You Think That’s Air You’re Breathing?

What seemed lost in this (runc) hype is that the ability to escape containers is not confined to a one-off vulnerability in container management programs or orchestrators.

Kernel Configuration Glossary

In our post “Millions of Binaries Later: a Look Into Linux Hardening in the Wild”, we examined the security properties of different distributions. In the following, we provide a glossary …

Millions of Binaries Later: a Look Into Linux Hardening in the Wild

TL;DR In this post, we explore the adoption of Linux hardening schemes across five popular distributions by examining their out-of-the-box properties. For each distribution, we analyzed its default kernel configuration, …

UAFs in Linux Kernel Modules: CVE-2019-8912 & CVE-2019-8956

A researcher using syzkaller found a locally-exploitable bug in Linux’s crypto API, CVE-2019-8912, which allows for a use-after-free in sockfs_setattr. It’s received sudden buzz, probably because a bug in the …

Nested Guests: CVE-2019-7221

Earlier this month, twin KVM bugs found by Google’s Project Zero team were released publicly: CVE-2019-7221, a use-after-free vulnerability, and CVE-2019-7222, a memory leak that can assist exploitation of the …

Dirty Sock: CVE-2019-7304

Today, Chris Moberly blogged about his local privilege escalation bug in Ubuntu Linux, CVE-2019-7304, a.k.a. the “Dirty Sock” exploit (ew). This affects snapd, which is installed on Ubuntu 16.04.4 LTS …

A Brief Review of CVE-2019-5736: runc Container Breakout

A group of researchers yesterday announced CVE-2019-5736, a runc container breakout affecting container tools including Docker, Kubernetes, and containerd. Why it matters: Because many people run containers as “root,” the …

Exploiting systemd-journald Part 2

Introduction This is the second part in a multipart series on exploiting two vulnerabilities in systemd-journald, which were published by Qualys on January 9th. In the first post, we covered …

Capsule8’s Stance on Publication and Vulnerability Disclosure

Last week, Capsule8 Labs released an exploit for the problems in systemd that Qualys identified on January 9th, as part of series analyzing the vulnerabilities CVE-2018-16865 and CVE-2018-16866. We were …

Exploiting systemd-journald Part 1

Introduction This is part one in a multipart series (read Part 2 here) on exploiting two vulnerabilities in systemd-journald, which were published by Qualys on January 9th. Specifically, the vulnerabilities …