Showing results for tags 'vulnerability'.

1. Critical Microsoft Hyper-V bug could haunt orgs for a long time

Technical details are now available for a vulnerability that affects Hyper-V, Microsoft's native hypervisor for creating virtual machines on Windows systems and in the Azure cloud computing environment.

Currently tracked as CVE-2021-28476, the security issue has a critical severity score of 9.9 out of 10. Exploiting it on unpatched machines can have a devastating impact, as it allows crashing the host (denial of service) or executing arbitrary code on it.

Terminate VMs or take full control

The bug is in Hyper-V's network switch driver (vmswitch.sys) and affects Windows 10 and Windows Server 2012 through 2019. It emerged in a build from August 2019 and received a patch earlier this year, in May.

Public details about the flaw are scarce at the moment, but in a blog post today, researchers Peleg Hadar of SafeBreach and Ophir Harpaz of Guardicore explain where the fault is and why it is exploitable. The two researchers found the bug together and disclosed it privately to Microsoft.

The flaw stems from the fact that Hyper-V's virtual switch (vmswitch) does not validate the value of an OID (object identifier) request that is intended for a network adapter (external or connected to vmswitch). An OID request can include hardware offloading, Internet Protocol security (IPsec), and single root I/O virtualization (SR-IOV) requests.

"While processing OID requests, vmswitch traces their content for logging and debugging purposes; this also applies to OID_SWITCH_NIC_REQUEST. However, due to its encapsulated structure, vmswitch needs to have special handling of this request and dereference OidRequest to trace the inner request as well. The bug is that vmswitch never validates the value of OidRequest and can thus dereference an invalid pointer," Harpaz explains.

An attacker successfully leveraging this vulnerability needs to have access to a guest virtual machine (VM) and send a specially crafted packet to the Hyper-V host. The result can be either crashing the host, which terminates all the VMs running on top of it, or gaining remote code execution on the host, which gives complete control over it and the attached VMs.

Orgs are slow to patch

While the Azure service is safe from this issue, some local Hyper-V deployments are likely still vulnerable, as not all admins update Windows machines when patches come out.

Harpaz told BleepingComputer that vulnerabilities that remain unpatched for years on machines in enterprise networks are a common encounter for Guardicore. One of the most common examples is EternalBlue, which became known in April 2017, had been patched a month earlier, and was leveraged in the destructive WannaCry and NotPetya cyberattacks.

"There are so many Windows Servers today that are vulnerable to well-known bugs, I won't be surprised if this bug stays unpatched for a very long time in organizations" - Ophir Harpaz

Harpaz and Hadar are scheduled for a presentation at the Black Hat security conference on August 4 on their research and how they found the vulnerability using an in-house fuzzing program called hAFL1.

Source: Critical Microsoft Hyper-V bug could haunt orgs for a long time

2. Microsoft shares workaround for Windows 10 SeriousSAM vulnerability

Microsoft has shared workarounds for a Windows 10 zero-day vulnerability dubbed SeriousSAM that can let attackers gain admin rights on vulnerable systems and execute arbitrary code with SYSTEM privileges.

As BleepingComputer previously reported, a local elevation of privilege bug (dubbed SeriousSAM) found in recently released Windows versions allows users with low privileges to access sensitive Registry database files.

Affects Windows 10 versions released since 2018

The security flaw, publicly disclosed by security researcher Jonas Lykkegaard on Twitter and yet to receive an official patch, is now tracked by Microsoft as CVE-2021-36934.

"An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database," Microsoft explains in a security advisory published on Tuesday evening.

"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability."

As Microsoft further revealed, this zero-day vulnerability impacts Windows releases since October 2018, starting with Windows 10, version 1809. Lykkegaard also found that Windows 11 (Microsoft's not yet officially released OS) is also impacted.

Workarounds now available

The databases exposed to user access by this bug (i.e., SYSTEM, SECURITY, SAM, DEFAULT, and SOFTWARE) are stored under the C:\Windows\system32\config folder.

Mimikatz creator Benjamin Delpy told BleepingComputer that anyone could easily take advantage of the incorrect file permissions to steal an elevated account's NTLM hashed password and gain higher privileges via a pass-the-hash attack.

While attackers can't directly access the databases due to access violations triggered by the files always being in use by the OS, they can access them through shadow volume copies.

Microsoft recommends restricting access to the problematic folder AND deleting Volume Shadow Copy Service (VSS) shadow copies to mitigate this issue. Users should be aware that removing shadow copies from their systems could impact system and file restore operations, such as restoring data using third-party backup apps.

These are the steps needed to block exploitation of this vulnerability temporarily:

  1. Restrict access to the contents of %windir%\system32\config:
     • Open Command Prompt or Windows PowerShell as an administrator.
     • Run this command: icacls %windir%\system32\config\*.* /inheritance:e
  2. Delete Volume Shadow Copy Service (VSS) shadow copies:
     • Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
     • Create a new System Restore point (if desired).

Microsoft is still investigating the vulnerability and is working on a patch that will most likely be released as an out-of-band security update later this week.

"We are investigating and will take appropriate action as needed to help keep customers protected," Microsoft told BleepingComputer.

Source: Microsoft shares workaround for Windows 10 SeriousSAM vulnerability

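The two-step workaround above, written out as an added example that is not part of the article or of Microsoft's advisory: a Windows PowerShell script that first reports whether BUILTIN\Users holds read access on each registry hive file and how many VSS shadow copies exist, and only runs the icacls and shadow-copy removal steps when invoked with -Apply. The hive list, the SID-based check, the -Apply switch and the script name are assumptions made here; the icacls command itself is the one Microsoft gives.

```powershell
<#
  Added example (not from the article or from Microsoft's advisory).
  Audits the SeriousSAM / CVE-2021-36934 condition and, with -Apply, performs
  the two workaround steps the article lists. Run from an elevated Windows
  PowerShell 5.1 prompt; saved here as Invoke-SeriousSamWorkaround.ps1
  (hypothetical file name).
#>
[CmdletBinding()]
param(
    # Report only by default; -Apply runs icacls and deletes shadow copies.
    # Deleting shadow copies also removes existing System Restore points.
    [switch]$Apply
)

$configDir = Join-Path $env:windir 'System32\config'
# Hive files the article names as exposed (assumed complete for this check).
$hives    = 'SAM', 'SECURITY', 'SYSTEM', 'SOFTWARE', 'DEFAULT'
$usersSid = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users

function Test-HiveReadableByUsers {
    param([string]$Path)
    # Reading the security descriptor needs only READ_CONTROL, so this works
    # even though the hive itself is held open exclusively by the OS.
    $acl      = Get-Acl -LiteralPath $Path
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -eq $usersSid -and (([int]$ace.FileSystemRights -band [int]$readData) -ne 0)) {
            return $true
        }
    }
    return $false
}

# 1. Per-hive report: a True in UsersCanRead means the permissive ACL is present.
$report = foreach ($hive in $hives) {
    $path = Join-Path $configDir $hive
    if (Test-Path -LiteralPath $path) {
        [pscustomobject]@{ Hive = $hive; UsersCanRead = (Test-HiveReadableByUsers -Path $path) }
    }
}
$report | Format-Table -AutoSize

# 2. Shadow copies are what let a low-privileged user read the hives despite
#    the exclusive lock, so count them as well.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
Write-Host ("Shadow copies present: {0}" -f $shadows.Count)

if (-not $Apply) {
    Write-Host 'Report only. Re-run with -Apply to restrict access and remove shadow copies.'
    return
}

# Step 1 (Microsoft's command): re-enable ACL inheritance on the hive files so
# they take the restrictive permissions of the config directory.
icacls "$configDir\*.*" /inheritance:e | Out-Null

# Step 2: delete existing shadow copies and restore points, which still hold
# readable copies of the hives as they were before step 1.
vssadmin delete shadows /all /quiet | Out-Null

# Optional: create a fresh restore point once access is restricted (Windows
# PowerShell only; requires System Protection to be enabled on the system drive).
if (Get-Command Checkpoint-Computer -ErrorAction SilentlyContinue) {
    Checkpoint-Computer -Description 'After CVE-2021-36934 workaround' -RestorePointType MODIFY_SETTINGS
}
```

Run it once without -Apply to see whether the condition exists on a given machine (the report is also useful as evidence before and after patching), then with -Apply to carry out the workaround; the report is deliberately separated from the change so the shadow-copy deletion, which the article warns affects restore operations, is never a side effect of just checking.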
3. New Windows 10 vulnerability allows anyone to get admin privileges

Windows 10 and Windows 11 are vulnerable to a local elevation of privilege vulnerability after the discovery that users with low privileges can access sensitive Registry database files.

The Windows Registry acts as the configuration repository for the Windows operating system and contains hashed passwords, user customizations, configuration options for applications, system decryption keys, and more.

The database files associated with the Windows Registry are stored under the C:\Windows\system32\config folder and are broken up into different files such as SYSTEM, SECURITY, SAM, DEFAULT, and SOFTWARE.

As these files contain sensitive information about all user accounts on a device and security tokens used by Windows features, they should be restricted from being viewed by regular users with no elevated privileges. This is especially true for the Security Account Manager (SAM) file, as it contains the hashed passwords for all users on a system, which threat actors can use to assume their identity.

SAM file can be read by anyone

Yesterday, security researcher Jonas Lykkegaard told BleepingComputer he discovered that the Windows 10 and Windows 11 Registry files associated with the Security Account Manager (SAM), and all other Registry databases, are accessible to the 'Users' group that has low privileges on a device.

These low permissions were confirmed by BleepingComputer on a fully patched Windows 10 20H2 device, as shown below.

[Image: File permissions on the SAM file]

With these low file permissions, a threat actor with limited privileges on a device can extract the NTLM hashed passwords for all accounts on a device and use those hashes in pass-the-hash attacks to gain elevated privileges.

As the Registry files, such as the SAM file, are always in use by the operating system, when you attempt to access the file you will receive an access violation, as the files are open and locked by another program.

[Image: Cannot access the open SAM file]

However, as the Registry files, including the SAM, are usually backed up by the Windows shadow volume copies, Lykkegaard says you can access the files through shadow volumes without an access violation.

For example, threat actors can use the following Win32 device namespace path for shadow volume copies to access the SAM file as any user on the computer:

\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM

Security researcher and Mimikatz creator Benjamin Delpy has told BleepingComputer that, using these low and incorrect file permissions along with shadow volume copies of the files, you could easily steal an elevated account's NTLM hashed password to gain higher privileges.

This attack is demonstrated in the video below, created by Delpy and shared with BleepingComputer, which shows Mimikatz using an NTLM hash to gain debug privileges.

In addition to stealing NTLM hashes and elevating privileges, Delpy told BleepingComputer that this low privileged access could allow for further attacks, such as Silver Ticket attacks.

It is unclear why Microsoft changed the permissions on the Registry to allow regular users to read the files. However, Will Dormann, a vulnerability analyst for CERT/CC, and SANS author Jeff McJunkin said Microsoft introduced the permission changes in Windows 10 1809.

Strangely, Dormann stated that when installing a fresh version of Windows 10 20H2 from June, the loose permissions were not present. Therefore, it is not clear whether Microsoft fixed the permission issue for clean installations of Windows but did not fix it when upgrading to new versions.

BleepingComputer has reached out to Microsoft for more information but has not heard back at this time.

Source: New Windows 10 vulnerability allows anyone to get admin privileges

4. Microsoft warns of critical PowerShell 7 code execution vulnerability

Microsoft warns of a critical .NET Core remote code execution vulnerability in PowerShell 7 caused by how text encoding is performed in .NET 5 and .NET Core.

PowerShell provides a command-line shell, a framework, and a scripting language focused on automation for processing PowerShell cmdlets. It runs on all major platforms, including Windows, Linux, and macOS, and it allows working with structured data such as JSON, CSV, and XML, as well as REST APIs and object models.

"Update as soon as possible"

The company says no mitigation measures are available to block exploitation of the security flaw tracked as CVE-2021-26701. Customers are urged to install the updated PowerShell 7.0.6 and 7.1.3 versions as soon as possible to protect their systems from potential attacks.

Microsoft's initial advisory also provides developers with guidance on updating their apps to remove this vulnerability.

"The vulnerable package is System.Text.Encodings.Web. Upgrading your package and redeploying your app should be sufficient to address this vulnerability," Microsoft explained in April when the security flaw was patched.

Any .NET 5, .NET Core, or .NET Framework-based app using a System.Text.Encodings.Web package version listed below is exposed to attacks.

Package Name                 Vulnerable Versions   Secure Versions
System.Text.Encodings.Web    4.0.0 - 4.5.0         4.5.1
System.Text.Encodings.Web    4.6.0 - 4.7.1         4.7.2
System.Text.Encodings.Web    5.0.0                 5.0.1

While Visual Studio also contains the binaries for .NET, it is not vulnerable to this issue, according to Microsoft's security advisory. The update is offered to include the .NET files so that apps built using Visual Studio including .NET functionality will be protected from this security issue.

"If you have questions, ask them in GitHub, where the Microsoft development team and the community of experts are closely monitoring for new issues and will provide answers as soon as possible," Microsoft added.

Microsoft has also recently announced that it would be making it easier to update PowerShell on Windows 10 and Windows Server by releasing future updates through the Microsoft Update service.

Update: Added a link to Microsoft's warning to install the updated versions ASAP.

Source: Microsoft warns of critical PowerShell 7 code execution vulnerability

5. Microsoft finds Netgear router bugs enabling corporate breaches

Attackers could use critical firmware vulnerabilities discovered by Microsoft in some NETGEAR router models as a stepping stone to move laterally within enterprise networks.

The security flaws impact DGN2200v1 series routers running firmware versions before v1.0.0.60 and compatible with all major DSL Internet service providers.

They allow unauthenticated attackers to access unpatched routers' management pages via authentication bypass, gain access to secrets stored on the device, and derive saved router credentials using a cryptographic side-channel attack.

The three bugs "can compromise a network's security—opening the gates for attackers to roam untethered through an entire organization," Microsoft 365 Defender Research Team's Jonathan Bar Or explains.

The security issues were discovered by Microsoft's researchers while reviewing Microsoft Defender for Endpoint's new device discovery fingerprinting capabilities, after noticing that a DGN2200v1 router's management port was being accessed by another device on the network.

"The communication was flagged as anomalous by machine learning models, but the communication itself was TLS-encrypted and private to protect customer privacy, so we decided to focus on the router and investigate whether it exhibited security weaknesses that can be exploited in a possible attack scenario," the researcher added. "In our research, we unpacked the router firmware and found three vulnerabilities that can be reliably exploited."

Vulnerabilities patched by NETGEAR

NETGEAR has fixed the vulnerabilities, with CVSS base scores ranging from high to critical severity, and has published a security advisory with additional details in December.

To download and install the patched firmware for your NETGEAR router, you have to:

  1. Visit NETGEAR Support.
  2. Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears. If you do not see a drop-down menu, make sure that you entered your model number correctly or select a product category to browse for your product model.
  3. Click Downloads.
  4. Under Current Versions, select the download whose title begins with Firmware Version.
  5. Click Download.
  6. Follow the instructions in your product's user manual, firmware release notes, or product support page to install the new firmware.

Last year, security researchers also discovered a zero-day vulnerability in 79 Netgear router models allowing remote attackers to take full control of vulnerable devices.

Source: Microsoft finds Netgear router bugs enabling corporate breaches

6. Microsoft Office MSGraph vulnerability could lead to code execution

Microsoft today will release a patch for a vulnerability affecting the Microsoft Office MSGraph component, responsible for displaying graphics and charts, that could be exploited to execute code on a target machine.

Because the component can be embedded in most Office documents, an attacker can use it to deliver a malicious payload without the need for special functions.

Legacy code

Tracked as CVE-2021-31939, the security flaw is part of a larger set of security vulnerabilities that researchers at Check Point discovered in MSGraph and reported to Microsoft.

The reason the researchers focused on testing MSGraph for security flaws is that it contains code that is at least 17 years old and has an attack surface that is similar to Microsoft Equation Editor, where bugs fixed in 2017 continue to be heavily exploited to this day.

[Image: MSGraph editor embedded in a Microsoft Excel document]

Details about the vulnerability are lacking at this point, as the bug received an identifier only recently. However, Check Point notes in a report today that CVE-2021-31939 is a use-after-free (UAF). This type of flaw consists of incorrect use of dynamic memory during program operation and can lead to arbitrary code execution on the system.

According to the researchers, the issue is in an MSGraph file parsing function, which "is commonly used across multiple different Microsoft Office products, such as Excel (EXCEL.EXE), Office Online Server (EXCELCNV.EXE) and Excel for OSX."

Check Point's public disclosure today includes three other security flaws discovered in the Microsoft Office MSGraph component, all of them patched last month:

  • CVE-2021-31174 - out-of-bounds read (OOBR) vulnerability leading to information disclosure in Microsoft Excel (medium severity); affects MSGraph, Office Online, and Microsoft Excel
  • CVE-2021-31178 - integer underflow to out-of-bounds read (OOBR) vulnerability leading to information disclosure (medium severity)
  • CVE-2021-31179 - memory corruption vulnerability leading to remote code execution (high severity)

All the flaws were discovered through fuzzing, a testing technique where code is bombarded with varied input to find errors and security vulnerabilities. The exceptions generated this way include crashes and memory leaks that could lead to exploitation.

The researchers say that all four vulnerabilities can be embedded in most Office documents, leaving room for multiple attack scenarios, with the vulnerability being triggered once the victim opens a malicious Office file.

"If exploited, the vulnerabilities would grant an attacker the ability to execute malicious code on targets via specially crafted Office documents," Check Point told BleepingComputer.

"Since the entire Office suite has the ability to embed Excel objects, this broadens the attack vector, making it possible to execute such an attack on almost any Office software, including Word, Outlook and others" - Check Point

Check Point reported the vulnerabilities to Microsoft on February 28, and three of them were patched last month. CVE-2021-31939 received its tracking identifier at a later date and is scheduled to receive a patch today.

Source: Microsoft Office MSGraph vulnerability could lead to code execution

7. This is not a drill: VMware vuln with 9.8 severity rating is under attack

Code execution flaw in vCenter is exploited to install web shell on unpatched machines.

A VMware vulnerability with a severity rating of 9.8 out of 10 is under active exploitation. At least one reliable exploit has gone public, and there have been successful attempts in the wild to compromise servers that run the vulnerable software.

The vulnerability, tracked as CVE-2021-21985, resides in the vCenter Server, a tool for managing virtualization in large data centers. A VMware advisory published last week said vCenter machines using default configurations have a bug that, in many networks, allows for the execution of malicious code when the machines are reachable on a port that is exposed to the Internet.

Code execution, no authentication required

On Wednesday, a researcher published proof-of-concept code that exploits the flaw. A fellow researcher who asked not to be named said the exploit works reliably and that little additional work is needed to use the code for malicious purposes. It can be reproduced using five requests from cURL, a command-line tool that transfers data using HTTP, HTTPS, IMAP, and other common Internet protocols.

Another researcher who tweeted about the published exploit told me he was able to modify it to gain remote code execution with a single mouse click. "It will get code execution in the target machine without any authentication mechanism," the researcher said.

I haz web shell

Researcher Kevin Beaumont, meanwhile, said on Friday that one of his honeypots—meaning an Internet-connected server running out-of-date software so the researcher can monitor active scanning and exploitation—began seeing scanning by remote systems searching for vulnerable servers.

About 35 minutes later, he tweeted, "Oh, one of my honeypots got popped with CVE-2021-21985 while I was working, I haz web shell (surprised it's not a coin miner)."

A web shell is a command-line tool that hackers use after successfully gaining code execution on vulnerable machines. Once installed, attackers anywhere in the world have essentially the same control that legitimate administrators have.

Troy Mursch of Bad Packets reported on Thursday that his honeypot had also started receiving scans. On Friday, the scans were continuing, he said.

Under barrage

The in-the-wild activity is the latest headache for administrators who were already under barrage by malicious exploits of other serious vulnerabilities. Since the beginning of the year, various apps used in large organizations have come under attack. In many cases, the vulnerabilities have been zero-days, exploits that were being used before companies issued a patch.

Attacks included Pulse Secure VPN exploits targeting federal agencies and defense contractors, successful exploits of a code-execution flaw in the BIG-IP line of server appliances sold by Seattle-based F5 Networks, the compromise of Sonicwall firewalls, the use of zero-days in Microsoft Exchange to compromise tens of thousands of organizations in the US, and the exploitation of organizations running versions of the Fortinet VPN that hadn't been updated.

Like all of the exploited products above, vCenter resides in potentially vulnerable parts of large organizations' networks. Once attackers gain control of the machines, it's often only a matter of time until they can move to parts of the network that allow for the installation of espionage malware or ransomware.

Admins responsible for vCenter machines that have yet to patch CVE-2021-21985 should install the update immediately if possible. It wouldn't be surprising to see attack volumes crescendo by Monday.

Source: This is not a drill: VMware vuln with 9.8 severity rating is under attack

8. Cross-browser tracking vulnerability tracks you via installed apps

Researchers have developed a way to track a user across different browsers on the same machine by querying the installed applications on the device.

Certain applications, when installed, will create custom URL schemes that the browser can use to launch a URL in a specific application. For example, the custom URL scheme for a Zoom web meeting is zoommtg://, which when opened will prompt the browser to launch the Zoom client, as shown below.

[Image: The application opened via a custom URL handler]

Over a hundred different custom URL handlers configured by applications exist, including Slack, Skype, Windows 10, and even Steam.

Cross-browser tracking using URL schemes

A researcher at FingerprintJS, maker of one of the best-known fingerprinting scripts, has disclosed a vulnerability that allows a website to track a device's user between different browsers, including Chrome, Firefox, Microsoft Edge, Safari, and even Tor.

"Cross-browser anonymity is something that even a privacy conscious internet user may take for granted. Tor Browser is known to offer the ultimate in privacy protection, though due to its slow connection speed and performance issues on some websites, users may rely on less anonymous browsers for their everyday surfing," explains a new vulnerability report by FingerprintJS' Konstantin Darutkin.

"They may use Safari, Firefox or Chrome for some sites, and Tor for sites where they want to stay anonymous. A website exploiting the scheme flooding vulnerability could create a stable and unique identifier that can link those browsing identities together."

To perform cross-browser tracking using scheme flooding, a website builds a profile of applications installed on a device by attempting to open their known URL handlers and checking whether the browser launches a prompt. If a prompt is launched to open the application, then it can be assumed that the specific app is installed.

By checking for different URL handlers, a script can use the detected applications to build a unique profile for your device. As the installed applications on a device are the same regardless of the browser you are using, this could allow a script to track a user's browser usage on both Google Chrome and an anonymizing browser such as Tor.

To test this vulnerability, we visited Darutkin's demo site at schemeflood.com with Microsoft Edge, where a script launches URL handlers for a variety of applications to determine if they are installed. When completed, a unique identifier was shown on the profile page that was also the same for tests using different browsers on the same PC, including Firefox, Google Chrome, and Tor.

[Image: ID generated for my device]

Darutkin's scheme flooding vulnerability currently checks for the following twenty-four applications: Skype, Spotify, Zoom, vscode, Epic Games, Telegram, Discord, Slack, Steam, Battle.net, Xcode, NordVPN, Sketch, Teamviewer, Microsoft Word, WhatsApp, Postman, Adobe, Messenger, Figma, Hotspot Shield, ExpressVPN, Notion, and iTunes.

It is possible that multiple users can have the same combination of installed programs, leading to the same profile ID.

Existing mitigations can be bypassed

Of the four major browsers tested by Darutkin, only Google Chrome had previously added mitigations to prevent this type of attack, by preventing multiple attempts to use URL handlers without a user gesture (interaction).

However, Darutkin discovered that triggering a built-in Chrome extension, such as the Chrome PDF Viewer, bypasses this mitigation.

"The built-in Chrome PDF Viewer is an extension, so every time your browser opens a PDF file it resets the scheme flood protection flag. Opening a PDF file before opening a custom URL makes the exploit functional," explains Darutkin.

Microsoft Edge Program Manager Eric Lawrence has acknowledged the attack, and Chromium and Microsoft engineers are working on a fix in a new bug report.

Until browsers add working mitigations for this attack, the only way to prevent this method of cross-browser tracking is to use a browser on a different device.

Source: Cross-browser tracking vulnerability tracks you via installed apps

9. InternetNZ discloses vulnerability that can be used to carry out cyberattacks

A new vulnerability against authoritative DNS servers has been disclosed by InternetNZ. It includes servers run by top-level domain (TLD) operators, including .nz. InternetNZ says the vulnerability could be exploited to carry out Denial-of-Service (DoS) attacks across the world.

InternetNZ is a non-profit organisation and is the home and guardian for the .nz domain. Its mission is to "create an internet for all New Zealanders that is safe, accessible and a place for good". Its role involves a lot of internet-related work throughout New Zealand, funded by the sales of .nz domain names, including policy work on internet issues faced in New Zealand, providing community grants to support Internet-related projects, conducting research to highlight the state of the internet, and hosting events, such as NetHui, to bring together the internet community.

The vulnerability, called TsuNAME, was noticed in February 2020 in the .nz registry. InternetNZ worked with the global community to have it fixed.

According to InternetNZ, TsuNAME requires three things to be exploited: cyclic dependent NS records, vulnerable resolvers, and user queries, which only start and drive the process.

In February 2020, two .nz domains were unintentionally misconfigured with cyclic dependencies, which resulted in a 50% surge in DNS traffic for all .nz infrastructure. Later, this phenomenon was studied and replicated by an international group of researchers from InternetNZ, SIDN Labs (InternetNZ's counterpart from the Netherlands, the organisation running .nl), and the University of Southern California Information Sciences Institute (USC/ISI). Further tests showed that the conditions for an attack event are easy to create, and the consequences are serious.

"Google Public DNS was the main affected party by this vulnerability," says InternetNZ's chief scientist Sebastian Castro. "They received a private responsible disclosure from our group in October 2020 and have repaired their code since then," he says. "We also reached out to Cisco, whose Public DNS was affected as well, and it is now fixed," Castro adds.

During February 2021, the group reached out privately to the DNS and registry community, including other country code top-level domains (ccTLDs), to make them aware of the vulnerability so that they could prepare. The TsuNAME group developed a security advisory paper and an open-source detection tool called Cycle Hunter, and TLDs all around the world have been using it to detect and remove cyclic dependencies.

"This underground work of months shows our organisation's commitment to a better internet, where issues that can affect others are identified and fixed," Castro says. "Our work is not finished yet."

Source: InternetNZ discloses vulnerability that can be used to carry out cyberattacks

10. A New Facebook Bug Exposes Millions of Email Addresses

A recently discovered vulnerability discloses user email addresses even when they're set to private.

Still smarting from last month's dump of phone numbers belonging to 500 million Facebook users, the social media giant has a new privacy crisis to contend with: a tool that, on a massive scale, links Facebook accounts with their associated email addresses, even when users choose settings to keep them from being public.

A video circulating on Tuesday showed a researcher demonstrating a tool named Facebook Email Search v1.0, which he said could link Facebook accounts to as many as 5 million email addresses per day. The researcher—who said he went public after Facebook said it didn't think the weakness he found was "important" enough to be fixed—fed the tool a list of 65,000 email addresses and watched what happened next.

"As you can see from the output log here, I'm getting a significant amount of results from them," the researcher said as the video showed the tool crunching the address list. "I've spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 [email] accounts."

Ars obtained the video on condition the video not be shared. A full audio transcript appears at the end of this post.

In a statement, Facebook said: "It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings."

A Facebook representative didn't respond to a question asking if the company told the researcher it didn't consider the vulnerability important enough to warrant a fix. The representative said Facebook engineers believe they have mitigated the leak by disabling the technique shown in the video.

The researcher, whom Ars agreed not to identify, said that Facebook Email Search exploited a front-end vulnerability that he reported to Facebook recently but that "they [Facebook] do not consider to be important enough to be patched." Earlier this year, Facebook had a similar vulnerability that was ultimately fixed. "This is essentially the exact same vulnerability," the researcher says. "And for some reason, despite me demonstrating this to Facebook and making them aware of it, they have told me directly that they will not be taking action against it."

Facebook has been under fire not just for providing the means for these massive collections of data, but also for actively promoting the idea that they pose minimal risk to Facebook users. An email that the company inadvertently sent to a reporter at the Dutch publication DataNews instructed public relations people to "frame this as a broad industry issue and normalize the fact that this activity happens regularly." Facebook has also made the distinction between scraping and hacks or breaches.

It's not clear if anyone actively exploited this bug to build a massive database, but it certainly wouldn't be surprising. "I believe this to be quite a dangerous vulnerability, and I would like help in getting this stopped," the researcher said.

Here's the written transcript of the video:

So, what I would like to demonstrate here is an active vulnerability within Facebook, which allows malicious users to query email addresses within Facebook, and have Facebook return any matching users. This works with a front-end vulnerability with Facebook, which I've reported to them, made them aware of, um, that they do not consider to be important enough to be patched—which I would consider to be quite a significant privacy violation and a big problem. This method is currently being used by software which is available right now within the hacking community.

Currently it's being used to compromise Facebook accounts for the purpose of taking over Pages, groups and, uh, Facebook advertising accounts for obviously monetary gain. I've set up this visual example within no JS. What I've done here is I've taken 250 Facebook accounts, newly registered Facebook accounts, which I've purchased online for about $10. I have queried or I'm querying 65,000 email addresses. And as you can see from the output log here, I'm getting a significant amount of results from them. If I have a look at the output file, you can see I have a user ID, name and the email address matching the input email addresses, which I have used. Now I have, as I say, I've spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 accounts. I have tested this at a larger scale, and it is possible to use this to extract feasibly up to 5 million email addresses per day.

Now there was an existing vulnerability with Facebook earlier this year, which was patched. This is essentially the exact same vulnerability. And for some reason, despite me demonstrating this to Facebook and making them aware of it, they have told me directly that they will not be taking action against it. So I am reaching out to people such as yourselves, in hope that you can use your influence or contacts to get this stopped, because I am very, very confident this is not only a huge privacy breach, but this will result in a new, another large data dump, including emails, which is going to allow undesirable parties, not only to have these email-to-user ID matches, but to append the email address to phone numbers, which have been available in previous breaches. I'm quite happy to demonstrate the front-end vulnerability so you can see how this works. I'm not going to show it in this video, simply because I don't want the video to be, um, I don't want the method to be exploited. But I would be quite happy to demonstrate it if that is necessary.

But as you can see, it continues to output more and more and more. I believe this to be quite a dangerous vulnerability, and I would like help in getting this stopped.

Source: A New Facebook Bug Exposes Millions of Email Addresses
11. WhatsApp Vulnerability Discovered That Could Allow Attackers to Suspend Your Account Remotely

WhatsApp has suggested that users could avoid the problem by providing their email address with two-step verification.

WhatsApp users are at risk even if they've enabled two-factor authentication (2FA) on their accounts.

WhatsApp has been found to have a vulnerability that can allow an attacker to suspend your account remotely using only your phone number. The flaw, now identified by security researchers, appears to have existed in the instant messaging app for quite some time and stems from two fundamental weaknesses. A large number of WhatsApp users are said to be at risk, as a remote attacker can deactivate WhatsApp on your phone and then prevent you from activating it again. The vulnerability can be exploited even if you've enabled two-factor authentication (2FA) for your WhatsApp account.

Security researchers Luis Márquez Carpintero and Ernesto Canales Pereña discovered the flaw that can allow attackers to remotely suspend your WhatsApp account. As first reported by Forbes, the researchers found that the flaw exists in the instant messaging app because of two fundamental weaknesses.

The first weakness allows the attacker to enter your phone number into WhatsApp installed on their own phone. This will, of course, not give them access to your WhatsApp account unless they obtain the six-digit registration code sent to your phone. Multiple failed attempts to sign in using your phone number will also block code entry on the attacker's phone for 12 hours. However, while the attacker cannot repeat the sign-in process with your phone number, they can contact WhatsApp support to deactivate your phone number from the app. All they need is a new email address and a simple email stating that the phone has been stolen or lost.

In response to that email, WhatsApp asks for a confirmation, which the attacker promptly provides. This deactivates your WhatsApp account, meaning that you can no longer access the instant messaging app on your phone. Enabling 2FA on your WhatsApp account does not prevent this, because the account has apparently been deactivated through the email sent by the attacker rather than through a sign-in.

In a regular deactivation case, you can reactivate your WhatsApp account by verifying your phone number. This is not possible, however, if the attacker has already locked the verification process for 12 hours by making multiple failed sign-in attempts to your account: you are also blocked from receiving a new registration code on your phone number for 12 hours. The attacker can repeat the failed sign-in attempts to extend the block for another 12 hours when the first one expires. In other words, WhatsApp treats your phone the same way it treats the attacker's and blocks sign-in access for both. Your only option to get your WhatsApp account back is to contact the messaging app over email.

A WhatsApp spokesperson told Gadgets 360 that users could avoid having their accounts deactivated by attackers using the newly discovered flaw by registering their email address with their account via two-step verification. "Providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem. The circumstances identified by this researcher would violate our terms of service and we encourage anyone who needs help to email our support team so we can investigate," the spokesperson said. However, WhatsApp has not provided any details on whether it is fixing the vulnerability to limit its impact on users.

It is currently unclear whether an attacker has exploited the vulnerability in the wild. However, now that details of the flaw are public, it could easily be leveraged to stop anyone from using WhatsApp — at least for a few hours. WhatsApp has a massive user base of more than two billion users worldwide, with over 400 million users in India alone. Most users are unlikely to have registered email addresses with their accounts at this point, so the scope of the reported vulnerability is quite wide.

Source: WhatsApp Vulnerability Discovered That Could Allow Attackers to Suspend Your Account Remotely
12. Trustwave Uncovers Vulnerability in Popular Website CMS

Cybersecurity firm Trustwave has uncovered a security vulnerability in the popular website CMS Umbraco. In a blog post on its website, Trustwave researchers outlined the details of a privilege escalation issue that allows low-privileged users to elevate themselves to the status of admin.

The problem resides in an API endpoint that does not properly check the user's authorization before returning results from the application's logging section. In the CMS, higher-privileged users, i.e. administrators, are able to view log data in the administrative UI, which contains any information written to the application logs.

To test the risk of any of this information being leaked, the administrator creates a lower-privileged user who is placed into the Writers group. This user can only view the content tab, indicating the intent to limit what Writers can do or see within the application. The low-privileged user then authenticates to the application and is issued the cookies and headers needed to access it; these identifiers then let the low-privileged user call the API endpoint, which returns log data that should only be available to the administrator.

Trustwave revealed that the cause was that, in Umbraco.Web.dll, the LogViewerController class applies no granular authorization attributes to its exposed endpoints, leaving numerous endpoints accessible to lower-privileged users. Jonathan Yarema, managing consultant, SpiderLabs at Trustwave, commented in the blog: "Conversely, there are other areas which do protect resources such as the UsersController wherein some methods are explicitly limited to Administrative users ("[AdminUsersAuthorize]" attribute) or must otherwise give permission to the controller ("[UmbracoApplicationAuthorize]"). A similar approach should be used for the LogViewerController to limit unauthorized access to its data."

The issue has been observed in Umbraco versions 8.9.0 and 8.6.3.

Source: Trustwave Uncovers Vulnerability in Popular Website CMS
13. T-Mobile, Verizon, AT&T Stop SMS Hijacks After Motherboard Investigation

All the major mobile carriers have mitigated a major SMS security loophole that allowed a hacker to hijack text messages for just $16.

All of the major carriers have made a significant change to how SMS messages are routed in order to prevent hackers from easily rerouting a target's texts, according to an announcement from Aerialink, a communications company that helps route text messages. The move comes after a Motherboard investigation in which a hacker, with minimal effort, paid $16 to reroute our text messages and then used that ability to break into a number of online accounts, including Postmates, WhatsApp, and Bumble, exposing a gaping hole in the country's telecommunications infrastructure.

"The Number Registry has announced that wireless carriers will no longer be supporting SMS or MMS text enabling on their respective wireless numbers," the March 25 announcement from Aerialink reads. The announcement adds that the change is "industry-wide" and "affects all SMS providers in the mobile ecosystem."

"Be aware that Verizon, T-Mobile and AT&T have reclaimed overwritten text-enabled wireless numbers industry-wide. As a result, any Verizon, T-Mobile or AT&T wireless numbers which had been text-enabled as BYON no longer route messaging traffic through the Aerialink Gateway," the announcement adds, referring to Bring Your Own Number.

T-Mobile, Verizon, and AT&T did not immediately respond to a request for comment. Neither did the Federal Communications Commission (FCC) nor the CTIA, a trade body for the carriers.

Last week, Motherboard published an investigation in which pseudonymous hacker Lucky225 paid a small sum of money to a company called Sakari to demonstrate the issue, which had not previously been reported in detail. Sakari is a firm that helps businesses with SMS marketing and mass messaging. As part of that, Sakari had gained the ability to reroute text messages from another company called Bandwidth, which in turn obtained it from another called NetNumber.

[Screenshot of the announcement on Aerialink's website]

When entering the respective phone number, Lucky225 was asked to sign a document essentially pinky-swearing he had authority to reroute the messages, but there was no technical mitigation in place to ensure the target had provided consent. "Welcome to create an account if you want to mess with it, literally anyone can sign up," Lucky225, who is Chief Information Officer at cybersecurity firm Okey Systems, said at the time.

A few minutes after entering Motherboard's phone number, Lucky225 started receiving text messages originally meant for our phone. From here, he logged into various services that used SMS as a login or authentication mechanism.

"It's not hard to see the enormous threat to safety and security this kind of attack poses. The FCC must use its authority to force phone companies to secure their networks from hackers. Former Chairman Pai's approach of industry self-regulation clearly failed," Senator Ron Wyden said in a statement after Motherboard explained the contours of the attack at the time.

After Motherboard originally contacted Sakari for comment, Adam Horsman, co-founder of the company, said Sakari had introduced a security feature whereby an entered number receives an automated call to confirm that the number owner consents to the message rerouting. Now, with the carriers cutting off text-enabling of mobile numbers, the wider ecosystem of business text messaging companies is likely unable to perform the service at all.

Horsman told Motherboard in a statement on Thursday that "We welcome this news and hope the rest of the industry follows suit. It has always been our policy at Sakari to only support the text-enablement of VoIP and landline phone numbers, and as soon as the industry issue was raised we placed a complete block on any mobile numbers. As part of our internal audit, other than Lucky225's account, we found no other mobile numbers enabled."

Another company included in Motherboard's investigation said it recently saw suspicious activity on another of its accounts.

Clarification: In between the original investigation and this article, Lucky225's position at Okey Systems has changed from Director of Information to Chief Information Officer. The piece has been updated to reflect that.

Source: T-Mobile, Verizon, AT&T Stop SMS Hijacks After Motherboard Investigation
14. Recently Patched Android Vulnerability Exploited in Attacks

Google has warned Android users that a recently patched vulnerability has been exploited in attacks.

The vulnerability in question, tracked as CVE-2020-11261, was patched by Google with the Android security updates released in January 2021. The vulnerability is a high-severity improper input validation issue affecting a display/graphics component from Qualcomm. The flaw was reported to Qualcomm through Google in July 2020 and it affects a long list of chipsets.

In Qualcomm's advisory, CVE-2020-11261 is described as a "memory corruption due to improper check to return error when user application requests memory allocation of a huge size." The advisory also reveals that the access vector for the security hole is "local," which suggests it could be a privilege escalation vulnerability.

Google Project Zero researcher Ben Hawkes posted a tweet on Monday pointing out that the Android security bulletin for January 2021 has been updated to inform users that the vulnerability has apparently been exploited. "There are indications that CVE-2020-11261 may be under limited, targeted exploitation," reads a note added to the Android advisory.

Google has credited GitHub security researcher Man Yue Mo for reporting the vulnerability. The researcher has earned significant bug bounties from Google over the past few years for potentially serious Chrome bugs.

Google last week said a sophisticated threat actor had used at least 11 zero-day vulnerabilities as part of a mass spying campaign. The APT group had leveraged watering hole attacks to deliver malware to Windows, Android and iOS devices. It's unclear if CVE-2020-11261 has been exploited by this group.

Source: Recently Patched Android Vulnerability Exploited in Attacks
15. Critical F5 BIG-IP vulnerability now targeted in ongoing attacks

On Thursday, cybersecurity firm NCC Group said that it had detected successful in-the-wild exploitation of a recently patched critical vulnerability in F5 BIG-IP and BIG-IQ networking devices. The exploitation attempts started earlier this week and escalated during the last 24 hours, with mass scanning activity detected by NCC Group and Bad Packets.

"Starting this week and especially in the last 24 hours (March 18th, 2021) we have observed multiple exploitation attempts against our honeypot infrastructure," said NCC Group's Rich Warren and Sander Laarhoven. "This knowledge, combined with having reproduced the full exploit-chain, we assess that a public exploit is likely to be available in the public domain soon."

The security vulnerability these attackers are attempting to exploit is an unauthenticated remote command execution (RCE) flaw tracked as CVE-2021-22986, and it affects most F5 BIG-IP and BIG-IQ software versions. Multiple security researchers have already shared proof-of-concept exploit code after reverse-engineering the BIG-IP patch. Successful exploitation of this bug (severity rating 9.8/10) could lead to full system compromise, including lateral movement into the internal network and interception of controller application traffic.

"We are now seeing full chain exploitation of F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986 - IoCs in the updated blog - we will share more as we have - https://t.co/gBoOND79Ll" — NCC Group Research & Technology (@NCCGroupInfosec) March 19, 2021

Highly valuable targets

A similarly critical RCE vulnerability with a maximum 10/10 severity rating, tracked as CVE-2020-5902, in F5 BIG-IP ADC appliances was also heavily exploited last year after being patched in July 2020. The Iranian-backed Pioneer Kitten hacking group started targeting enterprises with unpatched BIG-IP devices right after the flaw was disclosed.

Their attacks lined up with an August alert issued by the FBI warning of Iranian state hackers attempting to exploit vulnerable BIG-IP ADC devices starting in early July 2020. CISA issued another advisory saying that China-backed hacking groups targeted government agencies by hunting down and trying to compromise vulnerable F5, Microsoft Exchange, Citrix and Pulse Secure devices and servers.

Organizations are advised to patch their F5 BIG-IP devices as soon as possible to defend against future attacks. "We strongly encourage all customers to update their BIG-IP and BIG-IQ systems to a fixed version as soon as possible," F5 said after releasing security updates to patch CVE-2021-22986 and three other critical security flaws affecting its products. "To fully remediate the critical vulnerabilities, all BIG-IP customers will need to update to a fixed version."

F5 provides information on upgrading BIG-IP appliances, with details on multiple upgrade scenarios, in its BIG-IP upgrade guide. NCC Group also provides indicators of compromise, detection logic, and Suricata network rules to help admins detect and block incoming attacks.

Source: Critical F5 BIG-IP vulnerability now targeted in ongoing attacks
16. Apple releases iOS 14.4.1 and macOS 11.2.3 to address a WebKit vulnerability

The company recommends downloading the updates as soon as possible.

Apple has released a set of updates it recommends all iPhone, iPad and Mac users download as soon as possible. No, iOS 14.5 and Big Sur 11.3 aren't out yet. Instead, what we have are iOS 14.4.1 and macOS 11.2.3. When you download them on your devices, all you'll get is a terse explanation from Apple saying that they're "important." However, the support pages spotted by 9to5Mac provide more information.

Both updates address a memory corruption issue within WebKit, the engine that powers Apple's Safari browser. The vulnerability, which was discovered by security researchers from Google and Microsoft, may have allowed bad actors to execute code on your devices using "maliciously crafted" web content.

On iOS, you can manually download an update to your iPhone or iPad by opening the Settings app, and then tapping "General" followed by "Software Update." Meanwhile, on macOS, open the System Preferences menu and click on "Software Update."

Source: Apple releases iOS 14.4.1 and macOS 11.2.3 to address a WebKit vulnerability
17. Bug in Apple's Find My Feature Could've Exposed Users' Location Histories

Cybersecurity researchers on Thursday disclosed two distinct design and implementation flaws in Apple's crowdsourced Bluetooth location tracking system that can lead to a location correlation attack and to unauthorized access to the location history of the past seven days, thereby deanonymizing users.

The findings are a consequence of an exhaustive review undertaken by the Open Wireless Link (OWL) project, a team of researchers from the Secure Mobile Networking Lab at the Technical University of Darmstadt, Germany, who have historically taken apart Apple's wireless ecosystem with the goal of identifying security and privacy issues. In response to the disclosures on July 2, 2020, Apple is said to have partially addressed the issues, the researchers stated; citing the privacy implications of the analysis, they used only their own data for the study.

How Find My Works

Apple devices come with a feature called Find My that makes it easy for users to locate other Apple devices, including iPhone, iPad, iPod touch, Apple Watch, Mac, or AirPods. With the upcoming iOS 14.5, the company is expected to add support for Bluetooth tracking devices — called AirTags — that can be attached to items like keys and wallets, which in turn can be used for tracking purposes right from within the Find My app.

What's more interesting is the technology that undergirds Find My. Called offline finding and introduced in 2019, the location tracking feature has Apple devices broadcast Bluetooth Low Energy (BLE) signals, allowing other Apple devices in close proximity to relay the broadcasting device's location to Apple's servers.

Put differently, offline finding turns every mobile device into a broadcast beacon designed explicitly to let its movements be followed through a crowdsourced location tracking mechanism that is both end-to-end encrypted and anonymous, so much so that no third party, including Apple, can decrypt those locations and build a history of every user's whereabouts.

This is achieved via a rotating key scheme: each device generates a public-private key pair and encodes the public key in the Bluetooth signals it emits. The key material is subsequently synchronized via iCloud with all other Apple devices linked to the same user (i.e., Apple ID). A nearby iPhone or iPad (with no connection to the original offline device) that picks up this message checks its own location, encrypts that location using the broadcast public key, and sends it to the cloud along with a hash of the public key. In the final step, Apple delivers the encrypted location of the lost device to a second Apple device signed in with the same Apple ID: the companion device uploads the same hash of the public key to find matching reports on Apple's servers, and the owner uses the Find My app to decrypt the reports with the corresponding private key and retrieve the last known location.

Issues with Correlation and Tracking

Since the approach follows a public key encryption (PKE) setup, even Apple cannot decrypt the location, as it is not in possession of the private key. While the company has not explicitly revealed how often the key rotates, the rolling key pair architecture makes it difficult for malicious parties to exploit the Bluetooth beacons to track users' movements. But the OWL researchers said the design allows Apple, as the service provider, to correlate different owners' locations if their locations are reported by the same finder devices, effectively allowing Apple to construct what they call a social graph.
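The offline-finding exchange described above (beacon with a rotating public key, finder upload indexed by a hash of that key, owner retrieval and decryption) and the finder-side correlation the researchers point to, as an added Python model that is not Apple's code: it assumes a toy Diffie-Hellman group in place of Apple's unspecified elliptic-curve scheme, an in-memory server, and constructed finder and coordinate values.

```python
# Toy model of the offline-finding flow: constructed example, not Apple's code.
# A Diffie-Hellman group mod the Mersenne prime 2^127-1 stands in for Apple's
# elliptic-curve encryption; the server is a list of tuples; coordinates are made up.
import hashlib
import secrets

P = (1 << 127) - 1  # toy group modulus, not a real-world DH group
G = 3

def keygen():
    """Per-beacon key pair: the private half stays with the owner, the public half is broadcast."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def key_hash(pub):
    """What the server indexes reports by: a hash of the public key, never the key itself."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()

def _keystream(shared, n):
    # Hash-based stream derived from the DH shared secret (stand-in for the real KDF + cipher).
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(shared.to_bytes(16, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt_location(pub, location):
    """Finder side: ephemeral DH against the broadcast public key, then XOR with the keystream."""
    r = secrets.randbelow(P - 2) + 1
    eph = pow(G, r, P)
    ks = _keystream(pow(pub, r, P), len(location))
    return eph, bytes(a ^ b for a, b in zip(location, ks))

def decrypt_location(priv, eph, ct):
    """Owner side: only the private key recovers the shared secret and hence the location."""
    ks = _keystream(pow(eph, priv, P), len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

class FindMyServer:
    """Apple-side store: it sees hash(pub), ciphertext and which finder uploaded, never plaintext."""
    def __init__(self):
        self.reports = []  # (key_hash, finder_id, eph, ct)
    def upload(self, finder_id, kh, eph, ct):
        self.reports.append((kh, finder_id, eph, ct))
    def fetch(self, kh):
        return [(eph, ct) for h, _, eph, ct in self.reports if h == kh]
    def finder_groups(self):
        """The correlation issue OWL describes: the provider can group the distinct key hashes
        (distinct lost devices) reported by one finder, a building block of a social graph."""
        groups = {}
        for kh, finder, _, _ in self.reports:
            groups.setdefault(finder, set()).add(kh)
        return groups

class LostDevice:
    """Emits a rotating public key over BLE; keeps the private keys (synced via iCloud in reality)."""
    def __init__(self):
        self.keys = []  # (priv, pub) pairs, one per rotation
    def rotate(self):
        pair = keygen()
        self.keys.append(pair)
        return pair[1]  # the public key that goes into the beacon

class Finder:
    """A bystander iPhone/iPad that hears a beacon and reports its own position under that key."""
    def __init__(self, finder_id, server, location):
        self.finder_id, self.server, self.location = finder_id, server, location
    def hear_beacon(self, pub):
        eph, ct = encrypt_location(pub, self.location)
        self.server.upload(self.finder_id, key_hash(pub), eph, ct)

def owner_retrieve(device, server):
    """Owner's companion device: upload the same key hashes, decrypt whatever comes back."""
    found = []
    for priv, pub in device.keys:
        for eph, ct in server.fetch(key_hash(pub)):
            found.append(decrypt_location(priv, eph, ct).decode())
    return found

def simulate():
    """Two lost devices heard by one finder; Alice's key rotates between her two sightings."""
    server = FindMyServer()
    alice, bob = LostDevice(), LostDevice()
    finder = Finder("finder-A", server, b"52.27N,10.53E")  # constructed finder id and coordinates
    finder.hear_beacon(alice.rotate())
    finder.hear_beacon(bob.rotate())
    finder.hear_beacon(alice.rotate())  # new public key: an outsider cannot link it to the first
    return {
        "alice": owner_retrieve(alice, server),
        "bob": owner_retrieve(bob, server),
        "server_sees_plaintext": any(ct == b"52.27N,10.53E" for _, _, _, ct in server.reports),
        "devices_per_finder": {f: len(s) for f, s in server.finder_groups().items()},
    }

if __name__ == "__main__":
    print(simulate())
```

Each owner recovers only their own reports, the server never holds a decryptable location, yet the server can still count three distinct beacon keys behind a single finder, which is exactly the grouping the researchers warn about.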
"Law enforcement agencies could exploit this issue to deanonymize participants of (political) demonstrations even when participants put their phones in flight mode," the researchers said, adding "malicious macOS applications can retrieve and decrypt the [offline finding] location reports of the last seven days for all its users and for all of their devices as cached rolling advertisement keys are stored on the file system in cleartext." In other words, the macOS Catalina vulnerability (CVE-2020-9986) could allow an attacker to access the decryption keys, using them to download and decrypt location reports submitted by the Find My network, and ultimately locate and identify their victims with high accuracy. The weakness was patched by Apple in November 2020 (version macOS 10.15.7) with "improved access restrictions." A second outcome of the investigation is an app that's designed to let any user create an "AirTag." Called OpenHaystack, the framework allows for tracking personal Bluetooth devices via Apple's massive Find My network, enabling users to create their own tracking tags that can be appended to physical objects or integrated into other Bluetooth-capable devices. This is not the first time researchers from Open Wireless Link (OWL) have uncovered flaws in Apple's closed-source protocols by means of reverse engineering. In May 2019, the researchers disclosed vulnerabilities in Apple's Wireless Direct Link (AWDL) proprietary mesh networking protocol that permitted attackers to track users, crash devices, and even intercept files transferred between devices via man-in-the-middle (MitM) attacks. This was later adapted by Google Project Zero researcher Ian Beer to uncover a critical "wormable" iOS bug last year that could have made it possible for a remote adversary to gain complete control of any Apple device in the vicinity over Wi-Fi. Source: Bug in Apple's Find My Feature Could've Exposed Users' Location Histories
18. GRUB2 boot loader reveals multiple high severity vulnerabilities

GRUB, a popular boot loader used by Unix-based operating systems, has fixed multiple high severity vulnerabilities.

In 2020, BleepingComputer had reported on the BootHole vulnerability in GRUB2 that could have let attackers compromise an operating system's booting process even if the Secure Boot verification mechanism was active. Threat actors could further abuse the flaw to hide arbitrary code ("bootkit") within the OS that would run on every boot. Flaws like these in boot loaders are particularly serious because they allow circumvention of UEFI Secure Boot, the verification mechanism that ensures code executed by a computer's UEFI firmware is trusted and not malicious.

117 patches issued for high severity GRUB2 vulnerabilities

This week GRUB project maintainers have released hundreds of upstream patches for the severe boot loader flaws listed below.

"The BootHole vulnerability announced last year encouraged many people to take a closer look at the security of boot process in general and the GRUB bootloader in particular. Due to that, during the past few months we were getting reports of, and also discovering various security flaws in the GRUB ourselves," said Oracle software developer and GRUB maintainer Daniel Kiper.

Referring to the list of vulnerabilities and CVEs that were remedied, Kiper stated that the patch bundle fixing all the bugs comprises 117 patches. The list of GRUB2 vulnerabilities is as follows:

CVE | CVSS 3.1 Severity | Type | Description | Reported by
CVE-2020-14372 | High (7.5) | Incomplete List of Disallowed Inputs | The acpi command allows a privileged user to load crafted ACPI tables when Secure Boot is enabled. | Máté Kukri
CVE-2020-25632 | High (7.5) | Use-after-free | The rmmod implementation for GRUB2 is flawed, allowing an attacker to unload a module used as a dependency without checking whether any other dependent module is still loaded. | Chris Coulson (Canonical)
CVE-2020-25647 | Medium (6.9) | Out-of-bound write | grub_usb_device_initialize() is called to handle USB device initialization. It reads the descriptors it needs from the USB device and uses that data to fill in some USB data structures. grub_usb_device_initialize() performs very little bounds checking and simply assumes the USB device provides sane values. This behavior can trigger memory corruption or lead to arbitrary code execution. | Joseph Tartaro (IOActive), Ilja van Sprundel (IOActive)
CVE-2020-27749 | High (7.5) | Stack buffer overflow | grub_parser_split_cmdline() expands variable names present in the supplied command line into their corresponding variable contents and uses a 1kB stack buffer for temporary storage without sufficient bounds checking. An attacker can exploit the flaw to circumvent Secure Boot protections. | Chris Coulson (Canonical)
CVE-2020-27779 | High (7.5) | Improper Authorization | The cutmem command allows a privileged user to remove memory regions when Secure Boot is enabled. | Teddy Reed
CVE-2021-3418 | Medium (6.4) | Improper Preservation of Permissions | GRUB 2.05 reintroduced CVE-2020-15705. This refers to a distro-specific flaw which made it upstream in the mentioned version. | Dimitri John Ledkov (Canonical)
CVE-2021-20225 | High (7.5) | Heap out-of-bounds write | The option parser in GRUB2 allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. | Daniel Axtens (IBM)
CVE-2021-20233 | High (7.5) | Heap out-of-bounds write | There is a flaw in GRUB2's menu rendering code: setparam_prefix() performs a length calculation on the assumption that expressing a quoted single quote requires 3 characters, while it actually requires 4 characters. | Daniel Axtens (IBM)

Vendors yet to release full mitigation details

Kiper described the improvements made to resolve these flaws on GRUB's mailing list. Although 117 upstream code patches have been issued to resolve these CVEs, detailed instructions on mitigation and obtaining updates will be provided by OS vendors. "Details of exactly what needs updating will be provided by the respective distros and vendors when updates become available."

Advisories have also been published by Canonical (Ubuntu), Debian, Red Hat, and SUSE detailing remediation steps.

"It is important to know that shim and SBAT development is still ongoing. Full mitigation against all the CVEs will require an updated UEFI revocation list (dbx) which, in at least some cases, will not allow Secure Boot with today's boot artifacts," continued Kiper.

Not all vendors may have shipped updates for the flaws just yet, and more details are to follow once the coordinated disclosure process is complete. Microsoft is expected to release an updated UEFI revocation file as a mitigation for the vulnerabilities.

Given the seriousness of the BootHole vulnerability in GRUB, high severity vulnerabilities like the ones mentioned above should be patched as soon as possible. Users are encouraged to keep an eye out for vendor updates and apply them as soon as they become available.

Source: GRUB2 boot loader reveals multiple high severity vulnerabilities
19. Exclusive: Flaws in Zoom’s Keybase App Kept Chat Images From Being Deleted

A serious flaw in Zoom’s Keybase secure chat application left copies of images contained in secure communications on Keybase users’ computers after they were supposedly deleted.

The flaw in the encrypted messaging application (CVE-2021-23827) does not expose Keybase users to remote compromise. However, it could put their security, privacy and safety at risk, especially for users living under authoritarian regimes in which apps like Keybase and Signal are increasingly relied on as a way to conduct conversations out of earshot of law enforcement or security services.

The flaw was discovered by researchers from the group Sakura Samurai as part of a bug bounty program offered by Zoom, which acquired Keybase in May, 2020. Zoom said it has fixed the flaw in the latest versions of its software for Windows, macOS and Linux.

Deleted…but not gone

According to researcher John Jackson of Sakura Samurai, the Keybase flaw manifested itself in two ways. First: Jackson discovered that images that were copied and pasted into Keybase chats were not reliably deleted from a temporary folder, /uploadtemps, associated with the client application.

“In general, when you would copy and paste in a Keybase chat, the folder would appear in (the uploadtemps) folder and then immediately get deleted,” Jackson told Security Ledger in a phone interview. “But occasionally that wouldn’t happen. Clearly there was some kind of software error – a collision of sorts – where the images were not getting cleared.”

Discovering that flaw put Sakura Samurai researchers on the hunt for more, and they soon struck pay dirt again. Sakura Samurai members Aubrey Cottle (@kirtaner), Robert Willis (@rej_ex) and Jackson Henry (@JacksonHHax) discovered an unencrypted directory, /Cache, associated with the Keybase client that contained a comprehensive record of images from encrypted chat sessions.
The application used a custom extension to name the files, but they were easily viewable directly or simply by changing the custom file extension to the PNG image format, Jackson said.

In a statement, a Zoom spokesman said that the company appreciates the work of the researchers and takes privacy and security “very seriously.”

“We addressed the issue identified by the Sakura Samurai researchers on our Keybase platform in version 5.6.0 for Windows and macOS and version 5.6.1 for Linux. Users can help keep themselves secure by applying current updates or downloading the latest Keybase software with all current security updates,” the spokesman said.

In most cases, the failure to remove files from cache after they were deleted would count as a “low priority” security flaw. However, in the context of an end-to-end encrypted communications application like Keybase, the failure takes on added weight, Jackson wrote.

“An attacker that gains access to a victim machine can potentially obtain sensitive data through gathered photos, especially if the user utilizes Keybase frequently. A user, believing that they are sending photos that can be cleared later, may not realize that sent photos are not cleared from the cache and may send photos of PII or other sensitive data to friends or colleagues.”

Messaging app flaws take on new importance

The flaw takes on even more weight given the recent flight of millions of Internet users to end-to-end encrypted messaging applications like Keybase, Signal and Telegram. Those users were responding to onerous data sharing policies, such as those recently introduced on Facebook’s WhatsApp chat. In countries with oppressive, authoritarian governments, end-to-end encrypted messaging apps are a lifeline for political dissidents and human rights advocates. As a result of the flaw, however, adversaries who gained access to the laptop or desktop on which the Keybase application was installed could view any images contained in Keybase encrypted chats.
The implications of that are clear enough. For example, recent reports say that North Korean state hackers have targeted security researchers via phishing attacks sent via Keybase, Signal and other encrypted applications.

The flaws in Keybase do not affect the Zoom application, Jackson said. Zoom acquired Keybase in May to strengthen the company’s video platform with end-to-end encryption. That acquisition followed reports about security flaws in the Zoom client, including in its in-meeting chat feature.

Jackson said that the Sakura Samurai researchers received a $1,000 bounty from Zoom for their research. He credited the company with being “very responsive” to the group’s vulnerability report.

The increased use of encrypted messaging applications has attracted the attention of security researchers, as well. Last week, for example, a researcher disclosed 13 vulnerabilities in the Telegram secure messaging application that could have allowed a remote attacker to compromise any Telegram user. Those issues were patched in Telegram updates released in September and October, 2020.

Source: Exclusive: Flaws in Zoom’s Keybase App Kept Chat Images From Being Deleted
20. Vulnerability in Chess.com allowed access to 50 Million user records

The vulnerability could have been exploited to access any account on the site, including the Chess.com administrator account.

An IT security researcher identified a critical set of vulnerabilities in the API of chess.com, an immensely popular online chess playing site and app. The vulnerability could have been exploited to access any account on the site. It could also be used to gain full access to the site through its admin panel.

What Happened?

Cybersecurity researcher Sam Curry spent a lot of time finding vulnerabilities in Chess.com. The researcher started with finding generic vulnerabilities and stumbled upon a reflected XSS that could be exploited to drop a backdoor and gain access to a victim’s account. An attacker could also extract the “Connect to Google” URL, authenticate it with their own account, and use an XSS hook and HTTP request to bind a victim’s chess.com account to the attacker’s account.

Account Takeover Vulnerability

The “Account Takeover Vulnerability”, as explained by the researcher, was found once the subdomain for the API, “api.chess.com”, was discovered. The researcher intercepted the HTTP traffic and noticed the API requests going to this domain while using the app. The requests from the app to the API were signed and could not be tampered with easily, but when the researcher searched for a username in order to send a message, a request was sent to fetch the user’s information. This information contained the email address of the user, which on its own makes it a vulnerability of medium severity. However, the actual vulnerability was the returned “session_id”: this was unique to each user and the session on the researcher’s computer, and it was the authorization token that could let the researcher hijack any session.
For further confirmation, the researcher wrote in a blog post that he hijacked the account of one of Chess.com’s administrators, Daniel Rensch, and was able to access the administrative dashboard. At this point, the whole site was at his disposal. This would let the researcher take full control of any account on the site. Thankfully the researcher did not wish to attack Chess.com and was only working for academic purposes. The administration of chess.com was contacted and the bug was fixed within two hours.

How to be safe?

Although the bug is fixed, there are some practices that should be adopted to stay safe from any future attack. It is best practice to never use the same password for more than one site, as a vulnerability in one site can expose every account that uses the same email and password combination.

About Chess.com

Chess.com is a huge platform for chess players with hundreds of thousands of players playing at any given time. The website hosts tens of millions of games per day. This shows that the site has a huge number of users and is a very important place for chess fans.

Source: Vulnerability in Chess.com allowed access to 50 Million user records
21. Vulnerabilities in Realtek Wi-Fi Module Expose Many Devices to Remote Attacks

Major vulnerabilities in the Realtek RTL8195A Wi-Fi module expose embedded devices used in a myriad of industries to remote attacks, researchers with automated device security platform provider Vdoo reveal.

The low-power Wi-Fi module is designed for use in embedded devices, and is being used in a broad range of industries, including automotive, agriculture, energy, healthcare, industrial, and security.

The RTL8195A chip supports WEP, WPA and WPA2 authentication modes, and Vdoo discovered that the WPA2 handshake mechanism is prone to stack overflow and out-of-bounds read bugs.

Tracked as CVE-2020-9395, the most severe of the flaws is a remotely exploitable stack overflow that could lead to a complete takeover of the module and the device’s wireless communications. The vulnerability can be exploited by an attacker in the proximity of a vulnerable system, even if they don’t know the Wi-Fi network password (Pre-Shared-Key, or PSK).

Two other vulnerabilities (an out-of-bounds read and a stack-based buffer overflow) could also be exploited without knowing the network security key (the PMK, which is derived from the PSK), to execute code remotely or cause a denial of service (DoS) condition.

The remaining three vulnerabilities are all stack-based buffer overflow issues that could lead to remote code execution, but exploitation requires the attacker to know the network’s PSK. Thus, the use of a strong, private WPA2 passphrase should prevent exploitation of these bugs.

Realtek has published an advisory for CVE-2020-9395 only, revealing that RTL8711AM, RTL8711AF, and RTL8710AF modules are also vulnerable.

“An issue was discovered on Realtek RTL8195AM, RTL8711AM, RTL8711AF, and RTL8710AF devices before 2.0.6. A stack-based buffer overflow exists in the client code that takes care of WPA2’s 4-way-handshake via a malformed EAPOL-Key packet with a long keydata buffer,” Realtek explains.
According to Vdoo’s researchers, because no mitigating factors are in place, exploitation of this vulnerability is trivial. Exploitation is possible regardless of whether the victim is the client or the access point.

Vdoo says all of these vulnerabilities have been addressed in the latest version of Ameba Arduino (2.0.8 and above). Updated versions of the Ameba SDK are available on Realtek’s website. Device versions built after March 3, 2020, are patched against CVE-2020-9395, while versions built after April 21, 2020 are completely patched against all issues.

Source: Vulnerabilities in Realtek Wi-Fi Module Expose Many Devices to Remote Attacks
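The Realtek advisory above describes a 4-way-handshake client that trusted the key data length carried in an EAPOL-Key frame. The following is an added example, not Realtek's or Vdoo's code: a length-checked EAPOL-Key parser that refuses a frame whenever a length field disagrees with the bytes actually received or with the receiver's buffer. It assumes the standard 802.11 EAPOL-Key layout with a 16-byte MIC; the 256-byte key-data buffer, the sample frames and the builder helper are constructed for the demonstration.

```python
import struct

# EAPOL header (802.1X): protocol version, packet type, body length.
EAPOL_HDR = struct.Struct("!BBH")
EAPOL_KEY_TYPE = 3
# EAPOL-Key fixed part (WPA2 with a 16-byte MIC): descriptor type, key info,
# key length, replay counter, nonce(32), IV(16), RSC(8), key ID(8), MIC(16),
# key data length. 95 bytes in total; the variable key data follows.
KEY_FIXED = struct.Struct("!BHHQ32s16s8s8s16sH")
# Constructed stand-in for the receiver's fixed-size key-data buffer.
KEY_DATA_BUF = 256


class MalformedFrame(ValueError):
    """Raised whenever a length field disagrees with the bytes actually received."""


def parse_eapol_key(frame: bytes, key_data_buf: int = KEY_DATA_BUF) -> dict:
    """Parse an EAPOL-Key frame, validating every length before any copy."""
    if len(frame) < EAPOL_HDR.size:
        raise MalformedFrame("truncated EAPOL header")
    version, ptype, body_len = EAPOL_HDR.unpack_from(frame)
    if ptype != EAPOL_KEY_TYPE:
        raise MalformedFrame("not an EAPOL-Key frame")
    body = frame[EAPOL_HDR.size:]
    # Check 1: the advertised body length must fit in what was received.
    if body_len > len(body):
        raise MalformedFrame("EAPOL body length exceeds received frame")
    body = body[:body_len]
    if len(body) < KEY_FIXED.size:
        raise MalformedFrame("truncated EAPOL-Key body")
    (desc, key_info, key_len, replay, nonce, iv, rsc, key_id, mic,
     key_data_len) = KEY_FIXED.unpack_from(body)
    key_data = body[KEY_FIXED.size:]
    # Check 2: the key data length field must not claim more than follows it.
    if key_data_len > len(key_data):
        raise MalformedFrame("key data length exceeds EAPOL body")
    # Check 3: it must also fit the destination buffer. This is the bound a
    # fixed stack buffer needs before the copy, and the one the advisory says
    # the affected client lacked ("a long keydata buffer").
    if key_data_len > key_data_buf:
        raise MalformedFrame("key data longer than receive buffer")
    return {
        "version": version, "descriptor": desc, "key_info": key_info,
        "key_len": key_len, "replay": replay, "nonce": nonce, "mic": mic,
        "key_data": key_data[:key_data_len],
    }


def build_eapol_key(key_data: bytes, claimed_len=None) -> bytes:
    """Constructed sample frame (zero MIC/IV/RSC; not a real handshake message).
    claimed_len overrides the key data length field to build malformed test input."""
    kd_len = len(key_data) if claimed_len is None else claimed_len
    fixed = KEY_FIXED.pack(2, 0x008A, 16, 1, b"\x11" * 32, b"\0" * 16,
                           b"\0" * 8, b"\0" * 8, b"\0" * 16, kd_len)
    body = fixed + key_data
    return EAPOL_HDR.pack(2, EAPOL_KEY_TYPE, len(body)) + body


def is_rejected(frame: bytes) -> bool:
    """True if the parser refuses the frame."""
    try:
        parse_eapol_key(frame)
    except MalformedFrame:
        return True
    return False
```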
22. US federal payroll agency hacked using SolarWinds software flaw

The FBI has discovered that the National Finance Center (NFC), a U.S. Department of Agriculture (USDA) federal payroll agency, was compromised by exploiting a SolarWinds Orion software flaw, according to a Reuters report.

NFC has provided human resources and payroll services to roughly 170 federal agencies and over 650,000 federal employees since 1973.

USDA confirms data breach

The software vulnerability used to break into NFC's systems is different from the one used by suspected Russian nation-state hackers to compromise the update mechanism of the Orion software and deploy the Sunburst backdoor on SolarWinds customers' systems.

Even though both the FBI and the USDA declined to provide further comment, the latter confirmed that it had suffered a data breach. The USDA did, however, provide a statement saying that it "notified all customers (including individuals and organizations) whose data has been affected."

The threat actors behind the USDA agency hack are suspected to be part of a Chinese-backed hacking group, according to Reuters' sources. Reuters' sources believe the attackers to be based out of China as they utilize infrastructure and tools used in previous state-backed Chinese cyberattacks.

Hack exploited flaw used to deploy Supernova backdoor

Although the vulnerability was not named, Reuters reporters said that the suspected Chinese hackers used the same security bug that made it possible for threat actors to deploy the Supernova backdoor on systems where vulnerable versions of the Orion platform had been installed.

"This vulnerability in the Orion Platform has been resolved in the latest updates," SolarWinds said in an advisory providing information on the Sunburst and Supernova malware.

Organizations that cannot immediately upgrade to these patched versions can use a script SolarWinds provides in their advisory to temporarily protect their systems against attempts to deploy the malware.
SuperNova was deployed as a DLL file that allowed attackers to remotely send, compile, and execute malicious code on compromised systems.

Image: Supernova backdoor code (Palo Alto Networks)

Compromised US government targets

The list of U.S. government agencies confirmed as having been hit in the SolarWinds supply-chain attack includes:

• U.S. Department of the Treasury
• U.S. National Telecommunications and Information Administration (NTIA)
• U.S. Department of State
• The National Institutes of Health (NIH) (part of the U.S. Department of Health)
• U.S. Department of Homeland Security (DHS)
• U.S. Department of Energy (DOE)
• U.S. National Nuclear Security Administration (NNSA)

Earlier this month, the Administrative Office of the U.S. Courts also disclosed an ongoing investigation of a potential compromise of the federal courts' case management and electronic case files system.

Source: US federal payroll agency hacked using SolarWinds software flaw
23. Shazam Vulnerability exposed location of Android, iOS users

The vulnerability in Shazam was identified in 2019 but the details of it were only revealed last week.

Can’t figure out the name of that song on television? You know who’ll help – Shazam. Recently though, a vulnerability found in the popular app which could allow a malicious actor to learn a victim’s location has come to light. The vulnerability affected more than 100 million users at the time, and its potential to compromise the physical security of these users marks its severity.

Tracked as CVE-2019-8791 and CVE-2019-8792, the vulnerability was discovered by British IT security researcher Ashley King. It is noteworthy that the issue was actually found back in 2018 and reported to the company in December of that year. However, because Shazam had by then been acquired by Apple, King was asked to take the issue up with Apple, and the flaw was finally patched on March 26, 2019, on both iOS and Android, without any reward being handed out to him.

As for how the vulnerability worked: an attacker could send a malicious link to their intended victim. If the victim opened it, this would automatically open the Shazam app and execute the malware, resulting in the victim’s location data being sent to the attacker.

Explaining which type of link could be used, the researcher states in a blog post that:

Shazam uses deeplinks throughout the app as part of its navigation. I found that a particular exported deeplink (which was responsible for loading a website inside a webview) was not validating its parameter, allowing external resources to be in control. This webview included a few javascript interfaces that allowed content to communicate with the Android & iOS APIs, making it possible to pull back device specific information and the last known precise location of the user.
To conclude, according to King, both the Google Play Security Rewards Program and Apple itself did not consider the vulnerability severe enough at the time, even though it was patched. This illustrates the gap in priorities that can separate the cybersecurity community from the companies on the other side of the fence, and given how corporations view user privacy, we may well see it continue.

Source: Shazam Vulnerability exposed location of Android, iOS users
24. VoIP vulnerability: CoTURN patches access control protection bypass

Affected organizations also urged to implement protective configurations

Attackers can bypass CoTURN servers’ default access control rules and access network services behind the firewall, security researchers have discovered.

One researcher speculated that, under certain circumstances, an attacker could go on to achieve remote code execution (RCE) (although he emphasized that the documented vulnerability was not itself an RCE flaw).

Berlin-based Enable Security has urged organizations that use the open source servers, which power VoIP platforms, to apply its configuration advice as well as the latest software update.

CoTURN “is used in almost all WebRTC and VoIP systems” worldwide, because it is fast, effective, and “the most full-featured STUN/TURN implementation AFAIK”, Mihály Mészáros, the project’s maintainer, told The Daily Swig.

Akin to a proxy server, a TURN (Traversal Using Relays around NAT) server permits the relaying of TCP connections and UDP packets to other peers.

Bypassing the block

The specter of attackers abusing TURN servers to connect to local services prompted CoTURN maintainers, in 2018, to block by default connections to the loopback IP addresses 127.0.0.1 on IPv4 and [::1] on IPv6.

However, security researchers bypassed the IPv4 block after discovering that “the same effect could be achieved by specifying 0.0.0.0 as IP instead of 127.0.0.1” – on Linux systems and “possibly other operating systems” too, a technical blog post explains.

The IPv6 block turned out to be flawed too. “Strangely we could still specify [::1] as peer address and get connected to local services without getting the standard 403, Forbidden IP response,” reads the blog post. There was also “no code to protect against [::]”.
Worst-case scenario

The havoc a successful attacker could wreak “greatly depends on what is on the loopback interface”, Sandro Gauci, CEO and founder of Enable Security, told The Daily Swig.

“A worst-case scenario would be a network service that does not require authentication (because the loopback interface is often considered to be a trusted network) and allows remote code execution.”

He added: “If you have the tools, it is not difficult at all to exploit this vulnerability.”

Fortunately, when researchers probed applicable bug bounty programs, only one environment permitted “connections to localhost and only on UDP”.

This suggests, the researchers believe, that many organizations have implemented the recommendations accompanying Enable Security’s June 2020 research documenting the vulnerability’s presence at several WebRTC-based service providers, and their April 2020 disclosure of a configuration flaw in Slack’s TURN servers.

Remediation, mitigation, configuration

CoTURN maintainers were alerted to the bypass on November 20. The flaw (CVE-2020-26262) affected CoTURN version 4.5.1.3 and was addressed in version 4.5.2, which landed on January 11.

Enable Security provided the fixes, which blocked 0.0.0.0/8 and [::] by default and correctly parsed the IPv6 loopback address [::1], at the request of CoTURN’s Mészáros.

In addition to applying the update, the researchers recommend using “denied-peer-ip to block special purpose addresses”, or even deploying “TURN servers on an isolated environment” with “no special access to internal systems”.

Organizations unable to immediately apply the latest update are advised in the meantime to “set the -L flag or listening-ip configuration with the value of an IPv4 address” (albeit this will prevent relaying of IPv6 traffic too).
CoTURN clarion call

Sandro Gauci said Mészáros Mihály had been “very receptive and helpful”, while Mihály expressed gratitude for Enable Security’s professionalism and patch proposals, and other security teams’ help with the fix rollout and various other issues.

Mészáros, who said he didn’t have time to fix the problems himself, implored organizations that depend on CoTURN to get in touch via GitHub and help him and project author Oleg Moskalenko maintain the project.

Source: VoIP vulnerability: CoTURN patches access control protection bypass
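The bypass and fix described in this article come down to how a relay decides whether a requested peer address is "local". The following is an added example, not CoTURN's code: the weak check matches only the literal strings 127.0.0.1 and ::1, which is why 0.0.0.0, [::] and a bracketed [::1] slip past it; the hardened check parses the address first and then denies the whole loopback range, the unspecified addresses, IPv4-mapped forms of them, 0.0.0.0/8 as a whole (as the 4.5.2 fix did), plus an operator deny list standing in for denied-peer-ip. The DENIED_SPECIAL_PURPOSE ranges are a constructed example; which ranges to deny is a deployment decision.

```python
import ipaddress

# Constructed deny list standing in for denied-peer-ip entries.
DENIED_SPECIAL_PURPOSE = (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "169.254.0.0/16", "fe80::/10",                       # link-local
    "fc00::/7",                                          # IPv6 unique local
    "100.64.0.0/10",                                     # RFC 6598 shared space
)


def weak_peer_allowed(peer: str) -> bool:
    """Pre-fix behaviour: a literal-string block of the two loopback spellings."""
    return peer not in ("127.0.0.1", "::1")


def hardened_peer_allowed(peer: str, denied_networks=()) -> bool:
    """Parse first, then decide on address semantics rather than spelling."""
    try:
        addr = ipaddress.ip_address(peer.strip("[]"))   # accept [::1] as ::1
    except ValueError:
        return False                                    # never relay to unparsable input
    # ::ffff:127.0.0.1 is loopback too: apply the IPv4 rules to mapped addresses.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # Covers 127.0.0.0/8, ::1, 0.0.0.0 and :: regardless of how they were written.
    if addr.is_loopback or addr.is_unspecified:
        return False
    # Block 0.0.0.0/8 as a whole, as the fix did, not just the 0.0.0.0 literal.
    if isinstance(addr, ipaddress.IPv4Address) and addr in ipaddress.ip_network("0.0.0.0/8"):
        return False
    # Operator-supplied special purpose ranges (the denied-peer-ip role).
    return not any(addr in ipaddress.ip_network(net) for net in denied_networks)
```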
25. Vulnerability Exposes F5 BIG-IP Systems to Remote DoS Attacks

A vulnerability discovered by a researcher in a BIG-IP product from F5 Networks can be exploited to launch remote denial-of-service (DoS) attacks.

The security flaw was discovered by Nikita Abramov, a researcher at cybersecurity solutions provider Positive Technologies, and it impacts certain versions of BIG-IP Access Policy Manager (APM), a secure access solution that simplifies and centralizes access to applications, APIs and data.

According to F5 Networks, the vulnerability is related to a component named Traffic Management Microkernel (TMM), which processes all load-balanced traffic on BIG-IP systems.

“When a BIG-IP APM virtual server processes traffic of an undisclosed nature, the Traffic Management Microkernel (TMM) stops responding and restarts,” the vendor explained in an advisory published in mid-December. “Traffic processing is disrupted while TMM restarts. If the affected BIG-IP system is configured as part of a device group, the system triggers a failover to the peer device.”

Abramov noted that exploiting this vulnerability does not require any tools — the attacker simply has to send a specially crafted HTTP request to the server hosting the BIG-IP configuration utility, which results in access to the system being blocked “for a while (until it automatically restarts).”

F5 said in its advisory that the vulnerability, tracked as CVE-2020-27716 with a severity rating of high, only impacts versions 14.x and 15.x. Updates that patch the flaw in both branches are available.

Last year, Positive Technologies informed F5 of a critical BIG-IP vulnerability that ended up being exploited in the wild, including by profit-driven cybercriminals and state-sponsored cyberspies.

Source: Vulnerability Exposes F5 BIG-IP Systems to Remote DoS Attacks