
Cisco Fixes Critical CVE-2024-20418 Vulnerability in Industrial Wireless Access Points


Cisco recently disclosed a critical security vulnerability, tracked as CVE-2024-20418, that affects specific Ultra-Reliable Wireless Backhaul (URWB) access points used in industrial settings. These URWB access points are essential for maintaining robust wireless networks in environments like manufacturing plants, transportation systems, and other infrastructure-intensive industries. The vulnerability allows remote, unauthenticated attackers to perform command injection attacks with root privileges by exploiting the device’s web-based management interface. 

This vulnerability results from inadequate validation of input data within Cisco’s Unified Industrial Wireless Software, specifically affecting the web management interface of URWB access points. By sending specially crafted HTTP requests, attackers could exploit this flaw to execute arbitrary commands with root-level access, potentially leading to unauthorized control over the device. This level of access could compromise critical network infrastructure, posing serious risks to businesses relying on URWB technology for uninterrupted connectivity. The vulnerability specifically impacts Cisco Catalyst models IW9165D, IW9165E, and IW9167E when URWB mode is enabled. 

For users concerned about their device’s security, Cisco advises checking vulnerability status by using the “show mpls-config” command in the command-line interface (CLI). If the command confirms URWB mode is active, the device may be vulnerable to potential attacks. Cisco’s Product Security Incident Response Team (PSIRT) has stated that it is not aware of any instances of this vulnerability being actively exploited in real-world scenarios. However, given the nature of this vulnerability, Cisco urges users to update their devices promptly to mitigate the risk. Currently, Cisco has not issued workarounds for this issue. 

As a result, companies relying on these models are advised to stay alert for firmware updates or patches that Cisco may release to resolve the vulnerability. The lack of a temporary fix underlines the importance of applying any future updates immediately, especially as remote exploitation could have significant consequences for the affected systems. For organizations using these Cisco models, securing network access and strengthening device-level defenses can be critical in mitigating potential risks. Limiting access to the web-based management interface, monitoring device activity, and conducting frequent security audits are some proactive steps administrators can take. These actions may help limit exposure while waiting for Cisco’s permanent fix. This incident serves as a reminder of the evolving threat landscape in industrial and operational technology environments. 
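To make the defect class concrete, here is an added Python illustration (not Cisco's code, and not a model of the real URWB management interface) of a web action that splices a request parameter into a shell command, next to the hardened form that validates against an allowlist and passes the value as a single argv element. A small defender-side check over constructed access-log lines shows how requests carrying shell metacharacters to such an endpoint can be flagged while access to the management interface is being restricted. The endpoint path, handler names and log lines are all assumptions for the example.

```python
import re
from urllib.parse import unquote

# Hypothetical "ping a host" management action. Added illustration of the defect class
# (unvalidated input reaching a shell); it does not model Cisco's actual interface.

# Strict allowlist: a hostname or dotted IPv4 literal, nothing else.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_build_command(target: str) -> str:
    """Vulnerable pattern: the request parameter is spliced into a shell string.
    If this string reaches a shell, every metacharacter in `target` is interpreted."""
    return f"ping -c 1 {target}"


def is_valid_target(target: str) -> bool:
    """True only for a plain hostname or IPv4 literal."""
    return HOSTNAME_RE.match(target) is not None


def hardened_build_argv(target: str) -> list[str]:
    """Hardened pattern: allowlist validation, then an argv list so the value is passed
    as one argument (subprocess.run(argv, shell=False)) and never re-parsed by a shell."""
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return ["ping", "-c", "1", target]


# Defender-side check: flag requests to the management interface whose decoded
# request target carries shell metacharacters.
SHELL_META = re.compile(r"[;&|`$<>\n]")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_requests(log_lines: list[str]) -> list[str]:
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and SHELL_META.search(unquote(m.group(1))):
            hits.append(line)
    return hits


# Constructed access-log lines in common log format (not captured from any device).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Nov/2024:10:00:01 +0000] "GET /mgmt/ping?target=10.0.0.1 HTTP/1.1" 200 512',
    '192.0.2.77 - - [06/Nov/2024:10:00:05 +0000] "GET /mgmt/ping?target=10.0.0.1%3Becho%20injected HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    print(vulnerable_build_command("10.0.0.1; echo injected"))
    print(hardened_build_argv("ap-1.plant.example"))
    for line in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", line)
```

The allowlist is the important part: escaping or quoting a value that is still handed to a shell leaves too many corner cases, whereas rejecting anything that is not a hostname and never invoking a shell removes the interpretation step entirely. The log check is a triage aid, not a substitute for keeping the management interface off untrusted networks.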

As organizations adopt more wireless technologies to improve operational efficiencies, the need for robust cybersecurity practices is crucial. Regularly updating network devices and addressing vulnerabilities promptly are fundamental to protecting systems from cyber threats. Cisco’s disclosure of CVE-2024-20418 underscores the vulnerabilities that even the most reliable industrial-grade devices can exhibit. It also highlights the critical importance of proactive device management and security measures in preventing unauthorized access. Industrial environments should consider this a timely reminder to prioritize cybersecurity protocols across all network-connected devices.

Controversy Surrounds Flipper Zero Amid Car Theft Concerns

In the midst of rising concerns over car thefts in Canada, the Flipper Zero, a popular device known for its penetration-testing capabilities, has found itself at the centre of a heated debate. Canadian officials have proposed a ban on the device, attributing a surge in car thefts to its alleged ability to mimic wireless signals for remote keyless entry. However, the creators of Flipper Zero vehemently deny these claims, stating that they are being unfairly scapegoated for the country's car theft problem.

In a recent statement published on their website, the developers of Flipper Zero argue against the proposed ban, asserting that it would hinder technological progress and fail to address the underlying issue of car theft. They emphasise the importance of fixing vulnerabilities in security systems rather than restricting cybersecurity tools. Additionally, they highlight the limitations of Flipper Zero compared to specialised tools designed for breaking into keyless car systems, such as signal repeaters.

Alex Kulagin, the COO of Flipper Devices, has reiterated that the device cannot be used to hijack cars. He points out that signal repeaters, readily available online, pose a greater threat as they intercept signals from car key fobs, enabling remote entry and activation of vehicles. Contrary to claims made by Canadian officials, Flipper Zero lacks the computing power required for such exploits, making it a less practical choice for car thieves.

The controversy surrounding Flipper Zero has drawn attention from both technical and non-technical communities. Automotive locksmiths, such as [Surlydirtbag], have debunked the notion that Flipper Zero can be used for keyless entry systems. They emphasise that RF relay-based attacks, which access real keys, have been prevalent for years. While Flipper Zero may be capable of cloning RFID chips in some older vehicles, it is ineffective against modern immobilisers, diminishing its appeal to car thieves.

Despite assurances from the Flipper Zero developers and automotive experts, Canadian officials remain steadfast in their pursuit of banning devices used for vehicle theft. François-Philippe Champagne, the Canadian Minister of Innovation, Science and Industry, has vowed to outlaw Flipper Zero, citing concerns over its potential misuse. However, critics argue that such measures overlook the root causes of car theft and fail to address broader security issues within the automotive industry.

As the debate continues, there are calls for a more nuanced approach to addressing car theft, including greater collaboration between government regulators and industry stakeholders. Proponents of cybersecurity advocate for proactive measures to improve security standards rather than reactive bans on specific devices. Ultimately, the outcome of this controversy will have implications not only for the future of Flipper Zero but also for the broader discourse surrounding cybersecurity and technological innovation.


AI Solutions Address Military Concerns: Speeding Up Soldier Recruitment Amidst Shrinking Forces

With the British Army facing a depleted workforce and an increased need for recruitment, artificial intelligence (AI) has been incorporated into its recruitment process to speed it up. Under a new AI system developed by outsourcing firm Capita, potential recruits' medical records are now analyzed rapidly to determine who is eligible for enlistment. 

The system enables recruiters to find and evaluate candidates more efficiently by converting uploaded documents into searchable records and by bringing emails, electronic documents, and voice messages into a single format. 

Since the service usually processes around 40,000 medical documents per year, the developer claims this technology is intended to improve efficiency. It has been reported that Capita's recruiters need to review more than 100 pages of complicated medical documents, a task that used to take almost an hour per applicant. 

By analyzing these records, the AI software simplifies a recruitment process that lasts five months from application to basic training. The company has been instructed to enrol 9,813 recruits this year but is expected to enrol only 70% of that number. 

A recent report issued by the British Parliament, "Ready for War?", found that the Armed Forces are experiencing a crisis in recruitment and retention, which is the context in which the AI company was asked to recruit. According to a Tidio survey, 67% of HR professionals believe that AI recruiting technologies are valuable. 

However, 35% believe that using the technology still risks bias and overlooking unique and unconventional talents. Separately, the European Union reached an agreement on the world's first extensive AI rules last year, a landmark agreement for the world. Under the new process, a GP scans or uploads a patient's documents onto a secure system. 

After the information has been converted by AI technology to searchable records, recruiters will be able to analyze the email, electronic documents, voice messages, and handwritten notes in one format, which can then be analyzed by recruiters in real-time. The military size of the United Kingdom has been falling sharply for many years. 

As a result, the efficiency of the military is improving, data security is improved, and applications are being scrutinized more rigorously. As part of the hiring process, recruiting staff needed to assess 40,000 of these medical documents manually, which were delivered by general practitioners each year. In an average case, recruiters analyze a health record that is between 50 and 100 pages long, taking at least an hour to evaluate each applicant. 

A Capita source said that since 2016 a 25 percent reduction in the amount of time it takes to process a job application had resulted from the changes, along with other modernizations. In recent months, more applications have been processed as a result of the use of artificial intelligence, according to a defence source who said that the firm had significantly reduced the timeframe for processing medical assessments after the tech was introduced to the company in the summer last year. 

The adoption of artificial intelligence in Army recruitment may have contributed to a positive outcome, but there are still concerns about its use by the Government despite its apparent success. As a few news agencies revealed last year, civil servants had been instructed not to use any ChatGPT services related to government work, due to security concerns, for any reason.

Vodafone Portugal Services were Disrupted due to a Cyberattack


Vodafone was the target of a network disruption that began on the night of February 7, 2022, as a result of an intentional and malicious cyberattack targeted at inflicting damage and disruption. As soon as the first indication of a network issue was noticed, Vodafone responded quickly to identify, contain, and restore services. This situation is affecting the provision of services based on data networks, such as 4G/5G networks, fixed voice, television, SMS, and voice/digital answering services. 

"We have already recovered mobile voice services and mobile data services are available exclusively on the 3G network almost throughout the country but, unfortunately, the size and severity of the criminal act to which we have been subjected implies for all other services a careful and prolonged recovery work involving multiple national, international teams and external partners," the company said in a statement. 

According to Vodafone Portugal CEO Mário Vaz, the attack affected millions of people, businesses, and public services such as ambulance services, fire departments, and hospitals. He stated that emergency services were prioritized in efforts to restore communications. He told reporters that whoever was behind the incident had not demanded a ransom. 

"The attack sought to make (Vodafone Portugal) inoperative," he said. He refused to go into detail about the company's and police's inquiry. According to the company, it delivers fiber services to 3.4 million Portuguese homes and businesses, and it has 4.7 million cellphone clients.

Vodafone said it is attempting to restore the remaining services with the assistance of local and international teams in what is presently the company's largest cybersecurity incident. The company also stated that it is cooperating with authorities to investigate the issue and that, based on existing evidence, no customer data appears to have been accessed or compromised. Despite the existence of various claims on the internet, Vodafone Portugal has not linked the ongoing situation to a ransomware attack. 

These rumors are currently making the rounds on the internet after a ransomware gang extorted Impresa and Cofina, two of Portugal's leading news media sites, over the past month. The Lapsus$ ransomware group, which was responsible for the two attacks, has not claimed responsibility for the Vodafone Portugal outage on any of its online accounts. 

When contacted through LinkedIn, a Vodafone Portugal employee stated that they were only aware of the technical disruption and were unaware of the company's press statement attributing the outage to a hack.

Servers for Dark Souls 3 Have Been Shut Down Due to a Critical RCE Bug


Bandai Namco has halted the Dark Souls role-playing game's online PvP feature, bringing its servers offline to investigate claims of a major security issue that may endanger players. According to Reddit user reports, the vulnerability is a remote code execution (RCE) vulnerability that might allow attackers to take control of the system, giving them access to sensitive information, allowing them to plant malware, or use resources for cryptocurrency mining. 

According to the reports, the exploit is currently being disseminated, and it may also work against Elden Ring, an upcoming Bandai Namco title. On Saturday, a Discord post clarified that the game developer received details about the RCE vulnerability via a responsible disclosure report directly from the individual who identified it. Bandai Namco is said to have ignored the report, but considering the gravity of the flaw, the reporter chose to demonstrate it on popular streamers to raise awareness and illustrate how critical it is. 

The exploit was demonstrated on the Twitch stream of a player named The Grim Sleeper. An unknown entity launched a PowerShell script on the streamer's PC, which used the Windows Narrator engine to read out crucial notes about the gameplay. 

"For example, the creator of the exploit has already shared information about the vulnerability with the developers of the Blue Sentinel plugin, a mod for Dark Souls designed to counteract cheats. And one can only guess who else could get this information," researchers wrote. "Also, once demonstrated, other hackers may try to replicate the exploit and use it to cause real harm to players," researchers continued. "There are various possible scenarios here: attackers can use it to steal passwords from game accounts or crypto-wallets, install good old ransomware, hidden miners and much more." 

According to Saryu Nayyar, CEO and Founder of Gurucul, this attack highlights the vulnerability of remote workers accessing corporate resources via home networks and personal devices. Because we connect our gaming systems to the same network as resources connected to the corporate network, the virus can simply migrate from home to a much larger operation, she explained. 

That is why, she adds, it is vital for security teams to understand how users use network resources and to incorporate that knowledge into an evaluation of the risks and severity associated with attack campaigns. RCE vulnerabilities are not new, but they are hazardous when no one is aware of them, according to Jorge Orchilles, CTO of SCYTHE.

Millions of HP OMEN Gaming PCs Impacted by Driver Vulnerability


On Tuesday, security experts disclosed details of a high-severity weakness in the HP OMEN driver software, which affects millions of gaming laptops worldwide and leaves them vulnerable to various cyberattacks. 

The vulnerability is tracked as CVE-2021-3437 (CVSS score: 7.8). Threat actors may escalate privileges to kernel mode without having administrator rights, enabling them to deactivate security products, overwrite system components, and even damage the operating system. 

The complete list of vulnerable devices includes HP ENVY, HP Pavilion, OMEN desktop gaming systems, and OMEN and HP Pavilion gaming laptops. 

SentinelOne, a cybersecurity firm that identified and communicated the flaw to HP on February 17, claimed it discovered no trace of in-the-wild exploitation. Customers have subsequently received a security update from the company to address the flaw. 

The problems are caused by OMEN Command Center, a component pre-installed on HP OMEN laptops and desktops that can also be downloaded from the Microsoft Store. The program is meant to optimise network activity, overclock the gaming PC for faster performance, and monitor the GPU, CPU, and RAM through a vitals dashboard. 

Source of flaw

According to research shared with The Hacker News by SentinelOne, "The problem is that HP OMEN Command Center includes a driver that, while ostensibly developed by HP, is actually a partial copy of another driver full of known vulnerabilities." 

"In the right circumstances, an attacker with access to an organization's network may also gain access to execute code on unpatched systems and use these vulnerabilities to gain local elevation of privileges. Attackers can then leverage other techniques to pivot to the broader network, like lateral movement." 

HpPortIox64.sys is the driver in question, and it derives its functionality from WinRing0.sys, developed by OpenLibSys, which was the origin of a local privilege escalation flaw in EVGA Precision X1 software last year (CVE-2020-14979, CVSS score: 7.8). 

In August 2020, researchers from SpecterOps highlighted, "WinRing0 allows users to read and write to arbitrary physical memory, read and modify the model-specific registers (MSRs), and read/write to IO ports on the host. These features are intended by the driver's developers. However, because a low-privileged user can make these requests, they present an opportunity for local privilege escalation." 

This is the second time WinRing0.sys has been identified as a source of security vulnerabilities in HP products. 

In October 2019, SafeBreach Labs discovered a critical vulnerability in HP Touchpoint Analytics software (CVE-2019-6333), which ships with the same driver, possibly enabling malicious actors to read arbitrary kernel memory and effectively allowlist malicious payloads via a signature validation bypass. 
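Because the same WinRing0-derived driver keeps resurfacing under different file names, a practical first step for defenders is to check driver inventories for it. The following is an added detection helper (not SentinelOne's or HP's tooling) that parses a driver inventory in the CSV shape that `driverquery /fo csv` prints on Windows and matches module names against a watchlist built from the two driver names in this article. The inventory rows and link dates below are constructed for the example.

```python
import csv
import io

# Added detection helper. Assumes the CSV columns that `driverquery /fo csv` emits:
# "Module Name","Display Name","Driver Type","Link Date". Sample rows are constructed.
# The two watchlisted names are those named in the article.

# Module name (lower-case, without .sys) -> why it matters.
WATCHLIST = {
    "hpportiox64": "HP OMEN Command Center driver, CVE-2021-3437",
    "winring0": "OpenLibSys WinRing0, CVE-2020-14979 lineage "
                "(arbitrary physical memory / MSR / IO port access from low privilege)",
}


def normalise_module(name: str) -> str:
    """Lower-case the module name and drop a trailing .sys so both spellings match."""
    name = name.strip().lower()
    return name[:-4] if name.endswith(".sys") else name


def parse_driver_inventory(csv_text: str) -> list[dict]:
    """Parse driverquery-style CSV into a list of dicts keyed by column name."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{k.strip(): (v or "").strip() for k, v in row.items()} for row in reader]


def flag_watchlisted_drivers(rows: list[dict]) -> list[tuple[str, str]]:
    """Return (module name, reason) for every inventory row matching the watchlist.
    WinRing0 ships under several file names (e.g. with an architecture suffix),
    so that entry is matched on prefix rather than exact name."""
    findings = []
    for row in rows:
        module = normalise_module(row.get("Module Name", ""))
        if module in WATCHLIST:
            findings.append((row["Module Name"], WATCHLIST[module]))
        elif module.startswith("winring0"):
            findings.append((row["Module Name"], WATCHLIST["winring0"]))
    return findings


# Constructed inventory in driverquery CSV shape (dates are placeholders).
SAMPLE_INVENTORY = """\
"Module Name","Display Name","Driver Type","Link Date"
"ACPI","Microsoft ACPI Driver","Kernel","1/1/2021 12:00:00 AM"
"HpPortIox64","HpPortIox64","Kernel","1/1/2020 12:00:00 AM"
"WinRing0x64","WinRing0x64","Kernel","1/1/2008 12:00:00 AM"
"disk","Disk Driver","Kernel","1/1/2021 12:00:00 AM"
"""

if __name__ == "__main__":
    for module, reason in flag_watchlisted_drivers(parse_driver_inventory(SAMPLE_INVENTORY)):
        print(f"{module}: {reason}")
```

Name matching is only a triage signal: a copied driver can be renamed, so a fuller check would also compare the file hash or the signer of the binary on disk, and the presence of a watchlisted driver should be followed by confirming the vendor's patched version is installed.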

The discovery is the third in a series of security flaws affecting software drivers that SentinelOne has discovered since the beginning of the year. 

Earlier this year, they found a 12-year-old privilege escalation problem in Microsoft Defender Antivirus (previously Windows Defender) that hackers could exploit to acquire admin access on unpatched Windows computers.

And last month, SentinelOne reported on a 16-year-old security flaw discovered in an HP, Xerox, and Samsung printer driver that allows attackers to obtain administrative access to computers running the vulnerable software.

Several Critical Flaws Identified in WordPress Plugin


Wordfence researchers warned of multiple flaws in a popular WordPress plugin that allow an attacker to upload arbitrary files to a vulnerable site and achieve remote code execution (RCE). On May 27, researchers discovered four security vulnerabilities, all of which were assigned a high CVSS score of 9.8. 

The first issue discovered was a privilege escalation flaw CVE-2021-34621. “During user registration, users could supply arbitrary user metadata that would get updated during the registration process. This included the wp_capabilities user meta that controls a user’s capabilities and role. This made it possible for a user to supply wp_capabilities as an array parameter while registering, which would grant them the supplied capabilities, allowing them to set their role to any role they wanted, including the administrator,” researchers explained.

In addition, there was no check to validate that user registration was enabled on the site, meaning users could register as an administrator even on sites where user registration was disabled. This meant that attackers could completely take charge of a susceptible WordPress site. 

The second flaw, CVE-2021-34622, in the user profile update functionality, uses the same technique as above but requires an attacker to have an account on a vulnerable site for the exploit to work. 

“However, since the registration function did not validate if user registration was enabled, a user could easily sign up and exploit this vulnerability, if they were not able to exploit the privilege escalation vulnerability during registration,” according to Wordfence researchers. 
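The two privilege escalation flaws are a mass-assignment defect: user meta is copied wholesale from the request, and wp_capabilities, the meta key WordPress uses to store a user's role, is among the fields a registrant can supply. The following is an added Python model of that defect and its fix (it is not ProfilePress code, and roles are reduced to the capability dict WordPress stores): the vulnerable handler copies every submitted field and never consults the registration setting; the hardened handler checks the setting, copies only allowlisted profile fields, and assigns the role server-side. The form contents are constructed for the example.

```python
from copy import deepcopy

# Added Python model of the defect behind CVE-2021-34621/34622; not ProfilePress code.
# Roles are simplified to the capability dict WordPress keeps under wp_capabilities.

DEFAULT_CAPS = {"subscriber": True}
ALLOWED_META = {"first_name", "last_name", "description"}
PROTECTED_KEYS = {"wp_capabilities"}  # server-owned keys a request must never set


class RegistrationDisabled(Exception):
    pass


def vulnerable_register(form: dict, registration_enabled: bool) -> dict:
    """Vulnerable: every submitted field lands in user meta (so wp_capabilities is
    attacker-controlled) and the site's registration setting is ignored."""
    user = {"login": form["user_login"], "meta": {}}
    for key, value in form.items():
        if key in ("user_login", "user_pass"):
            continue
        user["meta"][key] = deepcopy(value)
    user["meta"].setdefault("wp_capabilities", dict(DEFAULT_CAPS))
    return user


def hardened_register(form: dict, registration_enabled: bool) -> dict:
    """Hardened: honour the registration setting, copy only allowlisted string fields,
    and let the server alone decide the role."""
    if not registration_enabled:
        raise RegistrationDisabled("user registration is disabled on this site")
    user = {"login": form["user_login"], "meta": {}}
    for key in sorted(ALLOWED_META):
        value = form.get(key)
        if isinstance(value, str):
            user["meta"][key] = value[:200]
    user["meta"]["wp_capabilities"] = dict(DEFAULT_CAPS)  # never taken from the request
    return user


def roles_of(user: dict) -> list[str]:
    """Roles granted to a user, derived from the stored capability dict."""
    return sorted(role for role, on in user["meta"]["wp_capabilities"].items() if on)


def tampered_keys(form: dict) -> list[str]:
    """Detection aid: protected keys in a registration submission are worth logging."""
    return sorted(key for key in form if key in PROTECTED_KEYS)


# Constructed registration submission carrying the server-owned key.
CRAFTED_FORM = {
    "user_login": "mallory",
    "user_pass": "constructed-password",
    "first_name": "M",
    "wp_capabilities": {"administrator": True},
}

if __name__ == "__main__":
    print("vulnerable:", roles_of(vulnerable_register(CRAFTED_FORM, registration_enabled=False)))
    print("hardened:  ", roles_of(hardened_register(CRAFTED_FORM, registration_enabled=True)))
    print("tampered keys:", tampered_keys(CRAFTED_FORM))
```

The same allowlist must be applied on the profile-update path (the second flaw), since an account created legitimately can otherwise submit the same key later. Logging submissions that carry protected keys gives a cheap signal for attempts, whether or not the handler is patched.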

Arbitrary file upload is the third flaw present in the image uploader component (CVE-2021-34623). The image uploader in ProfilePress was insecurely implemented using the exif_imagetype function to determine whether a file was safe or not. An attacker could disguise a malicious file by uploading a spoofed file which would bypass the exif_imagetype check.

The fourth and last flaw, CVE-2021-34624, is present in the plugin’s ‘custom fields’ functionality, which also performs a check for malicious files, and could likewise be exploited to achieve RCE.
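The two file upload flaws share one root cause: deciding that an upload is an image from its leading bytes alone, which is all exif_imagetype inspects, and then storing it under the client's file name. Here is an added Python illustration of that check beside a hardened version (not ProfilePress code; the upload directory is an assumed example path). The hardened version requires the extension to agree with the detected content, applies a structural check where one is cheap, and stores the file under a server-generated name outside the web root, so that even a polyglot that passes the magic-byte check cannot be served as script. The sample bytes are constructed.

```python
import os
import secrets

# Added illustration of the defect behind CVE-2021-34623/34624; not ProfilePress code.
# Upload directory is an assumed example path outside any web root.

MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpg",
}
EXT_FOR_KIND = {"png": {"png"}, "gif": {"gif"}, "jpg": {"jpg", "jpeg"}}


def sniff_image_type(data: bytes):
    """Python analogue of exif_imagetype: classify on the magic bytes only."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def vulnerable_accept(filename: str, data: bytes) -> str:
    """Vulnerable: magic bytes decide, and the client-supplied name is kept. A file that
    begins with GIF89a but otherwise contains server-side script, uploaded under a
    script extension, passes and is stored where the web server may execute it."""
    if sniff_image_type(data) is None:
        raise ValueError("not an image")
    return filename


def png_header_ok(data: bytes) -> bool:
    """Minimal structural check: the first chunk after the PNG signature is a 13-byte IHDR."""
    return (len(data) >= 33
            and int.from_bytes(data[8:12], "big") == 13
            and data[12:16] == b"IHDR")


def hardened_accept(filename: str, data: bytes, upload_dir: str = "/srv/uploads-private") -> str:
    """Hardened: extension allowlist that must agree with the sniffed type, a structural
    check where available, and a server-generated name. Returns the storage path."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff_image_type(data)
    if kind is None:
        raise ValueError("not an image")
    if ext not in EXT_FOR_KIND[kind]:
        raise ValueError(f"extension .{ext} does not match detected {kind}")
    if kind == "png" and not png_header_ok(data):
        raise ValueError("malformed PNG")
    stored = f"{secrets.token_hex(16)}.{kind}"   # client name is never reused
    return os.path.join(upload_dir, stored)


# Constructed inputs: a GIF-prefixed polyglot and a minimal PNG header (CRC left zero).
SPOOFED_UPLOAD = b"GIF89a" + b"<?php /* constructed polyglot body for the example */ ?>"
MINIMAL_PNG = (
    b"\x89PNG\r\n\x1a\n" + (13).to_bytes(4, "big") + b"IHDR"
    + (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + bytes([8, 6, 0, 0, 0])
    + b"\x00\x00\x00\x00"
)

if __name__ == "__main__":
    print("vulnerable accepts:", vulnerable_accept("avatar.php", SPOOFED_UPLOAD))
    print("hardened stores at:", hardened_accept("avatar.png", MINIMAL_PNG))
```

Note that the hardened check still accepts a GIF-prefixed polyglot uploaded as `.gif`; that is acceptable only because the file is stored under a random name with an image extension, outside the web root, and served back by the application rather than executed. Re-encoding the image with an image library before storage is the stronger option where a dependency is available.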

ProfilePress, formerly known as WP User Avatar, facilitates the uploading of WordPress user profile images and is installed on over 400,000 sites. Its only functionality was to upload photos; however, a recent change saw the plugin augmented with new features including user login and registration. Unfortunately, the new features introduced several security flaws. 

Chloe Chamberland, threat analyst at Wordfence, discovered the bug by using a tool called WPDirectory to search the WordPress plugin repository for specific lines of code. “I did a routine search for wp_ajax hooks and found that this plugin had introduced some new AJAX actions that I hadn’t previously noticed before, which led to me further investigating them,” the researcher said.