### Impact

An API ordering issue in s2n-tls can cause client authentication to unexpectedly not be enabled on the server when it otherwise appears to be. Server applications are impacted if client authentication is enabled by calling s2n_connection_set_config() before calling s2n_connection_set_client_auth_type().

Applications are not impacted if these APIs are called in the opposite order, or if client authentication is enabled on the config with s2n_config_set_client_auth_type(). s2n-tls clients verifying server certificates are not impacted.

Impacted versions: < v1.5.0.


### Patches

The patch is included in v1.5.0 [1].


### Workarounds

Applications can workaround this issue by calling s2n_connection_set_config() after calling s2n_connection_set_client_auth_type(), or by enabling client authentication on the config with s2n_config_set_client_auth_type().

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [2] or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.

[1] https://github.com/aws/s2n-tls/releases/tag/v1.5.0

[2] https://aws.amazon.com/security/vulnerability-reporting

**Impact**

An API ordering issue in s2n-tls can cause client authentication to unexpectedly not be enabled on the server when it otherwise appears to be. Server applications are impacted if client authentication is enabled by calling s2n\_connection\_set\_config() before calling s2n\_connection\_set\_client\_auth\_type().

Applications are not impacted if these APIs are called in the opposite order, or if client authentication is enabled on the config with s2n\_config\_set\_client\_auth\_type(). s2n-tls clients verifying server certificates are not impacted.

Impacted versions: < v1.5.0.

**Patches**

The patch is included in v1.5.0 \[1\].

**Workarounds**

Applications can workaround this issue by calling s2n\_connection\_set\_config() after calling s2n\_connection\_set\_client\_auth\_type(), or by enabling client authentication on the config with s2n\_config\_set\_client\_auth\_type().

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page \[2\] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

\[1\] https://github.com/aws/s2n-tls/releases/tag/v1.5.0

\[2\] https://aws.amazon.com/security/vulnerability-reporting

**References**

*   GHSA-857q-xmph-p2v5
*   aws/s2n-tls@e8ca891

GHSA-857q-xmph-p2v5: s2n-tls's mTLS API ordering may skip client authentication

Ubuntu Security Notice 6951-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-6951-1August 08, 2024linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop,linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm,linux-raspi, linux-xilinx-zynqmp vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-iot: Linux kernel for IoT platforms- linux-kvm: Linux kernel for cloud environments- linux-raspi: Linux kernel for Raspberry Pi systems- linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe-5.4: Linux hardware enablement (HWE) kernel- linux-ibm-5.4: Linux kernel for IBM cloud systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - ARM64 architecture;   - M68K architecture;   - User-Mode Linux (UML);   - x86 architecture;   - Accessibility subsystem;   - Character device driver;   - Clock framework and drivers;   - CPU frequency scaling framework;   - Hardware crypto device drivers;   - Buffer Sharing and Synchronization framework;   - FireWire subsystem;   - GPU drivers;   - HW tracing;   - Macintosh device drivers;   - Multiple devices driver;   - Media drivers;   - Network drivers;   - Pin controllers subsystem;   - S/390 drivers;   - SCSI drivers;   - SoundWire subsystem;   - Greybus lights staging drivers;   - TTY drivers;   - Framebuffer layer;   - Virtio drivers;   - 9P distributed file system;   - eCrypt file system;   - EROFS file system;   - Ext4 file system;   - F2FS file system;   - JFFS2 file system;   - Network file system client;   - NILFS2 file system;   - SMB network file system;   - Kernel debugger infrastructure;   - IRQ subsystem;   - Tracing infrastructure;   - Dynamic debug library;   - 9P file system network protocol;   - Bluetooth subsystem;   - Networking core;   - IPv4 networking;   - IPv6 networking;   - Netfilter;   - NET/ROM layer;   - NFC subsystem;   - NSH protocol;   - Open vSwitch;   - Phonet protocol;   - TIPC protocol;   - Unix domain sockets;   - Wireless networking;   - eXpress Data Path;   - XFRM subsystem;   - ALSA framework;(CVE-2024-36934, CVE-2024-38578, CVE-2024-38600, CVE-2024-27399,CVE-2024-39276, CVE-2024-38596, CVE-2024-36933, CVE-2024-36919,CVE-2024-35976, CVE-2024-37356, CVE-2023-52585, CVE-2024-38558,CVE-2024-38560, CVE-2024-38634, CVE-2024-36959, CVE-2024-38633,CVE-2024-36886, CVE-2024-27398, CVE-2024-39493, CVE-2024-26886,CVE-2024-31076, CVE-2024-38559, CVE-2024-38615, CVE-2024-36971,CVE-2024-38627, CVE-2024-36964, CVE-2024-38780, CVE-2024-37353,CVE-2024-38621, CVE-2024-36883, CVE-2024-39488, CVE-2024-38661,CVE-2024-36939, CVE-2024-38589, CVE-2024-38565, CVE-2024-38381,CVE-2024-35947, CVE-2024-36905, CVE-2022-48772, CVE-2024-36017,CVE-2024-36946, CVE-2024-27401, CVE-2024-38579, CVE-2024-38612,CVE-2024-38598, CVE-2024-38635, CVE-2024-38587, CVE-2024-38567,CVE-2024-38549, CVE-2024-36960, CVE-2023-52752, CVE-2024-27019,CVE-2024-38601, CVE-2024-39489, CVE-2024-39467, CVE-2023-52882,CVE-2024-38583, CVE-2024-39480, CVE-2024-38607, CVE-2024-36940,CVE-2024-38659, CVE-2023-52434, CVE-2024-36015, CVE-2024-38582,CVE-2024-36950, CVE-2024-38552, CVE-2024-33621, CVE-2024-36954,CVE-2024-39475, CVE-2024-39301, CVE-2024-38599, CVE-2024-36902,CVE-2024-36286, CVE-2024-38613, CVE-2024-38637, CVE-2024-36941,CVE-2024-36014, CVE-2024-38618, CVE-2024-36904, CVE-2024-36270,CVE-2024-39292, CVE-2024-39471, CVE-2022-48674)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS   linux-image-5.4.0-1042-iot      5.4.0-1042.43   linux-image-5.4.0-1049-xilinx-zynqmp  5.4.0-1049.53   linux-image-5.4.0-1077-ibm      5.4.0-1077.82   linux-image-5.4.0-1097-gkeop    5.4.0-1097.101   linux-image-5.4.0-1114-raspi    5.4.0-1114.126   linux-image-5.4.0-1118-kvm      5.4.0-1118.125   linux-image-5.4.0-1130-aws      5.4.0-1130.140   linux-image-5.4.0-1134-gcp      5.4.0-1134.143   linux-image-5.4.0-192-generic   5.4.0-192.212   linux-image-5.4.0-192-generic-lpae  5.4.0-192.212   linux-image-5.4.0-192-lowlatency  5.4.0-192.212   linux-image-aws-lts-20.04       5.4.0.1130.127   linux-image-gcp-lts-20.04       5.4.0.1134.136   linux-image-generic             5.4.0.192.190   linux-image-generic-lpae        5.4.0.192.190   linux-image-gkeop               5.4.0.1097.95   linux-image-gkeop-5.4           5.4.0.1097.95   linux-image-ibm-lts-20.04       5.4.0.1077.106   linux-image-kvm                 5.4.0.1118.114   linux-image-lowlatency          5.4.0.192.190   linux-image-oem                 5.4.0.192.190   linux-image-oem-osp1            5.4.0.192.190   linux-image-raspi               5.4.0.1114.144   linux-image-raspi2              5.4.0.1114.144   linux-image-virtual             5.4.0.192.190   linux-image-xilinx-zynqmp       5.4.0.1049.49Ubuntu 18.04 LTS   linux-image-5.4.0-1077-ibm      5.4.0-1077.82~18.04.1                                   Available with Ubuntu Pro   linux-image-5.4.0-1130-aws      5.4.0-1130.140~18.04.1                                   Available with Ubuntu Pro   linux-image-5.4.0-1134-gcp      5.4.0-1134.143~18.04.1                                   Available with Ubuntu Pro   linux-image-5.4.0-192-generic   5.4.0-192.212~18.04.1                                   Available with Ubuntu Pro   linux-image-5.4.0-192-lowlatency  5.4.0-192.212~18.04.1                                   Available with Ubuntu Pro   linux-image-aws                 5.4.0.1130.140~18.04.1                                   Available with Ubuntu Pro   linux-image-gcp                 5.4.0.1134.143~18.04.1                                   Available with Ubuntu Pro   linux-image-generic-hwe-18.04   5.4.0.192.212~18.04.1                                   Available with Ubuntu Pro   linux-image-ibm                 5.4.0.1077.82~18.04.1                                   Available with Ubuntu Pro   linux-image-lowlatency-hwe-18.04  5.4.0.192.212~18.04.1                                   Available with Ubuntu Pro   linux-image-oem                 5.4.0.192.212~18.04.1                                   Available with Ubuntu Pro   linux-image-oem-osp1            5.4.0.192.212~18.04.1                                   Available with Ubuntu Pro   linux-image-snapdragon-hwe-18.04  5.4.0.192.212~18.04.1                                   Available with Ubuntu Pro   linux-image-virtual-hwe-18.04   5.4.0.192.212~18.04.1                                   Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6951-1   CVE-2022-48674, CVE-2022-48772, CVE-2023-52434, CVE-2023-52585,   CVE-2023-52752, CVE-2023-52882, CVE-2024-26886, CVE-2024-27019,   CVE-2024-27398, CVE-2024-27399, CVE-2024-27401, CVE-2024-31076,   CVE-2024-33621, CVE-2024-35947, CVE-2024-35976, CVE-2024-36014,   CVE-2024-36015, CVE-2024-36017, CVE-2024-36270, CVE-2024-36286,   CVE-2024-36883, CVE-2024-36886, CVE-2024-36902, CVE-2024-36904,   CVE-2024-36905, CVE-2024-36919, CVE-2024-36933, CVE-2024-36934,   CVE-2024-36939, CVE-2024-36940, CVE-2024-36941, CVE-2024-36946,   CVE-2024-36950, CVE-2024-36954, CVE-2024-36959, CVE-2024-36960,   CVE-2024-36964, CVE-2024-36971, CVE-2024-37353, CVE-2024-37356,   CVE-2024-38381, CVE-2024-38549, CVE-2024-38552, CVE-2024-38558,   CVE-2024-38559, CVE-2024-38560, CVE-2024-38565, CVE-2024-38567,   CVE-2024-38578, CVE-2024-38579, CVE-2024-38582, CVE-2024-38583,   CVE-2024-38587, CVE-2024-38589, CVE-2024-38596, CVE-2024-38598,   CVE-2024-38599, CVE-2024-38600, CVE-2024-38601, CVE-2024-38607,   CVE-2024-38612, CVE-2024-38613, CVE-2024-38615, CVE-2024-38618,   CVE-2024-38621, CVE-2024-38627, CVE-2024-38633, CVE-2024-38634,   CVE-2024-38635, CVE-2024-38637, CVE-2024-38659, CVE-2024-38661,   CVE-2024-38780, CVE-2024-39276, CVE-2024-39292, CVE-2024-39301,   CVE-2024-39467, CVE-2024-39471, CVE-2024-39475, CVE-2024-39480,   CVE-2024-39488, CVE-2024-39489, CVE-2024-39493Package Information:   https://launchpad.net/ubuntu/+source/linux/5.4.0-192.212   https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1130.140   https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1134.143   https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1097.101   https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1077.82   https://launchpad.net/ubuntu/+source/linux-iot/5.4.0-1042.43   https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1118.125   https://launchpad.net/ubuntu/+source/linux-raspi/5.4.0-1114.126   https://launchpad.net/ubuntu/+source/linux-xilinx-zynqmp/5.4.0-1049.53

Ubuntu Security Notice USN-6951-1

Ubuntu Security Notice 6950-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-6950-1August 08, 2024linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop,linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency,linux-lowlatency-hwe-5.15, linux-nvidia vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-intel-iotg: Linux kernel for Intel IoT platforms- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-nvidia: Linux kernel for NVIDIA systems- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms- linux-lowlatency-hwe-5.15: Linux low latency kernelDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - ARM32 architecture;   - ARM64 architecture;   - Block layer subsystem;   - Bluetooth drivers;   - Clock framework and drivers;   - FireWire subsystem;   - GPU drivers;   - InfiniBand drivers;   - Multiple devices driver;   - EEPROM drivers;   - Network drivers;   - Pin controllers subsystem;   - Remote Processor subsystem;   - S/390 drivers;   - SCSI drivers;   - 9P distributed file system;   - Network file system client;   - SMB network file system;   - Socket messages infrastructure;   - Dynamic debug library;   - Bluetooth subsystem;   - Networking core;   - IPv4 networking;   - IPv6 networking;   - Multipath TCP;   - NSH protocol;   - Phonet protocol;   - TIPC protocol;   - Wireless networking;   - Key management;   - ALSA framework;   - HD-audio driver;(CVE-2024-36883, CVE-2024-36940, CVE-2024-36902, CVE-2024-36975,CVE-2024-36964, CVE-2024-36938, CVE-2024-36931, CVE-2024-35848,CVE-2024-26900, CVE-2024-36967, CVE-2024-36904, CVE-2024-27398,CVE-2024-36031, CVE-2023-52585, CVE-2024-36886, CVE-2024-36937,CVE-2024-36954, CVE-2024-36916, CVE-2024-36905, CVE-2024-36959,CVE-2024-26980, CVE-2024-26936, CVE-2024-36928, CVE-2024-36889,CVE-2024-36929, CVE-2024-36933, CVE-2024-27399, CVE-2024-36946,CVE-2024-36906, CVE-2024-36965, CVE-2024-36957, CVE-2024-36941,CVE-2024-36897, CVE-2024-36952, CVE-2024-36947, CVE-2024-36950,CVE-2024-36880, CVE-2024-36017, CVE-2023-52882, CVE-2024-36969,CVE-2024-38600, CVE-2024-36955, CVE-2024-36960, CVE-2024-27401,CVE-2024-36919, CVE-2024-36934, CVE-2024-35947, CVE-2024-36953,CVE-2024-36944, CVE-2024-36939)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS   linux-image-5.15.0-1050-gkeop   5.15.0-1050.57   linux-image-5.15.0-1062-intel-iotg  5.15.0-1062.68   linux-image-5.15.0-1062-nvidia  5.15.0-1062.63   linux-image-5.15.0-1062-nvidia-lowlatency  5.15.0-1062.63   linux-image-5.15.0-1064-gke     5.15.0-1064.70   linux-image-5.15.0-1064-kvm     5.15.0-1064.69   linux-image-5.15.0-1066-gcp     5.15.0-1066.74   linux-image-5.15.0-1067-aws     5.15.0-1067.73   linux-image-5.15.0-118-generic  5.15.0-118.128   linux-image-5.15.0-118-generic-64k  5.15.0-118.128   linux-image-5.15.0-118-generic-lpae  5.15.0-118.128   linux-image-5.15.0-118-lowlatency  5.15.0-118.128   linux-image-5.15.0-118-lowlatency-64k  5.15.0-118.128   linux-image-aws-lts-22.04       5.15.0.1067.67   linux-image-gcp-lts-22.04       5.15.0.1066.62   linux-image-generic             5.15.0.118.118   linux-image-generic-64k         5.15.0.118.118   linux-image-generic-lpae        5.15.0.118.118   linux-image-gke                 5.15.0.1064.63   linux-image-gke-5.15            5.15.0.1064.63   linux-image-gkeop               5.15.0.1050.49   linux-image-gkeop-5.15          5.15.0.1050.49   linux-image-intel-iotg          5.15.0.1062.62   linux-image-kvm                 5.15.0.1064.60   linux-image-lowlatency          5.15.0.118.108   linux-image-lowlatency-64k      5.15.0.118.108   linux-image-nvidia              5.15.0.1062.62   linux-image-nvidia-lowlatency   5.15.0.1062.62   linux-image-virtual             5.15.0.118.118Ubuntu 20.04 LTS   linux-image-5.15.0-1062-intel-iotg  5.15.0-1062.68~20.04.1   linux-image-5.15.0-1066-gcp     5.15.0-1066.74~20.04.1   linux-image-5.15.0-118-lowlatency  5.15.0-118.128~20.04.1   linux-image-5.15.0-118-lowlatency-64k  5.15.0-118.128~20.04.1   linux-image-gcp                 5.15.0.1066.74~20.04.1   linux-image-intel               5.15.0.1062.68~20.04.1   linux-image-intel-iotg          5.15.0.1062.68~20.04.1   linux-image-lowlatency-64k-hwe-20.04  5.15.0.118.128~20.04.1   linux-image-lowlatency-hwe-20.04  5.15.0.118.128~20.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6950-1   CVE-2023-52585, CVE-2023-52882, CVE-2024-26900, CVE-2024-26936,   CVE-2024-26980, CVE-2024-27398, CVE-2024-27399, CVE-2024-27401,   CVE-2024-35848, CVE-2024-35947, CVE-2024-36017, CVE-2024-36031,   CVE-2024-36880, CVE-2024-36883, CVE-2024-36886, CVE-2024-36889,   CVE-2024-36897, CVE-2024-36902, CVE-2024-36904, CVE-2024-36905,   CVE-2024-36906, CVE-2024-36916, CVE-2024-36919, CVE-2024-36928,   CVE-2024-36929, CVE-2024-36931, CVE-2024-36933, CVE-2024-36934,   CVE-2024-36937, CVE-2024-36938, CVE-2024-36939, CVE-2024-36940,   CVE-2024-36941, CVE-2024-36944, CVE-2024-36946, CVE-2024-36947,   CVE-2024-36950, CVE-2024-36952, CVE-2024-36953, CVE-2024-36954,   CVE-2024-36955, CVE-2024-36957, CVE-2024-36959, CVE-2024-36960,   CVE-2024-36964, CVE-2024-36965, CVE-2024-36967, CVE-2024-36969,   CVE-2024-36975, CVE-2024-38600Package Information:   https://launchpad.net/ubuntu/+source/linux/5.15.0-118.128   https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1067.73   https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1066.74   https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1064.70   https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1050.57   https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1062.68   https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1064.69   https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-118.128   https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1062.63   https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1066.74~20.04.1  https://launchpad.net/ubuntu/+source/linux-intel-iotg-5.15/5.15.0-1062.68~20.04.1  https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-118.128~20.04.1

Ubuntu Security Notice USN-6950-1

Ubuntu Security Notice 6949-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-6949-1August 08, 2024linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-nvidia,linux-nvidia-6.8, linux-oem-6.8 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-nvidia: Linux kernel for NVIDIA systems- linux-oem-6.8: Linux kernel for OEM systems- linux-nvidia-6.8: Linux kernel for NVIDIA systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - ARM32 architecture;   - ARM64 architecture;   - M68K architecture;   - OpenRISC architecture;   - PowerPC architecture;   - RISC-V architecture;   - x86 architecture;   - Block layer subsystem;   - Accessibility subsystem;   - Bluetooth drivers;   - Clock framework and drivers;   - CPU frequency scaling framework;   - Hardware crypto device drivers;   - DMA engine subsystem;   - DPLL subsystem;   - FireWire subsystem;   - EFI core;   - Qualcomm firmware drivers;   - GPIO subsystem;   - GPU drivers;   - Microsoft Hyper-V drivers;   - InfiniBand drivers;   - IOMMU subsystem;   - IRQ chip drivers;   - Macintosh device drivers;   - Multiple devices driver;   - Media drivers;   - EEPROM drivers;   - MMC subsystem;   - Network drivers;   - STMicroelectronics network drivers;   - Device tree and open firmware driver;   - HiSilicon SoC PMU drivers;   - PHY drivers;   - Pin controllers subsystem;   - Remote Processor subsystem;   - S/390 drivers;   - SCSI drivers;   - SPI subsystem;   - Media staging drivers;   - Thermal drivers;   - Userspace I/O drivers;   - USB subsystem;   - DesignWare USB3 driver;   - ACRN Hypervisor Service Module driver;   - Virtio drivers;   - 9P distributed file system;   - BTRFS file system;   - eCrypt file system;   - EROFS file system;   - File systems infrastructure;   - GFS2 file system;   - JFFS2 file system;   - Network file systems library;   - Network file system client;   - Network file system server daemon;   - NILFS2 file system;   - Proc file system;   - SMB network file system;   - Tracing file system;   - Mellanox drivers;   - Memory management;   - Socket messages infrastructure;   - Slab allocator;   - Tracing infrastructure;   - User-space API (UAPI);   - Core kernel;   - BPF subsystem;   - DMA mapping infrastructure;   - RCU subsystem;   - Dynamic debug library;   - KUnit library;   - Maple Tree data structure library;   - Heterogeneous memory management;   - Amateur Radio drivers;   - Bluetooth subsystem;   - Ethernet bridge;   - Networking core;   - IPv4 networking;   - IPv6 networking;   - Multipath TCP;   - Netfilter;   - NET/ROM layer;   - NFC subsystem;   - NSH protocol;   - Open vSwitch;   - Phonet protocol;   - SMC sockets;   - TIPC protocol;   - Unix domain sockets;   - Wireless networking;   - Key management;   - ALSA framework;   - HD-audio driver;   - Kirkwood ASoC drivers;   - MediaTek ASoC drivers;(CVE-2024-36006, CVE-2024-36922, CVE-2024-38567, CVE-2024-38584,CVE-2024-36923, CVE-2024-36892, CVE-2024-35855, CVE-2024-35853,CVE-2024-38562, CVE-2024-36920, CVE-2024-38543, CVE-2024-38576,CVE-2024-38572, CVE-2024-36898, CVE-2024-38560, CVE-2024-36004,CVE-2024-36956, CVE-2024-36881, CVE-2024-36977, CVE-2024-36955,CVE-2024-36906, CVE-2024-36013, CVE-2024-36884, CVE-2024-38563,CVE-2024-36966, CVE-2024-38547, CVE-2024-38594, CVE-2024-36926,CVE-2024-38587, CVE-2024-38566, CVE-2024-27400, CVE-2024-36941,CVE-2024-36017, CVE-2024-38544, CVE-2024-36899, CVE-2024-35851,CVE-2024-38577, CVE-2024-38590, CVE-2024-38568, CVE-2024-38559,CVE-2024-38611, CVE-2024-36887, CVE-2024-36886, CVE-2024-35996,CVE-2024-38612, CVE-2024-36925, CVE-2024-38586, CVE-2024-38596,CVE-2024-36932, CVE-2024-39482, CVE-2024-38585, CVE-2024-36033,CVE-2024-38614, CVE-2024-35852, CVE-2024-36908, CVE-2024-36939,CVE-2024-36963, CVE-2024-27401, CVE-2024-36029, CVE-2024-38540,CVE-2024-38565, CVE-2024-36927, CVE-2024-36910, CVE-2024-42134,CVE-2024-36888, CVE-2024-35859, CVE-2024-36911, CVE-2024-35947,CVE-2024-36940, CVE-2024-36921, CVE-2024-36913, CVE-2024-36943,CVE-2024-35986, CVE-2024-38616, CVE-2024-36900, CVE-2024-36954,CVE-2024-36915, CVE-2024-38602, CVE-2024-41011, CVE-2024-35991,CVE-2024-36909, CVE-2024-38603, CVE-2023-52882, CVE-2024-36953,CVE-2024-38599, CVE-2024-38574, CVE-2024-36967, CVE-2024-36895,CVE-2024-36003, CVE-2024-36961, CVE-2024-38545, CVE-2024-38538,CVE-2024-36001, CVE-2024-36912, CVE-2024-36952, CVE-2024-38550,CVE-2024-38570, CVE-2024-36969, CVE-2024-38595, CVE-2024-35849,CVE-2024-36936, CVE-2024-35949, CVE-2024-36009, CVE-2024-35987,CVE-2024-38541, CVE-2024-38564, CVE-2024-36032, CVE-2024-38615,CVE-2024-36960, CVE-2024-36934, CVE-2024-36951, CVE-2024-35999,CVE-2024-38551, CVE-2024-36903, CVE-2024-36931, CVE-2024-38593,CVE-2024-36938, CVE-2024-38607, CVE-2024-36928, CVE-2024-38552,CVE-2024-36002, CVE-2024-38605, CVE-2024-38582, CVE-2024-36933,CVE-2024-38620, CVE-2024-27395, CVE-2024-27396, CVE-2024-36012,CVE-2024-38591, CVE-2024-38597, CVE-2024-36889, CVE-2024-36964,CVE-2024-38606, CVE-2024-38553, CVE-2024-36945, CVE-2024-35848,CVE-2024-36962, CVE-2024-36947, CVE-2024-27399, CVE-2024-38546,CVE-2024-38583, CVE-2024-38573, CVE-2024-35850, CVE-2024-38549,CVE-2024-38588, CVE-2024-38610, CVE-2024-36917, CVE-2024-36957,CVE-2024-35846, CVE-2024-38579, CVE-2024-36965, CVE-2024-35857,CVE-2024-38548, CVE-2024-36975, CVE-2024-36919, CVE-2024-38542,CVE-2024-36948, CVE-2024-36011, CVE-2024-38556, CVE-2024-36897,CVE-2024-38557, CVE-2024-36890, CVE-2024-36882, CVE-2024-38613,CVE-2024-36914, CVE-2024-35998, CVE-2024-36958, CVE-2024-38580,CVE-2024-36896, CVE-2024-36891, CVE-2024-36924, CVE-2024-38589,CVE-2024-38592, CVE-2024-36904, CVE-2024-36894, CVE-2024-36028,CVE-2024-36014, CVE-2024-36880, CVE-2024-36944, CVE-2024-38598,CVE-2024-36929, CVE-2024-36883, CVE-2024-35858, CVE-2024-38555,CVE-2024-36005, CVE-2024-38539, CVE-2024-35994, CVE-2024-36030,CVE-2024-27394, CVE-2024-36930, CVE-2024-36937, CVE-2024-38561,CVE-2024-38578, CVE-2024-36959, CVE-2024-36935, CVE-2024-36916,CVE-2024-36902, CVE-2024-38604, CVE-2024-38554, CVE-2024-38575,CVE-2024-36918, CVE-2024-36979, CVE-2024-35854, CVE-2024-36968,CVE-2024-38558, CVE-2024-36000, CVE-2024-27398, CVE-2024-35983,CVE-2024-36949, CVE-2024-38600, CVE-2024-36950, CVE-2024-36946,CVE-2024-36031, CVE-2024-35847, CVE-2024-36905, CVE-2024-38571,CVE-2024-36007, CVE-2024-35856, CVE-2024-38601, CVE-2024-38569,CVE-2024-38617, CVE-2024-35988, CVE-2024-35989, CVE-2024-35993,CVE-2024-36893, CVE-2024-36901)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS   linux-image-6.8.0-1008-gke      6.8.0-1008.11   linux-image-6.8.0-1010-ibm      6.8.0-1010.10   linux-image-6.8.0-1010-oem      6.8.0-1010.10   linux-image-6.8.0-1011-nvidia   6.8.0-1011.11   linux-image-6.8.0-1011-nvidia-64k  6.8.0-1011.11   linux-image-6.8.0-1012-gcp      6.8.0-1012.13   linux-image-6.8.0-1013-aws      6.8.0-1013.14   linux-image-6.8.0-40-generic    6.8.0-40.40   linux-image-6.8.0-40-generic-64k  6.8.0-40.40   linux-image-aws                 6.8.0-1013.14   linux-image-gcp                 6.8.0-1012.13   linux-image-generic             6.8.0-40.40   linux-image-generic-64k         6.8.0-40.40   linux-image-generic-64k-hwe-24.04  6.8.0-40.40   linux-image-generic-hwe-24.04   6.8.0-40.40   linux-image-generic-lpae        6.8.0-40.40   linux-image-gke                 6.8.0-1008.11   linux-image-ibm                 6.8.0-1010.10   linux-image-ibm-classic         6.8.0-1010.10   linux-image-ibm-lts-24.04       6.8.0-1010.10   linux-image-kvm                 6.8.0-40.40   linux-image-nvidia              6.8.0-1011.11   linux-image-nvidia-64k          6.8.0-1011.11   linux-image-oem-24.04           6.8.0-1010.10   linux-image-oem-24.04a          6.8.0-1010.10   linux-image-virtual             6.8.0-40.40   linux-image-virtual-hwe-24.04   6.8.0-40.40Ubuntu 22.04 LTS   linux-image-6.8.0-1011-nvidia   6.8.0-1011.11~22.04.1   linux-image-6.8.0-1011-nvidia-64k  6.8.0-1011.11~22.04.1   linux-image-nvidia-6.8          6.8.0-1011.11~22.04.1   linux-image-nvidia-64k-6.8      6.8.0-1011.11~22.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6949-1   CVE-2023-52882, CVE-2024-27394, CVE-2024-27395, CVE-2024-27396,   CVE-2024-27398, CVE-2024-27399, CVE-2024-27400, CVE-2024-27401,   CVE-2024-35846, CVE-2024-35847, CVE-2024-35848, CVE-2024-35849,   CVE-2024-35850, CVE-2024-35851, CVE-2024-35852, CVE-2024-35853,   CVE-2024-35854, CVE-2024-35855, CVE-2024-35856, CVE-2024-35857,   CVE-2024-35858, CVE-2024-35859, CVE-2024-35947, CVE-2024-35949,   CVE-2024-35983, CVE-2024-35986, CVE-2024-35987, CVE-2024-35988,   CVE-2024-35989, CVE-2024-35991, CVE-2024-35993, CVE-2024-35994,   CVE-2024-35996, CVE-2024-35998, CVE-2024-35999, CVE-2024-36000,   CVE-2024-36001, CVE-2024-36002, CVE-2024-36003, CVE-2024-36004,   CVE-2024-36005, CVE-2024-36006, CVE-2024-36007, CVE-2024-36009,   CVE-2024-36011, CVE-2024-36012, CVE-2024-36013, CVE-2024-36014,   CVE-2024-36017, CVE-2024-36028, CVE-2024-36029, CVE-2024-36030,   CVE-2024-36031, CVE-2024-36032, CVE-2024-36033, CVE-2024-36880,   CVE-2024-36881, CVE-2024-36882, CVE-2024-36883, CVE-2024-36884,   CVE-2024-36886, CVE-2024-36887, CVE-2024-36888, CVE-2024-36889,   CVE-2024-36890, CVE-2024-36891, CVE-2024-36892, CVE-2024-36893,   CVE-2024-36894, CVE-2024-36895, CVE-2024-36896, CVE-2024-36897,   CVE-2024-36898, CVE-2024-36899, CVE-2024-36900, CVE-2024-36901,   CVE-2024-36902, CVE-2024-36903, CVE-2024-36904, CVE-2024-36905,   CVE-2024-36906, CVE-2024-36908, CVE-2024-36909, CVE-2024-36910,   CVE-2024-36911, CVE-2024-36912, CVE-2024-36913, CVE-2024-36914,   CVE-2024-36915, CVE-2024-36916, CVE-2024-36917, CVE-2024-36918,   CVE-2024-36919, CVE-2024-36920, CVE-2024-36921, CVE-2024-36922,   CVE-2024-36923, CVE-2024-36924, CVE-2024-36925, CVE-2024-36926,   CVE-2024-36927, CVE-2024-36928, CVE-2024-36929, CVE-2024-36930,   CVE-2024-36931, CVE-2024-36932, CVE-2024-36933, CVE-2024-36934,   CVE-2024-36935, CVE-2024-36936, CVE-2024-36937, CVE-2024-36938,   CVE-2024-36939, CVE-2024-36940, CVE-2024-36941, CVE-2024-36943,   CVE-2024-36944, CVE-2024-36945, CVE-2024-36946, CVE-2024-36947,   CVE-2024-36948, CVE-2024-36949, CVE-2024-36950, CVE-2024-36951,   CVE-2024-36952, CVE-2024-36953, CVE-2024-36954, CVE-2024-36955,   CVE-2024-36956, CVE-2024-36957, CVE-2024-36958, CVE-2024-36959,   CVE-2024-36960, CVE-2024-36961, CVE-2024-36962, CVE-2024-36963,   CVE-2024-36964, CVE-2024-36965, CVE-2024-36966, CVE-2024-36967,   CVE-2024-36968, CVE-2024-36969, CVE-2024-36975, CVE-2024-36977,   CVE-2024-36979, CVE-2024-38538, CVE-2024-38539, CVE-2024-38540,   CVE-2024-38541, CVE-2024-38542, CVE-2024-38543, CVE-2024-38544,   CVE-2024-38545, CVE-2024-38546, CVE-2024-38547, CVE-2024-38548,   CVE-2024-38549, CVE-2024-38550, CVE-2024-38551, CVE-2024-38552,   CVE-2024-38553, CVE-2024-38554, CVE-2024-38555, CVE-2024-38556,   CVE-2024-38557, CVE-2024-38558, CVE-2024-38559, CVE-2024-38560,   CVE-2024-38561, CVE-2024-38562, CVE-2024-38563, CVE-2024-38564,   CVE-2024-38565, CVE-2024-38566, CVE-2024-38567, CVE-2024-38568,   CVE-2024-38569, CVE-2024-38570, CVE-2024-38571, CVE-2024-38572,   CVE-2024-38573, CVE-2024-38574, CVE-2024-38575, CVE-2024-38576,   CVE-2024-38577, CVE-2024-38578, CVE-2024-38579, CVE-2024-38580,   CVE-2024-38582, CVE-2024-38583, CVE-2024-38584, CVE-2024-38585,   CVE-2024-38586, CVE-2024-38587, CVE-2024-38588, CVE-2024-38589,   CVE-2024-38590, CVE-2024-38591, CVE-2024-38592, CVE-2024-38593,   CVE-2024-38594, CVE-2024-38595, CVE-2024-38596, CVE-2024-38597,   CVE-2024-38598, CVE-2024-38599, CVE-2024-38600, CVE-2024-38601,   CVE-2024-38602, CVE-2024-38603, CVE-2024-38604, CVE-2024-38605,   CVE-2024-38606, CVE-2024-38607, CVE-2024-38610, CVE-2024-38611,   CVE-2024-38612, CVE-2024-38613, CVE-2024-38614, CVE-2024-38615,   CVE-2024-38616, CVE-2024-38617, CVE-2024-38620, CVE-2024-39482,   CVE-2024-41011, CVE-2024-42134Package Information:   https://launchpad.net/ubuntu/+source/linux/6.8.0-40.40   https://launchpad.net/ubuntu/+source/linux-aws/6.8.0-1013.14   https://launchpad.net/ubuntu/+source/linux-gcp/6.8.0-1012.13   https://launchpad.net/ubuntu/+source/linux-gke/6.8.0-1008.11   https://launchpad.net/ubuntu/+source/linux-ibm/6.8.0-1010.10   https://launchpad.net/ubuntu/+source/linux-nvidia/6.8.0-1011.11   https://launchpad.net/ubuntu/+source/linux-oem-6.8/6.8.0-1010.10   https://launchpad.net/ubuntu/+source/linux-nvidia-6.8/6.8.0-1011.11~22.04.1

Ubuntu Security Notice USN-6949-1

As AI technologies continue to advance at a rapid pace, privacy, security and governance teams can't expect to achieve strong AI governance while working in isolation.

Source: marcos alvarado via Alamy Stock Photo

COMMENTARY

AI technology is proliferating at a rapid pace, becoming an essential component of many businesses' operations. While organizations are achieving genuine benefits with them, the rise of AI-based systems does create new obstacles regarding data privacy, reputational risk, and new attack vectors for companies. 

AI systems rely on massive amounts of data, often including sensitive personal information. Improper handling of this data can lead to cyber vulnerabilities, privacy violations, and legal and regulatory issues. When tampered with, AI tools also have the potential to cause reputational damage — such as when Microsoft's AI chatbot Tay was exploited by users who fed it offensive and racist content, or when Amazon's AI recruiting tool exhibited bias against female candidates after being trained on historical hiring data that favored men. These incidents illustrate how important it is for organizations to implement safeguards to ensure AI systems aren't learning — and then generating outputs with — biased or malicious data.

Developing these safeguards requires a collaborative approach from privacy, security, and governance teams. While these teams, of course, have their areas of expertise, approaching AI governance from siloes won't work. Here are some ways that privacy, security, and governance teams can each flex their strengths to collaborate on strong AI governance:

**Security Team**

*   Infrastructure hardening: Strengthen your organization’s AI/ML infrastructure so that it can handle extensive training data — securely. You can achieve this by building strong access controls over who can access training data, setting multifactor authentication protocols for any access to the infrastructure, patching the infrastructure, and so on. Test the strength of your AI/ML infrastructure with red teaming or penetration testing. 
    
*   Alerting and monitoring: Develop robust monitoring capabilities to detect and prevent theft of your proprietary AI models.
    
*   Data leakage prevention: Adequate governance over the data being input into third-party AI systems is crucial; after all, this is what these AI systems will be trained on. Implement data leakage prevention solutions and strategies to monitor the sensitive data flowing into your and third-party AI systems, and ensure all AI solutions are vetted before uploading any sensitive information.
    
*   Employee training: Educate employees on AI-related risks, such as deepfakes and voice-based vishing attacks. Regularly test employees on their abilities to identify and thwart potential attacks.
    

**Governance Team**

*   Evaluate, evaluate, evaluate: Continuously evaluate the ethical implications of using AI technologies within your organization, and cross-check your AI and data practices with new regulation to ensure you remain compliant.
    
*   And educate, educate, educate: With the rapidly changing landscape, it’s crucial to continuously educate and enable your employees on risks and organizational policies for AI usage.
    

**Privacy Team**

*   AI risk assessments: Own the process of conducting risk assessments for AI projects to identify and mitigate privacy and compliance risks. 
    
*   Privacy by design: Implement privacy-by-design principles in AI development to build privacy-focused AI systems. These include ensuring consumer consent gathering strategies are understood, putting privacy safeguards in place to protect personal data, and implementing data anonymization strategies when training models.
    
*   Maintaining transparency and user preferences: Build workflows to ensure transparency and manage user consent, preferences, and data rights effectively.
    

**Working Together**

Collaboration between these teams is crucial for effective AI governance. Here's where they'll intertwine most:

*   AI task force: Develop a cross-functional AI task force within the organization with representation from key stakeholders across privacy, security, and governance. This task force will be responsible for developing AI guidelines and policies for the organization, approving the procurement of new AI technologies to carefully evaluate and mitigate AI risks, and ensuring that AI safety is prioritized when new systems are developed. Schedule regular meetings (monthly, for example) for the AI task force to discuss industry trends, emerging threats, and new use cases for AI technologies.
    
*   Dedicated communication channels: Establish channels where employees can easily ask questions and receive timely information about approved AI tools and their use. Utilize cross-functional forums like company all-hands or department-specific all-hands meetings to communicate organization-wide updates pertaining to AI use and considerations.
    
*   Leveraging technology and automation: The rise of AI systems has led to innovative technologies designed to identify and catalog AI systems within your organization and supply chain. It is essential to evaluate and implement these tools to enhance your AI governance framework. Integrating these advanced technologies, as well as solutions like SecurityPal for navigating security reviews, can help you maintain oversight, ensure compliance, and effectively manage the growing complexity of AI applications.
    

As AI technologies continue to advance at a rapid pace, privacy, security, and governance teams can't expect to achieve strong AI governance while working in isolation. The creation of an AI task force, fostering open communication around timely challenges and risks, will provide immediate benefits. Working together, rather than in siloes, these teams can ensure your AI systems are developed and deployed responsibly, ethically, and securely, ultimately safeguarding your organization's reputation and integrity.

**About the Authors**

Sanket Kavishwar, Director of Product Management, Relyance AI

Sanket Kavishwar is director of product management at Relyance AI. With more than a decade of experience in SaaS, Sanket has a diverse background encompassing roles as a software engineer developing security solutions, a consultant implementing ERP solutions for enterprise clients, a customer success leader managing enterprise accounts, and a go-to-market leader scaling advanced privacy programs for enterprises. Currently, as a product leader, he focuses on delivering products at the intersection of privacy and security.

Security & GRC Lead, Plaid

Kenneth Moras, security and GRC lead for Plaid, is a cybersecurity leader with extensive experience in building strategic risk management programs at Plaid and scaling cybersecurity programs at notable organizations such as Meta and Adobe. His expertise also extends to cybersecurity consulting for Fortune 500 companies during his tenure at KPMG.

Building an Effective Strategy to Manage AI Risks

Researchers at Aqua Security discovered the "Shadow Resource" attack vector and the "Bucket Monopoly" problem, where threat actors can guess the name of S3 buckets based on their public account IDs.

Source: Holger Burmeister via Alamy Stock Photo

BLACK HAT USA – Las Vegas – Thursday, Aug. 8 – Six critical vulnerabilities in Amazon Web Services (AWS) could have allowed threat actors to target organizations with remote code execution (RCE), exfiltration, denial-of-service attacks, or even account takeovers.

"Most of the vulnerabilities were considered critical because they gave access to other accounts with minimal effort from the attacker perspective," Aqua's lead security researcher Yakir Kadkoda tells Dark Reading.

During a briefing on Wednesday at Black Hat USA in Las Vegas, researchers at Aqua Security revealed that they discovered new attack vectors using bugs "Bucket Monopoly" and "Shadow Resources." The impacted AWS services include Cloud Formation, CodeStar, EMR, Glue, SageMaker, and Service Catalog.

Upon discovering the vulnerabilities in February, the Aqua researchers reported them to AWS, which confirmed the issues and rolled out mitigations to the respective services piecemeal between March and June. However, open source iterations could still be vulnerable.

**'Bucket Monopoly': Attacking Public AWS Account IDs**

The researchers first uncovered Bucket Monopoly, an attack method that can significantly boost the success rate of attacks that exploit AWS S3 buckets — i.e., online storage containers for managing objects, such as files or images, and resources required for storing operational data.

The issue is that S3 storage buckets were designed to use predictable, easy-to-guess AWS account IDs instead of a unique identifier for each bucket name using a hash or qualifier.

"Sometimes the only thing that an attacker needs to know about an organization is their public account ID for AWS, which is not considered sensitive data right now, but we recommend it is something that an organization should keep as a secret," Kadkoda says.

To mitigate the issue, AWS changed the default configurations.

"All of the services have been fixed by AWS in that they no longer create the bucket name automatically," he explains. "AWS now adds a random identifier or sequence number if the desired bucket name already exists."

Security researchers and AWS customers have long debated whether AWS account IDs should be public or private. AWS cautions customers against sharing credentials and advises them to use and share account IDs carefully. However, according to AWS documentation on account identities, account IDs "are not considered secret, sensitive, or confidential information."

Aqua's researchers disagree.

"Based on our research, we strongly believe that account IDs should be considered secrets since there may be other kinds of similar exploits that could be carried out based on knowing an account ID," Kadkoda notes in a detailed technical report on the vulnerabilities set to be published on Friday. "Although the common assumption is that knowing an account ID alone is not sufficient to hack an account, attackers might still use it to gather information about your AWS account and more."

An AWS spokesperson declined to comment on that specifically, but did say that AWS was aware of this research.

"We can confirm that we have fixed this issue, all services are operating as expected, and no customer action is required,” the spokesperson says.

**Shadow Resources: Hidden Assets Offer Cover for Attackers**

Kadkoda says his team also discovered the Shadow Resources attack vector, which can create AWS S3 service components unknown to the account owner.

The researchers initially discovered the problem in the AWS CloudFormation service, where an attacker could engage in resource squatting by creating accounts in unused AWS geographic regions with the same name as legitimate, existing stacks. Once the victim stored their workloads in a new region, they could connect to it and then unknowingly use attacker-controlled S3 buckets.

That's because when using the service with the AWS Management Console to create a new stack, AWS automatically creates an S3 bucket to store CloudFormation templates. The name of the S3 bucket is the same across all AWS regions, which is how an attacker can guess the account name and gain access to it.

"I can take over your S3 bucket and just poison the configuration and replace it," Aqua security researcher Assaf Morag says. "It's a huge thing because in between the lines, with a remote code execution, you can grab the accounts of any company in the world."

All services require configuration files, and AWS uses S3 buckets as its file system to store configurations.

"In most cases, these configurations are really significant because these are the instructions to the services," Morag says. "It could be a YAML file or other things that the service needs to use behind the scenes."

Given that customers can have hundreds or thousands of distinct AWS accounts spread across regions worldwide, exploits of shadow services could have been significant, Morag emphasizes. Where there were any victims of the vulnerability is not known.

"The potential of being attacked or being a victim could have been massive," he says.

**Open Source Projects in S3 Buckets Could Still Be Vulnerable**

While AWS has mitigated the vulnerabilities impacting its services, Kadkoda warns that the attack vectors could still impact open source projects deployed in their AWS environments. Many open source projects automatically create S3 buckets or direct users to deploy them, he notes.

"We found a lot of open source projects vulnerable to this vector because they're using them behind the scenes with predictable bucket names," Kadkoda says.

Users should check to see whether each existing bucket's name has been claimed elsewhere, and, if so, they should rename it.

In all cases, Kadkoda and Morag say users should avoid creating S3 buckets with predictable or static identifiers in the first place. Instead, they should create an S3 bucket name with a unique hash or a random identifier for each region and account to prevent attackers from claiming them first.

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Critical AWS Vulnerabilities Allow S3 Attack Bonanza

Cybersecurity researchers have discovered a novel phishing campaign that leverages Google Drawings and shortened links generated via WhatsApp to evade detection and trick users into clicking on bogus links designed to steal sensitive information.
"The attackers chose a group of the best-known websites in computing to craft the threat, including Google and WhatsApp to host the attack elements,

Network Security / Cloud Security

Cybersecurity researchers have discovered a novel phishing campaign that leverages Google Drawings and shortened links generated via WhatsApp to evade detection and trick users into clicking on bogus links designed to steal sensitive information.

"The attackers chose a group of the best-known websites in computing to craft the threat, including Google and WhatsApp to host the attack elements, and an Amazon look-alike to harvest the victim's information," Menlo Security researcher Ashwin Vamshi said. "This attack is a great example of a Living Off Trusted Sites (LoTS) threat."

The starting point of the attack is a phishing email that directs the recipients to a graphic that appears to be an Amazon account verification link. This graphic, for its part, is hosted on Google Drawings, in an apparent effort to evade detection.

Abusing legitimate services has obvious benefits for attackers in that they're not only a low-cost solution, but more importantly, they offer a clandestine way of communication inside networks, as they are unlikely to be blocked by security products or firewalls.

"Another thing that makes Google Drawings appealing in the beginning of the attack is that it allows users (in this case, the attacker) to include links in their graphics," Vamshi said. "Such links may easily go unnoticed by users, particularly if they feel a sense of urgency around a potential threat to their Amazon account."

Users who end up clicking on the verification link are taken to a lookalike Amazon login page, with the URL crafted successively using two different URL shorteners -- WhatsApp ("l.wl\[.\]co") followed by qrco\[.\]de -- as an added layer of obfuscation and deceive security URL scanners.

The fake page is designed to harvest credentials, personal information, and credit card details, after which the victims are redirected to the original phished Amazon login page. As an extra step, the web page is rendered inaccessible from the same IP address once the credentials have been validated.

The disclosure comes as researchers have identified a loophole in Microsoft 365's anti-phishing mechanisms that could be abused to increase the risk of users opening phishing emails.

The method entails the use of CSS trickery to hide the "First Contact Safety Tip," which alerts users when they receive emails from an unknown address. Microsoft, which has acknowledged the issue, has yet to release a fix.

"The First Contact Safety Tip is prepended to the body of an HTML email, which means it is possible to alter the way it is displayed through the use of CSS style tags," Austrian cybersecurity outfit Certitude said. "We can take this a step further, and spoof the icons Microsoft Outlook adds to emails that are encrypted and/or signed."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Phishing Scam Uses Google Drawings and WhatsApp Shortened Links

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Someone did — or didn't — do something they should or shouldn't have, but no one wants to claim responsibility. What's your take? Send us a cybersecurity-related caption to explain the scene, above, and our favorite will win its creator a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the August 28, 2024, deadline:

*   Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Props to Marcello Delcaro, implementation manager at Exiger, whose caption for last month's "Cyber Cloudburst" contest snagged first place and a $25 Amazon gift card. Many thanks to all who played!

**About the Author**

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Edge Toon: Pointing Fingers

PRESS RELEASE

SEATTLE -- July 31, 2024 – Protect AI, a leader in AI security, today announced the acquisition of SydeLabs, which specializes in the automated attack simulation (red teaming) of generative AI (GenAI) systems. This strategic acquisition enhances Protect AI's platform ability to test and improve LLM security and extends the company’s lead as the only provider of end-to-end AI security solutions.

SydeLabs: A Leader in AI Red Teaming

Generative AI and LLM adoption are revolutionizing industries. LLMs are being integrated into critical end user applications such as customer service, finance and healthcare. However the complexity and scale of the technology has exacerbated security concerns that traditional application security processes simply can not keep up with or address effectively. 

SydeLabs was founded less than a year ago by former product and engineering leads from Google and MPL, and has quickly established itself as a pioneer in the field of AI security. Based in Bangalore, India, SydeLabs has developed SydeBox, a cutting-edge product designed to provide comprehensive vulnerability assessments for GenAI systems. The talented team from SydeLabs will join Protect AI where they will continue to add local talent in Bangalore to complement our Seattle and Berlin based teams.

“Protect AI is continuously looking to add products to our AI security posture management platform that help our customers build a safer AI-powered world,” said Ian Swanson, CEO of Protect AI. “The acquisition of SydeLabs extends the Protect AI platform with unmatched red teaming capabilities and immediately provides our customers with the ability to stress test, benchmark and harden their large language models against security risks.” 

SydeBox will be integrated into the Protect AI Platform and rebranded as Protect AI Recon. Recon identifies potential vulnerabilities in LLMs, ensuring enterprises can deploy AI applications with confidence. Key features of Recon include no-code integration, model-agnostic scanning, and detailed threat profiling across multiple categories. Recon uses both an attack library and LLM agent based solution for red teaming and evaluating the security and safety of GenAI systems. Protect AI Recon aligns perfectly with the growing demand for robust AI security solutions, driven by formal guidance from NIST, MITRE, OWASP and CISA, as well as mandates like the Executive Order on AI Safety and Security and the EU AI Act.

“The combination of SydeLabs’ SydeBox and Protect AI’s platform provides customers a comprehensive defense-in-depth solution for building, managing, testing, deploying and monitoring LLMs,” said Ruchir Patwa, co-founder of SydeLabs. “We couldn’t be more excited about joining the Protect AI mission and the prospect of what we can achieve in terms of helping companies of all sizes adopt and deploy more secure LLMs and AI applications.”

The new Recon product will enable Protect AI to meet growing customer demand for robust AI security solutions. Customers will benefit from detailed threat profiling across jailbreaks, prompt injection attacks, input manipulations and other attack vectors, which are crucial for maintaining the integrity and security of AI systems. Recon covers six of the OWASP Top 10 for LLM applications.

“Recon, formally SydeBox, has enabled us to identify and fix security blindspots before deploying our GenAI solutions to ensure we are building the most secure and safe LLM powered applications, and that products we serve our customers are free from any security or safety loopholes,” Said Kiran Darisi, CTO and cofounder, AtomicWork.

This acquisition and new product, Recon, further enhances Protect AI’s position as the leader in the AI security market and AI Security Posture Management (AI-SPM) solutions, differentiating it from competitors and solidifying its market presence. More specifically when used alongside Layer, Protect AI’s LLM observability and monitoring solution, Recon enables organizations to harden the implementation of LLMs against the spectrum of emerging security concerns associated with GenAI usage. Partners and stakeholders will also gain from the enhanced security capabilities, ensuring that the entire AI ecosystem is better protected against potential threats.

About SydeLabs

SydeLabs is a pioneering AI security company specializing in automated red teaming for GenAI systems. Founded by former leaders from Google and MPL, SydeLabs has developed SydeBox, a leading product designed to identify and mitigate vulnerabilities in LLMs. SydeLabs’ products have been adopted by enterprises to make GenAI models and applications safe and secure, giving them the confidence to deploy these systems to production. The company is headquartered in Bangalore. 

About Protect AI

Protect AI empowers organizations to secure their AI applications with comprehensive AI Security Posture Management (AI-SPM) capabilities, enabling them to see, know, and manage their ML environments effectively. The Protect AI Platform offers end-to-end visibility, remediation, control, and governance, safeguarding AI/ML systems from security threats and risks. Founded by AI leaders from Amazon and Oracle, Protect AI is backed by top investors, including Acrew Capital, boldstart ventures, Evolution Equity Partners, Knollwood Capital, Pelion Ventures, 01 Advisors, StepStone Group, Samsung, and Salesforce Ventures. The company is headquartered in Seattle, with offices in Berlin and Bangalore. For more information, visit our website and follow us on LinkedIn and Twitter.

Protect AI Acquires SydeLabs to Red Team Large Language Models

Two US senators accuse carmakers of deceptive language and shifty practices in sharing and resale of driver data.

Source: CC7 via Shutterstock

Two US senators have called on the US Federal Trade Commission (FTC) to hold automakers accountable for sharing driver data without consent, highlighting the growing data privacy challenges — and deceptive verbiage from terms of service — associated with modern smart cars.

In a letter to the FTC (PDF) last week, Sens. Ron Wyden (D-Ore.) and Edward Markey (D-Mass.) used the data-sharing practices of General Motors, Honda, and Hyundai as symptomatic of an industrywide problem that needs immediate investigation.

**Data Sharing Without Consent**

All three vendors collected and sold driver information such as acceleration and braking data to Verisk, a data analytics company that used the information to prepare driver behavior reports that it then resold to insurance companies. By their own account, none of the automakers obtained informed consent from customers before sharing their information. Instead, they deliberately obscured their data-sharing relationship with Verisk in lengthy disclosures and made deceptive claims about how they would use driver data, the senators charged.

"The FTC should hold accountable the automakers, which shared their customers' data with data brokers without obtaining informed consent, as well as the data brokers, which resold data that had not been obtained in a lawful manner," their letter noted. "Given the high number of consumers impacted, and the outrageous manipulation of consumers using dark patterns, the FTC should also hold senior company officials responsible for their flagrant abuse of their customers' privacy."

The letter highlights just one aspect of what many say is a rapidly growing set of security and privacy issues around modern, highly connected software-defined vehicles. While such vehicles offer increased automation, autonomous capabilities, and highly customizable user experiences, they also collect an enormous amount of data that can be hard to protect and secure.

"Your vehicle knows your name, your home address, your debit/credit card info, how fast you drive, how hard you brake, what you ask its voice assistant, the locations you frequent and at what times," says Riley Keehn, lead regulatory and government affairs consultant for SBD Automotive, an automotive research and consulting firm. "Certain occupant detection and automated driving cameras and sensors can even see you and your surroundings."

The onboard storage of this sheer volume of personal and identifying information (PII) and sensitive data types make drivers and their vehicles the direct targets of cyberattacks. These attacks can happen via hardwired systems like the OBD-II port or even the headlights, connections to the vehicle via shared and insecure Wi-Fi networks, through electric vehicle charging stations, compromised aftermarket components, and other means, Keehn says.

Some of these risks can be addressed via security-by-design approaches and the implementation of industry best practices and regulations, such as UN R155 on Cybersecurity Management Systems (CSMS) and UN R156 on Software Update Management Systems (SUMS), ISO/SAE 21434:2021 on Cybersecurity Engineering for Road Vehicles, and other international and regional requirements, she notes.

**A Complete Lack of Consumer Privacy Protections?**

But where things can get messy is what happens to personal data after a vehicle collects it. "The US still lacks a comprehensive, general data privacy regulation comparable to the EU's GDPR, China's PIPL/DSL/CSL framework, and other global regulations that have adopted the GDPR's model and stringency," Keehn says.

The US largely relies on sector-specific regulations, such as HIPAA in healthcare, to address unique data privacy and security requirements. Individual states have filled that gap with their own data privacy laws, creating a patchwork of inconsistent rules, often exempting certain sectors and technologies. While some states may have clear requirements for how an original equipment manufacturer (OEM) must handle the storage, collection, sharing, and sale of data, other states may have different requirements or none at all, she says.

"This inconsistency and lack of national guidance in the US creates a host of risks at the business level and can foster an OEM culture where security stops with the vehicle," Keehn adds.

**Can the FTC Really Drive Change?**

David Brumley, CEO of software security firm ForAllSecure, says car companies should be required to ask for informed consent from drivers to share their information for advertising or for any other purpose not specific to delivering a required feature. 

"Over-the-air software updates? Probably being served from Amazon or Google. Maps? Probably from a third-party. Accurate position? It's not just GPS; often it's assisted with other metadata — like Swift Navigation — to increase accuracy," Brumley notes.

A car vendor might require some data, like location information, for instance, to provide services such as roadside assistance, traffic warnings, and autonomous driving. So there needs to be separate consent requirement for sharing such data and for sharing data for pure profit reasons, he says. "Second, we need a law that says companies must not limit functionality when someone opts out," he adds. "Someone shouldn't be able to force your consent so you can keep driving to work."

Brumley says it's unrealistic, however, to expect the FTC to drive much change. "They don't exercise their regulatory powers in other domains, and instead rely on free-market" dynamics, which won't help here, he says. "Where we may get a bump is EU regulations, which tend to be stricter.  We also need consumers to speak up that it impacts their buying decisions."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#amazon