LogoFAIL, Default Passwords and Android Hacking – PSW #810
Analyzing firmware with EMBA, TinyXML, and the ugly supply chain, ignoring vulnerabilities that allow attackers to turn off your vehicle, Android lock screen bypass and running water, LogoFAIL updates, and the confusing severity, you still haven’t patched Log4Shell, the password is 123456, and an amazing Bluetooth hack that affects you!
- 1. What You Need to Know for Your Next CJIS Audit – Eclypsium
"Like other standards governing federal data, CJIS requirements are based on the security controls defined in NIST’s SP 800-53. As firmware and supply chain security have become priorities within SP 800-53, they have likewise become priorities in the CJIS Security Policy. And for law enforcement agencies, this means that they will likely have hard new cybersecurity requirements that aren’t addressed by their traditional security tools. Let’s take a closer look."
- 2. Release Version 0.1 – Hello World! · e-m-b-a/embark
EMBA and EMBark are really cool projects. I am working on an article, and looking forward to sharing some more details about the project. It has become my go-to framework to begin analyzing all sorts of firmware.
- 3. Forescout Vedere Labs discloses 21 new vulnerabilities affecting OT/IoT routers – Forescout
- 4. Forescout Vedere Labs has identified a total of 21 new vulnerabilities affecting one of the most popular OT/IoT
Ahh, supply chain: "The vulnerabilities affect Sierra Wireless AirLink cellular routers and some of their open source components, such as TinyXML and OpenNDS, which are used in a variety of other products." So much this: "TinyXML has not been maintained for nearly a decade. The project already had one public vulnerability without a known fix prior to this research (CVE-2021-42260, details in 9.4), and now there are two new issues which we found and that will not be fixed either. Using open-source intelligence (OSINT) – mainly searching for product documentation mentioning the TinyXML license – we were able to identify over 30 different products that still use TinyXML. Most of those are either other open-source projects or security software, but there are also several automotive infotainment systems, building automation devices and other IoT"
- 5. Dangerous vulnerability in fleet management software seemingly ignored by vendor
They ignored this! Wow! Some details: "The vulnerability — CVE-2023-6248 — gives a hacker access to the software and the commands used to manage up to thousands of vehicles. Using just an IP address and a bit of python, someone can access a Linux server through the gateway and access a suite of tools, including live locations, detailed engine diagnostics, speakers, airbags and execute arbitrary code on vulnerable devices. Most alarmingly, however, is the software’s ability to turn off a vehicle."
- 6. Researcher discovered a new lock screen bypass bug for Android 14 and 13
I'm still trying to understand how this works; it seems the example exploit is a video in Spanish (with running water in the background that makes me have to pee): "For those that do not have Driving mode activated, an attacker can access your recent and favorite locations (like home and work) as well as your contacts. From here, they can also share the location of your phone in real time with any of your contacts or via an email that they need to enter manually. If you do have Driving mode activated though, an attacker can chain together this exploit with another one to access photos stored on your device, and they can also publish them or add them as a profile image to your Google Account. At the same time, the attacker can also access extensive information about your account and how it’s configured."
- 7. Cracked macOS Software Laced with New Trojan Proxy Malware
- 8. PureBoot Not Vulnerable to UEFI Exploits (Again) – Purism
Well, yeah, and neither is Coreboot. Does this make them better? Perhaps, in this case. It just means the code is different, not more secure.
- 9. Stealthy Linux rootkit found in the wild after going undetected for 2 years
"During the initialization phase, the rootkit conceals its own presence. It then proceeds to hook the kill() syscall, network-related functions, and file listing operations, thereby obscuring its activities and evading detection." - I believe attackers know that we put too much faith in Linux and do not implement the modern detections available for Windows and Mac. This should be pretty easy to detect and prevent, but it requires some extra effort and/or 3rd party tools.
- 10. One in four apps remain exposed to Log4Shell
Chris sums it up nicely: "At a surface level, the numbers above show that the massive effort to remediate the Log4Shell vulnerability was effective in mitigating risk of exploitation of the zero-day vulnerability. That should not be surprising," said Chris Eng, chief research officer at Veracode. "The bigger story at the two-year anniversary, however, is that there is still room for improvement when it comes to open source software security. If Log4Shell was another example in a long series of wake-up calls to adopt more stringent open source security practices, the fact that more than one in three applications currently run vulnerable versions of Log4j shows there is more work to do. The major takeaway here is that organizations may not be aware of how much open source security risk they are exposed to and how to mitigate it."
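Going back to the rootkit item (9) above: the quoted report says the rootkit hooks file listing operations to hide itself, and the classic defender response is a cross-view check, comparing what readdir() shows under /proc against what opens when accessed directly. The following is an added example, not code from the article or from the rootkit report; it assumes a Linux host with /proc mounted, and the probe limit is an assumption.

```python
"""Cross-view hidden-process check (added example, not code from the article).
Assumes a Linux /proc. A rootkit that hooks file-listing operations can filter
its /proc/<pid> entry out of readdir() results while the path still opens when
accessed directly; a PID reachable directly but absent from the listing is a
hidden-process candidate worth investigating.
"""
import os

PROBE_LIMIT = 65536  # assumption: highest PID swept; raise it on hosts with a large pid_max

def listed_pids(proc="/proc"):
    """PIDs visible through a directory listing, the view rootkits usually filter."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def probed_pids(pids, proc="/proc"):
    """PIDs whose /proc/<pid>/status opens directly, bypassing readdir().

    Thread IDs also resolve under /proc but are never listed there, so only
    thread-group leaders (Tgid == pid) are kept to avoid false positives.
    """
    found = set()
    for pid in pids:
        try:
            with open(f"{proc}/{pid}/status", "rb") as fh:
                status = fh.read()
        except OSError:
            continue
        for line in status.splitlines():
            if line.startswith(b"Tgid:"):
                if int(line.split()[1]) == pid:
                    found.add(pid)
                break
    return found

def hidden_pids(listed, probed):
    """PIDs found by direct access but missing from the listing."""
    return sorted(set(probed) - set(listed))

def self_visible():
    """Sanity check on a clean host: our own PID must appear in both views."""
    me = os.getpid()
    return me in listed_pids() and me in probed_pids([me])

if __name__ == "__main__":
    sweep = range(1, PROBE_LIMIT + 1)
    print("suspicious PIDs:", hidden_pids(listed_pids(), probed_pids(sweep)))
```

A hit is a lead, not proof: confirm it from a second vantage point (a live-response tool, or an offline look at the disk or memory image) before acting on it.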
- 11. Remote code execution and elevation of local privileges in Mitel Unify
"The attacker can now connect to the phone via a secure shell as an admin user with the password 123456. No authentication was needed to get here." - Authentication and authorization on embedded devices is still really poor. This has to change, as I am growing tired of reading vulnerability reports like this. Not taking anything away from the research, as it's solid, but the vendors need to step up their game when it comes to authentication, like not having a default password.
- 12. Hi, My Name Is Keyboard
This is awesome research; no exploits have been released, but here's some of what we know so far: "The vulnerabilities work by tricking the Bluetooth host state-machine into pairing with a fake keyboard without user-confirmation. The underlying unauthenticated pairing mechanism is defined in the Bluetooth specification, and implementation-specific bugs expose it to the attacker. Unpatched devices are vulnerable under the following conditions: Android devices are vulnerable whenever Bluetooth is enabled, Linux/BlueZ requires that Bluetooth is discoverable/connectable, iOS and macOS are vulnerable when Bluetooth is enabled and a Magic Keyboard has been paired with the phone or computer" - ChromeOS had enabled the fix from 2020 and is not vulnerable. It means an attacker, within proximity, can connect to your device and inject keystrokes. This is a great find! Bad news for security, but good that it was disclosed and it will get fixed before more information is available (I hope).
- 13. This is how to protect your computers from LogoFAIL attacks
Be careful of advice on the Internet; it's not always correct. Let's pick this apart, as it's not all wrong: "Macs, smartphones, and other devices that don't use UEFI are not vulnerable." - This is actually correct. On an upcoming episode we will air an interview with Xeno Kovah, who provides details on why this statement is true; it's an amazing interview. Next: "Most Dell computers aren't vulnerable, either. That's because the company uses Intel Boot Guard to make it impossible to replace the images." - I think it's early in the game to make this statement. The research on LogoFAIL states there are ways to compromise systems even with Boot Guard enabled, but the Eclypsium team and I do not have all the details yet to validate. My guess is that it will depend on the configuration, meaning some systems with Boot Guard will be protected, but others will not. Next up: "If you do have vulnerable machines, you first need to make sure no one can get into the device in the first place." - When you come back from your fairytale land, we can have a discussion on why this will never be true, and if it were, we could all retire. Next up: "The trick is to keep attackers from getting access to the EFI System Partition (ESP) in the first place." - If we were able to wipe out all privilege escalation exploits, this would be a great strategy. Again, more fairytales. Next up: "The real fix is to upgrade your firmware. Fixes are on their way from AMI, Intel, Insyde, Phoenix, and Lenovo. They're not coming out quickly, though." - This is accurate but missing many details. AMI, Insyde, and Phoenix are the only ones that have issued security advisories, but not patches just yet. Intel has not issued patches. Until this happens, OEMs like Dell, HP, Lenovo, and others can't implement a UEFI firmware update. But then users have to apply the update. There are currently 4 CVEs issued for LogoFAIL; some have a CVSS score, and some do not.
Some have different CVSS scores from Binarly, the CNA, and NVD. I still think you need to patch, once those are available.
- 1. FBI Guidance to Victims of Cyber Incidents on SEC Reporting Requirements
The US Securities and Exchange Commission’s (SEC’s) new rule for security breach reporting takes effect on Monday, December 18. The rule requires companies to report “material” breaches to the SEC within four working days. The FBI has outlined procedures for organizations that want to delay reporting. In this case the FBI is giving an option to delay, but not eliminate, the 8-K filing, but you have to engage them immediately upon determination that you need to file the 8-K.
- 2. Two-day water outage in remote Irish region caused by pro-Iran hackers
A cyberattack against an Irish water utility in a rural area of County Mayo left about 160 households without water for two days. The attackers reportedly targeted Unitronics programmable logic controllers (PLCs). The Irish government has “identified all of the equipment in Ireland vulnerable to this attack, and notified the owners.”
This appears to be a side-effect of attackers going after the Unitronics PLC flaw (CVE-2023-6448), versus specifically targeting the Irish water utility. If you have any Unitronics PLCs or HMIs, make sure that default passwords are changed, updates are applied, and they are not exposed to the Internet.
- 3. The Far-Reaching Consequences of LogoFAIL
Researchers from Binarly say that most Windows and Linux-based devices are vulnerable to the LogoFAIL firmware attack, which exploits vulnerabilities in UEFI firmware image parsers. LogoFAIL includes more than 20 vulnerabilities in UEFI firmware, some of which have been around for years. The interesting twist here is that the exploits are not platform-specific (they work equally on Intel and ARM systems) but rather UEFI/IBV version-specific, as they leverage flaws in the specific image parsers embedded in the firmware. At the core is that the image parsing libraries don't change frequently, so they likely include unpatched flaws which can be used to bypass Secure Boot, Intel Boot Guard, and other endpoint protections.
- 4. HHS Warns of Open Source Risks in Health Sector
The US Department of Health and Human Services (HHS) Office of Information Security and the Health Sector Cybersecurity Coordination Center (HC3) have published a document outlining the risks that open source software poses to the health sector. The report lists open source software concerns – publicly accessible code, constant updates, and lack of testing and accountability – and suggests options for bolstering open source software security.
This is good information for more than the health sector; consider the LogoFAIL scenario.
- 5. President’s Cup Cybersecurity Competition
The Cybersecurity and Infrastructure Security Agency (CISA) is hosting its 5th annual President’s Cup Cybersecurity Competition. Open to US federal employees, this nationwide competition seeks to identify, recognize, and reward the best cyber talent in the federal government. The competition will take teams and individuals on an adventure through classic gaming. The Individual competition offers both a defense track and an offense track to choose from. Teams can include up to five players, from different departments or agencies. Registration opens on January 3rd, 2024.
The practice range is open now, and the GitHub page is available with descriptions, solution guides, virtual machine builds and other artifacts from prior challenges. Be sure to read the rules/code of conduct. Participants can be from any federal Executive Branch department or agency, which means you can be a contractor, not just a Fed. Teams of 2-5 have from Jan 3rd to 23rd to compete; individuals have from Jan 3rd to Feb 6th. If you're eligible, give it a go.
- 6. Apple Ships iOS 17.2 With Urgent Security Patches
Apple released updates for iOS, iPadOS, macOS, tvOS, and watchOS, addressing a total of 43 security issues. The updates include fixes for six critical flaws in ncurses that could lead to unexpected app termination or arbitrary code execution; a pair of critical flaws in ImageIO that could lead to arbitrary code execution; and several vulnerabilities in WebKit.
Quick breakdown of addressed CVEs: iOS/iPadOS 17.2: 12, iOS/iPadOS 16.7.3: 8, watchOS 10.2: 9, Safari 17.2: 2, macOS 14.2: 39, macOS 13.6.: 17. The fixes for iOS 17 include addressing a Siri flaw which allows someone with physical access to use Siri to reveal sensitive information, as well as similar issues with the Accounts and AVEVideoEncoder services.
- 7. Atlassian warns of 4 new critical vulnerabilities affecting Jira, Confluence, Bitbucket
Atlassian Jira, Confluence, Bitbucket and macOS Companion app users are warned to update their software immediately due to four critical vulnerabilities allowing for remote code execution (RCE).
Note this applies to your data center servers as well as your macOS users. The macOS companion app will update automatically when running; you just need to make sure the new version is present.
Have you considered the hosted option for Atlassian?
- 8. AutoSpill attack steals credentials from Android password managers
Security researchers developed a new attack, which they named AutoSpill, to steal account credentials on Android during the autofill operation.
In a presentation at the Black Hat Europe security conference, researchers from the International Institute of Information Technology (IIIT) at Hyderabad said that their tests showed that most password managers for Android are vulnerable to AutoSpill, even if there is no JavaScript injection.
Google has published guidance for password manager developers to prevent exploitation of WebView. Keeper, LastPass and 1Password have implemented fixes to prevent the exploit.
Part of the equation is a malicious app which enables the attack to work.