Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label firmware. Show all posts

D-Link Urges Replacement of End-of-Life VPN Routers Amid Critical Security Vulnerability

 

D-Link has issued a strong warning to its customers, advising them to replace certain end-of-life (EoL) VPN router models immediately. This follows the discovery of a critical unauthenticated remote code execution (RCE) vulnerability that will not be addressed with security patches for the affected devices. The vulnerability was reported to D-Link by security researcher “delsploit,” although technical details have been withheld to prevent widespread exploitation. The flaw impacts all hardware and firmware versions of the DSR-150, DSR-150N, DSR-250, and DSR-250N models, particularly firmware versions 3.13 to 3.17B901C. 

These routers, which have been popular among home offices and small businesses worldwide, officially reached their end-of-service (EoS) status on May 1, 2024. D-Link’s advisory makes it clear that no further security updates will be issued for these devices. Customers are strongly encouraged to replace the affected models to avoid potential risks. For users who continue using these devices despite the warnings, D-Link suggests downloading the latest available firmware from their legacy website. 

However, it is important to note that even the most up-to-date firmware will not protect the routers from the RCE vulnerability. The company also cautions against using third-party open-firmware solutions, as these are unsupported and will void any product warranties. D-Link’s policy not to provide security fixes for EoL devices reflects a broader strategy within the networking hardware industry. The company cites factors such as evolving technologies, market demands, and product lifecycle maturity as reasons for discontinuing support for older models. The issue with D-Link routers is not an isolated case. 

Earlier this month, researcher “Netsecfish” revealed CVE-2024-10914, a command injection flaw affecting thousands of EoL D-Link NAS devices. Similarly, three critical vulnerabilities were recently disclosed in the D-Link DSL6740C modem. In both instances, the company chose not to release updates despite evidence of active exploitation attempts. The growing trend of security risks in EoL networking hardware highlights the importance of timely device replacement. 

As D-Link warns, continued use of unsupported routers not only puts connected devices at risk but may also leave sensitive data vulnerable to exploitation. By replacing outdated equipment with modern, supported alternatives, users can ensure stronger protection against emerging cybersecurity threats.

DrayTek Patches 14 Vulnerabilities, Including Critical Buffer Overflow Flaws

 

DrayTek recently patched 14 vulnerabilities in 24 router models, including a critical buffer overflow flaw that could allow remote code execution (RCE) or denial of service (DoS). The vulnerabilities, identified by Forescout Research’s Vedere Labs and described in their “DRAY:BREAK” report, include two critical flaws, nine high-severity flaws, and three medium-severity issues. 

The most severe flaw, CVE-2024-41492, involves the “GetCGI()” function in the web user interface, allowing attackers to exploit query string parameters and execute RCE or DoS attacks. Another critical flaw, CVE-2024-41585, involves OS command injection via the “recvCmd” binary, which could lead to a virtual machine escape. Forescout’s analysis of exposed DrayTek devices revealed more than 700,000 connected devices vulnerable to similar flaws. Of these, nearly 38% remain susceptible to exploitation due to outdated firmware or years-old vulnerabilities. 

Notably, less than 3% of exposed devices have installed the latest firmware, with many still using version 3.8.9.2, which is over six years old. Furthermore, a significant portion of these devices, often used in business sectors such as healthcare and manufacturing, are vulnerable as they haven’t been updated to the latest firmware despite vendor recommendations. To mitigate the risk, organizations using DrayTek routers should immediately patch their devices with the latest firmware updates. Disabling remote access, enabling two-factor authentication, and implementing Access Control Lists (ACLs) are also vital measures to secure the devices. 

Furthermore, continuous monitoring using syslog logging for any unusual activity can help detect and mitigate potential threats. Forescout’s report emphasizes that outdated routers pose a serious threat, with about 63% of the exposed devices being end-of-sale or end-of-life (EoL) models. Such outdated devices are a prime target for attackers, as demonstrated by the addition of older DrayTek vulnerabilities to the Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities catalog. 

Although no evidence currently exists of exploitation of these newly discovered vulnerabilities, the risk remains high, especially given the long-standing pattern of recurring flaws in DrayTek devices. The security of DrayTek routers hinges on timely updates and robust security measures. The newly patched vulnerabilities, while not yet exploited, demonstrate the importance of ongoing vigilance and proactive cybersecurity measures, especially in industries reliant on these devices for network access.

Firmware Caution Advises MSI Cyberattack

 


Aside from gaming hardware manufacturers, modern corporations face constant attacks from malicious hackers and other digital no-goodniks. Corporations are not the only ones attacked by malicious hackers. MSI confirmed to its customers it had been attacked. 

MSI has enumerated its responsibility for how much damage has been caused. As a result, the company threatened to release proprietary software and source code. It has been reported that the Taiwanese computer manufacturer MSI (short for Micro-Star International)'s network has been compromised in a cyberattack. 

As reported earlier this week, a ransomware group has infiltrated MSI systems with the help of the Money Message ransomware attack. Unless the company pays a $4 million ransom fee to the hackers, well-protected corporate data will be released online next week. 

Asus advises all of its customers to ensure the latest BIOS and firmware updates are delivered only to the MSI website and not from anywhere else.

As expected, there are not many details, but it seems that MSI initiated "defense mechanisms and recovery measures" after detecting network anomalies and then notified law enforcement and the government. 

Earlier this week, in a filing with Taiwan's Stock Exchange (TWSE), first spotted by PCMag, MSI revealed that a cyberattack had occurred against some of its information service systems. The terrorist attack has been reported to the appropriate authorities. 

This group of criminals is demanding a $4 million ransom to avert the release of the entire data cache available on the web by the criminals. Although MSI does not specify details, the company warns customers not to download BIOS/UEFI files or firmware from any source other than the company's website. In light of this, it appears that compromised software is a current problem in the wild. 

It has been reported yesterday that there has been a cyberattack against the customer. The report stated that the attacker, a ransomware group called Money Message, has claimed to have stolen source code, a framework for developing bios and private keys. 

Moreover, the chat logs on this site showed that the group claimed to have stolen 1.5 TB of data. They wanted a ransom payment of over four million dollars for the stolen data. Whether these are connected or if MSI paid a ransom for these files is unclear. 

In a report, MSI representatives said that the company regained normal operations after restoring its systems. They have seen a minimal impact of the attack on their day-to-day operations. As long as customers exercise the usual level of due diligence when downloading software, drivers, and updates, they should not have too much to worry about if the company is telling the truth. According to rumors, this hack is unrelated to fraudulent emails in February. These emails purported to offer lucrative sponsorship deals to content creators through MSI.

In addition, MSI advises its customers to stick to the official MSI website exclusively for BIOS and firmware updates. This is preferable to downloading from unreliable sources like unknown websites or torrent download sites. If users search for unofficial - yet perfectly safe - firmware dumps on the internet for their devices, it would be rather pointless for them to look for modified or unofficial firmware dumps that are perfectly safe.

CISA Alerts on Serious Flaws in Industrial Equipment & Infrastructure

 

According to the US government's CISA and private security researchers, 56 vulnerabilities have been discovered in industrial operational technology (OT) systems from ten global manufacturers, including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk. 

Some of these flaws obtained CVSS severity ratings as high as 9.8 out of 10. This is especially unfortunate given that these devices are employed in vital infrastructure throughout the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and construction and automation industries. 

Remote code execution (RCE) and firmware vulnerabilities are the most serious security problems. If exploited, these flaws might allow criminals to shut down electricity and water infrastructure and damage the food supply. This is not to claim that all or any of these situations are practically achievable; rather, these are the kind of devices and processes involved. 

Forescout's Vedere Labs uncovered the flaws in devices produced by 10 vendors and used by the security firm's customers and termed them OT:ICEFALL. As per the researchers, the vulnerabilities affect at least 324 enterprises worldwide – a figure that is likely to be far higher in reality because Forescout only has access to its own clients' OT devices. In addition to the previously mentioned firms, the researchers discovered weaknesses in Bently Nevada, Emerson, JTEKT, Omron, Phoenix Contact, and Yokogawa devices.

OT Devices are insecure by design

The majority of issues are found in level 1 and level 2 OT devices. Physical processes are controlled by level 1 devices such as programmable logic controllers (PLCs) and remote terminal units (RTUs), whereas level 2 devices include supervisory control and data acquisition (SCADA) and human-machine interface systems.

In addition to the 56 highlighted in a Vedere report today, the threat-hunting team uncovered four more that are still being kept under wraps owing to responsible disclosure. One of the four allows an attacker to compromise credentials, two let an attacker to change the firmware of OT systems, and the fourth is an RCE through memory write flaw. 

Many of these flaws are the consequence of OT products' "insecure-by-design" build, according to Forescout's head of security research Daniel dos Santos. Several OT devices lack fundamental security protections, making them simpler for criminals to exploit, he said. 

Since that earlier analysis, "there have been real-word real incidents, real malware that has abused insecure-by-design functionality of devices to cause disruption and physical damage, like Industroyer in Ukraine in 2016, or Triton in the Middle East in 2017. One instance of insecure-by-design is unauthenticated protocols. So basically, whenever you interact with the device you can call sensitive functions on the device, invoke this function directly without it asking for a password," dos Santos stated.

The security researchers found nine vulnerabilities related to protocols that have no authentication on them: CVE-2022-29953, CVE-2022-29957, CVE-2022- 29966, CVE-2022-30264, CVE-2022-30313, CVE-2022-30317, CVE-2022-29952 and CVE-2022-30276. 

The majority of these may be used to download and run firmware and logic on other people's devices, resulting in RCEs, or shutdowns and reboots that can create a denial of service circumstances. In an ideal world, equipment employing these protocols is not linked to computers and other systems in such a way that a network intruder may abuse them. 

Credential compromise: Most common issue

Five of the flaws were noted more than once by Vedere Labs because they had various possible consequences. More than a third of the 56 vulnerabilities (38%) can be exploited to compromise user login credentials, while 21% might allow a criminal to change the firmware if exploited, and 14% are RCEs. 

Other vulnerability categories include denial of service and configuration manipulation (eight percent), authentication bypass (six percent), file manipulation (three percent), and logic manipulation (two percent). 

Fixing these security flaws will be difficult, according to the researchers, since they are the consequence of OT products being vulnerable by design, or because they need modifications in device firmware and supported protocols. 

As a result, they did not reveal all of the technical information for the faulty OT devices, which explains the lack of depth. They did, however, advise users to read each vendor's security advisory, which is expected to be released today or soon. Furthermore, where possible, the security shop suggests disconnecting OT and industrial control system networks from corporate networks and the internet.

Firmware Attacks can Leave Persistent Malware in the SSD's Hidden Section

 

Korean researchers have created a set of assaults against some solid-state drives (SSDs) that could allow malware to be planted at a position beyond the user's and security solutions' reach. The attack models are designed for drives with flex capacity characteristics and target a hidden section on the device known as over-provisioning, which is extensively used by SSD manufacturers these days for performance improvement on NAND flash-based storage systems. 

The over-provisioning region is invisible to the operating system and any applications that run on it, including security and anti-virus software. The SSD manager dynamically adjusts this space against the workloads when the user runs different applications, depending on how write or read-intensive they are. 

Flex capacity is a feature of Micron Technology SSDs that allows storage devices to automatically modify the sizes of raw and user-allocated space to improve performance by absorbing write workload volumes. It is a dynamic system that builds and changes a buffer of space which typically consumes between 7% and 25% of total disk capacity. 

Hardware-level assaults provide the highest level of persistence and stealth. In the past, sophisticated actors worked hard to execute such concepts against HDDs, concealing dangerous code in unreachable disk sectors. One assault modeled by researchers at Korea University in Seoul targets an invalid data area containing non-erased information that resides between the usable SSD space and the over-provisioning (OP) area, the amount of which depends on the two. According to the research article, a hacker can adjust the size of the OP region using the firmware manager, resulting in exploitable invalid data space. 

In a second attack model, the OP region is used as a covert location where a threat actor can hide malware that users cannot monitor or remove. According to the research article, "It is assumed that two storage devices SSD1 and SSD2 are connected to a channel in order to simplify the description. Each storage device has 50% OP area. After the hacker stores the malware code in SSD2, they immediately reduce the OP area of SSD1 to 25% and expand the OP area of SSD2 to 75%." 

"At this time, the malware code is included in the hidden area of SSD2. A hacker who gains access to the SSD can activate the embedded malware code at any time by resizing the OP area. Since normal users maintain 100% user area on the channel, it will not be easy to detect such malicious behaviour of hackers," the article added.

To counteract the first type of assault, the researchers advise that SSD manufacturers wash the OP area with a pseudo-erase algorithm that has no effect on real-time performance. Implementing valid-invalid data rate monitoring systems that monitor the ratio inside SSDs in real-time is a potentially effective security measure against injecting malware in the OP area for the second type of attack.

Hackers are Remotely Erasing Western Digital Hard Drives

 

The whole goal of using a network-attached storage device is to have a hard drive where you can back up vital data and then retrieve the files when you're out and about. Unknown hackers, on the other hand, are turning Western Digital My Book NAS hard drives into nightmare backup tools by infiltrating users' computers and deleting all of their data. The My Books are controlled by WD My Book Live, an app that allows consumers to access their data and manage their NAS from anywhere. 

Last week, the drive manufacturer stated that certain owners' network-connected storage had been accessed unofficially and a complete reset had been triggered, though specifics on how seriously individuals should be concerned are still emerging. Western Digital said the WD My Book Live and WD My Book Live Duo drives are affected. They were first introduced in 2010, and the most recent firmware update was in 2015. The business has not stated how many drives are in circulation or estimated how many people are still using them. 

“Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability,” the company said in a security bulletin. "In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.” 

There is currently no proof that Western Digital's cloud services, firmware update servers, or client credentials have been compromised. Rather, the My Book Live drives were left directly available over the internet, “either through direct connection or by port forwarding that was enabled either manually or automatically via UPnP,” according to the report. According to the firm, hackers employed port scanning to identify possible victims.

“We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further,” Western Digital added. “Additionally, some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools.” 

While Western Digital advises customers to disconnect hard drives from the internet for safety, Reddit users' suggestions are much more cautious. On the assumption that hackers may have already loaded a malware or other exploit on the drives, the advice is to switch them off completely. This may then be set to activate, wiping the drive even if it isn't connected at the time.

Industrial Switches Given by the Vendors Affected by a Same Vulnerability

Industrial switches that were given by the vendors have been affected by a same vulnerability, the reason being they all have the same firmware from Korenix Technology, an industrial networking solutions provider based in Taiwan. SEC Consult, an Austrian-based cyber security company revealed the vulnerability. The company (which is owned by Atos) was trying to get the security holes patched since last year, but it took more than an year for Korenix to release security fixes. 

Security Week reports "Properl+Fuchs did release some patches and workarounds last year after being notified about the vulnerabilities, but the company’s response was limited due to the fact that the flaws existed in the Korenix firmware. SEC Consult’s initial attempts to get Korenix to patch the vulnerabilities failed, until late November 2020, when the company had been preparing to make its findings public." Westermo for PMI-110-F2G and Pepperl+Fuchs for Comtrol RocketLinx industrial switches also use the same firmware made for Jetnet Industrial switches by Korenix. Beijer Electronics Group owns both Westermo and Pepperl+Fuchs. 

As per SEC consult, the companies which made these devices have the same firmware base, hence, a single vulnerability affects all of them. SEC Consult found 5 kinds of vulnerabilities, assigned high severity, and critical ratings. It includes unauthorised device administration, cross-site request forgery, authentication command injection, TFTP file/read/write issues, and backdoor accounts. If a hacker has network access, he can attack a device and make unauthorised changes in configuration, steal sensitive data, or make it enter into a DoS state. The affected devices are used in automation, transportation, heavy industry, surveillance, power and energy, and other sectors. 

These switches, according to experts, hold a crucial position in a network and attacker can exploit these vulnerabilities and disruption the connection to the attached network systems.  Apart from releasing firmware updates for the security fixes, Korenix has also suggested some measures to prevent from potential threats. "This vulnerability can also be exploited via Cross-Site Request Forgery attacks as there is no protection for that kind of attack. The NMS (Network Management System) of Korenix, also known as JetView or Korenix NMS, communicates via UDP and triggered all actions without prior authentication," reports Security Week.

Interview Spotlight: Israeli Hardware Solutions, Sepio Systems

On 19 November, E-Hacking News conducted an interesting interview with Sepio Systems. The company provides its customers with the highest level of visibility, policy enforcement, and Rogue Device Mitigation capabilities. The guest speaker for the interview was Mr.Bentsi Ben-Atar, CMO, and Co-Founder, Sepio Systems.

Founded in 2016 by veterans from the Israeli Intelligence Community, Sepio HAC-1 is the first platform that provides visibility, control, and mitigation to zero trust, insider threat, BYOD, IT, OT, and IoT security programs. Sepio is a strategic partner of Munich Re, the world’s largest reinsurance company, and Merlin Cyber, a leading cybersecurity federal solution provider.

1.       Can you please introduce yourself to our readers?

Bentsi Ben-Atar: I am one of the co-founders for Sepio Systems, the company was founded by a group of founders that have been working together for almost 30 years now. We have a strong background in cybersecurity and “rogue device management” in general.

2.       Can you please tell us about your company Sepio Systems?

The company deals with a very unique domain within the cybersecurity industry and that’s the issue of managing the hardware within the enterprises. What we have built is a solution that provides all the aspects related to hardware access control, we call it “HAC” and our solution is called “HAC-1.

We see that Enterprises are struggling with three elements of hardware access control. The first one is the fact they have limited visibility to whatever is connected and sometimes a very significant gap between what people think is connected and to what is actually connected. So, there are visibility gaps that need to be addressed and they need to be addressed regardless of the device itself.

Once you have visibility and now you are aware of your assets, then you can move to the policy enforcement features of your enterprises. It means that now you can apply certain policies while you are working from home and a different policy while you are at the office.

And once you have these two pillars in place then you can move into the more interesting part of the solution, and those are the security aspects. You know what devices are connected, you know how to disable or mitigate any risk associated with it. Now you need to provide the Rogue Device Mitigation.

 

3.       Please explain to us about Hardware Access Control.

Hardware Access Control is the term used to describe a solution that manages all aspects of hardware devices. Hardware devices may be network elements possibly controlled by NAC (Network Access Control or a USB peripheral connected to an endpoint (controlled by EPS/EDR). HAC does not distinguish devices by its interface and provides an aggregated holistic approach to hardware asset management.

 

4.       What are Rogue Devices and what is their impact on the enterprises?

Rogue devices are devices that are either hardware manipulated or firmware manipulated devices that are introduced into the enterprises. The main channels for the attack vehicles are either the supply chain which is a significant risk for enterprises as hardware screening is a huge challenge. The other popular attack vehicle is the human factor, in that case, human beings will always be the weakest links because people can be threatened, they could be paid off, they could be extorted. I think that history along the way has shown that any human being has a weak point. If you, as a cybercrime organization can extort a certain bank, gain access to a certain system, in most of the cases you will get away with that.

 

5.       Why do you think that these “Rogue Attacks” are on the rise?

We see a growing number of attacks that are based on hardware tools. From the attacker's perspective, they have the option of either going head to head against existing cybersecurity products, or they can find an alternative path to the enterprises. There are a lot of hardware-based attacks happening all around the world on critical infrastructures like banks, data centres, retail, etc. It doesn’t get to the public eye in most cases due to several reasons.

First, companies in most cases are very reluctant to admit the fact that they have been breached through this domain because it also implies on their level of physical security and no one wants to admit that someone was able to plug in a rogue device. On the other hand there are a lot of attacks that create a signature that may be wrongfully attributed to other types of attacks.

One of the demos that we really love to do is using and demoing the vulnerability of wireless keyboards and mouse, these devices can be easily manipulated and spoofed. For example, let’s say you’re sitting in your home or office, there could be a guy sitting in the next building, it doesn’t have to be next to your endpoint. By using a very simple publicly available payload that runs on a raspberry pi, you can actually spoof the communication between that wireless keyboard and mouse. You can do a remote keylogging, and most importantly, you can point that endpoint to a certain URL that a certain piece of malware is waiting to be downloaded.

At the end, you even have to go over the human factor which is convincing the user that this link is not a suspicious link. So, there are a lot of obstacles that need to be dealt with. Compared with the option of coming with out of bound raspberry pi with a spoofing capability, you open up the browser independently, and forensic wise it would look like this was an act of an employee within the organization.

So sometimes it would be attributed to a phishing attack or wrongful doings of an employee while in real life the story is completely different.

 

6.       How do Sepio Systems counter these Rogue Devices?

Sepio Systems HAC-1 “dives deeper” into the the physical layer, revealing the true entity of a given device, not according by what it “says” it is, but for what it is really is.These capabilities are achieved through a unique algorithm, a combination of physical layer fingerprinting and Machine Learning augmentation.

7.       The Data Security Council of India (DSCI) has also talked about your company. Can you please tell us more about this project and ‘Sepio Prime Rogue Device Mitigation Solution?’

Without referring to any specific name (a customer or not), our solution provides enterprises, especially the ones concerned with their data. These enterprises can be financial institutes, government agencies or other entities extremely concerned with the attack vehicles.

We provide them with solutions that cover two main interfaces. One is the USB interface and the other is the Network interface. Our solution actually monitors and analyses the physical layer information. It means that we don’t look into user traffic, user log files. We read out all the physical layer related information by analyzing it with an algorithm which is a combination of physical layer fingerprinting and machine learning. We can actually detect the existence of such passive devices.

One of the coolest features of our solution is that it doesn’t require a baseline or training period. Obviously in today’s cybersecurity atmosphere, no single solution provides a complete seal for the entire enterprise. Therefore, the capability with integrating other solutions is extremely important, and all these solutions are easily integrated with our solutions so that we can actually extend the visibility of the enterprise into the deeper layer.

8.       Can you explain how this Layer-1 solution works?

Our solution is actually comprised of two main functionalities. The first one deals with Network Security and the second one deals with Peripheral Security/ End Point security. The way Network Security works are that we communicate with the existent networking infrastructure by using read-only commands. The only thing the enterprise needs to do is to provide restricted user credentials for our solutions.

Before our deployment, we actually provide a list of commands that we will be using. Once we get the information, we will compile it using an algorithm that is a combination of physical fingerprinting and machine learning enhanced solution. The fingerprinting is extremely important because when we get a hit, we can actually name the attack tool. The deployment process itself is straight forward, it takes less than 24 hours to have everything up and running.

The output and value of this solution are instantly delivered, you can actually see all the rogue devices and visibility. In a very interesting incident, we found a gaming console connected to a secured network, approved by NAC but never reported.

Now, the second part of this solution deals with the peripheral. It is a bit different because in the endpoint case, the endpoints could be offline, and you want to make sure that the mitigation, once a rogue device has been detected or even just a brief of policy. The mitigation needs to be immediately so that the USB device will be blocked. When the attacker comes in, they can configure their attack tools to present the same façade as a legitimate device.

So, the difference between Network Security and End Point Security (algorithm wise) is the fact that on the peripheral we also fingerprint ‘known to be good’ devices, so that we have a full database of good devices and bad devices. One of the nicest features we also have is the ‘threat intelligence database,’ it means that every installation has a local copy of our threat intelligence database which includes a list of all ‘known to be vulnerable devices.’


9.       Tell us more about the leadership team behind Sepio Systems?

Our leadership is something that we take great pride in. We are a U.S-Israel based company, we are headquartered in Rockville, Maryland. We have a very strong all-women U.S board which we take great pride in, led by the current CISO for HSBC. We have interviews posted on social media which I think are a fascinating array of women that bring tremendous value to our company.

We have a strong backup from various industry leaders and veterans from various government agencies. We perceive to be kind of a task force to deal with this domain which was until now significantly underserved.

10.   During the COVID-19 pandemic, everyone has started working from home, sometimes it can be a kid playing a video game on a pc. How does an organization keep the family’s data separate from the employee’s? How do you make sure that the family’s data is not being taken by your systems?

Enterprises first need to have a clear policy about their equipment. Having a policy without the capability of enforcing it is ineffective. First of all, the employee needs to understand the risks associated with it. And for that, we have a very interesting video series called Captain RDM which actually illustrates very serious cases in a non-technical way.

You can do one or two things. As a CSO, we can issue (this is what a lot of enterprises do) a company-issued device for it. If you are in need of an additional keyboard, we will provide you with that. If this is not the case, we make sure to know that if a ‘known to be vulnerable device’ is connected and block it.

For work from home cases, we have allowed the ‘1 + 1’ option, it means that for every license that our user got they were eligible for another license without any additional costs.

11.   On your website, people talked about how Sepio Systems has efficiently countered Rogue Device Threats and Internet of Threats (IoT)? Before we conclude the interview, do you have anything to say about that?

One thing that we’ve learned is never disrespect your opponent. They will always be innovative and smart. They are able to provide attack tools that are cocooned within legitimate looking device in ways that you can only imagine. When there is enough motivation for the attacking party for a specific side, because its specifically lucrative target, they will find a way to get into it even if it’s a data centre, or a highly secured facility, anything can be achieved.

With IoT, smart nations and smart cities coming up, a lot of hardware getting installed all over, and the Covid pandemic making people work from home, this issue becomes more relevant. It is more relevant today than it was yesterday and it is going to get even more relevant as the days go by.

 

 

 


HP Issues Advisory Informing Users to Expect SSD Failure around October 2020


Computer enterprise company HP (Hewlett Packard Enterprise) warns its customers about a bug that it has recently found in its SSD (Solid State Drives). The company HP has made a new firmware patch to prevent some of its hard drives from crashing after 40,000 hours of consumer use. In a firmware incident last week, HP informed its consumers about a bug in some of its hard drives that will cause them to stop working after 40,000 hours of use, which is around four years and 200 days. SAS SSDs (Serial-Attached SCSI solid-state drives) is the model of the hard drives that are likely to be affected by this firmware bug.


According to HP, the hard disks manufactured during that period will crash around October this year, and these will be among the earliest failures. To solve this issue, HP has released some firmware updates to fix this bug last week. It has asked the companies to update to the latest firmware updates, and if they fail to do so, the companies might risk losing both the SSD and the data. If the SSD crashes, users can't restore their data, says HP in its security advisory.

This firmware bug incident is similar to another hard drive crash incident that happened in November last year. In the latter event, the HPE SAS SSDs crashed after nearly three years and 270 days of use. This time, however, this bug will affect far fewer SSDs than it did last year. According to HP, the company learned about this issue from a different SSD company that uses HP's SSDs, similar to last year. The list of SAS SSD models affected by the bug is available on HP's customer support website.

"This HPD8 firmware is considered a critical fix and is required to address the issue detailed below. HPE strongly recommends the immediate application of this crucial fixture. Neglecting to update to SSD Firmware Version HPD8 will result in drive failure and data loss at 32,768 hours of operation and require restoration of data from the backup in non-fault tolerance, such as RAID 0 and fault tolerance RAID mode if more drives fail than what is supported by the fault tolerance RAID mode logical drive," reads HP's notification.

Multiple Vulnerabilities found in SATCOM internet access terminal Cobham EXPLORER 710



CERT/CC researchers found multiple vulnerabilities as they examined Satcom terminal Cobham EXPLORER 710 as an extension of IOActive’s findings in 2014. These new vulnerabilities could affect both the device and firmware.

These frailties could give attackers unauthentic access to sensitive information, control of the device, create or implant backdoor, DoS attack and more.

Cobham EXPLORER 710 is a portable satellite terminal, broadband global area network (bgan) through telephony. The device provides internet connection through satellite communications setting new standards for size, speed and features.

 EXPLORER 710 is a sophisticated communication tool for broadcasting, streaming and other IP based industry applications with a speed of 1 Mbps and higher. It is used in various sectors as Commercial aerospace, military defenses, space systems, SATCOM and more.

 The sat-com terminal, firmware version 1.07 is affected with 6 vulnerabilities listed below-

 • CVE-2019-9529 – Authentication Failure 

This failure arises due to the web portal having no authentication by default, this could lead to any attacker connected to the device to gain access to the portal and perform changes.

 • CVE-2019-9530 – Unrestricted Directory Access

There are no restrictions on access to the webroot directory, creating a liability as hackers can read, access or download any file in the webroot directory.

 • CVE-2019-9531 – Authentication Failure to port 5454 

This vulnerability allows attackers to connect to port 5454 through Telnet and execute 86 Attention (AT) commands, and gain illegal access.

 • CVE-2019-9532 – Text Data Exchange 

The web application portal passes the login password in cleartext, it could easily give way to miscreant to intercept the password.

 • CVE-2019-9533 – Default Login Credentials

The root password is the same for all devices, this could allow to reverse-engineer the password in all available versions.

 • CVE-2019-9534 – Validate Failure

According to CERT/CC researchers, "The device does not validate its firmware image. Development scripts left in the firmware can be used to upload a custom firmware image that the device runs. This could allow an unauthenticated, local attacker to upload their own firmware that could be used to intercept or modify traffic, spoof or intercept GPS traffic, exfiltrate private data, hide a backdoor, or cause a denial-of-service."

Apart from the above gaps in security, the researchers also discovered some configuration issues, missing security headers and problems in default wifi password ( being same as same as serial number) which are gravely dangerous to the device and leave it susceptible to cross-site scripting and clickjacking.

 The researchers said they currently don't have any practical solutions to these problems.