Ubuntu Vuln, Magika Tool, Chrome's Defense Feature, & CVE 2023-50387

Introduction

Hello Everyone, this week your editor is Dharminder. I am back again with This Week in Security for Feb 11-17th, 2024.
This week I have security news about vulnerability in Ubuntu's ‘command-not-found’ utility , Google’s open source file identification tool Magika, ‘Private Network Access protections’ a new feature coming soon in Google Chrome, KeyTrap attack and F5 Quarterly Security Notification - Feb 2024. We in F5 SIRT invest lot of time to understand the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are under security emergency please contact F5 SIRT.

Ok so let's get started to find details of security news.

Vulnerability In 'Command-not-found' Utility

Aqua Nautilus researchers, have discovered a vulnerability in the 'command-not-found' utility on Ubuntu systems, which could allow threat actors to recommend malicious packages through the snap repository. This utility suggests installations for unavailable commands but can be manipulated to recommend rogue packages. Attackers can exploit an alias loophole to trick users into installing malicious snaps or by registering fake packages similar to legitimate ones. As a result, users may unknowingly install counterfeit packages instead of legitimate ones. The vulnerability affects 26% of APT package commands and poses a significant security risk. Users are advised to verify package sources before installation, and developers are encouraged to register snap names to prevent misuse. Heightened vigilance and proactive defense strategies are recommended to address this pressing concern.

Magika - Google's Open Source AI Powered File Type Identification Tool

Google has unveiled Magika, an AI-powered tool designed to identify various file types, which is now open-sourced to aid defenders in accurately detecting binary and text files. Magika utilises a custom deep-learning model, optimised for precise identification within milliseconds, even on CPUs. The tool can be used via a command line interface or as a Python library, available for installation via pip. Accurate file-type detection is challenging due to varied file structures, especially for textual formats and programming languages. As per Google, Magika outperforms existing tools by about 20%, particularly excelling in identifying textual files. Internally, Google employs Magika to enhance user safety in services like Gmail and Drive, improving file type identification accuracy by 50% compared to previous systems. Magika's integration with VirusTotal will further enhance cybersecurity efforts. The tool is now freely available on GitHub under the Apache2 License, facilitating improved file identification accuracy for other software and researchers.

Various file type identification tools performance for a selection of the file types included in Google's benchmark - n/a indicates the tool doesn’t detect the given file type.

'Private Network Access protections' A Feature Coming Soon in Chrome To Block Attacks Against Home Networks

Google is testing a feature called "Private Network Access protections" in Chrome 123 to prevent malicious public websites from attacking devices and services on users' internal networks. This feature conducts checks before allowing a public website to direct a browser to visit another site within the user's private network. It verifies if the request comes from a secure context and sends a preliminary request to see if the internal device permits access. If there's no response, the connection is blocked; if the device responds, it can decide whether to allow the connection. The feature is currently in a warning-only mode, which means developers have some time to adjust before stricter enforcement begins. As per Google their aim is to protect users' internal networks from internet-based threats, including unauthorized access to routers and local devices. This feature addresses risks like "SOHO Pharming" attacks and CSRF vulnerabilities. However, it doesn't secure HTTPS connections for local services, which is beyond its current scope.

KeyTrap attack: A DNS Packet To Disrupt Internet Access

A team of researchers from German universities and institutes uncovered a high vulnerability CVE-2023-50387 (KeyTrap) in DNSSEC, a security extension for DNS, designed to combat DNS spoofing. Researchers discovered that this flaw could be exploited to cause a prolonged denial-of-service (DoS) condition in DNS resolvers with just one malicious DNS packet. The vulnerability has existed in DNSSEC for over two decades, allowing attackers to exploit misconfigured or unsupported cryptographic keys to overwhelm DNS resolvers, delaying responses by up to 16 hours. This could severely impact internet-dependent applications such as web browsing and email. Although patches are available for some DNS software, the fundamental nature of the issue complicates full resolution. Despite mitigation efforts, the possibility of practical exploitation remains, urging network administrators to prepare backup DNS servers to maintain uninterrupted service.

F5 Quarterly Security Notification - Feb 2024

On February 14, 2024, F5 has announced 20 vulnerabilities and 2 security exposures. Out of 20 vulnerabilities, severity of 14 are of high, 5 are of medium and 1 is of low. Recommendation for customers is to upgrade/update to the latest BIG-IP software version.

Updated Feb 28, 2024
Version 4.0
F5 SIRT
security
series-F5SIRT-this-week-in-security
TWIS

Was this article helpful?

No CommentsBe the first to comment