Several zero-day vulnerabilities in a home baby monitor could let threat actors hijack the camera feed and plant malicious code such as malware. The security issues were found by BitDefender researchers in IoT devices made by China-based developer Victure. In a security report, BitDefender disclosed a stack-based buffer overflow in the ONVIF server component of the Victure PC420 camera that allows attackers to execute code remotely on the victim device. Once a device is compromised, an attacker can discover cameras they do not own, command devices to broadcast their feeds to third parties, and exploit the camera firmware.
"When choosing a baby monitor, the security aspect should trump features or price point. This is because similar vulnerabilities have been used in the past by threat actors to directly communicate with children, thus exposing them to interactions with adults outside the family's circle of trust," Daily Swig reports. As of now, Victure isn't aware of the complete attack scenario, but it believes that a hacker could exploit the vulnerabilities to spy on residents through these cameras continuously, or let other users do the same.
Users rely on the camera and its cloud features, and according to experts around 4 million cameras across the world are affected by the issue. The vulnerability affects Victure PC420 firmware versions 1.2.2 and earlier. BitDefender released its report on the vulnerabilities after trying to contact Victure to inform it about the issues; the firm made several attempts to get in touch with the company and offer assistance in dealing with them. It then decided to publish the report so that users would know about the vulnerabilities, since their privacy is at stake while their devices are connected.
Experts advise users to stop using the devices immediately, and residents should give security priority over the device. "We have been warning about the dangers of vulnerable video equipment for years and we started this vulnerability research project to help parents protect their privacy, as well as their children's. Sometimes, vendors choose to ignore these gaping holes and leave customers exposed instead," the researcher told Daily Swig.
Much like Icarus flying too close to the sun, CPU manufacturers, in trying to keep up with Moore's law, have left open a serious vulnerability that will haunt us for years to come. What is the cause of the vulnerability?
Almost all modern CPUs have a feature called "speculative execution", which increases speed by predicting which path of a branch is most likely to be taken and speculatively continuing execution down that path even before the branch condition has been resolved.
What is Meltdown and Spectre?
Both exploits abuse speculative execution to access "privileged memory", allowing a lower-privileged user process to read it.
So why is this a big issue?
One of the core security mechanisms is isolation of programs. Most programs run in an isolated space and can only access their own data. This stops malicious programs from reading or modifying others. This vulnerability breaks that core security principle, and since the vulnerability is at the hardware level, any software patch is limited in what it can do.
Essentially almost all the rules that protect programs in a computer from each other are now null and void.
How does this affect me?
This would allow any user-space process, for example JavaScript running in a browser, to read sensitive information from memory (sessions, passwords, etc.). It would also allow programs running with lower privileges to read kernel memory. Cloud service providers, who rely heavily on isolation, are also affected.
There are innumerable combinations of attacks possible due to this vulnerability. We will be seeing many more "exploits" that make use of this vulnerability for specific systems and programs in the future.
POC:
How are they different?
Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.
Spectre is easier to fix than Meltdown.
Why is it called Meltdown?
The bug basically melts security boundaries which are normally enforced by the hardware.
Why is it called Spectre?
The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time.
How do I know if I am vulnerable?
Almost all Intel processors made since 1995 are vulnerable to Meltdown.
Almost all devices (desktops, laptops, smartphones, etc.) are affected by Spectre. The vulnerability has been verified on AMD, Intel and ARM processors.
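On Linux, the kernel answers the "am I vulnerable" question itself through status files under /sys/devices/system/cpu/vulnerabilities (kernels 4.15 and later, plus distribution backports). The script below is an added example, not part of the original post; it parses those files into a per-issue verdict and, so it can run anywhere, falls back to constructed sample contents when the sysfs tree is absent.

```python
import os
from typing import Dict

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status: str) -> str:
    """Map one status file's text to vulnerable / mitigated / not_affected / unknown."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def summarise(contents: Dict[str, str]) -> Dict[str, str]:
    """contents maps issue name -> raw file text; a missing issue reads as 'unknown'."""
    return {name: classify(contents.get(name, "")) for name in ISSUES}


def read_sysfs(path: str = SYSFS_DIR) -> Dict[str, str]:
    """Read the real status files if this kernel exposes them; empty dict otherwise."""
    out = {}
    for name in ISSUES:
        try:
            with open(os.path.join(path, name)) as fh:
                out[name] = fh.read()
        except OSError:
            pass  # older kernel or not Linux: leave the entry out
    return out


# Constructed sample in the same one-line format those files use; not from a real host.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Not affected\n",
}

if __name__ == "__main__":
    data = read_sysfs() or SAMPLE
    for name, state in summarise(data).items():
        print(f"{name:12s} {state}")
```

Anything reported as vulnerable or unknown after patching means the microcode or kernel update has not taken effect on that host.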
How do I patch?
Please have a look at this great list that gizmodo provides:
There have been reports that the patches have caused a 10-30% reduction in system performance (which Intel denies). We might need to wait and watch for at least a week to get clarity on this issue.
A note to the security community:
It would be easy to blame the chipset manufacturers and point fingers at them. But we really dropped the ball on this one. What should have been found much, much earlier has taken decades to come to light, and now it is going to affect us for years.
Why is that?
Have all of us been so concentrated on OS, application, networking and web-level vulnerabilities that we have completely forgotten to check the base they all run on?
I think all of us (including me) should start looking into how we can help identify such vulnerabilities in the future.
We should also take a serious look at disclosure timelines and practices. Who decides how to approach disclosure of such high-impact vulnerabilities? Yes, I understand the logic that the "bigger" tech companies are given first priority so that the majority of users are patched. But such a long drawn-out timeline (this bug was found in June 2017, 6 months ago) seriously puts the small guys at risk, as it increases the chances of one rogue person exploiting such vulnerabilities silently.
While the US CERT might have been aware of this vulnerability, were regional CERTs like CERT-IN informed? Why not?
From reading the first set of advisories I can see that only "Western" companies seem to have been aware of this vulnerability before Jan 3rd. Why is that? Does our industry have a bias? Think on this.
This also brings in ethically gray issues like this:
https://www.businessinsider.in/intel-was-aware-of-the-chip-vulnerability-when-its-ceo-sold-off-24-million-in-company-stock/articleshow/62359605.cms
Should our CIOs, CTOs and CEOs be allowed to sell company stock once they know that there is a security breach or a vulnerability? Who watches them and ensures compliance? Are the current laws against insider trading enough? All of these are questions that need to be answered sooner or later.
Flaws in Sauter's moduWEB Vision SCADA product can be exploited by remote attackers to take full control of the product. The flaws were identified by researchers at vulnerability management company Outpost24.
Sauter is a Switzerland-based company that specializes in building automation and system integration products. moduWEB Vision is a web-based visualization solution designed to allow users to operate and monitor building technologies remotely.
One of the flaws in the product is that, although Sauter tells its users to change the password of the administrator account, there are other default accounts that are not covered in the vendor's documentation, leaving them exposed to attackers.
The attackers can then reset the system to its default configuration, change the configuration or disable devices, and modify all passwords.
The attackers do not need to crack the hash to access the admin account; instead they can use it directly to authenticate to the system.
The research team found that some of the passwords are transmitted in clear text (CVE-2015-7915) when the password field is populated in cases where the "keep me logged in" feature is enabled, but this feature is only available in newer versions of the SCADA system.
In addition, an attacker can leverage a persistent cross-site scripting vulnerability found in the user and events management panels to elevate privileges and execute commands on behalf of an administrator.
Installations of the product are exposed to the internet, which makes it easy to find them and their flaws, because the product runs on a web server that returns specific header information.
The vendor has released firmware version 1.6.0 to address the issues, but Outpost24 alleges that some of the vulnerabilities remain unaddressed.
The vulnerabilities were reported to the company last year in April.
Security company FireEye is no stranger to vulnerabilities being found in its products. This time, FireEye has rushed to patch a remote code execution (RCE) vulnerability in its Malware Protection System (MPS) reported by Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich.
FireEye said that the RCE vulnerability affected the company's Network Security (NX), Email Security (EX), Malware Analysis (AX), and File Content Security (FX) products.
Researchers have found vulnerabilities in FireEye's products before. In September, FireEye patched vulnerabilities reported by Kristian Erik Hermansen and Ron Perris. Hermansen claimed that he had disclosed the details of a flaw 18 months prior to its public disclosure, before FireEye could release a fix.
In September, five other vulnerabilities were reported by German security firm ERNW. The issues, including command injection, code execution, privilege escalation and memory corruption vulnerabilities, affected the NX, EX, AX, FX, HX (Endpoint Security) and CM (Central Management) products.
FireEye spokesman Kyrksen Storer said that due to the vulnerability’s severity, the company had released an automated remediation to customers just 6 hours after its notification.
“We are thankful for the opportunity to support the Google team in this process, will continue to support their efforts, and fully support the broader security research community’s efforts to test and improve our products,” Storer added.
Researchers from Trend Micro have found suspicious URLs hosting a newly discovered zero-day exploit in Java. A zero-day refers to a hole in software that is exploited by attackers before the vendor becomes aware of it.
Brooks Li, a threat analyst and Feike Hacquebord, a senior threat researcher, who spotted this exploit, said that this was the first time in nearly two years that a new Java zero-day vulnerability was reported.
The researchers came to know about this exploit after receiving feedback from their Smart Protection Network.
According to the report, this new zero-day Java exploit is being used in spear-phishing attacks targeting the armed forces of a certain NATO country and a US defense organization.
This zero-day bug affects only the latest Java version, 1.8.0.45, and not the older versions Java 1.6 and 1.7.
The vulnerability is still not patched by the company concerned.
According to the report, the URLs hosting the new Java zero-day exploit are similar to the URLs seen in the attack launched by the threat actors behind Pawn Storm that targeted North Atlantic Treaty Organization (NATO) members and the White House in April 2015.
The researchers have asked users to disable Java in their browsers if it was only installed for the sake of a particular application.
Drupal, an open source content management system used by several organizations including the White House, the Prince of Wales, British Council EAL and Amnesty International, has urged users running either Drupal 6 or Drupal 7 to upgrade their websites immediately.
Drupal 6 users are asked to upgrade to version 6.36 and Drupal 7 users to version 7.38.
The Drupal Security Team has released critical software updates to close flaws that leave numerous businesses and government organizations open to attack.
“A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts,” the company’s advisory reads.
“This vulnerability is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers (including, but not limited to, Verisign, LiveJournal, or StackExchange),” the advisory explains.
The vulnerability could allow attackers to impersonate other users, including all-powerful administrators, and thereby gain control of an unpatched website.
“The Field UI module uses a "destinations" query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks,” the advisory reads.
“Similarly, the overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability,” the advisory explains.
The vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission, and that the Overlay module must be enabled.
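The Field UI and Overlay issues quoted above are both open redirects: a "destinations"-style parameter is trusted to name where the user goes next. The function below is an added example written in Python, not Drupal's own PHP code, of the check such a parameter needs before it is placed in a redirect; the inputs are constructed and the accepted form is deliberately conservative (same-site paths only).

```python
from urllib.parse import urlsplit, urlunsplit


def safe_destination(dest: str, fallback: str = "/") -> str:
    """Return dest only if it is a path on this site; otherwise return fallback.

    Rejected forms (all constructed for illustration):
      - absolute URLs to any host, e.g. http://evil.invalid/
      - protocol-relative URLs, e.g. //evil.invalid/ or ///evil.invalid
      - backslash variants such as /\\evil.invalid, which some browsers
        normalise to a forward slash before resolving
      - scheme tricks such as javascript:alert(1)
      - anything containing control characters (header injection)
    """
    if not dest or any(ord(c) < 0x20 or c == "\x7f" for c in dest):
        return fallback
    candidate = dest.replace("\\", "/")
    # Must be an absolute path on this origin, and not a //host form.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return fallback
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return fallback
    # Rebuild from the parsed parts so only path, query and fragment survive.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


def redirect_after_action(query: dict, default: str = "/admin") -> str:
    """Mock of an admin action handler: pick the post-action redirect target."""
    return safe_destination(query.get("destinations", ""), default)


if __name__ == "__main__":
    # Constructed sample values a request might carry in ?destinations=...
    for value in ("/admin/config?x=1", "http://evil.invalid/", "//evil.invalid/",
                  "/\\evil.invalid", "javascript:alert(1)", "/node/1#top"):
        print(f"{value!r:28} -> {safe_destination(value)!r}")
```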
A security researcher has disclosed a flaw in the keyboard pre-installed on Samsung Android devices, including the recently released Galaxy S6, which is installed on the devices of over 600 million Samsung mobile users and could allow attackers to take full control of the smartphone or tablet.
Ryan Welton, a mobile security researcher at NowSecure, who discovered the vulnerability, wrote in the blog, “A remote attacker capable of controlling a user’s network traffic can manipulate the keyboard update mechanism on Samsung phones and execute code as a privileged (system) user on the target’s phone. The Swift keyboard comes pre-installed on Samsung devices and cannot be disabled or uninstalled. Even when it is not used as the default keyboard, it can still be exploited.”
The researcher said that the vulnerability was discovered last year. Samsung was notified in December 2014; however, Samsung asked NowSecure not to disclose the flaw until it could fix the problem.
NowSecure also notified CERT, which assigned CVE-2015-2865, and informed the Google Android security team.
The researcher pointed out that the flaw could allow an attacker to:
- Access sensors and resources like GPS, camera and microphone.
- Secretly install malicious app(s) without the user knowing.
- Tamper with how other apps work or how the phone works.
- Eavesdrop on incoming/outgoing messages or voice calls.
- Attempt to access sensitive personal data like pictures and text messages.
According to the researcher, the affected keyboard application can't be uninstalled. Similarly, it is not easy for a Samsung mobile device user to tell whether the carrier has patched the problem with a software update.
“However, in order to reduce the risk, avoid insecure Wi-Fi networks, use a different mobile device and contact your carrier for patch information and timing,” the researcher added.
Zomato, an online restaurant search and discovery service providing information on home delivery, dining out, cafés and nightlife in various cities across India and 21 other countries, has fixed a bug that could have allowed an attacker to gain access to the personal information of millions of users.
Anand Prakash discovered an Insecure Direct Object Reference (IDOR) vulnerability in the Zomato website.
IDOR occurs when an application provides direct access to objects based on user-supplied input. The vulnerability allows attackers to bypass authorization and access resources in the system directly by modifying the value of a parameter that points to an object, for example a database record or a file.
One of the API calls used for retrieving user information was insecurely coded. It fetched the information based only on the "browser_id" parameter passed in an HTTP GET request and failed to verify that the requesting user was authorized to access the requested data.
By sequentially changing the 'browser_id' value, an attacker was able to access users' personal information, such as names, email addresses, phone numbers and dates of birth.
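The defect and its fix, as an added illustration in Python rather than Zomato's actual API code: the vulnerable lookup trusts the client-supplied browser_id alone, while the hardened lookup binds the record to the authenticated session and strips third-party secrets from the response. Endpoint names, session ids and all records are constructed placeholders.

```python
from typing import Optional

# Constructed sample records keyed by browser_id (placeholder values only).
USERS = {
    1001: {"name": "Alice", "email": "alice@example.invalid", "phone": "555-0100",
           "dob": "1990-01-01", "instagram_token": "IGTOKEN-ALICE-PLACEHOLDER"},
    1002: {"name": "Bob", "email": "bob@example.invalid", "phone": "555-0101",
           "dob": "1985-05-05", "instagram_token": "IGTOKEN-BOB-PLACEHOLDER"},
}

# Which browser_id each authenticated session (constructed) is allowed to see.
SESSIONS = {"sess-alice": 1001, "sess-bob": 1002}

# Fields that may leave the server; an Instagram access token never should.
PUBLIC_FIELDS = ("name", "email", "phone", "dob")


class Forbidden(Exception):
    """Raised for both 'not authenticated' and 'not yours' (one response shape)."""


def get_user_info_vulnerable(browser_id: int) -> Optional[dict]:
    """The IDOR pattern: the id from the query string is the whole access check."""
    return USERS.get(browser_id)


def get_user_info_hardened(session_id: str, browser_id: int) -> dict:
    """Authorize against the session first, then release only public fields."""
    owner = SESSIONS.get(session_id)
    if owner is None:
        raise Forbidden("not authenticated")
    if owner != browser_id:
        # Same outcome as an unknown id, so the caller learns nothing about others.
        raise Forbidden("not authorized")
    record = USERS[browser_id]
    return {k: record[k] for k in PUBLIC_FIELDS}


def records_reachable(fetch, ids) -> int:
    """Regression check for the fix: how many of `ids` does `fetch` hand back?"""
    hits = 0
    for bid in ids:
        try:
            if fetch(bid) is not None:
                hits += 1
        except Forbidden:
            pass
    return hits
```

With records_reachable, the vulnerable handler returns every existing record for a swept id range, while the hardened handler bound to one session returns exactly one.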
"The data leaked also had Instagram access token which could be used to see private photos on Instagram of respective Zomato users,” Prakash wrote in his blog.
Prakash reported the vulnerability to Deepinder Goyal, CEO of Zomato, on June 1, and the next day (June 2) the flaw was fixed by Gunjan Patidar and his engineering team.