Daily Perk 3/29/2021

PHP Git Repository hacked with backdoors per Bleeping Computer

2021 is the year of software supply chain attacks. The latest involves code tampering in the official PHP Git repository. This is alarming because 79% of websites online use PHP as their server-side programming language. Two malicious changes upstream were pushed as “commits” by known PHP developers and maintainers, and made in the name of PHP’s creator.

As supply chain attacks seek to do, this abuses trust, which appears inherent in the commit process that allows for forged sign-offs to come from anyone else locally. To ensure better security going forward, PHP changes will now go through GitHub and not the PHP git server and contributors will need to be added to an authorized group. Sounds good 👍

Critical Netmask bug impacts hundreds if thousands of applications per Bleeping Computer

Netmask is the npm library used worldwide by hundreds of thousands of applications to parse or compare IPv4 addresses and CIDR blocks. It gets 3 million weekly downloads, and 278,000 GitHub repos depend on it.

A critical networking bug was identified, CVE-2021-28918, affecting how netmask handles when IPv4 decimal addresses have a leading zero. It could lead to server-side request forgery bypasses or remote file inclusion. Which impacts the ability of appliances or tools like Web Application firewalls to protect and defend, or perimeter security controls. Fixes are available on Npm downloads.

New Spectre Vulnerabilities found in Linux per The Hacker News

Ah, the wonderful world of speculative attacks aka known as the “sky is falling!” Spectre and Meltdown introduced us to a series of vulnerabilities allowing for things that were “never supposed to happen”. We know “trust but verify”, but need to add “never say never”.

Two new vulnerabilities could potentially allow attackers to bypass mitigations and get their paws on sensitive information from the kernel memory. All versions of Linux prior to 5.11.8 are affected. Patches were being released as of March 20.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s