Showing results for tags 'vulnerabilities'.

  1. Adobe issues security updates for 41 vulnerabilities in 10 products

     Adobe has released a giant Patch Tuesday security update release that fixes vulnerabilities in ten applications, including Adobe Acrobat, Reader, and Photoshop.

     The complete list of Adobe products receiving security updates today and the number of fixed vulnerabilities are below:

       • APSB21-36 | Adobe Connect: 1 Important vulnerability was fixed.
       • APSB21-37 | Adobe Acrobat and Reader: 5 Critical vulnerabilities were fixed.
       • APSB21-38 | Adobe Photoshop: 2 Critical vulnerabilities were fixed.
       • APSB21-39 | Adobe Experience Manager: 3 Important and 1 Moderate vulnerabilities were fixed.
       • APSB21-41 | Adobe Creative Cloud Desktop Application: 1 Critical and 1 Important vulnerability were fixed.
       • APSB21-44 | Adobe RoboHelp Server: 1 Critical vulnerability was fixed.
       • APSB21-46 | Adobe Photoshop Elements: 1 Important vulnerability was fixed.
       • APSB21-47 | Adobe Premiere Elements: 1 Important vulnerability was fixed.
       • APSB21-49 | Adobe After Effects: 8 Critical, 7 Important, and 1 Moderate vulnerabilities were fixed.
       • APSB21-50 | Adobe Animate: 4 Critical, 3 Important, and 1 Moderate vulnerabilities were fixed.

     In total, there were 41 vulnerabilities fixed. Out of all the Adobe security updates released today, Adobe After Effects had the most fixes, with 16 vulnerabilities.

     Install updates immediately

     While there were no known actively exploited zero-day vulnerabilities, Adobe advises customers to update to the latest versions as soon as possible. This urgency is because threat actors can compare older versions of the software with the patched versions to determine what code is vulnerable and create exploits to target these vulnerabilities.

     In most cases, users can update their software by using the auto-update feature of the product using the following steps:

       • By going to Help > Check for Updates.
       • The full update installers can be downloaded from Adobe's Download Center.
       • Let the products update automatically, without requiring user intervention, when updates are detected.

     If the new update is not available via autoupdate, you can check the security bulletins linked above for the latest download links.

     Source: Adobe issues security updates for 41 vulnerabilities in 10 products
  2. Tens of Thousands of VoIP Devices From Around the Globe Are Publicly Exposed

     There’s a large number of public-facing VoIP/SIP devices that are easy to discover, evaluate, and target. Many of these devices are vulnerable to multiple known and disclosed CVEs, and some are over a decade old. These VoIP devices should be properly secured and masked, ideally replaced with a new model if no longer supported.

     Researchers at CyberNews have scanned and found at least 38,335 public-facing VoIP/SIP devices on the net, many of which carry severe vulnerabilities. The majority of those are based in the United States, which accounts for approximately one-fourth of the total number of publicly exposed devices. Significant numbers are also found in the United Kingdom, Canada, Russia, Italy, Australia, and the Netherlands.

     Source: CyberNews

     VoIP/SIP devices are supposed to be connected to the internet, of course, as they need to provide internet telephony services to their users. However, publicly declaring them as phones is problematic because it automatically makes them a target. In the worst-case scenario, a malicious actor would explore the existence of potential vulnerabilities and use the device as a pivoting point into more valuable systems in the network. In the best case, you may have to deal with SIP server hijacking and crooks making money at your expense.

     Source: CyberNews

     As the CyberNews report details, many of those exposed devices are pretty old, some having been released ten years ago or more. In fact, most of the public-facing devices were made by Aastra Technologies, a company that Mitel Networks acquired in 2013. Then, there are over seven thousand devices made by the Chinese Yealink, six thousand made by Plantronics, and five thousand made by Cisco.

     Source: CyberNews

     Cisco, for example, has the biggest number of recorded vulnerabilities, counting 178 – four of which are recent. This large number is the result of Cisco’s vigilant security research, and it doesn’t mean the devices of other manufacturers are safer. On the contrary, it is possible that they are systematically zero-dayed by hackers and the victims don’t ever get to learn about it.

     If you are using a VoIP/SIP device, make sure to use strong passwords, enable NAT as an additional layer of protection, set your firewall to shut port 80, disable the web configuration interface, and only enable it when needed to use it. If your device is old and no longer supported by the manufacturer, you should replace it with a new one. In that case, take the old devices for electronics recycling and don’t try to resell them.

     Source: Tens of Thousands of VoIP Devices From Around the Globe Are Publicly Exposed
  3. All Wi-Fi devices impacted by new FragAttacks vulnerabilities

     Newly discovered Wi-Fi security vulnerabilities collectively known as FragAttacks (fragmentation and aggregation attacks) are impacting all Wi-Fi devices (including computers, smartphones, and smart devices) going back as far as 1997.

     Three of these bugs are Wi-Fi 802.11 standard design flaws in the frame aggregation and frame fragmentation functionalities affecting most devices, while others are programming mistakes in Wi-Fi products.

     "Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities," security researcher Mathy Vanhoef (New York University Abu Dhabi), who discovered the FragAttacks bugs, said.

     "The discovered vulnerabilities affect all modern security protocols of Wi-Fi, including the latest WPA3 specification. Even the original security protocol of Wi-Fi, called WEP, is affected.

     "This means that several of the newly discovered design flaws have been part of Wi-Fi since its release in 1997!" Vanhoef added.

     Attackers abusing these design and implementation flaws have to be in the Wi-Fi range of targeted devices to steal sensitive user data and execute malicious code following successful exploitation, potentially leading to full device takeover.

     FragAttacks vulnerabilities' impact

     Luckily, as Vanhoef further found, "the design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings."

     However, the programming mistakes behind some of the FragAttacks vulnerabilities are trivial to exploit and would allow attackers to abuse unpatched Wi-Fi products with ease.

     FragAttacks CVEs associated with Wi-Fi design flaws include:

       • CVE-2020-24588: aggregation attack (accepting non-SPP A-MSDU frames).
       • CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys).
       • CVE-2020-24586: fragment cache attack (not clearing fragments from memory when (re)connecting to a network).

     Wi-Fi implementation vulnerabilities were assigned the following CVEs:

       • CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
       • CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
       • CVE-2020-26140: Accepting plaintext data frames in a protected network.
       • CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.

     Other implementation flaws discovered by Vanhoef include:

       • CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
       • CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
       • CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
       • CVE-2020-26142: Processing fragmented frames as full frames.
       • CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.

     The researcher also made a video demo demonstrating how attackers could take over an unpatched Windows 7 system inside a target's local network.

     Security updates already released by some vendors

     The Industry Consortium for Advancement of Security on the Internet (ICASI) says that vendors are developing patches for their products to mitigate the FragAttacks bugs.

     Cisco Systems, HPE/Aruba Networks, Juniper Networks, Sierra Wireless, and Microsoft [1, 2, 3] have already published FragAttacks security updates and advisories.

     These security updates have been prepared during a 9-month-long coordinated disclosure process supervised by ICASI and the Wi-Fi Alliance.

     "There is no evidence of the vulnerabilities being used against Wi-Fi users maliciously, and these issues are mitigated through routine device updates that enable detection of suspect transmissions or improve adherence to recommended security implementation practices," the Wi-Fi Alliance said.

     "As always, Wi-Fi users should ensure they have installed the latest recommended updates from device manufacturers."

     FragAttacks mitigation

     If your device vendor hasn't yet released security updates addressing the FragAttacks bugs, you can still mitigate some of the attacks.

     This can be done by ensuring that all websites and online services you visit use the Hypertext Transfer Protocol Secure (HTTPS) protocol (by installing the HTTPS Everywhere web browser extension, for instance).

     Additional mitigation advice available on the FragAttacks website suggests "disabling fragmentation, disabling pairwise rekeys, and disabling dynamic fragmentation in Wi-Fi 6 (802.11ax) devices."

     An open-source tool to determine if access points and Wi-Fi clients on your network are affected by the FragAttacks flaws is also available on GitHub.

     FragAttacks technical details are available in Vanhoef's "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation" research paper.

     During the last four years, Vanhoef also discovered the KRACK and Dragonblood attacks allowing attackers to observe the encrypted network traffic exchanged between connected Wi-Fi devices, crack Wi-Fi network passwords, forge web traffic by injecting malicious packets and steal sensitive information.

     Source: All Wi-Fi devices impacted by new FragAttacks vulnerabilities
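The CVE list in the post above reads as a checklist of what a receiver's fragment reassembly must refuse. The following is an added example, not code from the article or from Vanhoef's tooling: a small model of a defensive reassembler whose fields (sequence number, fragment number, More Fragments flag, packet number, decryption key id) are a constructed abstraction of an 802.11 MPDU, so the policy can be exercised offline. It enforces the checks the listed CVEs describe: no plaintext frames in a protected network, no reassembly across different keys, consecutive packet numbers within one frame, no lone fragment treated as a full frame, and a fragment cache that is cleared on (re)connection.

```python
"""Model of a fragment reassembler that enforces the checks FragAttacks found missing.

Added example, not code from the article or from Vanhoef's tooling. The frame
fields are a constructed abstraction of an 802.11 MPDU so the policy runs
offline; nothing here talks to a real Wi-Fi driver.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Fragment:
    src: str                 # transmitter address (constructed)
    seq: int                 # sequence number shared by all fragments of one frame
    frag_no: int             # fragment index, 0-based
    more_frags: bool         # More Fragments flag
    pn: int                  # packet number from the CCMP/GCMP header
    key_id: Optional[str]    # key the fragment decrypted under; None = plaintext
    payload: bytes


@dataclass
class Reassembler:
    protected: bool = True   # the network is encrypted (WPA2/WPA3)
    pending: Dict[Tuple[str, int], List[Fragment]] = field(default_factory=dict)
    rejected: List[str] = field(default_factory=list)

    def on_reconnect(self) -> None:
        # CVE-2020-24586: stale fragments must not survive a (re)connection.
        self.pending.clear()

    def _reject(self, frag: Fragment, reason: str) -> None:
        self.rejected.append(f"seq={frag.seq} frag={frag.frag_no}: {reason}")
        self.pending.pop((frag.src, frag.seq), None)

    def accept(self, frag: Fragment) -> Optional[bytes]:
        """Return the reassembled frame when complete, else None."""
        # CVE-2020-26140/26143/26145: no plaintext (fragments) in a protected network.
        if self.protected and frag.key_id is None:
            self._reject(frag, "plaintext frame in protected network")
            return None

        slot = (frag.src, frag.seq)
        if frag.frag_no == 0:
            # Unfragmented frame: deliver directly, discarding any stale partial.
            if not frag.more_frags:
                self.pending.pop(slot, None)
                return frag.payload
            self.pending[slot] = [frag]
            return None

        # CVE-2020-26142: a non-first fragment is never a full frame on its own.
        buf = self.pending.get(slot)
        if buf is None:
            self._reject(frag, "fragment without a first fragment")
            return None
        prev = buf[-1]
        if frag.frag_no != prev.frag_no + 1:
            self._reject(frag, "non-consecutive fragment number")
            return None
        # CVE-2020-26146: packet numbers of one frame must be consecutive.
        if frag.pn != prev.pn + 1:
            self._reject(frag, "non-consecutive packet number")
            return None
        # CVE-2020-24587 / CVE-2020-26147: never mix keys (or plaintext and ciphertext).
        if frag.key_id != prev.key_id:
            self._reject(frag, "fragments encrypted under different keys")
            return None

        buf.append(frag)
        if frag.more_frags:
            return None
        del self.pending[slot]
        return b"".join(f.payload for f in buf)


def run_demo() -> dict:
    """Feed constructed fragment sequences through the policy and collect the outcomes."""
    r = Reassembler(protected=True)
    out = {}
    # Well-formed two-fragment frame: same key, consecutive packet numbers.
    r.accept(Fragment("ap", 1, 0, True, 10, "ptk-1", b"hello "))
    out["ok"] = r.accept(Fragment("ap", 1, 1, False, 11, "ptk-1", b"world"))
    # Second fragment decrypted under a different key (mixed key case).
    r.accept(Fragment("ap", 2, 0, True, 20, "ptk-1", b"A"))
    out["mixed_key"] = r.accept(Fragment("ap", 2, 1, False, 21, "ptk-2", b"B"))
    # Gap in packet numbers.
    r.accept(Fragment("ap", 3, 0, True, 30, "ptk-1", b"A"))
    out["pn_gap"] = r.accept(Fragment("ap", 3, 1, False, 32, "ptk-1", b"B"))
    # Plaintext fragment arriving in a protected network.
    out["plaintext"] = r.accept(Fragment("ap", 4, 0, True, 40, None, b"A"))
    # Fragment cache case: first half before a reconnect, second half after it.
    r.accept(Fragment("ap", 5, 0, True, 50, "ptk-1", b"A"))
    r.on_reconnect()
    out["after_reconnect"] = r.accept(Fragment("ap", 5, 1, False, 51, "ptk-1", b"B"))
    out["rejections"] = list(r.rejected)
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Only the first sequence in run_demo() yields a frame; every other sequence is dropped with a recorded reason, which is the behaviour a patched receiver should show and a useful oracle when testing a driver against the open-source FragAttacks tool mentioned in the post.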
  4. Signal CEO gives mobile-hacking firm a taste of being hacked

     Software developed by data extraction company Cellebrite contains vulnerabilities that allow arbitrary code execution on the device, claims Moxie Marlinspike, the creator of the encrypted messaging app Signal.

     Cellebrite products are commonly used by police and governments to unlock iOS and Android phones and extract data on them. Last December, the company announced that its Physical Analyzer also gave access to data from Signal.

     Occupational hazard

     In a blog post earlier today, Marlinspike, a cryptographer and security researcher, said that Cellebrite’s software works by parsing data that comes from an untrusted source. This means that it accepts input that may not be formatted correctly, which could trigger a memory corruption vulnerability that leads to code execution on the system.

     Because of this risk, one would assume that the developer was sufficiently careful to set up protections or use code that is not susceptible to vulnerabilities.

     “Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present” - Moxie Marlinspike

     Furthermore, the researcher found that Cellebrite’s software had outdated open-source code that had not been updated in almost a decade, despite security updates being available.

     Exploring possibilities for exploitation, Marlinspike found that he could run arbitrary code on a Cellebrite machine when it parsed a specially formatted, yet non-offensive file on a device it scanned.

     “For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures” - Moxie Marlinspike

     The researcher provides proof of successful exploitation of UFED, Cellebrite’s product for collecting evidence from sources ranging from mobile devices and apps to public-domain social media services. The payload uses the MessageBox Windows API to deliver a message that is iconic in hacker culture:

     Another interesting point is that Marlinspike said in the installer for the Packet Analyzer he found MSI packages with a digital signature from Apple. These appear extracted from the Windows installer for iTunes and contain DLL files that help Cellebrite’s program interact with iOS devices and extract data from them.

     While the announcement is far from the protocol of responsible disclosure, Marlinspike says that he will provide Cellebrite the specifics of the vulnerabilities if the company does the same for all the security issues they exploit for physical extraction services "now and in the future."

     In seemingly “completely unrelated” news, Marlinspike says that future versions of Signal will add to the app storage files that are “aesthetically pleasing.” These files add nothing to Signal’s functionality and will not interact with the app, “but they look nice, and aesthetics are important in software.”

     If these are formatted in a special way, Cellebrite's customers will likely have a hard time demonstrating the integrity of the scan reports from devices where Signal is installed.

     Source: Signal CEO gives mobile-hacking firm a taste of being hacked
  5. Severe Bugs Reported in EtherNet/IP Stack for Industrial Systems

     The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued an advisory warning of multiple vulnerabilities in the OpENer EtherNet/IP stack that could expose industrial systems to denial-of-service (DoS) attacks, data leaks, and remote code execution.

     All OpENer commits and versions prior to February 10, 2021, are affected, although there are no known public exploits that specifically target these vulnerabilities.

     The four security flaws were discovered and reported to CISA by researchers Tal Keren and Sharon Brizinov from operational technology security company Claroty. Additionally, a fifth security issue identified by Claroty was previously disclosed by Cisco Talos (CVE-2020-13556) on December 2, 2020.

     "An attacker would only need to send crafted ENIP/CIP packets to the device in order to exploit these vulnerabilities," the researchers said.

     CVE-2020-13556 concerns an out-of-bounds write vulnerability in the Ethernet/IP server that could potentially allow an attacker to send a series of specially-crafted network requests to trigger remote code execution. It's rated 9.8 out of 10 in severity.

     The four other flaws disclosed to EIPStackGroup, the maintainers of the OpENer stack, in October 2020 are as follows:

       • CVE-2021-27478 (CVSS score: 8.2) - A bug in the manner Common Industrial Protocol (CIP) requests are handled, leading to a DoS condition
       • CVE-2021-27482 (CVSS score: 7.5) - An out-of-bounds read flaw that leverages specially crafted packets to read arbitrary data from memory
       • CVE-2021-27500 and CVE-2021-27498 (CVSS scores: 7.5) - Two reachable assertion vulnerabilities that could be exploited to result in a DoS condition

     Vendors using the OpENer stack are recommended to update to the latest version while also taking protective measures to minimize network exposure for all control system devices to the internet, erect firewall barriers, and isolate them from the business network.

     This is far from the first time security issues have been unearthed in EtherNet/IP stacks. Last November, Claroty researchers revealed a critical vulnerability uncovered in Real-Time Automation's (RTA) 499ES EtherNet/IP stack could open up the industrial control systems to remote attacks by adversaries.

     Source: Severe Bugs Reported in EtherNet/IP Stack for Industrial Systems
  6. NSA: Top 5 vulnerabilities actively abused by Russian govt hackers

     A joint advisory from the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) warns that the Russian Foreign Intelligence Service (SVR) is exploiting five vulnerabilities in attacks against U.S. organizations and interests.

     In an advisory issued today, the NSA said that it is aware of the Russian SVR using these vulnerabilities against public-facing services to obtain authentication credentials to further compromise the networks of US corporate and government networks.

     The NSA is advising all organizations to immediately patch vulnerable devices to protect against cyberattacks that lead to data theft, banking fraud, and ransomware attacks.

     "The vulnerabilities in today's release are part of the SVR's toolkit to target networks across the government and private sectors," Rob Joyce, NSA Director of Cybersecurity, said in a statement to BleepingComputer. "We need to make SVR's job harder by taking them away."

     Vulnerabilities used in different phases of attack

     The U.S. government strongly advises that all admins "urgently implement associated mitigations" for these vulnerabilities to prevent further attacks by the Russian SVR and other threat actors.

     "Mitigation against these vulnerabilities is critically important as U.S. and allied networks are constantly scanned, targeted, and exploited by Russian state-sponsored cyber actors."

     "In addition to compromising the SolarWinds Orion software supply chain, recent SVR activities include targeting COVID-19 research facilities via WellMess malware and targeting networks through the VMware vulnerability disclosed by NSA," warns the joint advisory.

     Below are the top five vulnerabilities the NSA, CISA, and the FBI have seen targeted by the Russian SVR.

     CVE-2018-13379 targets Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12

     In Fortinet Secure Sockets Layer (SSL) Virtual Private Network (VPN) web portals, an Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.

     Threat actors have extensively used this vulnerability in the past to target government agencies and corporate networks, including U.S. govt elections support systems, COVID-19 research organizations, and more recently, to deploy the Cring ransomware. In November 2020, a threat actor leaked the credentials for almost 50,000 Fortinet VPN devices on a hacker forum.

     Government advisories: APT29 targets COVID-19 vaccine development & Mitigating Recent VPN Vulnerabilities

     CVE-2019-9670 targets Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10

     In Synacor Zimbra Collaboration Suite, the mailboxd component has an XML External Entity injection (XXE) vulnerability.

     Government advisories: APT29 targets COVID-19 vaccine development

     CVE-2019-11510 targets Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4

     In Pulse Secure VPNs, an unauthenticated remote attacker can send a specially crafted Uniform Resource Identifier (URI) to perform an arbitrary file read.

     Pulse Secure VPNs have been a favorite for threat actors for some time, being used to gain access to US government networks, attack hospitals, and deploy ransomware on networks.

     Government advisories: Mitigating Recent VPN Vulnerabilities and APT29 targets COVID-19 vaccine development

     CVE-2019-19781 targets Citrix ADC and Gateway versions before,,, and and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b

     Citrix Application Delivery Controller (ADC) and Gateway allow directory traversal.

     The CVE-2019-19781 vulnerability is known to be used by threat actors, including ransomware gangs, to gain access to corporate networks and deploy malware.

     Government advisories: Mitigate CVE-2019-19781, APT29 targets COVID-19 vaccine development, and Detect and Prevent Web Shell Malware.

     CVE-2020-4006 targets VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 - 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 - 3.3.3 and 19.03, VMware Cloud Foundation 4.0 - 4.1, and VMware Vrealize Suite Lifecycle Manager 8.x

     VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector have a command injection vulnerability.

     In December 2020, the US government warned that Russian state-sponsored threat actors were exploiting this vulnerability to deploy web shells on vulnerable servers and exfiltrate data.

     Government advisories: Russian State-Sponsored Actors Exploiting Vulnerability and Performing Out-of-Band Network Management.

     As the Russian SVR has been utilizing a combination of these vulnerabilities in their attacks, it is strongly advised that all administrators install the associated security updates immediately.

     The NSA warned last year that two of these vulnerabilities, CVE-2019-11510 and CVE-2019-19781, are also in the top 25 vulnerabilities utilized by China state-sponsored hackers.

     Source: NSA: Top 5 vulnerabilities actively abused by Russian govt hackers
  7. Majority of Mobile App Vulnerabilities From Open Source Code

     COVID-19 has impacted everything over the past year, and mobile app security is no exception. The Synopsys Cybersecurity Research Center (CyRC) took an in-depth look at application security, and discovered just how vulnerable apps that use open source code really are. According to the report, 98% of apps use open source code, and 63% of those apps have at least one known vulnerability.

     Open source code is no more or less vulnerable than any other code, Jonathan Knudsen, senior security strategist with Synopsys, was quick to point out in an email interview. The prime security task for any organization that uses open source code is how to manage the code correctly.

     “The report underscores, among other things, that managing security vulnerabilities in open source software components is a very real problem,” Knudsen said.

     The challenge lies in the self-service nature of open source use. With no commercial vendor to push out updates and patches, it then becomes the responsibility of the developers and the business to evaluate and monitor for security risks and come up with a strategy for the inevitable security problems.

     Adoption of Open Source

     Developers turn to open source because it helps them code 20 to 30 times faster than writing their own from scratch; getting a mobile application into the marketplace quickly is a top priority. This need to move fast has created a dependency on open source. It has also led to the prioritization of development over security in many IT organizations just to remain competitive in the market.

     “To stay competitive, software development teams must figure out how to write code quickly, while not sacrificing security to create value and preserve competitive advantage for their organizations,” said Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber.

     Until that happens, open source will continue to be the go-to code.

     Finding the Vulnerabilities

     Code audits to detect vulnerabilities are easier to do on open source software, which is both a blessing and a curse; threat actors and well-intentioned developers both have equal access to the code.

     “Ethical hackers may look at well-maintained open-source projects and quickly identify and report vulnerabilities to help them get patched,” said Hank Schless, senior manager, security solutions at Lookout. “Threat actors may observe the code, find a vulnerability, and figure out how to exploit it as quickly as possible.”

     On the other hand, Schless added, closed source or first-party code can encounter the same maintenance issues. “While the quality of both open and closed source code varies, switching from open to closed source code might mean swapping known vulnerabilities for unknown vulnerabilities.”

     A More Secure Mobile App

     When open source code is used, it often comes with its own list of other open source solutions that are necessary for functionality. This transitive dependency can be layers deep and create a snowball effect of adding hundreds or more. One open source project can end up including hundreds of layers and dozens of possible vulnerabilities.

     Because of this, you can never trust or test one layer and think everything is fine. Every layer must be tested and updates and patches regularly checked.

     “Software composition analysis (SCA) is a type of security testing that automates much of the work of identifying used software components, correlating known vulnerabilities and raising alerts when new vulnerabilities are identified,” said Knudsen.

     Managing the open source components of an application is important, Knudsen added, but it is far from the end of the story. “Applications will only get safer when they are built better with a comprehensive, proactive approach to security. This means incorporating security into every phase of software development, from design through implementation, testing and maintenance. Automated security testing is useful at multiple phases, and includes SCA, static analysis, fuzzing and other types of dynamic testing.”

     Source: Majority of Mobile App Vulnerabilities From Open Source Code
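The post above describes what software composition analysis does (inventory the components an app pulls in, including transitive ones several layers down, correlate them with known vulnerabilities, and alert) without showing the mechanics. The following is an added example, not Synopsys' or any vendor's SCA tool: a toy analyser over a constructed dependency manifest and a constructed advisory list (the advisory identifiers are placeholders, not real CVEs). Version matching is a plain numeric tuple comparison with no pre-release labels, which is enough to show the point the article makes about layers: a shared component that is reachable through two paths is reported on both, so every layer that pulls in the vulnerable version is visible.

```python
"""Toy software composition analysis over a dependency tree with transitive dependencies.

Added example; not Synopsys' or any vendor's SCA tool. The manifest and the
advisories are constructed; advisory ids are placeholders, not real CVEs.
"""
from typing import Dict, Iterator, List, Tuple

# Constructed manifest: component -> (installed version, direct dependencies).
COMPONENTS: Dict[str, Tuple[str, List[str]]] = {
    "myapp":       ("1.0.0", ["http-client", "image-lib"]),
    "http-client": ("2.3.1", ["tls-lib"]),
    "image-lib":   ("0.9.4", ["zlib-port", "tls-lib"]),
    "tls-lib":     ("1.1.0", []),
    "zlib-port":   ("1.2.8", []),
}

# Constructed advisories: (component, first affected version, fixed version, id).
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("tls-lib",     "1.0.0", "1.1.2", "EXAMPLE-ADV-0001"),
    ("zlib-port",   "0.0.0", "1.2.9", "EXAMPLE-ADV-0002"),
    ("http-client", "3.0.0", "3.0.2", "EXAMPLE-ADV-0003"),  # installed 2.3.1 is outside the range
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple (no pre-release handling)."""
    return tuple(int(part) for part in v.split("."))


def is_affected(installed: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= installed < fixed."""
    v = parse_version(installed)
    return parse_version(introduced) <= v < parse_version(fixed)


def walk(components: Dict[str, Tuple[str, List[str]]], root: str) -> Iterator[Tuple[str, List[str]]]:
    """Depth-first walk yielding (component, path) for every way a component is reached.

    A shared dependency is reported once per path so each layer that pulls it in
    shows up; cycles are cut by skipping anything already on the current path.
    """
    stack = [(root, [root])]
    while stack:
        name, path = stack.pop()
        yield name, path
        _, deps = components[name]
        for dep in reversed(deps):  # reversed so dependencies pop in declared order
            if dep not in path:
                stack.append((dep, path + [dep]))


def analyze(components=COMPONENTS, advisories=ADVISORIES, root: str = "myapp") -> List[dict]:
    """Correlate every reachable component with the advisory list and return alerts."""
    alerts = []
    for name, path in walk(components, root):
        version, _ = components[name]
        for comp, introduced, fixed, adv_id in advisories:
            if comp == name and is_affected(version, introduced, fixed):
                alerts.append({"component": name, "version": version,
                               "advisory": adv_id, "fixed_in": fixed,
                               "path": " -> ".join(path)})
    return alerts


def vulnerable_components(alerts: List[dict]) -> Dict[str, str]:
    """Collapse alerts to component -> lowest version that clears every advisory."""
    result: Dict[str, str] = {}
    for a in alerts:
        current = result.get(a["component"])
        if current is None or parse_version(a["fixed_in"]) > parse_version(current):
            result[a["component"]] = a["fixed_in"]
    return result


if __name__ == "__main__":
    for alert in analyze():
        print(f"{alert['advisory']}: {alert['component']} {alert['version']} "
              f"(fixed in {alert['fixed_in']}) via {alert['path']}")
```

Running it prints three alerts: tls-lib is flagged twice, once through http-client and once through image-lib, and zlib-port once through image-lib, while http-client itself is clean because its installed version is outside the advisory's range. vulnerable_components() then gives the upgrade targets a team would act on.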
  8. Adobe fixes critical vulnerabilities in Photoshop and Digital Editions

     Adobe has released security updates that address security vulnerabilities in Adobe Photoshop, Adobe Digital Editions, Adobe Bridge, and RoboHelp.

     In total, the company addressed ten security vulnerabilities affecting four products, with seven of them rated as critical as they allow arbitrary code execution or arbitrary file writes.

     Of all the products receiving security updates today, Adobe Bridge has the most, fixing four 'Critical' code execution bugs and two vulnerabilities rated as 'Important.'

     Code execution bugs are the most serious as they could allow attackers to execute almost any command in Windows, including installing malware or taking over the computer.

     In addition to the Adobe Bridge bugs, Adobe also fixed other vulnerabilities in their products, including:

       • 2 Critical vulnerabilities in Adobe Photoshop
       • 1 Critical vulnerability in Adobe Digital Editions
       • 1 Important vulnerability in RoboHelp

     Adobe advises customers using vulnerable products to update to the latest versions as soon as possible to fix bugs that could lead to successful exploitation of unpatched installations.

     In most cases, users can update their software by using the auto-update feature of the product using the following steps:

       • By going to Help > Check for Updates.
       • The full update installers can be downloaded from Adobe's Download Center.
       • Let the products update automatically, without requiring user intervention, when updates are detected.

     If the new update is not available via autoupdate, you can check the security bulletins linked to above for the latest download links.

     Source: Adobe fixes critical vulnerabilities in Photoshop and Digital Editions
  9. Cring Ransomware Used in Attacks on European Industrial Firms

     Attackers exploited a vulnerability in Fortigate VPN servers to gain access to target networks, researchers report.

     Researchers with Kaspersky say several companies in Europe's industrial sector were recent victims of attacks using Cring ransomware. Attackers exploited CVE-2018-13379, a vulnerability in Fortigate SSL VPN servers, to gain access to the victim's networks, researchers report. The unpatched servers were exposed to the Internet.

     This vulnerability was publicized in 2019 but not all devices were updated. Offers to sell a ready-made list containing IP addresses of Internet-facing vulnerable devices began to appear on Dark Web forums in autumn 2020, according to a report from Kaspersky.

     "With such an IP address, an unauthenticated attacker can connect to the appliance through the Internet and remotely access the session file, which contains a username and password stored in clear text," researchers say.

     These attacks were first mentioned by a member of the CSIRT team of Swiss telecommunications provider Swisscom. Kaspersky then conducted an investigation at one of the affected enterprises to learn more about how the servers were being infected.

     More information on the attacks can be found here.

     Source: Cring Ransomware Used in Attacks on European Industrial Firms
  10. Samsung April 2021 security update is rolling out now to these Galaxy devices Samsung was once among the worst in the Android world when it came to updates big and small, but in 2021 they’re arguably better than Pixel. Now, Samsung is rolling out the April 2021 security update to its huge lineup of smartphones including Galaxy S21, S20, A52, and more. The April security patch, technically, hasn’t been fully released when Samsung started its rollout. Google follows a pattern of rolling out the update to its Pixel smartphones on the first Monday of every month, this month landing on April 5. Samsung April 2021 security update — what’s new That same April 5 date is when the changes and security improvements made in the patch are officially detailed. So that presents a lack of information when it comes to Samsung rolling out the April 2021 security update to its lineup starting in late March, at least from a technical standpoint on the security changes. Often, though, Samsung will also bring minor UI tweaks to its monthly security updates, and the April 2021 patch is no different. As captured by the folks at SamMobile, one of the notable changes is an expansion of Portrait Mode. The feature was previously limited to the telephoto and ultrawide cameras only on some devices, but the April patch seems to extend functionality to the main camera. Devices with Samsung’s April 2021 security update Which devices are set to get the April 2021 update from Samsung? The list of devices getting monthly updates right now is quite hefty, and as of April 1, several models have already been updated. You can see devices that have been updated so far in the list below. The list below is being updated as new rollouts begin or expand to new regions and carriers. New additions will be marked in bold. 
Galaxy S Series
Samsung’s true flagship series is usually among the first to see monthly updates, and this month the rollout started on March 29 with the current flagship family, the Galaxy S21 series. The download on S21 devices weighs in at over 1GB and started in India, but has since expanded on a mostly global scale. The update has expanded to the S20 FE and S10 series, and on April 1 it showed up on the Galaxy S9+ in Germany. The full list of Galaxy S devices with the April update includes:
Galaxy S21 — G99xxXXU2AUC8
Galaxy S21+ — G99xxXXU2AUC8
Galaxy S21 Ultra — G998BXXU2AUC8
Galaxy S20 FE — G780FXXS2CUC8
Galaxy S10 — G97xxXXU9FUCD
Galaxy S10+ — G97xxXXU9FUCD
Galaxy S10e — G97xxXXU9FUCD
Galaxy S9+ — G96xFXXUFFUC6
Galaxy A Series
The mid-range Galaxy A series is perhaps among the best-updated affordable smartphone lineups, and the latest release, Galaxy A52, is already getting its April update. The A52 saw its rollout start on March 30.
Galaxy A52 — A525FXXU1AUC5
Galaxy Foldables
Samsung’s super-premium foldable smartphones are sometimes slow to get major updates, but they’re right on track with monthly security patches. The April patch hit Galaxy Z Fold 2 on March 29 and has since expanded. The update is also available on the original Galaxy Fold as of March 31.
Galaxy Z Fold 2 — F916BXXU1DUCE
Galaxy Fold — F900FXXU4EUCF
Galaxy Note Series
As the Note stares down the barrel of death, support isn’t really waning. On March 29 the Galaxy Note 10 and Note 10+ saw rollouts begin for the April patch, and on April 1st the update started rolling out to the Galaxy Note 20 and Note 20 Ultra in select regions, including on US carriers such as AT&T, T-Mobile, and Verizon.
Galaxy Note 20 Ultra — N986U1XXX2DUC8
Galaxy Note 20 — N986U1XXX2DUC8
Galaxy Note 10 — N97xFXXU6FUCD
Galaxy Note 10+ — N97xFXXU6FUCD
Galaxy Tab Series
Samsung rolled out the April security patch to the Galaxy Tab S6 on March 31.
Galaxy Tab S6 — T865XXU4CUC1
Source: Samsung April 2021 security update is rolling out now to these Galaxy devices
  11. Airlift Express Fixes Vulnerabilities in Its E-commerce Store
PrivacySavvy experts discovered an OTP vulnerability in Airlift Express, which could lead to account hacks and exploits by cybercriminals.
A team of security researchers from PrivacySavvy recently discovered an OTP vulnerability in Airlift Express, which could lead to account hacks and exploits by cybercriminals. Fortunately, the company has successfully fixed the security loopholes, but the incident shows the inadequacy of one-time passwords in protecting app users.
PrivacySavvy Labs is a group of researchers whose sole aim is to identify loopholes in the security of web applications that people use every day. They aim to make internet users safe and aware of the threats to their digital security. Airlift Express is among the many companies the team has evaluated and helped avoid unnecessary security issues.
OTP Vulnerability in Airlift E-commerce store
Airlift is a Pakistani mass transit company also offering online grocery services through its Airlift Express. Recently a group of researchers from PrivacySavvy Labs discovered a security bug that could enable hackers to compromise Airlift Express users. According to the researchers, this security bug can provide a loophole for brute force attacks. Hackers can hijack an account on Airlift Express for whatever reasons known to them.
As per the PrivacySavvy report published on March 31st, hackers could perpetrate a brute force attack successfully on Airlift because the system is still using OTPs (one-time passwords). Usually, if you forget your password but want to log into Airlift Express, the system will advise you to click on “forgot password.” Once you do this, you’ll then enter your email address or phone number to open your account using an OTP, which Airlift will send to you.
(Image credit: PrivacySavvy.com)
According to the researchers, hackers can access an Airlift account in the same way.
They could get a legit phone number through social engineering and use brute force to get to the right OTP. All they’ll do is try different combinations of numbers until they arrive at the correct one. When the PrivacySavvy researchers tried the brute force attack on Airlift Express, they reported that it took them only 7 minutes to arrive at the right combination to open an account. Once they made this discovery, they sent an email to the company about the discovery. As soon as the company got the information, they went to work fixing the security bug capable of compromising its users.
OTP is not adequate against brute force attacks
According to the PrivacySavvy report, one-time passwords have proven weak against modern brute force attacks. The OTP system was mainly created to identify and authenticate users in a way that repels attacks. This is why you might get an SMS OTP on your phone from a website you’re trying to access, and you’ll be required to fill it into the box on the website to confirm your ownership of the account. These OTPs were mainly used to provide additional log-on security for internet users. But unfortunately, hackers defeated the system within a short time. They can now find their way around it and carry out their nefarious activities against internet users.
One of the things that PrivacySavvy researchers proved in their report was that the OTP system of verification couldn’t withstand brute force attacks. According to the team, brute force attacks are a method used by hackers to crack passwords. They’ll spend their time creating different combinations of numbers until they arrive at the correct one. In their trial, it took within 7 minutes to crack the password, but sometimes hackers can spend hours trying to break a strong password. The researchers also stated that hackers now employ many tools to carry out brute force attacks. Some of the tools they mentioned in their report include RainbowCrack, Ncrack, John the Ripper, etc.
Why OTPs are weak and what to do instead
PrivacySavvy researchers also mentioned some significant reasons for the inadequacy of one-time passwords in protecting internet users. They shared a critical study carried out by a group of researchers and what they found out about OTPs. One of the discoveries in the report is that hackers have gotten more sophisticated and, according to them, are now using unique Trojans to bypass OTPs. They also mentioned other substantial reasons not to depend on one-time passwords in protecting internet users.
As for the solutions that companies can utilize in keeping their users safe from hackers and brute force attacks, PrivacySavvy says: “Multi-factor authentication offers more security than a simple username and password combination. That is so because the user must meet specific requirements, usually a) username/password b) have a mobile device; sometimes, a third authentication is needed, too”.
However, PrivacySavvy insists that companies should still be careful while implementing multi-factor authentication. The reason, according to them, is that not all multi-factor authentication is safe. Therefore, any company wishing to use multi-factor authentication should approach it in the right way. The researchers also opined that companies should consider using mobile apps or physical tokens in their authentication strategy to get the best results. The researchers also recommend that companies and web developers consider using Captcha instead of one-time passwords.
Source: Airlift Express Fixes Vulnerabilities in Its E-commerce Store
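The post above describes an OTP flow that could be guessed in about seven minutes because nothing stopped repeated attempts. As an added, defender-side example (not from the PrivacySavvy report and not Airlift's own code), the following Rust sketch shows the server-side controls that close that window: a short validity period, a per-code attempt limit that locks the code, single use, and a comparison that does not leak how many digits matched. The account names, sample codes, limits and clock values are constructed for the example; the clock is passed in as a parameter so the behaviour is deterministic.

```rust
// Added example, not Airlift's or PrivacySavvy's code. A server-side OTP
// verifier hardened against online guessing. All limits and sample values
// below are constructed assumptions.
use std::collections::HashMap;

/// Wrong guesses allowed before the code is locked and a fresh one must be issued.
const MAX_ATTEMPTS: u32 = 5;
/// Seconds a code stays valid; a six-digit code must not live long enough to enumerate.
const TTL_SECS: u64 = 300;

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Accepted,
    Rejected,
    Locked,
    Expired,
}

struct Challenge {
    code: String,
    issued_at: u64, // unix seconds, injected by the caller so tests are deterministic
    failures: u32,
}

/// Server-side store of outstanding codes, keyed by account identifier.
pub struct OtpStore {
    pending: HashMap<String, Challenge>,
}

impl OtpStore {
    pub fn new() -> Self {
        OtpStore { pending: HashMap::new() }
    }

    /// Record a freshly generated code. Issuance itself should also be rate
    /// limited; otherwise a caller resets the failure counter by requesting new codes.
    pub fn issue(&mut self, account: &str, code: &str, now: u64) {
        self.pending.insert(
            account.to_string(),
            Challenge { code: code.to_string(), issued_at: now, failures: 0 },
        );
    }

    /// Check a guess. Every path that should not succeed returns a distinct
    /// verdict so the application can log and alert on lockouts.
    pub fn verify(&mut self, account: &str, guess: &str, now: u64) -> Verdict {
        let ch = match self.pending.get_mut(account) {
            Some(ch) => ch,
            None => return Verdict::Rejected, // no outstanding code (or already used)
        };
        if now.saturating_sub(ch.issued_at) > TTL_SECS {
            self.pending.remove(account);
            return Verdict::Expired;
        }
        if ch.failures >= MAX_ATTEMPTS {
            return Verdict::Locked; // even a correct guess is refused once locked
        }
        if constant_time_eq(ch.code.as_bytes(), guess.as_bytes()) {
            self.pending.remove(account); // single use: replaying the code fails
            return Verdict::Accepted;
        }
        ch.failures += 1;
        if ch.failures >= MAX_ATTEMPTS { Verdict::Locked } else { Verdict::Rejected }
    }
}

/// Compare two byte strings without short-circuiting on the first mismatch,
/// so response time does not reveal how many leading digits were right.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

fn main() {
    let mut store = OtpStore::new();
    store.issue("alice", "483920", 1_000); // constructed sample code
    println!("{:?}", store.verify("alice", "000000", 1_001)); // Rejected
    for _ in 0..4 {
        store.verify("alice", "111111", 1_002);
    }
    println!("{:?}", store.verify("alice", "483920", 1_003)); // Locked
}
```

The lockout is per issued code, so the same limit must also apply to how often a code can be requested for an account; without that second limit the counter is trivially reset.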
  12. Facebook Paid Out $50K for Vulnerabilities Allowing Access to Internal Systems A researcher says he has earned more than $50,000 from Facebook after discovering vulnerabilities that could have been exploited to gain access to some of the social media giant’s internal systems. Cybersecurity engineer and bug bounty hunter Alaa Abdulridha revealed in December 2020 that he had earned $7,500 from Facebook for discovering a vulnerability in a service apparently used by the company’s legal department. The researcher said the security hole could have been exploited to reset the password of any account for a web application used internally by Facebook employees. In a blog post published on Thursday, the researcher said he continued analyzing the same application and once again managed to gain access to it. From there he claimed he was able to launch a server-side request forgery (SSRF) attack and gain access to Facebook’s internal network. Facebook described this as an attacker being able to send HTTP requests to internal systems and read their responses. “I was able to scan the ports of the local servers and browse the local applications/web apps that the company uses in their infrastructure,” the researcher told SecurityWeek. “I'm sure such a vulnerability in the wrong hands could be escalated to RCE and can pose a huge risk for the company and its customers.” The social media giant awarded him nearly $50,000 for this second exploit chain. Abdulridha also claimed the account takeover attack may have allowed a hacker to access accounts for other internal Facebook applications as well, but Facebook told SecurityWeek it had not found any evidence to suggest that the flaw could be escalated to access other internal accounts. Facebook has clarified that the vulnerabilities reported by Abdulridha actually affected a third-party service designed for signing documents and they impacted anyone using this service, not just Facebook. 
The company said it worked with the third-party vendor to quickly get the flaws fixed and said it had found no evidence of malicious exploitation, noting that exploiting the weaknesses was a complex task. The company also pointed out that the first vulnerability only allowed access to accounts within the third-party document signing app, but did not grant access to any employee accounts used for other internal applications. While the researcher claimed that it took Facebook nearly 6 months to patch the second round of vulnerabilities, the company told SecurityWeek that while the report was only closed in February, the bugs were actually completely fixed — by both Facebook and the third-party vendor — within a few days. Facebook also said that while it paid out a bug bounty based on the maximum possible impact it could determine, it did not agree with the researcher’s belief that the SSRF vulnerabilities could have been escalated to remote code execution. Source: Facebook Paid Out $50K for Vulnerabilities Allowing Access to Internal Systems
  13. Can a Programming Language Reduce Vulnerabilities? Rust offers a safer programming language, but adoption is still a problem despite recent signs of increasing popularity. When Microsoft wanted to rewrite a security-critical network processing agent to eliminate memory-safety vulnerabilities causing recurring headaches for the Microsoft Security Response Center (MSRC), the company tasked an intern and told him to rewrite the code in Rust. Rust, a programming language that has claimed the title of "most loved" among developers for five years in a row, could change the vulnerability landscape by practically eliminating certain types of memory-safety errors. The language's claim to fame is that it provides the speed and control of C and C++, while delivering security and safety guarantees of other languages, such as Go and Python. Nearly 70% of the vulnerabilities that the MSRC processes are classified as memory-safety issues, so eliminating the class of vulnerabilities is critical. Discussing his newly found preference for Rust, Alexander Clarke, the MSRC software intern, stated in a blog post that, while it may be easier to write a program that will compile in C++, the resulting program is more likely to have errors and vulnerabilities. "The [Rust] compiler's error messages are justly famous for how useful they are," he says. "Through the error messages, Rust enforces safe programming concepts by telling you exactly why the code isn't correct, while providing possible suggestions on how to fix it." More than a decade after Mozilla adopted and began rewriting code for its Firefox browser using Rust, the language may be ready to take off. While adoption continues to be anemic — only 5.1% of developers use the Rust language, according to the "StackOverflow 2020 Developer Survey" — a number of large companies have committed to using Rust in specific development projects. 
The Mozilla Foundation shipped code developed using the language in its Firefox browser starting in 2016. In 2019, Microsoft stated its intention to adopt Rust more widely for writing system software in Windows. And in February, Mozilla spun off the project to be managed by the new Rust Foundation, with founding sponsors Microsoft, Google, Amazon, and Huawei.
Why the increasing popularity? It's not just about speed and security, at least not for developers, says Ashley Williams, interim executive director of the Rust Foundation. "My joke answer is that we have an animal mascot," she laughs. "In reality, when people talk about loving Rust, there is the language and the compiler, but also the notion that the community should be welcoming and the package management should be first-class. There are all these values that people appreciate."
For companies, the decision boils down to the capabilities Rust does not allow. When the language is properly used, the compiler alerts on — and refuses to compile — certain coding patterns that lead to buffer overflows, use-after-free vulnerabilities, double-free memory issues, and null-pointer dereferences. "You make a blood pact with the compiler," says Williams. "You write your code in a specific way so the compiler knows your code is correct."
For Microsoft, the errors that Rust can prevent account for the majority of vulnerabilities for which the company assigns Common Vulnerabilities and Exposures (CVE) identifiers. Using the programming language to build its core system components can help reduce a major source of vulnerabilities, said Ryan Levick, principal cloud developer advocate at Microsoft, in a blog post. "We believe Rust changes the game when it comes to writing safe systems software," he said. "Rust provides the performance and control needed to write low-level systems, while empowering software developers to write robust, secure programs."
Yet programming languages promising extra security have not always done so.
In January 1996, Sun Microsystems announced Java 1.0. The language boasted portable code — as in "write once, run anywhere" — but Sun also touted a number of security attributes, such as automated memory management — that is, "garbage collection" — as well as type safety and the ability to isolate applets from modifying system resources.
Fast forward to today. With adoption at about 40%, Java is the fifth most-used language — behind JavaScript, HTML/CSS, SQL, and Python, according to the StackOverflow survey. However, Java programs accounted for 15% of the more than 6,000 vulnerabilities found in open source components in 2019, behind C, which accounted for 30%, and PHP, which accounted for 27%, according to "The 2020 State of Open Source Security" report published by software security firm WhiteSource. Java shows that developers, in the name of efficiency, often will not use security features and instead continue to create insecure code.
Rust is more opinionated in its approach than Java, but the language will likely not avoid the potential to have security undermined by developers. While Rust provides memory safety, it also allows a way around it — the "unsafe" keyword. Using the keyword is a way for a developer to override the compiler and prevent the compiler from checking a block of code — ostensibly because the developer asserts the code is safe. Many Rust enthusiasts — "Rustaceans," as they are called — argue that overusage of the keyword undermines the Rust model.
While the debate is nuanced, Williams understands the point. "There are people who use the unsafe block in a way that is unsafe," she says. "If you put something in the unsafe block, the compiler won't check it, and if you are wrong then you could introduce a memory error."
Yet, she points out, even if the capability is used only to override the compiler correctly, vulnerabilities will likely creep into developers' programs, and — because security researchers and hackers tend to find the problems that developers leave behind — those vulnerabilities will be found. Case in point: The Rust-focused security site RustSec lists more than 250 vulnerabilities in the Rust packages — or "crates" — and the language.
"The vulnerability landscape is not an absolute one, so there are always new vulnerability areas," says Williams. "Some languages can be safer than others, but ... there is no such thing as a fully secure system, especially if your target language has a lot of hackers looking at it."
Source: Can a Programming Language Reduce Vulnerabilities?
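The article explains the trade-off in prose: the compiler checks safe code, an `unsafe` block takes that check off its hands, and what is left must be justified by the developer. The following Rust snippet is an added illustration (not from the article, nor from Microsoft's or Mozilla's code) of the same lookup written three ways: the bounds-checked standard-library call, the unchecked variant that is only sound under a precondition, and the defensible wrapper that re-establishes the precondition so callers never see the unchecked path. Function names are hypothetical.

```rust
// Added example (not from the article or from any project it mentions).
// The same lookup three ways, showing what the Rust compiler checks for you,
// what an `unsafe` block takes off its hands, and how to hand the check back.
// Function names are hypothetical.

/// Safe lookup: `get` is bounds-checked, so an out-of-range index yields None
/// instead of reading past the end of the buffer.
pub fn safe_lookup(data: &[u8], idx: usize) -> Option<u8> {
    data.get(idx).copied()
}

/// Unsafe lookup: `get_unchecked` performs no bounds check. Marking the function
/// `unsafe` records that the caller, not the compiler, must guarantee
/// `idx < data.len()`; violating that is undefined behaviour, the memory error
/// Williams warns about.
pub unsafe fn unchecked_lookup(data: &[u8], idx: usize) -> u8 {
    unsafe { *data.get_unchecked(idx) }
}

/// The defensible pattern: keep the unsafe block as small as possible and state
/// the precondition right beside it, so the function is safe to call again.
pub fn wrapped_lookup(data: &[u8], idx: usize) -> Option<u8> {
    if idx < data.len() {
        // SAFETY: idx was checked against data.len() on the line above.
        Some(unsafe { unchecked_lookup(data, idx) })
    } else {
        None
    }
}

// What the compiler refuses outright. The lines below do not compile, which is
// why they are a comment: the borrow checker rejects freeing `v` while `r`
// still points into it, so this use-after-free never reaches a binary.
//
//     let v = vec![1u8, 2, 3];
//     let r = &v[0];
//     drop(v);            // error: cannot move out of `v` because it is borrowed
//     println!("{}", r);

fn main() {
    let buf = [10u8, 20, 30]; // constructed sample buffer
    println!("{:?}", safe_lookup(&buf, 1));    // Some(20)
    println!("{:?}", safe_lookup(&buf, 7));    // None
    println!("{:?}", wrapped_lookup(&buf, 7)); // None
}
```

The point to carry into a code review is that `unsafe` does not mark the dangerous line so much as the boundary where the argument for correctness moves from the compiler to a comment; the smaller that boundary and the closer the check, the less there is for a reviewer, or a RustSec advisory, to find.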
  14. Samsung fixes critical Android bugs in March 2021 updates
This week Samsung has started rolling out Android's March security updates to mobile devices to patch critical security vulnerabilities in the runtime, operating system, and related components. This comes after Android had published its March 2021 security updates bulletin, which includes patches for critical vulnerabilities impacting the latest devices.
As observed by BleepingComputer, Samsung Galaxy devices are automatically pulling updates released on March 5, 2021, this week. These updates mainly comprise significant security fixes with a couple of enhancements across Samsung Galaxy built-in apps like Calendar, Display, Social Platform, and SmartThings.
(Image: Samsung Galaxy S10 prompting users to get March 2021 updates. Source: BleepingComputer)
Every vulnerability addressed by this update has either a 'High' or 'Critical' severity rating, making this update a must for Android users so that their devices remain protected.
From RCE via Bluetooth to Privilege Escalation
There's the critical vulnerability CVE-2021-0397, lurking in the Android System and arising from a null pointer, which has been fixed by this update. The vulnerability in Android's Bluetooth Service Discovery Protocol (SDP) implementation, called the Fluoride Bluetooth stack, could let an attacker perform remote code execution (RCE) attacks via a specially crafted Bluetooth transmission.
(Image: Fix made for CVE-2021-0397, critical RCE vulnerability. Source: Google Source for Android)
Additionally, Google Play Protect has stepped up protections and made exploitation of Android vulnerabilities more challenging by adding security enhancements. "Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform." "We encourage all users to update to the latest version of Android where possible," stated this month's Android advisory.
Other flaws impacting components like Framework, System, and Android runtime could allow sensitive information disclosure and privilege escalation by attackers. The list of vulnerabilities patched by this update includes:
Android runtime
CVE            | References  | Type | Severity | Updated AOSP versions
CVE-2021-0395  | A-170315126 | EoP  | High     | 11
Framework
CVE            | References  | Type | Severity | Updated AOSP versions
CVE-2021-0391  | A-172841550 | EoP  | High     | 8.1, 9, 10, 11
CVE-2021-0398  | A-173516292 | EoP  | High     | 11
System
CVE            | References  | Type | Severity | Updated AOSP versions
CVE-2021-0397  | A-174052148 | RCE  | Critical | 8.1, 9, 10, 11
CVE-2017-14491 | A-158221622 | RCE  | High     | 8.1, 9, 10, 11
CVE-2021-0393  | A-168041375 | RCE  | High     | 8.1, 9, 10, 11
CVE-2021-0396  | A-160610106 | RCE  | High     | 8.1, 9, 10, 11
CVE-2021-0390  | A-174749461 | EoP  | High     | 8.1, 9, 10, 11
CVE-2021-0392  | A-175124730 | EoP  | High     | 9, 10, 11
CVE-2021-0394  | A-172655291 [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] | ID | High | 8.1, 9, 10, 11
Google Play system updates
Component | CVE
WiFi      | CVE-2021-0390
Some bugs may still be exploitable
On select Samsung Galaxy devices, the updates pushed this week have their latest "security patch level" dated "2021-03-01." This implies the high and critical severity vulnerabilities yet to be fixed by the "2021-03-05 security patch" could still be exploitable. Users are advised to update their Android devices immediately to safeguard against these bugs, and ensure their devices have the "auto-update" settings enabled. A full description of enhancements and optimizations this update brings is provided on Samsung's website.
Source: Samsung fixes critical Android bugs in March 2021 updates
  15. Now-fixed Linux kernel vulnerabilities enabled local privilege escalation (CVE-2021-26708) Security researcher Alexander Popov has discovered and fixed five similar issues in the virtual socket implementation of the Linux kernel. The vulnerabilities could be exploited for local privilege escalation, as confirmed in experiments on Fedora 33 Server. The vulnerabilities, known together as CVE-2021-26708, have received a CVSS v3 base score of 7.0 (high severity). These vulnerabilities result from race conditions that were implicitly added with virtual socket multi-transport support. They appeared in Linux kernel version 5.5 in November 2019. The vulnerable kernel drivers (CONFIG_VSOCKETS and CONFIG_VIRTIO_VSOCKETS) are shipped as kernel modules in all major GNU/Linux distributions. The vulnerable modules are automatically loaded when an AF_VSOCK socket is created. This ability is available to unprivileged users. “I successfully developed a prototype exploit for local privilege escalation on Fedora 33 Server, bypassing x86_64 platform protections such as SMEP and SMAP. This research will lead to new ideas on how to improve Linux kernel security,” said Popov. The researcher prepared the fixing patch and disclosed the vulnerabilities responsibly to the Linux kernel security team. The patch has been merged into mainline kernel version 5.11-rc7 and backported into affected stable trees. Source: Now-fixed Linux kernel vulnerabilities enabled local privilege escalation (CVE-2021-26708)
  16. Three New Vulnerabilities Patched in OpenSSL The OpenSSL Project on Tuesday announced the availability of patches for three vulnerabilities, including two that can be exploited for denial-of-service (DoS) attacks and one related to incorrect SSLv2 rollback protection. The most serious of the vulnerabilities, with a severity rating of moderate, is CVE-2021-23841, a NULL pointer dereference issue that can result in a crash and a DoS condition. The security hole is related to a function (X509_issuer_and_serial_hash) that is never called directly by OpenSSL itself, which means it only impacts applications that use the function directly with certificates obtained from untrusted sources. The flaw was reported to OpenSSL developers by Google Project Zero researcher Tavis Ormandy and it has been patched with the release of OpenSSL 1.1.1j. Versions 1.1.1i and earlier are impacted. OpenSSL 1.1.1j also fixes a low-severity integer overflow issue that can also lead to a crash. The bug, tracked as CVE-2021-23840, was identified by Paul Kehrer. Another low-severity issue, CVE-2021-23839, was reported to the OpenSSL Project by researchers at cybersecurity firm Trustwave, who discovered that servers using OpenSSL 1.0.2 are vulnerable to SSL version rollback attacks. However, an attack can only be launched against certain configurations and OpenSSL 1.1.1 is not impacted. CVE-2021-23839 has been patched in version 1.0.2y. However, OpenSSL 1.0.2 is no longer supported so the update is only available to premium support customers. OpenSSL has come a long way in terms of security since the disclosure of the vulnerability dubbed Heartbleed back in 2014. Only three vulnerabilities were patched in 2020, and only two of those, which could be exploited for DoS attacks, were rated high severity. No high-severity issues were fixed in OpenSSL in 2018 and 2019. Source: Three New Vulnerabilities Patched in OpenSSL
  17. SQLite patches use-after-free bug that left apps open to code execution, denial-of-service exploits More than one trillion SQLite databases potentially active in myriad operating systems, browsers, and applications UPDATED SQLite has issued a security patch after the discovery of a use-after-free bug that, if triggered, could lead to arbitrary code execution or denial of service (DoS). The highest threat to systems running affected versions of SQLite, a C-language library that implements an SQL database engine, is to system availability, according to a Red Hat Bugzilla thread. However, the flaw is only marked as medium severity because exploitation depends on attackers already having “access to query the data in the database”, noted Todd Cullum, senior product security engineer at Red Hat, an open source software vendor. Richard Hipp, who launched the SQLite project in 2000 and remains its architect, didn’t think the vulnerability posed a serious threat. If an SQL injection bug exists on a target system then it might be possible – dependent on other protections in place – to cause SQLite to read a previously freed data structure and potentially cause a crash, he told The Daily Swig. “More likely, it will just cause SQLite to return a goofy answer.” As a read – rather than write – after free bug, “there are no known paths to an RCE”, he added. “So really, this problem allows an attacker to escalate an SQL injection vulnerability in the application into a denial of service.” But in that case, “the attacker already has a more trivial denial of service by simply sending in a (well-formed) SQL statement that runs forever. So it isn’t clear that this bug gives an attacker any new capabilities.” Vast attack surface If the impact of the vulnerability is described as moderate, then surely few other applications present such an enormous attack surface. 
Open source SQLite “is likely used more than all other database engines combined”, claims the SQLite website, which estimates the number of active SQLite databases at more than one trillion. The relational database management system is built into all 3.5 billion active smartphones, as well as all Apple Macs and Windows 10 machines; Firefox, Chrome, and Safari web browsers; Skype, iTunes, and Dropbox; and most smart TVs, among many more applications. Inti De Ceukelaire, head of hackers at bug bounty platform Intigriti, told The Daily Swig that the bug’s moderate severity might instil a false sense of security into some vendors. “The problem with these kind of medium severity vulnerabilities is that vendors will often not consider fixing it until real-world impact is shown,” he explains. “This is a highly contextual vulnerability that would only work in specific situations. “Therefore, I do not expect that vendors will make breaking changes in order to mitigate this vulnerability, which could potentially lead to chained attacks of unpatched systems in the future.” WHERE the flaw was found Found in SQLite’s SELECT query functionality (src/select.c), the issue arose because of a “problem handling sub-queries with both a correlated WHERE clause and a ‘HAVING 0’ clause where the parent query is itself an aggregate”, according to a vulnerability alert published by Ubuntu, the Linux distribution, on February 5. The problem was apparently introduced by a code change implemented in June 2020. Todd Cullum of Red Hat expanded on this analysis: “The WHERE clause (a=2), uses an aggregate column from the outer query. “If the HAVING term (0) is moved into the WHERE clause in this case, SQLite would at one point optimize (a=2 AND 0) to simply (0). 
Which is logically correct, but happened to cause problems in aggregate processing for the outer query.” Updates and recommendations The security flaw, which affects the SQLite 3 release line, was first flagged in an SQLite bug tracker on January 19, then patched the following day in version 3.341 on January 20. The issue (CVE-2021-20227) was resolved by adding “the ExprAlwaysFalse(pExpr)==0 check to the if statement before the business logic in havingToWhereExprCb() in file src/select.c,” according to Cullum. Ubuntu updated its software accordingly on February 11, while the latest versions of Red Hat Enterprise Linux – 6, 7, and 8 – are unaffected as they run SQLite versions that predate the commit that introduced the bug. A security bulletin issued by AUSCert (Australia’s Computer Emergency Response Team), confirmed that the flaw is exploitable on Ubuntu, Windows, UNIX, Linux, and OSX operating systems. “Even though there are no known vulnerabilities due to this bug, it does come close to being an opportunity to escalate an SQLi into something more serious, so it is still good to upgrade, if only for defense-in-depth,” said Richard Hipp of SQLite. This article was updated on January 16 with comments from Richard Hipp and Inti De Ceukelaire. Source: SQLite patches use-after-free bug that left apps open to code execution, denial-of-service exploits
  18. Palo Alto firewall software vulnerability quartet revealed
Researchers unveil details of security flaws in enterprise firewall technology
UPDATED Security researchers have unveiled details of a series of flaws in Palo Alto Networks’ firewall software addressed by the networking vendor last September. The swarm of four vulnerabilities covers various flaws in Palo Alto’s PAN-OS operating system that were discovered by security researchers at Positive Technologies (PT). PAN-OS is the technology behind Palo Alto Networks’ next-generation firewall (NGFW), a widely-used enterprise-grade firewall.
Undesirable consequences
The vulnerabilities could lead to arbitrary OS command execution by an authorized user (CVE-2020-2037 and CVE-2020-2038), denial of service by an unauthorized user (CVE-2020-2039), and reflected cross-site scripting (XSS) (CVE-2020-2036). In a technical blog post published on Thursday, Positive Technologies’ Mikhail Klyuchnikov and Nikita Abramov explain how these flaws could lead to all manner of undesirable consequences. “Using these vulnerabilities, an attacker can gain access to sensitive data, disrupt the availability of firewall components or gain access to internal network segments,” the researchers warn.
The flaws were discovered during black box analysis of the firewall web management interface by the two researchers. The CVE-2020-2037 vulnerability stemmed from lack of user input filtering, while the related CVE-2020-2038 security flaw involved insufficient filtering of user inputs. Both could result in remote code execution (RCE) but each was restricted to exploitation only by pre-authorized users, reducing the overall risk.
Another vulnerability allowed any unauthenticated user to conduct denial-of-service (DoS) attacks. The firewall is built with the Nginx web server. The flaw makes it possible to upload multiple files to this server to the point that there is no remaining disc space.
Without any disc space left to make use of, the Palo Alto Networks NGFW web management panel becomes inaccessible - effectively a denial of service, since the whole device can’t be used normally in this scenario. “We tried to open the web management interface but could not log in,” the researchers explain. “Most likely, this happened because PHP failed to create a session file on disk, due to the lack of disk space available. As a result, we were able to conduct a DoS attack on Palo Alto NGFW components acting as an unauthenticated user.”
‘Easily exploitable’ XSS
The fourth vulnerability involved a reflected XSS vulnerability discovered in the script /unauth/php/change_password.php. “The script makes use of the $_SERVER['PHP_SELF'] variable, which is user-controlled,” the researchers explain. “This variable is inserted into an attribute value in the form tag without any filtering, thus making the XSS vulnerability easily exploitable.”
All four of the vulnerabilities have been resolved but each affects different versions of PAN-OS so, short of referring readers to PT’s advisory for details, the best advice for sysadmins is to upgrade to the latest supported version of the software.
In response to queries from The Daily Swig, Palo Alto said customers should review the advisories it published last September (linked above). It also offered a brief comment on its engagement with researchers:
“The security of our customers is our top priority. In September 2020, Palo Alto Networks released patches and published security advisories for remediation. We appreciate the researchers sharing their findings.”
Positive Technologies and Palo Alto are yet to respond to a request for comment. We’ll update this story as and when more information comes to hand.
This story has been updated with comment from Palo Alto Networks
Source: Palo Alto firewall software vulnerability quartet revealed
19. Fifty shades of vulnerable: How to play it safe with your smart sex toy

While you’re living out your fantasies, your internet-enabled sex toy may be setting you up for a privacy nightmare

We did it. Somehow, we got through 2020 and now Valentine’s Day is just around the corner. And yet 2020’s imprint may still be observed everywhere, and – believe it or not – the COVID-19 pandemic may have increased your chances of receiving a new, internet-enabled adult toy for your love nest as this year’s Valentine’s gift.

The pandemic has caused many people to hunker down at home, sometimes away from their partners and unable to carry on with their normal dating and love lives. Even now, some long-distance couples are still dealing with the consequences of travel restrictions and social distancing. In this context, many have turned to new ways of exploring their sexuality or keeping the flame alive through remote-controlled adult toys. After the pandemic hit, the sales of these devices went through the roof, mirroring the recently skyrocketing popularity of sexting applications and other forms of virtual intimacy.

To be sure, internet-connected sex toys, also known as teledildonics, have been looking for a place in the sun – or bedrooms, if you will – for years. The myriad contraptions have been gaining traction as part of the concept of sexnology, a portmanteau of sex and technology. Indeed, it’s safe to say that connected sex tech is here to stay.

On the other hand, much like any other Internet of Things gadget, smart adult toys have considerable privacy and security implications. What’s more, given just how personal these devices are and what kind of data they collect, the potential threats to your privacy are hard to ignore.

How smart are smart sex toys?

When was the last time you googled for smart sex toys? How versatile do you think these toys are – technology-wise?
Well, you needn’t visit online stores and risk an endless parade of pesky and perhaps NSFW advertisements wherever you then go online – we will bring you up to date on the state of the art in this ever-growing industry.

Nowadays, these devices incorporate a wide range of features. For starters, they allow you to grant remote control of your device to others via the mobile app, the browser, or your laptop. Users can also participate in group chats, send multimedia messages and customized patterns, hold videoconferences, synchronize the vibration patterns with a playlist of songs or audiobooks, and connect the gizmos with smart assistants such as Alexa. Some models allow users to synchronize two sex toys so that they replicate each other’s movements, and others are wearables.

When it comes to architecture, most of these devices can be controlled via Bluetooth Low Energy (BLE) from an app installed on a smartphone. Some vendors offer users the possibility to connect to their devices via software on their computers using a special BLE dongle, and you can also use the BLE API in certain browsers to connect to the sex toys using a web app. Then, the app connects through Wi-Fi or the mobile carrier to a server in the cloud, which stores the person’s account information and multimedia files, and of course is responsible for allowing core functionality, such as chatting and videoconferencing.

And this is just the beginning. The latest advances in the sex toy industry include models with VR (virtual reality) capabilities and sex robots that include cameras, microphones, as well as voice analysis capabilities. Actually, the use of robots as replacements for sex workers in brothels is already a reality in some countries.

But let’s go back to the affordable gadgets you might find in local stores nearby and explore the risks of getting and using one.

What happens in the bedroom, stays in the bedroom?
Let’s say you decide to buy your partner one of these smart sex toys as a gift for Valentine’s Day… what could go wrong in terms of your security and privacy?

Well, given the wide range of functionalities these products offer, the attack surface is quite large. There are certain design characteristics that attackers can exploit: the local connection via Bluetooth that is sometimes unprotected, vulnerabilities on the server or in the apps, insecure Wi-Fi connections, and many others. For the sake of conciseness, we will narrow it down to three main attack scenarios:

Executing malicious code on the device

In this case, the attacker could, for example, try to modify the code running inside the gadget – its firmware – to perform malevolent actions. In some cases, the cybercriminal could use the compromised device as a zombie, making it send further malicious commands to other users on the contact list. The attacker could also intend to cause physical harm to the user, for example, by overheating the device.

Intercepting communications and stealing data

The information processed by sex toys and apps is extremely sensitive: names and other contact information, sexual partners, intimate photos, and videos. Also, information about device usage, such as preferred patterns or usage hours, can reveal a user’s sexual preferences. If stolen, these pieces of information could be used against the victim, exposing their intimacy, or even be used for sextortion campaigns.

The attacker could also exploit vulnerabilities in the protocols being used to gather information on the target, or even connect to the device by bypassing poor authentication mechanisms. Imagine a scenario where someone can take control of a sexual device without consent while it’s being used, and even send different commands to the device. Would this be considered sexual assault? Does the current legislation allow for the possibility to punish such behavior?
Performing a denial of service attack

This would ultimately prevent the user from sending any command to the toy. For example, a popular chastity belt was found to contain vulnerabilities last year that would have allowed an attacker to remotely block the device, preventing the user from unlocking it. This actually led to attacks where the attacker first locked the devices and then asked for a ransom to unlock them. This, too, goes to show how serious security and privacy in sex-related platforms are.

Stay safe – use protection!

Now, the big question: How can you tech up your sex life without putting your privacy and security at risk?

As in any other sexting practice, avoid sharing photos or videos in which you can be identified. And, of course, do not post remote control tokens on the Internet. Also, avoid registering for sex apps using an official name or email address that could identify you. In other words, try to be as anonymous as possible.

Always use remote-controlled sex toys in a protected environment and avoid using them in public places or areas with people passing through, like bars or hotels. Also, while using the toy, keep the app connected to it, as this prevents the device from announcing its presence.

Before buying a connected sex toy, be sure to buy a secure device from a trusted vendor. Do some research on the gizmo’s security aspects; for example, use search engines to find out if the toy has a history of serious vulnerabilities. If so, determine if patches are available and if there are frequent updates from the developer. Also, downloading the control apps and trying out their features before buying the device can give you an overview of how secure the app is.

Regarding dating apps, most security measures revolve around common-sense precautions – which you will definitely also need while dating offline! Try to share as little as possible and only what you need to.
We know that creating a profile on Tinder, Happn or any other dating app is very simple. Most of the time we just need to link our account with our Instagram or Facebook profile. However, we must also think that both Facebook and Instagram store photos and personal information related to our tastes and interests that we may not want to share. If you log in with Facebook, Google, or any other account, pay special attention to the various permissions you are granting to the app. Many apps may request more information than your name or email address. Also, be careful when sharing sensitive information such as your location.

Beware of fake profiles. Make sure there is a real person on the other side of the app. For example, you can use a reverse image search in Google or TinEye to verify that the pictures do not belong to someone else or are not used on other websites.

Stay alert for scams. Do not be tempted to move the conversation off the app and to other platforms, since this is one of the most common techniques used by fraudsters. Also, try not to reveal personal information such as phone number or email address, family details, home location, etc. Many dating apps restrict how much profile information you can share, which is a good thing. However, this protection won’t work if you’re convinced by a scammer to share your personal data through other means.

As on any other site or social network, lock down your profile. Use strong and unique passwords for each platform and always enable two-factor authentication.

Finally, whether you choose to play with a smart sex toy or use a dating app, always read the terms and conditions of the applications and websites where you register or to which you send any information. Pay special attention to the sections that describe data collected by the company as well as the processing of such data.
Also, keep your mobile device and the applications always updated, have a security solution installed on them and try to use protected Wi-Fi networks while sharing sensitive information.

Perhaps one last thing to bear in mind – smart sex toys can be fun and a new way of spicing things up in your bedroom. But if you are not planning to let others control the device remotely, just don’t get a smart sex toy – get a regular one.

Source: Fifty shades of vulnerable: How to play it safe with your smart sex toy
20. Vulnerabilities hit record high in 2020, topping 18,000

Analysis of the NIST National Vulnerability Database shows that security teams were under siege defending against an unprecedented number of flaws.

“city under siege, waiting for the new year” by shioshvili is licensed under CC BY-SA 2.0

Security teams were under siege last year, according to research analyzing 2020 NIST data on common vulnerabilities and exposures (CVEs) that found more security flaws – 18,103 – were disclosed in 2020 than in any other year to date.

To understand the significance, there were far more “critical” and “high severity” vulnerabilities in 2020 (10,342) than the total number of all vulnerabilities recorded in 2010 (4,639), according to Redscan, which ran the analysis of NIST’s National Vulnerability Database (NVD). And nearly 4,000 vulnerabilities disclosed in 2020 can be described as “worst of the worst” – meeting the worst criteria in all NVD filter categories.

“The trend lines are clear,” said Yaniv Bar-Dayan, co-founder and CEO of Vulcan Cyber. “Vulnerability management is the biggest game of whack-a-mole facing the IT security profession today. Businesses will lose the game unless they have a strategy to address the crush before it is too late.”

Another trend security pros need to address: low complexity CVEs are on the rise, representing 63 percent of vulnerabilities disclosed in 2020. And vulnerabilities that require no user interaction to exploit are also growing in number, representing 68 percent of all CVEs recorded in 2020.

Shawn Wallace, vice president of Energy at IronNet, agreed that the high number of low complexity vulnerabilities has become an increasing concern for security teams. He said once they get into the wild, they can easily be exploited by unsophisticated attackers, resulting in massive attacks.
“No security team can keep up with an average of 50 new vulnerabilities posted each day and you won’t be able to cover all the ones that are already out there,” Wallace said. “You have to move to a behavioral-based detection platform so you can see the actions of the adversary and are not solely dependent on CVEs, patching or indicators of compromise for your defense.”

Companies must also increase scrutiny of the practices employed by software vendors, added Charles Herring, co-founder and CTO of WitFoo. Companies must evaluate how their vendors test custom code and also how they use third-party libraries in their products. Until vendors properly prioritize sustainable, secure DevOps, companies must maintain a rigorous cycle of vulnerability detection and mitigation, he said.

“Until we see purchasing organizations hold software vendors accountable for how they source and test source code, the discouraging trends outlined in the NIST NVD report will continue,” Herring contended. “Vendors must take responsibility for all code they bring into their product and establish sustainable hygiene on testing function as well as detecting vulnerabilities early. Until that happens, organizations must own responsibility for the software they use and perform their own vulnerability and penetration testing to uncover the vulnerabilities delivered by their vendors.”

Source: Vulnerabilities hit record high in 2020, topping 18,000
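The counts the article cites (critical/high totals, the share of low-complexity CVEs, the share needing no user interaction, the "worst of the worst" bucket) all come from CVSS v3 fields in the NVD JSON 1.1 feed. The script below is an added example, not Redscan's analysis, that performs that tally on a small constructed feed; the CVE IDs are placeholders and the "worst of the worst" definition (worst value in every CVSS v3 base metric) is this example's assumption.

```python
"""Added example (not Redscan's code): tallying one year of NVD JSON 1.1 data.

Constructed feed only: the CVE IDs are placeholders, not real entries.
"""
import json

# Assumption for "worst of the worst": worst value in every CVSS v3 base metric.
WORST_CASE = {
    "attackVector": "NETWORK",
    "attackComplexity": "LOW",
    "privilegesRequired": "NONE",
    "userInteraction": "NONE",
    "confidentialityImpact": "HIGH",
    "integrityImpact": "HIGH",
    "availabilityImpact": "HIGH",
}


def _item(cve_id, published, v3=None):
    """One NVD 1.1 CVE_Items entry (constructed). v3=None mimics a v2-only CVE."""
    entry = {"cve": {"CVE_data_meta": {"ID": cve_id}},
             "publishedDate": published, "impact": {}}
    if v3 is not None:
        entry["impact"]["baseMetricV3"] = {"cvssV3": v3}
    return entry


def _v3(severity, score, **metrics):
    """cvssV3 block: start from the worst case and override chosen metrics."""
    block = dict(WORST_CASE, version="3.1")
    block.update(metrics)
    block.update(baseSeverity=severity, baseScore=score)
    return block


SAMPLE_FEED = json.dumps({"CVE_Items": [
    # network, no auth, no click, full impact: the "worst of the worst"
    _item("CVE-2020-EXAMPLE-1", "2020-03-04T15:15Z", _v3("CRITICAL", 9.8)),
    # identical except the victim must click something
    _item("CVE-2020-EXAMPLE-2", "2020-06-10T17:15Z",
          _v3("HIGH", 8.8, userInteraction="REQUIRED")),
    # trivially reachable but limited impact
    _item("CVE-2020-EXAMPLE-3", "2020-09-22T12:15Z",
          _v3("MEDIUM", 5.3, confidentialityImpact="LOW",
              integrityImpact="NONE", availabilityImpact="NONE")),
    # full impact but hard to trigger
    _item("CVE-2020-EXAMPLE-4", "2020-11-30T20:15Z",
          _v3("HIGH", 8.1, attackComplexity="HIGH")),
    # scored under CVSS v2 only: no baseMetricV3 block at all
    _item("CVE-2020-EXAMPLE-5", "2020-12-15T09:15Z"),
    # published in another year: must be excluded by the year filter
    _item("CVE-2019-EXAMPLE-6", "2019-12-31T23:15Z", _v3("CRITICAL", 9.8)),
]})


def summarize_year(feed_json, year):
    """Count the article's categories for CVEs published in `year`."""
    stats = {"total": 0, "critical_high": 0, "low_complexity": 0,
             "no_user_interaction": 0, "worst_of_worst": 0, "no_cvss_v3": 0}
    for item in json.loads(feed_json)["CVE_Items"]:
        if not item.get("publishedDate", "").startswith(f"{year}-"):
            continue
        stats["total"] += 1
        v3 = item.get("impact", {}).get("baseMetricV3", {}).get("cvssV3")
        if v3 is None:
            # v2-only entries carry no complexity/interaction fields
            stats["no_cvss_v3"] += 1
            continue
        if v3.get("baseSeverity") in ("CRITICAL", "HIGH"):
            stats["critical_high"] += 1
        if v3.get("attackComplexity") == "LOW":
            stats["low_complexity"] += 1
        if v3.get("userInteraction") == "NONE":
            stats["no_user_interaction"] += 1
        if all(v3.get(k) == v for k, v in WORST_CASE.items()):
            stats["worst_of_worst"] += 1
    return stats


def share(stats, key):
    """Percentage of the year's v3-scored CVEs in `key` (denominator choice
    is this example's assumption; the article does not state Redscan's)."""
    scored = stats["total"] - stats["no_cvss_v3"]
    return round(100 * stats[key] / scored, 1) if scored else 0.0


if __name__ == "__main__":
    s = summarize_year(SAMPLE_FEED, 2020)
    for k, v in s.items():
        print(f"{k:>20}: {v}")
    print(f"low complexity share: {share(s, 'low_complexity')}%")
```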
21. Vulnerabilities in TCP/IP Stacks Allow for TCP Connection Hijacking, Spoofing

Improperly generated ISNs (Initial Sequence Numbers) in nine TCP/IP stacks could be abused to hijack connections to vulnerable devices, according to new research from Forescout.

TCP/IP stacks are critical components that provide basic network connectivity for a broad range of devices, IoT and OT included, and which process all incoming frames and packets. Numerous high-impact vulnerabilities affecting TCP/IP stacks have already been publicly disclosed, including the Ripple20 and URGENT/11 bugs.

In December last year, Forescout’s researchers detailed 33 new vulnerabilities in four open source TCP/IP stacks, collectively called AMNESIA:33. Diving into 11 stacks this time, the researchers discovered that nine of them fail to properly generate ISNs, thus leaving connections open to attacks.

Collectively referred to as NUMBER:JACK, the vulnerabilities affect cycloneTCP, FNET, MPLAB Net, Nucleus NET, Nut/Net, picoTCP, uIP, uC/TCP-IP, and TI-NDKTCPIP (Nanostack and lwIP are not impacted).

ISNs must be randomly generated, so as to ensure the uniqueness of any TCP connection between two devices, and to eliminate collisions and interference with the connection. However, should an attacker be able to guess an ISN, they could hijack an ongoing connection, close a connection (denial of service), or even spoof a new one.

Eight of the identified issues carry a CVSS score of 7.5, namely CVE-2020-27213 (Nut/Net 5.1), CVE-2020-27630 (uC/TCP-IP 3.6.0), CVE-2020-27631 (CycloneTCP 1.9.6), CVE-2020-27632 (NDKTCPIP 2.25), CVE-2020-27633 (FNET 4.6.3), CVE-2020-27634 (uIP 1.0, Contiki-OS 3.0, Contiki-NG 4.5), CVE-2020-27635 (PicoTCP 1.7.0, PicoTCP-NG), and CVE-2020-27636 (MPLAB Net 3.6.1), while the ninth has a CVSS score of 6.5 (CVE-2020-28388 – Nucleus NET 4.3).
“However, the actual severity on a particular device and TCP connection may vary depending on, for example, the use of encrypted sessions and the sensitivity of data exchanged,” Forescout’s researchers note.

The vulnerable stacks are implemented in millions of embedded devices, including IT storage systems, medical devices, remote terminal units (RTUs), and monitoring systems for wind turbines, among others.

Administrators are advised to identify devices that run the vulnerable TCP/IP stacks (Forescout has released an open-source script to aid with discovery), apply the available patches if possible, apply network segmentation to diminish risks, and use end-to-end cryptographic solutions built on top of the Network layer (IPsec).

The identified vulnerabilities were reported to the affected vendors and maintainers in October last year, and most of them have already released patches to address the bugs, except for the Nut/Net developers, who are still working on a solution, and the uIP developers, who never replied to Forescout.

“Unfortunately, this type of vulnerability is also difficult to fix permanently because of the resource constraints of many embedded devices, and what is considered a secure PRNG today may be considered insecure in the future. Some stack developers opt to rely on system integrators to implement their own ISN generation, which is a fair decision, but which means not all devices using a patched stack will be secure automatically,” the researchers conclude.

Source: Vulnerabilities in TCP/IP Stacks Allow for TCP Connection Hijacking, Spoofing
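The NUMBER:JACK findings come down to ISNs that are constant, counter-like, or otherwise predictable from earlier connections. As an added example (not Forescout's discovery script or any of the affected stacks' code), the following classifies a sample of ISNs observed across successive connections to one host, and shows the standard remedy from RFC 6528 (ISN = clock M plus a keyed hash F of the connection 4-tuple); using HMAC-SHA256 for F rather than the RFC's MD5, and the injected clock value, are this example's own choices, and every ISN sequence is constructed.

```python
"""Added example (not Forescout's script): spotting weak TCP ISN generation.

All ISN sequences below are constructed, not captured from real devices.
"""
import hashlib
import hmac

MASK32 = 0xFFFFFFFF


def isn_deltas(isns):
    """Increment between consecutive ISNs, reduced modulo 2^32."""
    return [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]


def classify_isn_generator(isns, min_samples=8, window=1 << 16):
    """Classify ISN behaviour from a sample of observed values.

    Returns one of:
      'constant'           every connection gets the same ISN
      'linear'             fixed increment per connection (a plain counter)
      'counter-like'       increments jitter but stay inside `window`, so the
                           next ISN is guessable to within a small range
      'no obvious pattern' nothing found here; not a proof of randomness
    """
    if len(isns) < min_samples:
        raise ValueError(f"need at least {min_samples} ISNs, got {len(isns)}")
    deltas = isn_deltas(isns)
    if all(d == 0 for d in deltas):
        return "constant"
    if len(set(deltas)) == 1:
        return "linear"
    if max(deltas) - min(deltas) < window:
        return "counter-like"
    return "no obvious pattern"


def rfc6528_isn(src_ip, src_port, dst_ip, dst_port, secret, micros):
    """RFC 6528-style ISN: M (4-microsecond clock) + F(4-tuple, secret).

    F is HMAC-SHA256 truncated to 32 bits (this example's choice; the RFC
    text uses MD5). `micros` is passed in so results are reproducible.
    """
    four_tuple = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode()
    f = int.from_bytes(
        hmac.new(secret, four_tuple, hashlib.sha256).digest()[:4], "big")
    m = (micros // 4) & MASK32
    return (m + f) & MASK32


def sample_isns(kind, n=16):
    """Constructed ISN sequences imitating the generator kinds above."""
    if kind == "constant":
        return [0x00C0FFEE] * n
    if kind == "linear":
        return [(0x1000 + 64000 * i) & MASK32 for i in range(n)]
    if kind == "jittered":
        # counter with a little per-connection noise: still guessable
        return [(0x1000 + 64000 * i + (i * 7919) % 1000) & MASK32
                for i in range(n)]
    if kind == "rfc6528":
        secret = b"constructed-example-secret"  # placeholder, not a real key
        return [rfc6528_isn("10.0.0.5", 40000 + i, "10.0.0.9", 443, secret,
                            micros=1_700_000_000_000_000 + 20_000 * i)
                for i in range(n)]
    raise ValueError(f"unknown sample kind: {kind}")


if __name__ == "__main__":
    for kind in ("constant", "linear", "jittered", "rfc6528"):
        print(f"{kind:>9}: {classify_isn_generator(sample_isns(kind))}")
```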
22. Intel fixes vulnerabilities in Windows, Linux graphics drivers

Intel addressed 57 security vulnerabilities during this month's Patch Tuesday, including high severity ones impacting Intel Graphics Drivers.

Forty of them were found internally by Intel, while the other 17 were externally reported, almost all through Intel's Bug Bounty program.

The security bugs are detailed in the 19 security advisories published by Intel on its Product Security Center, with security and functional updates being delivered to users through the Intel Platform Update (IPU) process.

Intel includes a list of all impacted products and recommendations for vulnerable products at the end of each advisory. The company also provides contact details for users and researchers who want to report other security issues or vulnerabilities found in Intel branded technology or products.

"While you may be able to retrieve these updates direct from Intel, we recommend that you check with your system manufacturer for updates specific to your system," Intel's Director of Communications Jerry Bryant said. "Find links to system manufacturer support sites here."

February 2021 Intel Platform Update highlights

"The bulk of advisories this month are software driver updates for graphics components and firmware/software updates for ethernet components," Bryant said.

The vulnerability with the highest severity rating (8.8/10) is tracked as CVE-2020-0544 and it enables authenticated attackers to escalate privileges via local access. The bug behind it is an insufficient control flow management issue in the kernel mode driver for some Intel graphics drivers prior to version

Intel graphics driver vulnerabilities patched this month affect multiple Intel processor generations up to the 10th generation, codenamed Comet Lake, and impact several Windows and Linux driver versions.
On Tuesday, Apple also released security updates that fix two arbitrary code execution vulnerabilities in Intel graphics drivers.

Intel microcode updates for Windows

Microsoft has also released Intel microcode updates for Windows 10 20H2, 2004, 1909, and older versions to fix issues impacting current and previously released Windows 10 versions.

These microcode updates are offered to affected devices via Windows Update, but they can also be manually downloaded directly from the Microsoft Catalog using these links:

• KB4589212: Intel microcode updates for Windows 10, version 2004 and 20H2, and Windows Server, version 2004 and 20H2
• KB4589211: Intel microcode updates for Windows 10, version 1903 and 1909, and Windows Server, version 1903 and 1909
• KB4589208: Intel microcode updates for Windows 10, version 1809 and Windows Server 2019
• KB4589206: Intel microcode updates for Windows 10, version 1803
• KB4589210: Intel microcode updates for Windows 10, version 1607 and Windows Server 2016
• KB4589198: Intel microcode updates for Windows 10, version 1507

However, it is important to mention that similar updates are known to have caused system hangs and performance issues on older CPUs in the past due to the way the issues were mitigated.

Source: Intel fixes vulnerabilities in Windows, Linux graphics drivers
23. Google Launches Database for Open Source Vulnerabilities

Google last week announced the launch of OSV (Open Source Vulnerabilities), which the internet giant has described as a vulnerability database and triage infrastructure for open source projects.

OSV should make it easier for the users of open source software to find out which vulnerabilities impact them. It can also help maintainers of open source software accurately identify all versions and commits impacted by a flaw across all their branches.

For consumers, Google says OSV provides a database that can be easily queried, with its goal being to complement existing vulnerability databases.

“OSV automates the triage workflow for an open source package consumer by providing an API to query for vulnerabilities,” Google’s security team said in a blog post.

In the case of maintainers, they can obtain information on the impact of vulnerabilities by providing the commit that introduced a bug and the commit that patched it.

“Unfortunately, many open source projects, including ones that are critical to modern infrastructure, are under resourced and overworked. Maintainers don't always have the bandwidth to create and publish thorough, accurate information about their vulnerabilities even if they want to,” Google’s security experts said.

OSV currently stores information on thousands of vulnerabilities from more than 380 critical open source projects integrated with Google’s OSS-Fuzz fuzzing service. However, the company wants to extend it with data from repositories such as npm Registry and PyPI. It also wants to make it very easy for developers to submit information on vulnerabilities.

“Our goal with OSV is to rethink and promote better, scalable vulnerability tracking for open source. In an ideal world, vulnerability management should be done closer to the actual open source development process, aided by automated infrastructure.
Projects that depend on open source should be promptly notified and fixes uptaken quickly when a vulnerability is reported,” Google said.

Source: Google Launches Database for Open Source Vulnerabilities
24. Geeni smart doorbells, cameras riddled with flaws, research finds

Geeni Camera Doorbell

Walmart and Amazon are continuing to sell faulty smart doorbells and cameras filled with vulnerabilities that could expose customers’ sensitive information, according to research published Thursday.

The vulnerabilities, found in Geeni- and Merkury-branded security cameras and smart doorbells, would allow attackers to take full control of devices and remotely disable cameras through a denial of service attack in some cases, according to the research. In others, the flaws could allow for the disclosure of sensitive information and unauthenticated access. Some other exploits would allow attackers to gain remote access to a stream of one of the affected doorbell cameras.

The flaws variously affect Merkury/Geeni doorbell models GNC-CW013, GNC-CW025 and MI-CW024 and camera models GNC-CW003, GNC-CW010, GNC-CW028 and MI-CW017, according to the research. Merkury is Geeni’s parent company.

Security cameras and doorbells that connect to the internet have been plagued by flaws for years. Just last month a TechCrunch investigation revealed that Amazon’s Ring doorbell app Neighbors could expose users’ location and home addresses. Two years ago Ring customers’ passwords were exposed in a massive leak that could allow third parties to access live camera feeds.

The research — conducted by TJ O’Connor, an assistant professor and the Cybersecurity Program Chair and Director of the IoT (internet of things) Security and Privacy Lab at Florida Institute of Technology, and his graduate student Daniel Campos — is a reminder that just because a security product is available for sale in popular retail stores, privacy and security may not be guaranteed.

O’Connor and Campos disclosed the flaws to MITRE and the company, Merkury Innovations, last November, but they have not yet been fixed, as The Washington Post first reported.
Merkury spokesperson Sol Hedaya told CyberScoop in a statement that fixes should be available later this month.

“We regularly update the security of our app and devices. We often work with security researchers like this to address theoretical vulnerabilities, and deeply appreciate the way in which the issues are raised and the ability to rectify and address them in a responsible manner,” Hedaya said, adding “we have no known exploits of any of these vulnerabilities.”

In the meantime, the flaws, some of which would leave no trace if exploited, are placing user security and privacy at risk, argues ReFirm Labs, whose software the researchers used to probe the products.

“Backdoors like these will be used to completely violate consumers’ privacy by criminals, and put citizens’ security at risk when used by nation state hackers,” ReFirm Labs stated in a blog post.

Some of the flaws the researchers found could be exploited if attackers used default accounts to connect to vulnerable systems, due to default and static passwords being built into the firmware or because of static usernames and passwords being stored in a shared library, according to the research.

It’s a status quo that needs to change and retailers should step up, argues ReFirm Labs. Retailers could, for instance, use systematized labeling to alert customers to trustworthy products.

“Just as you expect products you buy from name brand stores won’t catch on fire and burn down your house, consumers should demand that those same products won’t spy on them,” ReFirm Labs said. “Retailers have an obligation to be proactive in pushing for proper cybersecurity in the IoT devices they sell.”

The security of internet-connected devices is an issue that has gained the attention of lawmakers on Capitol Hill.
But while lawmakers recently passed a bill that would address the security of internet of things devices in federal government purchases, there is still no federal legislation that addresses the conditions under which IoT devices can be sold to consumers safely.

Source: Geeni smart doorbells, cameras riddled with flaws, research finds
25. Skype ‘spoofing vulnerabilities’ are a haven for social engineering attacks, security researcher claims

Microsoft doesn’t feel the bugs are important enough to fix immediately, although one researcher disagrees

Several purported security flaws in Skype have been disclosed publicly, but Microsoft claims they do not need “immediate security servicing”.

On February 2, researcher “mr.d0x,” also known as “TheCyberSecurityTutor”, publicly disclosed a “plague” of spoofing vulnerabilities in the Microsoft-owned remote chat and video app.

The researcher first began examining Skype in the second week of January and quickly found that the application’s messaging functionality does not have adequate protection against tampering. As a result, it is possible to spoof links, file names, file sizes, and shared contacts on thick clients, web sessions, and on mobile.

Content spoofing

According to the researcher, tampering is possible by sending content you want to spoof, intercepting subsequent requests, and forwarding with modified code – such as by modifying href and key attributes, as well as by intercepting spoofed content and changing values such as OriginalName, FileSize, and file extensions.

When it comes to spoofing shared contacts, this can be achieved by sharing a contact, intercepting the request, and modifying either the display name or username, which will, in turn, be reflected to the recipient.

The researcher also accidentally uncovered a means to crash a conversation on thick and web clients. If “too many” tags are added to the content value, this will render a chat session unresponsive and “fully inaccessible” for both an attacker and victim.

Another interesting spoof is the opportunity to spear-phish using Skype’s domain name.
Mr.d0x explained that once a file has been shared between chat participants, it is uploaded to Skype servers and access is maintained – but if a target has an active Microsoft Outlook session, an attacker could email the link to the file, intercept it, and once again tamper with the request.

“Skype’s domain is trusted and so you won’t have to worry about your link being flagged by email providers,” the researcher noted.

In addition, mr.d0x discovered a way to spoof a domain and break out of the Skype chat bubble.

Mixed messages

The findings were submitted on January 13 to Microsoft’s spoofing and tampering report categories, but the Redmond-based tech giant rejected the reports. The spear-phishing bug was submitted separately under tampering two days later, and this was also rejected.

“Microsoft’s point of view is that because these vulnerabilities revolve around tricking a user into doing something they’re not as critical,” mr.d0x told The Daily Swig.

“All of these low-level spoofing techniques rely on the victim clicking on a link from the attacker and bypassing any security warnings shown in the application,” a Microsoft spokesperson told The Daily Swig.

Offering additional context as to why these issues were not deemed security vulnerabilities, the company said that users are presented with several warnings when these techniques are run. For example, hovering over a spoofed link will show the true link, while users are also shown a warning to only download files from people they trust.

Future fix

While potentially of low impact, the bugs are still active. According to the researcher, Microsoft did not consider the vulnerabilities “to be serious enough for immediate remediation, but [they] will be fixed in future versions”.

Mr.d0x, however, does not agree with Microsoft’s assessment, telling us that as a user of Microsoft products, he should “not have to double check whether the content I’m being sent is spoofed or not”.
“Microsoft is relying on other factors such as your browser (when you download a file) or a user's vigilance to defend against these vulnerabilities when in reality the first security check should be coming from the product itself,” mr.d0x commented.

The Microsoft spokesperson added: “We encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.”

Source: Skype ‘spoofing vulnerabilities’ are a haven for social engineering attacks, security researcher claims