Another one: CIFSwitch: a non-universal Linux local root vulnerability

f33dm3bits

Way over my head, but thanks for sharing, Maarten. o_O
 
Aww, they should have named it CopyFail3. Then I could have said they took it higher!

Sinister Pun Mode Activated

Btw, thanks for the info!
 
I guess we will see more of this in the near future; AI is damn good at finding this stuff. I am not sure if this is a good or a bad thing. I am happy that these vulns will be closed now. But I am also afraid that there are more and more of these exploits being used by bad actors in silence.
 
I am also afraid that there are more and more of these exploits being used by bad actors in silence.
It should also follow logically that AI will root those out as well.

But, AI is just as available to bad actors as well.

Where exactly that leaves us, I am unsure. (possibly in quite a pickle, as my Mum used to say)

The question is whether AI can be used equally for 'bad' as it can for 'good'?
 
From the Debian Discord:
No week without a local root exploit - this time: CIFS.

tl;dr: if you have cifs-utils installed, remove /etc/request-key.d/cifs.spnego.conf or, if you need Kerberos, replace its contents with "create cifs.spnego * * /usr/bin/keyctl negate %k 30 %S".

For all the details: https://heyitsas.im/posts/cifswitch/
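A small audit helper for the tl;dr quoted above, added here and not taken from the linked write-up or from cifs-utils: it reads a request-key.d file and reports whether the cifs.spnego rule still hands the upcall to an external helper or has been replaced by the keyctl negate stub. The stock cifs.upcall path used in the sample config is an assumption, and the sample files are constructed in a temp directory rather than read from the live system.

```shell
#!/bin/sh
# request-key.d line format: OP TYPE DESCRIPTION CALLOUT_INFO PROGRAM ARGS...
# Prints one of: absent (file missing), no_rule (no "create cifs.spnego" line),
# neutralised (every such rule is the "keyctl negate" stub), active (an
# external helper program is still executed when the kernel requests the key).
cifs_spnego_state() {
  conf="$1"
  if [ ! -f "$conf" ]; then
    echo absent
    return 0
  fi
  awk '
    { sub(/#.*/, "") }                      # strip comments, re-split fields
    $1 == "create" && $2 == "cifs.spnego" {
      n++
      # $5 is the program; "keyctl negate" answers the request with a negative
      # key instead of running a helper, which is the replacement line quoted above
      if (!($5 ~ /(^|\/)keyctl$/ && $6 == "negate")) active = 1
    }
    END {
      if (n == 0)      print "no_rule"
      else if (active) print "active"
      else             print "neutralised"
    }' "$conf"
}

# Demo on constructed sample configs written to a temp dir.
demo() {
  d=$(mktemp -d)
  # constructed: shape of a stock cifs-utils rule, helper path assumed
  printf '# stock rule\ncreate\tcifs.spnego\t*\t*\t/usr/sbin/cifs.upcall %%k\n' > "$d/stock.conf"
  # the replacement line from the Debian Discord post
  printf 'create cifs.spnego * * /usr/bin/keyctl negate %%k 30 %%S\n' > "$d/fixed.conf"
  for f in stock fixed missing; do
    printf '%s: %s\n' "$f" "$(cifs_spnego_state "$d/$f.conf")"
  done
  rm -rf "$d"
}

demo
```

Point it at the real file with `cifs_spnego_state /etc/request-key.d/cifs.spnego.conf`; anything other than absent or neutralised means the upcall helper is still wired in.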
 
I wonder how long some of these exploits have been around and we're just now learning about them.

AI is now all the rage, and so are all of these new exploits for Linux.

Hmm!
 
I wonder how long some of these exploits have been around and we're just now learning about them.

This one dates back to 2007, as mentioned above. Sometimes, they've been around for a long time. We never really know if the exploit was known (but unshared) by malicious actors. We can hope so, but we never really know.
 
So, short of finding these bad guys and shooting them through the head for rehabilitation, what's the solution, or is there one?

I keep seeing here and there that Kernel 7.0.x is the answer, although... (scratches head)

I know I probably sound a bit radical, although I take a dim view of bad guys wanting to wreck my stuff.
 
I know I probably sound a bit radical, although I take a dim view of bad guys wanting to wreck my stuff.

I agree, though not with the capital punishment part of it. I'm okay with a solid prison sentence, especially if that prison is designed to provide rehabilitation and to reduce recidivism.

As a part of their punishment, they should probably be given some probation time. During that time, they probably shouldn't be allowed access to an unsupervised computer that can connect to the public internet, even being restricted to a dumb phone. All of which would be subject to a warrantless search by law enforcement/probation officers.

But I think the goals should be rehabilitation and reduction of recidivism. Right now, we're just warehousing inmates. Sure, some of them have some opportunities, but taking advantage of those opportunities isn't easy in their environment.

It's as though we're putting people in prison to be punished, instead of putting people in prison as punishment.

I worked at the brig for about the last half of my 2nd enlistment. There's a huge difference in how that worked and how other state/federal prisons are run, but I don't want to dive too deep into that and derail the thread. It also starts to lean towards the whole 'political' discussion thing, and we can't have that.

So, yeah, I like the idea of sending them to prison. I can't go so far as to support capital punishment for a computer crime.
 
As a part of their punishment, they should probably be given some probation time. During that time, they probably shouldn't be allowed access to an unsupervised computer that can connect to the public internet, even being restricted to a dumb phone. All of which would be subject to a warrantless search by law enforcement/probation officers.
Not so fast, even bad guys have the right to public info; you can't take that from anyone even if in prison.
 
Not so fast, even bad guys have the right to public info; you can't take that from anyone even if in prison.

We can, and do, take that away from people. Generally speaking, you don't get to access the internet while you're in jail or prison. You might get access to an expensive email service. In some areas, you can use a locked-down laptop to work (like, at a real job, it's available to some inmates in Maine).

But, no... No, you don't get the internet while in prison. People convicted of computer crimes don't get unfettered access until they're completely done with their sentence, which includes probation and parole. That's normal, at least here in the US.

Heck, some inmates don't even get access to the news.

I went to donate a bunch of books at a corrections center about a dozen years ago. (I know the dude who works in the library.)

I had to go back through my boxes of books to remove a few of them. Why? They had maps in them. The inmates weren't allowed access to maps. Well, not modern/detailed maps. Even if those maps aren't local, they're not allowed.

Some inmates don't get a TV, or even a newspaper. They don't even get access to books.

So, yes, we can limit their information and their access to tech. One of the whole points of probation/parole is to acclimate former inmates to a new life without any criminal activity. As such, they have limited permissions. If they don't want to live with those limits, they can return to prison to finish out their sentence.

(Note: I said 'whole points'. That's the goal, in theory. In reality, it's just making people go back to prison on the installment plan.)
 
I agree, though not with the capital punishment part of it.
Perhaps I'm a bit radical.

I'm okay with a solid prison sentence,
Time in prison gives criminals too much opportunity to use legal libraries and find loopholes.

Prisoners should be doing hard manual labor moving a rock pile to another rock pile and back to the original so to speak.

Criminals get off too easy these days; they need good old-fashioned floggings with chains, something that they will never forget.

I'm all for capital punishment and corporal punishment; it worked.

People who go to prison lose the rights they had before breaking the law.

Guess I'm too old school for today's ways of thinking.
 