FreeBSD, Steam Decks, Ancient Computers, UEFI Rootkits, & Office Macro Saga Continues – PSW #749

Great research post.

Software supply chain anyone? - "The most interesting outcome of this analysis is that ESXi’s TCP/IP stack is based on FreeBSD 8.2 and does not include security patches for the vulnerabilities disclosed over the years since that release of FreeBSD. This result also prompted us to analyze the nature of vulnerabilities disclosed in other open-source components used by VMware, such as OpenSLP and ISC-DHCP. Once again, we observed that most of the disclosed vulnerabilities had upstream patches before the disclosure." Also, this post is amazing. They go on to identify which FreeBSD version VMware is using, identify the missing patches and so forth.

"Designing an institutional framework that would secure open source requires addressing adverse incentives, ensuring efficient resource allocation, and imposing minimum standards." - I take issue with this. One of the things that make open-source software so amazing is the fact that it's OPEN. The incentives, adverse or otherwise, should only be that software is made available to everyone for free. Who decides who gets more or fewer resources? This should be left to the community. And don't even talk about minimum standards because then the software is not truly open.

Whoa: "The company warned that even when Confluence installations don't actively have the app installed, they may still be vulnerable. Uninstalling the app doesn't automatically remediate the vulnerability because the disabledsystemuser account can still reside on the system."

This is getting crazy, also: "Organisations that relied on sharing documents via cloud services, and who hadn’t taken the appropriate precautions to denote which external servers should be treated as official company sources found their macros blocked by default, and voiced their displeasure loudly enough that Microsoft officially relented around the middle of 2022." - Look, just turn this off. Easy for me to say...

We need to level set on the language: "Security researchers discovered a serious vulnerability in the Zyxel Firewall, allowing for local privilege escalation. However, a remote attacker could also exploit the flaw, adding to the severity of the issue." - privilege escalation and authentication bypass needs more explaining, no more Jedi mind tricks!

Better hope they protect his list very well: "The Act, co-sponsored by senators Rob Portman (R-OH) and Maggie Hassan (D-NH), calls for every executive agency to create an inventory of all the cryptographic systems in use, along with the IT systems that they will prioritize for migration to post-quantum cryptography. They will also define processes for evaluating the process of that migration."

So many vulnerabilities: https://research.nccgroup.com/2022/07/25/technical-advisory-multiple-vulnerabilities-in-nuki-smart-locks-cve-2022-32509-cve-2022-32504-cve-2022-32502-cve-2022-32507-cve-2022-32503-cve-2022-32510-cve-2022-32506-cve-2022-32508-cve-2/

I was hoping for more than a sponsored article for HP Wolf.

This is a plug for this: https://www.iotsecurityfoundation.org/ - Great idea, lots of challenges.

This is great research, and all too common in embedded systems. Turns out multiple projects/vendors re-used vulnerable code from Broadcom in their web servers.

This is just one really awesome thing about this: "This specific point in the execution was chosen because at this stage the boot manager is loaded in memory, but isn’t yet running." - So each time the system boots up, at the point when the bootloader is loaded into memory, the bootloader is modified, then the kernel is modified. SO AWESOME (I mean for the attacker, not for defenders...).

Neat stuff, more info here: https://margin.re/blog/pulling-mikrotik-into-the-limelight.aspx

I really want to try this and see how it works. Curious if anyone else has?

GPSJam Daily maps of GPS interference "You can always tell where Putin is"

Elescope was not developed by local team or opportunistic SIGINT vendor. One DSP wizard, one RE/hacking freak, and a bunch of other folks. All foreign. The true

Atlassian disclosed several vulnerabilities, including a hard-coded password issue affecting the Questions for Confluence app. Atlassian has since reported that the password has been leaked online, which makes patching the app even more urgent. Username: disabledsystemuser Email: [email protected] Password: disabled1system1user6708 Update Questions for Confluence app ver 2.7.x >= 2.7.38 or > 3.0.5 https://twitter.com/therceman/status/1550791890026565638

In addition to fixing almost 40 flaws, Apple has addressed a memory corruption vulnerability (CVE-2022-2294) impacting its WebRTC component, which was disclosed by Google last week as part of its release of software fixes for iOS, iPadOS, tvOS, and WatchOS.

SonicWall has released "urgent patches" to address a critical vulnerability (CVE-2022-22280) impacting Global Management System (GMS) installations before 9.3.1-SP2-Hotfix-2 that could be exploited by remote, unauthenticated attackers to send a specially crafted request to the impacted application and execute arbitrary SQL commands in the applications database.

The "CosmicStrand" Windows firmware rootkit is reportedly being used in attacks targeting the Unified Extensible Firmware Interface (UEFI) in order to remain undetected and maintain persistence on targeted systems.

Microsoft is now taking steps to prevent Remote Desktop Protocol (RDP) brute-force attacks as part of the latest builds for the Windows 11 operating system. default policy for Windows 11 builds – particularly, Insider Preview builds 22528.1000 and newer – will automatically lock accounts for 10 minutes after 10 invalid sign-in attempts.

The Filewave mobile device management suite had a pair of vulnerabilities which security researchers have shown could let attackers push malware out as a phone update or obtain access to enterprise networks.

Entrust has revealed it suffered a June 18, 2022, "cyberattack" during which hackers managed to breach its network and steal data, which could affect an array of critical and sensitive organizations using Entrust solutions for authentication and identity management.