Mentioned the other day that a Blog devoted to Linux ‘could easily be kept busy tracking Linux security issues.’ Probably wouldn’t be a popular subject, but a blogger could write a lot of posts on the subject. Heck, I could make this a 30-part series just on the links I found from running a search on SAD DNS (Side-channel AttackeD DNS) CVE-2020-25705, which is a new issue that apparently re-enables the old DNS cache poisoning attacks.

DNS cache poisoning attacks return due to Linux weakness

Researchers from Tsinghua University and the University of California have identified a new method that can be used to conduct DNS cache poisoning attacks.

The new discovery revives a 2008 bug that had once been thought to have been resolved for good.

I’ll add this post to the *Linux Security Issues* page – plus, also just finished creating a new bookmark folder named “Security” with sub-folders “Malware” ‘n “Vulnerability” ‘n “Kernel” in it. Those sub-folders were scattered around different areas in my bookmarks, so all Linux security issues needed organizing…I swear, a blogger could spend hours daily writing on a major weakness with Linux, i.e. its lack of security.

More from the Bleeping Computer® article – What is DNS spoofing or cache poisoning?

The Domain Name System (DNS) can be best understood as a phonebook for the internet.

Much like when you want to call your friend Alex, you’d need to look up their phone number through a system called the phonebook.

Likewise, when you browse to a domain, your web browser attempts to identify its IP address by looking it up through an internet directory system called DNS.

The actual process happens in a series of steps and isn’t always so straightforward.

For example, had you or someone on your network previously visited bleepingcomputer.com, our IP address would get cached either somewhere on your computer or on intermediary servers.

This means the next time you visit bleepingcomputer.com, another DNS lookup won’t be necessary. Your computer or web browser would already know where to locate us.

DNS cache poisoning attacks refer to polluting this very cache existing on intermediary servers.

Imagine if a DNS cache your computer (the client) had been relying on to look up bleepingcomputer.com’s IP returned to you an incorrect IP address instead of ours?

Attackers could wreak havoc on the internet should they be able to poison DNS caches.
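To make the quoted explanation concrete, here is a toy model of the check a caching resolver performs before it believes a reply, and of what an off-path attacker has to guess to get a bogus record into the cache. This is an added example, not code from the original post, from Bleeping Computer, or from the SAD DNS researchers. It assumes the two pieces of entropy that ended the 2008-era attacks, a random 16-bit transaction ID and a random ephemeral source port, and models the side channel only as the assumption that the attacker has somehow learned the source port; the ephemeral port range (1024-65535), the domain names and the IP addresses are all made-up inputs.

```python
"""Toy model of DNS cache poisoning.  A resolver accepts a reply only when
the reply's transaction ID *and* destination port match an outstanding query;
an off-path attacker has to guess both.  Added example, not code from the
original post or from the SAD DNS authors; names, ports and IPs are made up."""
import os
import random
import struct

QTYPE_A = 1
QCLASS_IN = 1
EPHEMERAL_PORT_MIN = 1024           # assumed ephemeral range for the model
EPHEMERAL_PORT_MAX = 65535
EPHEMERAL_PORTS = EPHEMERAL_PORT_MAX - EPHEMERAL_PORT_MIN + 1   # 64512


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid):
    # Header: id, flags (RD=1), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(name, txid, ipv4, ttl=300):
    """One A record answering `name`; flags 0x8180 = QR, RD, RA set."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(o) for o in ipv4.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return header + question + answer


def parse_response(pkt):
    """Return (txid, qname, ipv4) from a response built by build_response."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or qd != 1 or an != 1:
        raise ValueError("not a single-answer response")
    pos, labels = 12, []
    while pkt[pos] != 0:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1 + 4      # name terminator, then qtype/qclass
    pos += 2 + 10     # answer: name pointer, type, class, ttl, rdlength
    ipv4 = ".".join(str(b) for b in pkt[pos:pos + 4])
    return txid, ".".join(labels), ipv4


class Resolver:
    """Caching resolver that randomizes both txid and source port per query."""

    def __init__(self):
        self.cache = {}
        self.pending = {}     # (source port, txid) -> name being resolved

    def send_query(self, name):
        txid = struct.unpack("!H", os.urandom(2))[0]
        port = random.randint(EPHEMERAL_PORT_MIN, EPHEMERAL_PORT_MAX)
        self.pending[(port, txid)] = name
        return port, txid, build_query(name, txid)

    def receive(self, dst_port, pkt):
        """Accept a reply only if port, txid and question name all match an
        outstanding query.  The first matching reply wins and closes the slot,
        which is exactly the race a poisoning attacker tries to win."""
        try:
            txid, qname, ipv4 = parse_response(pkt)
        except ValueError:
            return False
        if self.pending.get((dst_port, txid)) != qname:
            return False
        del self.pending[(dst_port, txid)]
        self.cache[qname] = ipv4
        return True


def spoof_with_known_port(resolver, name, port, evil_ip):
    """Off-path attacker who has learned the source port (the side-channel
    assumption) and brute-forces the 16-bit txid.  Returns guesses used."""
    for attempts, txid in enumerate(range(1 << 16), start=1):
        if resolver.receive(port, build_response(name, txid, evil_ip)):
            return attempts
    return None


def guesses_needed(port_known):
    """Worst-case search space for one outstanding query."""
    return (1 << 16) if port_known else (1 << 16) * EPHEMERAL_PORTS


if __name__ == "__main__":
    r = Resolver()
    port, txid, _ = r.send_query("example.com")
    used = spoof_with_known_port(r, "example.com", port, "192.0.2.66")
    print("poisoned after", used, "guesses; cache =", r.cache)
    print("search space without the port:", guesses_needed(False))
```

The point of the model is the ratio between the two search spaces: with the port hidden the attacker is guessing roughly 2^32 combinations per query, which is why port randomization was considered a fix in 2008; once a side channel hands the attacker the port, the remaining 65,536 transaction IDs are a flood of spoofed UDP packets away, and the attacker only has to beat the legitimate reply to the slot.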

Interesting, like a “phonebook for the internet” that can direct your ‘Calls’ to someone else w/o you knowing!?! Do you keep track of your Distro’s Bug Reports? Here’s one that wasn’t listed under my original CVE-2020-25705 search that had Debian, Red Hat, Canonical, and Gentoo ‘Security Trackers’ at the top – and, I clicked the Debian tracker, then on a “more” link listed at the top of that page ‘n saw Arch Linux. Arch and its Arch-based wannabes have the worst mannered Desktop OS users…they make the MacJihadi look like a bunch of Mother Teresas. Anyway, a majority of the ArchJihadi Desktop OS users are infamous liars (at their best) and swear they never have problems with Arch ‘n Archies:

Looks like Arch is running 6+++ days behind reporting on CVE-2020-25705 … maybe all the recent “Critical” Bug Reports they’re dealing with has them bogged down. Debian, Red Hat, Canonical, and Gentoo are on top of it tho. CVE is always a handy link to have if you use Linux as your Desktop OS. NVD is another handy link.

This is why major Linux Distros seek security help from Microsoft, i.e. these hacker attacks are coming so fast that Linux Distros *AND* especially the Linux kernel can’t keep up.

Doing this post led to some links that I’ve used in a few past posts ‘n I will use some of the pics from those posts since they offer helpful info on a main “weakness” of Linux, i.e. a lack of security. First, the previous posts:

The Linux kernel had 2,357 Technical Vulnerabilities between 1999 ‘n 2019 (3rd most):

Linux ‘n Linux-based software have been vulnerable for a long time – *EXTREMELY* vulnerable when considering its small footprint and/or Worldwide Desktop OS user base (2%+-):

The Linux Desktop market share:

Here’s a list of countries ‘n their 2018 Data Breaches – plus their 5-year average being compared to 2014-2018 Global averages:

I’ve been heavily involved with the internet, OSes and computers since 1992 ‘n can only recall one security/malware issue that I experienced over the years – a so-called friend sent me a prank/joke type of malware (it was literally known as a prank/joke to use on friends!?!?). Apparently, the Worldwide regular home Desktop OS user attacks remain fairly small, but that’s just an observation ‘n guess.

In the Report: Open Source Vulnerabilities Rampant in Popular Projects March 12, 2020 article by Jack M. Germain, he mentions that ‘Open source vulnerabilities rose by nearly 50 percent in 2019 over the previous year, based on a report released Thursday.’ Just guessing here, but I have recently been looking into why many of the major Linux Distros are making some major changes, e.g. the move to Snap and/or Flatpak, plus some file format changes, plus some unusual behavior in different Distros that I use and/or have been testing. Nothing concrete…just a ‘Feeling’ I’ve had.

Jack M. Germain continued:

  • With the continued increase of both open source usage and security research, the number of reported open source vulnerabilities will keep rising, the 2019 vulnerability report predicts.
  • The number of disclosed open source software vulnerabilities in 2019 skyrocketed to more than 6,000 reported vulnerabilities, according to the WhiteSource database.
  • More than 55 percent of reported open source vulnerabilities in 2019 were classified as high or critical severity. This large number impacts on software teams’ ability to prioritize vulnerability remediation.
  • The open source community increasingly is seeking ways to address the chaos in the open source security process with new initiatives.
  • However, the rosy predictions of the current WhiteSource report may not hold true, suggested Thomas Hatch, CTO of SaltStack, as open source software has undergone a transformation in recent years.

Couple of points here…small communities like Arch Linux are apparently getting bogged down (as mentioned above) by these non-stop attacks and it impacts their “ability to prioritize vulnerability remediation.” I believe, in the long-term, that this may also weaken the smaller ‘Freebie‘ type of Linux Distros as they struggle to keep up, i.e. the developers are already donating most of their free time so how much more additional stress can they handle. Thomas Hatch calls the WhiteSource report “rosy predictions” – (?!?!?!) geez, guess humble me missed the “rosy” parts!?

Jack M. Germain continued:

  • So is the fact that creating a CVE is a time-consuming process that some prefer to avoid when it comes to lower-severity issues. That explains the imbalance between the number of low severity and high-to-critical severity issues being published, he said.
  • Organizations must consider the impact of a specific vulnerability on the security of their products based on a number of factors. The process involves more than the severity score, Arkin added.
  • Developers, DevOps and security teams face the challenge of addressing long lists of security alerts. The data and insights in the WhiteSource report can help them better understand how to address open source security vulnerabilities efficiently.
  • Instead, it means open source users need to be aware of the security risks. That includes making sure they keep dependencies up to date.

I totally agree with open source users needing “to be more aware of security risks.” For years, these users have thought Linux and/or open source software were secure, and have mistakenly promoted that false impression, IMHO. Can they change their ways? Some, like Debian, Red Hat, Canonical, and Gentoo are already trying … others don’t seem to have the manpower needed to keep up with the security demands.