TheBeardedBaby (OP)
Legendary
 Offline
Activity: 2184
Merit: 3134
₿uy / $ell
|
 |
January 26, 2022, 09:49:38 PM
Last edit: January 27, 2022, 04:11:20 PM by TheBeardedBaby |
|
I know this is probably not the best place to post the thread, but if you have a cold storage wallet with a Linux distro you could be affected and only that, nodes, servers etc. Take precautions. A vulnerability in Polkit's pkexec component identified as CVE-2021-4034 (PwnKit) is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system, researchers warn today.
CVE-2021-4034 has been named PwnKit and its origin has been tracked to the initial commit of pkexec, more than 12 years ago, meaning that all Polkit versions are affected.
Part of the Polkit open-source application framework that negotiates the interaction between privileged and unprivileged processes, pkexec allows an authorized user to execute commands as another user, doubling as an alternative to sudo. More info here: Linux system service bug gives root on all major distros, exploit released |
|
|
|
|
|
|
|
|
|
|
|
|
Bitcoin mining is now a specialized and very risky industry, just like gold mining. Amateur miners are unlikely to make much money, and may even lose money. Bitcoin is much more than just mining, though!
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
|
|
pooya87
Legendary
Offline
Activity: 3430
Merit: 10517
|
if you have a cold storage wallet with a Linux distro you could be affected.
Technically that shouldn't be an issue at all. A cold storage by definition should not be accessible by anyone else remotely or physically, so there shouldn't be any way to use any kind of exploit on it. Additionally you would use some sort of encryption on your cold storage, whether it is encryption provided by Linux itself (eg. encrypting home folder) or encrypting the wallet file itself (eg. encryption provided by Electrum). That means even gaining access to the data won't help the attacker. |
.
.BLACKJACK ♠ FUN. | | | ███▄██████
██████████████▀
████████████
█████████████████
████████████████▄▄
░█████████████▀░▀▀
██████████████████
░██████████████
█████████████████▄
░██████████████▀
████████████
███████████████░██
██████████ | | CRYPTO CASINO &
SPORTS BETTING | | │ | | │ | ▄▄███████▄▄
▄███████████████▄
███████████████████
█████████████████████
███████████████████████
█████████████████████████
█████████████████████████
█████████████████████████
███████████████████████
█████████████████████
███████████████████
▀███████████████▀
███████████████████ | | .
|
|
|
|
TheBeardedBaby (OP)
Legendary
Offline
Activity: 2184
Merit: 3134
₿uy / $ell
|
|
January 27, 2022, 08:11:35 AM |
|
if you have a cold storage wallet with a Linux distro you could be affected.
Technically that shouldn't be an issue at all. A cold storage by definition should not be accessible by anyone else remotely or physically, so there shouldn't be any way to use any kind of exploit on it. Additionally you would use some sort of encryption on your cold storage, whether it is encryption provided by Linux itself (eg. encrypting home folder) or encrypting the wallet file itself (eg. encryption provided by Electrum). That means even gaining access to the data won't help the attacker. I agree that with the cold wallets there are many walls to take down before getting to the honeypot, and most of the time it's impossible with the current available technology, but if you already have a massive door with advanced locker, why leaving it open? |
|
|
|
hugeblack
Legendary
Offline
Activity: 2492
Merit: 3623
Buy/Sell crypto at BestChange
|
|
January 27, 2022, 08:33:27 AM |
|
I did not understand the content of the article accurately, but as I understood it, it gives root privileges for an ordinary user, and therefore it is an account based problem (privileges to unprivileged user.)
Meaning that it will be affected by devices with multiple access or for several people and not for the average user with a single account.
In general, all systems are vulnerable to hacking, and Bitcoin provides the user with the advantage of generating keys without the need to connect to the Internet, which means that most of these bugs will not effect (if the user is able to physically remove all communication parts)
|
|
|
|
PrimeNumber7
Copper Member
Legendary
Offline
Activity: 1610
Merit: 1899
Amazon Prime Member #7
|
|
January 27, 2022, 09:10:16 AM |
|
As pooya87 explained, I don't think this is something that should affect any cold storage setup, as the only person (people) who should have access to the device(s) that contain cold storage private keys is (are) those who have the authorization to spend coin from cold storage.
This might be a bigger issue for a business that allows multiple employees to access a machine that has access to the business's hot wallet (or other secrets). In those cases, this is something that needs to be patched ASAP.
|
|
|
|
|
NeuroticFish
Legendary
Offline
Activity: 3654
Merit: 6371
Looking for campaign manager? Contact icopress!
|
|
January 27, 2022, 09:48:48 AM |
|
Are the linuxes or raspi boxes running hot wallets, nodes, electrum servers affected? I guess so.
And they are probably online 24/7, unlike cold storage that's meant to stay offline.
So the warning is important and big, just the targets.. may need to be updated.
|
.
.HUGE. | | | | | | █▀▀▀▀
█
█
█
█
█
█
█
█
█
█
█
█▄▄▄▄ | ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
.
CASINO & SPORTSBOOK
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ | ▀▀▀▀█
█
█
█
█
█
█
█
█
█
█
█
▄▄▄▄█ | | |
|
|
|
ABCbits
Legendary
Offline
Activity: 2856
Merit: 7430
Crypto Swap Exchange
|
And that's why you shouldn't run random application/script you found on internet, even if you use Linux. This might be a bigger issue for a business that allows multiple employees to access a machine that has access to the business's hot wallet (or other secrets). In those cases, this is something that needs to be patched ASAP.
Application with lots of dependency also risky, i expect someone will try to perform supply chain attack on programming library. |
|
|
|
dkbit98
Legendary
Offline
Activity: 2212
Merit: 7084
|
|
January 27, 2022, 03:57:34 PM |
|
This is not such a big problem when we know small percentage of people running Linux operating systems compared to wiNd0ws and mac.
Furthermore, release fix will be released much quicker than it would on other operating systems, and there is temporary mitigation solution released.
If you are running your Bitcoin node on Linux you can apply temporary solution if you want to be sure, and you don't have to worry if you use your OS offline.
|
.
.HUGE. | | | | | | █▀▀▀▀
█
█
█
█
█
█
█
█
█
█
█
█▄▄▄▄ | ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
.
CASINO & SPORTSBOOK
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ | ▀▀▀▀█
█
█
█
█
█
█
█
█
█
█
█
▄▄▄▄█ | | |
|
|
|
lovesmayfamilis
Legendary
Offline
Activity: 2072
Merit: 4271
✿♥‿♥✿
|
|
January 28, 2022, 06:56:56 AM |
|
This is not such a big problem when we know small percentage of people running Linux operating systems compared to wiNd0ws and mac.
Furthermore, release fix will be released much quicker than it would on other operating systems, and there is temporary mitigation solution released.
If you are running your Bitcoin node on Linux you can apply temporary solution if you want to be sure, and you don't have to worry if you use your OS offline.
As I understand it, you just need to update the system, since some developers, for example, Ubuntu, have already released patches. Does this mean that if we are renewed, we will be protected? I work on Linux, but I am not an advanced user, and I would not want to get into this muck out of inexperience. As for Windows, I don't trust this system at all. |
|
|
|
TheBeardedBaby (OP)
Legendary
Offline
Activity: 2184
Merit: 3134
₿uy / $ell
|
|
January 28, 2022, 07:16:25 AM |
|
Of course the range of affected devices is much larger than only the cold storage wallet, but in my case I have only a cold storage with Linux disto so that's why I noted only that in the OP.
Now the OP it's updated and included some more info.
|
|
|
|
pooya87
Legendary
Offline
Activity: 3430
Merit: 10517
|
|
January 28, 2022, 07:44:42 AM |
|
This is not such a big problem when we know small percentage of people running Linux operating systems compared to wiNd0ws and mac.
It is kind of off-topic but I guess people don't want to change, even if the change is significantly better. It is the same problem we have in bitcoin adoption. I did some search and was very surprised as how low the "open source" adoption is, 2% Linux usage as OS on PC, 2-3% usage of Firefox browser, maybe less than 1% usage of bitcoin, etc. This is while all these alternative open source options are way more superior to their closed source counter parts, not to mention that at this point they are very mature. I'm very surprised and kind of disappointed to be honest.. |
.
.BLACKJACK ♠ FUN. | | | ███▄██████
██████████████▀
████████████
█████████████████
████████████████▄▄
░█████████████▀░▀▀
██████████████████
░██████████████
█████████████████▄
░██████████████▀
████████████
███████████████░██
██████████ | | CRYPTO CASINO &
SPORTS BETTING | | │ | | │ | ▄▄███████▄▄
▄███████████████▄
███████████████████
█████████████████████
███████████████████████
█████████████████████████
█████████████████████████
█████████████████████████
███████████████████████
█████████████████████
███████████████████
▀███████████████▀
███████████████████ | | .
|
|
|
|
|
