News and Updates
RASBYTE TECH FEEDS
June 01, 2024 Artificial Intelligence (AI) company Hugging Face on Friday disclosed that it detected unauthorized access to its Spaces platform earlier this week. "We have suspicions that a subset of Spaces' secrets could have been accessed without authorization," it said in an advisory. Spaces offers a way for users to create, host, and share AI and machine learning (ML) applications. It also functions as a discovery service to look up AI apps made by other users on the platform. In response to the security event, Hugging Space said it is taking the step of revoking a number of HF tokens present in those secrets and that it's notifying users who had their tokens revoked via email. "We recommend you refresh any key or token and consider switching your HF tokens to fine-grained access tokens which are the new default," it added. Hugging Face, however, did not disclose how many users are impacted by the incident, which is currently under further investigation. It has also alerted law enforcement agencies and data protection authorities of the breach. The development comes as the explosive growth of the AI sector has landed AI-as-a-service (AIaaS) providers like Hugging Face in attackers' crosshairs, who could exploit them for malicious purposes. In early April, cloud security firm Wiz detailed security issues in Hugging Face that could permit an adversary to gain cross-tenant access and poison AI/ML models by taking over the continuous integration and continuous deployment (CI/CD) pipelines. Previous research undertaken by HiddenLayer also unearthed flaws in the Hugging Face Safetensors conversion service that made it possible to hijack the AI models submitted by users and stage supply chain attacks. "If a malicious actor were to compromise Hugging Face's platform, they could potentially gain access to private AI models, datasets, and critical applications, leading to widespread damage and potential supply chain risk," Wiz researchers noted in April. Source: TheHackerNews
May 30, 2024 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw impacting the Linux kernel to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2024-1086 (CVSS score: 7.8), the high-severity issue relates to a use-after-free bug in the netfilter component that permits a local attacker to elevate privileges from a regular user to root and possibly execute arbitrary code. "Linux kernel contains a use-after-free vulnerability in the netfilter: nf_tables component that allows an attacker to achieve local privilege escalation," CISA said. Netfilter is a framework provided by the Linux kernel that allows the implementation of various network-related operations in the form of custom handlers to facilitate packet filtering, network address translation, and port translation. The vulnerability was addressed in January 2024. That said, the exact nature of the attacks exploiting the flaw is presently unknown. Also added to the KEV catalog is a newly disclosed security flaw impacting Check Point network gateway security products (CVE-2024-24919, CVSS score: 7.5) that allows an attacker to read sensitive information on Internet-connected Gateways with remote access VPN or mobile access enabled. In light of the active exploitation of CVE-2024-1086 and CVE-2024-24919, federal agencies are recommended to apply the latest fixes by June 20, 2024, to protect their networks against potential threats. Source: TheHackerNews
