Vulnerabilities Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/vulnerabilities/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Last updated: Fri, 02 Feb 2024 15:33:00 +0000

New FritzFrog Botnet Sample Exploits Log4Shell and PwnKit
https://gridinsoft.com/blogs/fritzfrog-botnet-exploits-log4shell-pwnkit/
Fri, 02 Feb 2024 15:33:00 +0000

The post New FritzFrog Botnet Sample Exploits Log4Shell and PwnKit appeared first on Gridinsoft Blog.
Researchers have detected a new sample of FritzFrog, a malware family known for building sizeable botnets. The new sample includes functionality for exploiting flaws in network assets, including the infamous Log4Shell vulnerability. As it turns out, even two years after its discovery and the feverish patching that followed, quite a few instances remain vulnerable to such attacks.

FritzFrog Botnet is Back, Spreads with Exploitation of Web Vulnerabilities

The research from Akamai Labs uncovers a version of FritzFrog armed with a set of exploitation capabilities. The report pays particular attention to its Log4Shell exploitation, which is performed in a rather unusual manner. When the flaw was discovered, corporations concentrated on patching the main elements of their network infrastructure, while internal network components built on Apache's Log4j were mostly ignored, as they were considered less likely to be attacked. Well, until now.

By abusing the lack of input sanitization during logging, FritzFrog can make the target execute arbitrary code. Before that, the malware scans for vulnerable network assets by probing ports 9000, 8090 and 8888. To make a vulnerable application instance execute the malicious code, the malware floods it with HTTP requests that carry the injected code in the request headers. This way, the threat ensures that at least one command makes its way into the logs and is subsequently executed.

[Image: HTTP header Log4Shell exploit. Example of an HTTP header sent by a malicious LDAP server; every part of the header contains the malicious request.]

Aside from the Log4Shell flaw, the malware has also gained the ability to exploit PwnKit, a flaw in polkit, the privilege-control utility present in the majority of Linux distributions. By abusing this flaw, FritzFrog relaunches itself with the highest privileges available whenever it detects that it was started with less than the maximum privilege level.

What is FritzFrog?

FritzFrog is a rather old malware sample that has been tracked since March 2020. Being a peer-to-peer botnet tool, it quickly racked up a significant number of attacks, though this rapid success ended when activity ceased in September 2020. In December of the same year it resurfaced with even more aggressive activity, and it appears to have been active ever since.

[Image: FritzFrog statistics 2020]

Since its first days, it has used SSH brute forcing for self-propagation. It is genuinely surprising how many Internet-facing hosts still have weak login credentials today. After a successful break-in, FritzFrog starts scanning thousands of other IP addresses in search of other weakly protected servers. Aside from self-propagation, the malware is capable of delivering other malware, providing remote access to the infected environment, and performing DDoS attacks.

Protection Against SSH-Targeting Malware

Besides its rather unique spreading approach, FritzFrog's infection vectors are nothing new. Attacking weakly protected servers through brute forcing is a decades-old tactic, and both vulnerabilities date from 2021. Patches for both flawed software packages are available: update them, and FritzFrog, along with other malware, will have far fewer chances to get in.

Methods to counteract SSH brute force are well known and easy to implement, too. Either configure the instances to accept only trusted connections, or move them to a different port. Strong passwords add to overall security but will not prevent the server overload caused by the enormous number of login requests during a brute-force attack. All security measures should work together; that is what makes them effective.

2 Citrix RCE Under Active Exploitation, CISA Notifies
https://gridinsoft.com/blogs/2-citrix-rce-exploited-cisa-updates/
Fri, 19 Jan 2024 11:37:19 +0000
CISA has given a timeframe of one to three weeks to fix three vulnerabilities related to Citrix NetScaler and Google Chrome. These zero-day vulnerabilities have been actively used in cyberattacks.

2 Citrix RCEs Exploited In The Wild, CISA Urges to Update

On Wednesday, January 17, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding three actively exploited vulnerabilities. The two Citrix vulnerabilities involved are CVE-2023-6548 and CVE-2023-6549. The agency immediately added them to its Known Exploited Vulnerabilities Catalog and demanded that U.S. federal agencies patch them as soon as possible.

The first has a CVSS score of 5.5 and affects the NetScaler ADC and Gateway management interfaces; the deadline to fix it is January 24. Of the other two vulnerabilities, one can cause a denial-of-service condition on specific configurations. It concerns vulnerable Gateway appliances configured as VPN, ICA Proxy, CVPN or RDP Proxy services, or as AAA virtual servers. This vulnerability has a CVSS score of 8.2, higher than the previous one. Nonetheless, CISA has given three weeks to fix these two vulnerabilities.

So why would you prioritize fixing a vulnerability with a lower CVSS score? When it is easy to exploit, the decision becomes obvious and necessary. While exploiting some vulnerabilities with the maximum CVSS score requires conditions close to those of a laboratory, other issues require far less effort. It is no wonder CISA so strongly recommends fixing this vulnerability first and foremost.

Citrix RCE Vulnerability Details

CVE-2023-6548 is a medium-severity (CVSS score of 5.5) Remote Code Execution (RCE) vulnerability that affects Citrix NetScaler ADC and Gateway appliances. It allows an authenticated attacker with low-level privileges to execute code on the management interface of the affected devices via NSIP, SNIP, or CLIP.

Next, CVE-2023-6549 is a Denial of Service (DoS) vulnerability. It was also found in Citrix NetScaler ADC and has a CVSS score of 8.2. Threat actors can exploit it under specific configurations of vulnerable appliances; as mentioned, VPN, ICA Proxy, CVPN and RDP Proxy services, or an AAA virtual server, are at risk. The vulnerability can disrupt services by overwhelming the system, leading to a denial-of-service condition.

Citrix Responds to New Vulnerabilities

Citrix promptly published an advisory and recommended that customers immediately apply updates for affected versions. Customers using Citrix-managed cloud services or Adaptive Authentication are not required to take action. The company suggests separating network traffic to the appliance’s management interface and not exposing it to the internet, as outlined in their secure deployment guide.

In addition, the company strongly recommended that network traffic to the appliance’s management interface be separated, either physically or logically, from regular network traffic. Furthermore, the management interface should not be exposed to the internet, as outlined in their secure deployment guide.

9 PixieFail Vulnerabilities Discovered in TianoCore's EDK II
https://gridinsoft.com/blogs/pixiefail-vulnerabilities-discovered/
Wed, 17 Jan 2024 18:06:42 +0000
A chain of nine vulnerabilities in UEFI's Preboot Execution Environment (PXE), dubbed PixieFail, was uncovered in recent research. As the network boot process is a relatively novel attack vector, only a few of the vulnerabilities received a high severity rating. Nonetheless, their sheer number, along with their location in rather sensitive places, can create a mess if someone manages to exploit them in a chain.

Analysts Discover Numerous Vulnerabilities in TianoCore EDK II

The extensive research from Quarkslab uncovers a grand total of nine vulnerabilities in a widely used UEFI implementation from TianoCore called EDK II. This open-source UEFI implementation is used particularly widely by corporations, both in their own machines and in their products. Among other functions, it contains a network boot option and a whole set of related functionality, which is where all the vulnerabilities are concentrated.

Network boot itself relies on the Preboot Execution Environment (PXE), often shortened to Pixie boot, and this is where all nine security flaws live. Not all vulnerabilities in the PixieFail collection are of the utmost severity, but NIST assigned three of them a CVSS score of 8.3/10.

List of PixieFail Vulnerabilities

Vulnerability | Severity score | Description
CVE-2023-45229 | 6.5 | Out-of-bounds data read with a crafted DHCPv6 Advertise message
CVE-2023-45230 | 8.3 | Buffer overflow possibility using a crafted Server ID option
CVE-2023-45231 | 6.5 | Out-of-bounds data read with a specifically crafted ND Redirect message
CVE-2023-45232 | 7.5 | Possibility of throwing the machine into an infinite boot loop with a wrong Destination option header
CVE-2023-45233 | 7.5 | Possibility of throwing the machine into an infinite boot loop with a wrong PadN option
CVE-2023-45234 | 8.3 | Buffer overflow possibility using a crafted DNS Servers option
CVE-2023-45235 | 8.3 | Buffer overflow possibility using a crafted Server ID option from a DHCPv6 Advertise message
CVE-2023-45236 | 5.8 | Predictability of the TCP Initial Sequence Number
CVE-2023-45237 | 5.3 | Weakness of the Pseudo Random Number Generator

As you can see, the list is rather long, with the buffer overflow vulnerabilities rated as the most severe. This is because such flaws can lead to arbitrary code execution, which is useful for both initial access and lateral movement within the environment. And since all of this happens almost on bare metal, the outcomes may be rather bad.

Vendors Offer Patches for PixieFail Vulnerabilities

Upon detecting the vulnerabilities back in early August 2023, Quarkslab contacted a selection of software vendors that use EDK II in their products, among them such well-known names as Arm, Insyde Software, Microsoft, American Megatrends and Phoenix Technologies. Over the following half year, vendors, authorities and researchers worked on a fix without leaking any information before the fixes were in place.

As a result, by January 16, 2024, when the detailed analysis from Quarkslab was published, all the notified vendors had the issue fixed. So check for updates to your firmware: they may contain the patch that fixes PixieFail all at once.

Sierra AirLink Vulnerabilities Expose Critical Infrastructure
https://gridinsoft.com/blogs/sierra-airlink-21-vulnerabilities/
Wed, 06 Dec 2023 16:00:03 +0000
A grand total of 21 security flaws was discovered in the firmware of Sierra Wireless AirLink routers. The vulnerabilities allow remote code injection, unauthenticated access, DoS attacks, and more. As such network devices are commonly used in industrial manufacturing and similar applications, the impact of such attacks may be rather serious.

Sierra AirLink Routers Have 21 Vulnerabilities

As Forescout Vedere researchers describe in their research, the AirLink lineup of devices contains 21 software vulnerabilities. Among them, only one issue received a CVSS score above 9, which is considered critical. The RCE vulnerabilities and a couple of issues that may allow unauthorized access are rated 8.1 to 8.8. Several other noteworthy issues, particularly ones that cause denial of service, are rated CVSS 7.5.

Vulnerability | Description | CVSS score
CVE-2023-41101 | RCE vulnerability in OpenNDS | 9.6 (Critical)
CVE-2023-38316 | RCE vulnerability in OpenNDS | 8.8
CVE-2023-40461 | XSS vulnerability in ACEmanager | 8.1
CVE-2023-40464 | Unauthorized access in ALEOS firmware | 8.1
CVE-2023-40463 | Unauthorized access in ALEOS firmware | 8.1

Researchers provided a detailed description of the potential exploitation scenarios for two of the most critical vulnerabilities. With CVE-2023-41101, an attacker can take over the router by overflowing a buffer in the OpenNDS captive portal: because the length of GET requests is not limited, it is possible to make the router execute arbitrary code. By controlling the router, adversaries can disrupt the operations that depend on that interface.

[Image: CVE-2023-41101 exploitation]

The second, CVE-2023-40463, requires an attacker to possess a router similar to the one they are trying to attack. By digging through the device's software components and applying some hash-cracking magic, it is possible to obtain the diagnostic shell password. Then, with a bit of social engineering, adversaries may connect to the actual target router and enter its diagnostic interface using the password they obtained earlier. With such access, it is possible to inject malware into the router, force it to malfunction, or execute commands on it remotely.

Available Mitigations

Despite such a worrying number of vulnerabilities, all of them reportedly receive a fix in the latest version of the firmware for AirLink devices. ALEOS 4.17.0 should address all the flaws, and if incompatibilities get in the way, customers may stick with version 4.9.9. The latter is not affected by the listed vulnerabilities, except for the ones that concern OpenNDS captive portals.

The researchers who found the issues also offer their own mitigations for the vulnerabilities, which allow delaying the patch installation. Though, as usually happens with stopgap solutions, they are not ideal and do not guarantee the effect.

  1. Disable unused captive portals and related services, or put them under restricted access. This reduces the attack surface for vulnerabilities that target OpenNDS.
  2. Use a web application firewall to filter requests and block packets from suspicious sources. This mitigation works against the XSS and DoS vulnerabilities.
  3. Change the default SSL certificates. Forescout recommends doing this on all routers, not only Sierra Wireless ones.
  4. Implement an intrusion detection system that monitors IoT/OT devices as well. This allows for monitoring both connections from outside the network and ones within it.

What are Sierra AirLink Routers?

Have you ever wondered how the Wi-Fi on public transport works? Or how all the machinery in a huge workshop is connected and centrally managed even though it is not static? Well, Sierra's devices are the answer. Their routers are industrial-grade wireless connectivity devices used in dozens of industries, from public transportation all the way up to aerospace and defense.

[Image: Sierra AirLink stats by country]

What is particularly concerning in this story is the extensive use of AirLink routers in critical infrastructure. Factories and transportation are important, though not as continuously demanded as water treatment, emergency services and energy management. And since IoT attracts hackers' attention more and more often, action should be taken immediately. Considering the extensive use of vulnerable AirLink devices in the US, they may be the perfect Achilles' heel for cyberattacks that target critical infrastructure and even government.

Vulnerability in HP BIOS causes system takeover
https://gridinsoft.com/blogs/hp-uefi-bios-vulnerability/
Fri, 13 May 2022 12:43:58 +0000
Following recent fixes for a large number of UEFI vulnerabilities, the world-renowned PC and laptop vendor HP is releasing a new BIOS update. This time the trigger was two serious vulnerabilities, affecting a wide range of over 200 PC and laptop models, that allow code to run with kernel privileges, including driver management and BIOS access.

Vulnerabilities in HP BIOS may let crooks take over your PC

Analysts defined those vulnerabilities as CVE-2021-3808 and CVE-2021-3809, and gave a baseline CVSS score of 8.8. HP does not provide technical details at this time, only publishing the list of affected devices. Those are:

  • Zbook Studio
  • ZHAN Pro
  • EliteBook
  • ProBook
  • Elite Dragonfly
  • EliteDesk
  • ProDesk desktops
  • PoS Engage
  • Z1 and Z2 workstations
  • Thin client PCs [that run the same firmware version on the server]

The bugs were discovered back in November 2021 by researcher Nicholas Starke, who explained in his blog that the vulnerability could allow an attacker running with kernel-level privileges (CPL == 0) to elevate privileges to System Management Mode (SMM). SMM, in turn, gives the attacker full control over the host for further attacks.

The problem is that it is possible to run the SMI handler from the OS environment, for example through a Windows kernel driver. Therefore, an attacker needs to find the memory address of the LocateProtocol function and overwrite it with malicious code. It can initiate code execution by instructing the SMI handler to do so.

Is that breach easy to exploit?

To exploit the vulnerability, an attacker needs root/SYSTEM-level privileges on the target system and the ability to execute code in System Management Mode (SMM). In addition, some HP computer models have security features that an attacker must bypass for the exploit to work, such as HP Sure Start, which shuts down the host if memory is corrupted. However, there are plenty of ways to obtain such privileges, from other exploits to tricking the user into installing a trojan.

[Image: Driver Updater PUP. A driver updater app, an example of a program that may act as a malware downloader.]

Once the ultimate goal is achieved, the attacker, by overwriting the UEFI (BIOS), can achieve outstanding persistence for malware on the machine. After such a trick, you cannot remove the malware with antivirus tools or by reinstalling the OS. So here is the obvious advice for all owners of HP hardware who do not want to become part of the APT operations that practise attacks through UEFI: update the BIOS before cybercriminals update it without your participation.

Why are BIOS vulnerabilities so critical?

BIOS, as well as its modern replacement UEFI, is the lowest-level firmware. It runs on your hardware even before you launch the regular OS, be it Windows or Linux. Unlike operating systems, which interact with hardware through drivers, BIOS interacts with it directly. In the early 2010s, the Unified Extensible Firmware Interface was presented as a substitute for BIOS, which by then was considered obsolete.

A breach that allows hackers to address the hardware at the kernel level, i.e. circumventing the drivers, means that whoever exploits it can do literally anything: turn off the computer, reboot it, wipe the BIOS, or replace it with a malicious loader that displays a ransom banner on the screen. The CVE organisation, which tracks and documents all detected vulnerabilities, has still not added a detailed description of CVE-2021-3808 and CVE-2021-3809. But I am pretty sure that they will raise the severity rating to 10/10; that is a real mess.

Vulnerabilities Allow Hijacking of Most Ransomware to Prevent File Encryption
https://gridinsoft.com/blogs/vulnerability-in-ransomware-can-prevent-the-encryption/
Wed, 11 May 2022 15:44:07 +0000
Not long ago, a cybersecurity analyst posted a video on YouTube in which he shows a vulnerability in ransomware samples used by well-known ransomware groups. In the footage, the expert demonstrates the exploit on a REvil ransomware sample, but there are half a dozen ransomware products vulnerable to the same thing.

The crooks’ weapon struck them back

The YouTube user Malvuln published a series of videos regarding the exploitation of a breach in popular ransomware. The exploitation is based on how ransomware launches its executable files with high privileges. In effect, this is an exploit inside another exploit. Let's check out how it works.

Originally, when crooks launch ransomware on an infected system, they palm off a malicious DLL on a legitimate program. Any application requires dynamic-link libraries to function, and if the DLLs it loads are not checked diligently, it is easy to substitute the original with the library you need. Cybercriminals know about that breach and know which apps are vulnerable. Feeding the malicious DLL to the legitimate program allows the ransomware to be launched with increased privileges.

However, ransomware itself is not ideal. As the researcher mentioned above figured out, it is also vulnerable to DLL interception, though the exact method differs from how cybercriminals use it. The vulnerability lies in the way the libraries used by the ransomware to run the encryption process are named. A specially compiled DLL with the same name as the one used by the ransomware ends the encryption process right after it begins.

How can that be used?

As Malvuln showed in his videos, the ransomware of six popular cybercrime gangs is vulnerable to this security breach: AvosLocker, LokiLocker, Black Basta, REvil, Conti, and LockBit. All of them are well known, and each attacks hundreds of companies every month. Some may ask for ransoms of up to $1M. Using such a vulnerability, companies may easily protect themselves from having their files encrypted. Still, the spyware these groups usually inject together with the ransomware is still able to extract a lot of valuable data.

[Image: Avos Locker ransom note. The ransom note of Avos Locker, one of the vulnerable families; you will still find it even after the encryption fails.]

Adding a small DLL file to each computer in the network is pretty easy and hard for threat actors to detect. In contrast to security solutions running on the network, the DLL is not active and cannot be detected. Hence, crooks may get a very unpleasant surprise. Nonetheless, that does not mean you can throw away your security solutions. EDR systems can be very effective against spyware, at least where data extraction is concerned. Keep in mind that you will likely pay a much larger sum of money as a ransom than you would spend on an endpoint protection solution.

Thoughts on ransomware vulnerability

Cybercriminals like those belonging to the named gangs love their brainchildren, and having such a vulnerability, they will not delay fixing it. That is their bread and butter, and they depend on that money flow. Hence, deploying the DLL as I have suggested above is not a panacea. Sooner or later (likely sooner) that breach will be fixed, as has happened to all other vulnerabilities that leaked to the public. And still, no one names a way to stop the complementary spyware.

One way or another, having the chance to stop the ransomware and prevent disruptions is better than not having it.

A DNS vulnerability in uClibc/uClibs-ng libraries jeopardizes IoT devices
https://gridinsoft.com/blogs/c-standard-libraries-dns-vulnerability/
Fri, 06 May 2022 07:00:13 +0000
A vulnerability has been discovered (CVE not yet issued) in the uClibc and uClibc-ng C standard libraries. These libraries are widely used in IoT devices. The newly found vulnerability makes it possible to place forged data into the DNS cache, setting an arbitrary IP address in that cache so that all queries for the domain are subsequently rerouted to the malefactors' server.

The flaw affects Linux firmware used in various routers, hotspots, and other IoT devices. It also hits Linux distributions for embedded operating systems, such as Embedded Gentoo and OpenWRT. The vulnerability shows up in many different devices; for example, Linksys, Netgear, and Axis all use uClibc libraries. Since the vulnerability is not yet fixed in uClibc and uClibc-ng, details about the specific devices and manufacturers in whose products the problem occurs have not been made public yet.

The vulnerability mechanism

The vulnerability comes from the use of predictable transaction identifiers in the DNS requests generated by the library. DNS request IDs are formed by simply incrementing a counter, without any additional randomization of the source port numbers. This, in turn, allows DNS cache poisoning by proactively sending a UDP packet with a forged response. The spoofed response is accepted if it carries the correct request ID and arrives before the genuine server's response. Unlike the Kaminsky method proposed in 2008, the current approach does not even require guesswork, since the transaction ID is predictable from the start: the initial value (1) is incremented with each query rather than chosen randomly.

Security recommendations against ID guessing include randomizing the source network port from which the DNS request is sent. This measure is meant to compensate for the short length of the identifier: if randomization is enabled, forging a 16-bit ID is not enough, and hackers would additionally have to brute-force the network port number. In uClibc and uClibc-ng, a random source UDP port is not requested during the bind call. Therefore, port randomization is effectively turned off, and enabling it requires changing settings in the operating system.

With randomization switched off, the problem of guessing an incremented request ID becomes trivial. But even if randomization were applied, the attackers would only need to pick a port number from the range 32768–60999 (the range Linux uses). They could send a massive number of fake responses to different network ports simultaneously and still win against the legitimate DNS response.
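To make the numbers in the two paragraphs above concrete, here is an added Python example (not from the Nozomi Networks report or the uClibc code) that models the guess space a forged response must cover under each combination of transaction-ID and source-port randomization. It also includes a small diagnostic that a defender can run over the transaction IDs and source ports captured from a device's own outgoing DNS queries, to see whether they look like a plain counter on a fixed port, which is the condition the article describes. The counter start value of 1 and the 32768–60999 port range are taken from the text; the function names and the sample captures are constructed for this example.

```python
from typing import Iterable, List, Optional, Sequence, Tuple

# Values quoted in the article: uClibc starts its transaction-ID counter at 1,
# and Linux draws ephemeral UDP ports from 32768-60999 (inclusive).
UCLIBC_FIRST_TXID = 1
LINUX_EPHEMERAL_PORTS = (32768, 60999)
TXID_SPACE = 1 << 16  # a DNS transaction ID is 16 bits wide


def guess_space(txid_random: bool, port_random: bool,
                port_range: Tuple[int, int] = LINUX_EPHEMERAL_PORTS) -> int:
    """How many (transaction ID, source port) pairs a forged reply must cover.

    A dimension the attacker can predict contributes a factor of 1. The uClibc
    case described in the article (counter ID, fixed port) therefore yields 1:
    a single forged packet that beats the real answer is enough.
    """
    ids = TXID_SPACE if txid_random else 1
    ports = (port_range[1] - port_range[0] + 1) if port_random else 1
    return ids * ports


def spoof_success_probability(forged_replies: int, space: int) -> float:
    """Chance that `forged_replies` distinct guesses include the right pair."""
    return min(1.0, forged_replies / space)


def next_txid_if_sequential(observed: Sequence[int]) -> Optional[int]:
    """Diagnostic for captured query IDs: if they form a plain +1 counter (with
    16-bit wrap-around), return the ID the next query will use; otherwise None.
    A resolver with proper randomization should always produce None here."""
    if len(observed) < 2:
        return None
    for a, b in zip(observed, observed[1:]):
        if ((a + 1) & 0xFFFF) != b:
            return None
    return (observed[-1] + 1) & 0xFFFF


def ports_look_fixed(observed_ports: Iterable[int]) -> bool:
    """Diagnostic: True when every captured query left from the same UDP port."""
    return len(set(observed_ports)) == 1


def assess_capture(capture: List[Tuple[int, int]]) -> dict:
    """Combine the two diagnostics into the effective guess space for a device."""
    ids = [txid for txid, _ in capture]
    ports = [port for _, port in capture]
    nxt = next_txid_if_sequential(ids)
    fixed = ports_look_fixed(ports)
    return {
        "next_txid": nxt,
        "port_fixed": fixed,
        "guess_space": guess_space(txid_random=nxt is None, port_random=not fixed),
    }


# Constructed captures of (transaction ID, source port) for four consecutive
# queries; these are illustrative values, not real packet captures.
CAPTURE_UCLIBC_LIKE = [(UCLIBC_FIRST_TXID + i, 33000) for i in range(4)]
CAPTURE_RANDOMIZED = [(0x3E4A, 41231), (0x91C0, 58877), (0x0C17, 35102), (0x7B08, 49710)]

if __name__ == "__main__":
    for name, cap in (("uClibc-like", CAPTURE_UCLIBC_LIKE), ("randomized", CAPTURE_RANDOMIZED)):
        print(name, assess_capture(cap))
    # Every combination from the article's reasoning, smallest to largest.
    for txid_random in (False, True):
        for port_random in (False, True):
            print(f"id_random={txid_random} port_random={port_random} "
                  f"space={guess_space(txid_random, port_random)}")
```

The guess-space figures explain the article's point about port randomization: a random 16-bit ID alone gives 65,536 possibilities, while adding a random port from the Linux range multiplies that by 28,232. Conversely, the diagnostic shows why a device whose captured IDs go 1, 2, 3, 4 from one port has a guess space of exactly one, so a single forged reply that arrives first wins.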

History of the inquiry

The problem has been confirmed in all current versions of uClibc and uClibc-ng, including the latest uClibc 0.9.33.2 and uClibc-ng 1.0.40. In September 2021, information on the vulnerability was sent to CERT/CC to prepare coordinated fixes. In January 2022, the data was delivered to more than 200 manufacturers working with CERT/CC. In March, there was communication with the uClibc-ng project maintainers, who admitted they could not fix the vulnerability themselves and recommended disclosing the information to the community so that it could assist with developing the fix. Nozomi Networks, the company that detected the flaw, made the information public in a thorough report on May 2, 2022. In the meantime, Netgear has announced an update in which it promises to deal with the vulnerability.

The post A DNS vulnerability in uClibc/uClibs-ng libraries jeopardizes IoT devices appeared first on Gridinsoft Blog.

F5 warns of critical BIG-IP RCE vulnerability
https://gridinsoft.com/blogs/f5-big-ip-vulnerability/
Thu, 05 May 2022 18:18:49 +0000

The post F5 warns of critical BIG-IP RCE vulnerability appeared first on Gridinsoft Blog.

F5, Inc. has warned users about a critical vulnerability in iControl REST, the REST-based management API of its BIG-IP products, which administrators and developers use to automate device configuration. The flaw is rated critical because it lets an unauthenticated attacker take over the device.

F5 warns its customers of a new vulnerability

CVE-2022-1388, according to F5's analysts, lets a remote attacker execute arbitrary code and disable services on BIG-IP without any authentication. It carries a CVSS v3 score of 9.8, which places it in the critical range. The flaw sits in a component of iControl REST and allows the authentication of BIG-IP's management API to be bypassed; after that, the attacker is free to run arbitrary commands through it. The BIG-IP versions reported to contain the flaw are:

  • 16.1.0 to 16.1.2;
  • 15.1.0 to 15.1.5;
  • 14.1.0 to 14.1.4;
  • 13.1.0 to 13.1.4;
  • 12.1.0 to 12.1.6;
  • 11.6.1 to 11.6.5.

F5 offers a fast fix for the issue

As the list shows, almost every BIG-IP version currently in use is exposed. F5 has already released fixed versions and recommends installing them as soon as possible:

  • 17.0.0;
  • 16.1.2.2;
  • 15.1.5.1;
  • 14.1.4.6;
  • 13.1.5.

The company stresses that the older 12.x and 11.x branches will not receive a fix for this flaw; customers on them are advised to move to a newer version. Where the update cannot be applied for some reason, F5 recommends the following settings to prevent exploitation:

Until it is possible to install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to iControl REST to only trusted networks or devices, thereby limiting the attack surface.

Block iControl REST access through the self IP address
You can block all access to the iControl REST interface of your BIG-IP system through self IP addresses. To do so, you can change the Port Lockdown setting to Allow None for each self IP address in the system. If you must open any ports, you should use the Allow Custom option, taking care to disallow access to iControl REST. By default, iControl REST listens on TCP port 443 or TCP port 8443 on single NIC BIG-IP VE instances. If you modified the default port, ensure that you disallow access to the alternate port you configured.

F5, Inc. advisory on CVE-2022-1388 in BIG-IP.
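The affected and fixed lists above have a subtlety that is easy to get wrong by eye: 16.1.2 is affected while 16.1.2.2 is fixed, and 12.x and 11.x get no fix at all. The following added script (not F5's tooling) turns the advisory's lists into a version check that can be run over an inventory. The hostnames and versions in INVENTORY are constructed; in practice each version would come from `tmsh show sys version` on the device.

```python
# Branch -> (first, last) affected release, inclusive, from the advisory lists above.
AFFECTED = {
    "16.1": ((16, 1, 0), (16, 1, 2)),
    "15.1": ((15, 1, 0), (15, 1, 5)),
    "14.1": ((14, 1, 0), (14, 1, 4)),
    "13.1": ((13, 1, 0), (13, 1, 4)),
    "12.1": ((12, 1, 0), (12, 1, 6)),
    "11.6": ((11, 6, 1), (11, 6, 5)),
}
# Branch -> first release carrying the fix; 12.x and 11.x get none.
FIXED = {
    "17.0": (17, 0, 0),
    "16.1": (16, 1, 2, 2),
    "15.1": (15, 1, 5, 1),
    "14.1": (14, 1, 4, 6),
    "13.1": (13, 1, 5),
}


def parse_version(text):
    """'16.1.2.2' -> (16, 1, 2, 2); BIG-IP versions have three or four numeric parts."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 3 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version: {text!r}")
    return parts


def assess(text):
    """Return (status, first_fixed_version_or_None) for one BIG-IP version string.
    status is 'fixed', 'affected', 'affected-eol' (no fix on this branch) or 'unlisted'."""
    v = parse_version(text)
    branch = f"{v[0]}.{v[1]}"
    fixed = FIXED.get(branch)
    # Tuple comparison handles the point-release subtlety: (16,1,2) < (16,1,2,2) is
    # affected, (16,1,2,2) and anything later on the branch is fixed.
    if fixed is not None and v >= fixed:
        return "fixed", None
    if branch in AFFECTED:
        first, last = AFFECTED[branch]
        if first <= v[:3] <= last:
            if fixed is None:
                return "affected-eol", None
            return "affected", ".".join(map(str, fixed))
    return "unlisted", None


def audit(inventory):
    """inventory: {hostname: version string}. Return only the hosts that need action."""
    actions = {}
    for host, version in inventory.items():
        status, fix = assess(version)
        if status == "affected":
            actions[host] = f"upgrade to {fix}; until then restrict iControl REST as advised"
        elif status == "affected-eol":
            actions[host] = "no fix for this branch: migrate to a supported release"
        elif status == "unlisted":
            actions[host] = "version not in the advisory lists: check F5's advisory directly"
    return actions


# Constructed inventory for illustration only.
INVENTORY = {
    "lb-edge-1": "16.1.2",
    "lb-edge-2": "16.1.2.2",
    "lb-legacy": "12.1.6",
    "lb-core-1": "15.1.5.1",
    "lb-lab": "13.1.4.1",
}

if __name__ == "__main__":
    for host, action in audit(INVENTORY).items():
        print(f"{host}: {action}")
```

A version that is "fixed" here only means it is past the release F5 names for this CVE; the Port Lockdown and management-interface restrictions quoted above remain good practice regardless, since the management API should not be reachable from untrusted networks in the first place.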

How serious is the CVE-2022-1388?

Since iControl REST and BIG-IP are mostly deployed by large organisations, that is where CVE-2022-1388 can do the most damage. Unauthenticated remote code execution on a device that sits in front of the network lets attackers expand their presence quickly, up to full control of the network. Any malware operator would welcome such access, especially given the amount of valuable data such organisations hold; and an organisation that can afford solutions as advanced and expensive as F5's looks, to an attacker, like one that can afford a large ransom.

Having a vulnerability like this in a product also affects the vendor's image. F5 did well here: it found the flaw and issued a fix before criminals started exploiting it. That does not mean attackers can no longer use it; they merely lost the element of surprise, since it is no longer a zero-day. Many companies are slow to update, and some ignore updates altogether, and a slow reaction often leads to bad consequences. Fortunately for F5, it has already disclaimed responsibility for any malware attack that uses this flaw.

Hackers Use Fresh Vulnerability in Windows Print Spooler in Real Attacks
https://gridinsoft.com/blogs/vulnerability-in-windows-print-spooler-in-real-attacks/
Thu, 21 Apr 2022 20:47:31 +0000

The post Hackers Use Fresh Vulnerability in Windows Print Spooler in Real Attacks appeared first on Gridinsoft Blog.

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that a vulnerability in the Windows Print Spooler component, patched by Microsoft in February 2022, is being actively exploited by hackers.

The issue in question is tracked as CVE-2022-22718 (CVSS score of 7.8) and, according to Microsoft, affects all versions of Windows.

At the same time, the company disclosed almost no technical details of the bug; it only reported that the vulnerability is exploited locally, that the attack is of low complexity, and that it requires no user interaction. In other words, it is a privilege-escalation flaw: an attacker who already has a foothold on the machine can use it to gain higher privileges.

“CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise,” CISA representatives stated.

It is worth recalling that last year Microsoft struggled for a long time (and not always successfully) with a series of Print Spooler bugs, including the critical PrintNightmare vulnerability, which allows remote arbitrary code execution. After the bug's technical details and a PoC exploit were accidentally leaked, CISA urged administrators to disable the Print Spooler service on domain controllers and on systems not used for printing in order to block potential attacks.

“Due to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object,” Microsoft also recommended.

For now, the nature of the attacks on CVE-2022-22718 and the identities of the perpetrators remain largely unknown; the authorities are apparently withholding details to keep other hack groups from exploiting the problem.

Figure: the Windows Print Spooler vulnerability as listed in the CISA catalog.

In addition, two other issues were added to the CISA catalog of known exploited vulnerabilities this week, although they date back to 2018 and 2019:

  • CVE-2018-6882 (CVSS score 6.1) – XSS Vulnerability in Zimbra Collaboration Suite (ZCS)
  • CVE-2019-3568 (CVSS score 9.8) – a stack buffer overflow vulnerability in the WhatsApp VoIP stack.

Chinese hackers use Zimbra 0-day vulnerability to hack European media and authorities
https://gridinsoft.com/blogs/chinese-hackers-use-zimbra-0-day-vulnerability/
Fri, 04 Feb 2022 22:41:26 +0000

The post Chinese hackers use Zimbra 0-day vulnerability to hack European media and authorities appeared first on Gridinsoft Blog.

Security firm Volexity has warned that a previously unknown Chinese hack group is exploiting a 0-day vulnerability in Zimbra’s collaborative software.

According to official statistics, more than 200,000 enterprises in 140 countries around the world use Zimbra, including more than 1,000 government and financial institutions. The researchers write that using the 0-day vulnerability, attackers gain access to the mailboxes of European authorities and the media.

The attacks were discovered in mid-December, and although Volexity notified the Zimbra developers about the bug on December 16, the company has not yet released a patch.

“Attackers first started exploiting the vulnerability on December 14, 2021, when the first attacks on some Volexity clients were recorded,” the researchers report.

The attacks were divided into two stages. Initially, the hackers sent a harmless email to victims to determine if the right accounts were active and whether users would open suspicious emails from unknown individuals.

Figure: an example of the attackers' email.

The actual attack came only with a second email, which contained a link. If the user opened the URL, they landed on an attacker-controlled site where malicious JavaScript performed an XSS attack against the Zimbra webmail of the victim's organisation.

The vulnerability works against Zimbra webmail client versions 8.8.15 P29 and P30 and allows the attackers to steal Zimbra session cookies. With those cookies the hackers can log in to the victim's Zimbra account, where they gain access to the mailbox (viewing emails and stealing their contents), send further phishing messages to the victim's contacts, and offer their targets malware to download.
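The attack chain above turns an XSS into account takeover through the session cookie, so the attributes on that cookie decide what an injected script can do with it. The following added check is generic and is not Zimbra's code, nor a statement about how Zimbra configures its own cookies: it parses Set-Cookie headers out of a raw HTTP response and flags session-looking cookies that lack HttpOnly, Secure or a SameSite policy. The cookie name WEBMAIL_AUTH and the sample responses are constructed for the example.

```python
SESSION_HINTS = ("auth", "token", "sess", "sid", "login")


def set_cookie_headers(raw_response):
    """Pull every Set-Cookie value out of a raw HTTP response (head section only)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[1].strip()
            for line in head.split("\r\n")
            if line.lower().startswith("set-cookie:")]


def parse_set_cookie(header):
    """'sid=abc; Path=/; HttpOnly' -> ('sid', 'abc', {'path': '/', 'httponly': True})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # flag attributes carry no value
    return name.strip(), value.strip(), attrs


def audit_cookie(header, over_https=True):
    """Return (name, findings). No findings means an XSS gains nothing from the cookie value itself."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if any(hint in name.lower() for hint in SESSION_HINTS) and "httponly" not in attrs:
        findings.append("no HttpOnly: injected script can read it via document.cookie and exfiltrate it")
    if over_https and "secure" not in attrs:
        findings.append("no Secure: also sent over plaintext HTTP")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True or samesite.lower() == "none":
        findings.append("SameSite missing or None: attached to cross-site requests")
    return name, findings


def audit_response(raw_response, over_https=True):
    """Map each cookie name in the response to its findings, keeping only cookies with some."""
    report = {}
    for header in set_cookie_headers(raw_response):
        name, findings = audit_cookie(header, over_https)
        if findings:
            report.setdefault(name, []).extend(findings)
    return report


# Constructed responses: the weak form a stolen-cookie attack relies on, and the hardened form.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: WEBMAIL_AUTH=0123abcd; Path=/\r\n"
    "Set-Cookie: ui_lang=en; Path=/\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: WEBMAIL_AUTH=0123abcd; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: ui_lang=en; Path=/; Secure; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw))
```

HttpOnly closes the exact step described above, reading the cookie from the page and sending it to the attacker's server, but it does not stop an XSS payload from acting inside the victim's session: script running in the webmail origin can still issue requests to the webmail's own endpoints with the cookie attached automatically. Patching the XSS is the real fix; the cookie attributes only limit the blast radius.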

Figure: scheme of the attack.

Although more than 33,000 Zimbra servers are currently exposed on the internet, Volexity says the 0-day does not affect Zimbra 9.x, the most recent version of the platform.

Based on the infrastructure used in these attacks, the researchers were unable to link the activity to any previously known hack group, so the group was given the name TEMP_Heretic. At the same time, they report that “the attacker is probably of Chinese origin.”

Let me remind you that we previously reported that Chinese hackers attacked US organizations by exploiting bugs in F5, Citrix and Microsoft Exchange, and that hackers attacked the Microsoft Exchange servers of the European Banking Authority.
