Bugs in Linux Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/bugs-in-linux/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Tue, 19 Apr 2022 20:26:38 +0000

Google Offers up to $91,000 for Linux Kernel Vulnerabilities
https://gridinsoft.com/blogs/google-offers-up-to-91000-for-linux-kernel-vulnerabilities/
Wed, 16 Feb 2022 22:58:56 +0000

Google has almost doubled its rewards for vulnerabilities in the Linux kernel, Kubernetes, Google Kubernetes Engine (GKE), and kCTF. The reward can now be up to $91,337.

In November last year, Google had already raised its payouts, tripling the rewards for exploits of previously unknown bugs in the Linux kernel. The idea was to encourage the discovery of new ways to exploit the kernel, in particular in the context of Kubernetes running in the cloud. Researchers were asked to compromise Google's kCTF (Kubernetes Capture The Flag) cluster and capture a “flag” as part of the competition.

NOTE: Let me remind you that we wrote that Apple paid $100,000 for macOS camera and microphone hack, and also that Zerodium offers up to $400,000 for exploits for Microsoft Outlook.

Google reports that the program has been a success: it received nine reports in three months and paid out more than $175,000 to researchers. During this time, five 0-day vulnerabilities and two exploits for fresh 1-day bugs were discovered. According to Google, three of these issues have already been fixed and written up thanks to the bug bounty: CVE-2021-4154, CVE-2021-22600 (patch), and CVE-2022-0185 (report).

As a result, the program will be extended until at least the end of 2022, and will also undergo a number of changes. Whereas in November it was decided that experts would receive a reward of up to $50,337 for critical vulnerabilities (depending on the severity of the problem), the maximum reward has now been increased to $91,337.

The size of the payout depends on several factors: whether the problem found is a 0-day vulnerability, whether it requires unprivileged user namespaces, and whether it uses a new exploitation method. Each of these criteria carries a bonus of $20,000, which ultimately raises the payout for a working exploit to $91,337.

“These changes increase the cost of some 1-day exploits to $71,337 (up from $31,337 previously), and the maximum reward per exploit is now $91,337 (up from $50,337 previously)”, Google reported.

New vulnerabilities help to bypass protection from Spectre on Linux systems
https://gridinsoft.com/blogs/bypass-protection-from-specter/
Mon, 29 Mar 2021 16:03:15 +0000

On Monday, March 29th, security researchers disclosed two vulnerabilities in Linux distributions that make it possible to bypass the protections against speculative-execution attacks such as Spectre and extract sensitive information from kernel memory.

The vulnerabilities, CVE-2020-27170 and CVE-2020-27171 (5.5 out of 10 on the CVSS severity scale), were discovered by Symantec Threat Hunter Team researcher Piotr Krysiuk and affect all versions of the Linux kernel prior to 5.11.8. Fixes for Ubuntu, Debian and Red Hat were released on March 20, 2021.

CVE-2020-27170 can be used to retrieve content from anywhere in kernel memory, while CVE-2020-27171 can retrieve data from kernel memory within a 4 GB range.

The Spectre and Meltdown vulnerabilities, documented in January 2018, exploit flaws in modern processors to leak data being processed on the computer, allowing an attacker to bypass the hardware boundaries between applications. In other words, these two side-channel attacks let malicious code read memory that it normally has no permission to access.

“Worse, attacks could be carried out remotely through fraudulent websites with malicious JavaScript code”, Google Project Zero specialists said.

Despite the introduction of security measures, including special protections against timing attacks that reduce the precision of timing functions, all of these measures were implemented at the operating system level and did not solve the underlying problem.

The vulnerabilities discovered by Krysiuk allow these measures to be bypassed on Linux by using the kernel's extended Berkeley Packet Filter (eBPF) support to retrieve the contents of kernel memory.

“Unprivileged BPF programs running on vulnerable systems can bypass Spectre protections and speculatively execute outside of the allocated memory area without any restrictions”, Symantec Threat Hunter Team said.

Specifically, the kernel (kernel/bpf/verifier.c) was found to perform unwanted speculation on out-of-bounds pointer arithmetic, which undoes the Spectre mitigations and leaves the system vulnerable to side-channel attacks.

In a real-world scenario, unprivileged users could exploit these vulnerabilities to gain access to sensitive data from other users on the same vulnerable computer.

The vulnerabilities can also be exploited if an attacker first gains access to the targeted system, for example by planting malware on it for remote access. In that case, the attacker can gain access to all user profiles on the system.

Recall also that I wrote that Google experts published a PoC exploit for Spectre that targets browsers.

Google and Intel experts warn of dangerous Bluetooth bugs in Linux
https://gridinsoft.com/blogs/google-and-intel-experts-warn-of-dangerous-bluetooth-bugs-in-linux/
Thu, 15 Oct 2020 16:31:19 +0000

Google and Intel engineers warn of dangerous Bluetooth bugs that threaten all but the latest Linux kernel versions.

The bugs are collectively known as BleedingTooth and affect the BlueZ stack, which is widely used in Linux distributions as well as in consumer and industrial IoT devices (running Linux 2.4.6 and higher).

“This issue allows attackers to freely execute arbitrary code within Bluetooth range, while Intel attributed this flaw to privilege escalation and information disclosure”, say Google experts.

Google engineer Andy Nguyen discovered the BleedingTooth set of vulnerabilities. They were assigned the identifiers CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490, and were introduced into the code back in 2012, 2016 and 2018 respectively.

The most serious bug in this suite is CVE-2020-12351, which is a type confusion vulnerability that affects Linux 4.8 and above kernels.

The bug has a high severity rating (8.3 on the CVSS scale) and can be exploited by an attacker who is within Bluetooth range and knows the Bluetooth device address (BD_ADDR) of the target device.

To exploit the bug, an attacker must send a malicious L2CAP packet to the victim, which can lead to denial of service (DoS) or arbitrary code execution with kernel privileges. Nguyen stresses that exploiting the problem does not require any user interaction.

The proof-of-concept exploit for CVE-2020-12351 has already been published on GitHub, and a demonstration of the attack in action can be seen in the video below.

The second issue, CVE-2020-12352, is an information leak affecting Linux kernels 3.6 and higher. It was assigned medium severity (5.3 on the CVSS scale).

“Knowing the BD_ADDR of the victim, a remote attacker at a short distance can obtain information about the kernel stack containing various pointers that can be used to predict the memory layout and bypass KASLR. The leak may contain other valuable data, including encryption keys”, explain the researchers at Google.

The third vulnerability, CVE-2020-24490 (CVSS score 5.3), is a heap buffer overflow affecting Linux kernel versions 4.19 and above. Here too, a remote attacker within a short distance of a vulnerable device can cause a denial of service or even execute arbitrary code with kernel privileges.

Google researchers note that only devices equipped with Bluetooth 5 chips that are in scanning mode are affected, but attackers can use malicious chips to carry out attacks.

In turn, specialists from Intel, one of the main contributors to the BlueZ project, write that the BlueZ developers have already announced patches for all three discovered problems. Experts now recommend upgrading the Linux kernel to version 5.9, released over the weekend, as soon as possible.

Let me remind you that recently I talked about the IPStorm botnet, which, among other things, actively attacks Linux devices.
