TIPC Kernel Vulns, SBDCs, Truckloads of GPUs, & Hardcoded SSH Keys – PSW #718
This week in the Security News: NPM hijacked again, hardcoding your keys, PAN-ODay, more Nmap in your Python or Python in your Nmap, put your Docker API to rest, BusyBox will own your box, Microsoft says it's a feature not a vulnerability, SBDCs, TIPC Linux kernel vulnerability, patches that don't fix everything, truckloads of GPUs and testing if you're high!
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Hosts
Paul Asadoorian
Principal Security Researcher at Eclypsium
- 1. How THC “breathalyzers” work, and why some experts say they’re flawed: "This new test, called EPOCH (Express Probe for On-site Cannabis Inhalation) instead works by collecting and concentrating your saliva to evaluate it for current levels of THC. It evaluates whether or not THC levels are above one nanogram of THC per milliliter of saliva within a twelve-hour consumption window." Also, there's an app for that: "By reacting to different game-like stimuli from DRUID, the app determines if a user has impaired response time, coordination, or balance — signs of impairment that could be deadly when driving or operating heavy machinery."
- 2. Debunking Five Myths About Zero-Trust
- 3. Pythonizing Nmap: Interesting usage of subprocess with shlex to run Nmap from within a Python script. Awesome write-up and examples, a must read.
- 4. Types of Penetration Testing: Network, web app, red team and social engineering are the types. Really? The rabbit hole goes deeper.
- 5. Massive Zero-Day Hole Found in Palo Alto Security Appliances: "The vulnerability chain consists of a method for bypassing validations made by an external web server (HTTP smuggling) and a stack-based buffer overflow. It affects Palo Alto firewalls running the 8.1 series of PAN-OS with GlobalProtect enabled (specifically versions < 8.1.17). Exploitation of the vulnerability chain has been proven and allows for remote code execution on both physical and virtual firewall products. Publicly available exploit code does not exist at this time. Patches are available from the vendor."
- 6. Hacking the Sony Playstation 5 – Schneier on Security
- 7. Shadow IT Makes People More Vulnerable to Phishing: Neat phishing trick!
- 8. Hackers Target Docker Servers That Are Not Well Configured: "In the beginning, by means of an accessible Docker REST API a container will be created on the susceptible host;" - Really, just don't do this. NEVER expose the Docker REST API to the Internet, unless you want to run a honeypot.
- 9. Unboxing BusyBox – 14 new vulnerabilities uncovered by Claroty and JFrog: "All vulnerabilities were privately disclosed and fixed by BusyBox in version 1.34.0, which was released Aug. 19." - It will be a long time, and for some never, before these fixes are pushed to firmware projects and products. However, these do not appear to be very impactful: "The DoS vulnerabilities are trivial to exploit, but the impact is usually mitigated by the fact that applets almost always run as a separate forked process. The information leak vulnerability is nontrivial to exploit (see, next section). The use-after-free vulnerabilities may be exploitable for remote code execution, but currently we did not attempt to create a weaponized exploit for them. In addition, it is quite rare (and inherently unsafe) to process an awk pattern from external input."
- 10. Cisco Talos finds 10 vulnerabilities in Azure Sphere’s Linux kernel, Security Monitor and Pluton: hrmmm: "We thank Cisco Talos for sharing their continued research into Azure Sphere, which first started during the Azure Sphere Security Research Challenge in 2020. After reviewing the findings on TALOS-2021-1341 and TALOS-2021-1344, Microsoft believes the approach described is implemented by design and does not present a security risk to customer production environments."
- 11. Organizations believe they are ready for ransomware attacks – Help Net Security
- 12. US House Passes Acts to Help SMBs with Cybersecurity: Interesting: "The Small Business Development Center Cyber Training Act would establish a cyber counseling certification program at Small Business Development Centers (SBDCs) so that they can better assist small businesses with their cybersecurity and cyber-strategy needs."
- 13. US bans trade with security firm NSO Group over Pegasus spyware (updated): "The US Commerce Department has added NSO to its Entity List, effectively banning trade with the firm. The move bars American companies from doing business with NSO unless they receive explicit permission. That's unlikely, too, when the rule doesn't allow license exceptions for exports and the US will default to rejecting reviews. NSO and fellow Israeli company Candiru (also on the Entity List) face accusations of enabling hostile spying by authoritarian governments. They've allegedly supplied spyware like NSO's Pegasus to "authoritarian governments" that used the tools to track activists, journalists and other critics in a bid to crush political dissent. This is part of the Biden-Harris administration's push to make human rights "the center" of American foreign policy, the Commerce Department said."
- 14. Critical RCE Vulnerability Reported in Linux Kernel’s TIPC Module: "While TIPC itself isn't loaded automatically by the system but by end users, the ability to configure it from an unprivileged local perspective and the possibility of remote exploitation makes this a dangerous vulnerability for those that use it in their networks."
- 15. Two NPM Packages With 22 Million Weekly Downloads Found Backdoored: "The two libraries in question are "coa," a parser for command-line options, and "rc," a configuration loader, both of which were tampered by an unidentified threat actor to include "identical" password-stealing malware."
- 16. Yes, a literal truck heist over GPUs did just happen: "The post takes care to warn people about purchasing any of these cards that surface, as EVGA has listings of the serial numbers involved. So trying to register the warranty for any of these cards won’t work and may get you a visit from authorities. If you can register a card warranty, that’s a clear sign that your GPU is clean. It’s a better idea than ever to check the serial number before buying off Craigslist at the moment." - heh, criminals won't care if it's stolen, nor would they ever register for the warranty.
- 17. Hardcoded SSH Key in Cisco Policy Suite Lets Remote Hackers Gain Root Access: There is a vulnerability in SSH, but also: "Cisco Policy Suite Releases 21.2.0 and later will also automatically create new SSH keys during installation, while requiring a manual process to change the default SSH keys for devices being upgraded from 21.1.0." An important step, changing your keys, which should be automated in the first place. Also, if this allows access to the traffic (or not) it's a great place to hide: "Also addressed by Cisco are multiple critical vulnerabilities affecting web-based management interface of the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT) that could enable an unauthenticated, remote attacker to log in using an inadvertent debugging account existing in the device and take over control, perform a command injection, and modify the configuration of the device."
- 18. How to exploit CVE-2021-40539 on ManageEngine ADSelfService Plus: Patches didn't fix everything: "None of the public analysis of this vulnerability mentions a Java class upload. The CISA report also mentions that "Subsequent requests are then made to different API endpoints to further exploit the victim's system." which is not the case here. Chances are in-the-wild attackers made use of another exploitation path. Anyway, the patch applied by ManageEngine only fixes the path traversal issue. While actually preventing our exploitation, this leaves opened the file upload and parameter injection issues for future use."
Larry Pesce
Product Security Research and Analysis Director at Finite State
- 1. GHSA-g2q5-5433-rhrf – GitHub Advisory Database
- 2. Popular NPM package UA-Parser-JS poisoned with cryptomining, password-stealing malware
- 3. Popular ‘coa’ NPM library hijacked to steal user passwords
- 4. Full Disclosure: The Knights of NYNEX presents: Song of the siren
- 5. 4 Tips on How Small to Midsize Businesses Can Combat Cyberattacks
- 6. Hardcoded SSH Key in Cisco Policy Suite Lets Remote Hackers Gain Root Access
Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element