Security
Possible attack vectors on Linux
https://security.archlinux.org/ lists recent CVEs related to official packages. See the ArchWiki for general security recommendations.
This post is about practical, real-life examples of security vulnerabilities that have affected Linux. The CVEs listed in ASA are of course useful to know about, but I want to see how they can be leveraged by an attacker. Here are some examples, and what I learned from them:
- Shellshock (CVE-2014-6271, CVE-2014-7169): your shell is a huge attack vector. Review your zsh plugins, use only trusted plugins, and keep them minimal.
- BlueBorne (CVE-2017-1000251, CVE-2017-1000250): start the bluetooth service manually, and prefer a wired headset, mouse, and keyboard over wireless ones.
- Grub2 BootHole (CVE-2020-10713): grub is bloated. Use a minimal bootloader.
- CVE-2021-3156 (Baron Samedit): use doas.
- Microsoft Follina: PDFs and documents are a big attack vector. While not a Linux-related vulnerability, it reminded me to be cautious with document files. As an alternative, MS Office files can be uploaded to Google Drive and viewed there, or converted with a tool like Pandoc or soffice. PDF viewers can also be hardened in their settings, or, even better, sandboxed (see the Zathura seccomp filter).
- File previewers: the Follina vulnerability was so terrible that it was executed even without launching Office. Simply having the side preview panel open was enough for the previewer to trigger the vulnerability. If you're using a terminal file manager, then you have to check your `scope` shell script that previews files. See this Wiki section: https://wiki.archlinux.org/title/Lf#Sandboxing_previews
- Archive files: zip bombs
- PKGBUILDs: be cautious with random AUR scripts
- Malicious USBs: see https://wiki.archlinux.org/title/USBGuard
I excluded vulnerabilities related to servers or hardware, like Spectre, Heartbleed, and Downfall. The solution for these is simply keeping your system updated, using a firewall, sandboxing applications, and the rest of the generic recommendations.
Sandboxing
- Sandboxing DEs: 2
- Vim backup: one of the caches to be aware of.
- Nautilus saves thumbnails of all viewed images in `~/.cache/thumbnails`.
  - Solution: symlink it to `/tmp/thumbnails`.
- Clipboard loggers:
- `gvfsd-recent` logs file history. See `/home/user/.local/share/RecentDocuments`.
  - Solution: disable AutoMount in `/usr/share/gvfs/mounts/recent.mount`.
- awk vulnerability
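The two cache fixes above (the Nautilus thumbnail cache and the `gvfsd-recent` file history) in script form, as an added example that is not part of the original post. It assumes the `/tmp/thumbnails` target from the post and the `AutoMount=` key in the gvfs `.mount` file; the home directory and the `.mount` path are taken as arguments so the functions can be tried on a scratch directory before touching the real system.

```shell
#!/bin/sh
# Added example (not from the original post): move the thumbnail cache to
# tmpfs and turn off gvfs' recent-files tracking. Paths are parameterised so
# the functions can be exercised against a scratch directory first.
set -eu

# Replace $1/.cache/thumbnails with a symlink to $2 (e.g. /tmp/thumbnails).
# Existing cached thumbnails are deleted rather than moved: the point is to
# stop retaining them across reboots. Safe to run repeatedly.
relocate_thumbnails() {
    home="$1"; target="$2"
    cache="$home/.cache/thumbnails"
    mkdir -p "$home/.cache" "$target"
    if [ -L "$cache" ]; then
        # Already a symlink: keep it if it points at the right place.
        [ "$(readlink "$cache")" = "$target" ] && return 0
        rm -f "$cache"
    elif [ -d "$cache" ]; then
        rm -rf "$cache"
    fi
    ln -s "$target" "$cache"
}

# Set AutoMount=false in a gvfs .mount file ($1), for example
# /usr/share/gvfs/mounts/recent.mount (needs root for the real file).
# A temp file plus mv is used instead of sed -i so this also works with
# non-GNU sed. If the key is missing it is appended, which is correct for
# the single-section [Mount] layout of these files.
disable_recent_automount() {
    f="$1"
    if grep -q '^AutoMount=' "$f"; then
        sed 's/^AutoMount=.*/AutoMount=false/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf 'AutoMount=false\n' >> "$f"
    fi
}

# Exit 0 if the given .mount file has automount disabled, 1 otherwise.
recent_automount_disabled() {
    grep -qx 'AutoMount=false' "$1"
}

# Usage on a live system (as root for the second call):
#   relocate_thumbnails "$HOME" /tmp/thumbnails
#   disable_recent_automount /usr/share/gvfs/mounts/recent.mount
```

The edit to `/usr/share/gvfs/mounts/recent.mount` lives in a package-owned path, so a gvfs upgrade will restore `AutoMount=true`; re-run `disable_recent_automount` after upgrades (a pacman hook is one way to automate that) and check with `recent_automount_disabled`. `/tmp/thumbnails` is world-readable by default when created this way, so if other local users matter, create it with a restrictive mode first.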