Notable security news for the week brought to you by the F5 SIRT. This week Jordan_Zebor going to look at the notable security news for Rustls, Password Based Key Exchange, and Llama Drama.

Rustls Gains OpenSSL and Nginx Compatibility

Back in September of 2023, NGINX released the OpenSSL Compatibility Layer to simplify and eliminate the need for maintaining separate cryptographic libraries in production environments. One of the benefits to the compatibility layer is the ability to use cryptographic libraries such as BoringSSL, LibreSSL, or QuicTLS, in addition to the typical standard, OpenSSL. Recently added to the list of useable cryptographic libraries is Rustls, a library that is easy to get up and running while also avoiding the memory safety pitfalls associated with C/C++ since it's written entirely in Rust.

I went through the deployment of this and found it extremely easy to setup in my test environment with just a few simple steps. By following the process outlined on the memorysafety blog, I was able to pass traffic immediately with no changes to configuration and no requirement to re-build NGINX, a major advantage of the compatibility layer. If you are interested in adding increased security controls through memory safety of your cryptographic library with NGINX, check out the blog post for more details and setup instructions.

Password Based Key Exchange

Research conducted by CISPA (Helmholtz Center for Information Security) focuses on enhancing the security of Zoom group conversations by developing a novel access control method that prevents Zoom servers from needing to have access to the meeting passwords. The study introduces a modified key exchange protocol that in theory can be integrated into Zoom, allowing users to establish secure connections without sharing passwords with the server. This protocol relies on PAKE (Password-based Key Exchange), enabling groups to manage access control internally, thereby safeguarding against potential interference from Zoom servers.

Password-based Key Exchange (PAKE), is a cryptographic protocol used for securely exchanging cryptographic keys over an insecure channel without relying on a trusted third party. It ensures that parties involved in the exchange can derive a shared secret key based on their respective passwords, without exposing the passwords themselves. PAKE protocols have been applied in various contexts beyond Zoom, including authentication mechanisms in online banking, secure messaging applications, and decentralized systems where traditional authentication methods may not be feasible or secure enough.

According to the study, it's not implemented in Zoom but the research showcases the feasibility of implementing advanced cryptographic techniques like PAKE to enhance the privacy and security of video conferencing platforms, contributing to the broader goal of empowering users to communicate securely and protect their privacy in online interactions.

Llama Drama

The recent discovery of a Server-Side Template Injection vulnerability, dubbed "Llama Drama", has stirred concerns over AI model supply chain attacks. The issue in the llama_cpp_python Python package arises from the misuse of the Jinja2 template engine, opening the door for attackers to execute arbitrary code.

This incident mirrors similar issues we've seen with Pickle files used in the model-sharing ecosystem, emphasizing the growing significance of software supply chain security issues, particularly concerning AI models. According to the report by Checkmarx, over 6,000 AI models on HuggingFace relying on the `gguf` format, meaning the ripple effects of this vulnerability extends across a wide spectrum of AI applications.

AI model files, which some may consider benign components of the software supply chain, have emerged as a potent new attack vector. Despite their seemingly innocuous nature, these models use file formats which are known to allow code execution, malicious or not. As AI technologies become more pervasive in application software stacks, it's imperative to recognize and address the potential security vulnerabilities they introduce. This underscores the urgent need for advancements in standards for model packaging. I admittedly don't have a solution to this growing threat but will be spending some time thinking about the potential solutions. Please share your thoughts on solutions to this issue if you have them.