The last ten years in the computer and IT security world were marked by a great many vulnerabilities. We saw massive cloud computing adoption and end users on mobile devices with high-speed 4G LTE networks, and threat actors have exploited such weaknesses in modern computers and networks. Let us look at the top vulnerabilities and the attack surface of this decade (2010-2020) that affected Linux/Unix, macOS, IT, cloud computing, and computers in general.
A bug in Windows and Samba (a free software re-implementation of the SMB networking protocol for Unix and Linux) enabled man-in-the-middle (MITM) and denial-of-service (DoS) attacks.
The BlueBorne bug is estimated to potentially affect over 8.2 billion devices worldwide. Almost all leading operating systems, such as Linux, iOS, Windows, and Android, are affected because of security vulnerabilities in their Bluetooth implementations. This security bug affects many electronic devices, such as laptops, smartphones, smart cars, IoT devices, and more.
Cloudflare is a leading cloud-based security, reverse proxy, and optimization company. Some of the top and busiest websites/apps on the internet rely on Cloudflare for protection. A security bug called Cloudbleed was discovered on 17/Feb/2017. The bug caused their network edge servers to run past the end of a buffer and return memory that contained private information such as:
- HTTP cookies
- Authentication tokens
- HTTP POST bodies
- Tons of sensitive data and more
The worst part was that this data was cached by Google and other search engines.
4. Dirty COW
A very serious security problem was found in the Linux kernel. This 0-day local privilege escalation vulnerability had existed for eleven years, since 2005. The bug allows privilege escalation on all sorts of Android and Linux kernels: any user can become root in less than 5 seconds. The bug has existed since Linux kernel version 2.6.22+. Most Linux distros released a patch to protect the Linux kernel from this zero-day local privilege escalation vulnerability (CVE-2016-5195).
Modern Intel/AMD processors are riddled with security bugs. L1 Terminal Fault (L1TF or Foreshadow) is a vulnerability that affects modern microprocessors. The first version results in the disclosure of sensitive information stored on PCs and cloud servers. The second version targets:
- Virtual machines (VMs)
- Hypervisors (VMM)
- Operating systems (OS) kernel memory
- System Management Mode (SMM) memory
Applying software patches may have helped mitigate some of the concerns, but users may see a significant decrease in the overall performance of their PCs or of their servers running in the cloud.
The Heartbleed security bug is a severe vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing information that would normally be protected by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as the Web, email, instant messaging (IM), and some virtual private networks (VPNs). After the discovery, Google established Project Zero, which is tasked with finding zero-day vulnerabilities to help secure the Web and society. Patches to protect against the OpenSSL vulnerabilities CVE-2015-0291 and CVE-2015-0204 on Linux were released.
iSeeYou is a security bug affecting the iSight camera in Apple laptops. An attacker can gain remote access and take photographs of an unconsenting person. The affected Apple laptops ran a variety of operating systems, including macOS, Microsoft Windows, and Linux; hence the mitigations against the iSeeYou attack vary by operating system. The researchers who found it released iSightDefender, a macOS kernel extension, to reduce the attack surface on the macOS Unix operating system.
KRACK stands for Key Reinstallation Attack. It is a replay attack, a type of exploitable flaw in the WPA (Wi-Fi Protected Access) protocol that we use to secure our Wi-Fi connections. Naturally, all devices, software, routers, and operating systems that use Wi-Fi Protected Access (WPA) are affected. For instance, all major OSes, such as Microsoft Windows, ChromeOS, macOS, iOS, Android, Linux, and OpenBSD, and tools such as wpa_supplicant, could be made to install an all-zeros encryption key, effectively nullifying WPA2 protection in a man-in-the-middle attack.
Lazy FP state restore (Lazy)
Lazy (Lazy FP state restore) is a security vulnerability affecting Intel CPUs. A local process can use this vulnerability to leak the contents of the FPU registers belonging to another process. This vulnerability is related to the Spectre and Meltdown vulnerabilities. Linux, OpenBSD, Xen, and others released patches to address the vulnerability.
Linux.Encoder (also known as ELF/Filecoder.A and Trojan.Linux.Ransom.A) is the first ransomware Trojan targeting computers, cloud servers, and devices running Linux. There are additional variants of this Trojan that target other Unix and Unix-like systems.
A severe security bug was found in Intel CPUs. The Meltdown CPU vulnerability, CVE-2017-5754, breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus the secrets, of other programs and the operating system. Patches were released to protect Linux computers/servers and laptops/desktops against the Meltdown and Spectre vulnerabilities. The Meltdown vulnerability primarily affects Intel microprocessors, but the ARM Cortex-A75 and IBM's Power microprocessors are also affected. The vulnerability does not affect AMD CPUs. We can check Linux for the Spectre and Meltdown vulnerabilities. I had to patch Meltdown on both OpenBSD and FreeBSD servers too.
The Microarchitectural Data Sampling (MDS) vulnerabilities are a set of weaknesses in Intel x86 microprocessors that use hyper-threading; they leak data across protection boundaries that are architecturally supposed to be secure. After Meltdown, Spectre, and Foreshadow, researchers discovered more critical vulnerabilities in modern processors. The ZombieLoad attack allows stealing sensitive data and keys while the computer accesses them.
Mirai (未来) malware attacks Linux-running devices such as routers and IP cameras and turns those networked devices into bots. Mirai was named after the 2011 TV anime series Mirai Nikki and is believed to be behind some of the largest and most disruptive distributed denial of service (DDoS) attacks on the Internet. Linux is the dominant operating system for IoT, home and WiFi routers, cloud servers, IP cameras, and more. Hence, like MS-Windows, it has attracted many malware authors. Here are other malware families that made significant use of vulnerabilities during the 2010-2020 decade:
- Linux.Darlloz – A worm that infects embedded Linux systems such as routers, security IP cams, and set-top boxes by exploiting a PHP vulnerability. It has been active since 2013.
- Linux.Wifatch – An open-source malware that does not use your hacked Linux router for malicious purposes. Instead, it secures your devices from other malware. Wifatch not only tries to prevent further access by killing the legitimate Telnet daemon, but it also leaves a message in its place telling device owners to change passwords and update the firmware.
- Wifatch is not the only white-hat malware. Hajime was found in October 2016, and it also endeavors to secure your Linux devices. This is the message the malware leaves on a Linux-based appliance it has compromised:
Just a white hat, securing some systems.
Important messages will be signed like this!
Contact CLOSED Stay sharp!
- BrickerBot – It is believed that this malware destroyed more than ten million devices before its author retired it. As the name suggests, it attempts to permanently destroy, or brick, IoT ("Internet of Things") devices. It was first discovered on Apr/10/2017, and BrickerBot was retired on Dec/10/2017.
- BASHLITE (LizardStresser) – Malware that infects Linux systems, routers, IoT devices, and DVRs to launch distributed denial-of-service (DDoS) attacks. The original version in 2014 exploited a flaw in bash called Shellshock to control devices running BusyBox.
POODLE is an exploit that takes advantage of the way some browsers deal with encryption. It is a man-in-the-middle exploit that takes advantage of Internet and security software clients' fallback to SSL 3.0. Any software that supports a fallback to SSL 3.0 is affected. To mitigate the POODLE attack, disable SSL 3.0 on both the client side and the server side. Various vendors such as Google, Microsoft, Apple, OpenSSL, and others have released software patches to protect against the POODLE security bug.
Rootpipe is a security vulnerability in OS X that allows privilege escalation. By leveraging other security vulnerabilities on a system, an attacker can obtain superuser (root) access. Combined with other bugs on a Mac, such as an unpatched Apache web server, an attacker could use Rootpipe to gain complete control of the operating system and the Apple Mac computer or server. Additionally, in November 2017, a similar vulnerability was found in macOS High Sierra, making it possible to log in to the machine as root without a password.
Shellshock, or Bashdoor, is a critical software bug in Bash running on Linux, macOS, BSD, and other Unix-like systems. Shellshock allows an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests. Attackers specifically targeted the following services on Linux or Unix systems, and any Internet service that used bash:
- CGI-based web server
- OpenSSH server
- DHCP clients
- IBM HMC restricted shell
- Qmail email server
Shellshock is often compared with the Heartbleed bug in its severity due to the massive number of unpatched Linux and Unix servers running in the cloud.
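An added detection example, not from the original post: it scans combined-format web server access logs for the bash exported-function prefix "() {" that every Shellshock probe carries in a header CGI copies into the environment. The log lines are constructed for the demo.

```python
import re

# Added example (not from the post): flag Shellshock probes in combined-format
# access logs. The payload always starts with bash's function-definition
# prefix "() {" inside an attacker-controlled header (User-Agent, Referer,
# request line); the regex tolerates the whitespace variants seen in the wild.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: two probes (via User-Agent, then via Referer) and one normal hit.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.2 - - [25/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 1042 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "(){:;}; echo probe" "curl/7.38"
""".splitlines()

def scan_line(line: str):
    """Return a finding dict when an attacker-controlled field carries the
    function-definition prefix; None for clean or unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for field in ("agent", "referer", "request"):
        if SHELLSHOCK_RE.search(d[field]):
            return {"ip": d["ip"], "time": d["time"], "field": field,
                    "request": d["request"], "status": d["status"]}
    return None

def scan_log(lines) -> list:
    """All findings in log order. A 200 on a /cgi-bin/ target deserves a closer
    look: the shell may already have run whatever followed the prefix."""
    return [hit for hit in map(scan_line, lines) if hit]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} via {hit['field']}: {hit['request']} -> {hit['status']}")
```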
SigSpoof is a family of security vulnerabilities that affected the software package GNU Privacy Guard since 1998 but were only discovered in June 2018. Marcus Brinkmann, who found the SigSpoof vulnerabilities, said that their existence, and the fact that they were present "in the wild" for so long, throws into question the integrity of past emails, "backups, software updates in Linux/Unix distros, and source code in version control systems like Git."
Spectre breaks the isolation between different applications on modern microprocessors that perform branch prediction. The Meltdown attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. Big cloud vendors such as Google and AWS patched the bugs before anyone else. Most Linux distros and IT vendors released patches on time too. A branch misprediction may leave observable side effects that can reveal private data to attackers. Speculative Store Bypass (SSB) is a security vulnerability, and exploitation technique, that takes advantage of speculative execution in a way similar to the Meltdown and Spectre vulnerabilities. It affects ARM, AMD, and Intel processors.
Stagefright is a group of software bugs in the Android operating system. Exploiting the bugs allows an attacker to perform arbitrary operations on the victim's mobile phone through remote code execution and privilege escalation. A phone number is the only information needed to carry out the attack using MMS. The latest versions of Android, 10+, moved all software codecs into a constrained sandbox to mitigate this threat. Affected software includes Android 2.2 "Froyo," and Android 1.5 "Cupcake" through Android 5.1 "Lollipop."
The TLBleed attack is a cryptographic side-channel attack that uses machine learning to exploit a timing side channel via the translation look-aside buffer (TLB) on modern microprocessors that use simultaneous multithreading, mainly Intel CPUs. OpenBSD disabled simultaneous multithreading on Intel microprocessors, as there is no easy fix for such bugs in Intel CPUs.
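The check mentioned in the Meltdown section (and relevant to the L1TF, MDS and Speculative Store Bypass entries as well) can be scripted against the per-issue status files the Linux kernel exports. This is an added example, not the post's own code; the directory and file names are the kernel's, and the sample statuses it writes are constructed.

```python
import os
import tempfile
# Added example (not from the post): read the Linux kernel's per-issue status
# files and flag what still needs attention. Directory and file names are the
# ones mainline Linux exposes; the sample statuses below are constructed.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
SAMPLE_STATUS = {
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
    "meltdown": "Mitigation: PTI",
    "spec_store_bypass": "Vulnerable",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, RSB filling",
    "tsx_async_abort": "Not affected",
}

def classify(status: str) -> str:
    """Map one sysfs status line to 'ok', 'mitigated', 'vulnerable' or 'unknown'."""
    s = status.strip()
    if s == "Not affected":
        return "ok"
    if s.startswith("Mitigation:"):
        # The kernel also reports partial fixes: "SMT vulnerable" means sibling
        # hyper-threads can still leak (L1TF, MDS), so it still needs action.
        return "vulnerable" if "SMT vulnerable" in s else "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def read_status(sysfs_dir: str = SYSFS_DIR) -> dict:
    """Return {issue: (raw_line, class)}; empty if the interface is absent
    (old kernel, non-Linux host, restricted container), itself worth reporting."""
    if not os.path.isdir(sysfs_dir):
        return {}
    out = {}
    for name in sorted(os.listdir(sysfs_dir)):
        with open(os.path.join(sysfs_dir, name)) as f:
            raw = f.read().strip()
        out[name] = (raw, classify(raw))
    return out

def unmitigated(status: dict) -> list:
    """Issues still needing action: a patch, a microcode update, or disabling SMT."""
    return [k for k, (_, c) in status.items() if c == "vulnerable"]

def make_sample_dir() -> str:
    """Write SAMPLE_STATUS as a fake sysfs tree so the check runs on any host."""
    d = tempfile.mkdtemp(prefix="vulns-")
    for name, line in SAMPLE_STATUS.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(line + "\n")
    return d
```

On a real host call `read_status()` with no argument; an empty result means the kernel does not expose the interface, which is itself a finding.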
Of course, this is not a definitive list of all notable vulnerabilities that crippled the IT world this decade. I mostly focused on vulnerabilities that affected Linux, Unix, macOS, servers, and cloud computing. I left out Microsoft, VMware, and many other vendors, as those are not related to my interests. Many discovered and undiscovered vulnerabilities come from trusting user input, unpatched firmware/software, poorly written code, complex software running to millions of lines of code, and more. Mitigating software and hardware vulnerabilities is an ongoing process, and I am sure we will see more severe bugs in the next decade. Until then, stay safe and have a wonderful year ahead.
Were you affected by the various vulnerabilities discussed in this post? Have your say in the comments below.