VSCode Vulnerabilities – Thomas Chauchefoin, Paul Gerste – PSW #804
Segments
1. Shenanigans and more – PSW #804
We officially welcome Bill Swearingen to our expert panel of PSW hosts, and discuss the news including hacking shenanigans, QNAP, recovering crypto currency, Android malware, and more!
Announcements
Security Weekly Listeners: We are celebrating the milestone of reaching over 1,000 members of our CISO community. The Cybersecurity Collaboration Forum is a one-stop shop for executive collaboration comprised of CISOs across various industries. If you want to be part of this growing community of CISOs, join us as a member or technology partner. To learn more, visit: securityweekly.com/cybersecuritycollaboration
Hosts
- 1. QNAP takes down server behind widespread brute-force attacks
"QNAP urges its customers to secure their devices by changing the default access port number, deactivating port forwarding on their routers and UPnP on the NAS, using robust passwords for their accounts, implementing password policies, and deactivating the admin account targeted in attacks." - I mean or you could just ship a more secure product!
- 2. Android will now scan sideloaded apps for malware at install time
"Google hasn't published detailed stats about the dangers of sideloading in a while, but in 2018, it used to publish yearly security reports with statistics on malware installation sources. Back then, Google found that 0.04 percent of all downloads from the Google Play Store were "PHAs" (potentially harmful apps), while sources "Outside of Google Play" had a 0.92 percent PHA install rate. That means you're 20 times more likely to install malware outside of the Play Store, and considering that is basically a comparison between having some malware controls on Google Play and none at all on the free-wheeling Internet, it's not a huge surprise." - Now Google needs to do this for all Android devices, like Android TV devices that come with malware pre-installed. Except, deals may have been made that device manufacturers are allowing this to happen and sharing the profits (At least that is my theory).
- 3. Ghost In The Wire, Sonic In The Wall – Adventures With SonicWall
This write-up is totally awesome. A good read for sure, funny too. And this: "The real moral of the story is a lesson for attackers and fellow researchers - attack ‘hard’ targets, with significant barriers to entry, and often you’ll be surprised by just how ‘soft’ they are."
- 4. People who say “PHP is insecure” are uninformed
I actually now agree with the author. Now you have to go read the article :)
- 5. Exploiting Zenbleed from Chrome
- 6. Signal Pours Cold Water on Zero-Day Exploit Rumors
- 7. Critical RCE flaws found in SolarWinds access audit solution
- 8. Release v2.7.1.1 · six2dez/reconftw
- 9. Shielder – CVE-2023-33466 – Exploiting Healthcare Servers with Polyglot Files
- 10. A Deep Dive into TPM-based BitLocker Drive Encryption
- 11. They Cracked the Code to a Locked USB Drive Worth $235 Million in Bitcoin. Then It Got Weird
Of course, it's weird, it's crypto currency, and it's ALWAYS weird. This is a weird story.
- 1. Israel’s using widespread GPS tampering to deter Hezbollah’s missiles
- 2. IoT Bug Hunting – Part 2 – Walkthrough of discovering command injections in firmware binaries
- 3. CVE-2023-3959, CVE-2023-4249 – Multiple critical vulnerabilities in Zavio IP cameras
- 4. IoT and OT malware saw a huge rise in 2023
- 5. Threat actor is selling access to Facebook and Instagram’s Police Portal
- 6. Experts Warn of Severe Flaws Affecting Milesight Routers and Titan SFTP Servers
- 7. Critical SolarWinds RCE Bugs Enable Unauthorized Network Takeover
- 8. E-Root admin faces 20 years for selling stolen RDP, SSH accounts
- 9. They Cracked the Code to a Locked USB Drive Worth $235 Million in Bitcoin. Then It Got Weird
- 1. Mozilla Releases Security Advisories for Multiple Products
Mozilla has released security updates to address vulnerabilities in Firefox ESR 115.4 and Firefox 119. A cyber threat actor could exploit these vulnerabilities to take control of an affected system.
CISA encourages users and administrators to review Mozilla security advisories Firefox ESR 115.4 and Firefox 119 for more information and apply the necessary updates.
- 2. International Criminal Court systems breached for cyber espionage
The International Criminal Court provided additional information about the cyberattack five weeks ago, saying that it was a targeted operation for espionage. Forensic analysis “thus far indicates a targeted and sophisticated attack with the objective of espionage.” There is not adequate information currently available to attribute the attack to a specific threat actor.
The ICC offered to handle the international ransomware court cases recently.
- 3. DC Board of Elections Says Full Voter Roll Compromised in Data Breach
The Washington, DC Board of Elections (DCBOE) says that cyber criminals accessed the district’s voter rolls via a third-party services provider. The breach occurred on the network of DataNet Systems. The compromised data include personal information, such as driver’s license numbers, dates of birth, partial Social Security numbers and contact information.
- 4. American Family Insurance confirms cyberattack is behind IT outages
To file a claim, customers must call the AmFam help desk. Bill due dates are being extended until systems are back online. If you're delaying that payment, don't forget to watch for the window to re-open. While this appears to be a ransomware attack, it's not yet clear if extortion over exfiltrated data is also in play. This, so far, is looking like a good case study to model your ransomware response on.
- 5. Dangerous new malware can crack encrypted USB drives
Cybersecurity researchers from Kaspersky have uncovered a sophisticated new piece of malware called TetrisPhantom seen compromising secure USB drives to steal data. It also targets air-gapped systems which rely on encrypted USB devices to pass data between them.
- 6. Critical SolarWinds RCE Bugs Enable Unauthorized Network Takeover
Eight newly discovered vulnerabilities affect the SolarWinds Access Rights Manager Tool (ARM). CVE-2023-35180, CVE-2023-35184 and CVE-2023-35186 can be abused for remote code execution, while CVE-2023-35181 and CVE-2023-35813 allow local users to perform privilege escalation. The final (most severe) three, CVE-2023-35182, CVE-2023-35185 and CVE-2023-35187, allow RCE due to improper validation for the methods createGlobalServerChannelInternal, OpenFile, and OpenClientUpdateFile, respectively, allowing SYSTEM-level code execution. The vulnerabilities are fixed in ARM version 2023.2.1.
As this is SolarWinds, assume adversaries are seeing blood in the water....
- 7. Cisco patches critical IOS XE bug as infections mysteriously disappear
This issue has been exploited by multiple groups. Be careful and, as you apply patches, assume the device is already compromised, possibly multiple times.
Never expose management interfaces to the Internet/untrusted networks. Perhaps disable this web-UI altogether.
- 8. NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967
The two flaws here make an attractive target: CVE-2023-4966, a buffer overflow flaw that can result in sensitive information disclosure, with a CVSS score of 9.4, and CVE-2023-4967, a denial-of-service flaw with a CVSS score of 8.2. Essentially, in under two weeks the announced vulnerability is being actively exploited. While the exploit only works on NetScaler ADC and NetScaler Gateways set up as gateways or AAA virtual servers, you need to apply the update, as they still contain the vulnerable code even if not in the vulnerable configuration; assume threat actors are working to exploit the flaws in the non-gateway/AAA configured devices. This flaw is in CISA's KEV catalog with a due date of November 8th and guidance to apply the mitigation (update) or discontinue use of the product.
- 9. Okta’s Support System Breach Exposes Customer Data to Unidentified Threat Actors
Okta disclosed that stolen credentials were used to access the company’s support case management system. The intruder was able to view customer HTTP Archive (HAR) files that were uploaded as part of support cases. HAR files sometimes include cookies and session tokens, which bad actors can exploit to impersonate users.
When you're gathering data for a support ticket, be aware of sensitive data included in that data. Consider redacting, or better still not gathering in the first place, as redacting log files is painful.
- 10. Cisco discloses new IOS XE zero-day exploited to deploy malware implant
Cisco disclosed a new high-severity zero-day (CVE-2023-20273) today. This new vulnerability gains root access on a device running IOS XE, allowing an attacker to deploy implants. However, the device first has to be compromised using the authentication bypass zero-day flaw CVE-2023-20198.
- 11. North Korea experiments with AI in cyber warfare: US official
Deputy National Security Advisor Anne Neuberger revealed on Wednesday that North Korea is escalating its cyber capabilities by harnessing the power of artificial intelligence (AI), posing a significant risk for enterprises worldwide.
2. VSCode Vulnerabilities – Thomas Chauchefoin, Paul Gerste – PSW #804
Sonar Vulnerability Researchers Thomas Chauchefoin and Paul Gerste conducted research on the security of Visual Studio Code — the most popular code editor out there — which was presented at DEF CON 31 in August. The pair uncovered a few ways for attackers to gain code execution on a victim's computer if they clicked on a specially crafted link or opened a malicious folder in Visual Studio Code, bypassing existing mitigations like Workspace Trust. Developers tend to trust their IDEs and do not expect such security issues to exist. As developers have access to source code and production systems, they make for very interesting targets for threat actors. Important to note is that the security concepts that the two are able to demonstrate apply not just to Visual Studio Code, but to most other code editors. This is also the story of how the researchers got an unexpected $30,000 bounty from Microsoft for these bugs, by mistake!
Segment Resources:
Blog posts:
- Securing Developer Tools: Argument Injection in Visual Studio Code (https://www.sonarsource.com/blog/securing-developer-tools-argument-injection-in-vscode/)
- Securing Developer Tools: Git Integrations (https://www.sonarsource.com/blog/securing-developer-tools-git-integrations/)
CVEs:
- CVE-2023-36742 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36742)
- CVE-2022-30129 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-30129)
- CVE-2021-43891 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-43891)
Guests
Thomas Chauchefoin is a Staff Vulnerability Researcher in the Sonar R&D team. With a strong background in offensive security, he helps uncover and responsibly disclose 0-days in major open-source software. He also participated in competitions like Pwn2Own or Hack-a-Sat and was nominated for three Pwnies Awards for his research on PHP supply chain security.
Paul Gerste is a Staff Vulnerability Researcher in the Sonar R&D team. In the last months, he has been hunting bugs in popular JavaScript and TypeScript applications, yielding critical vulnerabilities in projects such as Proton Mail, Rocket.Chat, and Blitz.js. Paul has also been a CTF player and organizer for some years and loves to hack all web-related things.