<div dir="ltr">Hi, does anyone know if this SolarWinds attack compromises the run-of-the-mill Linux user?</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Feb 1, 2021 at 8:21 PM Michael Paoli <<a href="mailto:Michael.Paoli@cal.berkeley.edu">Michael.Paoli@cal.berkeley.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">> From: "Bobbie Sellers" <<a href="mailto:bliss-sf4ever@dslextreme.com" target="_blank">bliss-sf4ever@dslextreme.com</a>><br>
> Subject: [sf-lug] sudo problem for users<br>
> Date: Mon, 1 Feb 2021 12:13:13 -0800<br>
<br>
> I checked and no one has noted anything about this problem.<br>
<br>
Well, I saw it, acted in timely manner - including notifying relevant<br>
co-workers, and appropriate timely action was generally taken.<br>
<br>
I thought about posting it to one of the LUG lists or something like that,<br>
but I figured for the most part, those that were particularly interested<br>
in it and cared about about it, already knew. Most any reasonable distro<br>
with reasonable security alert mechanisms, it was there well to see in<br>
quick order - that's where I first spotted it - or at least I'd presume<br>
that was generally the case.<br>
Let's see ... hit my "inbox" at ...<br>
Received: ... Tue, 26 Jan 2021 10:06:34 -0800 (PST)<br>
Anyway, can't find it now, but there was mention in at least one<br>
bit I read on a specific coordinated embargo/release time (wan't thinking<br>
to particularly note/remember it at the time - but I thought it said something<br>
about 6pm ... but I don't recall mention of timezone ... looking at<br>
that bit from my Received header, I'm guestimating it may have been<br>
6PM / 18:00 UTC / GMT0 on 2021-01-26) - so once that<br>
time hit, essentially everyone that had security fixes or (to be) public<br>
releases/advisories - that all basically hit right at or very shortly<br>
after that time - so I think most picked up on it quite right away,<br>
and of course the security news articles and the like followed fairly<br>
shortly thereafter.<br>
<br>
So, ... believe I did mention in another context about that,<br>
essentially saying my email "inbox"/incoming, I see<br>
something in there that says DSA and SECURITY - I at least skim the<br>
Subject: - I see "sudo" in that also I think, knowing the critical role<br>
sudo plays on lots of hosts, I figure uh oh, this might be a biggie, I<br>
read the email. Yup, pretty dang important, easy local exploit. Time to<br>
update now - or at least as soon as feasible (sure, test non-production<br>
first - but be quick about it - and always have ways to rollback anyway).<br>
This isn't a "wait for your monthly / quarterly / major point release /<br>
yearly patch updating", no, this is more like a "patch it now" - or pretty<br>
dang soon - or at least if/where feasible if it can't be done that soon,<br>
and appropriate, apply appropriate mitigating controls if/as/where<br>
feasible. So, yep, ... basically done. Heck, even some hosts I have set<br>
to automatically apply such updates on about a 24 hr. check/install<br>
cycle ... I didn't even wait for that ... nope, this one goes in<br>
now - more risk (at least in my guestimation) on this one of not<br>
putting it in sooner, vs. any potential regression bug of "fixed"<br>
version.<br>
<br>
And, in quick bits 'o research, etc., there seemed to be plenty of<br>
tech / tech security "news" and such on the matter - I figured any folks<br>
with a more casual interest that wanted and paid attention, would likely<br>
have seen it there, or would likely see it sooner or later anyway.<br>
<br>
Perhaps if it had been more of a "network exploitable, this is gonna spread<br>
and impact most everyone", I might've bothered with a prompt mention ...<br>
but in such a case, likely others would've beat me too it anyway - and<br>
others following upon that would probably also be commenting and correcting<br>
misinformation/hype of those that posted first (or about the materials to<br>
of which they quoted or to which they referenced/linked).<br>
<br>
So, mostly not all that much to see here. Somebody did a significant<br>
security booboo. Sometimes it's not caught/spotted for a long time.<br>
Sometimes it's widely deployed. And when it becomes known, well, in<br>
many cases it may be time for a prompt updating - at least where<br>
applicable.<br>
<br>
And don't forget - how's your mitigation strategies? How do you recover<br>
after you've been compromised? How do you detect that you've been<br>
compromised? E.g. Solarwinds supply chain issue, etc., that was a<br>
particular nasty one. And, much of what made it particularly nasty is<br>
how far reaching it's been. It got into a whole lot of places, including<br>
important/critical ones, exploited and leveraged on a large scale - and for<br>
many months, it went undetected - including all the various exploiting,<br>
information gathering, network scanning, etc. I think that's the much<br>
bigger issue on that one.<br>
<br>
Yet another security bug in yet another piece of software - it happens.<br>
Expect it will probably continue to happen. And yes, running less<br>
bloated software - as feasible - and other things that improve software<br>
quality are a good preventive. Likewise limiting network exposure,<br>
unneeded "features", etc. But even that doesn't guarantee<br>
immunity. Mistakes will be made, there will be bugs, there will be<br>
security bugs. Mostly a question of how many, how often, and how bad.<br>
And that's mostly a matter of the nature and quality of the software,<br>
and also the checks and countermeasures and backups (and/or lack<br>
thereof). E.g. every time I look at the bloat of bash, I shudder ...<br>
that's why most of my scripts don't use bash, but use dash - about 1/10th<br>
the possible code to potentially have exploitable bugs in it. Likewise<br>
vim. Major bloat. I mostly use nvi (which is the vi on BSD systems).<br>
Again, about 1/10th the size. How many security issues come up with<br>
nvi? About zero (or pretty close). And, comparatively with vim?<br>
Yeah, I see those once in a while ... probably at or more than 10x the<br>
rate of anything like that with nvi. And so it goes.<br>
<br>
<br>
_______________________________________________<br>
sf-lug mailing list<br>
<a href="mailto:sf-lug@linuxmafia.com" target="_blank">sf-lug@linuxmafia.com</a><br>
<a href="http://linuxmafia.com/mailman/listinfo/sf-lugSF-LUG" rel="noreferrer" target="_blank">http://linuxmafia.com/mailman/listinfo/sf-lug<br>
SF-LUG</a> is at <a href="http://www.sf-lug.org/" rel="noreferrer" target="_blank">http://www.sf-lug.org/</a> </blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">Christian Einfeldt</div>