Search the Community

Showing results for tags 'vulnerability'.
  1. VMware patches vulnerability with 9.8/10 severity rating in Cloud Foundation

     NSX-V appliance, which VMware no longer supports, is also affected and patched.

     Exploit code was released this week for a just-patched vulnerability in VMware Cloud Foundation and NSX Manager appliances that allows hackers with no authentication to execute malicious code with the highest system privileges. VMware patched the vulnerability, tracked as CVE-2021-39144, on Tuesday and issued it a severity rating of 9.8 out of a possible 10. The vulnerability, which resides in the XStream open source library that Cloud Foundation and NSX Manager rely on, posed so much risk that VMware took the unusual step of patching versions that were no longer supported. The vulnerability affects Cloud Foundation versions 3.11 and lower. Versions 4.x aren't at risk.

     "VMware Cloud Foundation contains a remote code execution vulnerability via XStream open source library," the company's advisory, published Tuesday, read. "Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of 'root' on the appliance."

     The vulnerability was discovered by Sina Kheirkhah and Steven Seeley of security firm Source Incite. At the same time VMware disclosed and patched the vulnerability, Kheirkhah published their own advisory, which included a proof-of-concept exploit.

     "In XStream <= 1.4.18 there is a deserialization of untrusted data and is tracked as CVE-2021-39144," Kheirkhah wrote. "VMWare NSX Manager uses the package xstream-1.4.18.jar so it is vulnerable to this deserialization vulnerability. All we need to do is find an endpoint that is reachable from an unauthenticated context to trigger the vulnerability. I found an authenticated case but upon showing Steven, he found another location in the /home/secureall/secureall/sem/WEB-INF/spring/security-config.xml configuration. This particular endpoint is pre-authenticated due to the use of isAnonymous."

     "isAnonymous" is a Boolean function that indicates a particular account is anonymous. With exploit code available, a vulnerability of this severity is likely to pose a serious threat to many organizations. Anyone using an affected appliance should prioritize patching as soon as possible. Organizations that can't immediately patch can apply this temporary workaround.
  2. KB5012170: Microsoft August Patch Tuesday fixes critical Secure Boot GRUB vulnerability

     Microsoft released the Patch Tuesday or Update Tuesday for the month of August a couple of days ago. You can find our coverage here: Windows 11, Windows 10, Windows 7/8.1.

     In this month's Patch, the Redmond company also issued an important fix related to the Secure Boot DBX with its KB5012170 update. For those unaware, the Secure Boot Forbidden Signature Database or DBX is basically a block-list of UEFI executables that were found to be bad. The latest KB5012170 update adds signatures of the known vulnerable UEFI modules to the DBX, meaning they will no longer be able to run after this update. The signatures this time are related to the GRand Unified Boot Loader (GRUB) vulnerability also called BootHole. The official Microsoft bulletin explains how the attack works:

         Microsoft is aware of a vulnerability in the GRand Unified Boot Loader (GRUB), commonly used by Linux. This vulnerability, known as “There’s a Hole in the Boot”, could allow for Secure Boot bypass. To exploit this vulnerability, an attacker would need to have administrative privileges or physical access on a system where Secure Boot is configured to trust the Microsoft Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA). The attacker could install an affected GRUB and run arbitrary boot code on the target device. After successfully exploiting this vulnerability, the attacker could disable further code integrity checks thereby allowing arbitrary executables and drivers to be loaded onto the target device. [...]

         Update: August 9, 2022: Microsoft has released standalone security update 5012170 to provide protection against the vulnerabilities described in this advisory.

     The update is applicable to the following Windows editions and versions:

       • Windows Server 2012
       • Windows 8.1 and Windows Server 2012 R2
       • Windows 10, version 1507
       • Windows 10, version 1607 and Windows Server 2016
       • Windows 10, version 1809 and Windows Server 2019
       • Windows 10, version 20H2
       • Windows 10, version 21H1
       • Windows 10, version 21H2
       • Windows Server 2022
       • Windows 11, version 21H2 (original release)
       • Azure Stack HCI, version 1809
       • Azure Stack Data Box, version 1809 (ASDB)

     The download is available via Windows Update as part of the Patch Tuesday package, but you can also get the standalone update from the Microsoft Update Catalog website here. You may find more information on the official support article here.
  3. Critical RCE vulnerability impacts 29 models of DrayTek routers

     Researchers at Trellix have discovered a critical unauthenticated remote code execution (RCE) vulnerability impacting 29 models of the DrayTek Vigor series of business routers. The vulnerability is tracked as CVE-2022-32548 and carries a maximum CVSS v3 severity score of 10.0, categorizing it as critical. The attacker does not need credentials or user interaction to exploit the vulnerability, with the default device configuration making the attack viable via the internet and LAN. Hackers who exploit this vulnerability could potentially perform the following actions: complete device takeover, information access, laying the ground for stealthy man-in-the-middle attacks, changing DNS settings, using the routers as DDoS or cryptominer bots, or pivoting to devices connected to the breached network.

     Widespread impact

     DrayTek Vigor devices became very popular during the pandemic by riding the "work from home" wave. They are excellent cost-efficient products for VPN access to small and medium-sized business networks. A Shodan search returned over 700,000 online devices, most located in the UK, Vietnam, Netherlands, and Australia. Trellix decided to evaluate the security of one of DrayTek's flagship models due to its popularity and found that the web management interface suffers from a buffer overflow issue on the login page. Using a specially crafted pair of credentials as base64 encoded strings in the login fields, one can trigger the flaw and take control of the device's OS. The researchers found at least 200,000 of the detected routers to expose the vulnerable service on the internet and hence are readily exploitable without user interaction or any other special prerequisites. Of the remaining 500,000, many are also believed to be exploitable using one-click attacks, but only via LAN, so the attack surface is smaller.

     The vulnerable models are the following:

       • Vigor3910
       • Vigor1000B
       • Vigor2962 Series
       • Vigor2927 Series
       • Vigor2927 LTE Series
       • Vigor2915 Series
       • Vigor2952 / 2952P
       • Vigor3220 Series
       • Vigor2926 Series
       • Vigor2926 LTE Series
       • Vigor2862 Series
       • Vigor2862 LTE Series
       • Vigor2620 LTE Series
       • VigorLTE 200n
       • Vigor2133 Series
       • Vigor2762 Series
       • Vigor167
       • Vigor130
       • VigorNIC 132
       • Vigor165
       • Vigor166
       • Vigor2135 Series
       • Vigor2765 Series
       • Vigor2766 Series
       • Vigor2832
       • Vigor2865 Series
       • Vigor2865 LTE Series
       • Vigor2866 Series
       • Vigor2866 LTE Series

     DrayTek quickly released security updates for all models mentioned above, so navigate to the vendor's firmware update center and locate the latest version for your model. For information on performing the firmware update on your router, check out this guide by DrayTek. There have been no signs of CVE-2022-32548 being exploited so far, but as CISA reported recently, SOHO routers are always in the crosshairs of state-sponsored APTs from China and elsewhere.
  4. Attackers scan 1.6 million WordPress sites for vulnerable plugin

     Security researchers have detected a massive campaign that scanned close to 1.6 million WordPress sites for the presence of a vulnerable plugin that allows uploading files without authentication. The attackers are targeting the Kaswara Modern WPBakery Page Builder, which was abandoned by its author before receiving a patch for a critical severity flaw tracked as CVE-2021-24284. The vulnerability would allow an unauthenticated attacker to inject malicious JavaScript into sites using any version of the plugin and perform actions like uploading and deleting files, which could lead to complete takeover of the site. While the size of the campaign is impressive, with 1,599,852 unique sites being targeted, only a small portion of them are running the vulnerable plugin. Researchers at Defiant, the maker of the Wordfence security solution for WordPress, observed an average of almost half a million attack attempts per day against customer sites they protect.

     Indistinct large-scale attacks

     Based on Wordfence telemetry data, the attacks started on July 4 and are still ongoing today at an average of 443,868 attempts every day.

     [Image: Daily attacks captured and blocked by Wordfence]

     The attacks originate from 10,215 distinct IP addresses, with some having generated millions of requests while others are limited to lower numbers, the researchers say.

     [Image: IP addresses launching the attacks (Wordfence)]

     The attackers send a POST request to ‘wp-admin/admin-ajax.php’, attempting to use the plugin’s ‘uploadFontIcon’ AJAX function to upload a malicious ZIP payload that contains a PHP file. This file, in turn, fetches the NDSW trojan, which injects code in legitimate JavaScript files present on the target sites to redirect visitors to malicious destinations like phishing and malware-dropping sites. Some filenames the attackers use for the ZIP payloads are ‘inject.zip’, ‘king_zip.zip’, ‘null.zip’, ‘plugin.zip’, and ‘***_young.zip’.

     These files, or the presence of the “; if(ndsw==” string in any of your JavaScript files, indicate that you have been infected. If you’re still using the Kaswara Modern WPBakery Page Builder Addons plugin, you should remove it immediately from your WordPress site. If you’re not using the plugin, you are still recommended to block the IP addresses of the attackers. For more details on the indicators and the most prolific sources of requests, check out Wordfence’s blog.
  5. New PACMAN hardware attack targets Macs with Apple M1 CPUs

     A new hardware attack targeting Pointer Authentication in Apple M1 CPUs with speculative execution enables attackers to gain arbitrary code execution on Mac systems. Pointer Authentication is a security feature that adds a cryptographic signature, known as a pointer authentication code (PAC), to pointers, which allows the operating system to detect and block unexpected changes that would otherwise lead to data leaks or system compromise. Discovered by researchers at MIT's Computer Science & Artificial Intelligence Laboratory (CSAIL), this new class of attack would allow threat actors with physical access to Macs with Apple M1 CPUs to access the underlying filesystem. To do that, the attackers first need to find a memory bug affecting software on the targeted Mac that would be blocked by PAC and that can be escalated into a more severe security issue after bypassing PAC defenses.

     "PACMAN takes an existing software bug (memory read/write) and turns it into a more serious exploitation primitive (a pointer authentication bypass), which may lead to arbitrary code execution. In order to do this, we need to learn what the PAC value is for a particular victim pointer," the researchers explained. "PACMAN does this by creating what we call a PAC Oracle, which is the ability to tell if a given PAC matches a specified pointer. The PAC Oracle must never crash if an incorrect guess is supplied. We then brute force all possible PAC values using the PAC Oracle."

     While Apple can't patch the hardware to block attacks using this exploitation technique, the good news is that end-users don't need to be worried as long as they keep their software up to date and free of bugs that could be exploited to gain code execution using PACMAN. "PACMAN is an exploitation technique; on its own it cannot compromise your system. While the hardware mechanisms used by PACMAN cannot be patched with software features, memory corruption bugs can be," the researchers added. While this attack would typically lead to a kernel panic, crashing the entire system, PACMAN ensures that no system crashes occur and leaves no traces in logs.

     Apple: No immediate risk to users

     The MIT CSAIL researchers reported their findings and shared proof-of-concept attacks and code with Apple, exchanging info with the company since 2021. Apple says this new side-channel attack doesn't represent a danger to Mac users, given that it also requires other security vulnerabilities to be effective. "We want to thank the researchers for their collaboration as this proof-of-concept advances our understanding of these techniques," an Apple spokesperson told BleepingComputer. "Based on our analysis, as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass device protections on its own." Security experts have argued that the attack doesn't come with "real-world utility," which was confirmed by Joseph Ravichandran, an MIT Ph.D. student and one of the four researchers behind PACMAN. You can find more technical details about this novel hardware attack on the dedicated site and in the "PACMAN: Attacking ARM Pointer Authentication with Speculative Execution" paper [PDF] that will be presented at the International Symposium on Computer Architecture on June 18.
  6. Critical Jupiter WordPress plugin flaws let hackers take over sites

     WordPress security analysts have discovered a set of vulnerabilities impacting the Jupiter Theme and JupiterX Core plugins for WordPress, one of which is a critical privilege escalation flaw. Jupiter is a powerful high-quality theme builder for WordPress sites used by over 90,000 popular blogs, online mags, and platforms that enjoy heavy user traffic. The vulnerability, tracked as CVE-2022-1654 and given a CVSS score of 9.9 (critical), allows any authenticated user on a site using the vulnerable plugins to gain administrative privileges. After exploiting the vulnerability, attackers may perform unlimited actions on the site, including altering its content, injecting malicious scripts, or completely deleting it. A simple subscriber or customer on the site is enough to exploit this vulnerability, so the attack doesn't have very restrictive prerequisites.

     Discovery and fix

     According to Wordfence, which discovered the flaw, the problem lies in a function named "uninstallTemplate," which resets the site after a theme is removed. This function elevates the user's privileges to admin, so if a logged-in user sends an AJAX request with the action parameter set to call the function, they will elevate their privileges without going through nonce or any other checks. The Wordfence Threat Intelligence team discovered the issue on April 5, 2022, and notified the plugin developer with full technical details. On April 28, 2022, the vendor released a partial fix for the impacted plugins. Then, on May 10, 2022, Artbees released another security update that addressed the issues thoroughly. The versions impacted by CVE-2022-1654 are Jupiter Theme version 6.10.1 and older (fixed in 6.10.2), JupiterX Theme version 2.0.6 and older (fixed in 2.0.7), and JupiterX Core Plugin version 2.0.7 and older (fixed in 2.0.8).

     The only way to address the security problems is to update to the latest available versions as soon as possible, or to deactivate the plugin and replace your site's theme. During this security investigation, Wordfence discovered additional, albeit less severe, flaws that got fixed with the mentioned security updates on May 10, 2022. These flaws are:

       • CVE-2022-1656: Medium severity (CVSS score: 6.5) arbitrary plugin deactivation and settings modification.
       • CVE-2022-1657: High severity (CVSS score: 8.1) path traversal and local file inclusion.
       • CVE-2022-1658: Medium severity (CVSS score: 6.5) arbitrary plugin deletion.
       • CVE-2022-1659: Medium severity (CVSS score: 6.3) information disclosure, modification, and denial of service.

     These additional four vulnerabilities require authentication to be exploited, and they too are accessible to site subscribers and customers, but their consequences aren't as damaging.
  7. Unpatched DNS bug affects millions of routers and IoT devices

     A vulnerability in the domain name system (DNS) component of a popular C standard library that is present in a wide range of IoT products may put millions of devices at risk of DNS poisoning attacks. A threat actor can use DNS poisoning or DNS spoofing to redirect the victim to a malicious website hosted at an IP address on a server controlled by the attacker instead of the legitimate location. The library is uClibc and its fork from the OpenWRT team, uClibc-ng. Both variants are widely used by major vendors like Netgear, Axis, and Linksys, as well as Linux distributions suitable for embedded applications. According to researchers at Nozomi Networks, a fix is not currently available from the developer of uClibc, leaving products of up to 200 vendors at risk.

     Vulnerability details

     The uClibc library is a C standard library for embedded systems that offers various resources needed by functions and configuration modes on these devices. The DNS implementation in that library provides a mechanism for performing DNS-related requests like lookups, translating domain names to IP addresses, etc. Nozomi reviewed the trace of DNS requests performed by a connected device using the uClibc library and found some peculiarities caused by an internal lookup function. After investigating further, the analysts discovered that the DNS lookup request's transaction ID was predictable. Because of this, DNS poisoning might be possible under certain circumstances.

     [Image: DNS lookup functions in uClibc (Nozomi)]

     Flaw implications

     If the operating system doesn't use source port randomization, or if it does but the attacker is still capable of brute-forcing the 16-bit source port value, a specially crafted DNS response sent to devices using uClibc could trigger a DNS poisoning attack. DNS poisoning essentially tricks the target device into pointing to an arbitrarily defined endpoint and engaging in network communications with it. By doing that, the attacker would be able to reroute the traffic to a server under their direct control.

     "The attacker could then steal or manipulate information transmitted by users and perform other attacks against those devices to completely compromise them. The main issue here is how DNS poisoning attacks can force an authenticated response," - Nozomi Networks

     Mitigation and fixing

     Nozomi discovered the flaw in September 2021 and informed CISA about it. Then, in December, it reported it to the CERT Coordination Center, and finally, in January 2022, it disclosed the vulnerability to over 200 potentially impacted vendors. As mentioned above, there's currently no fix available for the flaw, which is now tracked under ICS-VU-638779 and VU#473698 (no CVE yet). Currently, all stakeholders are coordinating to develop a viable patch, and the community is expected to play a pivotal role in this, as this was precisely the purpose of the disclosure. As the affected vendors will have to apply the patch by shipping the new uClibc version in firmware updates, it will take a while for the fixes to reach end consumers. Even then, end-users will have to apply the firmware updates on their devices, which is another choke point that causes delays in fixing critical security flaws.

     "Because this vulnerability remains unpatched, for the safety of the community, we cannot disclose the specific devices we tested on," says Nozomi. "We can, however, disclose that they were a range of well-known IoT devices running the latest firmware versions with a high chance of them being deployed throughout all critical infrastructure."

     Users of IoT and router devices should keep an eye on new firmware releases from vendors and apply the latest updates as soon as they become available.
  8. New Nimbuspwn Linux vulnerability gives hackers root privileges

     A new set of vulnerabilities collectively tracked as Nimbuspwn could let local attackers escalate privileges on Linux systems to deploy malware ranging from backdoors to ransomware. Security researchers at Microsoft disclosed the issues in a report today, noting that they can be chained together to achieve root privileges on a vulnerable system. Tracked as CVE-2022-29799 and CVE-2022-29800, the Nimbuspwn security issues were discovered in networkd-dispatcher, a component that sends connection status changes on Linux machines. Discovering the vulnerabilities started with “listening to messages on the System Bus,” which prompted the researchers to review the code flow for networkd-dispatcher. The Nimbuspwn security flaws refer to directory traversal, symlink race, and time-of-check-time-of-use (TOCTOU) race condition issues, explains Microsoft researcher Jonathan Bar Or in the report. One observation that piqued interest was that the networkd-dispatcher daemon was running at boot time with root privileges on the system.

     [Image, source: Microsoft]

     The researcher noticed that the daemon used a method called “_run_hooks_for_state” to discover and run scripts depending on the detected network state. The logic implemented by “_run_hooks_for_state” includes returning executable script files owned by the root user and the root group that are in the “/etc/networkd-dispatcher/.d” directory. It runs each script in the above location using the process called subprocess.Popen while supplying custom environment variables.

     [Image, source: Microsoft]

     Microsoft’s report explains that “_run_hooks_for_state” has multiple security issues:

       • Directory traversal (CVE-2022-29799): none of the functions in the flow sanitize the OperationalState or the AdministrativeState. The states are used to build the script path, so a state could contain directory traversal patterns (e.g. “../../”) to escape from the “/etc/networkd-dispatcher” base directory.
       • Symlink race: both the script discovery and subprocess.Popen follow symbolic links.
       • Time-of-check-time-of-use (TOCTOU) race condition (CVE-2022-29800): there is a certain time between the scripts being discovered and them being run. An attacker can abuse this vulnerability to replace scripts that networkd-dispatcher believes to be owned by root with ones that are not.

     An attacker with low privileges on the system could chain together the above vulnerabilities to escalate to root-level permissions by sending an arbitrary signal. An overview of the steps for successful exploitation is captured in the image below, which covers three stages of the attack:

     [Image, source: Microsoft]

     Bar Or notes that winning the TOCTOU race condition requires planting multiple files. In his experiment to implement a custom exploit, success was recorded after three attempts.

     [Image, source: Microsoft]

     Leveraging Nimbuspwn successfully is possible when the exploit code can own a bus name under a privileged service or process. The researcher says that there are many environments where this is possible, including Linux Mint, where “the service systemd-networkd that normally owns the “org.freedesktop.Network1” [used in the research] bus name does not start at boot by default.” Additionally, Bar Or found additional “processes running as the systemd-network user” that executed arbitrary code from world-writable locations: e.g. several gpgv plugins (launched when apt-get installs or upgrades), and the Erlang Port Mapper Daemon (epmd), which allows running arbitrary code under some scenarios. Clayton Craft, the maintainer of networkd-dispatcher, has deployed the necessary updates that address the Nimbuspwn vulnerabilities. Linux users are recommended to patch their systems as soon as the fixes become available for their operating system.
  9. Critical bug in Android could allow access to users' media files

     Security analysts have found that Android devices running on Qualcomm and MediaTek chipsets were vulnerable to remote code execution due to a flaw in the implementation of the Apple Lossless Audio Codec (ALAC). ALAC is an audio coding format for lossless audio compression that Apple open-sourced in 2011. Since then, the company has been releasing updates to the format, including security fixes, but not every third-party vendor using the codec applies these fixes. According to a report by Check Point Research, this includes Qualcomm and MediaTek, two of the world's largest smartphone chip makers.

     The sound of RCE

     The analysts have not provided many details about the actual exploitation of the flaws yet but promised to do so at the upcoming CanSecWest in May 2022. From the details available, the vulnerability enables a remote attacker to execute code on a target device by sending a maliciously crafted audio file and tricking the user into opening it. The researchers are calling this attack "ALHACK." The impact of remote code execution attacks comes with severe implications, ranging from data breach, planting and executing malware, modifying device settings, accessing hardware components such as the microphone and camera, or account takeover. The ALAC flaws were fixed by MediaTek and Qualcomm in December 2021, and are tracked as CVE-2021-0674 (medium severity with a 5.5 score), CVE-2021-0675 (high severity with a 7.8 score), and CVE-2021-30351 (critical severity with a 9.8 score). From the researchers' analysis, the ALAC decoder implementations from Qualcomm and MediaTek suffer from possible out-of-bounds reads and writes, and improper validation of audio frames passed during music playback. The possible consequences include information disclosure and elevation of privileges with no user interaction required. BleepingComputer asked Qualcomm for a comment about the current risk for customers. A company spokesperson provided the statement below:

         Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies. We commend the security researchers from Check Point Technologies for using industry-standard coordinated disclosure practices. Regarding the ALAC audio decoder issue they disclosed, Qualcomm Technologies made patches available to device makers in October 2021. We encourage end users to update their devices as security updates have become available.

     The case with audio codec flaws

     Fixes of remote code execution flaws in closed-source audio processing units are present in almost every monthly Android security update. However, exploiting them is rarely trivial, and the component vendors provide few technical details to reduce exploitation risk. For example, Android patches from April included nine fixes for critical vulnerabilities in closed-source components. One of them is CVE-2021-35104 (9.8 severity score), a buffer overflow that led to improper parsing of headers while playing FLAC audio clips. The bug affected chipsets present in almost the entire range of products Qualcomm released in the past several years.

     How to stay safe

     The standard security advice applies here, too: keep your devices up to date; in this case it means running the Android patch level "December 2021" or later. If the device no longer receives security updates from the vendor, installing a third-party Android distribution that still provides Android patches is a valid option. Finally, when receiving audio files from unknown or suspicious sources/users, it is best not to open them, since they could trigger the vulnerability.
  10. Workaround for security issue in 7-Zip until it is fixed

     Recent versions of the open source archiver 7-Zip have a vulnerability that has not been fixed yet. Successful exploitation of the vulnerability allows privilege escalation and the execution of commands; it appears that the issue can be exploited locally only. Filed under CVE-2022-29072, the vulnerability leverages the included 7-Zip help file, 7-zip.chm, for the exploit. Attackers need to drag and drop files with the 7z extension onto the Help > Contents area in the 7-Zip interface. Vulnerability details have been published on GitHub. The page provides technical information and a short demonstration video of the exploit. It is unclear if and when 7-Zip will address the issue. The last update of the application dates back to the release of 7-Zip in December 2021.

     Users of the application may use the following workaround to mitigate the vulnerability on their devices. Since the exploit uses the included help file, one way of dealing with the issue is to delete the help file.

       • Open the 7-Zip installation directory or folder on the system. On Windows, this is usually C:\Program Files\7-Zip or C:\Program Files (x86)\7-Zip, depending on whether the 64-bit or the 32-bit version of the application has been installed.
       • Locate the file 7-Zip.chm; this is the help file. You can open it directly to display its content.
       • Hit the Delete key on the keyboard, or right-click on the file and select the Delete context menu option, to remove it from the system.
       • You may get a prompt, File Access Denied. If that is the case, select Continue. The file is moved to the recycle bin of the operating system by default.

     7-Zip functionality is not reduced when you delete the help file. The help file won't open anymore after the deletion, when you select Help > Contents in the 7-Zip File Manager or press the F1 key on the keyboard.

     Closing Words

     Deleting the help file does not take longer than a minute. While it appears unlikely that the issue is exploited on a large scale, most users may want to remove the help file to protect their systems against exploits targeting the issue.

     Now You: which archiver do you use? (via Deskmodder)
  11. The authors of the Elementor Website Builder plugin for WordPress have just released version 3.6.3 to address a critical remote code execution flaw that may impact as many as 500,000 websites. Although exploiting the flaw requires authentication, it's critical severity is given by the fact that anyone logged into the vulnerable website can exploit it, including regular subscribers. A threat actor creating a normal user account on an affected website could change the name and theme of the affected site making it look entirely different. Security researchers believe that a non-logged in user could also exploit the recently fixed flaw in Elementor plugin but they have not confirmed this scenario. Vulnerability details In a report released this week by researchers at the WordPress security service Plugin Vulnerabilities, who found the vulnerability, describe the technical details behind the issue in Elementor. The problem lies in the absence of a crucial access check on one of the plugin's files, "module.php", which is loaded on every request during the admin_init action, even for users that are not logged in, the researchers explain. "The RCE vulnerability we found involves the function upload_and_install_pro() accessible through the previous function. That function will install a WordPress plugin sent with the request" - Plugin Vulnerabilities One of the functions triggered by the admin_init action allows file upload in the form of a WordPress plugin. A threat actor could place a malicious file there to achieve remote code execution. The file upload function (Plugin Vulnerabilities) Activation of the injected malicious plugin (PV) The researchers say that the only restriction in place is access to a valid nonce. However, they found that the relevant nonce is present in "source code of admin pages of WordPress that starts 'elementorCommonConfig', which is included when logged in as a user with the Subscriber role." 
Impact and fixing

According to Plugin Vulnerabilities, the issue was introduced with Elementor 3.6.0, released on March 22, 2022. WordPress stats report that approximately 30.7% of Elementor's users have upgraded to version 3.6.x, which indicates that the maximum number of potentially affected sites is roughly 1,500,000. The plugin has been downloaded a little over one million times today. Assuming that all of those downloads were for 3.6.3, there must still be around 500,000 vulnerable websites out there.

The latest version includes a commit that implements an additional check on top of the nonce check, using the "current_user_can" WordPress function.

[Image: Commit in Elementor addressing the security flaw (WordPress)]

While this should address the security gap, the researchers haven't validated the fix yet, and the Elementor team hasn't published any details about the patch. BleepingComputer has reached out to Elementor's security team and will update this article as soon as we receive a response.

Plugin Vulnerabilities has also published a proof of concept (PoC) to prove the exploitability, increasing the risk of vulnerable websites being compromised. Admins are advised to apply the latest update available for the Elementor WordPress plugin or remove the plugin from their website altogether.

Critical flaw in Elementor WordPress plugin may affect 500k sites
  12. Windows has a new wormable vulnerability, and there’s no patch in sight

Critical bug in Microsoft's SMBv3 implementation published under mysterious circumstances.

[Image: Michael Theis / Flickr]

Word leaked out on Tuesday of a new vulnerability in recent versions of Windows that has the potential to unleash the kind of self-replicating attacks that allowed the WannaCry and NotPetya worms to cripple business networks around the world.

The vulnerability exists in version 3.1.1 of the Server Message Block, the service that’s used to share files, printers, and other resources on local networks and over the Internet. Attackers who successfully exploit the flaw can execute code of their choice on both servers and end-user computers that use the vulnerable protocol, Microsoft said in this bare-bones advisory. The flaw, which is tracked as CVE-2020-0796, affects Windows 10 versions 1903 and 1909 and Windows Server versions 1903 and 1909, which are relatively new releases that Microsoft has invested huge amounts of resources in hardening against precisely these types of attacks.

Patches aren’t available, and Tuesday’s advisory gave no timeline for one being released. Asked if there was a timeline for releasing a fix, a Microsoft representative said, “Beyond the advisory you linked, nothing else to share from Microsoft at this time.”

In the meantime, Microsoft said vulnerable servers can be protected by disabling compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server. Users can use the following PowerShell command to turn off compression without needing to reboot the machine:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

That fix won't protect vulnerable client computers or servers if they connect to a malicious SMB service, but in that scenario, the attacks aren't wormable.
Microsoft also recommended users block port 445, which is used to send SMB traffic between machines.

Now you see it, now you don’t

An advisory published—and then removed—by security firm Fortinet described the vulnerability as “MS.SMB.Server.Compression.Transform.Header.Memory.Corruption.” The pulled advisory said the flaw is the result of a buffer overflow in vulnerable Microsoft SMB servers. “The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet,” Fortinet researchers wrote. “A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application.”

Cisco’s Talos security team also published—and later pulled—its own advisory. It called the vulnerability “wormable,” meaning a single exploit could touch off a chain reaction that allows attacks to spread from vulnerable machine to vulnerable machine without requiring any interaction from admins or users. “An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to,” the removed Talos post said. “Users are encouraged to disable SMBv3 compression and block TCP port 445 on firewalls and client computers. The exploitation of this vulnerability opens systems up to a ‘wormable’ attack, which means it would be easy to move from victim to victim.”

Microsoft’s implementation of SMBv3 introduces a variety of measures designed to make the protocol more secure on Windows computers. The update became more widely used after WannaCry and NotPetya used an exploit developed by—and later stolen from—the National Security Agency. Known as EternalBlue, the attack exploited SMBv1 to gain remote code execution and move from machine to machine. Microsoft has similarly hardened Windows 10 and Server 2019 to better withstand exploits, especially those that would otherwise be wormable.
It’s not clear why Microsoft released the sparse details or why both Fortinet and Talos released and then pulled their advisories. The event came on Update Tuesday, which occurs on the second Tuesday of each month, when Microsoft releases a crop of patches to fix various security vulnerabilities.

Risk assessment

While CVE-2020-0796 is potentially serious, not everyone said it poses the kind of threat mounted by the SMBv1 flaw that was exploited by WannaCry and NotPetya. Those worms were fueled by the public release of EternalBlue, an exploit that was so reliable it made exploitation a copy-and-paste exercise. Another major contribution to the worms’ success was the near-ubiquity of SMBv1 at the time. SMBv3, by contrast, is much less used.

SMB is also protected by kernel address space layout randomization, a protection that randomizes the memory locations where attacker code gets loaded in the event a vulnerability is successfully exploited. The protection requires attackers to devise two highly reliable exploits: one that abuses a buffer overflow or other code-execution vulnerability, and another that reveals the memory locations of the malicious payload. The protection required Buckeye, an advanced hacker group that exploited the SMBv1 flaw 14 months before the mysterious leak of EternalBlue, to use a separate information disclosure flaw as well.

Jake Williams, a former NSA hacker and the founder of security firm Rendition Security, said in a Twitter thread that both those factors would likely buy vulnerable networks time. “The TL;DR here is that this IS serious, but it isn't WannaCry 2.0,” he wrote. “Fewer systems are impacted and there's no readily available exploit code. I'm not thrilled about another SMB vuln, but we all knew this would come (and this won't be the last).
Hysteria is unwarranted though.” It’s also worth remembering that BlueKeep, the name of another wormable vulnerability Microsoft patched last May, has yet to be exploited widely—if at all—despite dire warnings it posed a serious risk to networks around the world. The cause of the advisories being published and then pulled touched off a fair amount of speculation on Twitter. Microsoft commonly provides details about soon-to-be-released patches with makers of antivirus products and intrusion prevention systems. It’s possible Microsoft delayed release of the SMBv3 patch at the last minute, and these partners didn’t get word of it. Whatever the cause, the cat is out of the bag now. Windows users who have SMBv3 exposed on the Internet would do well to heed Microsoft’s security advice as soon as possible. Source: Windows has a new wormable vulnerability, and there’s no patch in sight (Ars Technica)
  13. Critical F5 BIG-IP vulnerability now targeted in ongoing attacks

On Thursday, cybersecurity firm NCC Group said that it detected successful in-the-wild exploitation of a recently patched critical vulnerability in F5 BIG-IP and BIG-IQ networking devices. The exploitation attempts started earlier this week and have escalated during the last 24 hours, with mass scanning activity being detected by NCC Group and Bad Packets.

"Starting this week and especially in the last 24 hours (March 18th, 2021) we have observed multiple exploitation attempts against our honeypot infrastructure," said NCC Group's Rich Warren and Sander Laarhoven. "This knowledge, combined with having reproduced the full exploit-chain we assess that a public exploit is likely to be available in the public domain soon."

The security vulnerability these attackers attempt to exploit is an unauthenticated remote command execution (RCE) tracked as CVE-2021-22986, and it affects most F5 BIG-IP and BIG-IQ software versions. Multiple security researchers have already shared proof-of-concept exploit code after reverse-engineering the BIG-IP patch. Successful exploitation of this bug (with a severity rating of 9.8/10) could lead to full system compromise, including lateral movement to the internal network and interception of controller application traffic.

We are now seeing full chain exploitation of F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986 - IoCs in the updated blog - we will share more as we have - https://t.co/gBoOND79Ll — NCC Group Research & Technology (@NCCGroupInfosec) March 19, 2021

Highly valuable targets

A similarly critical RCE vulnerability with a maximum 10/10 severity rating, tracked as CVE-2020-5902, in F5 BIG-IP ADC appliances was also heavily exploited last year after being patched in July 2020. The Iranian-backed Pioneer Kitten hacking group started targeting enterprises with unpatched BIG-IP devices right after the flaw was disclosed.
Their attacks lined up with an August alert issued by the FBI warning of Iranian state hackers attempting to exploit vulnerable BIG-IP ADC devices starting in early July 2020. CISA issued another advisory saying that China-backed hacking groups targeted government agencies by hunting down and trying to hack their vulnerable F5, Microsoft Exchange, Citrix, and Pulse Secure devices and servers.

Organizations are advised to patch their F5 BIG-IP devices as soon as possible to defend against future attacks. "We strongly encourage all customers to update their BIG-IP and BIG-IQ systems to a fixed version as soon as possible," F5 said after releasing security updates to patch CVE-2021-22986 and three other critical security flaws affecting its products. "To fully remediate the critical vulnerabilities, all BIG-IP customers will need to update to a fixed version."

F5 provides information on upgrading BIG-IP appliances, with details on multiple upgrade scenarios, in its BIG-IP upgrade guide. NCC Group also provides indicators of compromise, detection logic, and Suricata network rules to help admins detect and block incoming attacks.

Source: Critical F5 BIG-IP vulnerability now targeted in ongoing attacks
  14. Recently Patched Android Vulnerability Exploited in Attacks Google has warned Android users that a recently patched vulnerability has been exploited in attacks. The vulnerability in question, tracked as CVE-2020-11261, was patched by Google with the Android security updates released in January 2021. The vulnerability is a high-severity improper input validation issue affecting a display/graphics component from Qualcomm. The flaw was reported to Qualcomm through Google in July 2020 and it affects a long list of chipsets. In Qualcomm’s advisory, CVE-2020-11261 is described as a “memory corruption due to improper check to return error when user application requests memory allocation of a huge size.” The advisory also reveals that the access vector for the security hole is “local,” which suggests it could be a privilege escalation vulnerability. Google Project Zero researcher Ben Hawkes posted a tweet on Monday to point out that the Android security bulletin for January 2021 has been updated to inform users that the vulnerability has apparently been exploited. “There are indications that CVE-2020-11261 may be under limited, targeted exploitation,” reads a note added to the Android advisory. Google has credited GitHub security researcher Man Yue Mo for reporting the vulnerability. The researcher earned significant bug bounties from Google over the past few years for potentially serious Chrome bugs. Google last week said a sophisticated threat actor had used at least 11 zero-day vulnerabilities as part of a mass spying campaign. The APT group had leveraged watering hole attacks to deliver malware to Windows, Android and iOS devices. It’s unclear if CVE-2020-11261 has been exploited by this group. Source: Recently Patched Android Vulnerability Exploited in Attacks
  15. Trustwave Uncovers Vulnerability in Popular Website CMS

Cybersecurity firm Trustwave has uncovered a security vulnerability in the popular website CMS, Umbraco. In a blog post on its website, Trustwave researchers outlined details of a privilege escalation issue which allows low privileged users to elevate themselves to the status of admin.

The problem resides in an API endpoint that does not properly check the user’s authorization before returning results from the application’s logging section. In the CMS, higher privileged users, i.e. administrators, are able to view log data in the administrative UI, which contains any information inserted into the application logs.

To test the risk of any of this information being leaked, the administrator creates a lower privileged user who is placed into the Writers group. This means the low privileged user can only view the content tab, indicating the intent of limiting what Writers can do or see within the application. The low privileged user then authenticates to the application and is provided with the necessary cookies and headers to access it; these identifiers can then enable the low privileged user to access the API endpoint, which returns log data that should only be available to the administrator.

Trustwave revealed the reason for this was that in Umbraco.Web.dll, the LogViewerController class uses no granular authorization attributes on its exposed endpoints, meaning numerous endpoints are accessible to lower privileged users.

Jonathan Yarema, managing consultant, SpiderLabs at Trustwave, commented in the blog: “Conversely, there are other areas which do protect resources such as the UsersController wherein some methods are explicitly limited to Administrative users (“[AdminUsersAuthorize]” attribute) or must otherwise give permission to the controller (“[UmbracoApplicationAuthorize]”).
A similar approach should be used for the LogViewerController to limit unauthorized access to its data.” The issue has been observed in Umbraco versions 8.9.0 and 8.6.3. Source: Trustwave Uncovers Vulnerability in Popular Website CMS
  16. T-Mobile, Verizon, AT&T Stop SMS Hijacks After Motherboard Investigation

All the mobile carriers have mitigated a major SMS security loophole that allowed a hacker to hijack text messages for just $16.

[Image: Ljubaphoto via Getty Images]

All of the major carriers made a significant change to how SMS messages are routed to prevent hackers from being able to easily reroute a target's texts, according to an announcement from Aerialink, a communications company that helps route text messages. The move comes after a Motherboard investigation in which a hacker, with minimal effort, paid $16 to reroute our text messages and then used that ability to break into a number of online accounts, including Postmates, WhatsApp, and Bumble, exposing a gaping hole in the country's telecommunications infrastructure.

"The Number Registry has announced that wireless carriers will no longer be supporting SMS or MMS text enabling on their respective wireless numbers," the March 25 announcement from Aerialink reads. The announcement adds that the change is "industry-wide" and "affects all SMS providers in the mobile ecosystem."

"Be aware that Verizon, T-Mobile and AT&T have reclaimed overwritten text-enabled wireless numbers industry-wide. As a result, any Verizon, T-Mobile or AT&T wireless numbers which had been text-enabled as BYON no longer route messaging traffic through the Aerialink Gateway," the announcement adds, referring to Bring Your Own Number.

T-Mobile, Verizon, and AT&T did not immediately respond to a request for comment. Neither did the Federal Communications Commission (FCC) nor the CTIA, a trade body for the carriers.
Last week, Motherboard published an investigation in which pseudonymous hacker Lucky225 paid a small sum of money to a company called Sakari to demonstrate the issue, which had not previously been reported in detail. Sakari is a firm that helps businesses with SMS marketing and mass messaging. As part of that, Sakari had gained the ability to reroute text messages from another company called Bandwidth, which in turn obtained it from another called NetNumber.

[Image: A screenshot of the announcement on Aerialink's website.]

When entering the respective phone number, Lucky225 was asked to sign a document essentially pinky-swearing he had authority to reroute the messages, but there was no technical mitigation in place to ensure the target had provided consent. "Welcome to create an account if you want to mess with it, literally anyone can sign up," Lucky225, who is Chief Information Officer at cybersecurity firm Okey Systems, said at the time.

A few minutes after entering Motherboard's phone number, Lucky225 started receiving text messages originally meant for our phone. From here, he logged into various services that used SMS as a login or authentication mechanism.

"It’s not hard to see the enormous threat to safety and security this kind of attack poses. The FCC must use its authority to force phone companies to secure their networks from hackers. Former Chairman Pai’s approach of industry self-regulation clearly failed," Senator Ron Wyden said in a statement after Motherboard explained the contours of the attack at the time.

After Motherboard originally contacted Sakari for comment, Adam Horsman, co-founder of the company, said Sakari had introduced a security feature where an entered number will receive an automated call to ensure that the number owner consents to the message rerouting. Now, with the carriers cutting off the enabling of text messages on mobile numbers, the wider ecosystem of business text messaging companies is likely unable to perform the service at all.
Horsman told Motherboard in a statement on Thursday that "We welcome this news and hope the rest of the industry follows suit. It has always been our policy at Sakari to only support the text-enablement of VoIP and landline phone numbers, and as soon as the industry issue was raised we placed a complete block on any mobile numbers. As part of our internal audit, other than Lucky225’s account, we found no other mobile numbers enabled." Another company included in Motherboard's investigation said it recently saw suspicious activity on another of its accounts. Clarification: In between the original investigation and this article, Lucky225’s position at Okey Systems has changed from Director of Information to Chief Information Officer. The piece has been updated to reflect that. Source: T-Mobile, Verizon, AT&T Stop SMS Hijacks After Motherboard Investigation
  17. GRUB2 boot loader reveals multiple high severity vulnerabilities

GRUB, a popular boot loader used by Unix-based operating systems, has fixed multiple high severity vulnerabilities.

In 2020, BleepingComputer had reported on the BootHole vulnerability in GRUB2 that could have let attackers compromise an operating system's booting process even if the Secure Boot verification mechanism was active. Threat actors could further abuse the flaw to hide arbitrary code ("bootkit") within the OS that would run on every boot. Flaws like these in boot loaders are particularly serious because they allow circumvention of UEFI Secure Boot, a verification mechanism for ensuring that code executed by a computer's UEFI firmware is trusted and not malicious.

117 patches issued for high severity GRUB2 vulnerabilities

This week GRUB project maintainers have released hundreds of upstream patches for the severe boot loader flaws listed below.

"The BootHole vulnerability announced last year encouraged many people to take a closer look at the security of boot process in general and the GRUB bootloader in particular." "Due to that, during the past few months we were getting reports of, and also discovering various security flaws in the GRUB ourselves," said Oracle software developer and GRUB maintainer Daniel Kiper.

Referring to the list of vulnerabilities and CVEs that were remedied, Kiper stated the patch bundle fixing all the bugs comprises 117 patches. The list of GRUB2 vulnerabilities is as follows:

CVE | CVSS 3.1 Severity | Type | Description | Reported by
CVE-2020-14372 | High (7.5) | Incomplete List of Disallowed Inputs | The acpi command allows a privileged user to load crafted ACPI tables when Secure Boot is enabled. | Máté Kukri
CVE-2020-25632 | High (7.5) | Use-after-free | The rmmod implementation for GRUB2 is flawed, allowing an attacker to unload a module used as a dependency without checking if any other dependent module is still loaded. | Chris Coulson (Canonical)
CVE-2020-25647 | Medium (6.9) | Out-of-bound write | grub_usb_device_initialize() is called to handle USB device initialization. It reads out the descriptors it needs from the USB device and uses that data to fill in some USB data structures. grub_usb_device_initialize() performs very little bounds checking and simply assumes the USB device provides sane values. This behavior can trigger memory corruption or lead to arbitrary code execution. | Joseph Tartaro (IOActive), Ilja van Sprundel (IOActive)
CVE-2020-27749 | High (7.5) | Stack buffer overflow | grub_parser_split_cmdline() expands variable names present in the supplied command line into their corresponding variable contents and uses a 1kB stack buffer for temporary storage without sufficient bounds checking. An attacker can exploit the flaw to circumvent Secure Boot protections. | Chris Coulson (Canonical)
CVE-2020-27779 | High (7.5) | Improper Authorization | The cutmem command allows a privileged user to remove memory regions when Secure Boot is enabled. | Teddy Reed
CVE-2021-3418 | Medium (6.4) | Improper Preservation of Permissions | GRUB 2.05 reintroduced CVE-2020-15705. This refers to a distro-specific flaw which made it upstream in the mentioned version. | Dimitri John Ledkov (Canonical)
CVE-2021-20225 | High (7.5) | Heap out-of-bounds write | The option parser in GRUB2 allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. | Daniel Axtens (IBM)
CVE-2021-20233 | High (7.5) | Heap out-of-bound write | There's a flaw in the GRUB2 menu rendering code: setparam_prefix() performs a length calculation on the assumption that expressing a quoted single quote will require 3 characters, while it actually requires 4 characters. | Daniel Axtens (IBM)

Vendors yet to release full mitigation details

Kiper described the improvements made to resolve these flaws on GRUB's mailing list.
Although 117 upstream code patches have been issued to resolve these CVEs, detailed instructions on mitigation and obtaining updates will be provided by OS vendors. "Details of exactly what needs updating will be provided by the respective distros and vendors when updates become available." Advisories have also been published by Canonical (Ubuntu), Debian, RedHat, and Suse detailing remediation steps.

"It is important to know that shim and SBAT development is still ongoing." "Full mitigation against all the CVEs will require an updated UEFI revocation list (dbx) which, in at least some cases, will not allow Secure Boot with today's boot artifacts," continued Kiper.

Not all vendors may have shipped updates for the flaws just yet, and more details are to follow once the coordinated disclosure process is complete. Microsoft is expected to release an updated UEFI revocation file as a mitigation for the vulnerabilities.

Given the seriousness of the BootHole vulnerability in GRUB, high severity vulnerabilities like the ones mentioned above should be patched as soon as possible. Users are encouraged to keep an eye out for and apply vendor updates as soon as they become available.

GRUB2 boot loader reveals multiple high severity vulnerabilities
  18. Apple releases iOS 14.4.1 and macOS 11.2.3 to address a WebKit vulnerability The company recommends downloading the updates as soon as possible. Chris Velazco / Engadget Apple has released a set of updates it recommends all iPhone, iPad and Mac users download as soon as possible. No, iOS 14.5 and Big Sur 11.3 aren’t out yet. Instead, what we have are iOS 14.4.1 and macOS 11.2.3. When you download them on your devices, all you’ll get is a terse explanation from Apple saying that they’re “important.” However, the support pages spotted by 9to5Mac provide more information. Both updates address a memory corruption issue within WebKit, the engine that powers Apple’s Safari browser. The vulnerability, which was discovered by security researchers from Google and Microsoft, may have allowed bad actors to execute code on your devices using “maliciously crafted” web content. On iOS, you can manually download an update to your iPhone or iPad by opening the Settings app, and then tapping “General” followed by “Software Update.” Meanwhile, on macOS, open the System Preferences menu and click on “Software Update.” Source: Apple releases iOS 14.4.1 and macOS 11.2.3 to address a WebKit vulnerability
  19. Bug in Apple's Find My Feature Could've Exposed Users' Location Histories

Cybersecurity researchers on Thursday disclosed two distinct design and implementation flaws in Apple's crowdsourced Bluetooth location tracking system that can lead to a location correlation attack and unauthorized access to the location history of the past seven days, thereby deanonymizing users.

The findings are a consequence of an exhaustive review undertaken by the Open Wireless Link (OWL) project, a team of researchers from the Secure Mobile Networking Lab at the Technical University of Darmstadt, Germany, who have historically taken apart Apple's wireless ecosystem with the goal of identifying security and privacy issues. In response to the disclosures on July 2, 2020, Apple is said to have partially addressed the issues, stated the researchers, who used their own data for the study, citing the privacy implications of the analysis.

How Find My Works

Apple devices come with a feature called Find My that makes it easy for users to locate other Apple devices, including iPhone, iPad, iPod touch, Apple Watch, Mac, or AirPods. With the upcoming iOS 14.5, the company is expected to add support for Bluetooth tracking devices — called AirTags — that can be attached to items like keys and wallets, which in turn can be used for tracking purposes right from within the Find My app.

What's more interesting is the technology that undergirds Find My. Called offline finding and introduced in 2019, the location tracking feature broadcasts Bluetooth Low Energy (BLE) signals from Apple devices, allowing other Apple devices in close proximity to relay their location to Apple's servers.
Put differently, offline finding turns every mobile device into a broadcast beacon designed explicitly to shadow its movements by leveraging a crowdsourced location tracking mechanism that's both end-to-end encrypted and anonymous, so much so that no third party, including Apple, can decrypt those locations and build a history of every user's whereabouts.

This is achieved via a rotating key scheme: each device generates a public-private key pair and emits Bluetooth signals that encode the public key. This key information is subsequently synchronized via iCloud with all other Apple devices linked to the same user (i.e., Apple ID). A nearby iPhone or iPad (with no connection to the original offline device) that picks up this message checks its own location, then encrypts that location using the aforementioned public key before sending it to the cloud along with a hash of the public key.

In the final step, Apple sends this encrypted location of the lost device to a second Apple device signed in with the same Apple ID, from where the owner can use the Find My app to decrypt the reports using the corresponding private key and retrieve the last known location; the companion device uploads the same hash of the public key to find a match on Apple's servers.

Issues with Correlation and Tracking

Since the approach follows a public key encryption (PKE) setup, even Apple cannot decrypt the location as it's not in possession of the private key. While the company has not explicitly revealed how often the key rotates, the rolling key pair architecture makes it difficult for malicious parties to exploit the Bluetooth beacons to track users' movements.

But OWL researchers said the design allows Apple — by virtue of being the service provider — to correlate different owners' locations if their locations are reported by the same finder devices, effectively allowing Apple to construct what they call a social graph.
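To make the report flow and the correlation issue concrete, here is an added Python model. It is not Apple's code and not the OWL project's code: devices derive rotating public keys, finders store reports under a hash of the key, owners fetch by those hashes, and the server side can link two owners whose beacons the same finder reported close together in time, without decrypting anything. The hash-chain key derivation, the FindMyServer class, the owner and finder names, the timestamps and the 300-second window are all constructed for the example; the ciphertext is an opaque placeholder.

```python
import hashlib
from collections import defaultdict
from itertools import combinations


def rotating_keys(seed: bytes, count: int) -> list:
    """Derive a sequence of rotating 'public keys' for one device.

    Hypothetical hash-chain derivation for this example only; it stands in
    for the per-device key rotation the article describes.
    """
    keys, key = [], seed
    for _ in range(count):
        key = hashlib.sha256(key).digest()
        keys.append(key)
    return keys


def key_hash(public_key: bytes) -> str:
    """Reports are stored and looked up under a hash of the advertised public key."""
    return hashlib.sha256(public_key).hexdigest()


class FindMyServer:
    """Minimal model of the report store (constructed for the example)."""

    def __init__(self) -> None:
        # key hash -> list of (finder_id, timestamp, opaque ciphertext)
        self.reports = defaultdict(list)
        # key hash -> set of owner ids that asked for it (learned at fetch time)
        self.fetched_by = defaultdict(set)

    def upload(self, finder_id: str, public_key: bytes, ts: int, ciphertext: bytes) -> None:
        """A finder encrypted its own location to the beacon's key and uploads it."""
        self.reports[key_hash(public_key)].append((finder_id, ts, ciphertext))

    def fetch(self, owner_id: str, hashes: list) -> list:
        """The owner uploads the hashes of its keys to retrieve matching reports.

        The server still cannot decrypt them, but it now knows which hashes
        belong to which owner; that link is all the correlation below needs.
        """
        found = []
        for h in hashes:
            self.fetched_by[h].add(owner_id)
            found.extend(self.reports.get(h, []))
        return found

    def social_graph(self, window: int) -> list:
        """Owner pairs whose beacons the same finder reported within `window` s.

        Key rotation does not prevent this: every rotated key's hash was tied
        to its owner the moment the owner fetched it.
        """
        sightings = defaultdict(list)  # finder_id -> [(ts, owner_id)]
        for h, reps in self.reports.items():
            for owner in self.fetched_by.get(h, ()):
                for finder, ts, _ in reps:
                    sightings[finder].append((ts, owner))
        links = set()
        for obs in sightings.values():
            for (t1, o1), (t2, o2) in combinations(obs, 2):
                if o1 != o2 and abs(t1 - t2) <= window:
                    links.add(tuple(sorted((o1, o2))))
        return sorted(links)


def scenario() -> dict:
    """Constructed walk-through: three owners, three finders, one shared sighting."""
    server = FindMyServer()
    alice = rotating_keys(b"alice-device-seed", 3)
    bob = rotating_keys(b"bob-device-seed", 3)
    carol = rotating_keys(b"carol-device-seed", 3)
    opaque = b"<encrypted-location>"  # placeholder; never decrypted here

    server.upload("finder-1", alice[0], 1000, opaque)   # Alice and Bob together
    server.upload("finder-1", bob[1], 1030, opaque)
    server.upload("finder-2", carol[2], 1000, opaque)   # Carol alone
    server.upload("finder-3", carol[0], 5000, opaque)   # Carol and Alice, hours apart
    server.upload("finder-3", alice[2], 50000, opaque)

    alice_reports = server.fetch("alice", [key_hash(k) for k in alice])
    server.fetch("bob", [key_hash(k) for k in bob])
    server.fetch("carol", [key_hash(k) for k in carol])

    return {
        "alice_report_count": len(alice_reports),   # 2 reports across two rotated keys
        "links": server.social_graph(window=300),   # [("alice", "bob")]
    }
```

The point of the model is that the end-to-end encryption holds (the server never sees a location), yet the metadata it must keep to serve fetches (which finder uploaded which key hash, and which account asked for it) is enough to tie owners together; a design that wanted to deny the operator that graph would have to make retrieval unlinkable to the owner, not merely rotate keys.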
"Law enforcement agencies could exploit this issue to deanonymize participants of (political) demonstrations even when participants put their phones in flight mode," the researchers said, adding "malicious macOS applications can retrieve and decrypt the [offline finding] location reports of the last seven days for all its users and for all of their devices as cached rolling advertisement keys are stored on the file system in cleartext." In other words, the macOS Catalina vulnerability (CVE-2020-9986) could allow an attacker to access the decryption keys, using them to download and decrypt location reports submitted by the Find My network, and ultimately locate and identify their victims with high accuracy. The weakness was patched by Apple in November 2020 (version macOS 10.15.7) with "improved access restrictions." A second outcome of the investigation is an app that's designed to let any user create an "AirTag." Called OpenHaystack, the framework allows for tracking personal Bluetooth devices via Apple's massive Find My network, enabling users to create their own tracking tags that can be appended to physical objects or integrated into other Bluetooth-capable devices. This is not the first time researchers from Open Wireless Link (OWL) have uncovered flaws in Apple's closed-source protocols by means of reverse engineering. In May 2019, the researchers disclosed vulnerabilities in Apple's Wireless Direct Link (AWDL) proprietary mesh networking protocol that permitted attackers to track users, crash devices, and even intercept files transferred between devices via man-in-the-middle (MitM) attacks. This was later adapted by Google Project Zero researcher Ian Beer to uncover a critical "wormable" iOS bug last year that could have made it possible for a remote adversary to gain complete control of any Apple device in the vicinity over Wi-Fi. Source: Bug in Apple's Find My Feature Could've Exposed Users' Location Histories
  20. InternetNZ discloses vulnerability that can be used to carry out cyberattacks

A new vulnerability affecting authoritative DNS servers has been disclosed by InternetNZ. It includes servers run by top-level domain (TLD) operators, including .nz. InternetNZ says the vulnerability could be exploited to carry out Denial-of-Service (DoS) attacks across the world.

InternetNZ is a non-profit organisation and the home and guardian of the .nz domain. Its mission is to "create an internet for all New Zealanders that is safe, accessible and a place for good". Its role involves a lot of internet-related work throughout New Zealand, funded by the sales of .nz domain names, including policy work on internet issues faced in New Zealand, providing community grants to support Internet-related projects, conducting research to highlight the state of the internet, and hosting events, such as NetHui, to bring together the internet community.

The vulnerability, called TsuNAME, was noticed in February 2020 in the .nz registry. InternetNZ worked with the global community to have it fixed. According to InternetNZ, TsuNAME requires three things to be exploited: cyclic dependent NS records, vulnerable resolvers, and user queries only to start/drive the process.

In February 2020, two .nz domains were unintentionally misconfigured with cyclic dependencies, which resulted in a 50% surge in DNS traffic for all .nz infrastructure. Later, this phenomenon was studied and replicated by an international group of researchers from InternetNZ, SIDN Labs (InternetNZ's counterpart from the Netherlands, the organisation running .nl), and the University of Southern California Information Sciences Institute (USC/ISI). Further tests showed that the conditions for an attack event are easy to create, and the consequences are serious.

"Google Public DNS was the main affected party by this vulnerability," says InternetNZ's chief scientist Sebastian Castro.
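The first two of the three preconditions above, cyclic NS dependencies and a resolver that keeps chasing them, in an added Python example (not Cycle Hunter's code, not InternetNZ's, and not any real resolver's implementation). It builds a dependency graph from constructed delegation data for a few made-up .nz zones, finds the cycle the way a registry-side check would, and shows a delegation-chasing routine that refuses to re-enter a zone it is already resolving, which is the kind of limit the affected resolvers lacked. The zone names, the glue address (a TEST-NET address) and the step budget are constructed for the example.

```python
from collections import defaultdict

# Constructed delegation data (not real .nz records): zone -> NS host names.
# example.nz and foo.nz each name servers inside the other's zone, and neither
# has glue, so neither can be resolved without first resolving the other.
DELEGATIONS = {
    "example.nz": ["ns1.foo.nz", "ns2.foo.nz"],
    "foo.nz": ["ns1.example.nz"],
    "healthy.nz": ["ns1.healthy.nz"],       # in-zone server, glue present
    "other.nz": ["ns1.dns-provider.com"],   # server in a zone we do not manage
}
GLUE = {"ns1.healthy.nz": "192.0.2.10"}     # constructed TEST-NET address


class CyclicDependency(Exception):
    """Raised instead of looping when a delegation chain never reaches an address."""


def parent_zone(hostname, zones):
    """Longest zone in `zones` that `hostname` falls under, or None if unknown."""
    labels = hostname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def dependency_graph(delegations, glue):
    """zone -> set of zones that must be resolved first (NS names without glue)."""
    graph = defaultdict(set)
    for zone, servers in delegations.items():
        for ns in servers:
            if ns in glue:
                continue
            dep = parent_zone(ns, delegations)
            if dep is not None:
                graph[zone].add(dep)
    return graph


def find_cycles(graph):
    """Registry-side check: every cycle in the dependency graph, as a list of
    zones that starts and ends on the same zone. Depth-first search with a
    'visiting' mark: a zone reached again while still on the path is a cycle."""
    cycles, state = [], {}

    def visit(zone, path):
        state[zone] = "visiting"
        path.append(zone)
        for dep in sorted(graph.get(zone, ())):
            if state.get(dep) == "visiting":
                cycles.append(path[path.index(dep):] + [dep])
            elif dep not in state:
                visit(dep, path)
        path.pop()
        state[zone] = "done"

    for zone in sorted(graph):
        if zone not in state:
            visit(zone, [])
    return cycles


def resolve_ns(zone, delegations, glue, in_progress=None, budget=None):
    """Resolver-side guard: chase delegations to a glue address, but refuse to
    re-enter a zone already being resolved and stop after a fixed number of
    steps. A resolver without such limits keeps re-querying the authoritative
    servers, which is the traffic surge the article describes."""
    in_progress = set() if in_progress is None else in_progress
    budget = [8] if budget is None else budget          # constructed step limit
    if zone in in_progress:
        raise CyclicDependency(f"{zone} is already being resolved")
    if budget[0] == 0:
        raise CyclicDependency("delegation chase budget exhausted")
    budget[0] -= 1
    in_progress.add(zone)
    for ns in delegations.get(zone, []):
        if ns in glue:
            return glue[ns]
        dep = parent_zone(ns, delegations)
        if dep is None:
            continue  # would need an external lookup; out of scope here
        try:
            return resolve_ns(dep, delegations, glue, in_progress, budget)
        except CyclicDependency:
            continue  # try the next NS before giving up
    raise CyclicDependency(f"no resolvable name server for {zone}")


def is_resolvable(zone, delegations=DELEGATIONS, glue=GLUE):
    """True if a glue address is reachable for `zone` without looping."""
    try:
        resolve_ns(zone, delegations, glue)
        return True
    except CyclicDependency:
        return False
```

Running find_cycles(dependency_graph(DELEGATIONS, GLUE)) reports the example.nz/foo.nz loop, while is_resolvable("healthy.nz") succeeds and is_resolvable("example.nz") fails fast instead of hammering the parent; a registry would run the first check over its whole delegation set, which is what the article says TLDs have been doing with Cycle Hunter.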
"They received a private responsible disclosure from our group in October 2020 and have repaired their code since then," he says. "We also reached out to Cisco, whose Public DNS was affected as well, and it is now fixed," Castro adds. During February 2021, the group reached out privately to the DNS and registry community, including other country code top-level domains (ccTLDs), to make them aware of the vulnerability and to be prepared. The TsuNAME group developed a security advisory paper and an open-source detection tool called Cycle Hunter, and TLDs all around the world have been using it to detect and remove cyclic dependencies. "This underground work of months shows our organisations commitment to a better internet, where issues that can affect others are identified and fixed," Castro says. "Our work is not finished yet." Source: InternetNZ discloses vulnerability that can be used to carry out cyberattacks
  21. WhatsApp Vulnerability Discovered That Could Allow Attackers to Suspend Your Account Remotely WhatsApp has suggested that users could avoid the problem by providing their email address with two-step verification. WhatsApp users are at risk even if they've enabled two-factor authentication (2FA) on their accounts. WhatsApp has been found to have a vulnerability that can allow an attacker to suspend your account remotely using only your phone number. The flaw, now found by security researchers, appears to have existed in the instant messaging app for quite some time, as it stems from two fundamental weaknesses. A large number of WhatsApp users are said to be at risk, as a remote attacker can deactivate WhatsApp on your phone and then stop you from activating it again. The vulnerability can be exploited even if you've enabled two-factor authentication (2FA) for your WhatsApp account. Security researchers Luis Márquez Carpintero and Ernesto Canales Pereña discovered the flaw that can allow attackers to remotely suspend your WhatsApp account. As first reported by Forbes, the researchers found that the flaw exists in the instant messaging app due to two fundamental weaknesses. The first weakness allows the attacker to enter your phone number into WhatsApp installed on their own phone. This will, of course, not give access to your WhatsApp account unless the attacker obtains the six-digit registration code you'll receive on your phone. Multiple failed attempts to sign in using your phone number will also block code entries on WhatsApp installed on the attacker's phone for 12 hours. However, while the attacker won't be able to repeat the sign-in process with your phone number, they will be able to contact WhatsApp support to deactivate your phone number from the app. What they need is a new email address and a simple email stating that the phone has been stolen or lost. 
In response to that email, WhatsApp will ask for a confirmation, which the attacker will quickly provide from their end. This will deactivate your WhatsApp account, meaning that you'll no longer be able to access the instant messaging app on your phone. You won't be able to avoid that deactivation by using 2FA on your WhatsApp account, as the account has been deactivated through the email sent by the attacker. In a regular deactivation case, you can activate your WhatsApp account again by verifying your phone number. This is, however, not possible if the attacker has already locked the verification process for 12 hours by making multiple failed attempts to sign in to your WhatsApp account. This means that you'll also be blocked from getting a new registration code on your phone number for 12 hours. The attacker can also repeat the failed sign-in attempts to lock your account for another 12 hours when the first period expires. This shows that WhatsApp treats your phone the same way it treats the attacker's and blocks sign-in access for both. You'll only have the option of getting your WhatsApp account back by contacting the messaging app over email. A WhatsApp spokesperson told Gadgets 360 that users could avoid having their accounts deactivated by attackers using the newly discovered flaw by registering an email address with their account via two-step verification. "Providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem. The circumstances identified by this researcher would violate our terms of service and we encourage anyone who needs help to email our support team so we can investigate," the spokesperson said. However, WhatsApp has not provided any details on whether it is fixing the vulnerability to limit its effect on the wider user base. 
It is currently unclear whether an attacker has exploited the vulnerability in the wild. However, considering the fact that the details about the flaw are now in the public, it could easily be leveraged to restrict anyone from using their WhatsApp — at least for a few hours. WhatsApp has a massive user base of more than two billion users worldwide, with over 400 million users in India alone. Most of the users aren't likely to have their email addresses registered with their accounts at this moment. Therefore, the scope of the reported vulnerability is quite wide. Source: WhatsApp Vulnerability Discovered That Could Allow Attackers to Suspend Your Account Remotely
  22. A New Facebook Bug Exposes Millions of Email Addresses A recently discovered vulnerability discloses user email addresses even when they're set to private. Still smarting from last month's dump of phone numbers belonging to 500 million Facebook users, the social media giant has a new privacy crisis to contend with: a tool that, on a massive scale, links Facebook accounts with their associated email addresses, even when users choose settings to keep them from being public. A video circulating on Tuesday showed a researcher demonstrating a tool named Facebook Email Search v1.0, which he said could link Facebook accounts to as many as 5 million email addresses per day. The researcher, who said he went public after Facebook said it didn't think the weakness he found was "important" enough to be fixed, fed the tool a list of 65,000 email addresses and watched what happened next. "As you can see from the output log here, I'm getting a significant amount of results from them," the researcher said as the video showed the tool crunching the address list. "I've spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 [email] accounts." Ars obtained the video on condition that it not be shared. A full audio transcript appears at the end of this post. In a statement, Facebook said: "It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings." A Facebook representative didn't respond to a question asking if the company told the researcher it didn't consider the vulnerability important enough to warrant a fix. The representative said Facebook engineers believe they have mitigated the leak by disabling the technique shown in the video. 
The researcher, whom Ars agreed not to identify, said that Facebook Email Search exploited a front-end vulnerability that he reported to Facebook recently but that "they [Facebook] do not consider to be important enough to be patched." Earlier this year, Facebook had a similar vulnerability that was ultimately fixed. "This is essentially the exact same vulnerability," the researcher says. "And for some reason, despite me demonstrating this to Facebook and making them aware of it, they have told me directly that they will not be taking action against it." Facebook has been under fire not just for providing the means for these massive collections of data, but also for actively promoting the idea that they pose minimal risk to Facebook users. An email that the company inadvertently sent to a reporter at the Dutch publication DataNews instructed public relations people to "frame this as a broad industry issue and normalize the fact that this activity happens regularly." Facebook has also made the distinction between scraping and hacks or breaches. It's not clear if anyone actively exploited this bug to build a massive database, but it certainly wouldn't be surprising. "I believe this to be quite a dangerous vulnerability, and I would like help in getting this stopped," the researcher said. Here's the written transcript of the video: So, what I would like to demonstrate here is an active vulnerability within Facebook, which allows malicious users to query email addresses within Facebook, and have Facebook return any matching users. This works with a front-end vulnerability with Facebook, which I've reported to them, made them aware of, um, that they do not consider to be important enough to be patched—which I would consider to be quite a significant privacy violation and a big problem. This method is currently being used by software which is available right now within the hacking community. 
Currently it's being used to compromise Facebook accounts for the purpose of taking over Pages groups and, uh, Facebook advertising accounts for obviously monetary gain. I've set up this visual example within no JS. What I've done here is I've taken 250 Facebook accounts, newly registered Facebook accounts, which I've purchased online for about $10. I have queried or I'm querying 65,000 email addresses. And as you can see from the output log here, I'm getting a significant amount of results from them. If I have a look at the output file, you can see I have a user ID name and the email address matching the input email addresses, which I have used. Now I have, as I say, I've spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 accounts. I have tested this at a larger scale, and it is possible to use this to extract feasibly up to 5 million email addresses per day. Now there was an existing vulnerability with Facebook earlier this year, which was patched. This is essentially the exact same vulnerability. And for some reason, despite me demonstrating this to Facebook and making them aware of it, they have told me directly that they will not be taking action against it. So I am reaching out to people such as yourselves, in hope that you can use your influence or contacts to get this stopped, because I am very, very confident this is not only a huge privacy breach, but this will result in a new, another large data dump, including emails, which is going to allow undesirable parties, not only to have these email-to-user ID matches, but to append the email address to phone numbers, which have been available in previous breaches. I'm quite happy to demonstrate the front-end vulnerability so you can see how this works. I'm not going to show it in this video, simply because I don't want the video to be, um, I don't want the method to be exploited. But I would be quite happy to demonstrate it if that is necessary. 
But as you can see, it continues to output more and more and more. I believe this to be quite a dangerous vulnerability, and I would like help in getting this stopped. Source: A New Facebook Bug Exposes Millions of Email Addresses
  23. A Razer Synapse zero-day vulnerability has been disclosed on Twitter, allowing you to gain Windows admin privileges simply by plugging in a Razer mouse or keyboard. Razer is a very popular computer peripherals manufacturer known for its gaming mice and keyboards. When a Razer device is plugged into Windows 10 or Windows 11, the operating system will automatically download and begin installing the Razer Synapse software on the computer. Razer Synapse is software that allows users to configure their hardware devices, set up macros, or map buttons. Razer claims that its Razer Synapse software is used by over 100 million users worldwide. Security researcher jonhat discovered a zero-day vulnerability in the plug-and-play Razer Synapse installation that allows users to quickly gain SYSTEM privileges on a Windows device. SYSTEM privileges are the highest user rights available in Windows and allow someone to perform any command on the operating system. Essentially, if a user gains SYSTEM privileges in Windows, they attain complete control over the system and can install whatever they want, including malware. After not receiving a response from Razer, jonhat disclosed the zero-day vulnerability on Twitter yesterday and explained how the bug works with a short video. Getting SYSTEM privileges by plugging in a mouse As BleepingComputer has a Razer mouse available, we decided to test the vulnerability and have confirmed that it took us about two minutes to gain SYSTEM privileges in Windows 10 after plugging in our mouse. It should be noted that this is a local privilege escalation (LPE) vulnerability, which means that you need to have a Razer device and physical access to the computer. With that said, the bug is so easy to exploit that you just need to spend $20 on Amazon for a Razer mouse and plug it into Windows 10 to become an admin. 
To test this bug, we created a temporary 'Test' user on one of our Windows 10 computers with standard, non-administrator privileges, as shown below. Test user with no administrative rights in Windows 10 When we plugged the Razer device into Windows 10, the operating system automatically downloaded and installed the driver and the Razer Synapse software. Since the RazerInstaller.exe executable was launched by a Windows process running with SYSTEM privileges, the Razer installation program also ran with SYSTEM privileges, as shown below. RazerInstaller.exe running with SYSTEM privileges When the Razer Synapse software is installed, the setup wizard allows you to specify the folder where you wish to install it. The ability to select your installation folder is where everything goes wrong. When you change the location of the folder, a 'Choose a Folder' dialog will appear. If you press Shift and right-click inside the dialog, you are offered an 'Open PowerShell window here' option, which opens a PowerShell prompt in the folder shown in the dialog. Razer Synapse installation prompt As this PowerShell prompt is launched by a process with SYSTEM privileges, the PowerShell prompt inherits those same privileges. As you can see below, once we opened the PowerShell prompt and typed the 'whoami' command, it showed that the console has SYSTEM privileges, allowing us to issue any command we want. PowerShell prompt with SYSTEM privileges As explained by Will Dormann, a Vulnerability Analyst at the CERT/CC, similar bugs are likely to be found in other software installed by the Windows plug-and-play process. A video demonstration of the Razer Synapse vulnerability has also been shared by jonhat. Razer to fix the vulnerability After this zero-day vulnerability gained wide attention on Twitter, Razer contacted the security researcher to let them know that it will be issuing a fix. 
Razer also told the researcher that he would be receiving a bug bounty reward even though the vulnerability was publicly disclosed. Source: Razer bug lets you become a Windows 10 admin by plugging in a mouse
  24. Threat actors are actively exploiting Microsoft Exchange servers using the ProxyShell vulnerability to install backdoors for later access. ProxyShell is the name of an attack that uses three chained Microsoft Exchange vulnerabilities to perform unauthenticated remote code execution. The three vulnerabilities, listed below, were discovered by Devcore Principal Security Researcher Orange Tsai, who chained them together to take over a Microsoft Exchange server in April's Pwn2Own 2021 hacking contest. CVE-2021-34473 - Pre-auth Path Confusion leads to ACL Bypass (Patched in April by KB5001779) CVE-2021-34523 - Elevation of Privilege on Exchange PowerShell Backend (Patched in April by KB5001779) CVE-2021-31207 - Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435) Last week, Orange Tsai gave a Black Hat talk about recent Microsoft Exchange vulnerabilities he discovered when targeting the Microsoft Exchange Client Access Service (CAS) attack surface. As part of the talk, Tsai revealed that the ProxyShell exploit uses Microsoft Exchange's Autodiscover feature to perform an SSRF attack. After watching the talk, security researchers PeterJson and Nguyen Jang published more detailed technical information about successfully reproducing the ProxyShell exploit. Soon after, security researcher Kevin Beaumont began seeing threat actors scan for Microsoft Exchange servers vulnerable to ProxyShell. ProxyShell actively exploited to drop webshells Today, Beaumont and NCC Group's vulnerability researcher Rich Warren disclosed that threat actors have exploited their Microsoft Exchange honeypots using the ProxyShell vulnerability. When exploiting Microsoft Exchange, the attackers are using an initial URL like: https://Exchange-server/autodiscover/[email protected]/mapi/nspi/?&Email=autodiscover/autodiscover.json%[email protected] Note: The email address in the URL does not have to exist and changes between attackers. 
The exploit is currently dropping a webshell that is 265KB in size into the 'c:\inetpub\wwwroot\aspnet_client\' folder. Last week, Jang explained to BleepingComputer that 265KB is the minimum file size that can be created using the ProxyShell exploit, because it abuses the Mailbox Export function of Exchange PowerShell to write the file as a PST. From a sample shared by Warren with BleepingComputer, the webshells consist of a simple authentication-protected script that the threat actors can use to upload files to the compromised Microsoft Exchange server. Warren said the threat actors use the first webshell to upload an additional webshell to a remotely accessible folder and two executables to the C:\Windows\System32 folder, listed below: C:\Windows\System32\createhidetask.exe C:\Windows\System32\ApplicationUpdate.exe If the two executables can't be found, another webshell will be created as a randomly named ASPX file in the following folder: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\ The attackers use the second webshell to launch 'createhidetask.exe,' which creates a scheduled task named 'PowerManager' that launches the 'ApplicationUpdate.exe' executable at 1 AM every day. Warren told BleepingComputer that the ApplicationUpdate.exe executable is a custom .NET loader used as a backdoor. "ApplicationUpdate.exe is the .NET loader which fetches another .NET binary from a remote server (which is currently serving a benign payload)," explained Warren. While the current payload is benign, it is expected to be swapped out for a malicious payload once enough servers are compromised. Cybersecurity intelligence firm Bad Packets told BleepingComputer that they currently see threat actors scanning for vulnerable ProxyShell devices from IP addresses in the USA, Iran, and the Netherlands. 
The known addresses are: 3.15.221.32 194.147.142.0/24 Bad Packets also said that the email domains used in the scans have been @abc.com and @1337.com, as shown below. Bad Packets detecting a ProxyShell scan Now that threat actors are actively exploiting vulnerable Microsoft Exchange servers, Beaumont advises admins to run Azure Sentinel queries to check whether their devices have been scanned: W3CIISLog | where csUriStem == "/autodiscover/autodiscover.json" | where csUriQuery has "PowerShell" | where csMethod == "POST" For those who have not updated their Microsoft Exchange server recently, it is strongly recommended to do so immediately. As the previous ProxyLogon attacks led to ransomware, malware, and data theft on exposed servers, we will likely see similar attacks using ProxyShell. Source: Microsoft Exchange servers are getting hacked via ProxyShell exploits
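For admins without Azure Sentinel, the same hunt can be run directly over the IIS W3C logs on the Exchange server. The following is an added example (my own code, not BleepingComputer's, Beaumont's or Bad Packets' tooling) that parses W3C-format IIS log lines, applies the article's Sentinel rule (POST to /autodiscover/autodiscover.json with "PowerShell" in the query string) and adds a looser rule for the Autodiscover SSRF probe shape shown above, then reports the client IPs and the email domains used in the scans. The log lines are constructed to resemble that traffic; the IP addresses come from documentation ranges and are not the scanner addresses the article lists.

```python
"""Triage W3C-format IIS logs for ProxyShell probe and exploitation traffic.

Added example. The log excerpt below is constructed, not captured from a real
server; addresses are from RFC 5737 documentation ranges. Rule 1 mirrors the
Azure Sentinel query in the article; rule 2 matches the Autodiscover SSRF
probe URL shape (autodiscover.json%3F@<domain> / /mapi/nspi in the query).
"""
import re
from collections import Counter

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-12 03:14:07 10.0.0.5 GET /autodiscover/autodiscover.json @abc.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@abc.com 443 - 198.51.100.23 python-requests/2.26.0 200
2021-08-12 03:14:09 10.0.0.5 POST /autodiscover/autodiscover.json @abc.com/powershell/?&Email=autodiscover/autodiscover.json%3F@abc.com 443 - 198.51.100.23 python-requests/2.26.0 200
2021-08-12 03:15:30 10.0.0.5 GET /autodiscover/autodiscover.json @1337.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@1337.com 443 - 203.0.113.77 curl/7.68.0 200
2021-08-12 03:20:00 10.0.0.5 GET /owa/auth/logon.aspx url=https%3A%2F%2Fmail.example.test%2Fowa 443 - 192.0.2.10 Mozilla/5.0 200
2021-08-12 03:21:00 10.0.0.5 POST /autodiscover/autodiscover.json - 443 - 192.0.2.10 Microsoft-Outlook/16.0 401
"""

EMAIL_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the most recent #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date)
            continue
        if fields is None:
            raise ValueError("log line before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):    # malformed line: skip, don't misalign columns
            continue
        yield dict(zip(fields, values))


def classify(entry):
    """Return a rule label for a ProxyShell-shaped request, else None."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "").lower()
    method = entry.get("cs-method", "").upper()
    if stem != "/autodiscover/autodiscover.json":
        return None
    # Rule 1: the article's Sentinel query (PowerShell backend reached via Autodiscover).
    if method == "POST" and "powershell" in query:
        return "proxyshell-powershell"
    # Rule 2: the SSRF probe shape from the initial URL in the article.
    if "autodiscover.json%3f@" in query or "/mapi/nspi" in query:
        return "proxyshell-ssrf-probe"
    return None


def hunt(text):
    """Run both rules over a log and return the matching requests."""
    hits = []
    for entry in parse_w3c(text):
        label = classify(entry)
        if label is None:
            continue
        m = EMAIL_DOMAIN.search(entry["cs-uri-query"])
        hits.append({
            "time": entry["date"] + " " + entry["time"],
            "client": entry["c-ip"],
            "rule": label,
            "email_domain": m.group(1) if m else None,
        })
    return hits


def summarize(hits):
    """Count hits per (client IP, rule) so scanners stand out from one-offs."""
    return Counter((h["client"], h["rule"]) for h in hits)


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['client']:<15} {h['rule']:<24} @{h['email_domain']}")
    for (client, rule), n in summarize(found).most_common():
        print(f"{client} {rule}: {n}")
```

On the constructed excerpt the two Autodiscover probes and the POST to the PowerShell backend are flagged, while the ordinary OWA logon and the Outlook Autodiscover POST with an empty query are not. Two caveats a practitioner should keep in mind: rule 2 is a scan indicator, not proof of compromise, so a hit should be followed by the file-system checks the article describes (the aspnet_client and owa\auth webshell paths, the two System32 executables, the 'PowerManager' scheduled task); and the email domain is whatever the scanner chose, so it is useful for clustering activity, not for attribution.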
  25. PrintNightmare is a vulnerability that allows privilege escalation by letting regular users install malicious printer drivers which grant hackers admin privileges. After a number of patches of varying efficacy, Microsoft has chosen to fix the issue with this month's Patch Tuesday by requiring users to have admin privileges before they can install printer drivers. Microsoft notes: Our investigation into several vulnerabilities collectively referred to as "PrintNightmare" has determined that the default behavior of Point and Print does not provide customers with the level of security required to protect against potential attacks. Today, we are addressing this risk by changing the default Point and Print driver installation and update behavior to require administrator privileges. The installation of this update with default settings will mitigate the publicly documented vulnerabilities in the Windows Print Spooler service. This change will take effect with the installation of the security updates released on August 10, 2021 for all versions of Windows, and is documented as CVE-2021-34481. This means regular users will not be able to install printer drivers without the assistance of an admin, but given how rarely this is needed, it is unlikely to be a major issue. If it is a major inconvenience, this behaviour can be reverted via the registry, but that is of course not recommended, as it reopens the attack path the update closes. Admins can read more about the issue at CVE-2021-34481. via onMSFT Source: Patch Tuesday fixes PrintNightmare by requiring admin privileges to install print drivers