Trust Center


Welcome to Scaleway's Trust Center. We strive to include security in each and every aspect of our business. You will find in this Trust Center information and documentation to attest our actions towards delivering a safe and secure Cloud service.


Trust Center Updates

GhostWrite

Vulnerabilities

Definition:

A serious security flaw has been found in the TH1520 CPU used in our EM-RV1 servers. This issue, called GhostWrite, allows unprivileged code to read and write any part of the system's memory.

How it works:

The non-compliant implementation of the high-order strided vector-store instructions vse128.v to vse1024.v treats the address operand as a physical address rather than a virtual one, so the instruction can read and write any part of memory regardless of the current privilege level. The effect is immediate and deterministic: it works every time.

Impact:

Any data held in RAM, such as cryptographic keys, can be extracted by any user. Local users can easily gain higher privileges by manipulating memory. Because the flaw directly manipulates physical memory, no isolation technology such as Docker can protect against it.

Fix:

We already provide patched kernels that disable the RVV 0.7.1 vector extension and, with it, the offending instructions. As those draft extensions were not used by the software shipped with the distributions we offer, this has no performance impact. If your EM-RV1 installation predates the 6th of June 2024, you need to update your kernel manually. You can follow this documentation to do so: https://www.scaleway.com/en/docs/bare-metal/elastic-metal/reference-content/elastic-metal-rv1-guidelines/

Documentation:

https://ghostwriteattack.com/


RegreSSHion

Vulnerabilities

Definition

CVE-2024-6387, named RegreSSHion, is a vulnerability affecting OpenSSH.

This vulnerability allows an attacker to remotely execute arbitrary code with root privileges. It is a regression of CVE-2006-5051: the vulnerability had been patched but reappeared after later software changes.

How it works

In order to authenticate an SSH session, the connecting user must complete the process within a given time. If they do not, the system delivers a signal, SIGALRM, which is handled asynchronously and triggers actions at system level. The problem is that the actions the handler triggers were not designed to be safe to run asynchronously (they are not async-signal-safe).

If several conditions are met, an attacker can exploit this to trigger a race condition: a situation in which the signal is handled while another action is being executed. The interrupted action is then stopped prematurely and the system no longer behaves as expected.

In the case of RegreSSHion, the race condition (if successfully exploited) leads to a memory boundary violation and remote code execution (RCE).

Impact

RegreSSHion is clearly a major security problem. It potentially allows an attacker to:

  • Shut down hosts remotely;
  • Install malware and spyware on critical hosts;
  • Access critical data;
  • Create persistent access to critical hosts;
  • Erase access logs and manipulate evidence of intrusion.

In order to exploit the vulnerability, an attacker needs to make a large number of attempts (tens of thousands). As mentioned above, for the signal to be handled asynchronously the attacker must wait a certain amount of time between attempts, which makes the attack very slow: it may take a few days. In addition, the attacker must craft a custom payload for the specific version of the vulnerable package and operating system being targeted.

Fix

There are two ways to mitigate this vulnerability. You can update the package if a patched version exists, or you can set LoginGraceTime to 0 in the sshd_config file located at /etc/ssh/sshd_config. The second option should only be used if no corrected version is available, as this configuration makes the host vulnerable to a denial of service.
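The LoginGraceTime check described above, as an added example that is not part of the original advisory: it parses an sshd_config the way sshd reads it (first value wins, Match blocks are conditional, a commented-out line is not a setting) and reports whether the SIGALRM grace timer has been disabled. The sample configurations are constructed; the 120-second default is sshd's documented default when the keyword is absent.

```python
import re
from typing import Dict

# Constructed sshd_config excerpt: the grace timer is left at its default.
# The commented-out line documents the shipped default, it is not an active setting.
WEAK_CONFIG = """\
Port 22
#LoginGraceTime 2m
PermitRootLogin prohibit-password
"""

# Same excerpt with the advisory's stop-gap applied: LoginGraceTime 0.
MITIGATED_CONFIG = WEAK_CONFIG + "LoginGraceTime 0\n"

DEFAULT_LOGIN_GRACE_TIME = 120  # seconds; sshd's default when the keyword is absent
TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return keyword -> value for the global section of an sshd_config.

    sshd keeps the first value it reads for each keyword, so later duplicates
    are ignored. Everything after a Match line is skipped: conditional blocks
    do not change the global LoginGraceTime.
    """
    options: Dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
        elif not in_match:
            options.setdefault(key, value)
    return options


def login_grace_seconds(text: str) -> int:
    """Resolve LoginGraceTime in seconds, accepting sshd's s/m/h/d/w suffixes."""
    value = parse_sshd_config(text).get("logingracetime")
    if value is None:
        return DEFAULT_LOGIN_GRACE_TIME
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.lower())
    if not m:
        raise ValueError(f"unparseable LoginGraceTime: {value!r}")
    return int(m.group(1)) * TIME_UNITS[m.group(2)]


def grace_timer_disabled(text: str) -> bool:
    """True when the SIGALRM grace timer can never fire (LoginGraceTime 0)."""
    return login_grace_seconds(text) == 0
```

Run it against the real file with `grace_timer_disabled(open("/etc/ssh/sshd_config").read())`; a result of False on an unpatched package means the stop-gap is not in place.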

For the update part, you can follow the following guides to update your packages:

Detection

To detect whether the vulnerability affects your system, you need to identify the installed OpenSSH packages and compare their versions with the ones listed as vulnerable in your vendor's security advisory.

Conclusion

RegreSSHion is a resurgence of a 2006 vulnerability identified as CVE-2006-5051.

It allows an attacker to execute code as root on hosts they are not authorised on. These hosts must be running a vulnerable version of the OpenSSH packages; the affected versions are listed in the vendors' security advisories.

RegreSSHion has an impact on many systems as OpenSSH is widely used to secure access to other hosts.

An update is required to correct the problem.

Documentation


Ebury

Vulnerabilities

Definition

Ebury is a sophisticated malware and SSH backdoor that targets Linux and Unix systems. Its first goal is to compromise SSH credentials in order to create persistent, malicious access to systems. This backdoor allows the attacker to:

  • Steal SSH credentials and use them elsewhere to compromise further systems;
  • Create persistent remote access on systems;
  • Execute arbitrary code on infected systems.

Ebury has been used in a variety of campaigns and is known for its ability to remain undetected for extended periods. It is therefore a significant threat to network security.

How it works

After gaining access to a system with stolen or brute-forced credentials, Ebury modifies the legitimate SSH binaries so that it harvests further credentials from every connection. Those stolen credentials are then sent to the attackers. The attackers can also use a backdoor planted by Ebury to control the system without any further authentication. The malware stays undetected by using advanced stealth techniques and by modifying critical system binaries.

Impact

Ebury has a significant impact in terms of security:

  • It allows attackers to get critical information.
  • It allows attackers to control an unauthorized system.
  • It can propagate easily.
  • It is hard to detect.

Remediation is very costly in terms of time, effort and money.

Mitigation

To mitigate Ebury, you should follow these good security practices:

  • Instead of relying only on a password to connect to a system over SSH, use key-based authentication, and complement it with a TOTP second factor.
  • Monitor SSH connections on your systems.
  • Monitor logs and network traffic to detect malicious behaviour.
  • Isolate infected systems.

By securing SSH access, you may prevent Ebury from infecting your system.

Detection

Several actions must be taken to detect Ebury:

  • Your system should be monitored as closely as possible from a security standpoint. Alerts should be raised when critical files are accessed or modified and when unusual behaviour is detected.
  • If you suspect Ebury is present on a system, analyse the running processes: unexpected processes may be running. Remember that Ebury uses advanced stealth techniques, so this step may not give a definitive answer.
  • As said before, Ebury sends the collected information to the attackers. This generates network traffic, which should be monitored. You can also use various tools to check for kernel-level tampering: tools like “rkhunter” search for rootkits and may reveal traces of Ebury on the scanned system.
  • You can use the dedicated detection script written by ESET, which you can find here: https://github.com/eset/malware-research/tree/master/ebury.

You may detect Ebury on your system using all the previous steps.
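Because Ebury works by altering the legitimate OpenSSH binaries, one concrete detection step is to compare the installed files with the digests the package manager recorded at install time. The following is an added example, not ESET's or Scaleway's tooling: it reads a dpkg-style `.md5sums` manifest (two-space separated, paths without a leading slash, as found under `/var/lib/dpkg/info/`) and classifies each file as ok, modified or missing. The `demo()` scenario is constructed in a temporary directory; on a real host, pass `root="/"` and the manifest of the openssh-client and openssh-server packages. The manifest on a compromised host can itself have been tampered with, so digests taken from a freshly downloaded copy of the package are the trustworthy reference.

```python
import hashlib
import os
import tempfile
from typing import Dict


def parse_md5sums(text: str) -> Dict[str, str]:
    """Parse a dpkg .md5sums manifest: one '<md5>  <path without leading slash>' per line."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            expected[path.strip()] = digest.lower()
    return expected


def md5_of(path: str) -> str:
    """Stream a file through MD5 (the digest dpkg records; not for security, for matching)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(manifest_text: str, root: str = "/") -> Dict[str, str]:
    """Map each manifest path to 'ok', 'modified' or 'missing', resolved under root."""
    status: Dict[str, str] = {}
    for rel, want in parse_md5sums(manifest_text).items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            status[rel] = "missing"
        else:
            status[rel] = "ok" if md5_of(full) == want else "modified"
    return status


def demo() -> Dict[str, str]:
    """Constructed scenario: a fake root with one intact and one tampered 'binary'."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/bin"))
    os.makedirs(os.path.join(root, "usr/sbin"))
    pristine = b"#!/bin/sh\necho pristine ssh client\n"  # stands in for the packaged file
    with open(os.path.join(root, "usr/bin/ssh"), "wb") as f:
        f.write(pristine)
    with open(os.path.join(root, "usr/sbin/sshd"), "wb") as f:
        f.write(pristine + b"# extra bytes standing in for a trojanised build\n")
    good = hashlib.md5(pristine).hexdigest()
    manifest = f"{good}  usr/bin/ssh\n{good}  usr/sbin/sshd\n{good}  usr/lib/openssh/sftp-server\n"
    return verify_files(manifest, root)
```

A "modified" sshd or ssh is a strong signal to isolate the host and proceed to the resolution steps below, since a rootkit that hooks file reads can also hide the change from this check.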

Resolution

The resolution for this malware is heavy. If your system is infected, you must:

  • Isolate it as fast as possible to prevent propagation.
  • Change your credentials, keys and certificates. The previous ones may have been sent to the attackers, so they must be considered compromised.
  • Back up your important files.
  • Reinstall the OS and restore your data.
  • Follow the mitigation steps to avoid another infection.

There is no “easy and fast” way to resolve this problem: the infected system must be erased and replaced by a fresh one.

Conclusion

Ebury is an advanced malware that modifies legitimate OpenSSH binaries to harvest credentials and gain unauthorised access to systems. Its impact is very large: it is hard to detect and has remained active for many years. Good security practices such as MFA, key-based authentication and security monitoring must be followed to mitigate this threat. If a system is infected, recovery is heavy in time and effort: it means erasing the OS and reinstalling the system.

Documentation


Phishing Campaign against Webhosting Customer - May 2024

Incidents

Dear All,

On the 21st of May 2024, our Trust & CSIRT teams detected that a small number of customers of our « Webhosting » offer had been targeted using a mix of fuzzing methods.

The threat actor attempted to retrieve credit card details and account credentials by imitating an invoice payment page.

Scaleway will never request payment through an email link. As always, if there is an issue with your payment, you will receive a message informing you about the situation.

We took the necessary actions, including contacting the provider hosting the threat actor’s website and blocking all mail from those illicit senders, to avoid any further impact on our customers.

If you have any doubts about an email supposedly sent by Scaleway, we invite you to contact our technical assistance, available 24/7, by opening a ticket.

You can also take a look at our documentation about how to identify a suspicious email: https://www.scaleway.com/en/docs/console/account/troubleshooting/protecting-yourself-fraud-phishing/.

If you have entered information in response to an email from a phishing campaign, we encourage you to contact support as soon as possible.

We strongly recommend that all our customers activate 2FA on their account; they can follow the steps with this documentation: https://www.scaleway.com/en/docs/dedibox-console/account/how-to/enable-two-factor-authentication/


Backdoor inside the XZ utils package - CVE-2024-3094

Vulnerabilities

Scaleway's internal infrastructure was not affected by this vulnerability.

On the 29th of March 2024, a backdoor was discovered in the XZ utils packages.

The package contains obfuscated code that installs a backdoor interfering with SSH authentication requests, which could grant access to a malicious actor.

The affected package versions are 5.6.0 and 5.6.1, mostly present in testing, unstable or experimental versions of operating systems.

Here is a list of concerned OS:

The only OS that might be affected on Scaleway Instance, Bare Metal and Dedibox offers is Arch Linux.

Follow the security announcement from your OS vendor to find out whether you are affected and how to patch. In most cases, updating or downgrading the xz package is the recommended fix.


VMware ESXi multiple vulnerabilities - 05th March 2024

Vulnerabilities

The Scaleway internal infrastructure was not impacted by these vulnerabilities.

On the 5th of March 2024, VMware published an advisory on multiple vulnerabilities impacting their products. The VMware ESXi solution is affected and must be patched as soon as possible if you are using it.

This is a summary of the potential risk:

CVE-2024-22252 & CVE-2024-22253 (CVSSv3 8.4) - Use-after-free vulnerability in the XHCI USB controller: a malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox.

CVE-2024-22254 (CVSSv3 7.9) - ESXi out-of-bounds write vulnerability: a malicious actor with privileges within the VMX process may trigger an out-of-bounds write leading to an escape from the sandbox.

CVE-2024-22255 (CVSSv3 7.1) - Information disclosure vulnerability in the UHCI USB controller: a malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the VMX process.

To remediate these flaws, apply the patch matching your version:

ESXi 8 - Apply one of these patches:

  • ESXi80U2sb-23305545
  • ESXi80U1d-23299997

ESXi 7 - Apply the following patch:

  • ESXi70U3p-23307199

ESXi 6.7 / 6.5:

  • If you have subscribed to the extended support plan, you can apply:
    • ESXi670-202403001 for version 6.7
    • ESXi650-202403001 for version 6.5
  • If you have not, you must migrate to version 7 or 8 to get the fix.

More information at: https://www.vmware.com/security/advisories/VMSA-2024-0006.html
