Posts for: #security

Pi-Hole Mitigates Two Newly Discovered DNSSEC Vulnerabilities

Pi-Hole has announced that they are addressing two new DNSSEC vulnerabilities in their upcoming versions. The vulnerabilities are found in dnsmasq, the DNS resolver that Pi-hole FTL is forked from. These vulnerabilities can be exploited through specially crafted DNSSEC answers, leading to degraded performance and denial of service attacks. It is important to note that the vulnerabilities are not limited to Pi-hole and can affect other DNSSEC validating DNS resolvers as well.

The author of dnsmasq, Simon Kelley, explains that the vulnerabilities are due to a failure in the DNSSEC specification. The solution for dnsmasq is to impose hard limits on the amount of “work” a DNSSEC validation can take. These limits have been set with significant headroom and can be overridden if necessary. The vulnerabilities have been assigned the CVE numbers CVE-2023-50387 and CVE-2023-50868 and are rated as “high” severity.

Pi-Hole has already released fixes for these vulnerabilities in their beta version of Pi-hole v6.0 and is preparing to release them in the stable version as well. Disabling DNSSEC validation entirely can remove the vulnerability, but Pi-Hole strongly advises upgrading to the fixed version instead. Upgrading to the fixed version will ensure that DNSSEC validation does not impede other server workloads.

For users still on the stable versions of Pi-hole (v5.x), it is recommended to either manually check out the development branch or disable DNSSEC validation in Pi-hole for the time being and rely on the upstream server for DNSSEC validation. In the latter case, make sure the upstream server runs a sufficiently recent version that contains the fix, such as unbound 1.19.1.

Update: Pi-Hole has now released the update. Run pihole -up to apply.
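Before disabling Pi-hole's own validation, the upstream resolver's version should be confirmed. The following is an added example (not Pi-hole's or dnsmasq's code) that parses the first line of `unbound -V` output and checks it against the 1.19.1 minimum named above; the sample output is constructed.

```shell
#!/bin/sh
# Added example: check that an upstream unbound is at least 1.19.1 (the
# fixed version named above) before switching Pi-hole v5.x DNSSEC off and
# relying on the upstream for validation. The "unbound -V" output below is
# a constructed sample; on a real upstream run: unbound -V | head -n 1
MIN_UNBOUND="1.19.1"

# version_ge A B -> exit 0 when dotted version A is >= B, comparing the
# first three numeric fields (a pre-release suffix such as rc1 is ignored).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        fa=$(printf '%s' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//'); fa=${fa:-0}
        fb=$(printf '%s' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//'); fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# unbound_version TEXT -> prints the version found in "unbound -V" output
unbound_version() {
    printf '%s\n' "$1" | sed -n 's/^Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# upstream_ok TEXT -> exit 0 when this upstream may be trusted to validate
upstream_ok() {
    v=$(unbound_version "$1")
    [ -n "$v" ] && version_ge "$v" "$MIN_UNBOUND"
}

# Constructed samples in the layout "unbound -V" prints (version on line 1).
SAMPLE_OLD="Version 1.17.1
Configure line: --enable-dnscrypt
Linked modules: dns64 respip validator iterator"
SAMPLE_NEW="Version 1.19.1
Configure line: --enable-dnscrypt"

if upstream_ok "$SAMPLE_NEW"; then echo "upstream fixed: may rely on it for DNSSEC"; fi
if ! upstream_ok "$SAMPLE_OLD"; then echo "upstream too old: keep validating locally and upgrade it"; fi
```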

GLAuth: Lightweight LDAP Server for Development, Home Use, or CI Releases v2.3.1

GLAuth (Go-lang LDAP Authentication) has released version 2.3.1. GLAuth is a secure and easy-to-use LDAP server with configurable backends. This release includes several new features, bug fixes, and miscellaneous chores.

Features

  • Tracing can now be configured via the main config file.
  • Context for OpenTelemetry Protocol (OTLP) spans has been introduced into the handler package.
  • Context for OTLP spans has been introduced into the plugins package.
  • OTLSql has been introduced.
  • OTLP tracer has been introduced.
  • Basic tracer has been wired up.

Bug Fixes

  • Vendored TOML has been dropped.
  • Formatting has been improved.
  • The go test command now properly checks OTP within the allowed base DN.
  • All TOML parsing has been moved into a new internal package, and the mappings have been dropped in favor of toml.Primitive decoding.
  • Configuration setup has been removed from the main function, and log configuration has been reshored.
  • Tracing code has been updated to work with breaking changes in OTLP 1.20.
  • The server now uses BurntSushi/toml.

For more information, visit the glauth v2.3.1 release page.

XCP-ng Releases Security Update for January 2024

XCP-ng has released their January 2024 security update for their virtualization platform. The update is specifically for the 8.2 LTS release, which is currently the only supported release of XCP-ng.

The update addresses a security issue in the Linux kernel of XCP-ng’s control domain. This issue allowed a guest with limited privileges to send specially formed network packets that could crash the network backend in the control domain. Although the crash only occurred in specific situations, several users reported it, and it turned out that others in the community were seeing similar problems. This led to collaboration within the community to investigate and resolve the issue.

The vulnerability that was fixed is known as XSA-448 and is identified as CVE-2023-46838. This vulnerability allowed an unprivileged guest to launch a Denial of Service (DoS) attack on the host system by sending certain network packets to the backend, causing it to crash. This vulnerability was particularly observed when using pfSense with WireGuard, resulting in random crashes of the host system.

Tillitis Tkey: An Open-Source USB-C RISC-V Security Key

The Tillitis TKey is a unique USB-C security key based on a 32-bit RISC-V core, specifically the PicoRV32, housed in a Lattice iCE40 UP5K FPGA. Described as a “new type of flexible USB security token,” it draws inspiration from DICE (Device Identifier Composition Engine) and measured boot technologies. Unlike traditional security keys with persistent onboard storage, the TKey relies on loading apps onto the key each time it connects to a host device. This method, employing measured boot, generates a distinct identifier for each application, enhancing security by avoiding the storage of private keys on the device. Both the hardware and software for the TKey are entirely open-source, ensuring trustability. Developed by Tillitis, a Swedish security firm, the TKey has two versions: locked and unlocked. The locked version, targeting general users, is not reprogrammable, while the unlocked version allows full configuration using the Tillitis TK Programmer, based on a Raspberry Pi Pico, for added flexibility. Tillitis specializes in hardware trust products and emerged as a separate entity from the Mullvad VPN company in 2022.
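The per-application identifier described above can be illustrated with a generic DICE-style derivation. The following is an added sketch, not Tillitis code and not TKey's actual firmware algorithm: it uses SHA-256 over a constructed per-device secret and the hash of a constructed app image to show why each app, and each key, ends up with a distinct identity without any stored private key.

```shell
#!/bin/sh
# Added illustration (not Tillitis code) of the measured-boot idea above:
# a per-application identity is derived from a per-device secret and the
# hash of the app image, so no private key is ever stored on the key.
# This is a generic DICE-style sketch using SHA-256; TKey's real firmware
# uses its own derivation. The secret and app images are constructed values.

sha256_hex() { printf '%s' "$1" | sha256sum | cut -d' ' -f1; }

# measure_app APP_BYTES -> measurement (hash) of the loaded app image
measure_app() { sha256_hex "$1"; }

# derive_cdi SECRET_HEX MEASUREMENT_HEX -> compound device identifier.
# Only this derived value is handed to the app; the secret stays in firmware.
derive_cdi() { sha256_hex "$1$2"; }

# app_identity SECRET_HEX APP_BYTES -> identity the app sees on this device
app_identity() { derive_cdi "$1" "$(measure_app "$2")"; }

DEVICE_SECRET="$(sha256_hex "constructed per-device secret")"
OTHER_DEVICE="$(sha256_hex "constructed secret of a different key")"
APP_A="constructed app A image"
APP_B="constructed app B image"

echo "app A on this device:  $(app_identity "$DEVICE_SECRET" "$APP_A")"
echo "app B on this device:  $(app_identity "$DEVICE_SECRET" "$APP_B")"
echo "app A on other device: $(app_identity "$OTHER_DEVICE" "$APP_A")"
# The same app on the same key always derives the same identity, so it can
# hold a stable key pair; a modified app or a different key derives another.
```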

Specifications:

  • Processor:
    • 32-bit RISC-V PicoRV32 core @ 18 MHz
    • FPGA: Lattice iCE40 UP5K
    • 128 KiB RAM for TKey device application
    • 2 KiB RAM for firmware
    • 6 KiB ROM
    • Execution monitor
    • RAM protection
  • Connector: USB-C
  • Hardware Privilege Modes: Firmware mode and application mode
  • Misc: Touch sensor, power indicator, status indicator
  • Input voltage: 5V
  • Max current consumption: 100 mA
  • Operating temperature: 0°C – 40°C

The Tillitis TKey RISC-V security key can be purchased from the Tillitis shop. The end-user version and the advanced user version are priced at 880 Swedish kronor (about $90), while the programmer is priced at 500 Swedish kronor (around $50).

Source: CNX Software – Embedded Systems News.

Fedora 40 Enhances Security with Systemd Hardening Measures

Fedora 40 is set to enhance system security by utilizing high-level security features offered by systemd, as reported by Phoronix. The upcoming release of Fedora plans to enable several optional settings provided by systemd to strengthen the security of services running on the system. These settings include PrivateTmp, ProtectSystem, ProtectHome, ProtectClock, ProtectHostname, ProtectKernelModules, PrivateDevices, PrivateNetwork, NoNewPrivileges, ProtectKernelTunables, and other options that provide additional restrictions and isolation for systemd services.

The change proposal for this systemd security hardening has been approved by the Fedora Engineering and Steering Committee (FESCo) and is expected to land in Fedora 40, due in the spring. Enabling these measures by default will noticeably raise the baseline security of Fedora services by limiting what an as-yet-unknown vulnerability in a default system service can be used to do.
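To see what applying these directives looks like for a single service, the following is an added example (not Fedora's or Phoronix's code) that audits a constructed unit file for the hardening directives listed above and prints a drop-in enabling the ones it lacks; PrivateNetwork is deliberately left out because it removes all network access and has to be decided per service.

```shell
#!/bin/sh
# Added example (not Fedora's or Phoronix's code): audit a unit file for the
# systemd hardening directives named above and print a drop-in that enables
# the missing ones. PrivateNetwork is left out on purpose: it removes all
# network access and must be decided per service. The unit file is constructed.
HARDENING="PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ProtectClock=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
PrivateDevices=yes
NoNewPrivileges=yes"

# missing_directives UNIT_FILE -> prints each directive the file does not set
missing_directives() {
    printf '%s\n' "$HARDENING" | while IFS== read -r key _; do
        grep -q "^[[:space:]]*$key[[:space:]]*=" "$1" || echo "$key"
    done
}

# hardening_dropin UNIT_FILE -> prints a [Service] drop-in for the missing ones
# (install it with "systemctl edit <unit>" and re-test the service afterwards)
hardening_dropin() {
    missing="$(missing_directives "$1")"
    [ -n "$missing" ] || return 0
    echo "[Service]"
    printf '%s\n' "$HARDENING" | while IFS== read -r key val; do
        printf '%s\n' "$missing" | grep -qx "$key" && echo "$key=$val"
    done
}

UNIT="$(mktemp)"
cat > "$UNIT" <<'EOF'
[Unit]
Description=constructed example service
[Service]
ExecStart=/usr/bin/example-daemon
PrivateTmp=yes
NoNewPrivileges=yes
[Install]
WantedBy=multi-user.target
EOF
echo "missing from $UNIT:"; missing_directives "$UNIT"
hardening_dropin "$UNIT"
rm -f "$UNIT"
```

Some services legitimately need what a directive removes (ProtectHome for a service that reads user data, for example), so a generated drop-in is a starting point to test, not a blind change.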

For more information on the systemd security hardening changes planned for Fedora 40, you can refer to the change proposal and the approval by FESCo.

Source: Phoronix.

XCP-ng December 2023 Security Update Now Available

XCP-ng, the popular virtualization platform, has released its latest security update for the month of December. The update is specifically for the 8.2 LTS release, which is currently the only supported version of XCP-ng.

The update includes fixes for vulnerabilities in Xen and in linux-firmware in the control domain. These vulnerabilities have been addressed to ensure the security of the virtual machines running on the platform.

One of the fixed vulnerabilities, labeled XSA-445, addresses a mismatch in IOMMU quarantine page table levels on x86 AMD systems. This vulnerability could potentially allow a device in quarantine mode to access leaked data from previously quarantined pages. Although this feature is not enabled by default in XCP-ng, it can still be enabled at Xen boot time.

The second fixed vulnerability, XSA-446, deals with memory content inference in PV guests. XCP-ng strongly advises against using PV guests and recommends switching to HVM for better security. If you are still using PV guests, it is highly recommended to consider making the switch.

In addition to the security updates, XCP-ng has also released non-security updates to pave the way for upcoming refreshed installation ISOs. These updates include improvements to the linux-firmware, gpumon, tzdata, and vendor-drivers components.

The linux-firmware update includes an update to the AMD microcode, specifically for family 19h (Zen 3, Zen 3+). This update helps mitigate hardware vulnerabilities and bugs. However, it is important to note that updating the hardware’s firmware remains the preferred method for updating microcode, and any newer microcode found in the firmware will take precedence over the microcode provided in XCP-ng.

Other changes include a small change to suppress unnecessary logging in gpumon, updated timezones with the latest CentOS 7 update of the tzdata package, and the integration of new drivers into XCP-ng in preparation for the upcoming refreshed installation ISOs. These new drivers include the igc module for Intel device drivers for I225/I226, the r8125 module for Realtek r8125 device drivers, and the mpi3mr module for Broadcom mpi3mr RAID device drivers.

Overall, the December 2023 security update for XCP-ng brings important security fixes and improvements to the virtualization platform, ensuring the safety and performance of virtual machines. Users are encouraged to update their systems to benefit from these enhancements and to maintain a secure environment for their workloads.