Explore top 10 tips to secure your open-source projects now. Read More
×According to a recently issued advisory from the X.Org Foundation, eight critical security vulnerabilities affecting both X.Org Server and XWayland were disclosed and promptly patched. As an admin using X.Org or XWayland, staying informed and acting quickly is paramount to securing your server and Linux environment. . These recent flaws include severe user-after-free and buffer overflow vulnerabilities that malicious hackers could exploit to compromise data and critical systems. To help you secure your server and Linux infrastructure against these emerging threats, let's examine these newly discovered security bugs in more detail and broader trends in X.Org and XWayland security that every admin should be aware of. Understanding These New Vulnerabilities X.Org Server and XWayland are critical components within many Linux environments, providing fundamental graphical functionality. Recently, Trend Micro’s Zero Day Initiative disclosed eight serious security flaws within these components. These vulnerabilities significantly impact system stability and security and require prompt updates. The eight new security bugs identified include: CVE-2025-26594 : Use-after-free of the root cursor CVE-2025-26595 : Buffer overflow in XkbVModMaskText() CVE-2025-26596 : Heap overflow in XkbWriteKeySyms() CVE-2025-26597 : Buffer overflow in XkbChangeTypesOfKey() CVE-2025-26598: Out-of-bounds write in CreatePointerBarrierClient() CVE-2025-26599: Use of uninitialized pointer in compRedirectWindow() CVE-2025-26600: Use-after-free in PlayReleasedEvents() CVE-2025-26601: Use-after-free in SyncInitTrigger() These use-after-free vulnerabilities (CVEs) are particularly problematic. Such security flaws occur when programs continue using freed memory for unpredictable behavior. Malicious actors often exploit these situations to run code with the same privileges as affected applications - potentially leading to full system compromise in extreme cases. Also disclosed were buffer overflow vulnerabilities that have serious ramifications. When data exceeds its allocated buffer memory, corrupt memory locations become available and may allow attackers to overwrite critical system locations - potentially leading to code execution or unexpected system behavior. Finally, out-of-bounds memory write vulnerabilities were also found. This type of flaw allows attackers to write data outside the intended buffers, which may corrupt data, crash applications, or open gateways for further exploitation. Immediate Action is Crucial Given the severity of these vulnerabilities, impacted Linux admins must act quickly. X.Org Foundation has released patches , so updating to xorg-server-21.1.16 and xwayland-24.1.6 as soon as possible is imperative in mitigating risk. Applying these updates is relatively straightforward, thanks to package management systems on most Linux distributions. Yet, best practices must still be observed when applying updates - such as performing them during planned maintenance windows for minimum disruption, thoroughly testing updates in staging environments before deployment, and having adequate backups available in case any complications arise during implementation. Debian, Debian LTS , and Slackware have released important security advisory updates in response to these critical flaws. It is crucial that all impacted admins refer to these advisories and apply the patches released by their distro(s) immediately. Addressing Long-Standing Issues Noteworthy about these newly disclosed vulnerabilities is their roots in ancient code, dating back to before X11R6.1 was released. This highlights one of the more pressing challenges in software development: technical debt. Over time, legacy code can become a repository for potential security problems, which often go undetected until they are exposed to new vulnerabilities or attacks. Current efforts to discover and address long-standing security issues are encouraging, signalingincreased security awareness and diligence. For Linux security professionals, this means old software components that seemed secure may soon require updates to meet today's standards. Keeping informed on these changes and applying any required updates, even for components that have seen minimal updates for years, is imperative to maintaining high levels of protection against attacks. The Role of Proactive Security Practices Proactive security practices are becoming ever more vital. In an age when attackers are becoming ever more sophisticated, reactive measures like applying patches post-fact are no longer enough to protect against vulnerabilities. Adopting a proactive security posture is much more effective at improving resilience against vulnerabilities than reactive approaches alone. Auditing and reviewing every system component, even those that seem less critical or are updated less often, can identify vulnerabilities before they are exploited. Security tools designed to monitor system behavior for signs of exploitation can also prove invaluable, and cultivating an organizational culture of security awareness ensures any potential issues can be quickly identified and addressed. Acknowledging Broader Security Trends Trend Micro's Zero Day Initiative and other prominent security research groups have shed light on X.Org Server and XWayland security issues in recent months, reflecting an industry-wide trend where legacy systems are held to higher security standards. Such scrutiny does more than identify individual flaws; it signals an overall shift towards comprehensive strategies to protect against both immediate threats and systemic issues. This shift has been driven by an understanding that even long-standing, stable software can contain vulnerabilities. For Linux admins, every component should be managed with security in mind. Regular updates, comprehensive testing, and staying abreast of security advisories should all be practices regularly undertaken to keep Linux systems secure. Moving Forward As software vulnerabilities evolve, so must Linux security administrators' strategies for combating them. Recent vulnerabilities affecting X.Org Server and XWayland serve as an alarm bell, reminding administrators to remain vigilant and adopt proactive security practices to boost their systems' resilience. Upgrading to patched versions of X.Org Server and XWayland is a crucial first step, while active community involvement and keeping abreast of recent security developments is equally essential. Uncovering and fixing longstanding code issues marks progress toward more secure software environments. Staying abreast of such trends as a Linux security professional will protect your systems and contribute to an open-source ecosystem with greater stability. Our Final Thoughts on Ensuring X.Org Server & XWayland Security The disclosure and patching of eight critical vulnerabilities in X.Org Server and XWayland highlight the significance of being vigilant and proactive regarding system administration. Installing updates promptly to protect against possible exploits is crucial. Acknowledging trends in software security (for instance, addressing long-standing issues or adopting comprehensive strategies) will significantly enhance an organization's capacity to safeguard its systems. By staying informed, proactive, and engaged with the broader security community, we Linux admins can ensure their environments remain safe even as new threats emerge. . Critically patched vulnerabilities in X.Org and XWayland highlight the need for immediate admin action to secure systems.. according, recently, issued, advisory, foundation, eight, critical, security, vulnerabi. . Brittany Day
At a time of rapid technological progress, the security of our digital tools - particularly WiFi routers - has become critical. Recent news from ASUS sent shockwaves through the cybersecurity community when multiple models of their routers were found with critical flaws that exposed an ongoing challenge of protecting networks against intrusions. . Unpacking the Critical Flaw in ASUS Routers According to an extensive report by RedPacket Security, ASUS recently resolved an authentication bypass vulnerability known as CVE-2024-3080, which scored 9.8 on the Common Vulnerability Scoring System scale, indicating its severity. This security hole allowed unauthenticated, remote attackers to access devices for unauthorized gains without authentication, granting them any legitimate privileges whatsoever. Another high-severity buffer overflow flaw, CVE-2024-3079, compounded this security hole by enabling remote attackers with administrative privileges to execute arbitrary commands remotely on devices with administrative rights. These vulnerabilities could constitute an exploit chain compromising all security protection on affected routers. ASUS routers such as the ZenWiFi XT8, RT-AX88U, RT-AX58U, and others were affected. ASUS quickly responded with software updates to address these vulnerabilities. This incident raises a fundamental issue regarding routers' reliance on proprietary software. While manufacturers frequently push out security patches, proprietary programs' closed nature means vulnerabilities remain unseen until a breach occurs, leaving users vulnerable. Embracing Open Source: A Route to Enhanced Security Open-source firmware and operating systems offer an alternative to proprietary router software. Their publicly collaborative development processes make security flaws less likely to go undetected. OpenWRT
OpenWrt is one of the mostwidely used open-source router operating systems available. It provides highly configurable control over performance and security settings, surpassing what most stock router firmware allows. OpenWrt also features an innovative package management system that enables users to add or remove features as desired, making the operating system leaner and more cost-effective than others. Here are five of the best features of OpenWrt: Extensive Hardware Support: OpenWrt supports a wide range of devices, from home routers to professional-grade equipment, making it adaptable to various networking situations. Fully Writeable Filesystem: With its roots in Linux, OpenWrt provides a fully writeable filesystem. Users can modify, add, or delete any file, similar to a traditional Linux distribution, offering unparalleled flexibility. Customizable Packages: OpenWrt allows users to install and remove packages to customize the router for specific needs without bloating the system with unnecessary features. Advanced Network Capabilities: OpenWrt contains many out-of-the-box network features, including IPv6 support, VLANs, traffic shaping, VPN, and firewall configurations, allowing for detailed network management.\ Active Community and Development: The vibrant OpenWrt community and ongoing development mean the firmware is constantly updated. New features are regularly added, and security vulnerabilities are promptly addressed, enhancing your network's functionality and security. These features underscore OpenWrt's flexibility and capabilities, making it a powerful choice for users looking to maximize their router's potential. DD-WRT
Like OpenWrt, DD-WRT is another Linux-based firmware that enhances routers by improving network stability, range expansion, and security features such as VPN integration and VLAN support. Furthermore, its community is quite active, providingresources and forums for help and advice regarding its usage. The five best features of DD-WRT include: Advanced Quality of Service (QoS): This technology enables intricate control over bandwidth allocation to prioritize traffic or devices for improved network performance. VPN Integration: Facilitates the integration of a Virtual Private Network directly within the router, securing all connected devices without individual configuration. Wireless Bridge and Repeater Modes: Allows routers to function as wireless repeaters or bridges, extending the wireless network's coverage or connecting wired devices to a wireless network. VLAN Support: Supports Virtual LANs for better network segmentation, enhancing security and management, and is especially useful for guest or separate IoT networks. DNS Caching: Stores DNS queries locally to speed up webpage loading times, resulting in a faster internet experience for all network users. Tomato
Tomato firmware is known for its user-friendly interface and emphasis on real-time network monitoring, supporting many of the same models as DD-WRT while offering more secure security features than its stock counterpart. Here are five of the best features of Tomato firmware for routers: Bandwidth Monitoring: This allows users to monitor network traffic and bandwidth usage, making it easier to manage network resources effectively. Advanced Quality of Service (QoS) provides detailed settings to prioritize network traffic, which helps optimize performance for critical applications. Access Control: Offers robust options to manage and control access to the network, enhancing security by restricting unauthorized usage. Built-in OpenVPN Server/Client: Integrates support for OpenVPN, enabling secure VPN connectivity for enhanced privacy and secure remote access. IP/MAC Bandwidth Limiter: This tool enables settingbandwidth limits for specific IP addresses or MAC addresses, useful in managing bandwidth consumption per device. These features enhance network management, security, and performance, making Tomato firmware a valuable choice for users with compatible Broadcom-based routers. pfSense
While not specifically for routers, pfSense can transform an old computer into a powerful firewall and router. Based on FreeBSD and widely regarded as one of the safest and most flexible network administration solutions available today, pfSense handles everything from routing and firewalling to VPN provisioning easily. Here are the five best features of pfSense router firmware: Comprehensive Firewall Security: pfSense provides an advanced firewall with stateful packet inspection, anti-spoofing, and more, for robust network protection. Versatile VPN Support: It supports multiple VPN protocols, including IPsec, OpenVPN, and WireGuard, enabling secure and flexible remote access configurations. High Availability and Redundancy: This service offers features like CARP (Common Address Redundancy Protocol) and pfsync to ensure network uptime and reliability through failover and redundancy setups. Traffic Shaping and QoS: This allows detailed control over network traffic, enabling the prioritization of critical services to maintain optimal performance and reduce congestion. Extensibility with Packages: This can be extended with a wide range of packages for additional features, such as Snort for intrusion detection, Squid for web caching, and more, tailoring the system to specific needs. AsusWRT-Merlin: Custom Firmware Powering ASUS Routers
AsusWRT-Merlin is a third-party firmware developed for select ASUS routers by Eric Sauvageau toimprove upon the original AsusWRT firmware without drastically altering its user experience or user interface. Retaining all original features while adding improvements, bug fixes, and occasional new ones; Eric Sauvageau leads the development of AsusWRT-Merlin with support from The Merlin Group, users, and developers who contribute to its ongoing maintenance and enhancement. Their efforts focus on stability, improved performance, and better customization possibilities across ASUS router models supported by this open-source firmware project. Using AsusWRT-Merlin can bring many advantages for users who appreciate open source's philosophy and its associated benefits: Improved Security: Regular updates from the Merlin Group may include security patches which make your router less susceptible to vulnerabilities discovered over time. Enhanced Features: The AsusWRT-Merlin includes additional features not found in its predecessor AsusWRT, such as DNS over HTTPS support (DoH), enhanced Quality of Service capabilities (QoS), and the option to monitor real-time bandwidth usage. Customizability Freedom: Fans looking to tailor their network according to specific needs will appreciate the various settings and tweaks available. Active Community Support: Our vibrant community works tirelessly on improvements and shares knowledge for troubleshooting and advanced configurations. Open Source Firmware Limitations AsusWRT-Merlin keeps users familiar with AsusWRT at ease since its GUI and overall design philosophy are the same as before, helping ease any learning curve. Open-source firmware such as this also comes with some restrictions users should be aware of: Warranty Concerns: Installing third-party firmware could void your device's manufacturer warranty; users should check their warranty terms before proceeding. Limited Support: While community support exists for using third-party firmware such as AsusWRT-Merlin, users will not receive official assistance from ASUS for issues caused by usingsuch third-party solutions. Compatibility and Stability: Not all routers can support third-party firmware, and while open-source firmware tends to be stable, poorly executed updates or incompatible configurations could create stability issues. Learning Curve: For less tech-savvy, understanding all the additional features and configuration options may take more effort than familiarising themselves with stock firmware's user-friendly setups. No Guarantee of Features: Unfortunately, Merlin may not support all the proprietary features found in AsusWRT; some features present may also sometimes be removed if they pose significant bugs or security risks. Although open-source firmware such as AsusWRT-Merlin may have disadvantages, many advanced users find the advantages far outweigh them, particularly its enhanced control and security features. Individuals looking to maximize the potential of their router will discover that this version provides a robust upgrade from the original AsusWRT, offering both familiarity with stock firmware and access to more sophisticated capabilities of fully open-source solutions. Making the Switch to Open-Source Firmware for Enhanced Network Security Transitioning to open-source firmware like AsusWRT-Merlin can be an important strategic move for users who prioritize network security. However, this endeavor must be carefully prepared to ensure a successful transition. Before making the change, you must verify whether or not the open-source firmware you've selected is compatible with your router model. Not all routers support all firmware installations; installing incompatible ones could result in functional severe issues or even brick your device. Once compatibility has been confirmed, backing up existing router settings as a protective measure can prevent data loss and help ensure smooth transition processes. As installation processes can differ between router models, it is wise to refer to an after-installing guide tailored specifically for your router model forafter-installation instructions and potential obstacles related to firmware upgrading processes. Such guides often offer step-by-step guidance and can help address common obstacles encountered during this process. The Bigger Picture The ASUS incident highlights the need for more proactive security measures in network hardware. By turning to open-source solutions, users can take advantage of collective approaches to security where vulnerabilities can be quickly identified and patched by an international community of developers. Transitioning to open-source software might initially appear daunting; however, spending the time and energy learning how to utilize these powerful tools can significantly boost both the security and efficiency of home or office networks. Open source network management represents more than software changes; it represents a wider trend toward transparency and community in cybersecurity—an essential aspect in today's increasingly interconnected society. . ASUS routers face critical vulnerabilities including firmware issues and default passwords, risking network security and unauthorized access for users.. ASUS Router Flaws, Open Source Alternatives, Network Security Enhancements. . Dave Wreski
Two critical vulnerabilities were recently discovered in the Linux kernel, which both received a National Vulnerability Database base score of 9.8 out of 10 due to how simple they are for attackers to exploit and their severe threat to impacted systems. . CVE-2023-45871 is a buffer overflow vulnerability due to improper validation of received frames larger than the set MTU size in the Intel(R) PCI-Express Gigabit (igb) Ethernet driver in the Linux kernel. CVE-2023-25775 exists because the InfiniBand RDMA driver in the Linux kernel does not properly check for zero-length STAG or MR registration. How Do These Vulnerabilities Affect Linux Systems? These impactful bugs could enable a remote attacker to escalate privilege via network access and execute arbitrary code or carry out denial of service attacks, leading to loss of system access. In the worst-case scenario, these bugs could allow attackers to obtain sensitive data or even gain complete control of an impacted system or network. What Can You Do to Stay Safe? Essential updates for the Linux kernel have been released to mitigate these critical flaws. Given these vulnerabilities’ severe threat to affected systems, if left unpatched, we urge all impacted users to apply the updates released by Mageia , Slackware , and Ubuntu as soon as possible. Doing so will protect against downtime and system compromise. To stay on top of essential updates released by the open-source programs and applications you use, register as a LinuxSecurity user , subscribe to our Linux Advisory Watch newsletter, and customize your advisories for your distro(s). This will enable you to stay up-to-date on the latest, most significant issues impacting the security of your systems. Follow @LS_Advisories on X for real-time updates on advisories for your distro(s) . . Critical weaknesses lead to threats of system overload and illicit entry, necessitating prompt patching of software.. Linux Kernel Issues, Buffer Overflow Risks, Denial ofService Attacks, Privilege Escalation, Security Updates. . Duane Dunston
In August 1991, Linus Torvalds, a student at the University of Helsinki, created an operating system that could be a free, open-source alternative to MINIX. He said about starting Linux , "Hello everybody out there using minix - I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu)..." . Little did Torvalds know, his hobby would become one of the most powerful systems only thirty years later, assisting billions of devices worldwide. This system, Linux, makes up almost 3.08% of all the operating systems used worldwide. As the backbone to a multitude of servers, workstations, kiosks, and other front-line devices throughout the globe, it is imperative for organizations to keep their Linux environments secure while running at all times. That's the ideal, but the reality isn't as simple, especially with over 1,050 cyber security vulnerabilities being detected in the Linux kernel in the last five years to date. This article will take a look at these network security threats and the best ways to approach and mitigate such issues. What Are Some Common Types of Linux Vulnerabilities? While Linux web application security vulnerabilities are a growing problem for admins and IT teams, it is of great importance to understand the common types of network security issues to be a step ahead in bolstering your system against them. Here are some Linux issues you should be familiar with: Denial of Service (DoS) Vulnerabilities As the name suggests, a Denial of Service (DoS) vulnerability is when exploits in cyber security carry out attacks that prevent the intended users from accessing their systems and services by shutting them down. Such attacks can prevent the account holders of a bank from accessing the bank's services, for example. DoS is generally achieved by overloading target systems with excessive traffic or sending them information that can potentially result in triggers, eventually causing a crash in data and network security. Further,this form of attack is classified into specific types based on the attack vector, such as Ping of Death, Buffer Overflow, Teardrop, and SYN Flood. Remote Code Execution (RCE) Vulnerabilities One of the most common types of cyber security vulnerabilities by far, Remote Code Execution (RCE) can result in attacks in network security that allow malicious code on target systems from afar. These bugs can cause full-scale cloud security breaches, allowing the attackers to gain full control over the exploited systems, thereby compromising entire web servers due to web application security vulnerabilities. Buffer Overflow Vulnerabilities Buffer overflows are yet another common form of Linux cyber security vulnerabilities that can cause arbitrary code execution in target systems, thereby paving the way for threat actors to gain unauthorized access to the network. This occurs when programs attempt to place data in a memory region past a buffer. Such exploits in cyber security are found in both web and application servers, as well as in custom web application code. Buffer overflow attacks in network security can be classified into two types. In stack-based buffer overflows, malicious code is sent to applications that store the data in a stack buffer. In heap-based buffer overflows, the malicious code floods the program's memory space, causing the heap memory data to be overwritten. Some of the other common web application security vulnerabilities affecting Linux systems include Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL Injection. Linux Vulnerabilities Over Time and Their Impact If we were to consider the earliest Linux virus ever discovered, we would have to begin with Staog , which was discovered in 1996. Over the years, as the kernel's security matured, so too did methods of exploits in cyber security. While Staog reportedly did not contain a critical payload to damage systems, the newer Linux cyber security vulnerabilities are much deadlier. Fromleakage of data and information to memory corruption in the affected systems, these network security threats can be incredibly harmful to an enterprise's security, as well as its normal operations. Here's a look at some of the most notorious Linux vulnerabilities discovered in the past. CVE-2022-47939 In the second half of 2022, Zero Day Initiative, which focuses on international software vulnerabilities, identified this network security threat in the ksmbd file server module of the Linux kernel. This problem was rated to be of Critical severity, owing to its CVSSv3 score of 10.0. Primarily related to the faulty use of dynamic memory allocation, or use-after-free vulnerability , it allowed unauthenticated, remote threat actors to execute code on systems that had ksmbd enabled. Fortunately, this bug could not spread its talons and cause much destruction since ksmbd was disabled by default in most Linux distros. However, certain versions of Debian and Ubuntu were affected by the bug but had the fixes released in the subsequent versions. CVE-2022-25636 Another one of these high-severity cyber security vulnerabilities was made public in February 2022 after it affected the Linux kernel by leveraging a heap out-of-bounds write error, particularly in nft_fwd_dup_netdev_offload in net/netfilter/nf_dup_netdev.c , a netfilter subcomponent of the kernel that enables the implementation of various networking-related operations. Typically, out-of-bounds errors occur in software in case the program writes a code outside its allocated memory area. This vulnerability affected Red Hat Linux patching versions 8.3 and above, as well as certain Debian upgrades, eventually leading to system crashes or elevation of privileges. CVE-2022-0847 Also discovered in 2022, keeping Linux IT administrators busy, Dirty Pipe is another vulnerability that focused on the escalation of local privileges in Linux kernel versions 5.8 and above. Threat actors could overwrite files with justread-only permissions, which means malicious applications could gain full control over the system. Primarily affecting Android devices, Dirty Pipe was assigned a high severity rating to its CVSSv3 score of 7.8. The name of this network security threat derives from how this breach reads, writes, and distributes data via pipes. So, by leveraging the Dirty Pipe vulnerability, malicious actors can instigate exploits in cyber security to modify data in the system files. CVE-2021-4034 The last of the Linux cyber security vulnerabilities we will discuss is Polkit , an authentication framework that controls system-wide privileges, seeking to elevate them for threat actors. This network security threat, with a CVSSv3 score of 7.8 ( high severity), was detected in the pkexec application. First detected in 2022, this vulnerability managed to stay hidden for over 12 years, even though it affected all versions of pkexec since its initial release in May 2009. This vulnerability affected several popular Linux distros, such as Debian, Fedora, CentOS, and even Ubuntu, and threat actors were able to obtain full root privileges on the default installations of these distros. CVE-2024-26592 and CVE-2024-26594 CVE-2024-26592 and CVE-2024-26594 are vulnerabilities affecting the Linux KSMBD file server. An unauthenticated attacker could use the CVE-2024-26594 ksmbd file server module vulnerability to access sensitive data. When combined with CVE-2024-26592, this ksmbd file server module vulnerability allows the execution of arbitrary code in the kernel, though an unauthenticated, remote attacker could also exploit CVE-2024-26592 directly. Successful exploitation of these vulnerabilities could significantly compromise a targeted system's availability, confidentiality, and integrity. Linux systems running ksmbd are especially susceptible to these flaws; taking over an entire file server appliance could seriously affect everything connected to your network. How Can I Safeguard MyLinux-Based Network from Exploits & Vulnerabilities? As enterprises’ digital footprint grows, so do the network security threats and web application security vulnerabilities that can result in various problems. A slight slip or a little oversight, and the next thing you know, your data and network security are facing an attack from cybercriminals. Hence, it is of paramount importance to strategize and develop proactive measures to fend off these cyber security vulnerabilities and attacks in network security. Below are some tips and best practices to follow to secure your Linux-based network and systems. Leverage Linux Kernel Lockdown Restricting access to the features and data structures of the Linux kernel by leveraging Linux Kernel lockdown is one of the most powerful ways to secure Linux systems. Once enabled, this prevents: Any unprivileged access to the Linux systems and their kernel memory. Unsigned kernel modules from being loaded. Secure boot restrictions from being overridden. Regularly Audit Open Ports Ports are the most essential component for all Internet-facing activities. However, they are also one of the easiest doorways for threat actors to creep in and instigate exploits in cybersecurity in the case that these ports are left open unintentionally or accidentally. Some common causes of this mistake are when an admin opens a specific port to perform an action but forgets to close it, or when installed software changes the firewall configuration and keeps certain ports open. Hence, it is highly important to perform port audits at regular intervals to check for open ports and close the ones that aren't supposed to be left open immediately to protect your data and network security. Perform Regular Security Audits Performing regular audits is one of the most foolproof ways to secure your Linux network. By using the Linux Auditing System, admins can audit the kernel and collect important logs on system activities. These logs provideadmins with critical insights into the data and network security and stability of their systems. Ensure Timely Patching of Your OS & software When it comes to fending off cybersecurity vulnerabilities in your network, patch management for your operating system and third-party applications is always a prerequisite. The above-mentioned instances of web application security vulne rabilities in Linux stand as proof that networks are in danger, not just from third-party data and network security issues but also from the ones camping in the kernel. With problems growing at an alarming pace over the years, manually scanning the network for vulnerable distros or third-party applications is just the final nail in the coffin. Combating this exponential growth demands automation—specifically, an automated patch management software that scans the network, detects vulnerable components, and deploys mitigations almost instantaneously. ManageEngine Patch Manager Plus checks all the boxes when it comes to safeguarding your network from Linux cyber security vulnerabilities, be it applications or the operating system as a whole. Right from a single console, this solution lets you automate the patching process for your data and network security and deploy patches to all major Linux distros as well as Windows, macOS, and over850 third-party applications. What's more? Integrating a third-party vulnerability scanning solution, such as Tenable, is easy-breezy with Patch Manager Plus, enabling real-time vulnerability monitoring and mitigation across the entire network. Don't take our word for it. Try out the fully functional,30-day free trial of Patch Manager Plus, and see how easy it can be to thwart Linux cyber security vulnerabilities in your network. Final Thoughts on Protecting Against Linux Vulnerabilities Securing your Linux systems against the plethora of cybersecurity vulnerabilities that exist is no longer a choice but a necessity. To sum up, there isn't just a single antidote to Linuxnetwork security issues. Rather, it is a set of proactive measures that include kernel hardening, constant data and network security monitoring, audits of misconfigurations and open ports in the network, and regular patch deployments to keep systems updated. To better secure your network via proactive security patching, you can take a look at the Linux patching best practices for automating Linux systems security deployment. . Linux has evolved significantly in security, facing threats as its popularity surged. Proactive strategies, regular updates, and user education are crucial for safeguarding against risks. Linux Threats, Network Strategies, Cyber Security Best Practices. . Brittany Day
The popularity of web applications is constantly growing as businesses and corporations host several services through them. However, as companies utilize web applications, they still face the threat of cybersecurity vulnerabilities. . Web application security vulnerabilities refer to any flaws in your system that hackers may exploit to obtain unauthorized access, run malicious code, install malware, and perhaps steal sensitive information. Remediating these attacks on network security could be near impossible, especially since most small businesses, corporations, and even daily users lack the resources to fix several network security issues at a time. As network security threats become a critical risk for every company, it is valuable to have an expansive range of security knowledge to prevent carelessness from being the cause of application layer web application security issues. In general, a vulnerability scanner will scan your environment and compare it to a vulnerability database or a list of known flaws. However, in order to grasp what cybersecurity threats and vulnerabilities you may be facing, it is best to start with the basics. Throughout this article, we will go through the fundamentals of web application security vulnerabilities and how they may or may not be affecting your system. What Are the Vulnerability Basics I Should Know? Buffer Overflow To correctly manage Linux buffer overflow vulnerabilities to prevent buffer overflow attacks, you should first understand what they are, the threats they pose to your applications, and the exploits that cybersecurity attackers utilize in their tactics. A buffer overflow attack occurs when a program attempts to put more data in a buffer than it can store or a program tries to place data in a memory region past a buffer. In doing so, this can destroy the application and possibly trigger the execution of malicious code, allowing cybercriminals to gain unauthorized access to systems and networks. Although buffer overflow is a well-knownnetwork security threat, it continues to pose a risk to both companies and small organizations. Attackers use a buffer overflow to corrupt a web application’s execution stack, execute arbitrary code, and take over a machine. Flaws in buffer overflows can exist in both application servers and web servers, especially web applications that use libraries like graphics libraries. Buffer overflows can also exist in custom web application codes. Types of Buffer Overflow Cybersecurity Vulnerabilities According to OWASP, there are two types of Linux buffer overflow vulnerabilities: A Stack-based buffer overflow attack occurs when an attacker sends data containing malicious code to an application, which stores the data in a stack buffer. This overwrites the data on the stack to give the attacker transfer control. A Heap-based buffer overflow attack specifically targets the heap. It involves flooding a program’s memory space beyond the memory it uses so the data in the heap can be overwritten to exploit aspects of the programming. Once this is completed, an attacker can grant themselves access to edit the software. DoS Basics A DoS attack, or Denial of Service attack, is a cloud security breach meant to shut down a machine or network so it and its services are inaccessible to intended users. DoS attacks flood the target with traffic or send the target information that triggers a crash. In both instances, the DoS attack deprives legitimate users, such as employees or account holders, of the service. Thankfully, when it comes to DoS attacks, the remediation process is quicker since they are easier to block and trace, as only a single device is in play. Types of DoS Attacks There are a variety of DoS attack types to keep in mind: Buffer Overflow : Buffer Overflow attacks, as listed above, are a common type of DoS attack that relies on sending an amount of traffic to a network resource that exceeds the default processing capacity of the system. Ping of Death : Also knownas ICMP Flood and Smurf Attack, the Ping of Death involves attackers sending spoofed, enlarged, or malicious packets that ping every computer on the targeted network. The target responds and becomes flooded with responses from the malicious packet. When an attacker sends a packet larger than that size, the target system will break it down into smaller-sized packets, allow the packets through, and when it gets pieced back together, it causes a buffer overflow, which can cause the machine to freeze or crash. SYN Flood : A SYN Flood attack exploits the TCP handshake. The attacker sends a SYN message, and the handshake is left incomplete either because the server does not acknowledge the SYN message or because it sent back a SYN/ACK message and the attacker never answered. Doing this leaves the connected host in an occupied status and unavailable to take further requests. Attackers will increase the number of requests, populating all open ports and preventing anyone from connecting to the network. Teardrop : In a Teardrop attack, IP data packet fragments are sent to the target network, which then reassembles the fragments into the original packet. The process of reassembling these fragments exhausts the system and it ends up crashing. In some cases, attackers might even try to find a TCP/IP vulnerability to do the same thing. Ultimately, the server is unable to reassemble these packets, causing an overload. SQLi Attacks SQL Injection is a type of injection attack that makes it possible to execute malicious SQL statements that can control a database server behind web applications. Attackers can use SQL Injection on cybersecurity vulnerabilities to bypass security measures in a system. SQLi interferes with the queries that get sent to the database, such as modifying or deleting data, and can cause persistent changes to an application's behavior. Scanning for SQLi vulnerabilities is a must to make sure that important information is not accessed and to be able to reinforce your server and mitigateSQLi attacks in network security. There are many different situational SQLi attacks, and threat actors can: Retrieve hidden data to modify an SQL query and return additional results and data that would not be normally available otherwise Change application logic by changing a query to interfere with the app Perform a UNION attack where it is possible to retrieve data from different database tables using the UNION SQL selector Execute a Blind SQL injection, one of the most well-known SQLi attacks, where the results of a query you control are not returned Cross-Site Scripting (XSS) Cross-site scripting (XSS) targets application users by inserting code, typically client-side like JavaScript, into the output of an online application. The principle of XSS is to change client-side scripts of a web application so that they run in the way that the attacker wishes. XSS enables attackers to run scripts in the victim's browser, allowing them to hijack user sessions or possibly cause redirects, sending users to malicious sites. Since XSS allows unauthenticated users to execute code in trusted users' browsers and access certain types of data, XSS web application security vulnerabilities also allow attackers to intercept and control data from users. This can lead to an attacker taking control of a site or an application if an administrative or elevated user is targeted. Ultimately, when it comes to XSS, there are two things to remember: The web application is not the target - the user is Attackers plan to manipulate these users by injecting malicious code Cross-Site Request Forgery (CSRF) Cross-Site Request Forgery is in the OWASP Top 10 Web Application Security Vulnerabilities list. CSRF is a malicious attack that tricks a user into executing an act they did not plan to do. The attacker then can gain access through the victim's already established browser. Web applications like email clients, Facebook, Instagram, and online banking applications can be targets. Attacks trickusers by having them log in or change their email addresses in order to gain information on their credentials. If you have input a login and have the information saved for the future, the attacker can take those credentials and redirect your browser to input money into other websites without your knowledge. Remote Code Execution Remote Code Execution (RCE) cybersecurity vulnerabilities allow an attacker to execute arbitrary code from a remote device and place it onto a computer. RCE network security issues can lead to attacks that range from malware executions to threat actors obtaining full control over a compromised machine. A Remote Code Execution Attack can lead to a full-scale network security threat that could harm an entire web application and web server. RCE could also lead to privilege escalation, network pivoting, and establishing persistence. Why Are the Basics Important? It is valuable to understand any web application security vulnerabilities you may encounter because they form the backbone for attacks in network security, whether well-known or not. Having this knowledge gives you a larger understanding of the threats you face. You must be educated on what these web application security vulnerabilities are, how they can be used in attacks, and different scenarios in which an attacker might use these exploits in cybersecurity so that you can fight attacks and better prepare your company for any risks. Our Final Thoughts on Vulnerability Basics Educating yourself and your team on basic cybersecurity vulnerabilities is essential to being able to mitigate these attacks in network security. To better understand network security threats, it might be helpful to implement a daily vulnerability scanner to minimize the amount of security flaws your applications might have. Make sure to read our Complete Guide to Using Wapiti Web Vulnerability Scanner to get an idea of how we can assist you with your data and network security. . Web application security vulns involve flaws hackersexploit for unauthorized access, risk management, and mitigation.. popularity, applications, constantly, growing, businesses, corporations. . Brian Gomez
Several critical and high-severity network security issues, including multiple use-after-free and stack-based buffer overflow cybersecurity vulnerabilities, were discovered in the Linux kernel. These network security threats could lead to Denial of Service (DoS) attacks, privilege escalation, or the execution of arbitrary code. This article will discuss the Linux kernel issue’s discovery, impact, and protection opportunities. . The Discovery & The Impact The most serious network security issues recently discovered in the Linux kernel are the following critical cybersecurity vulnerabilities: A “use-after-free” vulnerability affecting the function “area_cache_get” of the file “drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c” of the component IPsec ( CVE-2022-3545 ). A “use-after-free” vulnerability affecting the function “l2cap_conn_del” of the file “net/bluetooth/l2cap_core.c” of the component Bluetooth ( CVE-2022-3640 ). A stack overflow flaw in the SYSCTL subsystem, how a user changes certain kernel parameters and variables ( CVE-2022-4378 ). A “use-after-free” vulnerability that can be exploited to achieve local privilege escalation ( CVE-2023-0461 ). To reach the vulnerability kernel configuration flag, “CONFIG_TLS” or “CONFIG_XFRM_ESPINTCP” has to be configured, but the operation does not require any privilege. There is a “use-after-free” bug, “icsk_ulp_data” of a struct “inet_connection_sock.” When CONFIG_TLS is enabled, the user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege. A local attacker could exploit these bugs to cause Denial of Service attacks in network security, escalate privileges, or possibly execute arbitrary code. This impacts: linux: Linux kernel linux-aws: Linux kernel for Amazon Web Services (AWS) systems linux-dell300x: Linux kernel for Dell 300x platforms linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems linux-oracle: Linux kernel for Oracle Cloud systems How Can I Secure My Systems Against Cybersecurity Vulnerabilities? An important kernel security update was released recently, and it fixes these dangerous bugs. Distros have released security advisories for these cybersecurity vulnerabilities, providing instructions on how users can update their systems to protect against them. LinuxSecurity Founder Dave Wreski warns, “We urge all impacted users to update now to protect against attacks leading to downtime and compromise. Patching is an easy and effective way to mitigate the risk of an adversary exploiting these issues to halt productivity and potentially harm your critical systems.” Be sure to register as a LinuxSecurity user , then subscribe to our Linux Advisory Watch newsletter and customize your advisories for the distro(s) you use to stay up-to-date on the latest, most significant network security issues impacting your systems so you can improve security posture as quickly as possible. Follow @LS_Advisories on X for real-time updates on advisories for your distro(s). . Essential security patches for the Linux kernel tackle serious vulnerabilities such as memory leaks and denial-of-service threats.. Linux Kernel Security, DoS Mitigation, Code Execution Risks, Use-After-Free, Cybersecurity Updates. . Brittany Day
Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities. . Introduction Buffer overflow vulnerabilities are one of the most common vulnerabilities. These kinds of vulnerabilities are perfect for remote access attacks because they give the attacker a great opportunity to launch and execute their attack code on the target computer. Broadly speaking, a buffer overflow attack occurs when the attacker intentionally enters more data than a program was written to handle. The data runs over and overflows the section of memory that was set aside to accept it. The extra data overwrites on top on another portion of memory that was meant to hold something else, like part of the program's instructions. This allows an attacker to overwrite data that controls the program and can takeover control of the program to execute the attacker's code instead of the program. Peikari and Chuvakin point out that, "buffer overflows result from an inherent weakness in the C++ programming language." (Peikari and Chuvakin, 2004) The problem is that C++ and other programming languages (those derived from C++), do not automatically perform bounds-checking when passing data. When variables are passed, extra characters could be written past the variable's end. The overflow consequence could result in the program crashing or allowing the attacker to execute their own code on the target system. Buffers In order to make sense of how a buffer is overflowed, one must understand what a buffer is. A program contains code that accesses variables stored in various locations in memory. When a program is executed, a specific amount of memory is assigned for each variable. The amount of memory is determined by the type of data the variable is anticipated to hold. The memory set aside is used to store information that the program needs forits execution. According to Peikari and Chuvakin , "The program stores the value of a variable in this memory space, then pulls the value back out of memory when it's needed." (Peikari and Chuvakin, 2004) A buffer is this virtual space. Buffer Overflow In exploiting the buffer overflow vulnerability, the main objective is to overwrite some control information in order to change the flow of control in the program. The usual way of taking advantage of this is to modify the control information to give authority to code provided by the attacker to take control. According to Shaneck, "The most widespread type of exploit is called 'Smashing the Stack' and involves overwriting the return address stored on the stack to transfer control to code placed either in the buffer, or past the end of the buffer." (Shaneck, 2003) The stack is a section of memory used for temporary storage of information. In a stack-based buffer overflow attack, the attacker adds more data than expected to the stack, overwriting data. Farrow explains this in an example, "Let's say that a program is executing and reaches the stage where it expects to use a postal code or zip code, which it gets from a Web-based form that customers filled out." (Farrow, 2002) The longest postal code is fewer than twelve characters, but on the web form, the attacker typed in the letter "A" 256 times, followed by some other commands. The data overflows the buffer allotted for the zip code and the attacker's commands fall into the stack. After a function is called, the address of the instruction following the function call is pushed onto the stack to be saved so that the function knows where to return control when it is finished. A buffer overflow allows the attacker to change the return address of a function to a point in memory where they have already inserted executable code. Then control can be transferred to the malicious attack code contained with the buffer, called the payload (Peikari and Chuvakin, 2004). The payload is normally a command toallow remote access or some other command that would get the attacker closer to having control of the system. As Holden explains, "a computer is flooded with more information than it can handle, and some of it may contain instructions that could damage files on the computer or disclose information that is normally protected- or give the hacker root access to the system." (Holden, 2004) Countermeasures The best defense against any of these attacks is to have perfect programs. In ideal circumstances, every input in every program would do bounds checks to allow only a given number of characters. Therefore, the best way to deal with buffer overflow problems is to not allow them to occur in the first place. Unfortunately, not all programs are perfect and some have bugs that permit the attacks discussed in this paper. As described by Farrow, "because programs are not perfect, programmers have come up with schemes to defend against buffer overflow attacks." (Farrow, 2002) One technique entails enforcing the computer to use the stack and the heap for data only and to never to execute any instructions found there. This approach can work for UNIX systems, but it can't be used on Windows systems. Farrow describes another scheme using a canary to protect against buffer overflows, but only the kind that overwrite the stack. (Farrow, 2002) The stack canary protects the stack by being put in sensitive locations in memory like the return address (that tells the computer where to find the next commands to execute after it completes its current function). As described by Farrow, "before return addresses get used, the program checks to see if the canary is okay." (Farrow, 2002) If the canary has been hit, the program then quits because it knows that something has gone wrong. As a user of the programs, the best countermeasure is to make sure your systems are fully patched in order to protect yourself from exploits targeting vulnerabilities. Conclusion Buffer overflow vulnerabilities are one of the mostcommon vulnerabilities and are likely to continue to be a problem for a long time. One main problem is that C++ and other programming languages do not automatically perform bounds-checking when passing data. However, enforcing secure coding practices will be helpful to any future code. As a user, the best thing to do is to take away the ability for the vulnerability to be exploited by knowing what programs are in use and keeping patches up to date. References Farrow, R. (2002), "Foundations: What Are Buffer Overflows?", Security Fundamentals | WatchGuard Technologies Holden, G. (2004), Guide to Firewalls and Network Security, Thomson Course Technology, pp. 255. Peikari, C. and Chuvakin, A. (2004), Security Warrior, O'Reilly & Associates, Inc. pp. 161-167 Shanech, M (2003), "An Overview of Buffer Overflow Vulnerabilities and Internet Worms", Security Focus, (2004), Erica is currently a student at the University of Louisville majoring in Computer Information Systems. . Introduction Buffer overflow vulnerabilities are one of the most common vulnerabilities. These kinds. buffer, overflows, leading, security, vulnerability, paper, explains. . Erica R. Thomas
A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. . By: Suhas Desai Buffer overflows are a fertile source of bugs and malicious attacks. They occur when a program attempts to write data past the end of a buffer. A buffer is a contiguous allocated chunk of memory, such as an array or pointer in C. Limitation of C and C++ is there are no automatic bounds checking on the buffer where user can write past a buffer as given in example. Note: All examples are compiled on Linux platform having x86 configuration. int main () { int buffer [10]; buffer[20]=10; } After execution of this program it won’t give errors but program attempts to write beyond the allocated memory for the buffer which results for unexpected output. Example: void function (char *str) { char buffer[16]; strcpy(buffer,str); } int main() { char *str=”I am greater than 16 bytes”; function(str); } This program is guaranteed to cause unexpected behavior, because a string (str) of 27 bytes has been copied to a location (buffer) that has been allocated for only 16 bytes. The extra bytes run past the buffer and overwrite the space allocated for the FP, return address and so on. This corrupts the process stack. The function used to copy the string is strcpy, which completes no checking of bounds. Using strncpy would have prevented this corruption of the stack. Example: int main() { char buff[15]={0}; printf(“Enter your name:”); scanf(buff,”%s”); } In this example, program reads a string from the standard input but does not check strings length. If the string has more than 14 characters, then it causes a buffer overflow as scanf() tries to write the remaining characterpast buff’s end. Note: One character is always reserved for a null terminator. The result is most likely a segmentation fault that crashes the program .In certain conditions, the users will receive a shell’s prompt after the crash. Even if the shell has restricted privileges, they can examine the values of environment variables; list the current directory files to detect the network with the pig command. Writing Buffer Overflow exploits: 1. Example of an exploitable program - Lets assume that we exploit a function like this: void lame (void) { char small[30]; gets (small); printf("%sn", small); } main() { lame (); return 0; } Compile and disassemble it: # cc -ggdb program.c -o program /tmp/cca017401.o: In function `lame': /root/program.c:1: the `gets' function is dangerous and should not be used. # gdb program /* short explanation: gdb, the GNU debugger is used here to read the binary file and disassemble it (translate bytes to assembler code) */ (gdb) disas main Dump of assembler code for function main: 0x80484c8 : pushl %ebp 0x80484c9 : movl %esp,%ebp 0x80484cb : call 0x80484a0 0x80484d0 : leave 0x80484d1 : ret (gdb) disas lame Dump of assembler code for function lame: /* saving the frame pointer onto the stack right before the ret address */ 0x80484a0 : pushl %ebp 0x80484a1 : movl %esp,%ebp /* enlarge the stack by 0x20 or 32. our buffer is 30 characters, but the memory is allocated 4byte-wise (because the processor uses 32bit words) this is the equivalent to: char small[30]; */ 0x80484a3 : subl $0x20,%esp /* load a pointer to small[30] (the space on the stack, which is located at virtual address 0xffffffe0(%ebp)) on the stack, and call the gets function: gets(small); */ 0x80484a6 : leal 0xffffffe0(%ebp),%eax 0x80484a9 : pushl %eax 0x80484aa : call 0x80483ec 0x80484af : addl $0x4,%esp /* load the address of small and the address of "%sn" string on stack and call the print function: printf("%sn", small); */ 0x80484b2 : leal 0xffffffe0(%ebp),%eax 0x80484b5 : pushl %eax 0x80484b6 : pushl $0x804852c 0x80484bb : call 0x80483dc 0x80484c0 : addl $0x8,%esp /* get the return address, 0x80484d0, from stack and return to that address. you don't see that explicitly here because it is done by the CPU as 'ret' */ 0x80484c3 : leave 0x80484c4 : ret End of assembler dump. 1.a. Overflowing the program # ./program xxxxxxxxx
Get the latest Linux and open source security news straight to your inbox.