Paul’s Security Weekly #748

From the research report: "The exploitation of these vulnerabilities could have disastrous and even life-threatening implications. For example, an attacker could exploit some of the vulnerabilities to cut fuel to an entire fleet of commercial or emergency vehicles. Or, the attacker could leverage GPS information to monitor and abruptly stop vehicles on dangerous highways. Attackers could choose to surreptitiously track individuals or demand ransom payments to return disabled vehicles to working condition. There are many possible scenarios which could result in loss of life, property damage, privacy intrusions, and threaten national security." (Ref: https://www.bitsight.com/sites/default/files/2022-07/MiCODUS-GPS-Report-Final.pdf)

"To sum up, I found a heap buffer overflow within the Netfilter subsystem of the Linux kernel. This vulnerability could be exploited to get a privilege escalation on Ubuntu 22.04. The source code of the exploit is available on our GitHub (https://github.com/randorisec/CVE-2022-34918-LPE-PoC)."

"Dragos is reporting that one such group offering password cracking for 15 vendors worth of PLCs and HMIs is using the password recovery software to install the Sality botnet. Sality is used for distributed criminal tasks, including cryptomining."

Interesting thread on the MicrocodeDecryptor

"Today, we’re releasing a little side project a few of our developers have been working with the community on: the Decompiler Explorer! This new (free, open source) web service lets you compare the output of different decompilers on small executables. In other words: It’s basically the same thing as Matt Godbolt’s awesome Compiler Explorer, but in reverse."

"At the beginning of 2020, we discovered the Red Unlock technique that allows extracting Intel Atom Microcode. We were able to research the internal structure of the microcode and then x86 instruction implementation. Also, we recovered a format of microcode updates, algorithm and the encryption key used to protect the microcode (see RC4)." Amazing: "Using vulnerabilities in Intel TXE we had activated undocumented debugging mode called red unlock and extracted dumps of microcode directly from the CPU. We found the keys and algorithm inside."

"In the final data reception phase, the transmitted data is captured through a hidden receiver or relies on a malicious insider in an organization to carry a radio receiver near the air-gapped system. "The receiver monitors the 6GHz spectrum for a potential transmission, demodulates the data, decodes it, and sends it to the attacker," Dr. Guri explained." - NVME anyone? :)

"As responsible security researchers, we have reached out to Okta with our findings and confirmed that these risks do not represent vulnerabilities. Okta responded that the features are performing as designed and should not be categorized as vulnerabilities. It is important to note that while not categorized as vulnerabilities, these findings expose customers to potential attacks. As a vendor focused on securing the identity and access layer, we believe it is important to share our findings and to provide a way to detect and mitigate these risks."

"Schulte watched without visibly reacting as U.S. District Judge Jesse M. Furman announced the guilty verdict on nine counts, which was reached in mid-afternoon by a jury that had deliberated since Friday. The so-called Vault 7 leak revealed how the CIA hacked Apple and Android smartphones in overseas spying operations, and efforts to turn internet-connected televisions into listening devices. Prior to his arrest, Schulte had helped create the hacking tools as a coder at the agency’s headquarters in Langley, Virginia."