Vulnrichment, Hardware Hacking, VPNs – PSW #829
Vulnrichment (I just like saying that word), Trustworthy Computing Memo V2, SSID confusion, the Flipper Zero accessory for Dads, the state of exploitation, Hackbat, Raspberry PI Connect, leaking VPNs, exploiting faster?, a new Outlook 0-Day?, updating Linux, and a 16-year-old vulnerability.
Announcements
Get ready for an electrifying experience at the 15th annual Identiverse! Join 3,000+ identity professionals at the ARIA Resort & Casino in Vegas on May 28-31, 2024, for 4 days packed with dynamic learning & collaboration. Don't miss keynote speakers including Denee Defiore, CISO of United Airlines; Tucker Bryant, entrepreneur and former Googler; George Roberts, Director of Identity and Access Engineering at McDonald's; and many more!
As a community member, receive 25% off your Identiverse 2024 tickets using code IDV24-SW25!
Register today: securityweekly.com/idv2024
Hosts
- 1. DIY Keyboard Can Handle Up To Three Host Devices
Really neat DIY project, then Tyler told me you can buy keyboards and mice that will pair to up to 3 devices from Logitech. Still a really cool project though!
- 2. Linux Kernel 6.9 Released with Critical Fixes & Upgrades
I've updated my 3 main machines to the latest Manjaro stable, which also makes 6.9 available. There are some performance and security enhancements in the latest kernel, and all seems to be well so far as my machines are now on 6.9. Before you update Manjaro, read the docs! Python has been updated and there are some extra steps involved to keep your AUR packages up-to-date. If you run KDE, make sure you read the forum for user experiences as some people reported losing customizations (so backups are important, e.g. timeshift). I was also able to get my Framework 16 back in operation, repairing the damaged power button (user error) and the heat shrink that was hitting the fan (LOL moment).
- 3. Beware! Threat Actor Selling Outlook RCE 0-Day on Hacking Forums
I have no idea if this is legit or not: "A threat actor has reportedly put up for sale a Remote Code Execution (RCE) 0-day exploit targeting various versions of Microsoft Outlook, with a staggering asking price of $1.8 million."
- 4. SSD Advisory – D-Link DIR-X4860 Security Vulnerabilities
Consumer routers will just become part of botnets forever: "The vendor has been reached out three times in the past 30 days and have not responded to any of our attempts." - Also, there is a PoC here as well.
- 5. 16 years of CVE-2008-0166 – Debian OpenSSL Bug
In May 2008 a bug in Debian's OpenSSL package crippled the PRNG so that keys were generated from predictable, not-so-random numbers: the only entropy left was the process ID, so for a given architecture and key size only a few tens of thousands of distinct keys could ever be produced, and an attacker can enumerate every one of them. Many people created keys with the vulnerable OpenSSL in 2008 and still have not replaced them for things like DKIM. This results in the following: "This trivially allowed sending emails with forged DKIM signatures for those hosts and thereby also passing DMARC checks." The author has a tool to check for bad keys. Key issues such as this have a long tail for sure!
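Because the 2008 Debian keys are enumerable, checking for one is a lookup: pull the RSA modulus out of the DKIM record and compare its fingerprint with a blocklist. The block below is an added example for this note, not the author's checker. The DKIM record it parses is built from a made-up 1024-bit modulus (not a real key) so that it runs offline; the fingerprint format is my reading of Debian's openssl-blacklist (the last 20 hex digits of SHA-1 over the `Modulus=<HEX>\n` line that `openssl rsa -noout -modulus` prints) and should be verified against that package before you rely on it.

```python
"""Extract the RSA modulus from a DKIM TXT record and fingerprint it for a
weak-key blocklist lookup. Added example; the record is constructed, and the
blocklist fingerprint format is an assumption noted in the lead-in."""
import base64
import hashlib


# --- minimal DER helpers: enough for SubjectPublicKeyInfo carrying an RSA key ---
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v: int) -> bytes:
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:               # keep the INTEGER positive
        b = b"\x00" + b
    return der_tlv(0x02, b)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after this element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


# AlgorithmIdentifier body: OID 1.2.840.113549.1.1.1 (rsaEncryption) + NULL params
RSA_ALG = bytes.fromhex("06092a864886f70d0101010500")


def spki_from_modulus(n: int, e: int = 65537) -> bytes:
    """Wrap a modulus as a DER SubjectPublicKeyInfo (used to build the sample)."""
    rsa_key = der_tlv(0x30, der_int(n) + der_int(e))       # RSAPublicKey
    bit_string = der_tlv(0x03, b"\x00" + rsa_key)          # 0 unused bits
    return der_tlv(0x30, der_tlv(0x30, RSA_ALG) + bit_string)


def modulus_from_dkim(txt: str) -> int:
    """Parse 'v=DKIM1; k=rsa; p=<base64 SPKI>' and return the modulus."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM key")
    spki = base64.b64decode("".join(tags["p"].split()))   # DNS may split the string
    _, spki_body, _ = read_tlv(spki, 0)                    # SubjectPublicKeyInfo
    _, _, pos = read_tlv(spki_body, 0)                     # AlgorithmIdentifier, skipped
    _, bit_string, _ = read_tlv(spki_body, pos)            # BIT STRING
    _, rsa_body, _ = read_tlv(bit_string[1:], 0)           # RSAPublicKey after unused-bits byte
    _, n_bytes, _ = read_tlv(rsa_body, 0)                  # modulus INTEGER
    return int.from_bytes(n_bytes, "big")


def blocklist_fingerprint(n: int) -> str:
    """Assumed openssl-blacklist format: SHA-1 of 'Modulus=<HEX>\\n', last 20 hex digits."""
    line = f"Modulus={n:X}\n".encode()
    return hashlib.sha1(line).hexdigest()[20:]


def assess(txt: str, blocklist: set) -> dict:
    n = modulus_from_dkim(txt)
    fp = blocklist_fingerprint(n)
    return {"bits": n.bit_length(), "fingerprint": fp,
            "weak": fp in blocklist, "short": n.bit_length() < 2048}


# Constructed sample: a made-up 1024-bit modulus wrapped as a DKIM record.
SAMPLE_N = (1 << 1023) | 0x10001
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_from_modulus(SAMPLE_N)).decode()
# Pretend the blocklist lists this key, as it would for a real Debian 2008 key.
SAMPLE_BLOCKLIST = {blocklist_fingerprint(SAMPLE_N)}

if __name__ == "__main__":
    print(assess(SAMPLE_RECORD, SAMPLE_BLOCKLIST))
```

In practice you would fetch `selector._domainkey.example.com` TXT records for every selector you publish and feed each one to `assess` with the blocklist for its key size; the `short` flag is a separate, cheaper finding (a 1024-bit DKIM key is weak regardless of how it was generated).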
- 6. Hackers Exploiting Vulnerabilities 50% Faster, Within 4.76 Days
"A new report from Fortinet found that in the second half of 2023, the average time between a vulnerability being disclosed and actively exploited in the wild shrunk to just 4.76 days – a staggering 43% decrease compared to the first half of the year." - This is a relatively short timeframe to measure this. It could mean so many things, and more likely that in this 6-month timeframe there just happened to be a series of vulnerabilities that were easily exploitable, the exploits were known and published. To more accurately measure this you'd need data from a longer timeframe to prove that vulnerabilities are being exploited more quickly.
- 7. Passwordless Authentication Standard FIDO2 Flaw Let Attackers Launch MITM Attacks
- 8. Side-by-Side with HelloJackHunter: Unveiling the Mysteries of WinSxS
- 9. TunnelVision (CVE-2024-3661): How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak
Summary: DHCP option 121 can be used to push more specific routes and override the routes for the VPN tunnel, essentially decloaking VPN tunnels. My opinion is the best way to prevent this is to ignore DHCP option 121 (as with Android). Attackers have to be on the same network and set up a malicious DHCP server. Lastly, you can configure namespaces with Wireguard to avoid this vulnerability (Ref: https://www.wireguard.com/netns/#the-new-namespace-solution).
- 10. ax/apk.sh: apk.sh makes reverse engineering Android apps easier, automating some repetitive tasks like pulling, decoding, rebuilding and patching an APK.
- 11. Offensive IoT for Red Team Implants – Part 1 – Black Hills Information Security
Great stuff here, on my project list now!
- 12. Security advisory: QStringConverter
- 13. CISA Announced Vulnrichment : Project to Enrich CVE Records
Great comment: "CISA’s ‘Vulnrichment’ initiative is a pivotal step in the right direction,” said Immanuel Chavoya, CEO of RiskHorizon.ai. “However, true resilience lies in preemptive enrichment of all CVEs before exploitation occurs. Waiting for indicators of exploitation to populate CVEs still introduces delays downstream." - Also, I like the idea of having ONE source for vulnerability tracking, categorizing, and scoring. "Vulnrichment" seems to be yet another data source I have to pull from.
- 14. Pathfinder: High-Resolution Control-Flow Attacks Exploiting the Conditional Branch Predictor
- 15. Meet Raspberry Pi Connect, a New Tool to Access Your Raspberry Pi Remotely – 9to5Linux
"Under the hood, the tool uses the WebRTC protocol to establish a secure peer-to-peer connection between the web browser and your Raspberry Pi device. At the moment, the remote service uses a single relay (TURN) server located in the UK, which may lead to high latency." - While I don't believe this will lead to a security disaster, it could provide a more secure remote access method than most RPI users are able/willing to create. Experienced users will opt for SSH/VNC in a secure configuration (although articles do reference some of the challenges with this, specifically Wayland messing things up, and I experienced issues with certain VNC clients and servers not being able to negotiate the security protocols correctly). You do need to create a Raspberry Pi ID, and make sure you enable and configure MFA for this account if you plan to use RPI Connect.
- 16. The Raspberry Pi RP2040 Hackbat is an open source swiss army knife pen testing tool
This looks like a really cool project, but keep in mind it's still 2.4 GHz Wi-Fi only, and it looks like you are on your own for the code that actually makes the hardware do useful things (at least a quick look at the GitHub repo only reveals the schematics to create the hardware platform, not the actual code to make menus and such).
- 17. Multiple vulnerabilities in RIOT OS – hn security
- 18. JTAG Hacking with a Raspberry Pi – Introducing the PiFex
I'm curious how this compares to the Bus Pirate 5... (Other than JTAG support)
- 19. State of Exploitation – A Peek into the Last Decade of Vulnerability Exploitation
This is really interesting: "Expanding our analysis to encompass weaponized vulnerabilities uncovers that between 2014 and 2023, 2% of all disclosed vulnerabilities have been weaponized. Given their heightened risk, weaponized vulnerabilities naturally warrant prioritized attention for remediation, as they possess a high likelihood of being exploited in the wild, if not already. What defines a weaponized vulnerability? It's one that has either been exploited in the wild or has an available exploit capable of delivering a significant payload." - Given this research, are we making a big deal about the increase in the number of vulnerabilities? Can't we just focus on the 2%?
- 20. Tinyproxy HTTP Connection Headers use-after-free vulnerability
- 21. CVE-2024-20356: Jailbreaking a Cisco appliance to run DOOM – LRQA Nettitude Labs
- 22. Breaking down Microsoft’s pivot to placing cybersecurity as a top priority
- 23. Here’s your chance to own a decommissioned US government supercomputer
The current bid is now up to $480,085.00 - What a bargain!
- 24. Flipper Zero Holster Case (silicone sock version) by Brandywine MFG on Tindie
This one should come with cargo shorts, New Balance sneakers, and a Dad joke book. Perfect father's day gift!
- 1. Supercon 2023: Alex Lynd Explores MCUs In Infosec
- 2. ArcaneDoor – New espionage-focused campaign found targeting perimeter network devices
- 3. Millions of IPs remain infected by USB worm years after its creators left it for dead
- 4. Threat actor says he scraped 49M Dell customer addresses before the company found out
- 5. Russia-Linked CopyCop Uses LLMs to Weaponize Influence Content at Scale
- 6. New WiFi Vulnerability: The SSID Confusion Attack
- 7. Apple and Google Launch Cross-Platform Feature to Detect Unwanted Bluetooth Tracking Devices
- 1. Malicious Go Binary Delivered via Steganography in PyPI
Researchers at Phylum have detected a malicious Python package masquerading as a fork of the "requests" package. The package, "requests-darwin-lite," carried a backdoor hidden in a PNG file: the logo image had grown from roughly 300 KB to 13 MB because a Go binary was embedded in it. The payload targets macOS. The package was downloaded more than 400 times before it was taken down, and all versions of "requests-darwin-lite" were removed after the Phylum team reported it. If you use the requests package from PyPI, make sure you don't have copies of the bogus package installed anywhere, irrespective of the platform.
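A 13 MB logo is the tell here, and the structural check for it is generic: a PNG is a signature followed by length-prefixed chunks ending in IEND, so anything after IEND, or an absurdly large ancillary chunk, is not image data. The block below is an added example written for this note, not Phylum's tooling, and it does not claim to reproduce the exact layout used in requests-darwin-lite; the sample PNGs and the appended blob are constructed inline.

```python
"""Look for data smuggled into a PNG: bytes after IEND, ancillary chunks far
larger than they should be, and chunks whose CRC does not match. Added,
generic check; the PNGs below are constructed for the demonstration."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunks(data: bytes):
    """Yield (type, offset, length, crc_ok) per chunk, stopping after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        crc_ok = len(crc) == 4 and struct.unpack(">I", crc)[0] == zlib.crc32(ctype + body)
        yield ctype.decode("ascii", "replace"), pos, length, crc_ok
        pos += 12 + length
        if ctype == b"IEND":
            break


def analyze_png(data: bytes, max_ancillary: int = 64 * 1024) -> dict:
    findings = {"chunks": 0, "trailing_bytes": 0, "oversized": [], "bad_crc": []}
    end = None
    for ctype, off, length, crc_ok in png_chunks(data):
        findings["chunks"] += 1
        if not crc_ok:
            findings["bad_crc"].append(ctype)
        # Ancillary chunks have a lowercase first letter (tEXt, zTXt, iTXt, ...);
        # megabytes of "metadata" in one of them is a classic hiding place.
        if ctype[:1].islower() and length > max_ancillary:
            findings["oversized"].append((ctype, length))
        if ctype == "IEND":
            end = off + 12 + length
    if end is None:
        raise ValueError("no IEND chunk; truncated or not a PNG")
    findings["trailing_bytes"] = len(data) - end   # anything after IEND is not image
    return findings


def chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def make_png(extra_chunks: bytes = b"") -> bytes:
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter 0 + one red pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + extra_chunks + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


CLEAN_PNG = make_png()
# Constructed stand-in for a smuggled binary: Mach-O 64-bit magic plus filler, glued after IEND.
APPENDED_PNG = CLEAN_PNG + b"\xcf\xfa\xed\xfe" + b"A" * 4096
# Constructed: the same kind of payload parked inside an oversized tEXt chunk instead.
CHUNKED_PNG = make_png(chunk(b"tEXt", b"Comment\x00" + b"\xcf\xfa\xed\xfe" + b"A" * 100000))

if __name__ == "__main__":
    for name, png in (("clean", CLEAN_PNG), ("appended", APPENDED_PNG), ("chunked", CHUNKED_PNG)):
        print(name, analyze_png(png))
```

Run this over every image shipped inside a wheel or sdist as part of package review; a PNG whose trailing bytes or oversized chunk starts with an executable magic (ELF, Mach-O, PE) is worth pulling apart by hand.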
- 2. Europol Investigating Breach After Hacker Offers to Sell Classified Data
Europol is investigating a threat actor’s claims that they stole data from the Europol Platform for Experts (EPE), a collaborative platform for law enforcement for sharing best practices and other information. EPE has been offline since Friday, May 10. A Europol spokesperson has told multiple news sites that they are “aware of the incident and [are] assessing the situation.”
The attacker appears to have reached a test environment through the organization's Zscaler proxy and used it to get at production data. As zero-trust access brokers such as Zscaler become the front door to internal systems, it's more important than ever to hold non-production environments to the same bar on access control, particularly authentication. One could argue that dummy data belongs outside production, but there are valid reasons to use real data for acceptance testing and similar activities, and for those cases the same security controls should apply on every platform.
- 3. A Global View of the CISA KEV Catalog: Prevalence and Remediation
A report from Bitsight examines the effect the US Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalog has had on the speed of vulnerability remediation, both at Federal Civilian Executive Branch (FCEB) agencies and at private sector organizations. The report says that KEV-listed vulnerabilities are patched in an average of 175 days (around six months), while vulnerabilities not in the catalog are patched in an average of 621 days (one year, eight months).
Agencies struggle to meet the KEV timelines: on average only 40% manage to do so. Even so, the overall health of agency networks improves as a result of the KEV, which is what was intended. The catalog also provides insight into which vulnerabilities are being actively exploited, making it a valuable input when assessing risk and prioritizing updates and fixes. Note that to be listed in the KEV, a vulnerability must have a CVE ID, reliable evidence of active exploitation, and a clear remediation action. The 175-day average, even with the caveat that more severe issues are resolved more quickly, is still an opportunity to improve.
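The catalog is published as JSON, so measuring your own 175-day number is a small script. The block below is an added example for this note, not Bitsight's methodology; it uses the public KEV field names (cveID, dateAdded, dueDate, knownRansomwareCampaignUse) but the entries are constructed placeholders rather than real catalog records, and the remediation inventory is made up.

```python
"""Measure remediation against KEV due dates and build a work queue.
Added example; the catalog excerpt and inventory are constructed."""
from datetime import date
from typing import Dict, List, Optional

# Constructed excerpt in the shape of the KEV JSON feed (placeholder IDs, not real entries).
KEV_EXCERPT = {
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-1111", "vendorProject": "ExampleVendor", "product": "Gateway",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-2222", "vendorProject": "ExampleVendor", "product": "Mail",
         "dateAdded": "2023-11-01", "dueDate": "2023-11-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-3333", "vendorProject": "ExampleVendor", "product": "Agent",
         "dateAdded": "2024-04-01", "dueDate": "2024-04-22", "knownRansomwareCampaignUse": "Unknown"},
    ],
}

# Constructed inventory: when each KEV item was fixed in our estate (None = still open).
REMEDIATED: Dict[str, Optional[date]] = {
    "CVE-2024-1111": date(2024, 3, 5),
    "CVE-2023-2222": None,
    "CVE-2024-3333": date(2024, 4, 10),
}


def remediation_rows(catalog: dict, remediated: Dict[str, Optional[date]], as_of: date) -> List[dict]:
    """One row per KEV entry: status against the due date and elapsed days."""
    rows = []
    for v in catalog["vulnerabilities"]:
        added = date.fromisoformat(v["dateAdded"])
        due = date.fromisoformat(v["dueDate"])
        fixed = remediated.get(v["cveID"])
        if fixed is None:
            status, end = ("overdue" if as_of > due else "open"), as_of
        else:
            status, end = ("late" if fixed > due else "on_time"), fixed
        rows.append({
            "cve": v["cveID"],
            "status": status,
            "days_since_added": (end - added).days,
            "overdue_by": max(0, (end - due).days),
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
        })
    return rows


def summarize(rows: List[dict]) -> dict:
    closed = [r["days_since_added"] for r in rows if r["status"] in ("late", "on_time")]
    return {
        "met_due_date": sum(r["status"] == "on_time" for r in rows) / len(rows),
        "mean_days_to_fix": sum(closed) / len(closed) if closed else None,
        "overdue_open": sorted(r["cve"] for r in rows if r["status"] == "overdue"),
    }


def work_queue(rows: List[dict]) -> List[str]:
    """Open items only, ransomware-linked first, then most overdue."""
    open_rows = [r for r in rows if r["status"] in ("open", "overdue")]
    return [r["cve"] for r in sorted(open_rows, key=lambda r: (not r["ransomware"], -r["overdue_by"]))]


def demo(as_of: date = date(2024, 5, 13)):
    rows = remediation_rows(KEV_EXCERPT, REMEDIATED, as_of)
    return rows, summarize(rows), work_queue(rows)


if __name__ == "__main__":
    rows, summary, queue = demo()
    for r in rows:
        print(r)
    print(summary, queue)
```

Swap `KEV_EXCERPT` for the JSON you download from CISA and `REMEDIATED` for the close dates from your ticketing or scanner export; `mean_days_to_fix` is the figure to compare with the report's 175-day average, and `met_due_date` is the 40% figure.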
- 4. Google Fixes Another Chrome Zero-day
Google has updated their Chrome browser to address a high-severity use-after-free vulnerability. The browser’s Stable channel has been updated to 124.0.6367.201/.202 for Mac and Windows and 124.0.6367.201 for Linux. Google is aware that there is an exploit for the flaw available in the wild. This is the fifth zero-day vulnerability Google has patched in Chrome so far this calendar year.
As my boss Matt would say, "We've seen this movie before." You already have processes to make sure end users get the update and have set limits on how long they can ignore the restart prompt; just verify that it's done, and hopefully you don't have to force-kill too many running browsers.
- 5. FBCS Updates Number of Individuals Affected by February Breach
Financial Business and Consumer Solutions (FBCS), a Pennsylvania-based debt collection agency, has updated the breach report it submitted to the Maine Attorney General's office (AGO). FBCS has identified an additional 724,000 individuals affected by the breach that occurred earlier this year, bringing the total of affected individuals to 2.68 million. The notification letters FBCS sent to affected people say that the compromised data include Social Security numbers and account information. FBCS informed the Maine AGO that driver's license and identification card numbers may also have been compromised.
FBCS continues to notify affected users; even so, don't wait to see if you're in scope. You should already be getting notifications from your credit monitoring/ID protection service about breaches such as this; make sure you follow up to see whether you are included. This is an area where we all need to be proactive, both for ourselves and for family members not as well versed in what's at stake.
- 6. Kaspersky identifies significant security risks in widely-used Cinterion modems
Researchers at Kaspersky ICS CERT are warning of multiple vulnerabilities in Telit Cinterion cellular modems. Exploitation of the flaws could lead to information leaks, privilege elevation, sandbox escape, arbitrary code execution, and unauthorized access to files and directories. Kaspersky initially detected the vulnerabilities more than a year ago, notified Cinterion in February 2023, and published advisories in November 2023. In this month's report, Evgeny Goncharov, head of Kaspersky ICS CERT, notes that "since the modems are typically integrated in a matryoshka-style within other solutions, with products from one vendor stacked atop those from another, compiling a list of affected end products is challenging."
- 1. Why Your VPN May Not Be As Secure As It Claims
A malicious DHCP server on the local network can push routes (DHCP option 121, classless static routes) that are more specific than the VPN's tunnel routes, so traffic to those destinations leaves through the physical interface instead of the tunnel. The targeted user gets no warning; it's not a bug, it's DHCP operating as designed. Mitigations are limited: Android ignores option 121, working inside a virtual machine or a dedicated network namespace keeps the VPN's routing away from the host's DHCP client, and beyond that it comes down to staying off shared or untrusted networks.
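To make the routing argument concrete for this item and for the TunnelVision summary earlier in these notes: option 121 is a compact encoding of (prefix length, significant destination octets, router), and the kernel picks the longest matching prefix, so two /1 routes beat a full-tunnel /0 for every address. The block below is an added example, not the researchers' code; the option bytes, the routing table and the interface names are constructed for the demonstration.

```python
"""Decode DHCP option 121 (RFC 3442 classless static routes) and show, via
longest-prefix match, which destinations escape a full-tunnel VPN once the
pushed routes are installed. Added example; all data here is constructed."""
import ipaddress
from typing import List, Tuple

# A route is (network, next_hop, interface); the interface is an assumed label
# so the example can show where traffic actually exits.
Route = Tuple[ipaddress.IPv4Network, str, str]


def decode_option_121(data: bytes, iface: str = "eth0") -> List[Route]:
    """Parse the compact encoding: one byte prefix width, then only the
    significant octets of the destination, then a 4-byte router address."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        width = data[i]
        i += 1
        if width > 32:
            raise ValueError(f"bad prefix width {width}")
        n = (width + 7) // 8                       # significant octets, 0 for /0
        dest = data[i:i + n] + b"\x00" * (4 - n)   # pad back to four octets
        i += n
        router = data[i:i + 4]
        i += 4
        if len(dest) != 4 or len(router) != 4:
            raise ValueError("truncated route entry")
        net = ipaddress.IPv4Network((dest, width), strict=False)
        routes.append((net, str(ipaddress.IPv4Address(router)), iface))
    return routes


def lookup(dst: str, table: List[Route]) -> Route:
    """Longest-prefix match, as the kernel does it."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)


def leaked_destinations(dsts: List[str], table: List[Route], tunnel_iface: str = "tun0") -> List[str]:
    return [d for d in dsts if lookup(d, table)[2] != tunnel_iface]


# Constructed: what a full-tunnel VPN typically installs. The VPN server itself
# gets a host route via the physical NIC; everything else goes to tun0.
VPN_TABLE: List[Route] = [
    (ipaddress.IPv4Network("0.0.0.0/0"), "10.8.0.1", "tun0"),
    (ipaddress.IPv4Network("203.0.113.10/32"), "192.168.1.1", "eth0"),
]

# Constructed attacker payload: two /1 routes that together cover all of IPv4
# but are each more specific than the tunnel's /0, plus a /32 for one host.
ATTACK_OPT121 = bytes([
    1, 0x00, 192, 168, 1, 1,          # 0.0.0.0/1   via 192.168.1.1
    1, 0x80, 192, 168, 1, 1,          # 128.0.0.0/1 via 192.168.1.1
    32, 8, 8, 8, 8, 192, 168, 1, 1,   # 8.8.8.8/32  via 192.168.1.1
])


def demo() -> List[str]:
    """Install the pushed routes next to the VPN's and report what leaks."""
    table = VPN_TABLE + decode_option_121(ATTACK_OPT121)
    return leaked_destinations(["1.1.1.1", "8.8.8.8", "198.51.100.7"], table)


if __name__ == "__main__":
    for net, gw, dev in decode_option_121(ATTACK_OPT121):
        print(f"pushed route {net} via {gw} dev {dev}")
    print("leaked:", demo())
```

The same decoder can be pointed at option 121 bytes captured from a DHCP ACK on a network you are about to trust; any pushed prefix shorter than your VPN's own routes is the attack, and Android's unaffected status comes precisely from its DHCP client not implementing this option.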
- 2. Security above all else—expanding Microsoft’s Secure Future Initiative
Microsoft's cloud security has been exposed as inadequate by recent hacks, so they are making a big push to improve security. This move is intended to reassure government and other customers, and it looks pretty good, although it's just general principles at this point.
- 3. Read Satya Nadella’s Microsoft memo on putting security first
This is the new version of Bill Gates' 2002 Trustworthy Computing memo, which really did lead to a major improvement in Microsoft's security.
- 4. Announcing Zero Trust DNS Private Preview
Windows 11 machines with this feature activated will be forced to use only a "Protective DNS" server, which will limit resolutions to an allow-list of sites. The feature is in development and not publicly available yet.
- 5. Qualcomm’s Snapdragon X chips in Dell XPS 13 Plus laptops will nearly double battery life over Intel, cost half as much
Windows 11 laptops with ARM processors! This should be great, like the Apple ARM laptops.
- 6. Microsoft Zscaler
Zscaler seems to be a viable commercial zero-trust solution. Instead of connecting nearby devices to a switch or router, every device connects only to a central cloud service. Each device is individually evaluated and granted access only to resources matching the security policy. I don't have experience using this, but perhaps other hosts do.
- 7. CISA Announces CVE Enrichment Project ‘Vulnrichment’
Its goal is the enrichment of public CVE records with Common Platform Enumeration (CPE), Common Vulnerability Scoring System (CVSS), Common Weakness Enumeration (CWE), and Known Exploited Vulnerabilities (KEV) data. CISA says it has already enriched 1,300 CVEs, particularly new and recent ones, and is asking all CVE Numbering Authorities (CNAs) to provide complete information when submitting vulnerability information to CVE.org.
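In the CVE JSON 5.1 format the CNA's data and CISA's additions live in separate containers of the same record (`containers.cna` and `containers.adp[]`), which is what the "yet another data source" complaint comes down to: a consumer has to merge them. The block below is an added example, not CISA's tooling; the record is constructed with a placeholder CVE ID, the field names follow the records published in the Vulnrichment repo as I understand them (confirm against a real record), and the priority mapping at the end is a deliberate simplification, not the official SSVC decision tree.

```python
"""Merge a CVE 5.1 record's CNA container with the CISA ADP (Vulnrichment)
container: CVSS with fallback, CWE, CPE, SSVC options and KEV status.
Added example; the record is constructed and the field names are assumed
from the Vulnrichment repo's records."""
from typing import Any, Dict, Iterator, List, Optional, Tuple

RECORD: Dict[str, Any] = {
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-2024-4444", "state": "PUBLISHED"},   # placeholder ID
    "containers": {
        "cna": {   # deliberately sparse: no metrics, no problemTypes, no CPEs
            "affected": [{"vendor": "ExampleVendor", "product": "Widget",
                          "versions": [{"version": "1.0", "status": "affected"}]}],
            "descriptions": [{"lang": "en", "value": "Constructed description."}],
        },
        "adp": [{
            "title": "CISA ADP Vulnrichment",
            "providerMetadata": {"shortName": "CISA-ADP"},
            "metrics": [
                {"other": {"type": "ssvc", "content": {
                    "role": "CISA Coordinator", "version": "2.0.3",
                    "options": [{"Exploitation": "active"}, {"Automatable": "yes"},
                                {"Technical Impact": "total"}]}}},
                {"cvssV3_1": {"baseScore": 7.5, "baseSeverity": "HIGH",
                              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}},
                {"other": {"type": "kev", "content": {"dateAdded": "2024-05-01"}}},
            ],
            "problemTypes": [{"descriptions": [{"cweId": "CWE-287",
                                                "description": "Improper Authentication"}]}],
            "affected": [{"vendor": "ExampleVendor", "product": "Widget",
                          "cpes": ["cpe:2.3:a:examplevendor:widget:1.0:*:*:*:*:*:*:*"]}],
        }],
    },
}


def containers(record: dict) -> Iterator[Tuple[str, dict]]:
    """CNA first, then each ADP container, so CNA data wins where both exist."""
    c = record["containers"]
    yield "cna", c["cna"]
    for adp in c.get("adp", []):
        yield "adp", adp


def metrics(record: dict) -> Iterator[Tuple[str, dict]]:
    for source, cont in containers(record):
        for m in cont.get("metrics", []):
            yield source, m


def cvss(record: dict) -> Optional[Tuple[float, str, str]]:
    """(baseScore, baseSeverity, source) from the first container that has one."""
    for source, m in metrics(record):
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
            if key in m:
                return m[key]["baseScore"], m[key]["baseSeverity"], source
    return None


def ssvc(record: dict) -> Dict[str, str]:
    for _, m in metrics(record):
        other = m.get("other", {})
        if other.get("type") == "ssvc":
            opts: Dict[str, str] = {}
            for o in other["content"].get("options", []):
                opts.update(o)
            return opts
    return {}


def in_kev(record: dict) -> bool:
    return any(m.get("other", {}).get("type") == "kev" for _, m in metrics(record))


def cwes(record: dict) -> List[str]:
    return sorted({d["cweId"] for _, c in containers(record)
                   for pt in c.get("problemTypes", [])
                   for d in pt.get("descriptions", []) if "cweId" in d})


def cpes(record: dict) -> List[str]:
    return sorted({cpe for _, c in containers(record)
                   for a in c.get("affected", []) for cpe in a.get("cpes", [])})


def priority(opts: Dict[str, str]) -> str:
    """Simplified bucket from SSVC options; NOT the official SSVC decision tree."""
    ex = opts.get("Exploitation", "none")
    if ex == "active":
        return "act" if opts.get("Automatable") == "yes" or opts.get("Technical Impact") == "total" else "attend"
    if ex == "poc":
        return "track*" if opts.get("Automatable") == "yes" else "track"
    return "track"


def enrich(record: dict) -> dict:
    opts = ssvc(record)
    return {"cve": record["cveMetadata"]["cveId"], "cvss": cvss(record), "cwes": cwes(record),
            "cpes": cpes(record), "ssvc": opts, "kev": in_kev(record), "priority": priority(opts)}


if __name__ == "__main__":
    print(enrich(RECORD))
```

Pointed at the records in the Vulnrichment repository, `enrich` gives one flat row per CVE with the provenance of the score preserved in the third element of `cvss`, which is the detail you want when a CNA score and a CISA score disagree.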
- 8. The Dangerous Rise of GPS Attacks
Thousands of planes and ships are facing GPS jamming and spoofing. Experts warn these attacks could potentially impact critical infrastructure, communication networks, and more. It mainly affects areas near Russia now, but there's no reason to expect it to stay contained. Aircraft navigation systems using atom interferometry are being developed, which work without GPS, but they are not yet commercially available.