PassTheHash from Outlook, RCE in Modem Chipset, OpenSSH Sandboxes, Curl’s Anniversary – ASW #233
Outlook can leak NTLM hashes, potential RCE in a chipset for Wi-Fi calling in phones (and autos!?), the design of OpenSSH's sandboxes, more on the direction of OWASP, celebrating 25 years of Curl.
Announcements
Security Weekly listeners save $100 on their RSA Conference 2023 Full Conference Pass! RSA Conference will take place April 24-27 in San Francisco and on demand. To register using our discount code, please visit https://securityweekly.com/rsac2023 and use the code 53UCYBER! We hope to see you there!
Hosts
- 1. Microsoft Outlook Vulnerability Could Be 2023’s ‘It’ Bug
An attacker payload can lead a victim's Outlook to automatically make an outbound NTLM connection. It doesn't require any interaction on the part of the victim; just having the message appear in a preview pane is enough. The attack basically sets up a way to steal NTLM hashes for a classic pass-the-hash followup.
The risk is constrained to "those running an Exchange server and the Outlook for Windows desktop client." We've mentioned several times before the headaches of running your own email server. Add this to that ever-growing list.
Read more details from Microsoft in their post on CVE-2023-23397. The mitigating factors they mention are good advice in general, not just for this bug.
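One of the mitigations in Microsoft's advisory (stated there, not in these notes) is to block outbound TCP 445/SMB at the perimeter, since the forced authentication has to leave the network to reach the attacker. The script below is an added example, not from the show or from Microsoft: it scans firewall log lines for TCP/445 flows from internal hosts to external addresses, which is the kind of check a defender would run to spot either a coercion attempt that got through or one the firewall blocked. The log format and the sample lines are constructed for the example, and the internal address ranges are an assumption to adjust per environment.

```python
"""Flag outbound SMB (TCP 445) connections to addresses outside the
internal ranges, using constructed firewall log lines.

Assumptions (not from the show notes): the log line format below is
invented for this example, and the internal address space is the
RFC 1918 blocks plus loopback; adjust both for a real environment.
"""
import ipaddress
import re
from typing import Iterable

# Constructed sample log lines: timestamp, action, proto, src:port -> dst:port
SAMPLE_LOG = """\
2023-03-16T10:01:02Z allow tcp 10.0.0.12:51234 -> 10.0.0.5:445
2023-03-16T10:01:07Z allow tcp 10.0.0.12:51240 -> 203.0.113.5:445
2023-03-16T10:01:09Z allow tcp 10.0.0.33:51301 -> 203.0.113.5:443
2023-03-16T10:02:15Z deny tcp 10.0.0.12:51250 -> 198.51.100.7:445
2023-03-16T10:02:40Z allow udp 10.0.0.8:5353 -> 224.0.0.251:5353
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>allow|deny)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Address space treated as "inside"; everything else counts as external (assumption).
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

SMB_PORT = 445


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_outbound_smb(lines: Iterable[str]) -> list[dict]:
    """Return records for TCP/445 flows from an internal host to an external
    address. Denied flows are kept too: a blocked attempt is still a signal
    that something on the host tried to authenticate outward."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        rec = m.groupdict()
        if rec["proto"] != "tcp" or int(rec["dport"]) != SMB_PORT:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_outbound_smb(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['action']}: {hit['src']} -> {hit['dst']}:445")
```

Internal ranges are an explicit allowlist rather than Python's `is_private`, because that helper also treats documentation and test ranges as private, and a real deployment should state exactly which networks it considers inside.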
- 2. Multiple Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems
Another remote attack with a potential for RCE, only this time all the attacker needs to know is the victim's phone number. No patch yet, which means the current guidance is to "turn off Wi-Fi calling and Voice-over-LTE (VoLTE)."
This highlights another challenge of supply chain security. Multiple phone manufacturers used the impacted chipset. The chipset manufacturer fixed the flaw, but now the phone manufacturers need to make the fix available to their users. The article indicates Google addressed this for their Pixel 6 and 7 versions, while other phone manufacturers -- and autos with the chip (!?) -- have yet to release fixes.
- 3. At yesterday’s OWASP board of Directors meeting, I resigned my board position.
Mark Curphey steps down from the OWASP board. Over the summer he posted a manifesto about changes he'd like to see in OWASP as part of his platform for running for the board. While he sees a shared understanding among members that some change is needed, he sees a mismatch in priority and urgency.
The part that resonates the most with me is in his opening paragraph where he notes "an increasing number of projects, approaches and decisions that mainly benefit security consultants and vendors."
We need fewer top 10 lists and more resources designed for developers -- resources that are relevant and actionable. We've had twenty years of awareness of XSS, SQL injection, and broken authentication. We have modern, useful solutions to those problems that have come out of engineering needs. Learning more about how solutions like React and WebAuthn address security challenges and how developers can better consume them sounds like a better focus than once again counting to ten.
- 4. Examining OpenSSH Sandboxing and Privilege Separation – Attack Surface Analysis
A good way to improve application security is to read about the decisions and approaches that others took to secure their own apps. Sometimes you gain insights about a tech stack or programming language that you use. Sometimes you gain insights about isolation techniques and access controls that you can adopt. Sometimes you learn about threat models you weren't familiar with.
These articles are also helpful when you start thinking about how to address vuln classes rather than individual vulns. Just chasing vulns -- a BugOps approach -- doesn't improve architectures. Sandboxing and isolation do.
Looking at this kind of design also informs a discussion around memory safety. Is the state of C-based OpenSSH such that it must be rewritten in Rust? Or is it sufficiently well defended already? What about shifting away from ssh-based remote access entirely?
- 5. TOOL: libcurl – the multiprotocol file transfer library
The first official version of Curl appeared on March 20, 1998. Two weeks later it fixed three bugs. Twenty-five years later it's fixed several thousand bugs. But that's just the nature of software development.
Most importantly, libcurl and its command-line counterpart are premier tools present on every operating system and in countless apps. It's proven to be one of the most successful open source tools.
A lot of that success lies with its maintainer, Daniel Stenberg, who shepherds the C code through thoughtful design and has built a positive community around the project. Almost 3,000 people have contributed code or feedback to the project. All of these are strong indicators of success.
Read more about its releases and its history to find out about its origins in Brazil and why the first release was 4.0.
- 1. All sorts of new curl vulns!
For the next curl release, a collection of vulns has been disclosed, including connection re-use, double-free, telnet option injection, and an sftp path resolution discrepancy.
More URLs: https://curl.se/docs/CVE-2023-27537.html, https://curl.se/docs/CVE-2023-27538.html, https://curl.se/docs/CVE-2023-27533.html, https://curl.se/docs/CVE-2023-27535.html
- 2. Acropalypse!
An issue was found with the Android image editing tool that wasn't fully redacting information from screenshots.
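Per the public write-ups of the bug (not stated in these notes), the edited screenshot was written over the original file without truncating it, so the tail of the original image survived past the new image's IEND chunk. The script below is an added example, not from the show or from the Android tool: it walks a PNG's chunk list, reports how many bytes sit after IEND, and truncates the file to its proper end, which is the check a redaction pipeline should run before a "cropped" image leaves the device. The sample images are constructed in code.

```python
"""Check a PNG for data left past its IEND chunk and trim it.

Added example. A file that was edited in place without being truncated keeps
the tail of the original image after IEND; a correct write leaves nothing.
The sample images below are constructed here, not taken from the page.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png(width: int, height: int, pixels: bytes) -> bytes:
    """Build a minimal valid 8-bit RGB PNG from raw RGB bytes (constructed input)."""
    assert len(pixels) == width * height * 3, "pixel buffer size mismatch"
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    stride = width * 3
    # Each scanline is prefixed with filter type 0 (None).
    raw = b"".join(b"\x00" + pixels[r * stride:(r + 1) * stride] for r in range(height))
    idat = zlib.compress(raw)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def end_of_png(data: bytes) -> int:
    """Return the offset just past the IEND chunk, or raise if the stream is malformed."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # chunk header + payload + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def trailing_bytes(data: bytes) -> int:
    """Number of bytes after IEND; anything above zero is leftover data."""
    return len(data) - end_of_png(data)


def truncate_to_png(data: bytes) -> bytes:
    """Drop everything after IEND, which is what a correct in-place rewrite should leave."""
    return data[: end_of_png(data)]


def _pattern(n: int) -> bytes:
    """Deterministic, poorly compressible pixel data for the constructed images."""
    return bytes((i * 97 + 13) % 256 for i in range(n))


if __name__ == "__main__":
    original = make_png(16, 16, _pattern(16 * 16 * 3))
    cropped = make_png(2, 2, _pattern(2 * 2 * 3))
    # Simulate an editor that reopened the original for writing without
    # truncating it: the shorter cropped image overwrites the front and
    # the old tail survives on disk.
    on_disk = cropped + original[len(cropped):]
    print("bytes after IEND:", trailing_bytes(on_disk))
    print("after truncation:", trailing_bytes(truncate_to_png(on_disk)))
```

Any decoder stops at IEND, so the image displays as the cropped version while the leftover bytes remain recoverable; the trailing-byte count is the simplest regression check for a tool that rewrites images in place.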
- 3. SYCL to create safety-critical C++ based heterogeneous compute
Khronos - a member-driven group working on standards for graphics, the metaverse, ML, etc. (things like OpenGL) - is starting to work on SYCL SC, a C++-based framework for HPC with a focus on safety for critical systems.