A major flaw in Delinea's Secret Server SOAP API was discovered this week, prompting security professionals to rush to implement a fix. However, a researcher claims he contacted the privileged access management provider weeks ago to notify them of the flaw, only to be informed he was not authorized to file a case.
Delinea first revealed the SOAP endpoint issue on April 12. The next day, Delinea teams released an automatic remedy for cloud deployments and a download for on-premises Secret Servers. But Delinea was not the first to sound the alarm.
The vulnerability, which has yet to be issued a CVE, was first publicly exposed by researcher Johnny Yu, who presented a full study of the Delinea Secret Server issue and stated that he had been attempting to contact the vendor since February 12 to responsibly disclose the bug. After working with Carnegie Mellon University's CERT Coordination Center and seeing no reaction from Delinea for weeks, Yu decided to publish his findings on February 10.
The lack of information regarding the response points to "issues" with Delinea's patching processes, according to Callie Guenther, senior manager of threat research at Critical Start. However, she emphasizes that the crushing weight of vulnerability management is harming everyone.
The National Institute of Standards and Technology (NIST) recently stated that it is unable to keep up with the number of vulnerabilities submitted to the National Vulnerability Database and has requested assistance from both the government and the commercial sector.
1. Inclusivity Matters
Vendors must revisit their bug submission policies. Excluding independent researchers like Yu can hinder the discovery of critical flaws. A more inclusive approach—one that welcomes input from all corners—can only strengthen our collective security posture.
2. Communication Is Key
Prompt communication is essential. When researchers encounter vulnerabilities, they need a clear channel to report them. Vendors should actively engage with the security community, acknowledge submissions promptly, and provide transparent timelines for fixes.
3. Transparency Builds Trust
Delinea’s delayed response eroded trust. Transparency about the vulnerability’s impact, the timeline for resolution, and the steps taken to mitigate risk fosters goodwill. Vendors should be open about their processes and demonstrate commitment to security.
4. Collaboration Over Competition
Researchers and vendors share a common goal: securing systems. Rather than racing against each other, they should collaborate. A cooperative approach benefits everyone—vendors get timely fixes, and researchers contribute to a safer digital ecosystem.
The vulnerability resides within Lighttpd, a lightweight and efficient open-source web server commonly used for high-traffic websites. Researchers at the firmware security firm Binarly stumbled upon this flaw, which had gone unnoticed for years. It lies in the handling of "folded" HTTP request headers and leads to a heap out-of-bounds (OOB) read.
The Lighttpd developers silently patched the issue in version 1.4.51 in August 2018 without requesting a tracking ID (CVE).
Because of this, the AMI MegaRAC BMC developers overlooked the change and never incorporated it into their firmware. As a result, system vendors and their customers further down the supply chain were left exposed to the vulnerability.
BMCs are microcontrollers integrated into server-grade motherboards, such as those found in cloud and data center systems; they allow for firmware updates, remote management, restarting, and monitoring of the device.
Binarly found that AMI did not apply the Lighttpd patch from 2019 until 2023, so numerous devices susceptible to the remotely exploitable flaw were deployed throughout that period.
The vulnerability allows attackers to exfiltrate process memory addresses, a critical piece of information. Armed with this data, malicious actors can bypass security mechanisms like Address Space Layout Randomization (ASLR). In essence, the flaw undermines the very protection mechanisms designed to prevent unauthorized access.
The story takes an unexpected twist as we trace the flaw’s journey through the supply chain. The maintainers of Lighttpd patched the vulnerability silently in August 2018 (version 1.4.51), without assigning a tracking ID (CVE). Unfortunately, this stealthy fix allowed the flaw to persist in the wild.
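To make the "folded header" edge case concrete, here is an added example (written for this article, not Lighttpd's own parser) of a bounds-aware HTTP request-head parser in Python. A folded line, one that begins with a space or tab, continues the value of the field on the previous line, so the parser must always know which field that is; the case it refuses outright is a continuation line that has no preceding field to attach to. The byte limits, the field names and the sample request are constructed for the example, and the exact trigger condition of the Lighttpd bug is not described on this page beyond "folded headers", so the code shows the general defensive handling rather than reproducing that bug.

```python
import re
from typing import Dict, Tuple

# Hypothetical limits for this example; not Lighttpd's own configuration values.
MAX_HEAD_BYTES = 8192
MAX_FOLDS_PER_FIELD = 8

# RFC 7230 "token" characters permitted in a header field name.
_TOKEN = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")


class HeaderParseError(ValueError):
    """Raised for any request head the parser refuses to accept."""


def parse_request_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Parse a request line plus header fields, unfolding obs-fold lines.

    A line starting with SP or HTAB continues the value of the *previous*
    field. The parser tracks which field that is; if there is none (the fold
    directly follows the request line, or the previous line was rejected) it
    raises instead of guessing, because "look back at the previous line" is
    exactly the step a buffer-based parser must bound-check with care.
    """
    if len(raw) > MAX_HEAD_BYTES:
        raise HeaderParseError("request head too large")
    head, terminator, _ = raw.partition(b"\r\n\r\n")
    if not terminator:
        raise HeaderParseError("request head not terminated by an empty line")

    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    if not request_line or request_line[0] in " \t":
        raise HeaderParseError("malformed request line")

    headers: Dict[str, str] = {}
    last_name = None   # name of the field a continuation line would extend
    folds = 0

    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            # obs-fold: only meaningful when a field precedes it.
            if last_name is None:
                raise HeaderParseError("continuation line with no preceding header field")
            folds += 1
            if folds > MAX_FOLDS_PER_FIELD:
                raise HeaderParseError("too many folded lines in one field")
            headers[last_name] += " " + line.strip().decode("latin-1")
            continue

        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.fullmatch(name):
            raise HeaderParseError("malformed header line: %r" % line)
        key = name.decode("ascii").lower()
        val = value.strip().decode("latin-1")
        # Repeated fields are joined with a comma, as HTTP allows.
        headers[key] = val if key not in headers else headers[key] + ", " + val
        last_name = key
        folds = 0

    return request_line, headers


def request_head_is_valid(raw: bytes) -> bool:
    """True if the head parses cleanly, False if the parser rejects it."""
    try:
        parse_request_head(raw)
        return True
    except HeaderParseError:
        return False


if __name__ == "__main__":
    # Constructed sample: a folded If-Modified-Since value, as a legacy client might send.
    sample = (b"GET /index.html HTTP/1.1\r\n"
              b"Host: bmc.example.test\r\n"
              b"If-Modified-Since: Sat, 01 Jan 2000\r\n"
              b" 00:00:00 GMT\r\n\r\n")
    print(parse_request_head(sample))
    print(request_head_is_valid(b"GET / HTTP/1.1\r\n folded-first\r\n\r\n"))
```

The point of the `last_name` bookkeeping is that the decision "where does this continuation belong" is made from parser state, never by scanning backwards through the raw buffer, so a fold in an unexpected position fails closed rather than reading memory that is not part of the request.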
Several vendors unwittingly shipped devices with this vulnerability, including Intel, Lenovo, and Supermicro. Let’s explore the impact of each:
Intel
The vulnerability affects the M70KLP series firmware (latest version).
Internal identifier: BRLY-2024-002.
Approximately 2000+ Intel server models remain vulnerable.
Lenovo
Lenovo’s BMC firmware (latest version) harbors the same flaw.
Impacted server models: HX3710, HX3710-F, and HX2710-E.
Internal identifier: BRLY-2024-003.
Supermicro
While not explicitly mentioned, Supermicro devices are likely affected due to their reliance on Lighttpd. The flaw underscores the need for thorough security assessments across the board.
The oversight in communication between vendors, maintainers, and end-users has resulted in the shipment of hackable hardware. These devices unwittingly expose sensitive information, jeopardizing the security of data centers, cloud services, and critical infrastructure.
As the flaw’s existence becomes public knowledge, vendors must act swiftly:
Patch and Update: Vendors should release patches addressing the vulnerability promptly.
Security Audits: Rigorous security audits are essential to identify and rectify hidden flaws.
Transparency: Clear communication channels between maintainers, vendors, and end-users are crucial.
According to a recent discovery by Varonis Threat Labs, two new techniques have emerged that pose a significant threat to data security within SharePoint, a widely used platform for file management. These techniques enable users to evade detection and retrieve files without triggering alarm bells in audit logs.
Technique 1: Open in App Method
The first technique leverages SharePoint's "open in app" feature, allowing users to access and download files while leaving behind only access events in the file's audit log. This method, which can be executed manually or through automated scripts, enables rapid exfiltration of multiple files without raising suspicion.
Technique 2: SkyDriveSync User-Agent
The second technique exploits the User-Agent for Microsoft SkyDriveSync, disguising file downloads as sync events rather than standard downloads. By mislabeling events, threat actors can bypass detection tools and policies, making their activity harder to track.
Implications for Security
These techniques pose a significant challenge to traditional security tools such as cloud access security brokers and data loss prevention systems. By hiding downloads as less suspicious access and sync events, threat actors can circumvent detection measures and potentially exfiltrate sensitive data unnoticed.
Microsoft's Response
Despite Varonis disclosing these methods to Microsoft, the tech giant has designated them as a "moderate" security concern and has not taken immediate action to address them. As a result, these vulnerabilities remain in SharePoint deployments, leaving organisations vulnerable to exploitation.
Recommendations for Organisations
To alleviate the risk posed by these techniques, organisations are advised to closely monitor access events in their SharePoint and OneDrive audit logs. Varonis recommends leveraging User and Entity Behavior Analytics (UEBA) and AI features to detect and stop suspicious activities, such as mass file access.
What Are the Risks?
While SharePoint and OneDrive are essential tools for facilitating file access in organisations, misconfigured permissions and access controls can inadvertently expose sensitive data to unauthorised users. Threat actors often exploit these misconfigurations to exfiltrate data, posing a significant risk to organisations across various industries.
Detection and Prevention Strategies
To detect and prevent unauthorised data exfiltration, organisations should implement detection rules that consider behavioural patterns, including frequency and volume of sync activity, unusual device usage, and synchronisation of sensitive folders. By analysing these parameters, organisations can identify and mitigate potential threats before they escalate.
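The detection rules recommended above can be expressed directly over audit events. The following added example (not Varonis's or Microsoft's code) runs three behavioural rules in Python over a constructed batch of SharePoint audit events whose field names follow the Office 365 unified audit log (`Operation`, `UserId`, `ClientIP`, `UserAgent`, `ObjectId`, `CreationTime`): a mass-access rule for the "open in app" pattern, which leaves `FileAccessed` rather than `FileDownloaded` events; a device rule that flags sync-client (`SkyDriveSync` user agent) traffic from a user/IP pair never seen syncing before; and a sensitive-folder rule for sync activity under a protected library. The thresholds, the sensitive path, the baseline of known sync devices and all sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import unquote, urlparse

# Illustrative thresholds; tune against your own tenant's baseline.
MASS_ACCESS_FILES = 4
MASS_ACCESS_WINDOW = timedelta(seconds=60)

# Hypothetical sensitive library paths (site-relative, URL-decoded).
SENSITIVE_PREFIXES = ("/sites/finance/Shared Documents/Payroll/",)

# Constructed baseline of (user, client IP) pairs already known to run the sync client.
KNOWN_SYNC_DEVICES: Set[Tuple[str, str]] = {("carol@example.test", "10.0.0.30")}

Alert = Tuple[str, str, str]   # (rule, user, detail)


def _when(e: Dict) -> datetime:
    return datetime.fromisoformat(e["CreationTime"].replace("Z", "+00:00"))


def _path(e: Dict) -> str:
    return unquote(urlparse(e["ObjectId"]).path)


def detect(events: Iterable[Dict],
           known_devices: Set[Tuple[str, str]] = KNOWN_SYNC_DEVICES) -> List[Alert]:
    """Run three behavioural rules over SharePoint/OneDrive audit events."""
    alerts: List[Alert] = []
    recent: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    fired: Set[Tuple[str, str]] = set()

    def fire(rule: str, user: str, detail: str) -> None:
        if (rule, user) not in fired:          # one alert per rule and user
            fired.add((rule, user))
            alerts.append((rule, user, detail))

    for e in sorted(events, key=_when):
        op, user = e["Operation"], e["UserId"]

        # Rule 1: "open in app" leaves FileAccessed, not FileDownloaded, so count
        # distinct files touched by one user inside a sliding time window.
        if op == "FileAccessed":
            window = recent[user]
            window.append((_when(e), _path(e)))
            cutoff = window[-1][0] - MASS_ACCESS_WINDOW
            window[:] = [w for w in window if w[0] >= cutoff]
            distinct = {p for _, p in window}
            if len(distinct) >= MASS_ACCESS_FILES:
                fire("mass_access", user,
                     f"{len(distinct)} distinct files in {MASS_ACCESS_WINDOW.seconds}s")

        # Sync-client traffic: FileSync* operations carrying the SkyDriveSync user agent.
        elif op.startswith("FileSync") and "SkyDriveSync" in e.get("UserAgent", ""):
            # Rule 2: sync from a (user, device) pair with no sync history.
            if (user, e["ClientIP"]) not in known_devices:
                fire("unusual_sync_device", user, e["ClientIP"])
            # Rule 3: sync activity touching a sensitive library.
            path = _path(e)
            if path.startswith(SENSITIVE_PREFIXES):
                fire("sensitive_folder_sync", user, path)

    return alerts


# Constructed sample events modelled on unified audit log fields (not real log data).
SAMPLE_EVENTS = [
    {"CreationTime": f"2024-04-15T09:00:{5 * i:02d}Z", "Operation": "FileAccessed",
     "UserId": "alice@example.test", "ClientIP": "10.0.0.10", "UserAgent": "Mozilla/5.0",
     "ObjectId": f"https://contoso.sharepoint.com/sites/finance/Shared%20Documents/Q{i + 1}.xlsx"}
    for i in range(4)
] + [
    {"CreationTime": "2024-04-15T09:01:00Z", "Operation": "FileSyncDownloadedFull",
     "UserId": "bob@example.test", "ClientIP": "203.0.113.7",
     "UserAgent": "Microsoft SkyDriveSync 24.010.0114.0003",
     "ObjectId": "https://contoso.sharepoint.com/sites/finance/Shared%20Documents/Payroll/april.xlsx"},
    {"CreationTime": "2024-04-15T09:02:00Z", "Operation": "FileSyncDownloadedFull",
     "UserId": "carol@example.test", "ClientIP": "10.0.0.30",
     "UserAgent": "Microsoft SkyDriveSync 24.010.0114.0003",
     "ObjectId": "https://contoso.sharepoint.com/sites/marketing/Shared%20Documents/brief.docx"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, alice trips the mass-access rule on her fourth distinct file inside the window, bob trips both sync rules (unknown device, payroll library), and carol's routine sync from a known device produces nothing. The device baseline is the part that needs real data: seed it from historical `FileSync*` events per user before enabling the rule, or it will alert on every existing sync client.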
At the heart of this vulnerability lies a seemingly innocuous hardware feature called the Data Memory-dependent Prefetcher (DMP). Prefetchers play a crucial role in predicting which memory addresses running code is likely to access next. By doing so, they reduce latency between the CPU and main memory, enhancing overall system performance. Unfortunately, within the DMP mechanism there is a bug: a tiny but devastating flaw.
Imagine a scenario where data stored in the chip is mistaken for a memory address and cached. This seemingly harmless error becomes the Achilles’ heel of Apple Silicon Macs. Here’s how the attack unfolds:
Malicious App Exploitation: A malicious app leverages the DMP bug repeatedly. Each time it does so, it gains a tiny piece of information—like a cryptographer deciphering a code.
Data Leakage via Cache Side Channels: The DMP treats certain data values as pointers, even when they aren’t. As a result, it leaks information via cache-side channels. These channels allow an attacker to infer what’s happening inside the chip, akin to eavesdropping on a conversation.
Decrypting Cryptographic Keys: Over time, the attacker accumulates enough leaked data to decrypt cryptographic keys. These keys protect sensitive information, including cryptocurrencies stored on the Mac.
The gravity of this flaw lies in its unpatchable nature. Unlike software vulnerabilities that can be fixed with a timely update, this issue is deeply ingrained in the architecture of the chips themselves. Seven researchers from different universities collaborated to uncover this vulnerability and aptly named their proof-of-concept app GoFetch.
The implications are far-reaching:
Cryptocurrency Holders Beware: If you’re a cryptocurrency enthusiast who stores digital assets on your Mac, this flaw should send shivers down your spine. Attackers could potentially gain access to your private keys, rendering your holdings vulnerable.
Corporate Espionage: Beyond cryptocurrencies, corporate secrets, intellectual property, and sensitive documents could be at risk. Imagine a corporate espionage scenario where a competitor gains unauthorized access to critical information.
National Security: Even national security agencies rely on secure communication channels. If their Macs are compromised, it could have severe consequences.
Apple faces a Catch-22 situation. While they can’t retroactively fix existing devices, they must address this flaw in future chip designs. Balancing security and performance is a tightrope walk, and this vulnerability underscores the need for rigorous scrutiny during chip development.
Until a hardware-level solution emerges, users can take the following steps:
Limit Sensitive Activities: Avoid performing sensitive tasks (such as cryptocurrency transactions) on affected Macs.
Air-Gapped Systems: Consider using air-gapped systems for critical operations. These systems are physically isolated from the internet, reducing exposure.
Third-Party Solutions: Explore third-party security tools that monitor and detect anomalous behavior.
At the core of this story lies the Aiohttp Python library, a popular asynchronous web framework used to build web apps and APIs. Sadly, a bug in the library has given attackers a way in.
The vulnerability, tracked as CVE-2024-23334, is a "directory traversal vulnerability." In other words, it lets unauthorized remote actors obtain files from a server that they are not permitted to access.
This is how the vulnerability works:
1. Insufficient Validation: When serving files from a static route, Aiohttp fails to validate the requested path properly. The problem arises specifically when the follow_symlinks option is set to True.
2. Accessing Files Outside the Root Directory: Attackers exploit this flaw to traverse directories and read files beyond the configured root directory. In simple terms, attackers can steal sensitive information such as databases, configuration files, and other important data.
The flaw rates 7.5 on the CVSS scale.
The impact of the flaw is concerning:
1. Ransomware Attacks: Ransomware-as-a-service (RaaS) operations are monetizing this flaw. Threat actors gain access to critical files, encrypt them, and demand heavy ransoms for decryption keys.
2. Global Exposure: Cyble has found around 43,000 web-exposed Aiohttp instances across the world. Many of these servers are located in the USA, Spain, Germany, and various Asian regions.
3. Data Exposure: Companies using Aiohttp may unknowingly expose sensitive files on the internet. Threat actors can abuse this loophole to steal important data, compromising user privacy and disrupting business operations.
Follow these steps to protect your systems:
1. Security Audits: Perform routine security audits of your web apps. Keep an eye out for instances of Aiohttp and verify that they are running patched versions.
2. Access Controls: Have strict access controls. Restrict the Aiohttp accessible directories to avoid unauthorized traversal.
3. Update Aiohttp: The Aiohttp development team immediately addressed the problem by releasing version 3.9.2. Make sure to update your Aiohttp installations as soon as possible.
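The root cause in step 1 above, a containment check that is skipped when symlinks are followed, is easiest to understand next to its hardened form. The added example below (written for this article; it does not import aiohttp and is not aiohttp's own code) contrasts a minimal path mapper with the flawed shape against one that checks containment in two stages: the lexically normalised path must stay under the static root regardless of settings, and the symlink target must stay under the root unless following symlinks was explicitly opted into. The real aiohttp entry point this models is `app.router.add_static(prefix, path, follow_symlinks=...)`; the function names, the temporary directory layout and the `demo()` harness are constructed for the example, and the two-stage check is this example's reading of the fix, not a quotation of it.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional


def unchecked_static_path(root: Path, requested: str, follow_symlinks: bool) -> Optional[Path]:
    """The flawed shape: containment is only verified when symlinks are NOT followed,
    so with follow_symlinks=True a '..' segment is never examined at all."""
    resolved = (root / requested.lstrip("/")).resolve()
    if not follow_symlinks:
        try:
            resolved.relative_to(root.resolve())
        except ValueError:
            return None
    return resolved if resolved.is_file() else None


def safe_static_path(root: Path, requested: str, follow_symlinks: bool = False) -> Optional[Path]:
    """Hardened shape: the lexical path must stay under root no matter what, and the
    symlink target must too unless follow_symlinks was opted into."""
    root = root.resolve()
    # Collapse '..' and '.' purely lexically, before touching the filesystem.
    candidate = Path(os.path.normpath(root / requested.lstrip("/")))
    try:
        candidate.relative_to(root)
    except ValueError:
        return None                      # a '..' segment escaped the root
    resolved = candidate.resolve()
    if not follow_symlinks:
        try:
            resolved.relative_to(root)
        except ValueError:
            return None                  # a symlink inside root points outside it
    return resolved if resolved.is_file() else None


def demo() -> Dict[str, bool]:
    """Build a throwaway tree (constructed for this example) and exercise both mappers."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "static"
        root.mkdir()
        (root / "app.js").write_text("console.log('ok');\n")
        (base / "secret.txt").write_text("outside the web root\n")
        (root / "link").symlink_to(base / "secret.txt")   # symlink escaping the root
        escape = "../secret.txt"
        return {
            "unchecked_leaks_with_follow": unchecked_static_path(root, escape, True) is not None,
            "safe_blocks_traversal_follow": safe_static_path(root, escape, True) is None,
            "safe_blocks_traversal_nofollow": safe_static_path(root, escape, False) is None,
            "safe_blocks_symlink_nofollow": safe_static_path(root, "link", False) is None,
            "safe_allows_symlink_when_opted_in": safe_static_path(root, "link", True) is not None,
            "safe_serves_normal_file": safe_static_path(root, "app.js") is not None,
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The lesson for step 2 (access controls) is the ordering: normalise and check containment before resolving, because `resolve()` happily follows `..` out of the root and a check applied only to the resolved path, or only in one branch, is what leaves the gap.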
Notably, one of the IP addresses linked to the attackers was previously associated with the infamous ShadowSyndicate group, which has a notorious history of involvement in ransomware attacks. This makes the exploitation of the Aiohttp flaw even more worrying.
The digital landscape is evolving, and so are cyber threats. The Aiohttp flaw is a reminder that caution and routine updates are a must. We should stay informed, patch our systems promptly, and strengthen our defenses against ransomware attacks.
Prevention is better than cure: a vigilant approach today will protect us from tomorrow's threats to our data.
As Mysk Inc. cybersecurity experts Tommy Mysk and Talal Haj Bakry have shown in a recent YouTube video, hackers only need a simple $169 hacking tool known as Flipper Zero, a Raspberry Pi, or just a laptop to pull off the hack.
This means that with a leaked email and a password, the owner could lose their Tesla car. The rise of AI technologies has increased phishing and social engineering attacks. As a responsible company, you must factor in such threats in your threat models.
And it's not just Tesla. You'll be surprised to know cybersecurity experts have always cautioned about the use of keyless entry in the car industry, which often leaves modern cars at risk of being hacked.
The problem isn't hacking in the sense of breaking into software; it's a social engineering attack that tricks a car owner into handing over their information. Using a Flipper, the researchers create a WiFi network called "Tesla Guest," the same name Tesla uses for its guest networks at service centers. They then set up a fake website resembling Tesla's login page.
After this, it's a cakewalk. In this case, hackers broadcast networks around a charging station, where a bored driver might be looking to connect over WiFi. The owner (here, the victim) connects to the WiFi and fills in their username and password on the fake Tesla website.
The hacker uses the provided login credentials and gains access to the real Tesla app, which prompts a two-factor authentication code. The victim puts the code into the fake site, and hackers get access to their account.
Once you've trespassed into the Tesla app, you can create a "phone key" to unlock and control the car via Bluetooth using a smartphone. Congratulations, the car is yours!
Mysk has demonstrated the attack in a YouTube video.
Mysk says that Tesla doesn't alert the owner if a new key is created, so the victim doesn't know they've been breached. And the bad guy doesn't have to steal the car right away, because the app shows the location of the car.
The Tesla owner can charge the car and drive it somewhere else; the thief just has to trace its location and steal it, without needing a physical key card. Yes, it's that easy.
Mysk tested the design flaw on his own Tesla and discovered he could easily create new phone keys without having access to the original key card, even though Tesla's owner's manual states that this isn't possible.
When Mysk informed Tesla about his findings, the company said it was all by design and "intended behaviour," underplaying the flaw.
Mysk disagrees, stressing that phone-key pairing has been made this easy only at the cost of security. He argues that Tesla could easily fix this vulnerability by alerting users whenever a new phone key is created.
But without any efforts from Tesla, the car owners might as well be sitting ducks.
A more sophisticated computer or machine isn't necessarily a more secure one; the extra layers of complexity make us more vulnerable. Two decades ago, all you needed to steal a car was the driver's key or a way to hot-wire the vehicle. But if your car key is a bundle of ones and zeroes, you must rethink the car's safety.