use, and what credentials they are attempting to use to authenticate. My dataset includes 929,554 attempted logins over a period of a little more than 3 months.

If you're looking for a big surprise, I'll go ahead and let you down easy: my analysis hasn't located any new botnets or clusters of attackers. But it's been a fascinating project nonetheless."
 

New Steps to Combat Disinformation

"Today, we're announcing Microsoft Video Authenticator. Video Authenticator can analyze a still photo or video to provide a percentage chance, or confidence score, that the media is artificially manipulated. In the case of a video, it can provide this percentage in real-time on each frame as the video plays. It works by detecting the blending boundary of the deepfake and subtle fading or greyscale elements that might not be detectable by the human eye."
 

Overcoming the limitations of UDP Options

"A recent extension that aims to add support for transport options to the User Datagram Protocol (UDP) is already showing promise. Unfortunately, its deployment may be undermined by the way existing network devices process UDP length and checksum.

In this post we at the Electronics Research Group, University of Aberdeen, show how using an ad-hoc option can help to overcome these limitations."
 

CVE-2020-14386: Linux kernel: af_packet.c vulnerability

"I discovered a bug which leads to a memory corruption in
(net/packet/af_packet.c). It can be exploited to gain root privileges from unprivileged processes.

To create AF_PACKET sockets you need CAP_NET_RAW in your network namespace, which can be acquired by unprivileged processes on systems where unprivileged namespaces are enabled (Ubuntu, Fedora, etc)."
 

Simple bugs with complex exploits

"This post explores Project Zero Issue 2046, a seemingly unexploitable and simple bug that turns out to be exploitable in a very complex manner."
 

JITSploitation I: A JIT Bug

"This three-part series highlights the technical challenges involved in finding and exploiting JavaScript engine vulnerabilities in modern web browsers and evaluates current exploit mitigation technologies. The exploited vulnerability, CVE-2020-9802, was fixed in iOS 13.5, while two of the mitigation bypasses, CVE-2020-9870 and CVE-2020-9910, were fixed in iOS 13.6."
 

"Recent changes in the kernel memory accounting" - a presentation by Roman Gushchin from Facebook

 

An academic paper of the week - The Sound of Silence: Mining Security Vulnerabilities from Secret Integration Channels in Open-Source Projects

 

Thank you for reading and sharing!

For feedback, please write to us at cybersec@qrator.net.