Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Code Execution Flaw. Show all posts

LogoFAIL: UEFI Vulnerabilities Unveiled

The discovery of vulnerabilities is a sharp reminder of the ongoing conflict between innovation and malevolent intent in the ever-evolving field of cybersecurity. The tech community has been shaken by the recent discovery of LogoFAIL, a set of vulnerabilities hidden in the Unified Extensible Firmware Interface (UEFI) code that could allow malicious bootkit insertion through images during system boot.

Researchers have delved into the intricacies of LogoFAIL, shedding light on its implications and the far-reaching consequences of exploiting image parsing vulnerabilities in UEFI code. The vulnerability was aptly named 'LogoFAIL' due to its origin in the parsing of logos during the boot process. The severity of the issue is evident from the fact that it can be exploited to inject malicious code, potentially leading to the deployment of boot kits — a type of malware capable of persistently infecting the system at a fundamental level.

The vulnerability was first brought to public attention through a detailed report by Bleeping Computer, outlining the specifics of the LogoFAIL bugs and their potential impact on system security. The report highlights the technical nuances of the vulnerabilities, emphasizing how attackers could exploit weaknesses in UEFI code to compromise the integrity of the boot process.

Further exploration of LogoFAIL is presented in a comprehensive set of slides from a Black Hat USA 2009 presentation by researcher Rafal Wojtczuk. The slides provide an in-depth analysis of the attack vectors associated with LogoFAIL, offering valuable insights into the technical aspects of the vulnerabilities.

In a more recent context, the Black Hat Europe 2023 schedule includes a briefing on LogoFAIL, promising to delve into the security implications of image parsing during system boot. This presentation will likely provide an updated perspective on the ongoing efforts to address and mitigate the risks that LogoFAIL poses.

The gravity of LogoFAIL is underscored by additional resources such as the analysis on binarly.io and the UEFI Forum's document on firmware security concerns and best practices. Collectively, these sources highlight the urgency for the industry to address and remediate the vulnerabilities in the UEFI code, emphasizing the need for robust security measures to safeguard systems from potential exploitation.

Working together to solve these vulnerabilities becomes critical as the cybersecurity community struggles with the consequences of LogoFAIL. The industry must collaborate to establish robust countermeasures for the UEFI code, guaranteeing system resilience against the constantly changing cyber threat environment.


RCE Vulnerability patched in vm2 Sandbox

Researchers from Oxeye found a serious vm2 vulnerability (CVE-2022-36067) that has the highest CVSS score of 10.0. R&D executives, AppSec engineers, and security experts must make sure they rapidly repair the vm2 sandbox if they utilize it in their apps due to a new vulnerability known as SandBreak.

The most widely used Javascript sandbox library is vm2, which receives about 17.5 million downloads each month. It offers a widely used software testing framework that may synchronously execute untrusted code in a single process.

The Node.js functionality that allows vm2 maintainers to alter the call stack of failures in the software testing framework is the primary culprit in the vulnerability, which Oxeye's researchers have dubbed SandBreak.

According to senior security researcher Gal Goldshtein of Oxeye, "when examining the prior issues revealed to the vm2 maintainers, we observed an unusual technique: the bug reporter leveraged the error mechanism in Node.js to escape the sandbox."

Modern applications use sandboxes for a variety of functions, including inspecting attached files in email servers, adding an extra layer of protection in web browsers, and isolating running programs in some operating systems. Bypassing the vm2 sandbox environment, a hacker who takes advantage of this vulnerability would be able to execute shell commands on the computer hosting it.

The vm2 vulnerability can still have serious repercussions for apps that use vm2 without a fix due to the nature of the use cases for sandboxes. Given that this vulnerability does have the highest CVSS score and is quite well-known, its potential impact is both significant and extensive.

Nevertheless, an attacker might offer its alternative implementation of the prepareStackTrace technique and escape the sandbox because it did not cover all particular methods.

The researchers at Oxeye also were able to substitute their own implementation, which contained a unique prepareStackTrace function for the global Error object. When it was called, it would discover a CallSite object outside the sandbox, enabling the host to run any code.

Users are advised to upgrade as quickly as possible to the most recent version due to the vulnerability's serious severity and to reduce potential risks.


Microsoft Hit by Huge Service Outage


This week's 6-hour-long global outage of Microsoft 365 was caused by a flawed Enterprise Configuration Service (ECS) deployment, as per a preliminary post-incident review. This deployment caused cascade errors and availability effects across numerous locations.

ECS is an internal central configuration repository created to allow Microsoft services to make targeted updates, such as particular configurations per tenant or user, as well as broad-scope dynamic changes affecting many services and features.

According to Microsoft, a recent deployment that featured a "broken link to an internal storage service" was the most likely reason for an outage that prevented many customers from accessing or using a variety of Microsoft 365 products for several hours.

Access to several Microsoft services, including Microsoft Teams, Exchange Server, Microsoft 365 admin center, Microsoft Word, and other Office programs, was slowed down as a result of the service issues, which began on Wednesday, July 20 in the evening and persisted into Thursday morning. Microsoft Managed Desktop and other services were also not able to auto-patch due to the problem.

Overview of the outage

Through its public Twitter statements, Microsoft failed to mention the location of the disruptions. According to comments in Microsoft's Twitter statement, the Teams outage appears to have impacted users in Los Angeles, Dallas, New York City, Hong Kong, and Eastern Australia.

With its cloud computing, Microsoft does have a complex service level agreement. Accordingly, the sole form of compensation for any downtime that an organization can receive is a service-time credit. Additionally, since it is not automatically applied, they must ask for the service credit.

"Telemetry shows that this incident had an impact on about 300,000 calls. Due to business hours falling inside the effect timeframe, the Asia Pacific (APAC) region was the most impacted. Direct Routing and Skype MFA were also significantly affected," the company explained.


What sparked the outage?

In the end, the incident had an impact on users seeking to use one or more of the Microsoft 365 apps and services, according to Bleeping Computer.

The botched Enterprise Configuration Service (ECS) deployment was the initial root cause of this outage, as stated by Redmond in their incident report. "Backward compatibility with services that use ECS was impacted by a deployment of the ECS service that had a code flaw. The end result was that it would send inaccurate configurations to all of its partners for services using ECS " the firm stated.

As a result, downstream services received a status response with the code 200, suggesting that the pull was successful, but it just included a JSON object that was poorly formatted. How each Microsoft service used the flawed configuration supplied by ECS determined the impact's severity. Impact varied from services collapsing, like Teams, to low or no impact on other services.

Microsoft claims that as a result of this incident, they are working to strengthen the Microsoft Teams service's resilience so that it may fall back to a previous version of the ECS configuration in the case of a future ECS failure.


Microsoft: Provide Code for MacOS App Sandbox Flaw

 


MacOS has a vulnerability that was discovered by  Microsoft, it might allow specially created code to execute freely on the system and get past the App Sandbox. 

The security flaw, identified as CVE-2022-26706 (CVSS rating: 5.5), affects iOS, iPadOS, macOS, tvOS, and watchOS. It was patched by Apple in May 2022. In October 2021, Microsoft notified Apple of the problem via Microsoft Security Vulnerability Research (MSVR) and Coordinated Vulnerability Disclosure (CVD).

Sandbox Objective

A specifically written Office document with malicious macro code that allows for system command execution and sandbox limitation bypass can be used by an attacker to exploit the bug. Although Apple's App Sandbox is intended to strictly control a third-party app's access to system resources and user data, the vulnerability allows for obfuscation of these limitations and penetration of the system.

When a user runs malicious software, the main goal of the sandbox is to prevent damage to the system and the user's data.

Microsoft researchers showed that the sandbox rules may be evaded by utilizing specially written software. The sandbox escape vulnerability could be used by an attacker to take charge of the vulnerable device with elevated privileges or to carry out malicious operations like downloading malicious payloads.

The experts originally developed a proof-of-concept (POC) exploit to produce a macro that starts a shell script using the Terminal app, but it was intercepted by the sandbox since it had been given the extended attribute com.apple.quarantine, which inhibits the execution by the Terminal, automatically. The experts then attempted to use Python scripts, but the Python application had a similar problem running files with the mentioned attribute.

"However, this restriction can be removed by using the -stdin option for the open command in the Python exploit code. Since Python had no way of knowing that the contents of its standard input came from a quarantined file, -stdin was able to get around the 'com.apple.quarantine' extended attribute restriction," according to a report by Jonathan Bar Or of the Microsoft 365 Defender Research Team.


Several Dell Systems are Affected by New BIOS Bugs

 

Active exploitation of all of the identified problems cannot be detected by firmware integrity monitoring systems, as per Firmware Insyde Software's InsydeH2O and HP Unified Extensible Firmware Interface (UEFI), which discovered the vulnerabilities. As previously stated, secure remote health attestation systems are unable to detect compromised systems due to technical limitations. 

The high-severity vulnerabilities are identified as CVE-2022-24415, CVE-2022-24416, CVE-2022-24419, CVE-2022-24420, and CVE-2022-24421 on the CVSS scoring system. 

All of the weaknesses are related to poor input validation vulnerabilities in the firmware's System Management Mode (SMM), permitting a local privileged attacker to execute arbitrary code via the management system interrupt (SMI). System Management Mode in x86 microcontrollers is a special-purpose CPU mode for performing system-wide functions like power efficiency, hardware and system control, temperature monitoring, and other exclusive manufacturer-developed code. 

A non-maskable interrupt (SMI) is activated at runtime whenever one of these tasks is requested, and SMM code installed by the BIOS is executed. The method is ripe for misuse because SMM code runs at the greatest privilege level and is transparent to the underlying operating system, making it ideal for implanting persistent firmware. A variety of Dell products are affected, including the Alienware, Inspiron, Vostro, and Edge Gateway 3000 Series, with the Texas-based PC company advising customers to replace their BIOS as soon as possible. 

"The ongoing identification of these vulnerabilities demonstrates what we call repeatable failures' around input cleanliness or, in general, insecure coding habits," according to Binarly researchers. "These errors are directly related to the codebase's complexity or support for legacy components which receive less security attention but are nevertheless frequently used in the field. In many cases, the same vulnerability can be addressed numerous times, yet the attack surface's complexity still leaves open gaps for malicious exploitation." 

Dell SupportAssist is a program which manages support functions such as troubleshooting and recovery on Windows-based Dell workstations. The BIOSConnect feature can be used to restore a corrupted operating system as well as upgrade firmware. 

The functionality does this by connecting to Dell's cloud infrastructure and pulling required code to a user's device. 

Businesse's Pascom Cloud Phone System Contains Severe RCE Flaws

 

Pascom's Cloud Phone System has been completely compromised since a combination of three unique vulnerabilities was discovered by security researchers. Daniel Eshetu of Ethiopian infosec firm Kerbit utilized a trio of less critical security issues to gain full pre-authenticated remote code execution (RCE) on the business-focused Voice over IP (VoIP) and generic communication platform. 

A path traversal vulnerability, a web server request forgery (SSRF) fault in an arbitrary piece of software, and a post-authentication RCE flaw were the three components of the successful exploit. 

The Pascom Cloud Phone Software is a complete collaboration and communication solution which enables enterprises to host and build up private telephone networks across several platforms, as well as manage, maintain, and upgrade virtual phone systems. 

According to the company's LinkedIn, "Pascom, which was founded in 1997 and is the creator of the unique pascom IP phone system software, has over 20 years of expertise providing custom VoIP telecommunications and network infrastructure solutions. By offering organizations a unique, highly professional software-based IP PBX solution, our VoIP phone systems help them add value to the communications."

An arbitrary path traversal flaw in the web interface, a server-side request forgery (SSRF) owing to an outdated third-party dependency (CVE-2019-18394), and a post-authentication command injection utilizing a daemon service are among the three flaws ("exd.pl"). 

  • The SSRF issue was caused by an out-of-date Openfire (XMPP server) jar it was vulnerable to CVE-2021-45967. This is related to CVE-2019-18394, a vulnerability in Openfire's technology that was found three years ago.
  • Instant messaging, presence, and contact list functions are all handled by XMPP, an open communication protocol. 
  • The most recent flaw was command injection in a scheduled task (CVE-2021-45966). 
To look at it another way, the vulnerabilities can be chained together to acquire access to non-exposed endpoints by sending arbitrary GET requests to obtain the administrator password, then utilizing those passwords to gain remote code execution via the scheduled job.

"This provides users full control of the device and an easy means to escalate privileges," Daniel Eshetu said, adding the attack chain may be used "to execute commands as root." The issues were reported to Pascom on January 3, 2022, and patches were released as a result. Customers who host CPS should update to the most recent version (pascom Server 19.21) as soon as possible to avoid any potential dangers.

Log4j 2.17.1 Is Out, And Fixes Yet Another Code Execution Flaw.

 

Apache has published Log4j version 2.17.1, which fixes CVE-2021-44832, a newly found code execution flaw. Prior to that, the most recent version of Log4j, 2.17.0, was considered the safest release to update, however that advice has since changed the Log4j vulnerability resource center to reflect current download trends and statistics for 2.17.1.

CheckMarx researchers have revealed details about the vulnerability in Log4j version 2.17.0, which was just released. Apache released this version a few days after two other patches that addressed the major Log4Shell attack and related problems. By altering the Log4j logging configuration file, attackers might execute remote code on a variety of servers or apps. It's one of the most well-known security weaknesses on the internet, affecting enterprise and government customers who use Log4j versions 2.0 through 2.14.1 in their environments.

Last month, a security researcher discovered yet another zero-day vulnerability in the Apache Log4j Java-based logging library, which threat actors may use to execute malicious code on compromised frameworks. This week, Apache released another version (Log4j rendition 2.17.1) that aims to fix the remote code execution (RCE) flaw in v2.17.0. 

Log4j is a well-known Java library built by the Apache Software Foundation, which is open-source. Designers use it to log error messages in large commercial systems and cloud administrations such as Minecraft, Steam, and Apple iCloud. 

Apache acknowledged the issue in an advisory, describing the moderate-severity flaw (CVSS 6.6) as follows – Attribution link: An attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, which can execute remote code, in Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4).

The new Log4j CVE "only applies if an attacker can already edit the Log4j config file," according to security researcher Kevin Beaumont. "An attacker already owns your web app or host if they can edit your Log4j config file."

One of the most important lessons learned from the events surrounding Log4j is that it is humanly impossible for open source project maintainers to cover every possible attack vector while also correcting known vulnerabilities. This is why community-led vulnerability research and reporting is a benefit to open source. However, if not done properly, it can rapidly become a nuisance. 

"Irresponsible disclosures jeopardize the work of open source projects and their maintainers, and if not handled, this problem will only get worse." 

Another crucial point to note is that unlike the previous four Log4j CVEs revealed thus far, no one was credited with identifying CVE-2021-44832 according to Apache's official warning.

Severe Code Execution Flaws Impact OpenVPN-Based Applications

 

Claroty security experts have issued the alert for several serious code execution vulnerabilities affecting OpenVPN-based virtual private network (VPN) solutions. 

HMS Industrial Networks, MB Connect Line, PerFact, and Siemens all have security flaws that allow intruders to get code execution by misleading prospective victims into accessing a maliciously designed web page, according to the firm. 

VPN solutions are intended to give users the ability to encrypt traffic flowing between their devices and a specified network, ensuring that potentially sensitive data is sent safely, and OpenVPN is the most widely used VPN implementation. 

Claroty revealed during its investigation of OpenVPN-based solutions that vendors typically deploy OpenVPN as a service with SYSTEM rights, posing security vulnerabilities because any remote or local app can manage an OpenVPN instance to begin or end a secure connection. A VPN client-server architecture typically includes a front end (a graphical user interface), a back end (which takes commands from the front end), and OpenVPN (a service controlled by the back end and responsible for the VPN connection). 

Because the front end controls the back end through a dedicated socket channel without any form of authentication, "anyone with access to the local TCP port the back end listens on could potentially load an OpenVPN config and force the back end to spawn a new OpenVPN instance with this configuration," Claroty explained. 

To exploit this issue, an attacker would simply mislead the user into visiting a malicious website with embedded JavaScript code that sends a blind POST request locally, injecting commands into the VPN client back end. This is a classic example of SSRF (Server-Side Request Forgery). 

According to Claroty's documentation, “Once the victim clicks the link, an HTTP POST request will be fired locally to the dedicated TCP port, and since HTTP is a cleartext based protocol which every line ends with \n, the back end server will read and ignore all the lines until reaching a meaningful command.” 

As the back end server would automatically read and execute all legal instructions it receives, it might be told to import a remote configuration file containing particular commands that lead to code execution or malicious payload installation. 

Claroty stated, “The attacker does not need to set up a dedicated OpenVPN server of their own because the up OpenVPN directive command is being executed before the connection to the OpenVPN server occurs.” 

However, connection to the attacker-controlled SMB server is required for remote code execution, which means the attacker must either be on the same domain as the target system or have the victim device enabled to allow SMB access to other servers, according to the researchers. 

Claroty's study resulted in the issuance of five CVE identifiers: CVE-2020-14498 (CVSS 9.6 – HMS Industrial Networks AB’s eCatcher), CVE-2021-27406 (CVSS 8.8 – PerFact’s OpenVPN-Client), CVE-2021-31338 (CVSS 7.8 – Siemens’ SINEMA RC Client), and CVE-2021-33526 and CVE-2021-33527 (CVSS 7.8 – MB connect line GmbH’s mbConnect Dialup).