Amazon AWS S3 outage is breaking things for a lot of websites and apps


Amazon’s S3 web-based storage service is experiencing widespread issues, leaving websites, apps and devices that rely on it partially or fully broken. The AWS offering hosts images for a lot of sites, hosts entire websites, and backs app services including Nest.

The S3 outage is due to “high error rates with S3 in US-EAST-1,” according to Amazon’s AWS service health dashboard, which is where the company also says it’s working on “remediating the issue,” without initially revealing any further details.

Affected websites and services include Quora, newsletter provider Sailthru, Business Insider, Giphy, image hosting at a number of publisher websites, file sharing in Slack, and many more. Connected lightbulbs, thermostats and other IoT hardware are also affected, with many users unable to control these devices as a result of the outage.

Amazingly, even the status indicators on the AWS service health dashboard rely on S3 to store their health-marker graphics, which is why the page still shows all services green despite obvious evidence to the contrary.

We’re monitoring the situation and will provide more info as it becomes available.

Source: https://techcrunch.com/2017/02/28/amazon-aws-s3-outage-is-breaking-things-for-a-lot-of-websites-and-apps/


Serious Bug Exposes Sensitive Data From Millions Sites Sitting Behind CloudFlare


A severe security vulnerability has been discovered in the CloudFlare content delivery network that has caused big-name websites to expose private session keys and other sensitive data.

CloudFlare, a content delivery network (CDN) and web security provider that fronts more than 5.5 million websites to improve their security and performance, is warning its customers of a critical bug that could have exposed a range of sensitive information, including passwords, and the cookies and tokens used to authenticate users.

Dubbed Cloudbleed, the flaw takes its name from the Heartbleed bug discovered in 2014, and some consider it worse than Heartbleed.

The vulnerability is so severe that it not only affects websites on the CloudFlare network but affects mobile apps as well.

What is Cloudbleed?

Discovered by Google Project Zero security researcher Tavis Ormandy about a week ago, Cloudbleed is a major flaw in Cloudflare’s edge infrastructure that leaks private session keys and other sensitive information belonging to websites hosted behind Cloudflare.

CloudFlare acts as a proxy between the user and the web server: it caches content for websites that sit behind its global network and lowers the number of requests reaching the origin server by serving and rewriting content on Cloudflare’s edge servers for optimization and security.

Almost a week ago, Ormandy discovered a memory-disclosure bug (a buffer over-read) in Cloudflare’s edge servers: they were running past the end of a buffer and returning memory containing private data such as HTTP cookies, authentication tokens and HTTP POST bodies, some of which had already been cached by search engines.

“I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings,” Ormandy wrote in a blog post that was also published Thursday. “We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”

According to Ormandy, Cloudflare had code in its “ScrapeShield” feature that did something similar to this:

/* The obfuscator rewrites CachedPage into OutputBuffer and returns the number of bytes it produced. */
int Length = ObfuscateEmailAddressesInHtml(&OutputBuffer, CachedPage);
/* write() takes its length as an unsigned size_t: a negative return value is never checked here
   and becomes an enormous length, so bytes far beyond OutputBuffer are sent to the client. */
write(fd, OutputBuffer, Length);

But the company was not checking whether the obfuscation parser returned a negative value when fed malicious HTML.

Cloudflare’s “ScrapeShield” feature parses and obfuscates HTML, and because the reverse proxies are shared among customers, memory belonging to one customer’s traffic could end up in responses served to any other customer’s visitors.

Ormandy contacted Cloudflare with his findings. The company identified the cause of the issue and immediately disabled three minor Cloudflare features, Email Obfuscation, Server-Side Excludes and Automatic HTTPS Rewrites, that all used the same HTML parser chain responsible for the leak.

Before reporting it, Ormandy had observed encryption keys, passwords, cookies, chunks of POST data and full HTTPS requests from other users of other major Cloudflare-fronted websites.

Because CloudFlare had patched the issue but had not notified customers of the data leak by Wednesday, Ormandy made his findings public on Thursday, in line with Project Zero’s seven-day policy for vulnerabilities under active exploitation.

Following Ormandy’s public disclosure of the vulnerability on Thursday, CloudFlare confirmed the flaw, assuring its customers that their SSL private keys were not leaked.

“Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug,” Cloudflare CTO John Graham-Cumming wrote in a blog post. “The bug was serious because the leaked memory could contain private information and because it had been cached by search engines.”

“We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information,” he added. “We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”


The Root Cause of Cloudbleed:

The root cause of the Cloudbleed vulnerability was that “reaching the end of a buffer was checked using the equality operator and a pointer was able to step past the end of the buffer.”

“Had the check been done using >= instead of == jumping over the buffer end would have been caught,” said Graham-Cumming.
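The following is an added illustration of that == versus >= end-of-buffer check; it is not Cloudflare’s code. It uses a toy scanner that consumes an HTML entity reference such as “&lt” as one three-byte token, so a page that ends in a truncated entity pushes the parse pointer past the end marker. The page content, the neighbouring bytes and the “cookie” secret are all constructed, and they are placed in one backing array so that the overread stays inside defined memory here; on a real proxy it reads whatever happens to follow the buffer on the heap.

```c
#include <stdio.h>
#include <string.h>

/* Constructed input: a 6-byte "page" immediately followed in memory by
 * bytes that stand in for another tenant's data on the proxy's heap. */
static const char backing[] = "<b>x&lcookie=deadbeef; path=/";
enum { PAGE_LEN = 6 };                    /* "<b>x&l" */

/* Toy HTML scanner (an assumption, not the real generated parser). An
 * entity reference is consumed as a single three-byte token, so a page
 * ending in the truncated entity "&l" advances p two bytes past pe.
 * With `p == pe` as the stop condition the overshoot is never noticed and
 * copying continues into the neighbouring memory; `p >= pe` catches it. */
static size_t scan(const char *p, const char *pe, int strict,
                   char *out, size_t outcap)
{
    size_t n = 0;
    while (n < outcap) {
        int at_end = strict ? (p >= pe) : (p == pe);
        if (at_end || *p == '\0')
            break;
        if (*p == '&') {                  /* entity: emit marker, skip 3 */
            out[n++] = '&';
            p += 3;
        } else {
            out[n++] = *p++;
        }
    }
    return n;
}

/* Runs the scanner over the page with the buggy (strict == 0) or fixed
 * (strict == 1) end check; returns the length of the NUL-terminated output. */
size_t run_scan(int strict, char *out, size_t outcap)
{
    size_t n = scan(backing, backing + PAGE_LEN, strict, out, outcap - 1);
    out[n] = '\0';
    return n;
}

/* 1 if the emitted output carries bytes from beyond the page, else 0. */
int leaks_neighbour(int strict)
{
    char out[64];
    run_scan(strict, out, sizeof out);
    return strstr(out, "deadbeef") != NULL;
}

int main(void)
{
    char out[64];
    run_scan(0, out, sizeof out);
    printf("== check : \"%s\"\n", out);   /* leaks the neighbouring cookie */
    run_scan(1, out, sizeof out);
    printf(">= check : \"%s\"\n", out);   /* stops at the page boundary */
    return 0;
}
```

The fix is a one-character change to the comparison, which is why the defect survived so long: nothing crashes, the parser simply keeps emitting whatever lies after the buffer until it reaches a byte that terminates the loop.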

Cloudflare has also confirmed that the greatest period of impact was between February 13 and February 18 with almost one in every 3,300,000 HTTP requests via Cloudflare potentially resulting in memory leakage, which is about 0.00003% of requests.

However, Ormandy argued that Cloudflare was downplaying the impact: based on Google’s cached data, the Cloudbleed vulnerability had been leaking for months.

How Does Cloudbleed Affect You?

Many Cloudflare services parse HTML pages and modify them on Cloudflare’s edge servers, so any site that had one of those features enabled was exposed.

Even if you do not use CloudFlare directly, you are not necessarily spared. Websites you visit and web services you use may have been affected, leaking your data as well.

Of course, if you are using Cloudflare services in front of your site, the flaw could impact you, exposing sensitive information that flowed between your servers and end-users through CloudFlare’s proxies.

While CloudFlare rapidly patched the bug and has said the actual impact is relatively minor, data had been leaking constantly before the fix, for months.

Some of this leaked data was publicly cached by search engines such as Google, Bing and Yahoo, which have since removed it, but some engines such as DuckDuckGo still hosted that data at the time of writing.

Other leaked data may also persist in other services and caches across the Web, and deleting it from every such location is impossible.

Cloudbleed Also Affects Mobile Apps

Cloudbleed also affects mobile apps, because, in many cases, the apps are designed to make use of the same backends as browsers for content delivery and HTTPS (SSL/TLS) termination.

Users on Hacker News (Y Combinator) have confirmed the presence of HTTP header data for apps such as Discord, FitBit and Uber by searching DuckDuckGo caches with targeted search terms.

In an analysis conducted by NowSecure, researchers identified some 200 iOS apps using Cloudflare services in a sample of some 3,500 of the most popular apps on the App Store.

Someone may have discovered this vulnerability before Tavis and actively exploited it, although there is no evidence to support this theory.

Some of Cloudflare’s major customers affected by the vulnerability included Uber, 1Password, FitBit and OKCupid. However, in a blog post, 1Password assured its users that no sensitive data was exposed because its data is encrypted end-to-end with the user’s own keys, independently of the TLS session that Cloudflare terminates, so what passed through the proxies was already ciphertext.

However, a list of websites that have potentially been impacted by this bug has been published on GitHub by a user who goes by the name ‘pirate’; it includes CoinBase, 4Chan, BitPay, DigitalOcean, Medium, ProductHunt, Transferwise, The Pirate Bay, Extra Torrent, BitDefender, Pastebin, Zoho, Feedly, Ashley Madison, Bleeping Computer, The Register, and many more.

Since CloudFlare has not yet provided a list of affected services, bear in mind that this list is not comprehensive.

What should You do about the Cloudbleed bug?

Online users are strongly advised to reset their passwords, especially for any accounts where a password has been reused across sites, and to monitor account activity closely while cleanup is underway.

Moreover, customers who use Cloudflare in front of their websites are advised to force a password change for all of their users and, since cookies and tokens were among the leaked data, to invalidate existing sessions and rotate API tokens as well.

Update: An Uber representative reached out to me via email and said their investigation revealed that the CloudBleed bug exposed no customer passwords. Here is the statement provided by Uber:

“Very little Uber traffic actually goes through Cloudflare, so only a handful of tokens were involved and have since been changed. Passwords were not exposed.”


11-Year Old Linux Kernel Local Privilege Escalation Flaw Discovered


Another privilege-escalation vulnerability has been discovered in the Linux kernel. It dates back to 2005 and affects all major Linux distributions, including Red Hat, Debian, openSUSE and Ubuntu.

The decade-old kernel bug (CVE-2017-6074) was discovered by security researcher Andrey Konovalov in the DCCP (Datagram Congestion Control Protocol) implementation using syzkaller, a kernel fuzzing tool released by Google.

The vulnerability is a use-after-free flaw in the way the Linux kernel’s “DCCP protocol implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket.”

The DCCP bug is a double free of that SKB, which leaves a dangling reference to freed kernel memory (hence the use-after-free). It could allow a local unprivileged user to alter Linux kernel memory, enabling them to cause a denial of service (system crash) or escalate privileges to gain administrative access on the system.

“An attacker can control what object that would be and overwrite its content with arbitrary data by using some of the kernel heap spraying techniques. If the overwritten object has any triggerable function pointers, an attacker gets to execute arbitrary code within the kernel,” reads the mailing-list disclosure of the vulnerability.
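The following is an added userland model of the bug class described above; it is not kernel code and does not reproduce the DCCP state machine. It assumes the shape of the kernel fix, in which the request path’s unconditional free of the socket buffer was replaced by a reference-counted release: with IPV6_RECVPKTINFO set a second holder keeps a reference to the same buffer, so releasing it unconditionally and then again via that holder frees it twice. The model records releases in a flag instead of actually reusing memory, so it can observe the double free without invoking undefined behaviour.

```c
#include <stdlib.h>
#include <string.h>

/* Model of a socket buffer: a reference count (skb->users in the kernel)
 * plus bookkeeping for this illustration only. */
struct skb {
    int users;          /* reference count */
    int released;       /* model bookkeeping: storage already given back */
    char data[32];
};

static int double_frees;   /* counts releases of an already-released skb */

static struct skb *skb_alloc(const char *payload)
{
    struct skb *s = calloc(1, sizeof *s);
    s->users = 1;
    strncpy(s->data, payload, sizeof s->data - 1);
    return s;
}

/* Models kfree_skb()/consume_skb(): drop one reference and release the
 * storage only when the last reference goes away. */
static void skb_put_ref(struct skb *s)
{
    if (s->released) { double_frees++; return; }
    if (--s->users == 0)
        s->released = 1;
}

/* Models __kfree_skb(): release unconditionally, ignoring the reference
 * count. This is the call the pre-fix request path used. */
static void skb_free_unconditional(struct skb *s)
{
    if (s->released) { double_frees++; return; }
    s->released = 1;
}

/* One DCCP_PKT_REQUEST through the receive path. With IPV6_RECVPKTINFO
 * set, the request handler keeps the skb as the packet-options holder and
 * drops that reference later. Returns the number of double frees observed. */
int simulate_request(int ipv6_recvpktinfo, int fixed)
{
    struct skb *s = skb_alloc("DCCP_PKT_REQUEST");
    struct skb *pktopts = NULL;
    double_frees = 0;

    if (ipv6_recvpktinfo) {        /* second holder takes a reference */
        s->users++;
        pktopts = s;
    }

    /* the state machine is done with the packet */
    if (fixed)
        skb_put_ref(s);            /* fixed: only drops our reference */
    else
        skb_free_unconditional(s); /* buggy: frees under the other holder */

    if (pktopts)                   /* packet-options holder lets go */
        skb_put_ref(pktopts);

    int seen = double_frees;
    free(s);                       /* model cleanup; memory never reused */
    return seen;
}
```

In the real kernel the slab object is handed back to the allocator at the first free, so between the two frees an attacker races to have it reallocated as an object they control; that is the heap-spraying step the disclosure refers to, and it is what the model deliberately leaves out.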

DCCP is a message-oriented transport layer protocol that minimizes the overhead of packet header size or end-node processing as much as possible and provides the establishment, maintenance and teardown of an unreliable packet flow, and the congestion control of that packet flow.

This vulnerability does not provide any way for an outsider to break into your system in the first place: it is not a remote code execution (RCE) flaw and requires the attacker to already have local account access on the system.

Almost two months ago, a similar privilege-escalation vulnerability (CVE-2016-8655) was uncovered in Linux kernel that dated back to 2011 and allowed an unprivileged local user to gain root privileges by exploiting a race condition in the af_packet implementation in the Linux kernel.

The vulnerability has already been patched in the mainline kernel, so advanced Linux users can apply the patch and rebuild their kernel themselves.

Otherwise, wait for the next kernel update from your distribution and apply it as soon as possible. Until then, on systems that do not need DCCP, preventing the dccp module from loading (for example with a modprobe rule such as “install dccp /bin/true”) removes the vulnerable code path entirely.

Source: http://thehackernews.com/2017/02/linux-kernel-local-root.html

OpenSSL Update Fixes High-Severity DoS Vulnerability


The OpenSSL Software Foundation released an update to the OpenSSL crypto library that patches a vulnerability rated high severity that could allow a remote attacker to cause a denial-of-service condition.

OpenSSL released version 1.1.0e, which fixes the flaw in the OpenSSL 1.1.0 series, according to the OpenSSL Security Advisory issued last week. The United States Computer Emergency Readiness Team (US-CERT) also alerted system administrators to the issue last week.

According to OpenSSL, the vulnerability occurs during a renegotiation handshake procedure. “If the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected,” according to the advisory.

OpenSSL is ubiquitous, used in tens of thousands of commercial and homegrown software projects. The open source project provides a robust, commercial-grade, full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, which keep communications between endpoints confidential and tamper-evident and let a client verify the identity of the server it is talking to.

According to OpenSSL, the issue does not affect OpenSSL 1.0.2. Older branches such as 1.0.0 and 0.9.8 are out of support and no longer receive security updates at all, so anyone still running them should upgrade regardless. The bug, CVE-2017-3733, was reported by Red Hat’s Joe Orton on Jan. 31, and the fix was developed by the OpenSSL team’s Matt Caswell.
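As an added helper, not part of the advisory or the OpenSSL project, the function below classifies the output of “openssl version” against CVE-2017-3733 using the range the advisory gives: the 1.1.0 series through 1.1.0d is affected, 1.1.0e is fixed, and 1.0.2 and other branches are not affected. The sample version strings are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if the given `openssl version` output is affected by
 * CVE-2017-3733, 0 if not, and -1 if the string cannot be parsed.
 * Affected range (per the advisory): 1.1.0 .. 1.1.0d. */
int cve_2017_3733_affected(const char *version_output)
{
    const char *s = version_output;
    int major, minor, fix;
    char letter = 0;

    if (strncmp(s, "OpenSSL ", 8) == 0)      /* tolerate the usual prefix */
        s += 8;
    if (sscanf(s, "%d.%d.%d%c", &major, &minor, &fix, &letter) < 3)
        return -1;
    if (!islower((unsigned char)letter))
        letter = 0;                           /* plain "1.1.0": no patch letter */

    if (major != 1 || minor != 1 || fix != 0)
        return 0;                             /* 1.0.2 and others: not affected */
    return (letter == 0 || letter < 'e') ? 1 : 0;
}

int main(void)
{
    /* constructed samples in the format `openssl version` prints */
    const char *samples[] = {
        "OpenSSL 1.1.0c  10 Nov 2016",
        "OpenSSL 1.1.0e  16 Feb 2017",
        "OpenSSL 1.0.2k  26 Jan 2017",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-30s -> %d\n", samples[i], cve_2017_3733_affected(samples[i]));
    return 0;
}
```

Note that this only tells you which library a binary reports; software that statically links OpenSSL, or vendors that backport fixes without changing the version letter, need to be checked against their own advisories.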

OpenSSL deployments continue to be plagued by the Heartbleed vulnerability. The flaw persists today and can be found on almost 200,000 servers and devices, according to a recent report by the operators of Shodan search engine.

Earlier this month Ubuntu users were urged to update their operating system to address a handful of patched OpenSSL vulnerabilities (CVE-2016-7056 and CVE-2016-7055) which affect Ubuntu and its derivatives.

The OpenSSL toolkit is licensed under an Apache-style license and has the financial backing of firms such as The Linux Foundation, Microsoft, Facebook, Amazon, Dell and Google.


President Donald Trump’s Website Hacked; Defaced By Iraqi Hacker


During the 2016 presidential election campaign, we reported on how insecure the mail servers operated by the Trump Organization were: anyone with a little computer knowledge could expose almost everything about Trump and his campaign.

Now an unknown hacker calling themselves “Pro_Mast3r” has defaced an official website associated with President Donald Trump’s presidential campaign fundraising, on Sunday.

The hacker, claiming to be from Iraq, reportedly defaced the server secure2.donaldjtrump.com, which sits behind CloudFlare’s content delivery and security platform.

The server appears to be an official Trump campaign server, Ars reported, as the server’s certificate is legitimate, “but a reference to an image on another site is insecure, prompting a warning on Chrome and Firefox that the connection is not secure.”

The defaced website displayed an image of a man in a black hat and included a text message that reads:

Hacked by Pro_Mast3r ~
Attacker Gov
Nothing Is Impossible
Peace From Iraq

At the time of writing, the server is offline, and there is no official statement from the Trump-Pence campaign team yet.

According to a blog post published by Italian IT journalist Paolo Attivissimo, the source code of the defaced server does not contain any malicious script.

Instead, the page includes a link to JavaScript on a now-nonexistent Google Code account, ‘masterendi’, which was linked to attacks on three other sites in the past.
