Vulnerabilities – Information Security Newspaper | Hacking News
https://www.securitynewspaper.com
Information Security Newspaper | Infosec Articles | Hacking News
Wed, 06 Dec 2023 19:22:45 +0000

Over 86,000 Routers at Risk – Is Yours One of Them? Shocking Vulnerabilities in Widely Used OT/IoT Routers
https://www.securitynewspaper.com/2023/12/06/over-86000-routers-at-risk-is-yours-one-of-them-shocking-vulnerabilities-in-widely-used-ot-iot-routers/
Wed, 06 Dec 2023 19:22:43 +0000

The research “Sierra:21 – Living on the Edge” presents an analysis of vulnerabilities found in Sierra Wireless AirLink cellular routers, which are widely used in OT/IoT (Operational Technology/Internet of Things) environments to connect critical local networks to the Internet. Forescout Vedere Labs identified 21 new vulnerabilities in these routers, as well as in certain open-source components used in them, such as TinyXML and OpenNDS.

  • The study focuses on the Sierra Wireless AirLink cellular routers, crucial for connecting OT/IoT networks to the internet.
  • These routers are used in various critical infrastructure sectors, including manufacturing, healthcare, government, energy, transportation, and emergency services.
  • Sierra Wireless, OpenNDS, and Nodogsplash have patched several vulnerabilities, but challenges remain due to the abandonment of projects like TinyXML.

Flaws and Examples

The vulnerabilities are grouped into five impact categories:

  1. Remote Code Execution (RCE): Attackers can take full control of a device by injecting malicious code.
  2. Cross-Site Scripting (XSS): This allows for the injection of malicious code on clients browsing the ACEmanager application, potentially leading to credential theft.
  3. Denial of Service (DoS): These vulnerabilities can be used to crash ACEmanager, rendering it unreachable or causing it to restart automatically.
  4. Unauthorized Access: This involves design flaws like hardcoded credentials and private keys, which could allow attackers to perform man-in-the-middle attacks or recover passwords.
  5. Authentication Bypasses: These allow attackers to bypass the authentication service of the captive portal and directly connect to the protected WiFi network.

Severity of Vulnerabilities: Among these 21 vulnerabilities, one is of critical severity, nine have high severity, and eleven have medium severity. These vulnerabilities could allow attackers to steal credentials, take control of a router by injecting malicious code, persist on the device, and use it as an initial access point into critical networks.

Affected Sectors: The affected devices are found in multiple critical infrastructure sectors. These include manufacturing, healthcare, government and commercial facilities, energy and power distribution, transportation, water and wastewater systems, retail, emergency services, and vehicle tracking. Additionally, these routers are used to stream video for remote surveillance and connect police vehicles to internal networks.

Extent of Exposure: Over 86,000 vulnerable routers are exposed online. Notably, less than 10% of these exposed routers have been confirmed to be patched against known vulnerabilities found since 2019, which indicates a large attack surface. Moreover, 90% of devices exposing a specific management interface (AT commands over Telnet) have reached the end of their life, meaning they cannot receive further patches.

Specific examples include:

  • CVE-2023-40458: ACEmanager enters an infinite loop when parsing malformed XML documents, leading to DoS.
  • CVE-2023-40459: A NULL-pointer dereference in ACEmanager during user authentication, leading to limited DoS.
  • CVE-2023-40460: Attackers can upload HTML documents to replace legitimate web pages in ACEmanager, leading to XSS attacks.
  • CVE-2023-40461 and CVE-2023-40462: Issues with uploading client certificates and client TLS keys in ACEmanager, enabling JavaScript code injection.
  • CVE-2023-40463: Hardcoded hash of the root password in ALEOS, allowing unauthorized root access.
  • CVE-2023-40464: Default SSL private key and certificate in ALEOS, enabling impersonation and traffic sniffing/spoofing.

Mitigation or Workaround

  • Patching is essential. Sierra Wireless has released updated ALEOS versions containing fixes.
  • Change default SSL certificates.
  • Disable unnecessary services like captive portals, Telnet, and SSH.
  • Deploy web application firewalls to protect against web-based vulnerabilities.
  • Use OT/IoT-aware intrusion detection systems to monitor network connections.
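The mitigation list above is easiest to act on when it is turned into a repeatable check against an asset inventory. The following script is an added example, not Forescout's or Sierra Wireless's code: it takes a constructed inventory of AirLink routers and reports, per device, which of the listed conditions still apply (ALEOS below the patched release, end-of-life hardware, management services reachable from the Internet, default TLS certificate). The patched ALEOS version is a placeholder constant, because the fixed release number is not given on this page; substitute the value from the vendor advisory.

```python
"""Exposure triage for Sierra Wireless AirLink routers.

Added example, not Forescout's or Sierra Wireless's code. It takes an asset
inventory (constructed below) and reports, per router, the conditions the
article's mitigation list calls out: missing ALEOS patch, end-of-life hardware,
management services reachable from the Internet, and a default TLS certificate.
"""
from dataclasses import dataclass, field

# PLACEHOLDER: replace with the fixed ALEOS version given in the vendor advisory.
PATCHED_ALEOS_VERSION = "9.99.0"

# Services the article recommends disabling when not required. ACEmanager is the
# web management UI that most of the listed CVEs target; "telnet" covers the
# AT-command interface mentioned in the exposure figures.
RISKY_SERVICES = {"acemanager", "telnet", "ssh", "captive_portal"}


@dataclass
class Router:
    name: str
    aleos_version: str
    wan_services: set = field(default_factory=set)   # services reachable from the Internet
    default_tls_cert: bool = False
    end_of_life: bool = False


def version_tuple(version):
    """Turn '4.16.0' into (4, 16, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def triage(router):
    """Return the list of findings for one router (empty list means nothing to do)."""
    findings = []
    if router.end_of_life:
        findings.append("end-of-life: no patch will come; isolate or replace the device")
    elif version_tuple(router.aleos_version) < version_tuple(PATCHED_ALEOS_VERSION):
        findings.append(f"ALEOS {router.aleos_version} is below the patched release; update")
    for service in sorted(router.wan_services & RISKY_SERVICES):
        findings.append(f"{service} reachable from the Internet; disable it or restrict it to the OT network")
    if router.default_tls_cert:
        findings.append("default TLS certificate still installed; replace it")
    return findings


def triage_inventory(routers):
    """Map router name -> findings, only for routers that have at least one."""
    return {r.name: triage(r) for r in routers if triage(r)}


# Constructed inventory (not real devices); names and versions are made up.
INVENTORY = [
    Router("pump-station-01", "4.16.0", {"acemanager", "telnet"}, default_tls_cert=True),
    Router("patrol-car-17", "9.99.0", set()),
    Router("legacy-substation-03", "4.9.4", {"ssh"}, end_of_life=True),
]

if __name__ == "__main__":
    for name, findings in triage_inventory(INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

An end-of-life device is reported once, without a patch finding, because updating is not an option for it; the useful outcome there is isolation or replacement, which is why the check short-circuits the version comparison.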

Conclusion

  • Vulnerabilities in OT/IoT network infrastructure are a major concern and are often left unpatched.
  • Less than 10% of routers exposed online are patched against known vulnerabilities.
  • Embedded devices lag in addressing vulnerabilities and implementing exploit mitigations.
  • Incomplete fixes can lead to new issues, as seen with CVE-2023-40460, originating from an incomplete fix for a previous vulnerability.
  • Manufacturers need to understand and address the root causes of vulnerabilities for effective long-term solutions.

Inside LogoFAIL: The UEFI Firmware Flaw Compromising Millions of Devices
https://www.securitynewspaper.com/2023/12/04/inside-logofail-the-uefi-firmware-flaw-compromising-millions-of-devices/
Mon, 04 Dec 2023 14:20:00 +0000

A new set of vulnerabilities, dubbed ‘LogoFAIL,’ has been found in the Unified Extensible Firmware Interface (UEFI), the backbone of the boot process on modern computers. Discovered by the Binarly Research team, LogoFAIL exposes a critical flaw in the firmware of countless devices and affects both x86 and ARM-based systems. The finding is a reminder that the security of a machine rests on layers well below the visible software: a weakness in the firmware undermines everything loaded on top of it.

These vulnerabilities were discovered by the Binarly Research team and have far-reaching consequences:

  1. Discovery and Impact: LogoFAIL vulnerabilities affect the system firmware of many vendors during the device boot process and are not tied to any particular silicon. They impact the entire firmware ecosystem, including Independent BIOS Vendors (IBVs) such as AMI, Insyde, and Phoenix, which implies that a broad range of consumer and enterprise devices could be at risk. Imagine a scenario where a large electronics manufacturer uses firmware from an IBV like AMI for its laptops. If this firmware contains the vulnerable image parsing libraries identified in LogoFAIL, then all of these laptops, regardless of their specific models or configurations, could be at risk. Millions of devices across the globe could be vulnerable to the same flaws.
  2. Operation of Vulnerabilities: These vulnerabilities enable attackers to store malicious logo images on the EFI System Partition (ESP) or in unsigned sections of a firmware update. During the boot process, when these images are parsed, the vulnerability can be triggered, allowing attackers to execute arbitrary payloads. This can lead to the bypassing of critical security features like Secure Boot and hardware-based Verified Boot mechanisms, including Intel Boot Guard, AMD Hardware-Validated Boot, or ARM TrustZone-based Secure Boot. For example, an attacker could craft a malicious logo image and insert it into the EFI System Partition on a victim’s laptop. When the laptop is booted, the firmware parses this image and unknowingly triggers the vulnerability. This could allow the attacker to bypass the laptop’s Secure Boot mechanism, undermining one of the key security features that is supposed to ensure only trusted software is loaded during the boot process.
  3. Implications: LogoFAIL vulnerabilities can completely compromise the system’s security, making “below-the-OS” security measures like Secure Boot ineffective. This level of compromise allows attackers to gain deep control over affected systems. The vulnerabilities offer a different attack surface on the ESP partition, allowing for data-only exploitation by modifying the logo image. Consider a highly secure workstation used in a government facility, which relies on Secure Boot for security. If this workstation is affected by LogoFAIL, an attacker could exploit these vulnerabilities to gain control over the system even before the operating system loads. This could allow the attacker to manipulate or disable other security measures, essentially gaining unrestricted access to the system and the sensitive data it contains.

Exploitation

Threat actors can exploit the LogoFAIL vulnerabilities in the following ways:

  1. Malicious Logo Images: Attackers can craft malicious logo images and place them on the EFI System Partition (ESP) or within unsigned sections of a firmware update. Since these images are parsed during the boot process, a crafted image triggers the parsing flaw and the attacker’s payload is executed.
  2. Bypassing Security Mechanisms: By exploiting these vulnerabilities, attackers can bypass critical security features like Secure Boot, Intel Boot Guard, and other hardware-validated boot mechanisms. This allows them to execute unauthorized code at a fundamental level of the device.
  3. System Compromise: Once they bypass these security measures, attackers can potentially gain deep control over the system, undermining its security and potentially accessing sensitive information or installing further malware. This level of access can be particularly damaging as it occurs below the operating system level, making detection and remediation more challenging.

Mitigation

To mitigate the risks associated with the LogoFAIL vulnerabilities, several steps can be taken:

  1. Firmware Updates: Regularly updating firmware is crucial. Manufacturers often release patches and updates to address known vulnerabilities. Keep all devices updated with the latest firmware versions provided by the manufacturer.
  2. Vendor Communication: Stay informed about any security advisories or updates from device manufacturers. This can include checking for updates on their websites or subscribing to their security bulletins.
  3. Security Solutions: Employ security solutions that monitor firmware integrity and detect anomalies at the firmware level.
  4. Regular Audits: Conduct regular security audits of firmware to identify and mitigate potential vulnerabilities.
  5. Best Practices: Follow cybersecurity best practices, including maintaining a secure and updated environment, and educating users about the importance of security in preventing malware infections.
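Step 3 above asks for a solution that monitors firmware integrity; the part of the LogoFAIL attack surface that is plain files, the logo image on the EFI System Partition, can be watched with an ordinary baseline-and-diff check. The script below is an added example, not Binarly's code or any vendor's tool. It assumes the ESP is mounted (for example at a path like /boot/efi) and that the baseline was captured on a known-good system; the directory tree it runs on in `demo()` is constructed in a temporary folder so the example runs offline. It does not cover images embedded in unsigned sections of a firmware update, which are not visible as files.

```python
"""Baseline-and-diff integrity check for an EFI System Partition (ESP).

Added example, not Binarly's code. It assumes the ESP is mounted at a known path
and that the baseline was captured on a known-good system. The check reports any
file that was added, removed or changed, and lists image files separately
because LogoFAIL's data-only attack surface is the boot logo image.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions that boot logos are commonly stored under (assumption, not an exhaustive list).
IMAGE_SUFFIXES = {".bmp", ".png", ".jpg", ".jpeg", ".gif", ".pcx", ".tga"}


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large bootloaders are not loaded at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map relative path -> SHA-256 for every regular file below root."""
    root = Path(root)
    return {
        str(path.relative_to(root)).replace(os.sep, "/"): hash_file(path)
        for path in sorted(root.rglob("*")) if path.is_file()
    }


def compare(baseline, current):
    """Diff two baselines; image files that are new or changed are called out separately."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(name for name in baseline.keys() & current.keys()
                      if baseline[name] != current[name])
    suspicious_images = sorted(name for name in added + modified
                               if Path(name).suffix.lower() in IMAGE_SUFFIXES)
    return {"added": added, "removed": removed, "modified": modified,
            "suspicious_images": suspicious_images}


def demo():
    """Constructed scenario: a known-good ESP, then a replaced logo and a new image file."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        (esp / "EFI" / "BOOT").mkdir(parents=True)
        (esp / "EFI" / "BOOT" / "BOOTX64.EFI").write_bytes(b"MZ constructed bootloader stub")
        (esp / "EFI" / "vendor").mkdir()
        (esp / "EFI" / "vendor" / "logo.bmp").write_bytes(b"BM constructed logo")
        baseline = build_baseline(esp)
        # Simulated tampering after the baseline was taken.
        (esp / "EFI" / "vendor" / "logo.bmp").write_bytes(b"BM tampered logo")
        (esp / "EFI" / "vendor" / "extra.png").write_bytes(b"\x89PNG constructed")
        return compare(baseline, build_baseline(esp))


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key}: {names}")
```

In practice the baseline should be stored off the host (a tampered ESP could otherwise be paired with a tampered baseline), and the comparison should run from a trusted context such as a management agent or a live-boot check rather than from the possibly compromised system itself.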

These steps can significantly reduce the risk of exploitation of these vulnerabilities. This research underscores the seriousness of these vulnerabilities and their potential to affect a vast range of devices, highlighting the need for comprehensive security measures in firmware development and maintenance.

Your Google Cloud Security Might Be at Risk. Hacking GCP via Google Workspace flaw
https://www.securitynewspaper.com/2023/11/15/your-google-cloud-gcp-security-might-be-at-risk-hacking-gcp-via-google-workspace-flaw/
Thu, 16 Nov 2023 01:06:06 +0000

In a startling revelation, Bitdefender, a leading cybersecurity firm, has disclosed a series of sophisticated attack methods that could significantly impact users of Google Workspace and Google Credential Provider for Windows (GCPW). This discovery highlights potential weaknesses in widely used cloud and authentication services, prompting a reevaluation of current security measures.

Discovery of Advanced Attack Techniques

Bitdefender’s research team, working in conjunction with their in-house research institute Bitdefender Labs, has identified previously unknown methods that cybercriminals could use to escalate a breach from a single endpoint to a network-wide level. These techniques, if exploited, could lead to severe consequences such as ransomware attacks or massive data exfiltration.

The attack progression involves several key stages, starting from a single compromised machine. Once inside the system, attackers could potentially:

  • Move across cloned machines within the network, especially if they are equipped with GCPW.
  • Gain unauthorized access to the Google Cloud Platform through custom permissions.
  • Decrypt locally stored passwords, extending their reach beyond the initially compromised machine.

These findings were responsibly disclosed to Google. However, Google has stated that these issues will not be addressed directly, as they fall outside their designated threat model. This decision reflects Google’s risk assessment and security priorities.

The Dual Role of Google Credential Provider for Windows (GCPW)

At the heart of these vulnerabilities is the Google Credential Provider for Windows (GCPW), a tool designed to streamline access and management within Google’s ecosystem. GCPW serves two primary functions:

  1. Remote Device Management: Similar to Mobile Device Management (MDM) systems like Microsoft Intune, GCPW allows administrators to remotely manage and control Windows devices connected to Google Workspace. This includes enforcing security policies, deploying software updates, and managing device settings without needing a VPN connection or domain registration.
  2. Single-Sign On (SSO) Authentication: GCPW facilitates SSO for Windows devices using Google Workspace credentials. This integration provides a seamless login experience, enabling users to access their devices with the same credentials used for Google services like Gmail, Google Drive, and Google Calendar.

The Operational Mechanism of GCPW

Understanding GCPW’s functioning is crucial in comprehending the vulnerabilities. Here’s a breakdown of its operational process:

  • Local Service Account Creation: Upon installing GCPW, a new user account named ‘gaia’ is created. This account, not intended for regular user interactions, serves as a service account with elevated privileges.
  • Credential Provider Integration: GCPW integrates a new Credential Provider into the Windows Local Security Authority Subsystem Service (lsass), a critical component responsible for handling security operations and user authentication in Windows.
  • Local User Account Creation: GCPW facilitates the creation of new local user accounts linked to Google Workspace accounts whenever a new user authenticates with the system.
  • Logon Procedure: These Google Workspace users are logged in using their newly created local profiles, where a refresh token is stored to ensure continuous access without repeated authentication prompts.

Uncovered Attack Methods

Bitdefender’s research sheds light on specific attack vectors that exploit the functionalities of GCPW:

Golden Image Lateral Movement:

  • Virtualized Environment Challenge: In environments that use cloned virtual machines (VMs), such as Virtual Desktop Infrastructure (VDI) or Desktop as a Service (DaaS) solutions, the installation of GCPW on a base machine means that the ‘gaia’ account and its password are cloned across all VMs.
  • Attack Implication: If an attacker discovers the password of one ‘gaia’ account, they can potentially access all machines that have been cloned from the same base image.
  • Scenario: Imagine a company, “Acme Corp,” uses a Virtual Desktop Infrastructure (VDI) where multiple virtual machines (VMs) are cloned from a single ‘golden image’ for efficiency. This image has Google Credential Provider for Windows (GCPW) pre-installed for ease of access.

Attack Example:

  • An attacker, Alice, manages to compromise one of Acme Corp’s VMs. During her exploration, she discovers that the VM has GCPW installed.
  • She learns that the ‘gaia’ account password created during the GCPW setup is identical across all cloned VMs because they were derived from the same golden image.
  • By extracting the ‘gaia’ account password from the compromised VM, Alice can now access all other VMs cloned from the same image. This allows her to move laterally across the network, potentially accessing sensitive information or deploying malware.

Unauthorized Access Token Request:

  • Exploitation of OAuth Tokens: GCPW stores an OAuth 2.0 refresh token within the user’s session, maintaining access to the broader Google ecosystem. Attackers gaining access to this token can request new Access Tokens with varied permissions.
  • Scope of Abuse: The permissions granted by these tokens can enable attackers to access or manipulate a wide range of user data and Google services, effectively bypassing multi-factor authentication (MFA) processes.
  • Scenario: At a different company, “Beta Ltd.,” employees use their Google Workspace credentials to log into their Windows machines, facilitated by GCPW.

Attack Example:

  • Bob, a cybercriminal, gains initial access to a Beta Ltd. employee’s computer through a phishing attack.
  • Once inside the system, Bob finds the OAuth 2.0 refresh token stored by GCPW. This token is meant to maintain seamless access to Google services without repeated logins.
  • With this token, Bob crafts a request to Google’s authentication servers pretending to be the legitimate user. He requests new Access Tokens with broad permissions, like access to emails or cloud storage.
  • Using these tokens, Bob can now access sensitive data in the employee’s Google Workspace environment, like emails or documents, bypassing any multi-factor authentication set up by the company.

Password Recovery Threat:

  • Plaintext Credential Risk: GCPW’s mechanism of saving user passwords as encrypted LSA secrets, intended for password resetting, presents a vulnerability. Skilled attackers could decrypt these credentials, allowing them to impersonate users and gain unrestricted account access.

Scenario: A small business, “Gamma Inc.,” uses GCPW for managing their Windows devices and Google Workspace accounts.

Attack Example:

  • Carla, an experienced hacker, targets Gamma Inc. She successfully breaches one of the employee’s systems through a malware-laden email attachment.
  • After gaining access, Carla locates the encrypted LSA secret stored by GCPW, which contains the user’s Google Workspace password.
  • Using advanced decryption techniques, she decrypts this password. Now, Carla has the same access privileges as the employee, not just on the local machine but across all Google services where the employee’s account is used.
  • This enables Carla to impersonate the employee, access company emails, manipulate documents, or even transfer funds if the employee has financial privileges.

Google’s Stance and Security Implications

Google’s decision not to address these findings, citing their exclusion from the company’s specific threat model, has stirred a debate in the cybersecurity community. While Google’s risk

Azure CLI stores credentials in plaintext in logs. An easy technique to hack cloud environments
https://www.securitynewspaper.com/2023/11/14/azure-cli-stores-credentials-in-plaintext-in-logs-a-easy-technique-to-hack-cloud-environments/
Tue, 14 Nov 2023 19:19:06 +0000

CVE-2023-36052 is a critical security vulnerability in the Azure Command-Line Interface (CLI), a tool for managing Azure resources. This vulnerability, reported by Palo Alto’s Prisma Cloud, allowed unauthenticated attackers to remotely access plaintext contents, including usernames and passwords, from Continuous Integration and Continuous Deployment (CI/CD) logs created using Azure CLI. These logs could be published by Azure DevOps and/or GitHub Actions. To mitigate this risk, users were advised to update their Azure CLI to version 2.53.1 or above.

Let’s consider a hypothetical example to understand the implications of CVE-2023-36052:

Suppose a development team uses Azure CLI for managing their Azure resources and automates their deployment process using GitHub Actions. During their routine operations, they execute various Azure CLI commands which generate logs. These logs, by default, include plaintext credentials such as usernames and passwords.

An external attacker, aware of this vulnerability, could access the public repository where the team’s GitHub Actions are configured. By examining the CI/CD logs published there, the attacker could find and extract these plaintext credentials. With these credentials, the attacker could gain unauthorized access to the team’s Azure resources, potentially leading to data breaches, unauthorized modifications, or even service disruptions.

This scenario underscores the critical nature of CVE-2023-36052, where seemingly benign logs could inadvertently become a source of significant security breaches. The mitigation steps provided by Microsoft, including updating Azure CLI and implementing best practices for log management and key rotations, are essential to prevent such unauthorized access.

Mitigation

Microsoft implemented several measures to address this vulnerability. These include:

  1. Azure CLI Update: Advising customers to update Azure CLI to the latest release.
  2. Securing Logs: Avoiding exposure of Azure CLI output in logs or publicly accessible locations and implementing guidance for masking environment variables.
  3. Regularly Rotating Keys and Secrets: Encouraging regular rotation of keys and secrets.
  4. Reviewing Security Best Practices: Providing guidance on secrets management for Azure services and GitHub Actions, and ensuring GitHub repositories are private unless necessary to be public.
  5. Securing Azure Pipelines: Offering guidance for securing Azure Pipelines.
  6. Enhancing Default Configurations: Introducing a new default configuration in Azure CLI to prevent accidental disclosure of sensitive information. This included restricting the presentation of secrets in output from update commands and broadening credential redaction capabilities across GitHub Actions and Azure Pipelines.

Workaround

Without patching, the primary alternative way to mitigate the risks associated with CVE-2023-36052 involves several best practices and security measures:

  1. Secure Logging Practices: Ensure that logs do not contain sensitive information. This might involve custom scripts or tools to filter out or obfuscate credentials and other sensitive data before they are logged.
  2. Access Control on Logs: Restrict access to CI/CD logs. Ensure that only authorized personnel can view these logs, and they are not publicly accessible.
  3. Frequent Credential Rotation: Regularly change credentials and secrets to reduce the window of opportunity for an attacker to use compromised credentials.
  4. Monitoring and Alerting: Implement monitoring to detect unusual access patterns or usage of credentials, which might indicate a compromise.
  5. Environment Segmentation: Segregate development, testing, and production environments. Limit the scope of what each environment can access to minimize potential damage.

However, these measures are more complex and potentially less effective than updating the Azure CLI to a patched version. Patching directly addresses the vulnerability at its source, providing a more comprehensive and straightforward solution.

Hackers’ new favorite: CVE-2023-4911 targeting Debian, Ubuntu and Fedora servers in the Cloud
https://www.securitynewspaper.com/2023/11/06/hackers-new-favorite-cve-2023-4911-targeting-debian-ubuntu-and-fedrora-servers-in-the-cloud/
Tue, 07 Nov 2023 00:23:21 +0000

CVE-2023-4911 is a serious security vulnerability within the GNU C Library (glibc), specifically in the dynamic loader ld.so, associated with the processing of the GLIBC_TUNABLES environment variable. This vulnerability has been exploited in cloud attacks, particularly by a group using the Kinsing malware for cryptojacking operations.

The flaw is a buffer overflow that can be exploited by a local attacker using specially crafted GLIBC_TUNABLES environment variables when launching binaries with Set-UID (SUID) permissions, which could potentially allow the execution of code with elevated privileges. The Qualys Threat Research Unit has been credited with discovering this vulnerability.

This vulnerability has been given a severity score of 7.8, which classifies it as high severity. Exploitation of this flaw could enable an attacker to gain root permission on a Linux system that is running a vulnerable version of GLIBC, specifically version 2.34 or similar.

The issue has been noted to impact major Linux distributions, and organizations that use Linux systems, especially in cloud environments, are advised to patch this vulnerability promptly to mitigate the risks associated with it.

Exploit

To exploit CVE-2023-4911, threat actors would typically follow a sequence of steps that hinge on local access to a vulnerable system. The exploitation process can generally be broken down into the following stages:

  1. Initial Access: First, the attacker needs local access to a system that runs a vulnerable version of the GNU C Library, specifically where ld.so is affected by the buffer overflow. This access could be obtained through various means, such as compromising a low-privileged user account.
  2. Crafting Malicious Input: The attacker crafts a malicious GLIBC_TUNABLES environment variable. This variable is meant to be used for tuning performance and behavior aspects of the GNU C Library, but when crafted maliciously, it can trigger a buffer overflow.
  3. Exploiting the Buffer Overflow: By triggering the buffer overflow, the attacker aims to overwrite certain areas of memory. This could be the stack, the heap, or other memory locations, depending on how the dynamic loader (ld.so) is handling the environment variable.
  4. Injecting Code or Redirecting Execution: The overwritten memory could include the injection of malicious code, or it might alter the execution flow of the process to jump to code that the attacker controls. Typically, this would be shellcode—a small piece of code that launches a shell or another control mechanism.
  5. Elevating Privileges: If the process being exploited has SUID permissions, it runs with the privileges of the owner of the file, often root. By exploiting such a process, the attacker can execute their code with elevated privileges, effectively gaining root access to the system.

Here’s a hypothetical example:

  • Alice is a system administrator for a cloud service provider that uses Linux servers.
  • Bob is a threat actor who has managed to gain access to a low-privileged account on one of the Linux servers due to a weak password.
  • The server runs a version of GLIBC that is vulnerable to CVE-2023-4911.
  • Bob writes a malicious GLIBC_TUNABLES variable and uses it in conjunction with a vulnerable application that has SUID set to run as root.
  • When the application runs, the malicious variable causes a buffer overflow in ld.so, which Bob exploits to redirect the application’s execution flow to his shellcode.
  • Bob’s shellcode is executed with root privileges, giving him full control over the server.
  • Now with root access, Bob could install persistent backdoors, exfiltrate data, or use the compromised server for further attacks.

It’s important to note that exploitation of CVE-2023-4911, like many vulnerabilities, requires specific conditions to be met and often sophisticated knowledge of software internals, memory layout, and exploitation techniques. The exact details of the exploit can vary based on the system’s configuration, the attacker’s goals, and the environment variables involved.

The Aqua Nautilus team documented an attack by the Kinsing malware that exploited CVE-2023-4911 to elevate permissions on a compromised machine. Here’s how they described the exploitation process:

  1. Initial Access: The attackers gained initial access by exploiting a PHPUnit vulnerability (CVE-2017-9841), allowing them to download and execute a Perl script to open a reverse shell on the compromised machine.
  2. Manual Testing: The Kinsing attackers manually tested shell commands on the compromised systems. These commands included gathering system information, starting an interactive shell session, and creating a directory in /tmp.
  3. Downloading Exploits: They downloaded a script named gnu-acme.py, which was an exploit for the Looney Tunables vulnerability (CVE-2023-4911), allowing for local privilege escalation by exploiting a buffer overflow in the handling of the GLIBC_TUNABLES environment variable by ld.so.
  4. Executing Additional Exploits: After this, they fetched and executed an obfuscated PHP exploit, which, upon de-obfuscation, turned out to be JavaScript designed for further exploitative activities. This resulted in a web shell backdoor that allowed them to maintain unauthorized access to the server.

This attack demonstrates the attackers’ sophisticated capabilities in chaining vulnerabilities to penetrate cloud environments, gain unauthorized access, and elevate privileges within the system.

Kinsing aims to gather cloud service provider (CSP) credentials, potentially exposing sensitive data such as the AWS instance identity, which poses risks in cloud environments.

The types of credentials and data that could be exposed include:

  • Temporary Security Credentials
  • IAM Role Credentials
  • Instance Identity Tokens

Mitigation

To mitigate an attack exploiting CVE-2023-4911, you should take the following steps:

  1. Patch the Vulnerability: Update the GNU C Library (glibc) to the latest version that includes a fix for CVE-2023-4911.
  2. Limit Access: Restrict local access to essential personnel and services, minimizing the number of users who can potentially exploit the vulnerability.
  3. Monitor for Suspicious Activity: Implement monitoring tools to detect unusual activity, such as unexpected changes to environment variables or unauthorized processes trying to gain elevated privileges.
  4. Harden Your Environment: Follow best practices for system hardening, such as disabling unnecessary services, closing open ports, and using tools like SELinux or AppArmor for enhanced security.
  5. Regular Security Audits: Conduct regular security audits to identify and remediate misconfigurations or unnecessary privileges that could be exploited.
  6. Use Security Tools: Employ security solutions such as intrusion detection systems, firewalls, and anti-malware tools that can detect and prevent exploitation attempts.
  7. Educate Staff: Train staff to recognize phishing attempts and other forms of social engineering that could lead to local access being compromised.
  8. Incident Response Plan: Have an incident response plan in place that includes procedures for dealing with suspected breaches, including how to contain and eradicate threats.
  9. Backup Regularly: Maintain regular backups of critical data to ensure that you can restore systems to a secure state if necessary.

By following these steps, you can significantly reduce the risk of exploitation and mitigate potential damage from attacks like those involving CVE-2023-4911.

The post Hackers’ new favorite: CVE-2023-4911 targeting Debian, Ubuntu and Fedora servers in the Cloud appeared first on Information Security Newspaper | Hacking News.

The Terrifying Reality of Citrix’s CVE-2023-4966 Vulnerability “Patching can’t help” https://www.securitynewspaper.com/2023/10/18/the-terrifying-reality-of-citrixs-cve-2023-4966-vulnerability-patching-cant-help/ Wed, 18 Oct 2023 22:44:25 +0000

In a digital realm where security forms the bedrock of seamless operations, vulnerabilities act as ticking time bombs, waiting for exploitation. One such critical vulnerability, dubbed CVE-2023-4966, recently surfaced in Citrix NetScaler ADC and Gateway appliances, throwing a multitude of organizations into a state of heightened alert. This article elucidates the essence, impact, and countermeasures surrounding this significant security loophole.

The security glitch, identified as CVE-2023-4966, predominantly pertains to sensitive information disclosure. The appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server to be susceptible to this vulnerability. The core of the issue lies in the Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119), with a CVSS score of 9.4, highlighting its critical nature​.

Real-world Exploitation

Mandiant shed light on the active exploitation of this vulnerability since August, emphasizing the criticality of the situation. The exploitation required no authentication and abused the memory-buffer flaw directly, underscoring the urgency of mitigation measures beyond mere patching.

Countermeasures Undertaken

In a bid to curb the exploitation, Citrix rolled out a patch on October 10, 2023. However, the patch proved to be a half measure, as organizations that had patched their systems continued to face hacks: session tokens stolen before the update remain valid until the active sessions are terminated, so patching alone does not evict an attacker who already holds one. This revelation underscored the necessity for additional actions alongside patching to thoroughly address the vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) further accentuated the need for users and administrators to review the Citrix security bulletins and apply the requisite updates to barricade against potential exploits.

Citrix, on October 10, 2023, disseminated a security bulletin concerning the sensitive information disclosure vulnerability, urging users to take remedial actions. Mandiant identified zero-day exploitation of this vulnerability in the wild, which commenced in late August 2023. Successful exploitation could spell significant security implications, thereby necessitating prompt remedial actions​​.

The vulnerable devices affected by CVE-2023-4966 include:

  1. NetScaler ADC and NetScaler Gateway versions 14.1-8.50 and later releases.
  2. NetScaler ADC and NetScaler Gateway versions 13.1-49.15 and later releases of 13.1.
  3. NetScaler ADC and NetScaler Gateway versions 13.0-92.19 and later releases of 13.0.
  4. NetScaler ADC 13.1-FIPS versions 13.1-37.164 and later releases of 13.1-FIPS​​.

The emergence of CVE-2023-4966 unveils the incessant security challenges beleaguering the digital landscape. The vulnerability not only underscores the imperative for robust security frameworks but also for the proactive identification and remediation of security loopholes. As organizations grapple with this security menace, the collaborative efforts between vendors, cybersecurity agencies, and the user community will be pivotal in fostering a more secure digital ecosystem.

The post The Terrifying Reality of Citrix’s CVE-2023-4966 Vulnerability “Patching can’t help” appeared first on Information Security Newspaper | Hacking News.

Cisco’s Ticking Time Bomb: CVE-2023-20198 with CVSS Score 10 Hits Cisco Devices https://www.securitynewspaper.com/2023/10/16/ciscos-ticking-time-bomb-cve-2023-20198-with-cvss-score-10-hits-cisco-devices/ Mon, 16 Oct 2023 22:55:44 +0000

Cisco IOS XE is a robust and flexible operating system, optimized for the evolving landscape of enterprise networking and technology. It enables model-driven programmability, application hosting, and automated configuration management, thus simplifying many day-to-day tasks. IOS XE is integral in providing consistency across Cisco’s array of switching, routing, and wireless network devices.

The Vulnerability: CVE-2023-20198

A new, critical zero-day vulnerability has emerged, labeled as CVE-2023-20198. This vulnerability, with a maximum severity rating of CVSS 10, predominantly affects devices running the Cisco IOS XE software and is currently without a patch, leaving systems vulnerable to potential exploits. The flaw can be exploited by an unauthenticated attacker to create a user account with the highest privilege level, leading to unauthorized system access.

Exploitation in the Wild

Attackers have already begun exploiting this vulnerability in the wild, utilizing it to deliver malicious implants. Organizations using the affected devices are advised to apply mitigation measures promptly to defend against these exploits.

Affected Devices and Systems

The vulnerability, CVE-2023-20198, affects all Cisco IOS XE devices that have the Web UI feature enabled, especially when exposed to the internet or untrusted networks. To ascertain if a system is vulnerable, administrators should:

  1. Utilize the command show running-config | include ip http server|secure|active to check for the presence of ip http server or ip http secure-server commands in the global configuration.
  2. Inspect the configuration for ip http active-session-modules none or ip http secure-active-session-modules none to determine if the vulnerability is exploitable over HTTP or HTTPS respectively.

Cisco’s Response

Cisco has acknowledged the vulnerability, confirming its presence in devices running the Cisco IOS XE software. The company provided steps to identify affected systems and noted the following Indicators of Compromise (IoCs):

  1. System logs containing messages indicating programmatic configuration by unfamiliar users, such as:
  • %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line.
  • %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address].
  2. System logs containing messages about unknown file installation actions, like:
  • %WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename.
  3. Presence of an implant, checked by issuing the following command from a workstation with access to the affected system:
  • curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"; if a hexadecimal string is returned, the implant is present.
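The configuration checks and IoCs above, turned into offline triage helpers as an added example (this is not Cisco’s or Talos’s code). It assumes the show running-config output, a syslog export and the body of the curl probe response have already been saved as text; the “active-session-modules none” lines are treated as disabling the web UI on that transport, as Cisco’s guidance states, and the hostnames, usernames and log lines are constructed.

```python
"""Offline triage for the CVE-2023-20198 checks (added example; not Cisco's code).

Assumptions: the `show running-config` output, a syslog export and the body of
the curl probe response have already been saved as text. Device names, users
and log lines below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class WebUiExposure:
    http: bool   # web UI reachable over HTTP, so exploitable over HTTP
    https: bool  # web UI reachable over HTTPS, so exploitable over HTTPS


def web_ui_exposure(running_config: str) -> WebUiExposure:
    """Apply the two configuration checks.

    `ip http server` / `ip http secure-server` enable the web UI over HTTP / HTTPS.
    Per Cisco's guidance, the matching `... active-session-modules none` line
    disables the web UI on that transport, so it is not exploitable there.
    Exact line matching keeps `no ip http server` from counting as enabled.
    """
    lines = {ln.strip() for ln in running_config.splitlines()}
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    return WebUiExposure(
        http=http_on and "ip http active-session-modules none" not in lines,
        https=https_on and "ip http secure-active-session-modules none" not in lines,
    )


# The three log messages from the advisory, with the variable fields captured.
IOC_PATTERNS = {
    "config_p_webui": re.compile(
        r"%SYS-5-CONFIG_P: Configured programmatically by process "
        r"SEP_webui_wsma_http from console as (?P<user>\S+) on line"),
    "weblogin_success": re.compile(
        r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
        r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"),
    "install_operation": re.compile(
        r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), "
        r"Install Operation: ADD (?P<file>\S+)"),
}


def scan_syslog(log_text: str, known_users: set[str]) -> list[dict]:
    """Return one finding per IoC line whose user is not an expected account."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for name, pattern in IOC_PATTERNS.items():
            m = pattern.search(line)
            if m and m.group("user") not in known_users:
                findings.append({"line": lineno, "ioc": name, **m.groupdict()})
    return findings


HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def implant_present(probe_response_body: str) -> bool:
    """The logoutconfirm probe returns a bare hexadecimal string when the implant
    answers; a clean device returns the normal HTML page (or nothing)."""
    return bool(HEX_RE.match(probe_response_body.strip()))


# Constructed samples: HTTP web UI on, HTTPS web UI disabled via the `none` module line.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
ip http server
ip http secure-server
ip http secure-active-session-modules none
"""

# Constructed syslog lines: one legitimate login, then the three IoC messages for an unknown user.
SAMPLE_SYSLOG = """\
Oct 16 09:14:02 edge-rtr-1 12345: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5]
Oct 16 09:20:41 edge-rtr-1 12346: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: unexpected_user] [Source: 198.51.100.23]
Oct 16 09:20:43 edge-rtr-1 12347: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as unexpected_user on line
Oct 16 09:21:10 edge-rtr-1 12348: %WEBUI-6-INSTALL_OPERATION_INFO: User: unexpected_user, Install Operation: ADD example_implant.bin
"""

if __name__ == "__main__":
    print(web_ui_exposure(SAMPLE_CONFIG))
    for finding in scan_syslog(SAMPLE_SYSLOG, known_users={"netops"}):
        print(finding)
    print("implant:", implant_present("0123456789abcdef01"))
```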

Cisco, alongside other cybersecurity firms like Tenable, has provided plugins to identify affected systems. While awaiting a patch, these plugins and the aforementioned checks can assist in identifying and mitigating unauthorized access attempts.

CVE-2023-20198 poses a significant threat to cybersecurity due to its maximum severity rating and the absence of a patch. Organizations using affected Cisco IOS XE devices should remain vigilant and apply necessary mitigation measures to safeguard their systems from potential exploits.

The post Cisco’s Ticking Time Bomb: CVE-2023-20198 with CVSS Score 10 Hits Cisco Devices appeared first on Information Security Newspaper | Hacking News.

How Google Chrome Vulnerability can Put Millions of Users in Danger – Safeguard Your Data Now! https://www.securitynewspaper.com/2023/10/12/how-google-chrome-vulnerability-can-put-millions-of-users-in-danger-safeguard-your-data-now/ Thu, 12 Oct 2023 16:44:38 +0000

In-depth Analysis: Navigating the Perils of CVE-2023-5218 in Google Chrome

The digital realm, while offering boundless possibilities, is also a fertile ground for myriad cybersecurity threats. One such peril that has recently come to light is the Use-After-Free vulnerability in Google Chrome, specifically identified as CVE-2023-5218. This vulnerability not only poses a significant threat to user data and system integrity but also opens a Pandora’s box of potential cyber-attacks and exploitations.

Unraveling the Use-After-Free Vulnerability

The Use-After-Free vulnerability is a type of cybersecurity flaw that surfaces when a program continues to utilize memory space after it has been freed or deleted. This flaw allows attackers to execute arbitrary code or potentially gain unauthorized access to a system. CVE-2023-5218, identified within Google Chrome, was noted to be potentially exploitable to perform such malicious actions, thereby putting users’ data and privacy at substantial risk.

Timeline and Discovery

CVE-2023-5218 was unveiled to the public through various cybersecurity platforms and researchers who detected unusual activities and potential exploitation trails leading back to this particular flaw. This vulnerability was identified to be present in a specific Chrome component, prompting Google to release a flurry of updates and patches to mitigate the associated risks.

The Exploit Mechanics

Exploiting CVE-2023-5218 allows attackers to manipulate the aforementioned ‘freed’ memory space, enabling them to execute arbitrary code within the context of the affected application. In the context of Chrome, this could potentially allow attackers unauthorized access to sensitive user data, such as saved passwords or personal information, or even navigate the browser to malware-laden websites without user consent.

The Potential Impact

The exploitation of CVE-2023-5218 could have a multifold impact:

  • Data Theft: Sensitive user data, including login credentials, personal information, and financial details, could be compromised.
  • System Control: Attackers could gain control over the affected system, using it to launch further attacks or for other malicious purposes.
  • Malware Spread: By redirecting browsers to malicious websites, malware could be injected into users’ systems, further expanding the impact of the attack.

Technical Insights into CVE-2023-5218

  • Vulnerability Class: Use After Free
  • Impact: Confidentiality, Integrity, and Availability
  • Disclosure Date: 10/11/2023
  • Advisory: Chrome Releases Blog

Technical Synopsis

The vulnerability is rooted in the improper handling of memory in the Site Isolation component of Google Chrome. The flaw arises from referencing memory after it has been freed, which can lead to program crashes, use of unexpected values, or arbitrary code execution. It is classified under CWE-416 (Use After Free) and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer).

Mitigation and Countermeasures

The primary mitigation strategy recommended is upgrading to Google Chrome version 118.0.5993.70, which eliminates this vulnerability. However, considering the potential risks associated with such vulnerabilities, organizations and individual users are advised to:

  • Regularly update and patch software to safeguard against known vulnerabilities.
  • Employ robust cybersecurity practices, including using security software and adhering to safe browsing practices.
  • Educate users on recognizing and avoiding potential phishing attempts or malicious sites that might exploit such vulnerabilities.

Conclusion

The identification and subsequent mitigation of CVE-2023-5218 underscore the perpetual battle between cybersecurity professionals and cyber adversaries. While this vulnerability has been addressed in the latest Chrome update, it serves as a potent reminder of the criticality of maintaining up-to-date systems and employing prudent cybersecurity practices. As we navigate through the digital era, the complexity and sophistication of cyber threats continue to evolve, making vigilance and preparedness crucial in ensuring secure digital interactions.

The post How Google Chrome Vulnerability can Put Millions of Users in Danger – Safeguard Your Data Now! appeared first on Information Security Newspaper | Hacking News.

Hacking Debian 12, 13, Ubuntu 22.04, 23.04 & Fedora 37, 38 servers using a single vulnerability https://www.securitynewspaper.com/2023/10/04/hacking-debian-12-13-ubuntu-22-04-23-04-fedora-37-38-servers-using-a-single-vulnerability/ Wed, 04 Oct 2023 18:58:34 +0000

The team at Qualys Threat Research Unit has unveiled a fresh vulnerability within the Linux operating system, allowing local attackers to escalate their access level to root privileges. This escalation is made possible by exploiting a buffer overflow weakness located in the GNU C Library’s ld.so dynamic loader. Assigned the identification CVE-2023-4911 and nicknamed “Looney Tunables,” this vulnerability is recognized as high-risk with a CVSS score of 7.8, signifying its high severity.

“Looney Tunables” allows bad actors to exploit a buffer overflow within the ld.so dynamic loader of the GNU C Library (glibc). This exploitation path provides local attackers with a mechanism to elevate their privileges to root level, thereby gaining unparalleled access and control over the system. Given that root privileges allow complete control over a system, attackers can execute a variety of malicious activities, from accessing sensitive information to altering system settings and functionalities, underscoring the critical nature of this security flaw.

The GNU C Library, or glibc, is fundamentally integral to the operation of the majority of systems based on the Linux kernel. It provides the standard C functions and system-call wrappers that programs rely on, from elementary ones like open, malloc, and printf to process control such as exit, serving as the operational backbone for these systems. As such, glibc plays a pivotal role in the functionality and performance of Linux-based systems, making any vulnerability within this library particularly concerning for system administrators and users alike.

Within glibc, the ld.so dynamic loader is an element of paramount importance. This component is tasked with the significant responsibility of initializing and running programs on Linux systems that rely on glibc for their operation. Its role is crucial as it ensures the smooth execution of various applications and services on a Linux system, making it an indispensable part of the operating environment. Given its central function, any vulnerability within the ld.so dynamic loader is a matter of serious concern as it could potentially compromise the security and stability of a wide range of systems.

In light of the discovery of “Looney Tunables”, it is imperative for organizations and users utilizing Linux-based systems to acknowledge and address this security vulnerability swiftly to safeguard their systems against potential exploits. Immediate mitigation steps, including the application of security patches and updates, should be undertaken to protect systems from the risks associated with this high-severity vulnerability. Users and administrators should stay vigilant and monitor any security advisories and updates issued by the Linux community and cybersecurity experts to ensure timely and effective protection against this newly identified threat.

Furthermore, it would be prudent for organizations to adopt and enforce a set of security best practices. These might include the regular updating and patching of systems, the use of reliable security solutions, conducting cybersecurity awareness and training programs for employees, and implementing network segmentation strategies. These proactive measures can significantly enhance the security posture of an organization, providing robust defense mechanisms against “Looney Tunables” and other similar security threats that might emerge in the future.

The security flaw sits in the GNU C Library’s ld.so dynamic loader, specifically in its processing of the ‘GLIBC_TUNABLES’ environment variable. Put simply, a local attacker who crafts the contents of ‘GLIBC_TUNABLES’ and then launches a binary that has the SUID bit set can trigger the overflow in the loader and execute code with that binary’s elevated privileges.

This vulnerability was discovered by the Qualys Threat Research Unit. Tracing its origin, the flaw was introduced in April 2021 by a commit that shipped in glibc version 2.34. Ironically, that commit was made with the intention of improving security, by correcting the behavior of SXID_ERASE in setuid applications.

It is important to keep in mind that attackers with only the most basic local privileges are able to take advantage of this severe gap. Because of their simplicity, and because they require no interaction from any other user, these attacks are particularly alarming.

There is a solution available for those who are unable to update their software promptly and do not have the Secure Boot capability. A SystemTap script has been made available, and once it is enabled, it will immediately stop any setuid application that has been launched with the ‘GLIBC_TUNABLES’ environment variable present. To securely call the setuid program thereafter, one just has to unset or remove the ‘GLIBC_TUNABLES’ environment variable, for instance by executing the command ‘GLIBC_TUNABLES= sudo’.

According to Saeed Abbasi, who is the Product Manager at Qualys’ Threat Research Unit, “Our successful exploitation, leading to full root privileges on major distributions like Fedora, Ubuntu, and Debian, underscores the profound and ubiquitous nature of this vulnerability.”

While the Qualys team has indicated that it will not release its exploit code at this time, the inherent simplicity of transforming the buffer overflow into a data-only attack suggests that other research teams may soon take up the challenge.

Systems running Debian 12 and 13, Ubuntu 22.04 and 23.04, or Fedora 37 and 38 are vulnerable to the CVE-2023-4911 flaw and should be patched as a matter of urgency. The extent of the possible harm could be enormous due to the widespread use of the glibc library across Linux distributions. Distributions such as Alpine Linux, which use the musl libc library instead of glibc, are not affected by this flaw.

The post Hacking Debian 12, 13, Ubuntu 22.04, 23.04 & Fedora 37, 38 servers using a single vulnerability appeared first on Information Security Newspaper | Hacking News.

Zero day vulnerabilities in Qualcomm chips allow hacking into billion mobile phones in world https://www.securitynewspaper.com/2023/10/03/zero-day-vulnerabilities-in-qualcomm-chips-allow-hacking-into-billion-mobile-phones-in-world/ Tue, 03 Oct 2023 19:18:01 +0000

Qualcomm recently issued warnings about three zero-day vulnerabilities within its GPU and Compute DSP drivers that are currently being exploited by hackers. These warnings were initiated based on information received from Google’s Threat Analysis Group (TAG) and Project Zero teams. According to their reports, there is limited but targeted exploitation of vulnerabilities identified as CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063.

In response to these imminent threats, Qualcomm has rolled out security updates designed to rectify the issues present within its Adreno GPU and Compute DSP drivers. The company has promptly communicated this information to the affected Original Equipment Manufacturers (OEMs), urging them to implement these security updates without delay.

One of the significant flaws, CVE-2022-22071, which was initially disclosed in May 2022, is categorized as a high-severity issue, with a CVSS v3.1 score of 8.4. This vulnerability is a use-after-free bug that can be exploited locally and affects widely-used chips, including the SD855, SD865 5G, and SD888 5G.

However, Qualcomm has opted to remain tight-lipped regarding the details of the other actively exploited vulnerabilities, namely CVE-2023-33106, CVE-2022-22071, and CVE-2023-33063. Further information on these vulnerabilities is expected to be disclosed in the company’s security bulletin scheduled for December 2023.

In addition to these, Qualcomm’s recent security bulletin also shed light on three other critical vulnerabilities, each with severe implications:

  • CVE-2023-24855 involves memory corruption within Qualcomm’s Modem component. This occurs when processing security-related configurations prior to the AS Security Exchange and has a CVSS v3.1 score of 9.8.
  • CVE-2023-28540 relates to a cryptographic issue within the Data Modem component, resulting from insufficient authentication processes during TLS handshakes, with a CVSS v3.1 score of 9.1.
  • CVE-2023-33028 involves memory corruption in the WLAN firmware which occurs during the copying of pmk cache memory without conducting necessary size checks, and it holds a CVSS v3.1 score of 9.8.

In light of these findings, Qualcomm disclosed an additional 13 high-severity flaws along with three more vulnerabilities classified as critical, all of which were identified by the company’s engineers. In total, Qualcomm has released updates to address 17 vulnerabilities across various components while highlighting that three zero-day vulnerabilities are currently being actively exploited.

Of these identified vulnerabilities, three have been classified as critical, 13 are high-severity, and one is medium-severity. Qualcomm’s advisory noted: “There are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation.”

To safeguard against these vulnerabilities, patches for issues in the Adreno GPU and Compute DSP drivers have been issued and are readily available. OEMs have been duly notified and strongly urged to deploy these security patches at the earliest convenience to prevent potential exploitation.

Users of Qualcomm products are advised to stay vigilant and apply updates provided by OEMs as soon as they are released to ensure their devices are protected from these vulnerabilities. This proactive approach to device security is crucial in mitigating the risk of exploitation and maintaining the integrity and functionality of devices that play a pivotal role in various technological applications.

The post Zero day vulnerabilities in Qualcomm chips allow hacking into billion mobile phones in world appeared first on Information Security Newspaper | Hacking News.

Hacking Cisco Routers firmware and replacing it with a malicious firmware using this flaw https://www.securitynewspaper.com/2023/09/28/hacking-cisco-routers-firmware-and-replacing-it-with-a-malicious-firmware-using-this-flaw/ Thu, 28 Sep 2023 17:28:21 +0000

A notorious threat actor with presumed ties to the Chinese government, known as “BlackTech”, has reportedly been exploiting Cisco routers to infiltrate major corporations in the United States and Japan, according to cybersecurity experts. Using various aliases like Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda, BlackTech has stealthily replaced original device firmware with malicious counterparts.

By infiltrating these Cisco routers, BlackTech successfully gains consistent access and leverage within organizations, allowing them to navigate from smaller international subsidiaries to the main headquarters. Targets of these quiet cyber-attacks have been varied, including governmental bodies, industrial complexes, and companies within the technology, media, electronics, and telecommunications fields, among others. Notably, some of the affected entities are known to provide support to the U.S. and Japanese military forces.

A collective cybersecurity advisory released by the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), along with Japanese national police and cybersecurity agencies, alerted the public to these activities. However, the advisory didn’t specify particular vulnerabilities in Cisco routers but noted that the observed tactics, techniques, and procedures (TTPs) are not exclusive to Cisco products, suggesting that similar strategies could compromise other network equipment as well.

Tom Pace, a former Department of Energy cyber head who now leads NetRise, indicated that these incidents highlight broader challenges in securing edge devices. He argued that regardless of the manufacturer—be it Cisco, Juniper, Huawei, or Arista—the same security issues seem to persist across the board.

Since its inception around 2010, BlackTech has been actively involved in compromising Cisco routers and stealing intellectual property. The group is known for its deployment of twelve distinct custom malware families, designed to penetrate Windows, Linux, and FreeBSD operating systems. These malware appear legitimate due to code-signing certificates and are regularly updated to avoid detection by antivirus programs.

Once embedded within a target’s networks, the group employs tools that allow it to stealthily avoid endpoint detection, including NetCat shells, Secure Shell Protocol (SSH), and Remote Desktop Protocol (RDP). BlackTech’s primary objective is to acquire administrator privileges over vulnerable network routers, which sets it apart from other threat actors in the field.

The group typically targets routers located at smaller, remote branches of larger corporations where security protocols may not be as stringent. By controlling these routers, BlackTech not only carries out its malicious activities undetected but also blends into the organization’s main IT network, potentially accessing other systems and victims within the target organization.

In an effort to gain and maintain control over routers, while simultaneously hiding its malicious endeavors, the group known as BlackTech executes a sophisticated downgrade attack.

This operation commences with the installation of an outdated version of the router’s firmware. Cisco permits individuals possessing specific privileges on the device to revert the operating system image and firmware to a previous version. The ability to downgrade the firmware is crucial for the attackers to persistently embed themselves in the system. For the attackers to ensure their sustained presence and to alter the firmware image so that it delivers harmful code onto the device, an authentication bypass vulnerability is required. Although the joint advisory did not mention particular vulnerabilities exploited, experts referred to CVE-2023-20082. This vulnerability, identified in Cisco Catalyst switches, carries a medium-risk score of 6.8 on the Common Vulnerability Scoring System (CVSS) and serves as an illustrative example of the potential weaknesses exploited.

Following the initial step of the downgrade attack, BlackTech proceeds to implement “hot patches” on the antiquated firmware residing in the device’s memory. This delicate operation entails modifications to the old firmware without necessitating a system shutdown or reboot. Through this technique, the group adeptly facilitates the installation of a bootloader and subsequently implants its malicious firmware, which is intricately designed with a built-in Secure Shell (SSH) backdoor. This stealthy backdoor grants the group unfettered access to the compromised devices.

Consider finding yourself working on a computer where a malicious actor has stealthily substituted your entire Windows operating system, and it’s done so imperceptibly. Quite a startling scenario to contemplate, isn’t it?

To mitigate the risks posed by BlackTech’s tactics, companies are advised to monitor connections with network devices, review firmware changes, and maintain robust password policies. However, we believe that these measures are merely superficial solutions to deeper, systemic issues in edge security. This view calls for a significant enhancement in the security measures implemented by device manufacturers, or a substantial investment by customers in this traditionally neglected area, to prevent the recurrence of such incidents in the future. Without such steps, the industry is likely to witness similar stories unfolding over the next decade or even longer.
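As an added example (not from the advisory or the article), the “review firmware changes” step above can be made concrete: a baseline of each router’s expected IOS version and image hash is compared against freshly captured “show version” and “verify /md5” output, and any version rollback or image hash change is raised as a finding. Hostnames, versions and md5 values below are constructed sample data, and the version ordering is a heuristic over the numeric parts of the version string.

```python
# Added example (not from the advisory or the article): compare a fleet baseline
# with fresh "show version" / "verify /md5" output and flag downgrades or image
# hash changes. All hostnames, versions and md5 values below are constructed.
import re
from typing import NamedTuple

VERSION_RE = re.compile(r"Version\s+([0-9][\w.()]*)")   # e.g. "Version 15.2(4)M7,"
MD5_RE = re.compile(r"=\s*([0-9a-fA-F]{32})\b")          # "verify /md5 (...) = <hex>"

class Finding(NamedTuple):
    host: str
    kind: str    # DOWNGRADE, IMAGE_HASH_MISMATCH or UNPARSEABLE
    detail: str

def version_key(version: str) -> tuple:
    """Heuristic ordering key: every digit run in order. '15.2(4)M7' -> (15, 2, 4, 7)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def parse_device_output(text: str) -> dict:
    """Extract the running version and image md5 from captured CLI output."""
    ver, md5 = VERSION_RE.search(text), MD5_RE.search(text)
    return {"version": ver.group(1) if ver else None,
            "image_md5": md5.group(1).lower() if md5 else None}

def audit(baseline: dict, observed: dict) -> list:
    """One pass over every baselined host; missing or garbled output is itself a finding."""
    findings = []
    for host, expected in baseline.items():
        got = parse_device_output(observed.get(host, ""))
        if got["version"] is None or got["image_md5"] is None:
            findings.append(Finding(host, "UNPARSEABLE", "could not read version/md5"))
            continue
        if version_key(got["version"]) < version_key(expected["version"]):
            findings.append(Finding(host, "DOWNGRADE", f"{expected['version']} -> {got['version']}"))
        if got["image_md5"] != expected["image_md5"].lower():
            findings.append(Finding(host, "IMAGE_HASH_MISMATCH", got["image_md5"]))
    return findings

BASELINE = {  # constructed: last known-good state per router
    "branch-rtr-01": {"version": "15.2(4)M7", "image_md5": "0f" * 16},
    "branch-rtr-02": {"version": "15.2(4)M7", "image_md5": "0f" * 16},
}
OBSERVED = {  # constructed CLI excerpts; rtr-01 was rolled back and re-imaged
    "branch-rtr-01": "Cisco IOS Software, Version 15.2(4)M3, RELEASE SOFTWARE (fc1)\n"
                     "verify /md5 (flash:image.bin) = " + "ab" * 16,
    "branch-rtr-02": "Cisco IOS Software, Version 15.2(4)M7, RELEASE SOFTWARE (fc1)\n"
                     "verify /md5 (flash:image.bin) = " + "0f" * 16,
}
```

Running `audit(BASELINE, OBSERVED)` reports a downgrade and an image hash mismatch for branch-rtr-01 and nothing for branch-rtr-02; a host that returns no parseable output is reported rather than silently skipped.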

The post Hacking Cisco Routers firmware and replacing it with a malicious firmware using this flaw appeared first on Information Security Newspaper | Hacking News.

This zero-day vulnerability could be used to hack into iPhone, Android, Chrome and many other software https://www.securitynewspaper.com/2023/09/27/this-zero-day-vulnerability-could-you-used-to-hack-into-iphone-android-chrome-and-many-other-software/ Wed, 27 Sep 2023 18:32:49 +0000
Google has designated a brand new CVE number for a major security vulnerability discovered in the libwebp image library, which is used for displaying pictures in the WebP format. The flaw has been exploited in the wild by malicious users. A security update from Google addressed the vulnerability in Google Chrome for Windows, macOS, and Linux. The flaw has been assigned the CVE ID CVE-2023-4863 and rated with a severity of 8.8 (High).

As a result of the analysis of the vulnerability, it was found that the libwebp library included a heap buffer overflow vulnerability. This vulnerability allows a threat actor to conduct an out-of-bounds memory write by using a crafted HTML page to trigger the issue.

However, Google has since reported this vulnerability a second time, and it is now also tracked as CVE-2023-5129. Further investigation showed that the vulnerability known as CVE-2023-41064 also affected the same libwebp library. This came after Apple, Google, and Mozilla shipped fixes for a flaw that may enable arbitrary code execution when processing a carefully crafted image, a bug tracked separately as CVE-2023-41064 and CVE-2023-4863. The execution of arbitrary code might lead to a security breach. It is likely that both identifiers describe fixes for the same fundamental issue in the library. According to the Citizen Lab, CVE-2023-41064 was chained with CVE-2023-41061 in a zero-click iMessage attack chain termed BLASTPASS to deliver the mercenary malware known as Pegasus. At this time, we do not have access to any other technical specifics.

But the choice to “wrongly scope” CVE-2023-4863 as a vulnerability in Google Chrome obscured the reality that it also affects practically every other program that depends on the libwebp library to handle WebP pictures, so its impact is far wider than was originally supposed. CVE-2023-4863 was reported by Google security researchers.

An investigation carried out by Rezilion over the last week has uncovered a comprehensive list of frequently used software programs, code libraries, frameworks, and operating systems that are susceptible to the CVE-2023-4863 vulnerability.

Additionally, the same security researcher reported both CVE-2023-41064 and CVE-2023-4863. This indicates that the researcher brought the issue to the attention of both firms, which led to the creation of two distinct CVEs.

The post This zero-day vulnerability could be used to hack into iPhone, Android, Chrome and many other software appeared first on Information Security Newspaper | Hacking News.
