Electronics Arts (EA) is launching a new kernel-level anti-cheat system for its PC games. The EA AntiCheat (EAAC) will debut first in FIFA 23 later this fall and is a custom anti-cheat system developed in-house by EA developers. It’s designed to protect EA games from tampering and cheaters, and EA says it won’t add anti-cheat to every game and treat its implementation on a case-by-case basis.

“PC cheat developers have increasingly moved into the kernel, so we need to have kernel-mode protections to ensure fair play and tackle PC cheat developers on an even playing field,” explains Elise Murphy, senior director of game security and anti-cheat at EA. “As tech-inclined video gamers ourselves, it is important to us to make sure that any kernel anti-cheat included in our games acts with a strong focus on the privacy and security of our gamers that use a PC.”

Kernel-level anti-cheat systems have drawn criticism from privacy and security advocates, as the drivers these systems use are complex and run at such a high level that if there are security issues, then developers have to be very quick to address them.

[…]

EA’s anti-cheat system will run at the kernel level and only runs when a game with EAAC protection is running. EA says its anti-cheat processes shut down once a game does and that the anti-cheat will be limited to what data it collects on a system. “EAAC does not gather any information about your browsing history, applications that are not connected to EA games, or anything that is not directly related to anti-cheat protection,” says Murphy.

[…]

Source: EA announces kernel-level anti-cheat system for PC games – The Verge

The problem is that you can’t actually see what they are doing because it’s kernel level. It’s your OS running on your PC, they have no right to inflitrate your PC at this level – aside from it being dangerous from a security standpoint. This is a bit like putting a guy into each room of your house and saying it’s no problem, hopefully they won’t steal anything and most likely they won’t tell anyone what you are doing and what you are talking about. And they probably leave some when you are not using your house.

[…]

The newly discovered security issue impacts versions of the application for Windows, Linux, and Mac and refers to Microsoft Teams storing user authentication tokens in clear text without protecting access to them.

An attacker with local access on a system where Microsoft Teams is installed could steal the tokens and use them to log into the victim’s account.

[…]

Microsoft Teams is an Electron app, meaning that it runs in a browser window, complete with all the elements required by a regular web page (cookies, session strings, logs, etc.).

Electron does not support encryption or protected file locations by default, so while the software framework is versatile and easy to use, it is not considered secure enough for developing mission-critical products unless extensive customization and additional work is applied.

Vectra analyzed Microsoft Teams while trying to find a way to remove deactivated accounts from client apps, and found an ldb file with access tokens in clear text.

“Upon review, it was determined that these access tokens were active and not an accidental dump of a previous error. These access tokens gave us access to the Outlook and Skype APIs.” – Vectra

Additionally, the analysts discovered that the “Cookies” folder also contained valid authentication tokens, along with account information, session data, and marketing tags.

Finally, Vectra developed an exploit by abusing an API call that allows sending messages to oneself. Using SQLite engine to read the Cookies database, the researchers received the authentication tokens as a message in their chat window.

[…]

Using this type of malware, threat actors will be able to steal Microsoft Teams authentication tokens and remotely login as the user, bypassing MFA and gaining full access to the account.

[…]

With a patch unlikely to be released, Vectra’s recommendation is for users to switch to the browser version of the Microsoft Teams client. By using Microsoft Edge to load the app, users benefit from additional protections against token leaks.

[…]

Source: Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs

Cisco patched three security vulnerabilities in its products this week, and said it will leave unpatched a VPN-hijacking flaw that affects four small business routers.

Those small-biz routers – the RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router – have reached their end-of-life (EoL) and the networking vendor is recommending customers upgrade to devices that aren’t vulnerable. To give you an idea of the potential age of this kit, Cisco stopped selling the RV110W and RV130 in 2017, and ended support for them this year.

“Cisco has not released and will not release software updates to address the vulnerability described in this advisory,” the supplier wrote in an advisory. “Customers are encouraged to migrate to Cisco Small Business RV132W, RV160, or RV160W Routers.”

It also said that there are no workarounds to mitigate the flaw.

That vulnerability, tracked as CVE-2022-20923 with a severity rating of “medium,” if exploited could enable an unauthenticated remote attacker to bypass authentication checks and freely access the device’s IPSec VPN.

“The attacker may obtain privileges that are the same level as an administrative user, depending on the crafted credentials that are used,” Cisco added. The flaw is the result of the improper implementation of a password validation algorithm, we’re told.

[…]

Source: Dump these routers, says Cisco, because we won’t patch them • The Register

Massive amounts of private data – including more than 300,000 biometric digital fingerprints used by five mobile banking apps – have been put at risk of theft due to hard-coded Amazon Web Services credentials, according to security researchers.

Symantec’s Threat Hunter Team said it discovered 1,859 publicly available apps, both Android and iOS, containing baked-in AWS credentials. That means if someone were to look inside the apps, they would have found the credentials in the code, and could potentially have used that to access the apps’ backend Amazon-hosted servers and steal users’ data. The vast majority (98 percent) were iOS apps.

In all, 77 percent of these apps contained valid AWS access tokens that allowed access to private AWS cloud services, the intelligence team noted in research published today.

Additionally, almost half (47 percent) contained valid AWS tokens providing full access to sometimes millions of private files via Amazon S3 buckets. These hard-coded AWS access tokens would be easy to extract and exploit, and reflect a serious supply-chain issue, Dick O’Brien, principal editor on Symantec’s Threat Hunter Team, told The Register.

[…]

In one case, a provider of B2B services gave out a mobile SDK to its customers to integrate into their applications. It turned out the SDK contained the provider’s cloud infrastructure keys, which potentially exposed all of its data — including financials, employee information, files on more than 15,000 medium and large-sized companies, and other information — that was stored on the platform.

The SDK had a hard-coded AWS token to access an Amazon-powered translation service. However, that token granted full access to the provider’s backend systems, rather than just the translation tool.

[…]

 

Source: Mobile banking apps put 300,000 digital fingerprints at risk • The Register

An MMORPG with cute anime-style characters and maybe a bit too much inspiration taken from another classic Nintento franchise, Genshin Impact is a relatively popular game across the PlayStation, iOS, Android, and PC platforms. That last one has already generated a bit of controversy, since the PC version game includes an anti-cheat kernel driver that runs in the Windows kernel context, and on initial release that module kept running even after the game was closed.

That anti-cheat driver is back in the news, with Trend Micro discovering a ransomware campaign that includes mhyprot2.sys, the anti-cheat driver, as a component of the infection. The module is known to have vulnerabilities, and is still a signed kernel driver, so the malware campaign loads the driver and uses its functions to disable anti-malware protections.

The rest of the campaign is straightforward. Starting with access to a single domain-connected machine, an attacker uses that foothold to gain access to the domain controller. The malicious script is hosted on shared storage, and PsExec is used to run it on all the domain member machines. The real novelty here is the use of the vulnerable anti-cheat kernel driver as the anti-malware bypass. As far as we can tell, this driver is *still* signed and considered trustworthy by Windows. We join the call to Microsoft, to revoke this vulnerable driver, as it’s now actively being used in ongoing malware campaigns. For more on security, check out our weekly column on the topic,

Source: Genshin Security Impact | Hackaday

Last Saturday, I sat in a crowded ballroom at Caesar’s Forum in Las Vegas and watched Sickcodes jailbreak a John Deere tractor’s control unit live, before an audience of cheering Defcon 30 attendees (and, possibly, a few undercover Deere execs, who often attend Sickcodes’s talks).

The presentation was significant because Deere – along with Apple – are the vanguard of the war on repair, a company that has made wild and outlandish claims about the reason that farmers must pay the company hundreds of dollars every time they fix their own tractors, and then wait for days for an authorized technician to come to their farm and type an unlock code.

Deere’s claims have included the astounding statement that the farmers who spend hundreds of thousands of dollars on tractors don’t actually own those tractors, because the software that animates them is only licensed, not sold:

https://memex.craphound.com/2017/04/22/john-deere-just-told-the-copyright-office-that-only-corporations-can-own-property-humans-can-only-license-it/

They’ve also claimed that locking farmers out of their tractors is for their own good, because otherwise hackers could take over those tractors and endanger the food supply. While it’s true that the John Deere tractor monopoly means that defects in the company’s products could affect farms all around the world, it’s also true that John Deere is very, very bad at information security:

https://pluralistic.net/2021/04/23/reputation-laundry/#deere-john

The company’s insistence that they are guardians of farmers and the agricultural sector is a paper-thin cover for monopolistic practices and rent-seeking. Monopolizing the repair and reconfiguration of Deere products gives the company all kinds of little gifts – for example, they can refuse to fix the tractors of dissatisfied customers unless they agree to gag-orders:

https://pluralistic.net/2022/05/31/dealers-choice/#be-a-shame-if-something-were-to-happen-to-it

And because so few of us understand information security, or monopoly, or agribusiness (let alone all three!) they can spin their dangerous, grossly unfair practices as features, not bugs. Remember when they trumpeted the fact that they’d remotely bricked some Ukrainian Deere products that had been looted by Russian soldiers?

https://doctorow.medium.com/about-those-kill-switched-ukrainian-tractors-bc93f471b9c8

What they didn’t say – and what almost no one pointed out – was that this meant that anyone who could hack John Deere’s system could brick any tractor – including, say, the Russian military’s hacking squads. They also didn’t say that Ukrainian farmers had long chafed under Deere’s corporate control, and had developed illegal third-party tractor firmware that farmers all over the world had covertly installed:

https://www.vice.com/en/article/xykkkd/why-american-farmers-are-hacking-their-tractors-with-ukrainian-firmware

And that means that the Russian looters who supposedly were foiled by Deere’s corporate remote killswitches can re-activate their tractors, by using the Ukrainian software developed in response to the company’s monopolistic practices.

Which brings me back to Sickcodes and his awesome presentation at Defcon 30 this weekend. I watched from the front row, sitting next to the repair champion Kyle Wiens, founder of Ifixit, who turned his notes into an excellent Twitter thread:

https://twitter.com/kwiens/status/1558688970799648769

As Kyle points out, Deere has repeatedly told state and federal lawmakers and regulators that farmers can’t be trusted to repair or modify their own tractors. This is obviously nonsense: indeed, for decades, Deere product development consisted of sending engineers out to document the improvements farmers had made to their tractors so the company could copy them:

https://securityledger.com/2019/03/opinion-my-grandfathers-john-deere-would-support-our-right-to-repair/

Writing for Wired, Lily Hay Newman provides some great technical details on the hack, including how Sickcodes acquired (and accidentally broke!) several 2630 and 4240 touchscreen control units, eventually demounting the main controller and soldering it into a new board that he used to probe the system:

https://www.wired.com/story/john-deere-tractor-jailbreak-defcon-2022/

He discovered that the system was designed to send an extraordinary amount of data to John Deere – his control unit tried to exfiltrate 1.5GB worth of data once he brought it online. He also discovered that as soon as he was able to conjure up a terminal, he had root access to the system.

This was great news for Sickcodes, but it raises serious questions about Deere’s information security practices. As Kyle points out, this entire system ran on deprecated, unpatched, elderly GNU/Linux software and Windows CE, an operating system that was end-of-lifed in 2018, and which was so bad that people forced to use it typically called it “Wince.”

Sickcodes discovered all kinds of security worst-practices in John Deere’s security – even in the parts of its security that were intended to secure the company’s profits from its own customers’ best interests. For example, at one point Sickcodes put the control unit into maintenance mode by repeatedly rebooting it, so that it refused to allow him to do anything until he brought it to a dealer. He discovered that all it took to convince the computer that he was a dealer was to create an empty text file on its hard-drive whose filename was something like “IAmADealer.txt” (I didn’t write down the exact filename, alas, but that’s not far off!).

Another revelation from Sickcodes: the company made extensive use of free/open source software but seems to be gravely out-of-compliance with the license terms (I’m told that organizations that do legal enforcement of free/open licenses are now aware of this).

So to recap: the company says it has to block farmers from having the final say over their own tractors because they could create security risks and also threaten Deere’s copyrights (the company even claims that locking down tractors is necessary to preventing music infringement, as though a farmer would spend $600k on a tractor so they could streamrip Spotify tracks).

But in reality, the company itself is a dumpster-fire of information security worst practices, whose unpatched, badly configured, out-of-date tractors are a bonanza of vulnerabilities and unforced errors. What’s more, the company – which claims to be staunch defenders of copyright – use their copyright locks to hide the fact that they are committing serious breaches of software copyright.

In serious information security circles, it’s widely understood that “there is no security in obscurity” – that is, hiding how a system works doesn’t make it secure. Usually, this is understood to be grounded in the fact that if you hide your work, you might make mistakes that others would spot and point out to you:

https://doctorow.medium.com/como-is-infosec-307f87004563

But there’s another problem with security through obscurity: when you don’t have to show your work to others, you can be sloppy. Whereas, if your work is open to inspection, your own aversion to being seen as slapdash will impose a rigor on your process, which will make the whole thing better:

https://doctorow.medium.com/the-memex-method-238c71f2fb46

With Deere’s security through obscurity, we see both pathologies on display. The company uses its opacity to commit sloppy security bugs, and also to cover up its violations of copyright law – and then, of course, it accuses its critics of being guilty of those two exact sins. Takes one to know one:

https://doctorow.medium.com/takes-one-to-know-one-104d7d749408

Sickcodes closed out by saying that while his hack required a lot of fiddling with the hardware, he was already scheming to build a little tool that could access and jailbreak a tractor without ripping chips off a board or doing a lot of soldering.

And then he played a custom, farm-themed version of Doom on his jailbroken tractor controller.

Source: Pluralistic: 15 Aug 2022 – Pluralistic: Daily links from Cory Doctorow

farmers around the world have turned to tractor hacking so they can bypass the digital locks that manufacturers impose on their vehicles. Like insulin pump “looping” and iPhone jailbreaking, this allows farmers to modify and repair the expensive equipment that’s vital to their work, the way they could with analog tractors. At the DefCon security conference in Las Vegas on Saturday, the hacker known as Sick Codes is presenting a new jailbreak for John Deere & Co. tractors that allows him to take control of multiple models through their touchscreens.

The finding underscores the security implications of the right-to-repair movement. The tractor exploitation that Sick Codes uncovered isn’t a remote attack, but the vulnerabilities involved represent fundamental insecurities in the devices that could be exploited by malicious actors or potentially chained with other vulnerabilities.

[…]

Sick Codes, an Australian who lives in Asia, presented at DefCon in 2021 about tractor application programming interfaces and operating system bugs. After he made his research public, tractor companies, including John Deere, started fixing some of the flaws. “The right-to-repair side was a little bit opposed to what I was trying to do,” he tells WIRED. “I heard from some farmers; one guy emailed me and was like ‘You’re fucking up all of our stuff!’ So I figured I would put my money where my mouth is and actually prove to farmers that they can root the devices.”

This year, Sick Codes says that while he is primarily concerned about world food security and the exposure that comes from vulnerable farming equipment, he also sees important value in letting farmers fully control their own equipment. “Liberate the tractors!” he says.

[…]

Facing mounting pressure, John Deere announced in March that it would make more of its repair software available to equipment owners. The company also said at the time that it will release an “enhanced customer solution” next year so customers and mechanics can download and apply official software updates for Deere equipment themselves, rather than having John Deere unilaterally apply the patches remotely or force farmers to bring products to authorized dealerships.

“Farmers prefer the older equipment simply because they want reliability. They don’t want stuff to go wrong at the most important part of the year when they have to pull stuff out of the ground,” Sick Codes says. “So that’s what we should all want too. We want farmers to be able to repair their stuff for when things go wrong, and now that means being able to repair or make decisions about the software in their tractors.”

[…]

He found that when the system thought it was in such an environment, it would offer more than 1.5 GB worth of logs that were meant to help authorized service providers diagnose problems. The logs also revealed the path to another potential timing attack that might grant deeper access. Sick Codes soldered controllers directly onto the circuit board and eventually got his attack to bypass the system’s protections.

“I launched the attack, and two minutes later a terminal pops up,” Sick Codes says of the program used to access a computer’s command-line interface. “I had root access, which is rare in Deere land.”

[…]

 

Source: A New Jailbreak for John Deere Tractors Rides the Right-to-Repair Wave | WIRED

Source: Github / ocsf

Still a lot of work to be done in the schema but it’s a start

[…]

The issue occurred when a user created or revoked a shared invitation link for their workspace. The good news is that the password wasn’t plaintext, and it wasn’t visible in any Slack clients. The bad news is that it could be picked up by monitoring encrypted traffic from Slack’s servers, and it appears that all users who created or revoked those links between April 17, 2017, and July 17, 2022, are affected.

Slack said only 0.5 percent of users were affected, which doesn’t sound too terrible until you consider how many Slack users are out there. While getting a definitive user figure for any chat platform is tricky and varies depending on what measure the vendor is using, it is safe to assume Slack has 10 million or more daily active users, meaning that at least 50,000 could have been affected. We asked the company to confirm this, and will update if there is a response.

Slack lays claim to over 169,000 paid customers and says “millions of people around the world use Slack to connect their teams.”

The company was informed of the issue by an independent security researcher on July 17, and swiftly fixed the issue before assessing the scale of the impact. “We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue,” it insisted, but has still reset the passwords of affected users regardless.

It also recommends the inevitable move to two-factor authentication and the use of unique passwords for every service in use.

[…]

Source: Slack exposed hashed passwords for years • The Register

VMware has fixed a critical authentication bypass vulnerability that hits 9.8 out of 10 on the CVSS severity scale and is present in multiple products.

That flaw is tracked as CVE-2022-31656, and affects VMware’s Workspace ONE Access, Identity Manager, and vRealize Automation. It was addressed along with nine other security holes in this patch batch, published Tuesday.

Here’s the bottom line of the ‘31656 bug, according to VMware: “A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.” Quite a nice way to get admin-level control over a remote system.

The critical vulnerability is similar to, or perhaps even a variant or patch bypass of, an earlier critical authentication bypass vulnerability (CVE-2022-22972) that also rated 9.8 in severity and VMware fixed back in May. Shortly after that update was issued, CISA demanded US government agencies pull the plug on affected VMware products if patches can’t be applied.

While the virtualization giant isn’t aware of any in-the-wild exploits (so far at least) of the newer vulnerability, “it is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments,” VMware warned in an advisory. “If your organization uses ITIL methodologies for change management, this would be considered an ’emergency’ change.”

In addition to the software titan and third-party security researchers urging organizations to patch immediately, Petrus Viet, the bug hunter who found and reported the flaw, said he’ll soon release a proof-of-concept exploit for the bug. So to be perfectly clear: stop what you are doing and immediately assess and if necessary patch this flaw before miscreants find and exploit it, which they are wont to do with VMware vulns.

Tenable’s Claire Tills, a senior research engineer with the firm’s security response team, noted that CVE-2022-31656 is especially worrisome in that a miscreant could use it to exploit other bugs that VMware disclosed in this week’s security push.

“It is crucial to note that the authentication bypass achieved with CVE-2022-31656 would allow attackers to exploit the authenticated remote code execution flaws addressed in this release,” she wrote.

She’s referring to two remote code execution (RCE) flaws, CVE-2022-31658 and CVE-2022-31659, also discovered by Petrus Viet that would allow an attacker with admin-level network access to remotely deploy malicious code on a victim’s machine. Thus someone could use the ‘31656 to login with administrative powers, and then exploit the other bugs to pwn a device.

Both of these, ‘31658 and ‘31659, are dubbed “important” by VMware and ranked with a CVSS score of 8.0. And similar to the critical vuln that can be used in tandem with these two RCE, both affect VMware Workspace ONE Access, Identity Manager and vRealize Automation products.

In other patching news, the rsync project released updates to fix a vulnerability, tracked as CVE-2022-29154, that could allow miscreants to write arbitrary files inside directories of connecting peers.

Rsync is a tool for transferring and syncing files between remote and local machines, and exploiting this vulnerability could allow “a malicious rysnc server (or Man-in-The-Middle attacker) [to] overwrite arbitrary files in the rsync client target directory and subdirectories,” according to researchers Ege Balci and Taha Hamad, who discovered the bug.

That means a malicious server or MITM could overwrite, say, a victim’s ssh/authorized_keys file.

While these three VMware vulns deserve top patching priority, there are some other nasty bugs in the bunch. This includes three local privilege-escalation vulnerabilities (CVE-2022-31660, CVE-2022-31661 and CVE-2022-31664) in VMware Workspace ONE Access, Identity Manager, and vRealize Automation.

All three received CVSS scores of 7.8 and successful exploits would allow criminals with local access to escalate privileges to root — and from there, pretty much do whatever they want, such as steal information, install a backdoor, inject a trojan, or shut down the system entirely.

[…]

Source: VMware patches critical admin authentication bypass bug • The Register

Atlassian has warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that a pair of critical-rated flaws threaten their security.

The company’s July security advisories detail “Servlet Filter dispatcher vulnerabilities.”

One of the flaws – CVE-2022-26136 – is described as an arbitrary Servlet Filter bypass that means an attacker could send a specially crafted HTTP request to bypass custom Servlet Filters used by third-party apps to enforce authentication.

The scary part is that the flaw allows a remote, unauthenticated attacker to bypass authentication used by third-party apps. The really scary part is that Atlassian doesn’t have a definitive list of apps that could be impacted.

“Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability,” it added.

The same CVE can also be exploited in a cross-site scripting attack: a specially crafted HTTP request can bypass the Servlet Filter used to validate legitimate Atlassian Gadgets. “An attacker that can trick a user into requesting a malicious URL can execute arbitrary JavaScript in the user’s browser,” Atlassian explains.

The second flaw – CVE-2022-26137 – is a cross-origin resource sharing (CORS) bypass.

Atlassian explains it as follows: “Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions.”

Confluence users have another flaw to worry about: CVE-2022-26138 reveals that one of its Confluence apps has a hard-coded password in place to help migrations to the cloud. It explained:

Source: Atlassian reveals critical flaws across its product line • The Register

[…]

“The vulnerabilities,” explained the ESET Research team, “can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features.”

“It’s a typical UEFI ‘double GetVariable’ vulnerability,” the team added, before giving a hat tip to efiXplorer.

Lenovo has published an advisory on the matter this week: the CVE identifiers are CVE-2022-1890, CVE-2022-1891, CVE-2022-1892. All are related to buffer overflows and carry the risk that an attacker with local privileges will be able to execute arbitrary code. Their severity was rated as medium.

As for mitigation, updating the firmware is pretty much all customers can do, although not all products are affected by all three vulnerabilities. All of the products, however, do seem to be hit by CVE-2022-1892, a buffer overflow in the SystemBootManagerDxe driver.

The disclosure follows another three vulnerabilities patched in April, also concerned with UEFI on Lenovo kit. UEFI, or Unified Extensible Firmware Interface, is the glue connecting a device’s firmware with the operating system on top. A vulnerability there could potentially be exploited before a device gets a chance to boot its operating system and fire up malware protections, allowing the computer to become deeply infected and compromised.

ESET research noted that the flaws were a result of “insufficient validation of DataSize parameter passed to the UEFI Runtime Services function GetVariable.”

These vulnerabilities were caused by insufficient validation of DataSize parameter passed to the UEFI Runtime Services function GetVariable. An attacker could create a specially crafted NVRAM variable, causing buffer overflow of the Data buffer in the second GetVariable call. 3/6 pic.twitter.com/HC5ow6KTN0

— ESET research (@ESETresearch) July 13, 2022

ThinkPad hardware is not affected, probably to the relief of harassed enterprise administrators around the world. Other Lenovo device users should check the list and perform a firmware update if needed.

[…]

Source: Lenovo fixes trio of UEFI vulnerabilities • The Register

[…] CVE-2022-2319 and CVE-2022-2320 were made public this morning and both deal with the X.Org Server’s Xkb keyboard extension not properly validating input that could lead to out-of-bounds memory writes. Hopefully though in 2022 you aren’t relying on your xorg-server running as root.

Fixes for these XKB vulnerabilities have been patched in X.Org Server Git and xorg-server 21.1.4 point release is expected soon with these fixes. Both vulnerabilities were discovered by Trend Micro’s Zero Day Initiative.

More details in today’s X.Org Security Advisory.

Update: X.Org Server 21.1.4 is now available. In addition to these security fixes there is also a large number of XQuartz fixes from Apple, a GCC 12 build fix in the render code, a possible crash fix in the PRESENT code, and various other small fixes.

Source: X.Org Server Hit By New Local Privilege Escalation, Remote Code Execution Vulnerabilities – Phoronix

The directors of the UK Military Intelligence, Section 5 (MI5) and the US Federal Bureau of Investigation on Wednesday shared a public platform for the first time and warned of China’s increased espionage activity on UK and US intellectual property.

Speaking to an audience of business and academic leaders, MI5 director general Ken McCallum and FBI director Chris Wray argued that Beijing’s Made in China 2025 program and other self-sufficiency tech goals can’t be achieved without a boost from illicit activities.

“This means standing on your shoulders to get ahead of you. It means that if you are involved in cutting-edge tech, AI, advanced research or product development, the chances are your know-how is of material interest to the Chinese Communist Party,” said McCallum.

“And if you have, or are trying for, a presence in the Chinese market, you’ll be subject to more attention than you might think,” he added.

The Chinese Government sees cyber as the pathway to cheat and steal on a massive scale

McCallum described China’s efforts to acquire Western expertise, technology, research as a planned and professional “coordinated campaign on a grand scale” that has been strategically executed across decades.

China’s efforts have stepped up significantly, McCallum said, with MI5 running seven times as many investigations against Chinese activity today than in 2018.

“The most game-changing challenge we face comes from the Chinese Communist Party. It’s covertly applying pressure across the globe,” said McCallum. Threats MI5 is working to counter include covert theft of trade secrets, patient cultivation of contacts, and establishing a “debt of obligation.” Advanced persistent threats are deployed when needed, too.

The MI5 director also warned that China was working to change attitudes to suit the Chinese Communist Party’s interests and support it dominating the international order – and playing the long game to normalize mass theft as “the cost of doing business these days.”

Wray added that in the US, China’s efforts spare none and are visible in both big cities and small towns, Fortune 500s and startups, and across everything from aviation, to AI, to pharma.

The FBI director then referred to China’s hacking program as “lavishly resourced” and “bigger than that of every other major country combined.”

“The Chinese Government sees cyber as the pathway to cheat and steal on a massive scale,” said Wray.

Wray said the efforts were not just big, they were effective, offering the following insight on cyber attacks:

Over the last few years, we’ve seen Chinese state-sponsored hackers relentlessly looking for ways to compromise unpatched network devices and infrastructure.

And Chinese hackers are consistently evolving and adapting their tactics to bypass defenses. They even monitor network defender accounts and then modify their campaign as needed to remain undetected.

They merge their customized hacking toolset with publicly available tools native to the network environment—to obscure their activity by blending into the ‘noise’ and normal activity of a network.

However, he warned, it’s not just through hacking that the Chinese state-backed threats act, but “by making investments and creating partnerships that position their proxies to steal valuable technology.”

Wray described all Chinese companies as beholden to the Chinese Communist Party (CCP) in some form, with the government disguising its intent to obtain influence.

Efforts include creating elaborate shell games to outsmart government investment-screening programs, passing statutes like the 2015 critical infrastructure law that requires companies to store data domestically and convenient for government access. He cited a 2020 law that required malware-laden Chinese software be used by foreign companies filing taxes – forcing the companies into installing their own backdoors – as another example of the CCP at work.

On the same day as the two spook bosses issued their warnings, the US National Counterintelligence and Security Center issued a bulletin [PDF] offering more detail of China’s efforts by detailing tactics used by Beijing to infiltrate US business and government for the purpose of exerting influence.

Know your foe

The FBI, NCSC, and MI5 all warned against confusing the Chinese diaspora with the CCP and Beijing.

“If my remarks today elicit accusations of Sinophobia, from an authoritarian CCP, I trust you’ll see the irony,” said Wray.

Liu Pengyu, spokesperson for China’s embassy in Washington, responded on Wednesday denying interference, accusing the US of cyberattacks itself and characterizing criticism as “US politicians who have been tarnishing China’s image and painting China as a threat with false accusations.”

China’s foreign minister Wang Yi and US secretary of state Antony Blinken are scheduled to meet at the G20 Foreign Ministers’ meeting this week. The agenda, according to Chinese state-sponsored media is “to exchange views on current China-US relations and major international and regional issues.”

Source: FBI and MI5 bosses: China cheats and steals at massive scale • The Register

[…]

Jacuzzi’s SmartTub feature, like most Internet of Things (IoT) systems, lets users connect to their hot tub remotely via a companion Android or iPhone app. Marketed as a “personal hot tub assistant,” users can make use of the app to control water temperature, switch on and off jets, and change the lights.

But as documented by hacker Eaton Zveare, this functionality could also be abused by threat actors to access the personal information of hot tub owners worldwide, including their names and email addresses. It’s unclear how many users are potentially impacted, but the SmartTub app has been downloaded more than 10,000 times on Google Play.

[…]

Eaton first noticed a problem when he tried to log in using the SmartTub web interface, which uses third-party identity provider Auth0, and found that the login page returned an “unauthorized” error. But for the briefest moment Zveare saw the full admin panel populated with user data flash on his screen.

“Blink and you’d miss it. I had to use a screen recorder to capture it,” Zveare said. “I was surprised to discover it was an admin panel populated with user data. Glancing at the data, there is information for multiple brands, and not just from the U.S.” These brands include others under different Jacuzzi brands, including Sundance Spa, D1 Spas and ThermoSpas.

Eaton then tried to bypass the restrictions and obtain full access. He used a tool called Fiddler to intercept and modify some code that told the website that he was an admin rather than an ordinary user. The bypass was successful, enabling Zveare to access the admin panel in full.

“Once into the admin panel, the amount of data I was allowed to [access] was staggering. I could view the details of every spa, see its owner and even remove their ownership,” he said. “It would be trivial to create a script to download all user information. It’s possible it’s already been done.”

Things got worse when Zveare discovered a second admin panel while reviewing the source code of the Android app allowing him to view and modify the serial numbers of products, see a list of licensed hot tub dealers and view manufacturing logs.

[…]

 

Source: Security flaws in internet-connected hot tubs exposed owners’ personal data | TechCrunch

The US FBI issued a warning on Tuesday that it was has received increasing numbers of complaints relating to the use of deepfake videos during interviews for tech jobs that involve access to sensitive systems and information.

The deepfake videos include a video image or recording convincingly manipulated to misrepresent someone as the “applicant” for jobs that can be performed remotely. The Bureau reports the scam has been tried on jobs for developers, “database, and software-related job functions”. Some of the targeted jobs required access to customers’ personal information, financial data, large databases and/or proprietary information.

“In these interviews, the actions and lip movement of the person seen interviewed on-camera do not completely coordinate with the audio of the person speaking. At times, actions such as coughing, sneezing, or other auditory actions are not aligned with what is presented visually,” said the FBI in a public service announcement.

To lend an air of authenticity to their applications, the dodgy job seekers used stolen personal identification information. The victims whose data was stolen reported their identities being used for pre-employment background checks and more.

[…]

Source: FBI warns crooks are using deepfake videos in job interviews • The Register

[…]Cisco has just released fixes for seven flaws, two of which are not great.

First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its outdated small business routers that it’s not going to fix. In other words, junk your kit or somehow mitigate the risk.

[…]

The first security flaw, tracked as CVE-2022-20798, is an authentication bypass vulnerability in the virtual and hardware versions of Cisco Secure Email and Web Manager, and the Cisco Email Security Appliance. It occurs when the device uses Lightweight Directory Access Protocol (LDAP) for external authentication, and the good news is that Cisco disables external authentication by default.

A remote user could exploit the flaw “by entering a specific input on the login page of the affected device,” the networking titan warned in a security advisory this week. Once the intruder has gained unauthorized access, they could perform any number of illicit actions from the web-based interface including crashing the device.

Another high-severity flaw, CVE-2022-20664, in these same virtual and hardware appliances could allow a remote, authenticated user to steal credentials from a LDAP external authentication server connected to a device. However, exploiting this bug would require valid operator-level, or higher, credentials. It received a CVSS score of 7.7, and Cisco issued a software update to fix this bug, too.

More e-waste

The second critical vulnerability exists in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W routers, which the vendor stopped selling [PDF] in 2019. Cisco isn’t issuing a fix for this one, and said there’s no workaround. Instead, customers should upgrade to newer hardware.

The flaw, tracked as CVE-2022-20825, also received a 9.8 CVSS score, and it’s due to insufficient user input validation of incoming HTTP packets.

“An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface,” according to Cisco’s security alert. “A successful exploit could allow the attacker to execute arbitrary commands on an affected device using root-level privileges,” and also stop and restart the device, resulting in a denial of service.

In addition to the two critical and one high-severity vulnerabilities, Cisco disclosed an additional four medium-severity flaws on Wednesday.

[…]

Source: Time to throw out those older, vulnerable Cisco SMB routers • The Register

GitHub has revealed it stored a “number of plaintext user credentials for the npm registry” in internal logs following the integration of the JavaScript package registry into GitHub’s logging systems.

The information came to light when the company today published the results of its investigation into April’s unrelated OAuth token theft attack, where it described how an attacker grabbed data including the details of approximately 100,000 npm users.

The code shack went on to assure users that the relevant log files had not been leaked in any data breach; that it had improved the log cleanup; and that it removed the logs in question “prior to the attack on npm.”

GitHub already sent out notifications for “known victims of third-party OAuth token theft” in April but today said it planned to “directly notify affected users of the plaintext passwords and GitHub Personal Access Tokens based on our available logs.”

Credentials in plaintext, eh? How very last century.

The number of users affected and how long the plaintext storage took place was not mentioned, but we’ve asked Github for more information. GitHub completed its acquisition of NPM Inc on 15 April 2020. Techies have already taken to the Hacker News messaging board to detail emails they received from npm.

[…]

Source: GitHub saved plaintext passwords of npm users in log files • The Register

EU countries and lawmakers agreed on Friday to tougher cybersecurity rules for large energy, transport and financial firms, digital providers and medical device makers amid concerns about cyber attacks by state actors and other malicious players.

The European Commission two years ago proposed rules on the cybersecurity of network and information systems called NIS 2 Directive, in effect expanding the scope of the current rule known as NIS Directive.

The new rules cover all medium and large companies in essential sectors – energy, transport, banking, financial market infrastructure, health, vaccines and medical devices, drinking water, waste water, digital infrastructure, public administration and space.

All medium and large firms in postal and courier services, waste management, chemicals, food manufacturing, medical devices, computers and electronics, machinery equipment, motor vehicles, and digital providers such as online market places, online search engines, and social networking service platforms will also fall under the rules.

The companies are required to assess their cybersecurity risk, notify authorities and take technical and organisational measures to counter the risks, with fines up to 2% of global turnover for non-compliance.

EU countries and EU cybersecurity agency ENISA could also assess the risks of critical supply chains under the rules.

[…]

Source: EU governments, lawmakers agree on tougher cybersecurity rules for key sectors | Reuters

This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.

Security Advisory Status

F5 Product Development has assigned IDs 1033837, 1051561, and 1052837 (BIG-IP) to this vulnerability. This issue has been classified as CWE-306: Missing Authentication for Critical Function.

Source: BIG-IP iControl REST vulnerability CVE-2022-1388

Three vulnerabilities were reported today: CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972. The latter two are particularly embarrassing since they are related to UEFI firmware drivers used in the manufacturing process and can be used to disable SPI flash protections or the UEFI Secure Boot feature.

“UEFI threats can be extremely stealthy and dangerous,” said ESET researcher Martin Smolár, who discovered the vulnerabilities. “They are executed early in the boot process, before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations higher in the stack that could prevent their operating system payloads from being executed.”

For the devices affected by CVE-2021-3971 and CVE-2021-3972 (consumer Lenovo Notebook hardware, by the look of things), Lenovo’s advice is to grab an update for the firmware. Some updates, however, will not be available until May.

CVE-2021-3970, which ESET researchers uncovered while digging into the other vulnerabilities, is a memory corruption issue, which could lead to deployment of an SPI flash implant.

Lenovo’s advisory describes CVE-2021-3970 as a “potential vulnerability in Lenovo Variable SMI Handler due to insufficient validation in some Lenovo Notebook models [that] may allow an attacker with local access and elevated privileges to execute arbitrary code.”

Source: ESET uncovers vulnerabilities in Lenovo laptops • The Register

The cloud-hosted software version control service released versions 14.9.2, 14.8.5, and 14.7.7 of its self-hosted CE and EE software, fixing one “critical” security vulnerability (CVE-2022-1162), as well as two rated “high,” nine rated “medium,” and four rated “low.”

“A hard-coded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts,” the company said in its advisory.

It appears from the changed files the password.rb module generated a fake strong password for testing by concatenating “123qweQWE!@#” with a number of “0”s equal to the difference of User.password_length.max, which is user-set, and DEFAULT_LENGTH, which hard-coded with the value 12.

So if an organization configured its own instance of GitLab to accept passwords of no more than 21 characters, it looks like that an account takeover attack on that GitLab installation could use the default password of “123qweQWE!@#000000000” to access accounts created via OmniAuth.

The bug, with a 9.1 CVSS score, was found internally by GitLab and the fix has been applied to the company’s hosted service already, in conjunction with a limited password reset.

[…]

Source: GitLab issues security fix for easy account takeover flaw • The Register

This article explores a phishing technique that simulates a browser window within the browser to spoof a legitimate domain.

Introduction

For security professionals, the URL is usually the most trusted aspect of a domain. Yes there’s attacks like IDN Homograph and DNS Hijacking that may degrade the reliability of URLs but not to an extent that makes URLs unreliable.

All of this eventually lead me to think, is it possible to make the “Check the URL” advice less reliable? After a week of brainstorming I decided that the answer is yes.

Pop-Up Login Windows

Quite often when we authenticate to a website via Google, Microsoft, Apple etc. we’re provided a pop-up window that asks us to authenticate. The image below shows the window that appears when someone attempts to login to Canva using their Google account.

Replicating The Window

Fortunately for us, replicating the entire window design using basic HTML/CSS is quite simple. Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and its basically indistinguishable. The image below shows the fake window compared with the real window. Very few people would notice the slight differences between the two.

JavaScript can be easily used to make the window appear on a link or button click, on the page loading etc. And of course you can make the window appear in a visually appealing manner through animations available in libraries such as JQuery.

Demo

Custom URL on-hover

Hovering over a URL to determine if it’s legitimate is not very effective when JavaScript is permitted. HTML for a link generally looks like this:

<a href="https://gmail.com">Google</a>

If an onclick event that returns false is added, then hovering over the link will continue to show the website in the href attribute but when the link is clicked then the href attribute is ignored. We can use this knowledge to make the pop-up window appear more realistic.

<a href="https://gmail.com" onclick="return launchWindow();">Google</a>

function launchWindow(){
    // Launch the fake authentication window
    return false; // This will make sure the href attribute is ignored
}

Available Templates

I’ve created templates for the following OS and browser:

• Windows – Chrome (Light & Dark Mode)
• Mac OSX – Chrome (Light & Dark Mode)

The templates are available on my Github here.

Conclusion

With this technique we are now able to up our phishing game. The target user would still need to land on your website for the pop-up window to be displayed. But once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so).

Source: Browser In The Browser (BITB) Attack | mr.d0x

The flaw, tracked as CVE-2022-0778, was reported to the OpenSSL Project by Google vulnerability researcher Tavis Ormandy.

The security hole affects OpenSSL versions 1.0.2, 1.1.1 and 3.0, and it has been fixed with the release of versions 1.0.2zd (for premium support customers), 1.1.1n and 3.0.2. Version 1.1.0 is also impacted, but it’s no longer supported and will not receive a patch.

Exploitation of the vulnerability is possible in certain situations, and it can lead to a DoS attack against a process that parses externally supplied certificates.

“The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli,” the OpenSSL Project explained in its advisory. “Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.”

“It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters,” the advisory reads.

Source: High-Severity DoS Vulnerability Patched in OpenSSL | SecurityWeek.Com