
Android App Security Alert: Proactive Measures to Prevent Unauthorized Control

Approximately a billion Android users are exposed to a newly disclosed security flaw. The alert comes from Microsoft's researchers, who discovered a vulnerability that could give attackers complete control of a user's smartphone and full access to the data on it.

Security vulnerabilities in multiple Android apps, discovered last week by Microsoft, could be exploited to gain access to apps and sensitive information on a mobile device without the user's permission. The flaw is not in the system code itself but in how developers use it: improper use of the platform creates loopholes that malicious actors can exploit.

Google has been made aware of this flaw and has taken steps to inform the Android app developer community about it. The flaw stems from improper use of Android's content provider system, the mechanism through which applications share structured data sets with one another.

To prevent unauthorized access, data leaks, and path traversal attacks, this system incorporates data isolation, URI permissions, and path validation. Earlier this week, Microsoft Threat Intelligence published a post on its Security Blog stating, “Microsoft discovered a path traversal vulnerability pattern related to multiple popular Android apps.

This vulnerability can be exploited to overwrite files located within the home directory of vulnerable Android applications.” The researchers also noted that the pattern was found in several apps on Google Play with over four billion installations in total. These protections can be bypassed when custom intents, the messaging objects that carry communication between components across different Android apps, are implemented incorrectly.

Incorrect implementations include trusting unvalidated filenames and paths, using the 'FileProvider' component incorrectly, and skipping proper path validation. A malicious application can use Dirty Stream to send manipulated files to another app through a custom intent; a custom intent is required for this method. The receiving application is fooled into trusting the attacker-supplied filename or path and then stores or executes the file in a critical location.

A common OS-level function becomes a weapon when the data stream exchanged between two Android apps is manipulated; the result can be unauthorized code execution, data theft, or another malicious outcome.

Android's content provider system is designed to secure data exchange between applications on a smartphone; the risk arises when a developer uses it incorrectly. It includes several measures against unauthorised access to an application's data, whether by other apps or by anyone else trying to break into the app. These measures include data isolation, URI permissions, and path validation, among others.

The weak point in the system's implementation is its custom intents component: the messaging objects that let apps communicate with one another in both directions to accomplish their goals. While this vulnerability exists, apps can effectively bypass the measures introduced to prevent data theft, allowing other apps (or the attackers controlling them) to access sensitive information stored inside them. Dirty Stream's deviousness lies in how it turns the system's own mechanism against it.

Attackers have been able to craft custom intents that bypass these security measures: the messaging objects that enable communication between components spread across different Android apps. A malicious app that exploits this loophole can send files to another app through a custom intent, so harmful code disguised as legitimate files can sneak into the target.
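The defensive side of the pattern described above, as an added example that is not from Microsoft's post or from either affected app: a hypothetical Java helper for an app that receives a file shared by another app via a content:// URI. It assumes the receiving app stores such files under <filesDir>/imports and treats the sending provider's reported DISPLAY_NAME as untrusted; the simplest fix is to ignore the reported name and generate one, but the helper shows the validate-then-use path so the check itself is visible.

```java
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

/** Hypothetical helper (not from Microsoft's post): stores a file shared by another app via a
 *  content:// URI under the app's private files directory without trusting the reported name. */
public final class SafeStreamImport {
    /** Destination for remoteName, or an exception if that name could escape importDir. The
     *  vulnerable pattern is new File(ctx.getFilesDir(), remoteName) with no check, which lets
     *  a name such as "../shared_prefs/x.xml" overwrite the app's own files. */
    static File safeTarget(File importDir, String remoteName) throws IOException {
        // Reject separators and parent references outright instead of trying to clean them.
        if (remoteName == null || remoteName.isEmpty() || remoteName.contains("/")
                || remoteName.contains("\\") || remoteName.equals(".") || remoteName.equals("..")) {
            throw new IOException("rejected remote file name: " + remoteName);
        }
        File target = new File(importDir, remoteName);
        // Second line of defence: the canonical path must still lie under importDir.
        String base = importDir.getCanonicalPath() + File.separator;
        if (!target.getCanonicalPath().startsWith(base)) {
            throw new IOException("path escapes import directory");
        }
        return target;
    }

    /** Copies the stream behind uri into <filesDir>/imports/<validated name>. */
    static File importFromUri(Context ctx, Uri uri) throws IOException {
        File importDir = new File(ctx.getFilesDir(), "imports");
        if (!importDir.isDirectory() && !importDir.mkdirs()) throw new IOException("cannot create import dir");
        String remoteName = null;
        String[] projection = {OpenableColumns.DISPLAY_NAME};
        try (Cursor c = ctx.getContentResolver().query(uri, projection, null, null, null)) {
            if (c != null && c.moveToFirst() && !c.isNull(0)) remoteName = c.getString(0);
        }
        File target = safeTarget(importDir, remoteName); // untrusted input is validated here
        try (InputStream in = ctx.getContentResolver().openInputStream(uri);
             OutputStream out = new FileOutputStream(target)) {
            if (in == null) throw new IOException("provider returned no stream");
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
        }
        return target;
    }
}
```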

Once an attacker fools a vulnerable app into overwriting critical files within its private storage, the app is compromised, and the consequences can be devastating. According to BleepingComputer, which describes Dirty Stream as an OS-level attack tool that behaves like a normal system function, it lets attackers hijack apps, execute unauthorized code, and steal data without the user being aware of any of it.

Xiaomi's File Manager application, which has more than a billion installations worldwide, and WPS Office, which has more than 500 million installs, are two apps that Microsoft's report highlights as vulnerable to Dirty Stream attacks. Both companies responded to the findings and collaborated with Microsoft to deploy patches that mitigate the risks posed by the discovered vulnerabilities.

Through an article published on the Android Developers website, Microsoft shared its findings with the Android developer community so that similar flaws can be avoided in future releases. Google has since revised its app security guidelines to underscore prevalent implementation errors within the content provider system that could facilitate security breaches.

End users have limited proactive options, but there are still actionable steps they can take to bolster their security posture. Above all, users should keep the applications they use updated to the latest versions, since updates often include patches for known vulnerabilities. Users should also exercise caution when sourcing applications and avoid downloading APKs from unofficial third-party app repositories and other inadequately vetted sources. By following these precautions, users can significantly reduce their exposure to the security risks associated with app usage on the Android platform.

Patch Now or Peril: MOVEit Transfer Customers Urged to Address Critical Vulnerability

MOVEit Transfer has been identified as affected by a critical vulnerability, and customers are urged to patch their systems immediately to prevent exploitation. The flaw, tracked as CVE-2023-36934, allows an attacker to gain elevated privileges without authenticating. It also allows an attacker to execute arbitrary commands on an affected system without any action on the user's part.

If left unaddressed, this vulnerability can result in unauthorized access to information, data breaches, and disruptions to critical business functions. Barracuda MSP users running MOVEit Transfer are advised to apply the latest vendor patch as soon as possible to mitigate the risk.

An SQL injection vulnerability lets an attacker read from or tamper with a database by sending a specially crafted query that the application passes through to the database. Such attacks are possible only when the target application does not adequately sanitize its input and output data.

In the past few months, Progress, the company that develops MOVEit Transfer, has disclosed multiple SQL injection vulnerabilities, including one, tracked as CVE-2023-36934, that can be exploited without authentication credentials for the application.

SQL injection covers a family of security flaws. If exploited, they let attackers manipulate databases and run code of their choosing; some attacks change or expose sensitive data in a database. The attacker does this by sending specially designed payloads to particular endpoints of the affected application.

Is There a Threat? 

An unauthenticated remote attacker could exploit CVE-2023-36934 to execute arbitrary commands on vulnerable MOVEit Transfer systems. Successful exploitation gives the attacker unauthorized access to the system, exposes sensitive data, and permits malicious activity with elevated privileges. Because neither user interaction nor authentication is required, the vulnerability is extremely dangerous.

A second vulnerability is tracked as CVE-2023-36932 and a third as CVE-2023-36933. CVE-2023-36932 is an SQL injection flaw that an attacker who is already logged in can exploit to gain unauthorized access to the MOVEit Transfer database. CVE-2023-36933 allows an attacker who exploits it to make the program shut down unexpectedly.

These vulnerabilities affect multiple MOVEit Transfer versions: 12.1.10 and earlier, 13.0.8 and earlier, 13.1.6 and earlier, 14.0.6 and earlier, 14.1.7 and earlier, and 15.0.3 and earlier.


Are There Any Risks or Exposures? 

Exploitation can lead to further compromise of the system. An attacker who gains unauthorized access to the affected system through MOVEit Transfer can use that foothold to move laterally across the network, elevate privileges, and compromise additional systems or resources. The result may be a massive breach, the exfiltration of sensitive information, or the disruption of interconnected systems within an organization.

Exploiting this vulnerability requires no user interaction or authentication, so it poses a significant risk to any organization running the affected software. Companies across a wide range of industries, such as finance, healthcare, government, and manufacturing, say that secure file transfers are essential to the smooth operation of their organizations.

Organizations handling sensitive or regulated data, such as personally identifiable information (PII) or protected health information (PHI), may face severe consequences, depending on the extent of the damage, if this vulnerability leads to the compromise of that data. HackerOne and Trend Micro's Zero Day Initiative report that they responsibly disclosed these vulnerabilities to Progress Software.

The multiple vulnerabilities in MOVEit Transfer affect the following versions: 12.1.10 and older, 13.0.8 and earlier, 13.1.6 and earlier, 14.0.6 and older, 14.1.7 and older, and 15.0.3 and older. Progress Software has released updates for all major versions of MOVEit Transfer.

To reduce the risks posed by these vulnerabilities, it is strongly recommended that users update their versions of MOVEit Transfer to the latest versions.
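A triage helper for the version list above, as an added example that is not a Progress Software tool: it classifies an installed MOVEit Transfer version string against the affected ranges this post lists. It assumes plain major.minor.patch version strings and reads "12.1.10 and previous versions" as covering every release before the 12.1 branch as well; branches the post does not mention are reported as unlisted rather than guessed at.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical triage helper (not from Progress Software): classifies a MOVEit Transfer
 *  version string against the affected releases listed in the advisory text above. */
public final class MoveItVersionCheck {

    /** Highest still-affected patch level per major.minor branch, taken from the list above. */
    static final Map<String, Integer> AFFECTED_CEILING = new LinkedHashMap<>();
    static {
        AFFECTED_CEILING.put("12.1", 10);
        AFFECTED_CEILING.put("13.0", 8);
        AFFECTED_CEILING.put("13.1", 6);
        AFFECTED_CEILING.put("14.0", 6);
        AFFECTED_CEILING.put("14.1", 7);
        AFFECTED_CEILING.put("15.0", 3);
    }

    /** Parses "major.minor.patch"; any further components (build numbers) are ignored. */
    static int[] parse(String version) {
        String[] parts = version.trim().split("\\.");
        if (parts.length < 3) throw new IllegalArgumentException("expected major.minor.patch: " + version);
        int[] v = new int[3];
        for (int i = 0; i < 3; i++) v[i] = Integer.parseInt(parts[i]);
        return v;
    }

    /** Returns AFFECTED, FIXED, or UNLISTED (a branch the advisory text does not mention). */
    static String classify(String version) {
        int[] v = parse(version);
        // Assumption: "12.1.10 and previous versions" also covers every release before 12.1.
        if (v[0] < 12 || (v[0] == 12 && v[1] < 1)) return "AFFECTED";
        Integer ceiling = AFFECTED_CEILING.get(v[0] + "." + v[1]);
        if (ceiling == null) return "UNLISTED";
        return v[2] <= ceiling ? "AFFECTED" : "FIXED";
    }

    public static void main(String[] args) {
        // Constructed sample inputs covering a boundary, a fixed build, and an unlisted branch.
        for (String s : Arrays.asList("12.1.10", "13.0.9", "14.1.7", "15.0.4", "15.1.0", "11.5.2")) {
            System.out.println(s + " -> " + classify(s));
        }
    }
}
```

Feed it the version shown in the MOVEit Transfer admin console or installed-programs list; a FIXED result only means the build is past the ceilings in this post, not that later advisories do not apply.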