New Platform Pushes Data, Dirty Pipe and DNS Tunnel Pollute Linux Plumbing

Open Source Vulnerabilities

In this edition of the latest open-source software industry news from LinuxInsider:

First-mile observability is a key priority for enterprise operations heavily invested in data analysis. It refers to collecting and analyzing data at its source. Two key open-source projects already help maintain data observability issues. An innovation makes those projects more valuable.

Have you cleaned your Linux pipelines lately? Be sure you do not get stuck with a Dirty Pipe situation.

Human errors are a major culprit in successful cybersecurity breakdowns. Check out the opportunity for free cyber training this month and learn about a new Linux backdown piggybacking on Log4j again.

Also, don’t miss out on Wind River’s latest release. It might put more wind in your Linux sails.

New Funding Modernizes Enterprise Observability

First-mile observability platform developer Calyptia earlier this month closed a seed funding round of $5 million led by Sierra Ventures and Carbide Ventures.

The investment will fuel the company’s pursuit to manage observability data at scale with immediate insight into user systems’ performance. The effort builds on the advances of open-source projects Fluent Bit and Fluentd.

Existing methods require data to be fully routed to back-end last-mile storage before centralized analysis and reporting occur. That fails enterprise customers working with distributed IT, IoT, and edge applications across all cloud environments. Calyptia’s solution might well change that.

It brings the firm’s flagship solution, Calyptia Enterprise for Fluent Bit, and its extensive developer toolsets to simplify enterprise adoption. The platform integrates seamlessly with existing observability backends to both improve system analytics and reduce cost.

“Calyptia solves a really difficult problem — how to quickly and efficiently get intelligence out of log and event data at scale in the enterprise. It brings to market a solution that has been needed for quite some time,” said Tim Guleri, managing partner at Sierra Ventures.

The value this solution can bring to enterprises is unprecedented. Businesses can get immediate insight into their systems to enable real-time troubleshooting and performance optimization. Given the rapid adoption of distributed, cloud-based IT, this solution will quickly become a core enterprise requirement, he explained.

Fluent Bit and Fluentd are the most widely used solutions for event data collection. They are fast, lightweight, and highly scalable log and metrics collectors deployed over a billion times embedded into Kubernetes and Red Hat OpenShift.

“What we have done with Calyptia Enterprise is take the most powerful open-source tool for first-mile observability and make it fully accessible for the enterprise,” said Anurag Gupta, co-founder of Calyptia.

Pipe Cleaning a Fix for Linux Malware

Dirty Pipe, a newly-disclosed vulnerability in the Linux kernel since version 5.8, allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes.

This latest vulnerability discovery is similar to Dirty Cow CVE-2016-5195 but is easier to exploit. Such OS bugs and application-level vulnerabilities not limited to Linux can allow attackers to elevate privileges, move laterally inside the network, execute arbitrary code, and completely take over devices.

Containers offer a higher degree of security. But recent incidents have demonstrated that containers are being exploited often via such vulnerabilities, according to Shweta Khare, cybersecurity evangelist at Delinea.

“In most organizations, microservices and containers are not yet covered under the enterprise security plan. To minimize the risk exposure of cyberattacks, privilege management is essential for continual benefits of granular access control and consistent security across data centers and cloud-based virtual instances, containers, and microservices,” he said.

Any exploit that gives root-level access to a Linux system is problematic. An attacker that gains root gains full control over the target system and may be able to leverage that control to reach other systems. The mitigating factor with this vulnerability is that it requires local access, which slightly lowers the risk, added Mike Parkin, senior technical engineer at Vulcan Cyber.

“Escalating privileges to root (POSIX family) or Admin (Windows) is often an attacker’s first priority when they gain access to a system, as it gives them full control of the target and can help them extend their foothold to other victims. That has not changed for ages and is unlikely to change in the foreseeable future,” he added.

Get Free Training To Prepare for Cyber Attacks

A recent study by Global Market Estimates approximated that human error causes 85 percent of all cybersecurity breaches. It also found that only 25 percent of organizations provide cybersecurity awareness training programs to employees.

Those are alarming statistics since awareness training reduces the cybersecurity risks of organizations by 70 percent, ensuring employees correctly respond to incoming threats. A general lack of knowledge about best cybersecurity practices, such as reusing passwords, leaving mobile devices open, accessing unknown wireless networks, and falling for fake links, creates exploitable threat vectors.

Security training firm AwareGO this month is offering a free 30-minute cybersecurity training course for up to 500 employees. This quick and intensive cybersecurity training is designed to quickly help organizations and their employees identify and prevent potential cyberattacks.

The program contains 14 hand-picked, relevant, one-minute micro-learning videos, as well as supplementary reading materials that focus on the most common methods that hackers use to trick people and gain access. Once registered, organizations will receive immediate access to AwareGO’s hand-picked training modules and can roll out the training program in a matter of minutes.

Today’s troublesome world justifies concerns about increased cyberattacks with the aim of causing disruptions, acquiring funds, and stealing valuable data, noted Ari Jonsson, CEO of AwareGO.

“Having technical measures in place, such as firewalls and encryption, is good, but it is simply not enough as 85 percent of all successful cyber break-ins are done by fooling people rather than machines. The truly critical component in any organization’s cybersecurity toolbox is up-to-date and aware employees,” he said.

Wind River Studio Secures Linux-Based Challenges

The latest Wind River Studio Linux Services version released March 16 focuses on Linux security, defects, compliance, and the ongoing management of mission-critical intelligent systems for community-based open-source software.

As market demands evolve, the development of innovative, stable, and deployable embedded Linux solutions becomes more urgent. Rising system complexity brings new challenges around security, compliance, defense against defects, and ongoing maintenance of these new platforms.

Finding and repairing security defects can cost 100 times more in deployed systems than during the development phase. This is a heavy burden for a development team to manage while still trying to innovate and meet tight deadlines, according to Wind River.

Mission-critical embedded systems have the most demanding requirements with the longest lifespans. Teams must plan to build, manage, and maintain them over decades. This is especially challenging in an intelligent systems future that demands increasing vigilance around security and compliance, noted Amit Ronen, senior vice president for customer success at Wind River.

“By helping developers build and deploy robust, reliable, and secure Linux-based intelligent devices and systems, Studio Linux Services can remove the burden of monitoring and maintaining platforms so developers can instead focus on developing innovative and differentiated intelligent edge systems that maximize return on investment,” he said.

New Studio Linux Services include:

  • Security and Compliance Scanning — Professional-grade scanning of Linux platforms for CVEs and license issues;
  • Security and Compliance Analysis and Remediation — Deep-dive analysis of CVEs and license compliance issues on existing platforms that can directly impact the open source software of a project; remediation of critical CVEs as well as a license compliance remediation recommendation;
  • Lifecycle Security — Continuous CVE monitoring, mitigation, and management through the software development and deployment lifecycle;
  • Lifecycle Performance Assurance — A full lifecycle management service for Linux platforms and board support packages; delivers technical solutions and support to help keep software current, secure, and stable throughout the life of the device;
  • Architecture and Implementation — Thorough architectural assessment of hardware and software needs for the full lifecycle of the project, including interpretation of system requirements, architecting of platform system options, and recommendations for meeting business, technical, and program goals; also ongoing technical solution assessments for emerging requirements as the project advances.

New Linux Backdoor Uses DNS Tunnel To Wreak Havoc

360Netlab researchers on March 15 found a new backdoor to let intruders overtake computer networks using the Log4J vulnerability.

The Netlab’s honeypot system captured an unknown Executable and Linkable Format (ELF) file propagating through the Log4J vulnerability. The network traffic generated by this sample triggered a DNS tunnel alert in the company’s system, Alex Turing and Hui Wang reported on the firm’s blog.

They found and named a new botnet family — B1txor20 — based on its propagation using the file name b1t, the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes.

The backdoor for the Linux platform uses DNS tunnel technology to build C2 communication channels. In addition to the traditional backdoor functions, B1txor20 also can open Socket5 proxy and remotely download and install a rootkit.

Leveraging the Log4J vulnerability and DNS tunneling for communication is interesting, but not unexpected, noted Mike Parkin, senior technical engineer at Vulcan Cyber. Malware authors are known for quickly developing new strains to leverage recent vulnerabilities and combining different techniques to try and avoid detection.

“Fortunately, DNS tunneling is relatively easy to detect, and multiple tools exist that can disrupt an attacker’s use of DNS for command and control. It is easy to deploy these tools in a cloud environment as well as on-premises, and some form of DNS protection should be considered a best practice.

“While that would not stop the initial infection, it would effectively contain the breach since the attacker will not be able to control the victim system,” he told LinuxInsider.

This new botnet does reinforce the need to patch for the Log4J vulnerability and make sure the organization has the tools and capabilities to manage this kind of risk in their environment, he added.

B1txor20 seems to be tailored towards targeting vulnerable Log4J instances inside Linux data centers that have otherwise been hardened, suggested Casey Ellis, founder and CTO at Bugcrowd.

“Limiting outbound connections is one of the key mitigations for Log4Shell, but DNS tunneling is a fairly reliable way to get around this type of control where it exists, and the SOCKS5 updater can achieve this goal as well. Aside from finding and patching Log4J wherever possible, monitoring and restricting outbound DNS requests is the only practical defense for this,” he told LinuxInsider.

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics. Email Jack.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Jack M. Germain
More in Enterprise

LinuxInsider Channels