GetVariable Strikes Again, Linux Santa, AMD Vulns, & Remote Computer Detonation – PSW #770
This week in the Security News: GetVariable strikes again, attackers could blow up your computer remotely, escaping containers, null-dereferences and faulty evaluations, 31 new CPU vulnerabilities for AMD, a look into Chrome, santa, not-so-secure secure booting, and malware included!
Announcements
Thank you for listening to or watching our podcasts! We want to ensure that we are creating the most relevant and useful content for our audience across our network! It is crucial to us that we are delivering to you more of what you want to hear and learn about. Please take a few minutes to complete our listener survey so that we can craft our content based on your needs. Visit https://securityweekly.com/survey to submit your feedback.
Hosts
- 1. Jason Haddix on Twitter
- 2. Caido – A lightweight web security auditing toolkit
- 3. TikTok, WebMD and University: How People Use Cell Phones Behind Bars
- 4. Assessing Potential Exploitation of Sophos Firewall and CVE-2022-3236 – Blog – VulnCheck
- 5. Inside ShmooCon 2023: The wacky, the weird and, of course, the cybers
We're back, baby. Shmoocon was amazing. Also, I did not eat the cereal (though I heard it was awful, like if you were to eat the pages of a musty book from your grandparents' basement).
- 6. StarkeBlog – CVE Wednesday – CVE-2022-34400
"Often times when EFI Modules make multiple (G|S)etVariable calls in the same function, there is a vulnerability. The DataSize variable must be reinitialized to 0 before subsequent Variable calls in order to avoid this vulnerability." - Wow, I remember getting yelled at for improper variable initialization or re-initialization. This is a great example of UEFI variable abuse that we talked about in the SMM segment with Jesse.
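To make the pattern in that quote concrete, here is an added illustration (not code from the StarkeBlog post or from the affected firmware): a small C mock of GetVariable's size contract, with the stale-DataSize pattern beside the corrected one. `MockGetVariable`, the two-entry variable store, the buffer sizes and the canary are all constructed for this example; real firmware would call `gRT->GetVariable` and the overrun would land on the stack instead of a canary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the UEFI status codes used below (constructed; not EDK2 headers). */
typedef uint64_t EFI_STATUS;
#define EFI_SUCCESS          0ULL
#define EFI_BUFFER_TOO_SMALL 0x8000000000000005ULL
#define EFI_NOT_FOUND        0x800000000000000EULL

/* Constructed NVRAM contents. Whoever can write non-authenticated variables at
 * runtime chooses both sizes, which is what makes a stale DataSize dangerous. */
struct var { const char *name; size_t size; uint8_t fill; };
static const struct var kStore[] = {
    { "FirstVar",  64, 0xAA },   /* large: its size poisons DataSize */
    { "SecondVar", 32, 0xBB },   /* bigger than the 16-byte buffer below */
};

/* Mirrors the size contract of EFI_RUNTIME_SERVICES.GetVariable():
 * on entry *DataSize is the caller's buffer capacity, on return it is the
 * variable's real size; data is copied only when it fits. */
static EFI_STATUS MockGetVariable(const char *name, size_t *DataSize, void *Data)
{
    for (size_t i = 0; i < sizeof kStore / sizeof kStore[0]; i++) {
        if (strcmp(kStore[i].name, name) != 0)
            continue;
        if (Data == NULL || *DataSize < kStore[i].size) {
            *DataSize = kStore[i].size;
            return EFI_BUFFER_TOO_SMALL;
        }
        memset(Data, kStore[i].fill, kStore[i].size);
        *DataSize = kStore[i].size;
        return EFI_SUCCESS;
    }
    return EFI_NOT_FOUND;
}

#define BUF_LEN     16   /* the fixed-size buffer the firmware hands to GetVariable */
#define CANARY_LEN  8
#define CANARY_BYTE 0xC3

/* region[0..BUF_LEN) plays the stack buffer; the canary right behind it shows
 * whether a call wrote past it. */
static void arm_region(uint8_t *region, size_t len)
{
    memset(region, 0, len);
    memset(region + BUF_LEN, CANARY_BYTE, CANARY_LEN);
}

/* Returns 1 if the canary survived, 0 if the buffer was overrun. */
static int canary_ok(const uint8_t *region)
{
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (region[BUF_LEN + i] != CANARY_BYTE)
            return 0;
    return 1;
}

/* Vulnerable pattern from the post: DataSize still holds FirstVar's size (64)
 * when SecondVar is read into the 16-byte buffer, so all 32 bytes of SecondVar
 * are copied and run over the canary. Returns 0 (canary clobbered). */
int read_second_with_stale_size(void)
{
    uint8_t region[BUF_LEN + CANARY_LEN + 64];   /* slack so the demo itself stays in bounds */
    arm_region(region, sizeof region);

    size_t DataSize = 0;
    MockGetVariable("FirstVar", &DataSize, NULL);      /* size probe: DataSize = 64 */
    /* ... FirstVar would be read into a DataSize-byte pool buffer here ... */

    MockGetVariable("SecondVar", &DataSize, region);   /* bug: DataSize not reset */
    return canary_ok(region);
}

/* Corrected pattern: DataSize is reinitialised to 0 before the next call, the
 * probe reports SecondVar's real size, and it is checked against the buffer's
 * capacity before anything is copied. Returns 1 (canary intact). */
int read_second_with_reset_size(void)
{
    uint8_t region[BUF_LEN + CANARY_LEN + 64];
    arm_region(region, sizeof region);

    size_t DataSize = 0;
    MockGetVariable("FirstVar", &DataSize, NULL);

    DataSize = 0;                                      /* fix: fresh probe */
    MockGetVariable("SecondVar", &DataSize, NULL);
    if (DataSize <= BUF_LEN)
        MockGetVariable("SecondVar", &DataSize, region);
    /* else: treat the oversized variable as an error instead of trusting it */
    return canary_ok(region);
}

int main(void)
{
    printf("stale DataSize : canary %s\n", read_second_with_stale_size() ? "intact" : "CLOBBERED");
    printf("reset DataSize : canary %s\n", read_second_with_reset_size() ? "intact" : "CLOBBERED");
    return 0;
}
```

The point the mock makes is that `DataSize` is an in/out parameter: after any call it holds a size chosen by whoever wrote the variable, not the size of the buffer you are about to pass. Reviewing firmware for this is mostly a matter of finding every `GetVariable`/`SetVariable` call and checking that the size argument was freshly initialised from the real destination buffer (or to 0 for a probe) on the line before it.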
- 7. Attacks Targeting Realtek SDK Vulnerability Ramping Up
- 8. PMFault: Faulting and Bricking Server CPUs through Management Interfaces Or: A Modern Example of Halt and Catch Fire
This is a real thing. Remember when I warned you that updating your BMC firmware is important? This is why. This is also why we can't have nice things.
- 9. ManageEngine CVE-2022-47966 Technical Deep Dive
"Reference validation is performed before signature validation, allowing for the execution of malicious XSLT transforms. Execution of XSLT transforms allows an attacker to execute arbitrary Java code."
- 10. Exploiting CVE-2021-3490 for Container Escapes
Amazing work, the takeaway (other than deep technical details): "Not much effort is needed to turn a full exploit chain for a local privilege escalation into one that is able to escape containers as well."
- 11. Exploiting null-dereferences in the Linux kernel
"For a fair amount of time, null-deref bugs were a highly exploitable kernel bug class. Back when the kernel was able to access userland memory without restriction, and userland programs were still able to map the zero page, there were many easy techniques for exploiting null-deref bugs. However with the introduction of modern exploit mitigations such as SMEP and SMAP, as well as mmap_min_addr preventing unprivileged programs from mmap’ing low addresses, null-deref bugs are generally not considered a security issue in modern kernel versions. This blog post provides an exploit technique demonstrating that treating these bugs as universally innocuous often leads to faulty evaluations of their relevance to security." - The last sentence applies to more than just kernel null dereference bugs.
- 12. AMD Quietly Lists 31 New CPU Vulnerabilities, Issues Patch Guidance
"AMD has listed the various AGESA revisions it has issued to its OEMs to patch the vulnerabilities (AGESA code is used to build BIOS/UEFI code). However, the availability of new BIOS patches with the new AGESA code will vary by vendor. That means you'll have to check with your motherboard or system vendor to see if it has posted new BIOS revisions with the correct AGESA code." - Because, well, reasons. Your UEFI code is customized by the OEM, which means in order to update it, the OEM has to update it. This also depends on your hardware.
- 13. Crassus Windows privilege escalation discovery tool
- 14. Forward into 2023: Browser and O/S Security Features – Black Hills Information Security
If you are looking for a foundation to learn how to find vulnerabilities in Chrome, look no further thanks to Joff Thyer!
- 15. Introducing RPC Investigator
- 16. santa for linux proof-of-concept
I love this, from the Google project for macOS: "Santa is a binary authorization system for macOS. It consists of a system extension that monitors for executions, a daemon that makes execution decisions based on the contents of a local database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server. It is named Santa because it keeps track of binaries that are naughty or nice." This project is that, but for Linux.
- 17. Cacti: Unauthenticated Remote Code Execution
- 18. Netcomm – Unauthenticated Remote Code Execution
I love how using the serial interface they just pulled off all the binaries using netcat, I mean why go hard with SPI or a flash reader interface if you don't have to? The results are typical, poorly coded protections and buffer overflows.
- 19. MSI’s (in)Secure Boot – Dawid Potocki
This, THIS, is why we cannot trust suppliers and have to pay attention to supply chain issues. The hardware, software and firmware that you acquire DOES NOT come with perfect security 100% of the time, and never will!
- 20. Taking over a Dead IoT Company
Crazy story: "Now, 5 years after the company collapsed, I acquired one of their signs to investigate why the company failed. Along the way I ended up taking over the company’s sign control domain and writing an exploit to get full control of any signs still in the field."
- 21. Critical Architectural Vulnerabilities in Siemens SIMATIC S7-1500 Series Allow for Bypass of All Protected Boot Features
So many flaws: "However, this ATECC CryptoAuthentication implementation contains flaws that can be leveraged to compromise the integrity of the system. The secure element shared secret is exposed, as shown in Figure 1, which allows attackers to abuse the secure element. The shared secret resides in the device’s nonvolatile storage which can be accessed by attackers. The CryptoAuthentication chip can be used as an oracle to generate the decryption seed which is used to derive AES keys for encrypted firmware. The plaintext bootloader reveals the firmware AES key derivation and decryption scheme."
- 22. PKCS#11, hardware keystores, and Apple frustrations
This is an interesting read: "with it immediately failing if the key isn't RSA. Which it isn't, since the Secure Enclave doesn't support RSA. Apple's PKCS#11 module appears incapable of making use of keys generated on Apple's hardware."
- 1. Appliance makers sad that 50% of customers won’t connect smart appliances
- 2. US Marines Defeat DARPA Robot by Hiding Under a Cardboard Box
- 3. FAA finds outage was unintentionally caused by contractors
- 4. Breaking EA Desktop’s pathetic Encryption
- 5. Google plans AirTag clone, will track devices with 3 billion Android phones
- 6. Entire software suite of Israeli security firm Cellebrite leaks online
- 7. GhostSec Makes Big Claims on “RTU” ICS Hack
- 8. Embedded System Ransomware and the Meaning of Criminal Operations
- 9. Malware Comes Standard With This Android TV Box on Amazon
- 1. Former Senior F.B.I. Official in New York Charged With Aiding Oligarch
Charles McGonigal, who was chief of counterintelligence, worked secretly for Oleg Deripaska, a Russian oligarch associated with acts of bribery, extortion and violence.
Mr. McGonigal, while working for the bureau, took $225,000 in secret cash payments and concealed that relationship from the F.B.I.
Mr. Deripaska was a client of Paul Manafort, who for several months in 2016 served as Donald J. Trump’s campaign chairman and in 2018 was convicted of financial fraud and other crimes.
- 2. CNET’s AI Journalist Appears to Have Committed Extensive Plagiarism
CNET has been quietly publishing machine learning-generated stories. CNET's AI-written articles aren't just riddled with errors. They also appear to be substantially plagiarized.
- 3. New iOS Login Tech Makes It Super Hard to Hack Your iCloud Account
Apple now lets you protect your Apple ID and iCloud account with hardware security keys, a significant upgrade for those who want maximum protection from hackers, identity thieves, or snoops.
- 4. Botnets exploited Realtek SDK critical bug in millions of attacks
From August 2021 to December 2022, we have observed 134 million exploit attempts in total, targeting CVE-2021-35394. CVE-2021-35394 is a critical (CVSS v3: 9.8) vulnerability in Realtek Jungle SDK version 2.x to 3.4.14B, caused by multiple memory corruption flaws that allow remote unauthenticated attackers to perform arbitrary command injection. Realtek chipsets are omnipresent in the IoT world, and even when the Taiwanese chip maker pushes security updates to address problems in its products quickly, supply chain complexities delay their delivery to end users.