Ncurses & Bad Things, LVFS is NOT a Backdoor, Physical Proximity, & Oh, Fortinet! – PSW #799
In the Security News: LVFS is not a backdoor, attackers are in physical proximity, when you need to re-cast risk, oh Fortinet, pre-installed backdoors again, deep down the rabbit hole, the buffer overflow is in your BIOS!, what is 345gs5662d34?, a cone is all you need, we are compliant because we said so but we lied, 10 years of updates, Microsoft looks at ncurses and finds bad things, they also lost 38TB of data (Microsoft that is), when MFA isn’t really MFA, China and Russia are cyber attacking things, and MGM and Caesars are in hot water. All that and more on this episode of Paul’s Security Weekly!
Announcements
As a member of the Security Weekly community, we are pleased to offer you 50% off your AI DC 2023 tickets using code CRA50OFF! Join us on October 4, 2023, in Pentagon City. ICIT, the Nation’s #1 cyber security think tank, brings together America’s leading minds to discuss AI’s impact on the country.
Register today at securityweekly.com/AIDC2023.
Hosts
- 1. From MQTT Fundamentals to CVE – Compass Security Blog
- 2. The Linux Vendor Firmware Service is a Malicious Remote Backdoor, and You Should Turn it Off Now.
This is simply not true, and the author does not understand how these things work. For example, he refers to the DBX updates as firmware (in fact, DBX updates are just data that is stored in a UEFI variable and also cryptographically verified by a chain of trust).
- 3. Wind River VxWorks tarExtract directory traversal vulnerability (CVE-2
- 4. CISA Says Owl Labs Vulnerabilities Requiring Close Physical Range Exploited in Attacks
This is amazing! We've been talking about Wifi and Bluetooth vulnerabilities for ages. Many do not give fixing these vulnerabilities a high priority because an attacker has to be within physical proximity. China and Russia are really far away, so I don't need to go updating firmware on all my devices that have Wifi and Bluetooth, right? Wrong. CISA has added a number of vulnerabilities to the KEV that are only exploited if an attacker is in close proximity. We don't have details on these attacks, but I am very curious. In the past I've also threat modeled the scenario of this: Maybe the attacker is not in physical proximity but has remotely accessed a device that has Wifi and/or Bluetooth capabilities that IS in range, and now can hack you from across the world.
- 5. Fileless Remote Code Execution on Juniper Firewalls – Blog – VulnCheck
This is a case where you need to re-cast the risk score: "In this blog, we demonstrated how CVE-2023-36845, a vulnerability flagged as “Medium” severity by Juniper, can be used to remotely execute arbitrary code without authentication. We’ve turned a multi-step (but very good) exploit into an exploit that can be written using a single curl command and appears to affect more (older) systems." - This is also really bad: "When an attacker uses this form of attack, httpd.log (and all other logs as far as we can tell) are essentially useless. Determining if you’ve been compromised by a careful attacker will be quite difficult."
- 6. Fortinet Patches High-Severity Vulnerabilities in FortiOS, FortiProxy, FortiWeb Products
Look, everyone has vulnerabilities in their software. Fortinet has a lot, and seems to be a favorite of attackers lately. This is a bad combination. Fortinet is handling it fairly well, though I believe they did try to make it more difficult for people to acquire their firmware. I still believe they should have a bug bounty program for their firmware. Attackers will go after this gear because it is connected and poorly monitored and secured. We can't change the fact that it's Internet-exposed in most cases...
- 7. Millions of cheap Android TV boxes come pre-infected with botnet malware
How many times are we going to cover this story? "According to Russian IT-security solutions vendor Dr. WEB, the malware on the device can be acquired in one of two ways — it’s either put there via a firmware update from the manufacturers or can be a side-effect of downloading third-party streaming apps that promise free content." - This is the second time, but I feel it needs more attention and validation. I don't trust the Russian IT solutions vendor Dr. Web, as this story is the only time I've heard of them.
- 8. How Google Authenticator made one company’s network breach much, much worse
- 9. Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement
- 10. Microsoft leaks 38TB of private data via unsecured Azure storage
- 11. Ubuntu 23.04 & 22.04.3 Installs Haven’t Been Following Their Own Security Best Practices – Phoronix
This is like a really nerdy esoteric thing that I intend to torture you all with by talking about on the show: "Ubuntu's recommended configuration has always been to obtain the security updates from security.ubuntu.com rather than going through any mirrors that could potentially fall stale or otherwise not be updated as quickly as the main Ubuntu security archive for quickly obtaining new security package updates as they are published. It took until earlier this month to realize the security pocket source is not security.ubuntu.com but that for Ubuntu Desktop 23.04 and other Ubuntu installs with Subiquity since April it's been going through mirrors instead. This bug was marked as of "critical" importance."
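The Phoronix item above is about the security pocket silently being served through a mirror instead of security.ubuntu.com. The check below is an added example (not from the article or from Ubuntu) that parses both the classic one-line sources.list format and the deb822 ubuntu.sources format used by Subiquity installs, and flags any `-security` suite whose URI host is not an allowed security host. The sample source files are constructed, and the allowed-host set is an assumption you should adjust (for example for ports.ubuntu.com on non-x86 architectures).

```python
import re
from urllib.parse import urlsplit

# Assumption: on x86 the security pocket should be fetched directly from
# security.ubuntu.com. Add ports.ubuntu.com here for ARM/RISC-V installs.
SECURITY_HOSTS = {"security.ubuntu.com"}

def parse_one_line(text):
    """Parse classic sources.list lines: 'deb [opts] URI SUITE COMPONENTS...'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] not in ("deb", "deb-src"):
            continue
        tokens = tokens[1:]
        if tokens and tokens[0].startswith("["):     # skip [arch=.. signed-by=..]
            while tokens and not tokens[0].endswith("]"):
                tokens.pop(0)
            tokens.pop(0)
        if len(tokens) >= 2:
            entries.append((tokens[0], tokens[1]))   # (uri, suite)
    return entries

def parse_deb822(text):
    """Parse deb822-style sources (ubuntu.sources): one stanza per blank line."""
    entries = []
    for stanza in re.split(r"\n\s*\n", text):
        fields = {}
        for raw in stanza.splitlines():
            if ":" in raw and not raw.startswith("#"):
                key, value = raw.split(":", 1)
                fields[key.strip().lower()] = value.strip()
        # Every URI applies to every suite listed in the same stanza
        for uri in fields.get("uris", "").split():
            for suite in fields.get("suites", "").split():
                entries.append((uri, suite))
    return entries

def misrouted_security_entries(entries):
    """Return (uri, suite) pairs where a -security suite is not served by an allowed host."""
    return [(uri, suite) for uri, suite in entries
            if suite.endswith("-security")
            and urlsplit(uri).hostname not in SECURITY_HOSTS]

# Constructed sample: the buggy shape, security pocket going through a mirror
SOURCES_LIST = """
deb http://us.archive.ubuntu.com/ubuntu/ jammy main restricted
deb http://us.archive.ubuntu.com/ubuntu/ jammy-updates main restricted
deb http://us.archive.ubuntu.com/ubuntu/ jammy-security main restricted
"""

# Constructed sample: the recommended shape, security pocket in its own stanza
UBUNTU_SOURCES = """\
Types: deb
URIs: http://mirror.example.net/ubuntu/
Suites: lunar lunar-updates
Components: main restricted universe

Types: deb
URIs: http://security.ubuntu.com/ubuntu/
Suites: lunar-security
Components: main restricted universe
"""

if __name__ == "__main__":
    print(misrouted_security_entries(parse_one_line(SOURCES_LIST)))
    print(misrouted_security_entries(parse_deb822(UBUNTU_SOURCES)))
```

On a real system, feed it the contents of /etc/apt/sources.list and /etc/apt/sources.list.d/ubuntu.sources.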
- 12. HPE Aruba Networking Product Security Advisory
I worked hard to dig this one up: "Multiple Buffer Overflow Vulnerabilities in BIOS Implementation of 9200 and 9000 Series Controllers and Gateways (CVE-2023-38484, CVE-2023-38485) Vulnerabilities exist in the BIOS implementation of Aruba 9200 and 9000 Series Controllers and Gateways that could allow an attacker to execute arbitrary code early in the boot sequence. An attacker could exploit this vulnerability to gain access to and change underlying sensitive information in the affected controller leading to complete system compromise."
- 13. CVE-2023-38146: Arbitrary Code Execution via Windows Themes
- 14. Common usernames submitted to honeypots (via @[email protected])
I really think he nailed it, now we just need evidence: "could 345gs5662d34 be something like a 'radioactive dye' to see how a botmaster's network is being seen from open security honeypots?" - I love a good cyber detective story!
- 15. Coning Cars For Fun And Non-Profit
Want to stop a self-driving car? Here's the hack to try: "By placing a traffic cone on the vehicle’s hood in the way of the sensors and cameras used to navigate the streets, the vehicles are rendered inoperable." - I really want self-driving cars to remove anything that shouldn't be on the vehicle with a flame thrower or laser beams. Problem solved, right? Safety aside, it would be fun, like robot wars, but all over the roads and in real life. All kidding aside, this is a huge problem for automated vehicle companies.
- 16. When URL parsers disagree (CVE-2023-38633) – Canva Engineering Blog
- 17. openrisk
This is really interesting: "openrisk is an experimental tool which reads nuclei output (text, markdown, and JSON) and generates a risk score for the host using OpenAI's GPT-3 model. It is intended, for now, to work against a single target at a time." - Why not just use AI to generate a risk score? In fact, entire companies are built around this notion; can we just use free or inexpensive LLMs to do the same thing? Not sure this is going to work, but I like the idea, until I think about how attackers could impact the results so you are not patching the things that you should because Bob's AI said not to...
- 18. Kubernetes Vulnerability Leads to Remote Code Execution
- 19. Feds hit Penn State University with false claims lawsuit over cyber compliance
This was one offense: "Decker claims that after he finished his interim role, he discovered missing records for certain university projects in the registration Supplier Performance Risk System, a database used to monitor contractor performance around acquisitions and procurement. According to Decker, the university, under order from his successor, “simply uploaded template documents to “solve” the missing records problem." - Just clicking the "we are compliant" box means trouble. And this: "In another instance in 2020, the university allegedly moved its cloud services from Box, a solution certified by FedRAMP, the federal government’s program for approving secure cloud applications in government, to a commercial version of Microsoft365 OneDrive, which was not certified." - Uhm, yea, you can't do that. I believe this will become more of a trend: If you want to do business with the US Federal Government you better meet all of the security standards. Expect to see more on this front and I hope this has a positive impact on security for many organizations.
- 20. Chromebooks will now receive 10 years of automatic security updates
This has some interesting security implications: " Security is our number one priority. Chromebooks get automatic updates every four weeks that make your laptop more secure and help it last longer. And starting next year, we’re extending those automatic updates so your Chromebook gets enhanced security, stability and features for 10 years after the platform was released. A platform is a series of components that are designed to work together — something a manufacturer selects for any given Chromebook. To ensure compatibility with our updates, we work with all the component manufacturers within a platform (for things like the processor and Wi-Fi) to develop and test the software on every single Chromebook." - Now, before you go blaming Microsoft and Intel, they have a MUCH greater ecosystem to secure and update. Chromebooks also came out in 2012, so much more gear to support, or not support. Why doesn't Apple do this? Shareholders is my guess!
- 21. More Linux Malware Means More Linux Monitoring
Great quotes from Joao Correia of TuxCare in this article: "You need to change the way that you patch. If you struggle to patch your systems because of the disruption it causes, then you need to look at different ways to do that. That is the absolute bare minimum basic thing that you could do to improve security." So, like, just patch them: "Because at the end of the day, when malicious actors are creating malware, ransomware, and viruses, they look for an easy way to enter a system. So, if you patch all the other ones but leave one open, that is where they will come through." - Not one mention of operational risk though... Oh, but then there is this: "In the eyes of cybercriminals, Linux is now a more appealing target due to the computing platform’s potentially high return on their “investment.” Prevailing security countermeasures predominantly cater to Windows-based threats, often leaving Linux, particularly in private cloud deployments, perilously vulnerable to a barrage of ransomware assaults."
- 22. Uncursing the ncurses: Memory corruption vulnerabilities found in library
More than I ever wanted to know about ncurses and I still need to go back and do more research. Ncurses is, of course, used in many different platforms (Linux, BSD, macOS, etc...), so make sure you are applying updates to all sorts of things. I believe these are limited to local attacks. However, since so many Linux-based appliances and IoT devices could be using this vulnerable library, this could stick around for a while. Some brief information: "Microsoft has discovered a set of memory corruption vulnerabilities in a library called ncurses, which provides APIs that support text-based user interfaces (TUI). Released in 1993, the ncurses library is commonly used by various programs on Portable Operating System Interface (POSIX) operating systems, including Linux, macOS, and FreeBSD. Using environment variable poisoning, attackers could chain these vulnerabilities to elevate privileges and run code in the targeted program’s context or perform other malicious actions." - Microsoft also worked with the ncurses maintainer (Thomas E. Dickey for those that did not know), Apple, and a Twitter user who wrote a fuzzer that uncovered more information (Gergely Kalman). Overall great effort from Microsoft! Curious, why were they looking at the ncurses code in the first place?
- 1. Today The UK Parliament Undermined The Privacy, Security, And Freedom Of All Internet Users
The U.K. Parliament has passed the Online Safety Bill (OSB), which says it will make the U.K. “the safest place” in the world to be online. In reality, the OSB will lead to a much more censored, locked-down internet for British users. The bill could empower the government to undermine not just the privacy and security of U.K. residents, but internet users worldwide.
- 2. Vast majority of bot attacks emanate from China and Russia
A study released Tuesday by Netacea found that 72% of organizations surveyed suffered bot attacks that originated in China, and 66% from Russia.
The study also found that the average business loses 4.3% of online revenues every year to bots, or $85.6 million, a number that has more than doubled in the past two years.
Netacea commissioned independent researchers Coleman Parkes for the third straight year to survey 440 businesses with average online revenue of $1.9 billion across the travel, entertainment, ecommerce, financial services, and telecom sectors in the United States and UK.
The survey also found that it takes four months on average to detect bot attacks, with 97% admitting it takes over a month to respond. And 40% of businesses report attacks on their APIs, while attacks on mobile apps have overtaken website attacks for the first time.
- 3. Signal Messenger Introduces PQXDH Quantum-Resistant Encryption
Encrypted messaging app Signal has announced an update to the Signal Protocol to add support for quantum resistance by upgrading the Extended Triple Diffie-Hellman (X3DH) specification to Post-Quantum Extended Diffie-Hellman (PQXDH).
"With this upgrade, we are adding a layer of protection against the threat of a quantum computer being built in the future that is powerful enough to break current encryption standards," Signal's Ehren Kret said.
The development comes weeks after Google added support for quantum-resistant encryption algorithms in its Chrome web browser and announced a quantum-resilient FIDO2 security key implementation as part of its OpenSK security keys initiative last month.
- 4. #mWISE: US to Implement Game-Changing Cyber Mandates on Medical Devices
Cybersecurity in healthcare products will no longer be an afterthought in the US.
From October 1, 2023, every new medical device with known vulnerabilities or that lacks a secure design will be rejected by the US Food and Drug Administration (FDA) and not allowed to be sold on the US market.
Healthcare manufacturers seeking approval for new medical devices will have to comply with a list of new requirements.
First Consumer SBOM Mandate Worldwide
First, applicants will also need to outline a process to provide “reasonable assurance” that the device in question is protected with regular security updates and patches, including for critical situations.
Then, they will be expected to provide the FDA with a software bill of materials (SBOM), which should include commercial, open-source and off-the-shelf software components.
- 5. MGM, Caesars Face Regulatory, Legal Maze After Cyber Incidents
In the wake of the new Securities and Exchange Commission (SEC) regulatory requirements to disclose "material" cyber incidents within four days of discovery, the dual cyber breaches of MGM Resorts and Caesars Entertainment have demonstrated how differently those rules can be interpreted.
Both breaches resulted from abuse of an Okta Agent, and both were reportedly carried out by the same ransomware threat actor. Both occurred within days of one another. But how each organization handled the new SEC disclosure rules was distinct.
Caesars filed its disclosure, SEC form 8-K, on Sept. 14. It was filled with details about the nature and scope of the cyberattack, including the use of a social engineering attack on an outsourced IT support vendor. However, the disclosure added that the incident was discovered on Sept. 7, outside the SEC established four-day deadline to report.
MGM Resorts was more prompt in its disclosure, filing within the four-day window on Sept. 12 but didn't include any details about the compromise beyond what it had already laid out in an initial press release.
- 1. 38TB of data accidentally exposed by Microsoft AI researchers
The Wiz Research Team discovered that Microsoft AI researchers inadvertently exposed 38 terabytes of private data while publishing open source training data in GitHub. The issue was due to an “overly-permissive Shared Access Signature token for an internal storage account.” The compromised data included passwords, private keys, secrets, and more than 30,000 internal Microsoft Teams messages.
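Since the root cause above was an overly-permissive Shared Access Signature, here is an added example (not from Wiz or Microsoft) that parses the SAS query parameters out of a storage URL and reports the properties a reviewer would flag: write-capable permissions, a far-off or missing expiry, account-level scope, and no source-IP restriction. The two URLs are constructed samples with placeholder signatures; the seven-day expiry limit and the allowed permission letters are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Azure SAS "sp" permission letters; anything beyond read (r) and list (l)
# is treated as write-capable here (assumption for this check).
READ_ONLY = {"r", "l"}

def _parse_sas_time(value):
    """SAS times are ISO-8601 UTC, with or without the time part."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unrecognised SAS time: " + value)

def parse_sas(url):
    """Return (host, path, {param: value}) for a SAS-bearing storage URL."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.netloc, parts.path, params

def sas_findings(url, now=None, max_days=7):
    """List the reasons this SAS token looks over-permissive; [] means none."""
    now = now or datetime.now(timezone.utc)
    _host, _path, q = parse_sas(url)
    findings = []
    extra = set(q.get("sp", "")) - READ_ONLY
    if extra:
        findings.append("write-capable permissions: " + "".join(sorted(extra)))
    if "se" not in q:
        findings.append("no expiry (se) in token")
    elif _parse_sas_time(q["se"]) - now > timedelta(days=max_days):
        findings.append(f"expiry {q['se']} is more than {max_days} days out")
    # ss (services) / srt (resource types) mean an account SAS, not one
    # scoped to a single blob or container
    if "ss" in q or "srt" in q:
        findings.append("account-level SAS (ss/srt present)")
    if q.get("sr") == "c" and extra:
        findings.append("container-scoped token with write access")
    if "sip" not in q:
        findings.append("no source IP restriction (sip)")
    return findings

# Constructed samples; "sig" values are placeholders, not real signatures.
NOW = datetime(2023, 9, 18, 12, 0, tzinfo=timezone.utc)
RISKY_URL = ("https://example.blob.core.windows.net/?sv=2021-06-08&ss=bfqt"
             "&srt=sco&sp=rwdlacupiytfx&se=2051-10-06T00:00:00Z"
             "&st=2020-07-20T00:00:00Z&spr=https&sig=PLACEHOLDER")
SCOPED_URL = ("https://example.blob.core.windows.net/training/data.bin"
              "?sv=2021-06-08&sr=b&sp=r&se=2023-09-20T00:00:00Z"
              "&sip=203.0.113.10&sig=PLACEHOLDER")

if __name__ == "__main__":
    for url in (RISKY_URL, SCOPED_URL):
        print(url.split("?")[0], sas_findings(url, now=NOW) or ["ok"])
```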
- 2. When MFA isn’t actually MFA
On August 27, Retool was the target of a successful spear-phishing attack that resulted in the disclosure of a multi-factor authentication (MFA) code. Retool says the breach was made worse by a new synchronization feature in Google Authenticator that syncs MFA codes to the cloud. Attackers compromised the Google Account, retrieving other TOTP seeds to compromise other Retool accounts.
If you're syncing your TOTP seeds or otherwise backing them up, they are only as secure as that storage.
- 3. Fortinet Patches High-Severity Vulnerabilities in FortiOS, FortiProxy, FortiWeb Products
Fortinet has released patches for an improper neutralization of input during web page generation vulnerability that affects multiple versions of FortiProxy and FortiOS. The high-severity flaw (CVE-2023-29183) could be exploited in cross-site scripting (XSS) attacks.
My point (from John Pescatore): Back in 2021 when Fortinet had a rapid increase in vulnerabilities, they put out a blog entry detailing improvements in their development and vulnerability management processes. In 2023, nothing. It is time for Fortinet management to provide assurance that they understand why XSS and other vulnerabilities are still appearing in their security products and that they are making major changes to fix those problems.
- 4. California stays ahead on state privacy protection – SiliconANGLE
Lawmakers in California have passed the “Delete Law,” which would give consumers the ability to demand that data brokers delete all their personal information. If the governor signs the bill into law, the California Privacy Protection Agency (CPPA) will be tasked with creating a website that allows consumers to opt out of letting data brokers collect their information with a single request.
If signed, it goes into effect in 2026. With all the data breaches and unexpected use of consumer data, being able to ask data brokers to delete our information is appealing.
- 5. Ransomware attack hits Orbcomm’s BT series of ELDs; paper logs are back
Orbcomm, a major provider of ELDs to the trucking sector, is dealing with a ransomware attack that has limited the ability of its customers to use its Fleet.
Ironically, truckers who opposed the electronic tracking are now struggling to revert to paper. I wonder how the paper logs will be re-incorporated when the system is back (expected 9/28)?
- 6. Uncursing the ncurses: Memory corruption vulnerabilities found in library
Microsoft researchers detected “a set of memory corruption vulnerabilities in a library called ncurses, which provides APIs that support text-based user interfaces (TUI).” The vulnerabilities could be exploited to execute malicious code on Linux and macOS systems. Microsoft disclosed the vulnerabilities to the library’s maintainers, who fixed the flaws in April 2023. In case you're thinking ncurses is familiar but not recent, the library was first released in 1993 and provides mechanisms for creating windows, manipulating text, handling user input, colors, etc. for terminal-based applications. The maintainer created an updated version 6.4.20230408; Apple and Red Hat released updates which address the flaws in September.
- 7. Adobe, Apple, Google & Microsoft Patch 0-Day Bugs – Krebs on Security
On Tuesday, September 12, Microsoft released fixes for 66 security issues in a variety of products. Five of the vulnerabilities are rated critical, and two are being actively exploited: a Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability (CVE-2023-36802) and a Microsoft Word Information Disclosure Vulnerability (CVE-2023-36761).
- 8. Feds hit Penn State University with false claims lawsuit over cyber compliance
A lawsuit filed against Pennsylvania State University alleges violations of the False Claims Act. The lawsuit alleges that the university lied to or misled federal officials regarding its compliance with cybersecurity requirements while contracting with the government. As a contractor, the university handles controlled unclassified information (CUI). Adequate protection for CUI is, at a minimum, implementing the National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
In short, make sure you're protecting data as required, and verify it; don't just check the box...
- 9. Update Kubernetes Clusters to Fix Vulnerabilities
A researcher from Akamai has found three vulnerabilities in Kubernetes; all three are due to insecure function calls and a lack of user input sanitization. The most serious of the bunch is a high-severity flaw that can be exploited to achieve remote code execution with SYSTEM privileges on Windows nodes within the cluster. This specifically applies to Windows endpoints in the cluster. In addition to applying the update, make sure you're limiting the number of users who can perform actions on a cluster. Another workaround is to disable the use of Volume.Subpath, which was being passed to a PowerShell script to evaluate and execute, without proper sanitization.
- 10. DOE Announces $39 Million in Research Funding to Enhance Cybersecurity of Clean Distributed Energy Resources
The US Department of Energy (DOE) will disburse $39 million among nine National Laboratory projects focused on strengthening the cybersecurity of the country’s distributed energy resources (DER). “DER systems include utility-scale solar, wind, storage and other clean technologies; behind-the-meter renewables and storage systems; electric vehicle chargers; and other customer-owned devices. These research, development, and demonstration projects will develop innovative cybersecurity tools and technologies for DER Systems, such as Distribution Management Systems, Distributed Energy Resource Management Systems, and DER aggregators.”
These nine projects are designed to leverage modern technologies, AI, ML, IPv6, etc. to secure existing utility systems without disrupting them, as well as provide a model for future services which can be built with security in mind.
- 11. Clorox warns of product shortages after cyberattack
An August cyberattack, likely ransomware, on Clorox damaged parts of its IT infrastructure and disrupted its operations, resulting in product delays and shortages that are expected to impact the company's first-quarter earnings, according to a securities filing on Monday.