CramHacks Chronicles #55: Weekly Cybersecurity Newsletter!

How Quickly Hackers Exploit Exposed Secrets, Google's Strategies for Memory Safety, Python 3.8 EOL, and SLSA Provenance in PyPI

Hello! I hope you’re having a great week 🙂.

Check out my talk “A Wild Goose Chase: Understanding and Mitigating Transitive Dependency Issues” @ ADDO on October 10th!

Table of Contents

Industry Updates

Synopsys Software Integrity Group rebrands as Black Duck
Clearlake Capital Group and Francisco Partners finalized the Synopsys Software Integrity Group acquisition for $2.1B, rebranding it as Black Duck Software.

Software Lifecycle and Vulnerabilities

Python 3.8 EOL October 2024
👋 How much of the world is powered by EOL software? Who is using Python 3.8? Well, the GitHub Ubuntu-20.04 runner image is! Querying GitHub’s public repositories for "runs-on: ubuntu-20.04" language:yaml returns more than 161K files.

I’m not suggesting you run out and replace Python 3.8 this very second, but it’s interesting how few people even knew the EOL date was coming up.
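The GitHub search above finds the label across public repositories; for your own workflows, a scanner that flags EOL runner labels in `.github/workflows/*.yml` is the equivalent local check. This is an added example, not code from the newsletter; the flagged-label set is an assumption seeded with the one label the text names, and the workflow text is constructed.

```python
import re

# Runner labels to flag. The newsletter's example is ubuntu-20.04, whose default
# Python is the 3.8 line that reached EOL in October 2024. Assumed list; extend it.
EOL_RUNNER_LABELS = {"ubuntu-20.04"}

# Match a label as a bare scalar, a flow-list element ([a, b]) or a "- item" entry,
# but not as a substring of a longer token such as ubuntu-20.04-custom.
LABEL_RE = re.compile(
    r"(?<![\w.-])(" + "|".join(map(re.escape, sorted(EOL_RUNNER_LABELS))) + r")(?![\w.-])"
)
RUNS_ON_RE = re.compile(r"^\s*runs-on:")


def find_eol_runners(workflow_text):
    """Return (line_number, label, context) for every flagged label in a workflow.

    context is 'runs-on' when the label sits directly on a runs-on line and
    'matrix/other' elsewhere, which usually means a strategy.matrix value that
    is expanded later through ${{ matrix.os }}.
    """
    hits = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        code = line.split("#", 1)[0]  # a label inside a YAML comment is not a runner
        for m in LABEL_RE.finditer(code):
            context = "runs-on" if RUNS_ON_RE.match(code) else "matrix/other"
            hits.append((lineno, m.group(1), context))
    return hits


# Constructed workflow: one direct use, one matrix use, one comment-only mention.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  legacy:
    runs-on: ubuntu-20.04
    steps:
      - run: python --version
  matrix:
    strategy:
      matrix:
        os: [ubuntu-20.04, ubuntu-22.04]
    runs-on: ${{ matrix.os }}
    steps:
      - run: python --version
  current:
    runs-on: ubuntu-22.04  # ubuntu-20.04 appears only in this comment
"""

if __name__ == "__main__":
    for lineno, label, context in find_eol_runners(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {label} ({context})")
```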

Attacking UNIX Systems via CUPS, Part I (Remote Command Execution)
Simone Margaritelli (AKA evilsocket) reveals the research that went into discovering the four CVEs, which together let a remote, unauthenticated attacker obtain arbitrary command execution.

👋 This was an interesting disclosure. Per evilsocket, the research took two days, whereas the disclosure consisted of twenty-two days of arguing — much of which is public. This likely explains the discussions and warnings before the responsible disclosure.

Wiz Research Finds Critical NVIDIA AI Vulnerability Affecting Containers Using NVIDIA GPUs, Including Over 35% of Cloud Environments
A critical vulnerability, CVE-2024-0132, was discovered in NVIDIA’s Container Toolkit, affecting versions up to 1.16.1 and GPU Operator 24.6.1 and older. An attacker can craft a malicious image, run it on a target platform using either vulnerable component, and obtain a complete host takeover.

👋 This is especially impactful in shared environments like Kubernetes. “an attacker with permission to deploy a container could escape that container and gain access to data and secrets of other applications running on the same node – or even on the same cluster – thereby affecting the entire environment.”

What’s the worst place to leave your secrets? – Research into what happens to AWS credentials that are left in public places
Cybenari’s founder, Idan Ben Ari, used AWS API credentials as canary tokens, placing them in public locations to monitor access attempts. A token stored in a published package on NPM was grabbed in under a minute, and one on PyPI in about two minutes. Somehow, the credentials were never grabbed from Bitbucket and GitLab 🤔.

👋 Click here to see all the services tested and their access times.

Best Practices and Innovations

Google: Eliminating Memory Safety Vulnerabilities at the Source
Google’s Jeff Vander Stoep & Alex Rebert share the success of the Android team’s 2019 decision to prioritize memory-safe languages for new development. In 2019, 76% of Android vulnerabilities were memory safety issues; in 2024, that number is 24%, against an industry norm of around 70%.

👋 As detailed in the article, this is partly due to vulnerabilities having a half-life. A large-scale study on FOSS vulnerability lifetimes reveals that most vulnerabilities are introduced via new code changes and that the average lifetime of a vulnerability is around four years in large, evolving codebases.

About CPE, and purl as their replacement
Jean points out that folks may be overzealous about replacing CPEs with purl, largely because purl assumes you use a package manager and repository, which essentially means “good luck!” if you are working on C/C++ projects.

👋 “I want to be perfectly clear about CPE: I hate them with a deep passion.” This seems to be a very common take 🙁.

Securing the software supply chain with the SLSA framework
Trail of Bits’ Cliff Smith discusses the Supply-chain Levels for Software Artifacts (SLSA) framework and the draft specification (PEP 740) for adding SLSA provenance support to PyPI.

👋 I look forward to the day SLSA verification is baked in for every major package manager!

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.