Downgrades and Attacking Security Things & Things Not to Miss at BH/DC – Trent Lo – PSW #838
Full Audio
View Show IndexSegments
1. Downgrades and Attacking Security Things – PSW #838
This week, Downgrade attacks, bootloader fun, check your firmware before you wreck your firmware, you've got mail server issues, Ivanti is the new Rhianna, you should update your BIOS, Openwrt dominates, and attacking the security tools for fun and profit!
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Hosts
- 1. Announcing the Vulnerability Management program pack 1.0
- 2. Data Centers Alert: AMD Addresses SEV-SNP Vulnerabilities in EPYC Processors
- 3. Firmware Vulnerabilities Run Rampant in Cellular Routers – Forescout
- 4. Attention: Microsoft’s UEFI certificate expires on Oct. 19, 2026 – Secure Boot affected
- 5. Extending Red Hat Unified Kernel Images More Securely By Using Addons
- 6. Vulnerability in LZMA implementation
- 7. Linux kernel impacted by new SLUBStick cross-cache attack
- 8. grsecurity – CVE-2021-4440: A Linux CNA Case Study
- 9. Uncovering Hardcoded Root Password in VStarcam CB73 Security Camera
- 10. Bypassing Rockwell Automation Logix Controllers’ Local Chassis Security Protection
- 11. DSA-2024-030: Security Update for Dell Client BIOS for an Improper Input Validation Vulnerability
- 12. WifiForge – WiFi Exploitation for the Classroom – Black Hills Information Security
- 13. Windows Update Flaws Allow Undetectable Downgrade Attacks
"The Israeli researcher said he found a way to manipulate an action list XML file to push a ‘Windows Downdate’ tool that bypasses all verification steps, including integrity verification and Trusted Installer enforcement. In an interview with SecurityWeek ahead of the presentation, Leviev said the tool is capable of downgrading essential OS components that cause the operating system to falsely report that it is fully updated." - So it appears you can fool a Windows system into believing, and reporting, that it is fully patched, when, in fact, critical patches have been removed leaving it vulnerable to known vulnerabilities. I can't wait to see and hear more details.
- 14. Students scramble after security breach wipes 13,000 devices
"According to news reports, the mass wiping came as a shock to multiple students in Singapore, where the Mobile Guardian app has been the country’s official mobile device management provider for public schools since 2020. Singapore’s Ministry of Education said Monday that roughly 13,000 students from 26 secondary schools had their devices wiped remotely in the incident." - Yet another security tool being used to cause a disruption. What do we do when our security tools are used against us? Is this a new trend? I mean, from an attacker's point of view, why not?
- 15. 7 Ways to Check Firmware Version in Linux Command Line
I created cheat sheets for Windows, Linux, and Android on how to validate the supply chain of your firmware(s), with many more commands and tools:
- 16. Bootloaders explained
- "A bootloader is typically the first piece of software that runs on a device when it is powered on." - If you are labeling all of the software/firmware that runs before the bootloader as "firmware", then technically this would be correct. There are several pieces of software/firmware that run before the bootloader.
- "Attackers may target bootloaders to alter the operating system files and gain privileged access, which allows for complete control over the operating system, allowing for modification of system files, disabling security features, and more. Because the bootloader is responsible for loading the kernel and setting up the system environment, it is a juicy target for attackers. By compromising the bootloader an attacker can bypass several security checks designed to protect the integrity of the OS." - This is a great reminder that we focus heavily on OS security, but tend to forget to monitor the bootloader, which can be used to bypass OS protections. Typically on PCs and servers the bootloader is stored in the EFI partition, making it accessible, but also easier to restore than platform firmware.
- The article seems to reference bootloaders on devices such as smartphones and similar devices, where they play a larger role in the enforcement of a root of trust and validating software components during boot. Android hackers are familiar with this as you have to unlock your bootloader (meaning disabling the secure boot process) to install a custom operating system.
- 17. Certified evil: Investigating signed malicious binaries – Red Canary
"Ultimately, certificate or signature metadata is an important piece of the puzzle to consider when analyzing a potential threat. Sometimes the information contained within a certificate is sufficient to verify whether a binary is benign or legitimate." - I really love this strategy and believe it's something not many organizations have a handle on. We tend to update and patch software, including updates to certificates and roots of trust when available, but do a poor job of looking at, and validating, the signatures and certificates that bless the software and firmware on our systems. We should get better at this because attackers are abusing the trust we are trying to create.
- 18. CERT/CC Vulnerability Note VU#244112
This is interesting, and somewhat similar to the Sitting Ducks DNS attacks: "Hosting providers who have published SPF records, and, in some cases, also add DKIM signatures, do not sufficiently verify the trust relationship of authenticated user against the allowed domains. This allows an authenticated attacker to spoof an identity in the email Message Header to send emails as anyone in the hosted domains of the hosting provider, while authenticated as a user of a different domain name."
- 19. Ivanti is the Rihanna of CVEs, Qualys’ exploit chart shows
"Ivanti is the gift that keeps on giving to cyber-attackers, taking three of the top ten spots in Qualys’ list of most exploited vulnerabilities." - So, like Rhianna, these vulnerabilities are still popular even though they have been released for some time. Musical tastes aside, I am struggling to understand the difference between weaponized and exploited in the wild based on this snippet:
- "in the first half of the year, the “annual count of reported Common Vulnerabilities and Exposures (CVEs) rose by about 30%, from 17,114 in 2023 to 22,254 in 2024.” Of these, just 0.91% were “weaponised”. Of the 204 weaponised CVEs, only a quarter (54) made it onto CISA’s KEV list, while just six were exploited by ransomware."
- 20. You should update your BIOS, but maybe not as often as you think
The short answer is yes, you should update your BIOS (UEFI in an overwhelming majority of cases). Updating your BIOS often provides crucial security updates, including (but not in all cases) updates to Secure Boot revocation lists and/or certificate updates (to address things such as PK fail), CPU microcode updates (Spectre/Meltdown), and general UEFI security updates. As with any software or firmware, there are risks to applying updates. The risk of your computer not booting is higher for UEFI updates than for many other types of software/firmware updates. Depending on your platform, there are ways to recover as some servers have multiple SPI flash chips and create backups. Many of the computer builds I've done also have a hardware reset which reverts all BIOS settings back to the default (which I've had to do more than once). BIOS updates can also fix bugs, for example, I recently updated the BIOS on my workstation and it fixed some USB bus errors that were driving me nuts when it came to audio devices. While I was quick to blame Linux (and who wouldn't when it comes to Linux and audio), it turns out the problem lay in the BIOS. So, my advice, apply BIOS updates, and don't blame me if your computer gets bricked :).
- 21. Hijacked: How Cybercriminals Are Turning Anti-Virus Software Against You
Can we call this a trend now? - "The discovery of SbaProxy underscores a troubling trend in the cyber threat landscape: sophisticated adversaries' weaponization of trusted security tools. By hijacking legitimate anti-virus software, these threat actors have found a way to operate under the radar, making traditional detection methods less effective. The use of valid certificates and the careful crafting of malicious binaries that closely resemble their legitimate counterparts highlight the growing complexity of these threats."
- 22. Chipsec: Platform Security Assessment Framework – New version 1.13.4
Most notably: "Add Meteor Lake SPI Support" - If you have a newer PC you can now get an SPI flash dump. Cool!
- 23. OpenWrt dominates, but vulnerabilities persist in OT/IoT router firmware
Hey, I know that guy! - "The report reveals a troubling trend of outdated software components in OT/IoT routers, with many devices running modified versions of OpenWrt that include known vulnerabilities,” said Larry Pesce, Director of Product Research and Development at Finite State. “These findings highlight the critical importance of addressing software supply chain risks, as our analysis identified an average of 161 known vulnerabilities per firmware image, including 24 with critical scores." - Also, even though vendors are using OpenWrt which has regular updates and addresses vulnerabilities quickly, the devices still are not being updated. So, even with great tools, vendors still hold back on updates, largely (in my opinion) due to dependencies that are not easily upgraded and/or customizations that make it hard to take an upstream update. Look what I can do! I can customize OpenWrt for our hardware! Great, now you are responsible for updates. Updates? You guys have updates?
- 24. 12 wide-impact firmware vulnerabilities and threats
It's so nice to see others saying things that I've been saying for some time now, such as:
- "Attackers have long developed malware implants that infect computer BIOS or UEFI, providing them with low-level persistence and stealth and the ability to reinfect a computer even if the OS is reinstalled or the hard drive is replaced. Because of this, modern UEFI comes with cryptographic code validation features such as Secure Boot and Intel Boot Guard, but vulnerabilities are still found that allow attackers to bypass these mechanisms."
- "It’s safe to say that there’s no shortage of UEFI vulnerabilities, and even if some of them can be specific to one vendor or IBV, the problem is that PC manufacturers do not release UEFI updates for motherboards that reach the end of life. Furthermore, users are not in the habit of manually installing UEFI updates and these updates are not performed automatically through mechanisms such as Windows Update. This means a very large number of PCs are likely to have known UEFI vulnerabilities at any time."
While it's not the most common attack vector for malware today, UEFI is a ripe attack surface that allows attackers to hide, maintain persistence, and, importantly, bypass OS security protections. This will be a more common tactic in malware for years to come, especially given that largely we do not have visibility into UEFI (I mean we could, but we don't implement the correct detections) and updates are super difficult to 1) even get a fix from a vendor due to the supply chain(s) 2) fixes not being issued for end of life gear and 3) many organizations do not prioritize firmware updates.
2. Things Not to Miss at BH/DC/Bsides – PSW #838
Learn what is most interesting at hacker summer camp this year!
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Guest
As part of his role as Director of Security Research, Trent is responsible for evaluating current cybersecurity risks and vulnerabilities. He leverages his industry relationships to obtain early notifications from partner groups such as Network Security Information Exchange (NSIE), Multilateral Network Security Information Exchange (MNSIE), National Cyber-Forensics and Training Alliance (NCFTA), and other private intelligence groups. This allows Trent to stay ahead of emerging threats and develop proactive strategies to protect the organization from cyber-attacks.
Trent leads efforts to protect the organization from cyber threats. With a distinguished career defending a Tier 1 Network from skillful adversaries, Trent has developed a versatile background in both offense and defense, which has helped him architect visionary security solutions that are deployed within numerous Fortune 500 companies. Trent is an established security researcher who has reported vulnerabilities in organizations such as Zoom, Microsoft, Google, and Southwest Airlines.
In addition, Trent serves on a Technical Advisory Board for a leading cybersecurity company. This position allows him to contribute his expertise and insights to help shape the industry’s strategic direction and enhance cybersecurity practices.