Destructive Firmware, Keys to the Kingdom, the Device Level, & 5 CyberSec Myths – PSW #746

"CISA must ensure its efforts include: Virtual and in-person training and courses provided at no cost to participants; Training and courses available for different skill levels, including introductory-level courses; Training and courses that cover cybersecurity defense strategies for industrial control systems, including an understanding of the unique cybersecurity threats facing industrial control systems and the mitigation of security vulnerabilities in industrial control systems technology..."

"I have a firewall, so I’m safe from attacks."

"According to CrowdStrike researcher Patrick Bennett, the ransomware actor performed a novel remote code execution exploit on the Mitel MiVoice Connect appliance and went to lengths to perform anti-forensic techniques on the VOIP appliance to cover their tracks. The vulnerability, patched by Mitel without acknowledgement of the zero-day exploitation, is rated “critical” and affects a component of Mitel’s MiVoice Connect"

"Oracle has patched a remote code execution (RCE) vulnerability impacting Oracle Fusion Middleware and various other Oracle systems. Security researchers ‘Peterjson’ and ‘Jang’ reported a pair of severe flaws to Oracle that can be chained to achieve RCE, which they dubbed the ‘Miracle Exploit’."

"This also includes Zimbra collaboration suite, wherein the vulnerability could lead to pre-authenticated remote code execution on a vulnerable instance, giving the attacker complete access to an email server and even abuse it to access or overwrite other internal resources within the organization's network. The vulnerability, at its heart, relates to a symbolic link attack in which a RAR archive is crafted such that it contains a symlink that's a mix of both forward slashes and backslashes (e.g., "......tmp/shell") so as to bypass current checks and extract it outside of the expected directory."

And the winner is, still, and you guessed it: Out-Of-Bounds Write (e.g. memory corruption, buffer overflow) https://cwe.mitre.org/data/definitions/787.html

Yea no, this is like advice from 20+ years ago, and its not complete zero trust: "Unlike other IT systems, zero-trust for printing primarily involves putting printers into a separate, controlled environment (network) and closely regulating and monitoring who has access to those printers." Fight me.

"The good news is that security at the device level is simple to achieve. While new vulnerabilities will constantly emerge, most of these security issues can be addressed through password, credential, and firmware management, as well as through basic device hardening. " Except when you can't do any or all of those things because you can't change the password (esp. if its a backdoor in the firmware), the device does not have authentication at all, there is a web application vulnerability (or 10), and you can't update the firmware because its no longer supported by the vendor and they stopped making updates.

"The signature check was performed only on the code region specified in the header. As long as the original header, code, and signature were unmodified, the bootloader would boot the image. A quick test proved this to be the case. An image with extra data appended booted successfully, with the extra data being ignored. Since all flash memory on this device is executable, I could simply jump to extra code appended to a valid update image." and then: "My payload was simple: Erase the original public key from flash and write the new key in its place. On subsequent reboots, the bootloader would accept new firmware images signed with the new key—one the client now keeps in a couple of safe places." - nice hack!

According to an HP survey: "(83%) IT leaders say firmware attacks against laptops and PCs now pose a significant threat, while 76% of ITDMs said firmware attacks against printers pose a significant threat." and "More than two-thirds (67%) of IT leaders say protecting against, detecting, and recovering from firmware attacks has become more difficult and time-consuming due to the increase in home working, with 64% saying the same of analyzing the security of firmware configuration." and "Despite the clear risks that destructive firmware attacks pose to organizations, device security is not always a major consideration in the hardware procurement process, with many organizations continuing to use technologies that are not built with security in mind. " - Like my MSI laptop, which has not seen a firmware update in years, because well, they haven't made one. Talk to me about updating the DBX...