Off to the PTraces

Yesterday, a privilege escalation bug in the ptrace syscall was made public by Jann Horn at Project Zero, deemed CVE-2019-13272. The culprit was broken permission and object lifetime handling by …

How Security Teams Can Learn to Stop Worrying and Love the OODA Loop

A well-loved military operational strategy is the OODA loop, a learning cycle that helps the operator gain an advantage against their opponent by responding with greater agility to unfolding events. …

Escaping like a Rocket via rkt enter

Last week, a researcher disclosed three vulnerabilities in rkt, CVE-2019-10144, CVE-2019-10145, and CVE-2019-10147, that let an attacker escape the container. Rkt is an open source container runtime created by CoreOS …

Race Conditions – Cloudy with a Chance of R/W Access

Docker Race Condition: CVE-2018-15664 Today, Aleksa Sarai published a Docker vulnerability, CVE-2018-15664, on the oss-sec mailing list. It turns out that a function inside Docker facilitates a TOCTOU bug (more …

A Buffer Buffet for Data Sampling

CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 Yesterday, three data sampling side channel vulnerabilities were disclosed in Intel CPUs by a whole bunch of smart researchers. Intel is calling them “microarchitectural data sampling” …

Linux Security Fun With Webhooks

At Capsule8, we want to let you work the way you prefer working rather than forcing new workflows on you. To realize this philosophy, we designed Capsule8 to be super …

Apache CARPE DIEM: CVE-2019-0211

Recently, Charles Fol blogged about his privilege escalation bug in Apache, CVE-2019-0211, aka “CARPE DIEM” (seize the 0day, comrades!). This affects Apache HTTP Server versions 2.4.17 through version 2.4.38 (from …

Linux Server Monitoring: a Brief Guide

Different Approaches to Linux Host and Process Monitoring In case you hadn’t heard, Linux is a big deal. Linux servers are used in the vast majority of production systems, the …

UAFs in Linux Kernel Modules: CVE-2019-8912 & CVE-2019-8956

A researcher using syzkaller found a locally-exploitable bug in Linux’s crypto API, CVE-2019-8912, which allows for a use-after-free in sockfs_setattr. It’s received sudden buzz, probably because a bug in the …