PSW #772 – Hal Pomeranz
Full Audio
View Show IndexSegments
1. Linux and FOSS Supply Chain Issues – Hal Pomeranz – PSW #772
Linux systems are a collection of free and Open Source software-- some packaged by your distro, some built from source. How do you verify that your upstream isn't polluted by bad actors?
Segment Resources: https://github.com/evilsocket/opensnitch https://securityonionsolutions.com/software/ https://deer-run.com/users/hal/ https://archive.org/details/HalLinuxForensics
Announcements
Security Weekly listeners save $100 on their RSA Conference 2023 Full Conference Pass! RSA Conference will take place April 24-27 in San Francisco and on demand. To register using our discount code, please visit https://securityweekly.com/rsac2023 and use the code 53UCYBER! We hope to see you there!
Guest
A dynamic and experienced technology authority, Hal Pomeranz is the Founder and Technical Lead of Deer Run Associates, a consulting company focusing on Computer Forensic Investigations and Information Security. He has spent more than twenty years providing pragmatic Information Technology and Security solutions for some of the world’s largest commercial, government, and academic institutions. An expert in the investigation of Linux/Unix systems, Hal has provided Computer Forensic investigative support for several high-profile cases to both law enforcement and commercial clients.
Hosts
2. The RIGHT Software, Docker vs. Root, CORS, Vuln Risk Scoring, & Cisco Attacks – PSW #772
In the Security News: VMware and Ransomware makes you want to run some where, double-free your OpenSSH, download the RIGHT software, you have Docker, I have root, we don't talk about CORS, to vulnerability or not to vulnerability, vulnerability risk scoring, a matter of perspective, very persistent Cisco attacks, running UPNP without all the protections, overflowing a buffer in your bootloader over HTTP, C can be memory safe (but developers will still screw it up), and lasers, microwaves, satellites and the Sun! All that, and more, on this episode of Paul’s Security Weekly!
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Hosts
- 1. OpenSSH Releases Patch for New Pre-Auth Double Free Vulnerability
"While the double-free vulnerability in OpenSSH version 9.1 may raise concerns, it is essential to note that exploiting this issue is no simple task," Abbasi explained. "This is due to the protective measures put in place by modern memory allocators and the robust privilege separation and sandboxing implemented in the impacted sshd process." - While true, how many embedded systems, IoT devices, appliances, OT systems do not have this protection?
- 2. Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 1
Named pipes are strange. Also, I thought this was going to be a Docker privilege escelation, which, as it turns out, is really easy and works on several implementations (including my own systems). Check out: * https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md * https://hub.docker.com/r/chrisfosterelli/rootplease/
- 3. Secrets Patterns Database
Neat collection of patterns that you could easily integrate with existing tools or scripts to search for API keys and the like, either as a red team or as developers.
- 4. Dota 2 Under Attack: How a V8 Bug Was Exploited in the Game – Avast Threat Labs
Exploiting a game's V8 JavaScript engine: "One such issue affected the massively popular Dota 2 video game. Dota used an outdated build of v8.dll that was compiled in December 2018. It’s no surprise that this build was vulnerable to a range of CVEs, many of them even being known exploited vulnerabilities with public proof-of-concept (PoC) exploits."
- 5. Fearless CORS: a design philosophy for CORS middleware libraries (and a Go implementation) :: jub0bs.com
A LOT of information about CORS, very interesting: "Cross-Origin Resource Sharing (CORS) is a mechanism that lets servers instruct browsers to relax, for select clients, some restrictions (in terms of both sending and reading) enforced by the Same-Origin Policy (SOP) on cross-origin network access." - Seems developers hate it. This typically is bad news for security.
- 6. ImageMagick: The hidden vulnerability behind your online images
"In a recent APT Simulation engagement, the Ocelot team identified that ImageMagick was used to process images in a Drupal-based website, and hence, the team decided to try to find new vulnerabilities in this component, proceeding to download the latest version of ImageMagick, 7.1.0-49 at that time. As a result, two zero days were identified" - Not a high risk (DoS and arbitrary file read that is permission dependent), but an interesting read.
- 7. KeePass disputes vulnerability allowing stealthy password theft
Is this a vulnerabilty or not? "The new vulnerability is now tracked as CVE-2023-24055, and it enables threat actors with write access to a target's system to alter the KeePass XML configuration file and inject a malicious trigger that would export the database, including all usernames and passwords in cleartext. The next time the target launches KeePass and enters the master password to open and decrypt the database, the export rule will be triggered, and the contents of the database will be saved to a file the attackers can later exfiltrate to a system under their control."
- 8. Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide
- 9. When Pwning Cisco Persistence Is Key When Pwning Supply Chain Cisco Is Key
Run hidden and persistent processes on Cisco devices: "Cisco heavily prioritizes security in a way that attempts to prevent an attack from remaining a problem through reboots and system resets. Still, in this case, the command injection bypasses mitigations Cisco has in place to ensure vulnerabilities do not persist in a system. CVE-2023-20076 gains unrestricted access, allowing malicious code to lurk in the system and persist across reboots and firmware upgrades. Side-stepping this security measure means that if an attacker exploits this vulnerability, the malicious package will keep running until the device is factory reset or until it is manually deleted. At this point, countless damages could have occurred."
- 10. NETGEAR Nighthawk upnpd Pre-authentication Buffer Overflow
"A global memory corruption vulnerability exists in the upnpd server. A specially-crafted SUBSCRIBE request can lead to a stack buffer overflow. An attacker can send a malicious request to trigger this vulnerability and modify the execution flow to an arbitrary address somewhere in the memory of the upnpd process. This vulnerability can be exploited from the WAN or LAN." - Weird though, they have ASLR support, but not for this particular case: "The upnpd binary is not ASLR compiled and the executable addresses are in the range 0x2a000000 and 0x2a055000. All other mapped modules run with ASLR." Also, I mean, why do we not do this: "Also, it is necessary to replace sprintf() with safer functions -- such as snprintf() -- to control the size of the processed data in order to avoid memory safety problems. Use appropriate compiler options (like -Wformat-overflow=2, -Wformat-security, -Wfortify-source, -Wformat=2, ...) to detect these issues preemptively." - Does it break stuff? Laziness? Ignorance? Whyyyyy?
- 11. Vulnerability Provided Access to Toyota Supplier Management Network
- 12. OpenSSL Ships Patch for High-Severity Flaws
- 13. Over 83,000 ESXi servers are internet-exposed as mass attack continues
- 14. StarkeBlog – U-Boot HTTP Client
"As it currently is implemented, there is a buffer overflow in the HTTP Client implementation. I was able to take control of the Instruction Pointer ($PC) using a relatively simple proof of concept rogue web server" - So keep in mind this is a feature that allows the bootloader code (U-Boot) to download any file via HTTP, and it has a buffer overflow...
- 15. Unserializable, but unreachable: Remote code execution on vBulletin
- 16. HPE, NetApp warn of critical open-source bug
- 17. lexmark printer haxx
Make sure you read the write-up, its awesome: https://github.com/blasty/lexmark/blob/main/writeup/writeup.md (And shows how multiple vulnerabilities are chained to gain remote code execution as root).
- 18. C can be memory-safe
I really like this idea, though I believe refactoring to be a tad more difficult than Rob describes: "As the above function shows, the OpenSSL code is already somewhat memory safe, just based upon the flawed principle of relying upon diligent programmers. We need the compiler to enforce it. With such features, the gap is relative small, mostly just changing function parameter lists and data structures to link a pointer with its memory-bounds. The refactoring effort would be small, rather than a major rewrite. This would be a soft-fork. The memory-bounds would work only when compiled with new compilers. The macro would be ignored on older systems. " - Lets just say there are a lot of variables that determine the difficulty (e.g. complexity of the code, platform, developer skill, etc...)
- 19. Ronin 2.0.0 finally released!
"Ronin is a free and Open Source Ruby toolkit for security research and development. Ronin contains many different CLI commands and Ruby libraries for a variety of security tasks, such as encoding/decoding data, filter IPs/hosts/URLs, querying ASNs, querying DNS, HTTP, scanning for web vulnerabilities, spidering websites, install 3rd party repositories of exploits and/or payloads, run exploits, write new exploits, managing local databases, fuzzing data, and much more."
- 20. Discrepancies Discovered in Vulnerability Severity Ratings
"An analysis by VulnCheck of 120,000 CVEs with CVSS v3 scores associated with them shows almost 25,000 — or some 20% — had two severity scores. One score was from NIST, which maintains the NVD, and the other from the vendor of the product with the bug. In many cases, these two scores differed, making it hard for security teams to know which to trust." Turns out vendors either assign a lower score or don't even classify it as a vulnerability: "Microsoft assigned the vulnerability a "high" severity rating of 7.5 on the 10-point CVSS scale. NIST gave it a score of 9.1" and "typically NIST — assigned 12,969 of the 120,000 CVEs in the database as an XSS vulnerability, while secondary sources listed a much smaller 2,091 as XSS. VulnCheck found that secondary sources were much less likely to indicate that an XSS flaw requires user interaction to exploit. CSRF flaw scores showed similar differences."
- 1. Massive Ransomware Campaign Targets VMware ESXi Servers
Both France’s and Italy’s Computer Emergency Response Teams (CERTs) have issued alerts warning “of attack campaigns targeting VMware ESXi hypervisors with the aim of deploying ransomware on them.” The vulnerability (CVE-2021-21974) affects ESXi 7.0, 6.7 and 6.5. Support for ESXi 6.7 and 6.5 ended in October 2022. The flaw was disclosed, and a fix was released in February 2021.
If you're not using it, disable SLP service, also if you're still on 6.x look to ESXi 8.0a.
- 2. CISA Releases ESXiArgs Ransomware Recovery Script
CISA has released a recovery script for organizations that have fallen victim to ESXiArgs ransomware. The ESXiArgs ransomware encrypts configuration files on vulnerable ESXi servers, potentially rendering virtual machines (VMs) unusable.
- 3. HeadCrab: A Novel State-of-the-Art Redis Malware in a Global Campaign
In a blog post, researchers from Aqua Nautilus detail their findings about malware called HeadCrab that has infected more than 1,200 Redis database servers in the past year-and-a-half. The threat actor has been using their access to the servers to mine virtual currency.
his malware takes advantage of trust relationships, such as SLAVEOF, between Redis servers to load and transfer modules which add C&C commands to the targeted server. Make sure you've secured your Redis installations; don't expose them directly to the Internet, enable protected mode for cloud installations, bind the instance to a specific address to limit communication to trusted hosts and disable the slaveof feature if not actively used.
- 4. OpenSSH Releases Version 9.2/9.2p1 to Fix Security Issues
OpenSSH maintainers have released an updated version to fix three security issues. OpenSSH 9.2/9.2p1 includes a fix for a pre-authentication double-free memory vulnerability that was introduced in OpenSSH 9.1.
- 5. A surge of malvertising across Google Ads is distributing dangerous malware – Spamhaus Technology
Spamhaus researchers say they have seen a significant surge in malvertising affecting Google Ads. The spike involved ads impersonating well-known brands, including Adobe, Microsoft Teams, Thunderbird, Slack, and Tor.
While Google is raising the bar on advertisers, threat actors are still finding ways to slip through. Detection is tricky, and your best defense is going to be a combination of ad blockers and encouraging users to only download software from known, verified sources.
hile Google is raising the bar on advertisers, threat actors are still finding ways to slip through. Detection is tricky, and your best defense is going to be a combination of ad blockers and encouraging users to only download software from known, verified sources.
- 6. Finland’s Most-Wanted Hacker Nabbed in France – Krebs on Security
Julius “Zeekill” Kivimäki, a 25-year-old Finnish man charged with extorting a local online psychotherapy practice and leaking therapy notes for more than 22,000 cyber crimes was arrested this week in France.
This guy has been at it since he was a teenager, and was convicted of over 50,000 cybercrimes, yet as he was a minor, given a 2-year suspended sentence with a fine of 6,558 Euros. As he is now an adult, and the prior conviction didn't seem to quelch his desire to commit malfeasance,
- 7. Atlassian Advisory Warns of Critical Flaw in Jira Service Management Server and Data Center
Atlassian has released a security advisory warning of a critical authentication bypass issue in Jira Service Management. The vulnerability affects Jira Management Server and Jira Service Manager Data Center versions 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1, and 5.5.0. Users are urged to update to versions 5.3.3, 5.4.2, 5.5.1, or 5.6.0 or later. The vulnerability does not affect Atlassian Cloud sites.
You can update to the fixed version or manually replace the "servciedesk-variable-substitution-plugin" JAR file as a workaround. Since you have to stop and start Jira to deploy the JAR file, you may as well schedule the update.
- 8. Linux Variant of Clop Ransomware Spotted, But Uses Faulty Encryption Algorithm
The first-ever Linux variant of the Clop ransomware has been detected in the wild, but with a faulty encryption algorithm that has made it possible to reverse the encryption. This is not a direct port of the windows version which means it's likely to evolve and change rapidly.
- 9. 20 Million Users Impacted by Data Breach at Instant Checkmate, TruthFinder
Cybercrime Instant Checkmate and TruthFinder have disclosed data breaches affecting a total of more than 20 million users.
- 1. Bloatware pushes the Galaxy S23 Android OS to an incredible 60GB
Samsung sells space in its devices to the highest bidder via pre-installed crapware from Facebook, Netflix, Microsoft Office, Spotify, Linkedin, and more. The Pixel 7's system partition is 15 GB, but Samsung's is 60 GB. And they even removed the rapid update feature to free up space to sell, so updates can cause 30 minutes of downtime.
- 2. Rust Compiler v Greek Question Mark
A Greek question mark looks like a semicolon. Inserting it in JavaScript code will cause a mysterious error, difficult to debug. However, the Rust compiler efficiently finds the problem and provides a useful error message. This is one of the many reasons developers love Rust.
- 3. Sansec analysis: 12% of online stores leak private backups
One in nine online stores accidentally expose private backups. It is a common practice to make ad-hoc backups during store platform maintenance. The problem, however, is that these backups often end up in a public folder. We have observed automated attacks against online stores, where thousands of possible backup names are tried over the course of multiple weeks.
- 4. A Bold Plan to Beam Solar Energy Down From Space
The European Space Agency is exploring a unique way to dramatically cut carbon emissions by tapping sunlight closer to the source. Various systems of satellites are proposed, each with systems to beam the concentrated power down to the ground using lasers of microwaves. If this concept comes to fruition, by sometime in the 2030s Solaris could begin providing always-on space-based solar power. Eventually, it could make up 10 to 15 percent of Europe’s energy use, playing a role in the European Union’s goal of achieving net-zero carbon emissions by 2050.
- 5. Eurocops shut down Exclu encrypted messaging app, arrest dozens
An encrypted messaging service that has been on law enforcement's radar since a 2019 raid on an old NATO bunker has been shut down after a sweeping series of raids across Europe last week. The Dutch police spent five months monitoring its communications, so they could identify and trace the developers, administrators and owners of the service, many of whom were arrested in the raids. Police also seized two drug labs, several kilos of narcotics, more than €4 million in cash, "various luxury goods and several firearms."
- 6. HOW DUOLINGO’S AI LEARNS WHAT YOU NEED TO LEARN
Duolingo teaches language skills using a gamelike approach and a cast of bright cartoon characters. But behind the scenes, sophisticated artificial-intelligence (AI) systems are at work. One system in particular, called Birdbrain, is continuously improving the learner’s experience with algorithms based on decades of research in educational psychology, combined with recent advances in machine learning. Birdbrain tracks the learner's skill and the difficulty of the problems to keep the learner engaged and happy, but also challenged and progressing.
- 7. There isn’t enough copper in the world — and the shortage could last till 2030
A copper deficit is set to inundate global markets throughout 2023, fueled by increasingly challenged South American supply streams and higher demand pressures. The reopening of China and growth in the automotive and energy transition industry have stoked demand for copper. This could fuel global inflation and compel central banks to maintain their hawkish stances for longer.
- 8. Catalytic converter thieves have decimated SF city vehicles
In the last several fiscal years, some 217 city vehicles have had their catalytic converter stolen. This represents some 7.3 percent of the city’s fleet, and came at a cost of nearly $600,000. 1 in every 14 city vehicles is a Prius. But they made up over a third of catalytic converter thefts Thieves also gravitate toward big Ford trucks, like the F-150s, 250s and 350s cruising around city streets. These are easy to get underneath and, on some models, have two catalytic converters.
- 9. Researchers can now pull hydrogen directly from seawater, no filtering required
Hydrogen fuel is a clean energy source that only produces water when burned. Researchers at the University of Adelaide have split natural seawater into oxygen and hydrogen with nearly 100 per cent efficiency, to produce green hydrogen by electrolysis, using a non-precious and cheap catalyst in a commercial electrolyser. The team says its results, using cobalt oxide with chromium oxide on its surface as the catalyst, had similar performance to a standard process of applying platinum and iridium catalysts to highly purified and deionized water.
- 10. NIST Standardizes Ascon Cryptographic Algorithm for IoT and Other Lightweight Devices
"The chosen algorithms are designed to protect information created and transmitted by the Internet of Things (IoT), including its myriad tiny sensors and actuators," NIST said. "They are also designed for other miniature technologies such as implanted medical devices, stress detectors inside roads and bridges, and keyless entry fobs for vehicles." The suite comprises authenticated ciphers ASCON-128, ASCON-128a, and a variant called ASCON-80pq that comes with resistance against quantum key-search. It also offers a set of hash functions ASCON-HASH, ASCON-HASHA, ASCON-XOF, and ASCON-XOFA.