Vulnerability Chains – PSW #835
Find new flaws in UEFI using STASE, combining vulnerabilities to exploit SonicWall devices, remote BMC exploits, Netgear patches (and not a lot of information), 22 minutes before exploitation, if the secrets were lost we'd all be screwed, Exim has not been replaced by something better and it's vulnerable, CISA's red team reports, and attackers use drivers to attack EDR: the saga continues!
Announcements
You're invited to InfoSec World 2024 at Disney’s Coronado Springs Resort in Lake Buena Vista, FL, from September 23-25. Join top cybersecurity experts for this premier event! Save 25% on your pass by using code ISW24-SW25 when you register at securityweekly.com/infosecworld2024. Don’t miss out on this exclusive opportunity!
Guest
Dave has spent the past 2 decades helping people solve their cybersecurity problems, maker problems, and developing solutions to all kinds of things. He also enjoys testing new and emerging tech. In short, if it’s new and nerdy, he’ll be at the front of the line to grab a sample, see what it can do, and share it with the rest of the community.
Hosts
- 1. CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks
- 2. Reverse-Engineering an IP camera – Part 6
- 3. Exploited Unauthenticated RCE Vulnerability CVE-2023-6548 in Citrix NetScaler ADC and NetScaler Gateway – NHS England Digital
- 4. How to Install LineageOS on Your Android Device – Black Hills Information Security
- 5. PySkyWiFi: completely free, unbelievably stupid wi-fi on long-haul flights
- 6. Exploiting Enterprise Backup Software For Privilege Escalation: Part Two
- 7. Pwn2Own: WAN-to-LAN Exploit Showcase, Part 1
- 8. Hardware Hacking with a Raspberry Pi – Configuring the PiFex
- 9. Squarespace migration linked to DNS hijacking, claims report
- 10. UEFI Vulnerability Signature Generation using Static and Symbolic Analysis
"This paper introduces a method called STASE (STatic Analysis guided Symbolic Execution) to identify and characterize vulnerabilities in UEFI firmware, which is crucial for computer security. The approach combines scalable static analysis with precise symbolic execution to detect vulnerabilities more effectively. By using rule-based static analysis to find potential targets and then applying symbolic execution for precise detection, STASE overcomes the limitations of each individual technique. The method has been tested on UEFI code, successfully identifying multiple known and new vulnerabilities."
- 11. SSD Advisory – SonicWall SMA100 Stored XSS to RCE – SSD Secure Disclosure
"There are pre-auth stored XSS and post-auth remote command injection vulnerabilities in SonicWall SMA100. These vulnerabilities allow unauthenticated attackers to execute arbitrary commands when an authenticated user is exposed to the stored XSS. The vulnerabilities were silently patched without any CVE assignment. The whole feature named Classic mode, where the stored XSS vulnerability exists, was removed, and new user input filtering code was added against the command injection vulnerability." - Regardless of how it's fixed, this should have been two separate CVE entries. It's really neat how the two vulnerabilities are combined: first the unauthenticated stored XSS places a payload in the UI that steals the session token, then the attacker can log in and exploit the post-authentication command injection. Current scoring systems do not take this into account: the combined severity of two or more different vulnerabilities chained together.
- 12. Supermicro Motherboards Vulnerable to Critical RCE Flaw (CVE-2024-36435)
I'm surprised this has not gotten more coverage: "This potential vulnerability in Supermicro BMC may come from a buffer overflow in the “GetValue” function of the firmware that is caused by a lack of checking the input value. An unauthenticated user can post specially crafted data to the interface, which will trigger a stack buffer overflow and may lead to arbitrary remote code execution on a BMC." Of course, the first thing people will say is "Don't expose your BMC to the Internet". This is rubbish. You still need to patch and you still need to assign a high priority to this one. Why? Because an attacker with a successful RCE on the BMC has super high privileges on the server. They can do things such as lock you out of all of your servers by causing a continuous reboot. I know this because one of Eclypsium's researchers has proven this using different vulnerabilities to access a BMC.
- 13. Netgear Patches Multiple Vulnerabilities in CAX30, XR1000, and R7000 Routers
I believe Netgear is trying to do the right thing here. They have one of the few bug bounties for firmware on the Bugcrowd platform, which is why I believe we are seeing vulnerabilities get patched. However, if you dig into the firmware there is a ton of outdated and vulnerable software, including a 4.x Linux kernel. There exist vulnerabilities that have published exploits. I'm also concerned about the lack of transparency; there are just not enough details to make any decisions about upgrading firmware, e.g.:
- PSV-2023-0122 - "NETGEAR has released fixes for a stored cross site scripting security vulnerability"
- PSV-2023-0119 - "NETGEAR has released fixes for a post-authentication command injection security vulnerability"
- PSV-2023-0116 - "NETGEAR has released fixes for a security misconfiguration security vulnerability" - What does this even mean?
- PSV-2023-0113 - "NETGEAR has released fixes for an authentication bypass security vulnerability" - I am assuming this is pre-auth?
We need better vulnerability reporting standards!
- 14. Mirai DDoS Attack
And all this leads to this: "The Mirai botnet was discovered targeting 22 different known vulnerabilities within D-Link, Zyxel and Netgear devices for the purposes of distributed denial-of-service (DDoS) attacks intended to disrupt or stall targeted networks. Signs of a compromise within a device have been identified as persistent issues with slow connection, device overheating and significant changes within the device’s configuration."
- 15. Hackers Exploiting Vulnerabilities Within 22 Minutes Of PoC Release
Okay, well, there was one vulnerability observed being exploited quickly: "A notable example is the exploitation attempt of CVE-2024-27198 (JetBrains TeamCity authentication bypass) occurring just 22 minutes after the PoC was published." Not all, so read the details and not the sensational headline.
- 16. Uncoordinated Vulnerability Disclosure: The Continuing Issues with CVD
This is the best part of this article: "Vendors want researchers to trust them, but they aren’t taking the necessary steps to earn our trust. What’s sad is that we aren’t asking for a lot. Tell us you’ve received the report. Confirm or deny our findings. Tell us when a patch is coming. Acknowledge us appropriately (and spell our name right). And finally, once the patch is available, tell us where we can find the patch. Strangely, one of the biggest problems we have at the ZDI is just getting vendors to tell us when something is fixed."
- 17. Binary secret scanning helped us prevent (what might have been) the worst supply chain attack you can imagine
This is crazy; had they not caught this, it could have been bad: "The holder of such a token would have had administrator access to all of Python’s, PyPI’s and Python Software Foundation’s repositories, supposedly making it possible to carry out an extremely large scale supply chain attack. Various forms of supply chain attacks were possible in this scenario. One such possible attack would be hiding malicious code in CPython, which is a repository of some of the basic libraries which stand at the core of the Python programming language and are compiled from C code. Due to the popularity of Python, inserting malicious code that would eventually end up in Python’s distributables could mean spreading your backdoor to tens of millions of machines worldwide!"
- 18. Exim vulnerability affecting 1.5M servers lets attackers attach malicious files
"Tracked as CVE-2024-39929 and carrying a severity rating of 9.1 out of 10, the vulnerability makes it trivial for threat actors to bypass protections that normally prevent the sending of attachments that install apps or execute code. Such protections are a first line of defense against malicious emails designed to install malware on end-user devices." - It is the first line of defense, and I would be shocked if malicious attachments weren't caught further downstream or filtered out by an email protection service. I also really love this comment: "If Debian would finally just throw in the towel and replace exim as their default mta this kind of issue wouldn't be important enough to merit being a news story on Ars." - Why not Qmail or Postfix?
- 19. CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth
This is interesting; what do you think about the lessons learned? Straight from the report, they are:
- The assessed organization had insufficient controls to prevent and detect malicious activity.
- The organization did not effectively or efficiently collect, retain, and analyze logs.
- Bureaucratic processes and decentralized teams hindered the organization’s network defenders.
- A “known-bad” detection approach hampered detection of alternate TTPs.
- 20. Technical Analysis: Killer Ultra Malware Targeting EDR Products in Ransomware Attacks
My prediction is that until either Microsoft or EDR vendors can really nail the Windows driver threats, we will continue to see this as a way to get around defenses. Once we get better detections and prevention for malicious/LOL drivers, attackers will continue to drive deeper into things such as the bootloader, Secure Boot bypasses, and UEFI.
- 1. CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth
The US Cybersecurity and Infrastructure Security Agency (CISA) has published a report detailing a cybersecurity assessment of an unnamed US Federal Civilian Executive Branch (FCEB) agency. The SILENTSHIELD red-team assessment was conducted over an eight-month period, starting with a “no-notice, long-term simulation of nation-state cyber operations,” and culminating in three months of collaboration with agency staff and technical personnel to address their cybersecurity posture.
CISA is emulating the behavior of a nation-state attacker, including attempting to exploit trust relationships with third parties. In this case, they not only compromised an unpatched Solaris web server, they also used phishing to obtain Windows credentials, elevated to an unsecured administrator account, obtained domain admin, and pivoted into partner networks, while remaining undetected in the first phase.
- 2. Singapore’s banks to ditch texted one-time passwords
After around two decades of allowing one-time passwords (OTPs) delivered by text message to assist logins to bank accounts in Singapore, the city-state will move from SMS-based OTP to mobile-app-based OTP.
While this does raise the bar, it's best to ensure that your solution is both phishing and authenticator fatigue resistant. Consider that smartphones are also able to support passkeys and other stronger authenticators.
- 3. Info of 2,3+ million individuals stolen in Advance Auto Parts data breach – Help Net Security
Advance Auto Parts has begun notifying 2.3 million people that their personal information was compromised in a breach of the automotive parts company’s Snowflake account. Other companies impacted by breaches of inadequately protected Snowflake accounts include Neiman Marcus, State Farm, and Anheuser-Busch.
It's trivial to stand up a cloud service using reusable passwords, including skipping implementation of the provider's security best practices. Your cloud service approval process should include both (regular) verification of the security profile and adherence to company security standards, such as MFA, logging/monitoring and BC/DR.
- 4. How did the auto dealer outage end? CDK almost certainly paid a $25 million ransom
CDK Global, the car dealership software company that experienced a ransomware attack in June, reportedly paid the ransomware operators roughly US$25 million. While CDK Global has not commented, analysis of blockchain data indicates that on June 21, 387 bitcoin (US$24.5 million at the time) was sent to a known ransomware group. A week later, CDK Global began restoring service.
Indications are CDK paid the ransom within two days of the attack and was able to commence service restoration immediately. Given that the estimated financial impact of the outage is at least $600 million, payment makes financial sense in hindsight.
- 5. Massive AT&T breach linked to cloud IT service provider Snowflake
Late last week, telecommunications company AT&T disclosed that they experienced a data breach affecting call and text records of nearly all of their customers. AT&T has begun notifying approximately 110 million people that their communications data were compromised. The breach appears to be yet another that was conducted through inadequately protected Snowflake accounts.
Note that the data compromised was from May 1 to October 31, 2022, as well as January 2, 2023. While the breach doesn't seem to include decrypted message bodies, it does include not only the metadata about the messages/calls but also, often, the cell tower location data. While the dataset doesn't include subscriber names, it's not difficult to map those using OSINT, allowing mapping of not only who is talking to whom, but from where, which makes the data set attractive.
- 6. AT&T reportedly paid ransom for deletion of stolen call logs after culprit allegedly detained
A member of a hacking group told Wired journalists that in May, AT&T paid them 5.7 bitcoins (roughly US$380,000 at the time) to delete the stolen data and provide a video demonstrating proof of their deletion. The ransomware operators initially demanded US$1 million, but agreed to reduce the demand by two-thirds.
While it's tempting to hire someone to help clean up such a mess, it's important to remember that transactions can be tracked through the blockchain, so assume the arrangement will not remain confidential. You may want to be completely transparent about all such actions (paid removal, paid ransom) rather than doing awkward damage control post-discovery.
- 7. CVE-2024-6387: RCE in OpenSSH’s server, on glibc-based Linux systems
Openwall founder and CTO Alexander Peslyak has detected a race condition in the core sshd daemon in RHEL 9.x and related releases. The flaw (CVE-2024-6409) was discovered during analysis of the RegreSSHion OpenSSH vulnerability (CVE-2024-6387), disclosed several weeks ago; the disclosure was delayed until vendors had time to prepare fixes.
This particular flaw is specific to the Red Hat change to OpenSSH, which affects Fedora 36 & 37 (both are EOL) and RHEL 9.x and its offshoots (or RHELatives) like AlmaLinux.
- 8. NHS England » Update on cyber incident: clinical impact in South East London – Thursday 11 July
In the six weeks since the Synnovis breach, two of the UK National Health Service’s trusts have cancelled, postponed, or referred to other facilities nearly 8,000 medical appointments and procedures, including organ transplants and cancer treatments. The June 3 breach has had significant impacts on London's King's College Hospital NHS Foundation Trust and Guy’s and St Thomas' NHS Foundation Trust.
In addition to cancelled or rescheduled services, NHS is still calling for type O donations, which are universal, to bridge the gap in blood type matching operations. Time to reflect on how long your planned mitigations in such an outage are viable.
- 9. Threat Spotlight: Attackers abuse URL protection services to mask phishing links
Researchers at Barracuda have detected phishing campaigns that leverage URL protection services to obfuscate malicious links. Since the middle of May, the researchers have seen the campaigns target hundreds of companies. The researchers surmise that the attackers have obtained access to the URL protection services by compromising legitimate accounts.
Many enterprises use URL security services that wrap the URLs in email so that clicks are routed through the service, which restricts access to known malicious sites. The attackers are turning these services against their users, either by compromising accounts on the URL protection service or by using their own protected (wrapped) version of the phishing link, so that the link passes inspection and the protection is bypassed.
- 10. July 10, 2024 Advisory: Vulnerability in Exim MTA Could Allow Malicious Email Attachments Past Filters [CVE-2024-39929]
A critical vulnerability in the Exim mail transfer agent could be exploited to bypass filename extension blocking protections and deliver malicious attachments to inboxes. The issue is due to a bug in RFC 2231 header parsing. The vulnerability is fixed in Exim version 4.98. CVE-2024-39929, misparsing RFC 2231 headers, CVSS score 5.4, has no workaround, and applies if you are using a block list that relies on $mime_filename: a multiline (RFC 2231 continued) filename isn't parsed properly and the last part is omitted, so the extension check sees a truncated name.
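As an added illustration (not from the advisory and not Exim's own code), the Python below reassembles an RFC 2231 continued filename parameter so that an extension block list sees the whole name; the drop_last_section switch emulates the described defect, and the block list and headers used with it are constructed samples.

```python
import re
from urllib.parse import unquote

BLOCKED_EXTENSIONS = {".exe", ".bat", ".scr", ".js"}  # constructed block list
# One parameter: name=value, value either quoted or a bare token up to ';'.
_PARAM_RE = re.compile(r'\s*([^=;\s]+)\s*=\s*("((?:[^"\\]|\\.)*)"|[^;]*)\s*(?:;|$)')

def parse_params(header_value):
    """Return {name: value} for the parameters after the disposition type."""
    params = {}
    parts = header_value.split(";", 1)
    if len(parts) < 2:
        return params
    for m in _PARAM_RE.finditer(parts[1]):
        value = m.group(3) if m.group(3) is not None else m.group(2).strip()
        params[m.group(1).lower()] = value
    return params

def decode_section(value):
    """Decode an RFC 2231 encoded section: optional charset'lang' prefix, %XX bytes."""
    if value.count("'") >= 2:
        value = value.split("'", 2)[2]
    return unquote(value)

def assemble_filename(params, drop_last_section=False):
    """Reassemble 'filename' from RFC 2231 sections (filename*0, filename*1, ...;
    a trailing '*' marks an encoded section). drop_last_section=True emulates
    the defect the advisory describes (assumption: last section is omitted)."""
    if "filename" in params:
        return params["filename"]
    if "filename*" in params:
        return decode_section(params["filename*"])
    sections = []
    for name, value in params.items():
        m = re.fullmatch(r"filename\*(\d+)(\*?)", name)
        if m:
            sections.append((int(m.group(1)), bool(m.group(2)), value))
    if not sections:
        return None
    sections.sort()
    if drop_last_section:
        sections = sections[:-1]
    return "".join(decode_section(v) if enc else v for _, enc, v in sections)

def is_blocked(filename):
    """Extension block-list check, like an Exim filter testing $mime_filename."""
    if not filename or "." not in filename:
        return False
    return filename[filename.rfind("."):].lower() in BLOCKED_EXTENSIONS
```

With the defect emulated, a name split as "invoice" / ".ex" / "e" is seen as "invoice.ex" and slips past the list; the full reassembly yields "invoice.exe" and is blocked.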