2/2/24: Leaky Vessels, glibc flaws, open source security report...

Here are this week's security highlights:

"Leaky Vessels" bug revealed

Researchers at Snyk have disclosed a set of four vulnerabilities in container engine components that they dubbed "Leaky Vessels," three of which give an attacker a way to break out of a container and execute code on the underlying host. One flaw is in runc, the low-level OCI container runtime that Docker, containerd and Kubernetes use to start containers; the other three are in BuildKit, the default build backend behind docker build. All four are reached by running or building attacker-controlled content (a malicious image or Dockerfile), so the practical response is to update runc and BuildKit through the patched Docker releases and to keep treating untrusted images and build contexts as hostile, since the runc fix also covers Kubernetes nodes that do not run Docker at all.


New Linux glibc flaw

A newly disclosed local privilege escalation (LPE) vulnerability in the GNU C Library (glibc), tracked as CVE-2023-6246, lets an unprivileged local attacker gain root on several major Linux distributions in their default configurations, including Debian, Ubuntu and Fedora. The flaw is a heap-based buffer overflow in glibc's syslog() and vsyslog() functions (the shared __vsyslog_internal() code path), reachable when the calling program's name is unusually long. It was accidentally introduced into glibc 2.37 by a commit from August 2022 and was later backported to glibc 2.36 as part of the fix for a less severe vulnerability, CVE-2022-39046, so patched 2.36 builds are affected as well. Because any program that writes to syslog can be the vector, the check that matters is whether the distribution's glibc package carries the fix, not the upstream version number alone.


White House releases report on securing open source software

The White House says it is making progress on securing open-source software, releasing an end-of-year report that details its efforts around the transparent and collaborative development process that underpins nearly every type of software. The report covers the four areas the administration focused on last year through the OS3I (Open Source Software Security Initiative): unifying the federal government's voice on open-source software security, establishing a strategic approach to securing such software, encouraging long-term investment, and engaging with and building trust in the open-source community.


US disabled Chinese hacking network targeting critical infrastructure

The U.S. government in recent months launched an operation against a pervasive Chinese hacking campaign that had compromised thousands of internet-connected devices, largely end-of-life small-office and home-office routers, according to two Western security officials and a person familiar with the matter. The Justice Department and the FBI sought and obtained legal authorization to remotely disable parts of the infrastructure used by the Chinese hacking group known as Volt Typhoon. The sources said U.S. officials are concerned the hackers were positioning themselves to degrade U.S. readiness in the event of a Chinese invasion of Taiwan.


Malicious PyPI packages slip malware onto Windows machines

Cybersecurity researchers have identified malicious packages on the open-source Python Package Index (PyPI) repository that deliver an information-stealing malware called WhiteSnake Stealer on Windows systems. The malware-laced packages are named nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111, and were uploaded by a threat actor using the name "WS." The stealer is designed to capture data from web browsers, cryptocurrency wallets, and applications such as Snowflake, Signal, and Discord. None of the names resemble a legitimately popular package, so this batch relies on the packages being found and installed rather than on typosquatting; a dependency review still has to check both cases.
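As an added example (not code from the article or from the researchers it cites), the script below scans a requirements file for two things a dependency review should catch: exact matches against the package names reported above, and near-miss names of popular packages that would indicate a typosquat. The popular-package allowlist, the edit-distance threshold and the sample requirements text are constructed for the example; in practice the allowlist would come from the organisation's approved-package list.

```python
"""Flag reported-malicious and typosquat-like names in a requirements file.

Added example; not the article's or any researcher's code. The POPULAR list,
the threshold and the sample requirements below are constructed assumptions.
"""
from __future__ import annotations

import re

# Package names reported as malicious in the WhiteSnake Stealer write-up,
# stored in PEP 503 normalised form so matching is case-insensitive.
REPORTED_MALICIOUS = {
    "nigpal", "figflix", "telerer", "segmm", "fbdebug", "sgmm",
    "mygens", "newgends", "testlibs111",
}

# Hypothetical allowlist of packages the team actually depends on.
POPULAR = {"requests", "numpy", "pandas", "colorama", "cryptography", "urllib3"}

# Edit-distance threshold for calling a name a typosquat of a popular one.
TYPO_THRESHOLD = 2


def normalize(name: str) -> str:
    """PEP 503 normalisation: lower-case and collapse runs of '-', '_', '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic Levenshtein edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def parse_requirements(text: str) -> list[str]:
    """Return the bare project names from requirements.txt-style text.

    Comments, blank lines, option lines (-r, --index-url) and URL specs are
    skipped; version specifiers and extras are stripped from the name.
    """
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-") or "://" in line:
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(m.group(1))
    return names


def classify(name: str) -> str:
    """Verdict for one package name.

    'known-malicious' beats everything; an exact allowlist hit is 'ok';
    a name within TYPO_THRESHOLD edits of the closest allowlisted package is
    'typosquat-suspect:<closest>'; anything else is 'unknown'.
    """
    n = normalize(name)
    if n in REPORTED_MALICIOUS:
        return "known-malicious"
    if n in POPULAR:
        return "ok"
    # Pick the closest popular name deterministically (distance, then name).
    closest, dist = min(((p, levenshtein(n, p)) for p in POPULAR),
                        key=lambda t: (t[1], t[0]))
    if dist <= TYPO_THRESHOLD:
        return f"typosquat-suspect:{closest}"
    return "unknown"


def scan(text: str) -> dict[str, str]:
    """Map every package name found in the text to its verdict."""
    return {name: classify(name) for name in parse_requirements(text)}


# Constructed sample requirements file used to exercise the scanner.
SAMPLE = """
requests==2.31.0
numpy>=1.26
-r base.txt
telerer            # one of the reported packages
seGMM              # mixed case, still matches after normalisation
reqeusts           # two letters swapped: typosquat of requests
colourama          # one extra letter: typosquat of colorama
pyyaml             # not allowlisted, not reported
"""

if __name__ == "__main__":
    for pkg, verdict in scan(SAMPLE).items():
        print(f"{pkg:12} {verdict}")
```

The exact-name check catches the nine packages from the report; the edit-distance check is what catches the more common case where a malicious upload imitates a real name. Keep the threshold conservative for short names (a distance of 2 on a five-letter name matches a lot of legitimate packages), and run the scan against the fully resolved dependency set, since a clean requirements file can still pull a bad package in transitively.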

Subscribe for weekly updates!