DoppelPaymer Hacked Bretagne Télécom Using the Citrix ADC Flaw
24.2.2020 Bleepingcomputer Vulnerebility
Cloud services provider Bretagne Télécom was hacked by the threat actors behind the DoppelPaymer Ransomware using an exploit that targeted servers unpatched against the CVE-2019-19781 vulnerability.
Bretagne Télécom is a privately held French cloud hosting and enterprise telecommunications company that provides telephony, Internet and networking, hosting, and cloud computing services to roughly 3,000 customers, operating around 10,000 managed servers.
In their case, it's a story with a happy outcome (at least partially, as explained below) seeing that the ransomware attack didn't lead to any lost data or a paid ransom since the company was able to restore all the encrypted systems from readily available backups on Pure Storage FlashBlade arrays.
Almost 30 TB of encrypted data
As Bretagne Télécom CEO Nicolas Boittin says, the servers were vulnerable to attacks because there were no patches available yet from Citrix for the CVE-2019-19781 vulnerability when the threat actors managed to drop the DoppelPaymer Ransomware payload on the compromised servers.
DoppelPaymer confirmed this information in an email sent to BleepingComputer, saying that the attack took place "Somewhere at the 1st half of January."
Attackers started scanning for vulnerable servers on January 8, with exploits becoming available two days later. Citrix started releasing permanent fixes for all vulnerable Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances on January 19, with the final patch being published on January 24.
After infiltrating one of Bretagne Télécom's server farms, DoppelPaymer's operators were able to encrypt 148 machines running application servers on Windows 7, Windows 8, and Windows 10, and containing data belonging to "around thirty small business customers", as Bretagne Télécom CEO Nicolas Boittin told LeMagIT.
The attack happened in the middle of the night, leaving every bit of information on the hacked systems "completely encrypted" according to Boittin.
As the company later found out, the operators behind DoppelPaymer Ransomware were asking for a ransom of 35 bitcoins (~$330K) for their 'decryption services'.
Bretagne Télécom's info on the DoppelPaymer leak site
Fortunately, unlike many other victims that had their data encrypted by DoppelPaymer before them, Bretagne Télécom was able to restore customers' data quite fast using the Pure Storage FlashBlade arrays' Rapid Restore feature and the five days worth of backup snapshots they provided.
The recovery process began by restarting all encrypted servers one by one without a network connection, Boittin said.
"We found the time when the attackers installed the scheduled encryption tasks. Once these tasks and the malware were removed, we were able to return to operational conditions."
While for some customers who had less stored on their servers the restoration process took around six hours, there were cases where Bretagne Télécom had to work for as much as three days in a row to restore some of their customers' impacted systems.
"It is not the first time that this has happened to customers. But most of the time, they are self-managing, so we didn't interfere," Boittin added.
"Ransomware from our customers, there may not be one per month, but not far. And we never paid. I refuse to fuel a parallel economy where we would give pirates the means to improve their systems to attack us again."
Some data was stolen during the attack
While Bretagne Télécom's CEO says that the company wasn't taken hostage, the DoppelPaymer actors did upload some sample data to their leak site over the weekend as shown in the screenshot above.
They also published sample stolen data from a US merchant account firm that was asked to pay a 15 bitcoins (~$150K) ransom, a South African logistics & supply chain company that was sent a 50 bitcoins (~$500K) ransom, and Mexico's state-owned oil company Pemex that got hit with a 568 bitcoins ($4.9 million at the time) on November 10th, 2019.
Although in the case of Pemex the hackers stole a large number of files before encrypting the company's servers, DoppelPaymer told BleepingComputer that they barely stole a small number of files because there was "nothing interesting" to be stolen and it was not their goal.
DoppelPaymer has been encrypting victims' data since at least mid-June 2019, it comes with a continuously upgraded feature set and it got its name from BitPaymer, with which it's sharing large portions of code. Its operators, however, have added modifications such as a threaded encryption process for quicker operation.
This once again goes to show that ransomware attacks should be treated as data breaches as we've been saying for a while now given that starting with Maze Ransomware in November 2019, Sodinokibi, Nemty, and BitPyLock have all shared their plans to adopt the same tactic (1, 2, 3).
Companies that have their systems encrypted by ransomware aren't yet treating such incidents as data breaches although sensitive records now also get harvested and exfiltrated before the actual encryption takes place.
This will most likely no longer be the case soon enough, as lawmakers will most likely take notice and push out legislation requiring data breach notifications following ransomware attacks.
Kr00k Bug in Broadcom, Cypress WiFi Chips Leaks Sensitive Info
24.2.2020 Bleepingcomputer Vulnerebility
A vulnerability in some popular WiFi chips present in client devices, routers, and access points, can be leveraged to partially decrypt user communication and expose data in wireless network packets.
The flaw received the name Kr00k and was identified in components from Broadcom and Cypress, which are integrated into mobile phones, tablets, laptops, IoT gadgets. By current conservative estimates, over one billion devices are affected.
All-zero session key
Researchers at security company ESET, who found the vulnerability, explain that exploitation causes unpatched devices to "use an all-zero encryption key to encrypt part of the user’s communication."
Kr00k is now identified as CVE-2019-15126 and affects both WPA2-Personal and WPA2-Enterprise protocols using AES-CCMP encryption for data integrity and confidentiality, the researchers say.
It is related to KRACK (Key Reinstallation Attack), a flaw in the 4-way handshake of the WPA2 protocol, discovered by security researchers Mathy Vanhoef and Frank Piessens, and disclosed publicly in October 2017.
"In the beginning of our research, we found Kr00k to be one of the possible causes behind the “reinstallation” of an all-zero encryption key, observed in tests for KRACK attacks."
A device establishes a connection to an access point in multiple stages, with the WPA2 (Wi-Fi Protected Access II) protocol ensuring mutual authentication of the two parties via the Pre-Shared Key (PSK), which is the WiFi password.
The 4-way handshake process establishes cryptographic keys for data integrity and confidentiality, one of them being the Pairwise Transient Key (PTK). This is split into other keys that have various purposes.
The one relevant in the context of Kr00k exploitation is the 128-bit Temporal Key (TK), which encrypts unicast data frames between the client and the access point.
A client moving from one place to another may connect to multiple access points (association, reassociation) or lose its connection due to interference (disassociation).
ESET researchers explain that Kr00k occurs after a disassociation stage, when the TK stored in the WiFi chip is set to zero, a.k.a. cleared in memory.
While this is a normal process, sending out all the data frames left in the chip's transmit buffer (Tx) after being encrypted with the all-zero TK is not.
Unlike KRACK, which is an attack occurring during the 4-way handshake, Kr00k is a vulnerability that can be leveraged after triggering a disassociation state.
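The sequence ESET describes (key cleared on disassociation, leftover transmit buffer flushed afterwards) is easier to reason about as a small state model. The following is an added example, not ESET's code; it uses a hashlib-based keystream as a stand-in for AES-CCMP so it runs offline, and the TK value and frames are constructed samples. The vulnerable path transmits the buffered frame under the all-zero key; the fixed path refuses to transmit without a key and discards the buffer, which is the behaviour a firmware fix has to guarantee.

```python
"""Model of the Kr00k transmit-path defect and the firmware-level fix.

Added example, not ESET's code. It models the sequence described above: on
disassociation the chip clears the 128-bit Temporal Key (TK) to all-zero, and
the vulnerable firmware then flushes whatever is still in the transmit (Tx)
buffer, so those frames go out encrypted under the zero key. The cipher is a
hashlib-based keystream stand-in for AES-CCMP so the script runs offline; the
point is the ordering of "clear key" and "flush buffer", not the cipher.
The frames and the TK value are constructed samples.
"""
import hashlib

ZERO_TK = bytes(16)


def keystream_xor(tk: bytes, pn: int, data: bytes) -> bytes:
    # Stand-in for CCMP: keystream = SHA-256(TK || packet number || block counter),
    # XORed into the data. XOR makes this symmetric: the same call decrypts.
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(tk + pn.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class WifiChip:
    """Minimal model of a chip's unicast transmit path."""

    def __init__(self, tk: bytes, fixed: bool):
        self.tk = tk
        self.pn = 0             # CCMP packet number, incremented per frame
        self.tx_buffer = []
        self.fixed = fixed
        self.on_air = []        # (pn, ciphertext) pairs a passive sniffer would capture

    def queue(self, frame: bytes) -> None:
        self.tx_buffer.append(frame)

    def flush(self) -> None:
        if self.fixed and self.tk == ZERO_TK:
            # Fixed behaviour: no key, no transmission; buffered frames are discarded.
            self.tx_buffer.clear()
            return
        for frame in self.tx_buffer:
            self.on_air.append((self.pn, keystream_xor(self.tk, self.pn, frame)))
            self.pn += 1
        self.tx_buffer.clear()

    def disassociate(self) -> None:
        self.tk = ZERO_TK   # clearing the key in memory is the normal part
        self.flush()        # transmitting the leftover buffer afterwards is the defect


def zero_key_readable(chip: WifiChip) -> list:
    """Frames a passive observer recovers by trying the all-zero key on every capture.

    No PSK or session key is needed. Frames protected by the real TK decrypt
    to noise under the zero key and fail the plain-ASCII test below.
    """
    readable = []
    for pn, ct in chip.on_air:
        pt = keystream_xor(ZERO_TK, pn, ct)
        if pt and all(32 <= b < 127 or b in (9, 10, 13) for b in pt):
            readable.append(pt)
    return readable


def simulate(fixed: bool) -> list:
    chip = WifiChip(tk=bytes(range(16)), fixed=fixed)   # constructed TK, not a real session key
    chip.queue(b"GET /account HTTP/1.1\r\nHost: example.test\r\n")
    chip.flush()                                         # sent under the real TK
    chip.queue(b"Cookie: session=constructed-sample-token\r\n")
    chip.disassociate()                                  # this frame is still in the Tx buffer
    return zero_key_readable(chip)


if __name__ == "__main__":
    print("vulnerable firmware leaks:", simulate(fixed=False))
    print("fixed firmware leaks:     ", simulate(fixed=True))
```

The frame sent before disassociation stays protected in both runs; only the frame left in the buffer at the moment the key is cleared differs, which is exactly the slice of traffic ESET reports as exposed.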
Exploitation potential
Exploiting the vulnerability is possible by inducing a disassociation state on the target device, which is trivial via a deauthentication attack: it requires only the victim device's MAC address and sending a management frame that is processed as is, unauthenticated and unencrypted.
An adversary can intercept the data frames remnant in the transmit buffer and decrypt them, potentially capturing sensitive information.
"This is possible even if the attacker is not connected (authenticated and associated) to the WLAN (e.g. doesn’t know the PSK) – by using a WNIC in monitor mode – which is what would make Kr00k advantageous for the attackers, compared to some other attack techniques used against Wi-Fi security," explains ESET.
An attacker in the proximity of the victim can keep triggering disassociations to capture a larger number of network packets (DNS, ARP, ICMP, HTTP, TCP) that could contain sensitive information.
Vulnerable products
Given that Broadcom chips are used in most WiFi gadgets and those from Cypress are preferred by IoT makers, it is safe to assume that at the time of the discovery Kr00k impacted at least one billion devices.
Prior to patching, ESET found that the following devices were vulnerable to Kr00k:
Amazon Echo 2nd gen
Amazon Kindle 8th gen
Apple iPad mini 2
Apple iPhone 6, 6S, 8, XR
Apple MacBook Air Retina 13-inch 2018
Google Nexus 5
Google Nexus 6
Google Nexus 6S
Raspberry Pi 3
Samsung Galaxy S4 GT-I9505
Samsung Galaxy S8
Xiaomi Redmi 3S
Asus RT-N12
Huawei B612S-25d
Huawei EchoLife HG8245H
Huawei E5577Cs-321
The researchers did not see the vulnerability in products with WiFi chips from Qualcomm, Realtek, Ralink, and Mediatek.
The flaw was disclosed responsibly to Broadcom and Cypress, which issued a firmware fix to vendors. The update should be available for devices that are still in support, and users should install it where it is not applied automatically.
The Industry Consortium for Advancement of Security on the Internet (ICASI) was also notified of the problem to make sure that other WiFi chip manufacturers learn about Kr00k and check if their products are vulnerable.
Full details about Kr00k are available on a dedicated page as well as in a technical paper authored by Miloš Čermák, Štefan Svorenčík and Robert Lipovský, in collaboration with Ondrej Kubovič.
ESET is scheduled to present their findings at the RSA Conference today and at Nullcon in early March.
Multiple WordPress Plugin Vulnerabilities Actively Being Attacked
24.2.2020 Bleepingcomputer Vulnerebility
Cybercriminals are taking advantage of security flaws recently reported in popular WordPress plugins and are targeting websites that still run vulnerable versions.
At least two threat actors are actively attacking unpatched variants of ThemeGrill Demo Importer, Profile Builder, and Duplicator plugins which are installed on.
What the three WordPress components have in common are recent reports of a critical severity bug that could be exploited to compromise the website they run on.
Researchers estimate that there are hundreds of thousands of WordPress website currently at risk of exploitation because admins have not updated the three plugins.
Lazy Tony
One adversary security researchers call 'tonyredball' gets backdoor access to websites that run a vulnerable version of the following two plugins:
ThemeGrill Demo Importer (below 1.6.3) - the bug allows unauthenticated users to log in as administrator and wipe the site's entire database
Profile Builder free and Pro (below 3.1.1) - flaw allows an unauthenticated user to gain administrator privileges
WordPress security experts at Defiant observed tonyredball exploiting the administrator registration vulnerability in Profile Builder via requests that contained the username, email, and other profile details of the new administrator account.
However, the researchers noticed that this threat actor engaged in a much larger number of attacks that took advantage of the database deletion flaw in ThemeGrill Demo Importer.
The likely reason for this behavior is that the ThemeGrill glitch is easier to exploit, since it only requires sending a request to a vulnerable installation. Profile Builder demands more effort because the attacker has to find the vulnerable form first.
"The end result of exploiting either of these vulnerabilities is administrative access to the victim’s site. With this access, the attacker uploads malicious scripts through the plugin and theme uploaders in the WordPress dashboard" - Mikey Veenstra, threat analyst at Defiant, maker of Wordfence
The attacker uses multiple variants of the script, which is associated with several filenames, the most common being blockspluginn.php, wp-block-plugin.php, supersociall.php, wp-block-plugin.php, and wp-hello-plugin.php.
Following exploitation, the threat actor delivers payloads designed to infect more files, for persistence. Looking for other vulnerable WordPress sites is another behavior the researchers observed.
In some cases, the attacker injects malicious code in legitimate JavaScript files. The purpose of the code is to load another script from an external source, which redirects site visitors to a potentially malicious location.
The redirect is not sophisticated and easy to spot at the moment but the attacker can modify the scripts to be sneakier. In one example, visitors are taken to a website ('talktofranky.com') that asks them to press Allow on the browser notification pop up, to prove they are human.
If visitors comply, they give permission to receive notifications from that site, including spam and. Veenstra found a discussion forum about this campaign, suggesting that it claimed some victims.
According to the researcher, the attacks from tonyredball originate from one primary IP address, 45.129.96.17, allocated to the Estonian hosting provider GMHost, known for its loose policy inviting cybercriminal activity.
There is no definite figure on how many websites are vulnerable because of unpatched plugins. Veenstra told BleepingComputer that Defiant's estimation places Profile Builder with about 37,000 vulnerable sites and ThemeGrill Demo Importer with about 40,000.
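The indicators in this section (the source address attributed to tonyredball, the dropped-script filenames, and the redirect domain) are the kind of thing a site owner can sweep access logs and the document root for. The following scanner is an added example, not Wordfence/Defiant code; the log lines, file paths and JavaScript snippet are constructed samples in Apache combined-log format, and the indicator sets are taken verbatim from the text above.

```python
"""Sweep access logs, file paths and JavaScript for the campaign indicators named above.

Added example, not Wordfence/Defiant code. Indicators come from the article:
the source IP 45.129.96.17, the dropped-script filenames, and the redirect
destination talktofranky.com. All sample data below is constructed.
"""
import re

ATTACKER_IPS = {"45.129.96.17"}
DROPPED_SCRIPT_NAMES = {
    "blockspluginn.php",
    "wp-block-plugin.php",
    "supersociall.php",
    "wp-hello-plugin.php",
}
REDIRECT_DOMAIN = "talktofranky.com"

# Apache combined log: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def basename(path: str) -> str:
    # Drop any query string, then take the last path component.
    return path.split("?", 1)[0].rsplit("/", 1)[-1]


def scan_access_log(lines):
    """Return (line_number, reason) pairs for lines matching a known indicator."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        if m.group("ip") in ATTACKER_IPS:
            findings.append((lineno, "request from IP attributed to the campaign"))
        if basename(m.group("path")) in DROPPED_SCRIPT_NAMES:
            findings.append((lineno, "request for a known dropped-script filename"))
    return findings


def scan_paths(paths):
    """Return the file paths whose basename matches a dropped-script filename."""
    return [p for p in paths if basename(p) in DROPPED_SCRIPT_NAMES]


def js_references_redirect_domain(source: str) -> bool:
    """True if a JavaScript file mentions the redirect destination seen in the campaign."""
    return REDIRECT_DOMAIN in source


# Constructed sample data
SAMPLE_LOG = [
    '45.129.96.17 - - [17/Feb/2020:03:12:44 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Feb/2020:03:13:01 +0000] "GET /wp-content/plugins/hello/supersociall.php HTTP/1.1" 200 91 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Feb/2020:03:14:10 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]
SAMPLE_PATHS = [
    "/var/www/html/wp-content/plugins/hello/supersociall.php",
    "/var/www/html/wp-content/themes/twentytwenty/functions.php",
    "/var/www/html/wp-block-plugin.php",
]
SAMPLE_JS = "function init(){};window.location.href='https://talktofranky.com/';"


if __name__ == "__main__":
    for lineno, reason in scan_access_log(SAMPLE_LOG):
        print(f"log line {lineno}: {reason}")
    for path in scan_paths(SAMPLE_PATHS):
        print(f"suspicious file: {path}")
    print("js redirect indicator:", js_references_redirect_domain(SAMPLE_JS))
```

A hit on the IP alone is weak evidence (hosting providers reassign addresses), but a request for one of the dropped filenames, or the file itself present on disk, warrants the full incident response the article describes: assume administrative access was obtained, rotate credentials, and rebuild from a clean copy rather than deleting the one file found.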
Another player with a larger list
A more sophisticated attacker identified by Defiant is "solarsalvador1234," named so because of an email address used in the requests leading to exploitation.
Besides the two plugins targeted by tonyredball, this threat actor also has Duplicator on the list, a WordPress component with over one million active installations that allows cloning and migrating a website from one location to another. It can also copy or move, so it can be used as a backup solution, too.
Duplicator versions lower than 1.3.28 have a security bug that allows unauthenticated users to download arbitrary files from victim sites.
This can be used to retrieve the site's configuration file, wp-config.php, where credentials for database access are stored; and this is exactly what solarsalvador1234 does. The immediate purpose is to establish long-term access to the compromised site.
Administrative access to a victim site is what attackers obtain by exploiting any of the three vulnerabilities already disclosed publicly and patched.
Based on update rates in the network, Defiant estimates that around 800,000 sites may still run a vulnerable installation of the Duplicator plugin.
Veenstra warns that these campaigns are not the only ones active but serve as a reminder to website owners to keep updated the WordPress components they use.
"When a security update is released, make it an immediate priority to install it. The threat actors facing the WordPress ecosystem quickly identify and exploit vulnerabilities, which compounds the importance of timely action to protect your infrastructure."
New Critical RCE Bug in OpenBSD SMTP Server Threatens Linux Distros
24.2.2020 Bleepingcomputer Vulnerebility
Security researchers have discovered a new critical vulnerability in the OpenSMTPD email server. An attacker could exploit it remotely to run shell commands as root on the underlying operating system.
OpenSMTPD is present on many Unix-based systems, including FreeBSD, NetBSD, macOS, Linux (Alpine, Arch, Debian, Fedora, CentOS).
Bug present since late 2015
Tracked as CVE-2020-8794, the remote code execution bug is present in OpenSMTPD's default installation. Proof-of-concept (PoC) exploit code has been created and will be released tomorrow, February 26.
Researchers at Qualys published a technical report, noting that the issue is an out-of-bounds read introduced in December 2015 with commit 80c6a60c.
They explain that leveraging it for code execution with root privileges is possible only on OpenSMTPD versions released after May 2018, commit a8e22235. On previous releases, shell commands can run as non-root.
PoC ready, to be released
There are two exploitation scenarios possible. On the client side, the glitch can be exploited remotely if OpenSMTPD runs with its default configuration. By default, the installation accepts messages from local users and delivers them to remote servers.
"If such a remote server is controlled by an attacker (either because it is malicious or compromised, or because of a man-in-the-middle, DNS, or BGP attack -- SMTP is not TLS-encrypted by default), then the attacker can execute arbitrary shell commands on the vulnerable OpenSMTPD installation" - Qualys
Server-side exploitation is possible when the attacker connects to the OpenSMTPD server and sends an email that creates a bounce.
When OpenSMTPD connects back to deliver the bounce, the attacker can take advantage of the client-side vulnerability.
"Last, for their shell commands to be executed, the attacker must (to the best of our knowledge) crash OpenSMTPD and wait until it is restarted (either manually by an administrator, or automatically by a system update or reboot)" - Qualys
The PoC created by Qualys has been tested successfully on the current OpenBSD 6.6, OpenBSD 5.9, Debian 10, Debian 11 and Fedora 31. Given that it will become public tomorrow, system administrators are urged to apply the latest patches.
The fix is delivered in OpenSMTPD 6.6.4p1, available here, which the developer recommends installing "AS SOON AS POSSIBLE."
On OpenBSD, binary patches are available by running the 'syspatch' command and confirming that OpenSMTPD restarted:
$ doas syspatch
Tesla Pays $10K for Microsoft SQL Server Reporting Services Bug
23.2.2020 Bleepingcomputer Vulnerebility
Tesla paid a $10,000 bounty for a vulnerability in Microsoft SQL Server Reporting Services (SSRS) that had received a patch five days before getting the bug report.
The issue was tagged as a server-side injection that led to remote code execution. German bug hunter parzel found it in a Tesla server for partners, which qualified for a reward.
Easy pickings
Tracked as CVE-2020-0618, the vulnerability received a patch on February 11, just four days before parzel submitted his report via the crowdsourced security platform Bugcrowd.
parzel found the unpatched Tesla server by searching for domains that hosted a vulnerable service.
He then chose from the source code some strings that could be used as fingerprints and checked them for matches on Tesla domains that were included in the bug bounty program.
Tesla responded to parzel's report by acknowledging the security lapse, awarding him $10,000, and taking the vulnerable SQL reporting service offline. The report was made public on Wednesday.
PoC available
SSRS is used to create, deploy, and manage reports that can be viewed in a web browser and a layout optimized for the device that accesses them.
MDSec researcher Soroush Dalili, found CVE-2020-0618 and reported it to Microsoft. On February 14, after a patch had been available for three days, he published technical details about the vulnerability and provided details about how it could be exploited.
In the proof-of-concept (PoC), Dalili showed the exact steps that led to obtaining a reverse shell after sending an HTTP request with a payload generated in PowerShell.
Unpatched SSRS servers fail to handle some specially crafted page requests correctly, and a deserialization issue emerges. Hackers exploiting the security vulnerability need only be authenticated, even with minimum privileges.
The technical write-up published by MDSec helped parzel speed up the process of finding the vulnerable Tesla server. The bug hunter in a tweet on Wednesday acknowledges the effort and clarity of the information in Dalili's report.
Thanks to @MDSecLabs for their awesome writeup: https://t.co/bFYNAZzhll
— parzel (@parzel2) February 18, 2020
Applying patches as soon as they become available is not an easy thing for a larger company, but some effort should be made to strengthen the security of known vulnerable assets.
In this case, Tesla got a tip about the unpatched server and awarded the reporter but considering the low difficulty in exploiting the bug and that the details were already public, the company may actually have saved some money by paying the bounty.
Firefox 73.0.1 Released With Fixes for Linux, Windows Crashes
22.2.2020 Bleepingcomputer Vulnerebility
Mozilla has released Firefox 73.0.1 today, February 18th, 2020, to the Stable desktop channel for Windows, macOS, and Linux with crash fixes for users of Windows and Linux devices.
This release also fixes a loss of browser functionality in certain circumstances and RBC Royal Bank website connectivity problems.
Windows, Mac, and Linux desktop users can upgrade to Firefox 73.0.1 by going to Options -> Help -> About Firefox and the browser will automatically check for the new update and install it when available.
Bugs fixed in 73.0.1
Firefox 73.0.1 resolved startup crashes caused by third-party security software such as G DATA and 0patch when running on Windows systems, an issue reported a month ago that would cause the web browser's user interface to lock and prevent opening any URLs.
Mozilla also mentioned this issue in the release notes for the 73.0 version saying that "Users with 0patch security software may encounter crashes at startup after updating to Firefox 73. This will be fixed in a future Firefox release. As a workaround, an exclusion for firefox.exe can be added within the 0patch settings."
This release also fixed a loss of browser functionality when the users enable custom anti-exploit settings or when the web browser is running in Windows compatibility mode. This bug would prevent users from opening any URLs as user reports confirmed (1, 2, 3) after updating to Firefox 73.
Browser crashes affecting some Linux users (Arch, Fedora Rawhide, and more) when playing encrypted content with the new Widevine plugin were also resolved in the 73.0.1 build.
Last but not least, Firefox 73.0.1 fixes an issue that would lead to an unexpected exit when leaving Print Preview mode and resolves connectivity problems when trying to visit the RBC Royal Bank website.
Download Firefox 73.0.1
You can download Firefox 73.0.1 from the following links:
Firefox 73.0.1 for Windows 64-bit
Firefox 73.0.1 for Windows 32-bit
Firefox 73.0.1 for macOS
Firefox 73.0.1 for Linux 64-bit
Firefox 73.0.1 for Linux 32-bit
If the above download links have not yet been updated to point to the Firefox 73.0.1 release, you can download it for your platform from Mozilla's FTP release directory.
New DNS over HTTPS provider added in 73.0
The previous Firefox stable release added NextDNS as a new DoH provider, bug fixes and developer changes, as well as default zoom setting and high contrast theme improvements.
NextDNS can now be used as an additional provider with Firefox's DNS over HTTPS (DoH) feature, which encrypts all DNS requests to prevent tracking and improve privacy while browsing the web.
To enable DoH in Firefox and configure it to use NextDNS, you can go to Options -> General -> Network Settings. Then you have to scroll down and check 'Enable DNS over HTTPs' and select NextDNS as the provider.
NextDNS DoH provider in Firefox
This is a welcome change for users since, when the DoH feature was first released, Mozilla only included support for Cloudflare's DoH servers by default, which raised concerns that too much control over Firefox users' data was being handed to a single company.
Unsafe WordPress Plugin Installed on Nearly 200,000 Sites
22.2.2020 Bleepingcomputer Vulnerebility
The developers of the ThemeGrill Demo Importer for WordPress have updated the plugin to remove a critical bug that gives admin privileges to unauthenticated users.
In the process of getting logged in as an administrator, the attackers also restore the site's entire database to its default state.
Most active versions vulnerable
The component, which is used for easy import of ThemeGrill themes demo content, widgets, and settings, is present on more than 200,000 WordPress sites. A vulnerable version runs on most of them.
The bug is present in versions of the ThemeGrill Demo Importer plugin 1.3.4 up to 1.6.1. The most popular active versions, according to statistics from the official WordPress plugin repository, are 1.4 through 1.6, which account for more than 98% of the current installations.
Wiping the database of a vulnerable site requires a theme developed by ThemeGrill to be active. Since the plugin is installed, there is a chance that a theme from the developer is active.
Getting logged in automatically as an administrator account also has a prerequisite, which is the presence in the dropped database of a user called "admin," note the researchers from WebARX, a web security company that provides vulnerability detection and virtual patching software to keep websites safe from bugs in third-party components.
"Once the plugin detects that a ThemeGrill theme is installed and activated, it loads the file /includes/class-demo-importer.php which hooks reset_wizard_actions into admin_init on line 44."
The researchers explain that the 'admin_init' hook runs in the admin environment and also calls to '/wp-admin/admin-ajax.php' that does not require an authenticated user.
The lack of authentication is what makes exploitation possible. An unauthenticated attacker could use this to be logged in, if the "admin" user exists in the database, and drop all the WordPress tables that start with a defined database prefix.
"Once all tables have been dropped, it will populate the database with the default settings and data after which it will set the password of the “admin” user to its previously known password."
WebARX researchers discovered the vulnerability on February 6 and reported it to the developer on the same day. 10 days later, on Sunday, ThemeGrill released a new version that fixes the bug.
At the moment of writing, the download count for the patched plugin is around 23,000, indicating that a large number of sites with ThemeGrill Demo Importer may still be at risk.
In mid-January, two bugs that achieved the same results when exploited were reported for WordPress Database Reset, a plugin specifically designed to offer admins an easy way to reset databases to default.
One of them, CVE-2020-7048, allowed unauthenticated users to reset tables from any database, while the other, tracked as CVE-2020-7047, gave admin privileges to accounts with minimal permissions.
SweynTooth Bug Collection Affects Hundreds of Bluetooth Products
16.2.2020 Bleepingcomputer Vulnerebility
Security researchers have disclosed a dozen flaws in the implementation of the Bluetooth Low Energy technology on multiple system-on-a-chip (SoC) circuits that power at least 480 products from various vendors.
Collectively named SweynTooth, the vulnerabilities allow an attacker in Bluetooth range to crash affected devices, force a reboot by sending them into a deadlock state, or bypass the secure BLE pairing mode and access functions reserved for authorized users.
Devices running on SoCs from Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics, and Telink Semiconductor are impacted by SweynTooth. However, SoCs from other vendors may contain SweynTooth flaws.
A group of three researchers (Matheus E. Garbelini, Sudipta Chattopadhyay, and Chundong Wang) from the Singapore University of Technology and Design found the vulnerabilities in 15 SoCs from the aforementioned vendors, six of them being unpatched at the moment of the disclosure.
SoC Vendor            SoC Model       Vendor Patches
Cypress (PSoC 6)      CYBLE-416045    BLE_PDL 2.2
Cypress (PSoC 4)      CYBL11573       BLE Component 3.63
NXP                   KW41Z           2.2.1 (2019-11-28)
Texas Instruments     CC2640R2        v3.40.00.10
Texas Instruments     CC2540          v1.5.1
Telink                TLSR8258        v3.4.0 (SMP fix)
Telink                TLSR8232        v1.3.0 (SMP fix)
Telink                TLSR826x        v3.3 (SMP fix)
Dialog                DA1469X         10.0.8.105
Dialog                DA14585/6       Unpatched (End March 2020)
Dialog                DA14680         Unpatched (End February 2020)
Dialog                DA14580         Unpatched (End March 2020)
Microchip             ATSAMB11        Unpatched
STMicroelectronics    WB55            Unpatched
STMicroelectronics    BlueNRG-2       Unpatched
The trio verified their findings on multiple electronic products powered by the vulnerable SoCs. Among them are Fitbit Inspire smartwatch, products from smart home vendor Eve Systems, (Light Switch, Eve Motion MKII, Eve Aqua, Eve Thermo MKII, Eve Room, Eve Lock, Eve Energy), August Smart Lock, CubiTag tracker for lost items, and eGee Touch smart lock.
A cursory search for other products running on one of the vulnerable circuits returned 480 results. Most of them (307) have the CC2540 SoC from Texas Instruments, for which a patch has been implemented.
However, the list includes products used in the healthcare industry, where a denial-of-service scenario could prove critical to a patient's life.
Some examples are the Azure XT DR MRI from Medtronic, the Syqe Inhaler from Syqe Medical, and the Blood Glucose Meter from VivaCheck Laboratories, all three powered by the still unpatched DA14580 SoC. Other products from these companies are in the same state.
The SweynTooth vulnerabilities
The three researchers discovered the security flaws in 2019 and disclosed them responsibly to the affected vendors. They published technical details on a dedicated website after more than 90 days since informing the manufacturers.
The severity of each flaw in the SweynTooth depends on the type of product affected. A crash on a wearable or tracking device does not have the same impact as on a medical device.
Another important factor is that a threat actor needs to be in proximity to the device to send a payload that triggers the bug.
Zero LTK Installation (CVE-2019-19194):
affects all products that use the Telink SMP implementation with support for secure connection enabled
sending an out of order encryption request that completes with a zero-size LTK (long term key), which is used to derive the session key (SK); the attacker can therefore get the SK to send back a correct encryption response
it can be used to completely bypass security on BLE devices that rely on secure connection
Link Layer Length Overflow (CVE-2019-16336, CVE-2019-17519):
identified in Cypress PSoC4/6 BLE Component 3.41/2.60 (CVE-2019-16336) and NXP KW41Z 3.40 SDK (CVE-2019-17519)
attacker can send a packet that manipulates the LL Length Field to cause a denial-of-service condition on the device
Link Layer LLID deadlock (CVE-2019-17061, CVE-2019-17060):
affects Cypress (CVE-2019-17061) and NXP devices (CVE-2019-17060)
attacker can send a packet with the LLID field cleared to trigger a deadlock state: the BLE stack can no longer process new requests and the user needs to restart the device to restore communication over BLE
Truncated L2CAP (CVE-2019-17517):
found in Dialog DA14580 devices running SDK 5.0.4 or earlier.
attacker can overflow the buffer of the logical link control and adaptation protocol (L2CAP) by sending a malformed packet and cause a denial-of-service state
with a careful sequence of packets, an attacker might achieve remote code execution
Silent Length Overflow (CVE-2019-17518):
discovered in Dialog DA14680
an attacker could send a Layer Length packet that is larger than expected to crash the device
Invalid Connection Request (CVE-2019-19193):
identified in Texas Instruments CC2640R2 BLE-STACK SDK (v3.30.00.20 and prior) and CC2540 SDK (v1.5.0 and prior)
threat actors can exploit it to cause a DoS condition or a deadlock state
Unexpected Public Key Crash (CVE-2019-17520):
found in Texas Instruments CC2640R2 BLE-STACK-SDK (v3.30.00.20 and lower)
can be exploited with a legacy pairing process, which is handled by the Secure Manager Protocol (SMP) to cause a DoS or deadlock state
it occurs when an SMP public key packet is sent before the SMP pairing process begins
Sequential ATT Deadlock (CVE-2019-19192):
found in STMicroelectronics WB55 SDK V1.3.0 and earlier
sending just two consecutive ATT request packets in each connection event places the vulnerable device in a deadlock state
Invalid L2CAP fragment (CVE-2019-19195):
discovered in Microchip ATMSAMB11 BluSDK Smart v6.2 and earlier
can be exploited to crash the device by sending it a L2CAP PDU of length one
Key Size Overflow (CVE-2019-19196):
found in all BLE SDKs from Telink Semiconductor
pairing procedure is rejected when receiving a pairing request with a maximum encryption key higher than the standard 7-16 bytes; the bug is then triggered because the LL Encryption process occurs without pairing having taken place
exploiting the bug triggers a crash but an attacker might be able to write memory contents next to the key buffer to bypass encryption and leak user info
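The receiver-side checks that the flaws listed above come down to, as an added example (not code from the SweynTooth researchers or from any vendor named here): it rejects a cleared LLID, an LL Length that exceeds the negotiated receive size or the bytes actually received, an L2CAP start fragment too short to hold its own header, a pairing request whose key size is outside 7..16, and an encryption request that arrives before pairing has produced a usable LTK. Field layouts follow the Bluetooth Core specification; the max_rx_octets and reassembly_capacity parameters, the LinkState class and the sample frames are assumptions constructed for the example.

```python
"""Sanity checks a BLE stack should apply before acting on received fields.

Added example, not any vendor's SDK code. Field layouts follow the
Bluetooth Core specification; the parameters, LinkState and sample
frames are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

LLID_RESERVED, LLID_CONTINUATION, LLID_START, LLID_CONTROL = 0b00, 0b01, 0b10, 0b11
L2CAP_BASIC_HEADER_LEN = 4            # 2-byte length + 2-byte channel ID
SMP_PAIRING_REQUEST_CODE = 0x01
SMP_PAIRING_REQUEST_LEN = 7           # code, IO cap, OOB, AuthReq, key size, 2 key-dist bytes
SMP_MIN_KEY_SIZE, SMP_MAX_KEY_SIZE = 7, 16
LTK_LEN = 16


class PduError(ValueError):
    """Raised for any PDU the stack must drop instead of processing."""


@dataclass
class DataPdu:
    llid: int
    length: int
    payload: bytes


def parse_data_pdu(frame: bytes, max_rx_octets: int = 27) -> DataPdu:
    """Validate the 2-byte LL data header before the payload is copied anywhere.

    The LL Length byte is bounded by the negotiated receive size and must
    match the bytes actually received; a reserved (cleared) LLID is dropped.
    """
    if len(frame) < 2:
        raise PduError("frame shorter than the 2-byte LL header")
    llid = frame[0] & 0x03
    length = frame[1]
    if llid == LLID_RESERVED:
        raise PduError("reserved LLID 0b00")
    if length > max_rx_octets:
        raise PduError(f"LL Length {length} exceeds max_rx_octets {max_rx_octets}")
    payload = frame[2:]
    if len(payload) != length:
        raise PduError("LL Length does not match received payload size")
    return DataPdu(llid, length, payload)


def parse_l2cap_start(pdu: DataPdu, reassembly_capacity: int = 65) -> Tuple[int, int]:
    """Return (l2cap_length, channel_id) of a start fragment, or reject it.

    A start fragment of length 1 cannot hold the 4-byte basic header, so the
    header is never read from it. The declared SDU length is also capped by
    the reassembly buffer (reassembly_capacity is an assumed value).
    """
    if pdu.llid != LLID_START:
        raise PduError("not an L2CAP start fragment")
    if pdu.length < L2CAP_BASIC_HEADER_LEN:
        raise PduError("L2CAP start fragment shorter than its basic header")
    l2cap_len = int.from_bytes(pdu.payload[0:2], "little")
    cid = int.from_bytes(pdu.payload[2:4], "little")
    if l2cap_len > reassembly_capacity:
        raise PduError(f"L2CAP length {l2cap_len} exceeds reassembly capacity")
    return l2cap_len, cid


def parse_pairing_request(smp: bytes) -> int:
    """Return the peer's maximum encryption key size, enforcing the 7..16 range."""
    if len(smp) != SMP_PAIRING_REQUEST_LEN or smp[0] != SMP_PAIRING_REQUEST_CODE:
        raise PduError("malformed SMP Pairing Request")
    key_size = smp[4]
    if not SMP_MIN_KEY_SIZE <= key_size <= SMP_MAX_KEY_SIZE:
        raise PduError(f"encryption key size {key_size} outside 7..16")
    return key_size


@dataclass
class LinkState:
    """Minimal per-connection security state (constructed for the example)."""
    pairing_complete: bool = False
    ltk: Optional[bytes] = None


def accept_encryption_request(state: LinkState) -> bool:
    """Start LL encryption only once pairing has produced a usable LTK.

    An encryption request arriving before pairing, or with an absent, short
    or all-zero LTK, is refused so the session key is never derived from a
    zero key.
    """
    if not state.pairing_complete or state.ltk is None:
        return False
    return len(state.ltk) == LTK_LEN and any(state.ltk)


def is_rejected(fn, *args) -> bool:
    """True if the check raises PduError for the given input."""
    try:
        fn(*args)
    except PduError:
        return True
    return False


if __name__ == "__main__":
    # Constructed frames: a valid start fragment (L2CAP length 3, CID 4)
    # and a start fragment with LL Length 1, which cannot hold the L2CAP header.
    good = bytes([0x02, 0x07]) + (3).to_bytes(2, "little") + (4).to_bytes(2, "little") + b"\x0a\x00\x00"
    print(parse_l2cap_start(parse_data_pdu(good)))
    print(is_rejected(parse_l2cap_start, parse_data_pdu(bytes([0x02, 0x01, 0x00]))))
```

Each function returns or raises before any payload is indexed, which is the property a fuzz harness for a real stack would assert on: no frame in the categories above should reach the copy or the key-derivation step.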
The researchers demonstrated their findings in two videos. The one below shows them crashing a Fitbit Inspire and sending a CubiTag tracker into a deadlock state:
In the second video the researchers show how they crashed an Eve Energy smart plug and an August Smart Lock:
While these vulnerabilities do not have a critical or high severity impact for most of the vulnerable devices, they are still meaningful in the overall context of Bluetooth communication and of compliance with the implementation standards of this technology.
The SweynTooth bug collection exposes attack vectors against BLE stacks that have passed multiple verifications and are believed to be safe from such flaws. However, the researchers found a possible explanation as to why this was possible:
"We believe this is due to the imposed isolation between the link layer and other Bluetooth protocols, via the Host Controller Interface (HCI) protocol. While such a strategy is reasonable for hardware compatibility, this adds complexity to the implementation. Moreover, it overly complicates the strategies to systematically and comprehensively test Bluetooth protocols. Specifically, during testing, it is complex to send arbitrary Link Layer messages during other protocol message exchanges. Such added complexity is likely the reason for inadequate security testing of BLE stack implementation."
Adobe Releases the February 2020 Security Updates
16.2.2020 Bleepingcomputer Vulnerebility
Adobe has released its monthly security updates that fix vulnerabilities in numerous Adobe products. As many of these vulnerabilities are classified as Critical, all users are advised to install the applicable updates as soon as possible.
This round of updates fixes 42 different security vulnerabilities in Adobe Framemaker, Adobe Flash Player, Adobe Reader and Acrobat, Adobe Digital Editions, and Adobe Experience Manager.
Below are the Adobe February 2020 security updates:
APSB20-04 Security Updates Available for Adobe Framemaker
This update fixes twenty-one vulnerabilities in Adobe Framemaker.
All 21 vulnerabilities fixed by this update are classified as 'Critical' because they allow arbitrary code execution.
Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers
Buffer Error | Arbitrary code execution | Critical | CVE-2020-3734
Heap Overflow | Arbitrary code execution | Critical | CVE-2020-3731, CVE-2020-3735
Memory Corruption | Arbitrary code execution | Critical | CVE-2020-3739, CVE-2020-3740
Out-of-Bounds Write | Arbitrary code execution | Critical | CVE-2020-3720, CVE-2020-3721, CVE-2020-3722, CVE-2020-3723, CVE-2020-3724, CVE-2020-3725, CVE-2020-3726, CVE-2020-3727, CVE-2020-3728, CVE-2020-3729, CVE-2020-3730, CVE-2020-3732, CVE-2020-3733, CVE-2020-3736, CVE-2020-3737, CVE-2020-3738
Users should download the latest version of Adobe Framemaker 2019.0.5 to resolve these vulnerabilities.
APSB20-05 Security update available for Adobe Acrobat and Reader
This update resolves seventeen vulnerabilities in Adobe Acrobat and Reader.
Of these 17 vulnerabilities, 2 are Moderate, 3 are Important, and the rest are Critical as they resolve arbitrary code execution flaws.
Vulnerability Category | Vulnerability Impact | Severity | CVE Number
Out-of-Bounds Read | Information Disclosure | Important | CVE-2020-3744, CVE-2020-3747, CVE-2020-3755
Heap Overflow | Arbitrary Code Execution | Critical | CVE-2020-3742
Buffer Error | Arbitrary Code Execution | Critical | CVE-2020-3752, CVE-2020-3754
Use After Free | Arbitrary Code Execution | Critical | CVE-2020-3743, CVE-2020-3745, CVE-2020-3746, CVE-2020-3748, CVE-2020-3749, CVE-2020-3750, CVE-2020-3751
Stack exhaustion | Memory Leak | Moderate | CVE-2020-3753, CVE-2020-3756
Privilege Escalation | Arbitrary file system write | Critical | CVE-2020-3762, CVE-2020-3763
Users should upgrade to the latest version of Adobe Acrobat and Reader.
APSB20-06 Security updates available for Adobe Flash Player
A new update for Adobe Flash Player is available that fixes a Critical arbitrary code execution vulnerability.
Vulnerability Category | Vulnerability Impact | Severity | CVE Number
Type Confusion | Arbitrary Code Execution | Critical | CVE-2020-3757
Users should upgrade to Adobe Flash Player 32.0.0.330 to resolve this vulnerability.
APSB20-07 Security update available for Adobe Digital Editions
Two vulnerabilities in Adobe Digital Editions have been fixed that could lead to information disclosure and arbitrary code execution.
Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers
Buffer Errors | Information Disclosure | Important | CVE-2020-3759
Command Injection | Arbitrary Code Execution | Critical | CVE-2020-3760
Users should upgrade to Adobe Digital Editions 4.5.11 to fix these vulnerabilities.
APSB20-08 Security update available for Adobe Experience Manager
Adobe fixed a denial of service vulnerability in Adobe Experience Manager.
Vulnerability Category | Vulnerability Impact | Severity | CVE Number | Affected Versions
Uncontrolled Resource Consumption | Denial-of-service | Important | CVE-2020-3741 | AEM 6.4, AEM 6.5
Users should upgrade to the latest version of Adobe Experience Manager to resolve this vulnerability.
Firefox 73 Released With Security Fixes, New DoH Provider, More
15.2.2020 Bleepingcomputer Vulnerebility
Mozilla has released Firefox 73 today, February 11th, 2020, to the Stable desktop channel for Windows, macOS, and Linux with bug fixes, new features, and security fixes.
Included with this release are new features such as a default zoom setting, high contrast theme improvements, and NextDNS as a new DoH provider.
Windows, Mac, and Linux desktop users can upgrade to Firefox 73.0 by going to Options -> Help -> About Firefox and the browser will automatically check for the new update and install it when available.
With the release of Firefox 73, the other development branches of Firefox have also moved up a version. This brings Firefox Beta to version 74 and the Nightly builds to version 76.
You can download Firefox 73 from the following links:
Firefox 73 for Windows 64-bit
Firefox 73 for Windows 32-bit
Firefox 73 for macOS
Firefox 73 for Linux 64-bit
Firefox 73 for Linux 32-bit
If the above links have not been updated for Firefox 73 as of yet, you can download it from their FTP release directory.
Below are the major changes in Firefox 73, but for those who wish to read the full changelog, you can do so here.
NextDNS as a DNS over HTTPS provider
With the release of Firefox 73, Mozilla has added NextDNS as an additional provider that can be used with their DNS over HTTPS (DoH) feature.
When using DoH, all DNS requests will be encrypted so that they cannot be monitored and tracked by governments and Internet providers.
When first released, Mozilla only supported Cloudflare's DoH servers by default and people were concerned that this put too much control over Firefox user's data with one company.
To enable DNS over HTTPS and configure it to use NextDNS, go to Options -> General -> Network Settings. Then scroll down, put a checkmark in 'Enable DNS over HTTPS' and select NextDNS as the provider.
NextDNS as a new DoH Provider
Global default zoom setting
In previous versions of Firefox, when you changed the zoom level on a site it was configured just for that site and would reset back to the default 100% when visiting other sites.
With Firefox 73, Mozilla has introduced a default zoom level that will be used for all sites that you visit.
The 'Default zoom' setting can be accessed under 'Language and appearance' in the General section of the Firefox options.
Default Zoom Setting
When configuring the default zoom level, you can configure it to 30% through 300%. You can also specify that it should only zoom the text and images and other elements will not be zoomed.
High Contrast theme improvements
When Firefox detects that the operating system is using a high contrast theme, it will automatically switch to this theme for the browser. This includes the Firefox interface itself (all menus, windows, and dialog boxes) and the content of the web sites that you visit.
In previous versions of Firefox, when high contrast mode was enabled, Firefox would not display a background image of a web page.
With Firefox 73, background images are now displayed but the text will be backplated with the theme's background color to make it easier to read the text.
"Many users with low vision rely on Windows' High Contrast Mode to make websites more readable. Traditionally, to increase the readability of text, Firefox has disabled background images when High Contrast Mode is enabled. With today’s release of Firefox 73, we introduce a “readability backplate” solution which places a block of background color between the text and background image. Now, websites in High Contrast Mode are more readable without disabling background images," Mozilla states in their Firefox 73 release notes.
With this release, Firefox also added a High Contrast Mode for GTK.
Other bug fixes and developer changes
In addition to new features, Firefox 73 also adds a variety of improvements and bug fixes, which are listed below:
The tab overflow menu, which used to appear only when you had more tabs than fit in the tab strip, can now be made permanent with the about:config flag browser.tabs.tabmanager.enabled. In this configuration, it's called the Tab Manager.
In Dev Tools, the "Omniscient Browser Toolbox" has been enabled by default. This should allow you to inspect and debug any resource of Firefox, no matter in which thread or process this resource is.
Several Accounts Menu items have been renamed to increase clarity.
about:crashes now has a "submit all crashes" button.
Media control key event on OSX has been enabled on Nightly.
The Contextual Identity indicator has been moved up the tab so it's still visible with the address bar's new expanded area.
Find no longer fails when you enter text with diacritics or accented characters.
Gecko now has support for CSS3 text module text-underline-position.
Firefox no longer sets the User-Agent header for DoH requests.
The OS compositor has been enabled by default on Windows.
Picture-in-Picture window will now resize when the video changes dimensions.
Picture-in-Picture now has an audio toggle.
WebExtension install/uninstall has been implemented for GeckoView.
Improved audio quality when playing back audio at a faster or slower speed.
Firefox will now only prompt you to save logins if a field in a login form was modified.
WAMP-formatted WebSocket messages (JSON, MsgPack and CBOR) are now nicely decoded for inspection in the Network panel.
Improved auto-detection of legacy text encodings on old web pages that don’t explicitly declare the text encoding.
Security vulnerabilities fixed
With the release of Firefox 73, Mozilla has also fixed numerous security vulnerabilities in the browser.
These vulnerabilities will be outlined on Mozilla's Security Advisories for Firefox page when they are available.
Mozilla notes that users of the 0patch security software may receive crashes in Firefox 73 and that firefox.exe should be excluded in the 0patch software.
"Users with 0patch security software may encounter crashes at startup after updating to Firefox 73. This will be fixed in a future Firefox release. As a workaround, an exclusion for firefox.exe can be added within the 0patch settings."
SoundCloud Fixed API Flaws That Could Lead to Account Takeover
15.2.2020 Bleepingcomputer Vulnerebility
Social audio platform SoundCloud fixed multiple security vulnerabilities affecting its application programming interface (API) that could allow potential attackers to take over accounts, launch denial of service attacks, and exploit the service according to the Checkmarx Security Research team.
SoundCloud is an open audio platform founded in 2007 that provides access to more than "200 million tracks from 25 million creators heard in 190 countries."
It is also "the world’s largest open audio platform, powered by a connected community of creators, listeners, and curators on the pulse of what's new, now and next in culture," according to SoundCloud.
Taking over SoundCloud accounts
According to a report shared with BleepingComputer, while investigating the online music platform for API security flaws, the Checkmarx researchers found several vulnerabilities in SoundCloud's API endpoints that attackers could exploit to launch attacks directed at the platform and its users.
Among these API bugs, the researchers discovered:
• Broken authentication & user enumeration opening the door for account takeovers
• Lack of resource request limiting & rate limiting that could be abused for site denial of service attacks
• Security misconfiguration & improper input validation leading to service exploitation attempts
A Broken Authentication issue affecting the /sign-in/password endpoint of api-v2.soundcloud.com could have allowed attackers to launch automated credential stuffing attacks that would help them harvest valid access tokens.
In combination with a user enumeration bug in the /sign-in/identifier and /users/password_reset endpoints, which could be used to obtain valid user account identifiers, it would have allowed threat actors to completely take over SoundCloud user accounts.
"We have no hint of attackers exploiting these vulnerabilities directly. Nevertheless, we found evidence of past incidents that could have been caused by a Broken Authentication issue exploitation," Checkmarx security researcher Paulo Silva told BleepingComputer.
"You can read the user complaint regarding 'Leak of User Data' and SoundCloud's blog post 'Help Us, Help You Keep Your SoundCloud Account Safe.'"
Denial of service attacks
Two other bugs in the /tracks and /me/play-history/tracks endpoints of api-v2.soundcloud.com could have allowed for DoS and DDoS attacks because of a lack of proper rate and resource limiting.
The first buggy API endpoint could "be used to perpetrate a Distributed Denial of Service (DDoS) attack: using a specially crafted list of track IDs to maximize the response size, and if requests from several sources are made at the same time to deplete resources in the application layer will make the target’s system services unavailable."
In the case of the second one, "the lack of rate limiting may compromise the system availability, making it vulnerable to DoS attacks" prior to patching.
"From a business perspective, not limiting the amount of requests to this endpoint may compromise the data integrity, since it may create biased tracks-statistics."
Software Used | Version | Latest Version
Phusion Passenger | 6.0.4 | 6.0.4
Nginx | 1.17.3 | 1.17.5
The Checkmarx Security Research team also found a security misconfiguration in the /users/{user_id} endpoint that would give attackers access to info needed to launch attacks by targeting vulnerabilities in unpatched software used by SoundCloud's platform.
"Having SoundCloud users as a target, Broken Authentication and User Enumeration could have been used together to take control of user accounts," Silva added.
"Unfortunately, industry-wide incidents that expose user data, such as usernames and passwords, are quite common, making leaked data generally available.
"Being a fact that users tend to reuse passwords across multiple sites, along with other bad practices (e.g. guessable passwords), attackers could have exploited:
• the User Enumeration weakness to check whether a leaked username also exists on SoundCloud
• the Broken Authentication weakness to test the associated leaked password, as well as a bunch of other leaked and/or known common passwords, until they achieved a successful sign-in."
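What the two fixes look like on the server side, as an added example (not SoundCloud's or Checkmarx's code): a sign-in service that charges a sliding-window limiter per client address and per target account before any credential check, so a credential-stuffing loop is capped from both ends, and identifier-check and password-reset endpoints that return the same body whether or not the account exists, so they cannot be used for enumeration. The in-memory user store, the limits, the endpoint names and the client addresses are assumptions constructed for the example.

```python
"""Rate-limited, enumeration-safe sign-in endpoints (added example, not SoundCloud's code).

The user store, limits and names below are constructed for the example.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

PBKDF2_ROUNDS = 50_000  # kept low so the example runs quickly; use more in production


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed user store: identifier -> (salt, hash). Not real accounts.
_SALT = b"example-salt-do-not-reuse"
USERS = {"alice@example.com": (_SALT, hash_password("correct horse battery", _SALT))}
# Used when the identifier is unknown, so the comparison costs the same time either way.
_DUMMY = (_SALT, hash_password(secrets.token_hex(8), _SALT))


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self._events = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and q[0] <= now - self.window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class AuthService:
    RATE_LIMITED = {"status": 429, "error": "too many requests"}
    BAD_CREDENTIALS = {"status": 401, "error": "invalid identifier or password"}
    # One body for known and unknown identifiers: the reply must not reveal existence.
    NEUTRAL = {"status": 200, "message": "If this account exists, instructions were sent."}

    def __init__(self, per_client: int = 10, per_account: int = 5, window: float = 60.0) -> None:
        self.by_client = SlidingWindowLimiter(per_client, window)
        self.by_account = SlidingWindowLimiter(per_account, window)

    def _throttled(self, client_ip: str, identifier: str, now: float) -> bool:
        # Both limiters are charged on every attempt, before any lookup, so a loop
        # spread across many accounts or many source addresses is still capped.
        client_ok = self.by_client.allow(client_ip, now)
        account_ok = self.by_account.allow(identifier.lower(), now)
        return not (client_ok and account_ok)

    def sign_in(self, client_ip: str, identifier: str, password: str, now=None) -> dict:
        now = time.time() if now is None else now
        if self._throttled(client_ip, identifier, now):
            return self.RATE_LIMITED
        salt, stored = USERS.get(identifier, _DUMMY)
        match = hmac.compare_digest(hash_password(password, salt), stored)
        if identifier not in USERS or not match:
            return self.BAD_CREDENTIALS          # same error for unknown user and wrong password
        return {"status": 200, "token": secrets.token_urlsafe(32)}

    def check_identifier(self, client_ip: str, identifier: str, now=None) -> dict:
        now = time.time() if now is None else now
        if self._throttled(client_ip, identifier, now):
            return self.RATE_LIMITED
        USERS.get(identifier)  # internal lookup; its result deliberately never reaches the reply
        return self.NEUTRAL

    password_reset = check_identifier  # reset requests follow the same neutral contract


if __name__ == "__main__":
    svc = AuthService()
    print(svc.sign_in("198.51.100.1", "alice@example.com", "correct horse battery")["status"])
    print(svc.check_identifier("198.51.100.1", "nobody@example.com"))
```

Per-account throttling is what stops a distributed stuffing run that rotates source addresses; per-client throttling is what stops one source from spraying many accounts. A lockout counter keyed on the account alone would let an attacker lock out legitimate users, which is why the example throttles rather than locks and keeps the window short.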
SoundCloud runs a Responsible Disclosure program through the Bugcrowd crowdsourced security platform since April 2019, and it just announced that it increased rewards on January 29, with researchers that report critical vulnerabilities being eligible for rewards of up to $4,500.
"At SoundCloud, the security of our users’ accounts is extremely important to us," the company said in a statement.
"We are always looking for ways to enhance the security of our platform for our users. We appreciate Checkmarx reaching out to discuss their findings."
Update February 11, 16:16 EST: Added more information provided by Checkmarx security researcher Paulo Silva.
Dell SupportAssist Bug Exposes Business, Home PCs to Attacks
15.2.2020 Bleepingcomputer Vulnerebility
Dell published a security update to patch a SupportAssist Client software flaw which enables potential local attackers to execute arbitrary code with Administrator privileges on vulnerable computers.
According to Dell's website, the SupportAssist software is "preinstalled on most of all new Dell devices running Windows operating system."
SupportAssist also "proactively checks the health of your system’s hardware and software. When an issue is detected, the necessary system state information is sent to Dell for troubleshooting to begin."
Could be used in binary planting attacks
As explained by Dell in its advisory, "A locally authenticated low privileged user could exploit this vulnerability to cause the loading of arbitrary DLLs by the SupportAssist binaries, resulting in the privileged execution of arbitrary code."
This uncontrolled search path vulnerability reported by Cyberark's Eran Shimony is tracked as CVE-2020-5316, comes with a high severity CVSSv3 base score of 7.8, and it affects the following Dell SupportAssist versions:
• Dell SupportAssist for business PCs version 2.1.3 or earlier
• Dell SupportAssist for home PCs version 3.4 or earlier.
The company released Dell SupportAssist version 2.1.4 for business PCs and Dell SupportAssist version 3.4.1 for home PCs with fixes for the vulnerability.
Dell advises all customers to update the Dell SupportAssist software on their computers 'at the earliest opportunity,' seeing that all unpatched versions are vulnerable to attacks. If exploited, this vulnerability allows attackers to load and execute malicious payloads within the context of SupportAssist's binaries on unpatched machines.
While this flaw's threat level is not immediately obvious given that it requires local access and a low privileged user on the system to be abused, such security issues — some also requiring Admin privileges — are regularly rated with high severity CVSS 3.x base scores (1, 2).
Attackers abuse DLL search-order hijacking bugs like this one in binary planting attacks that allow for further compromise of the device and help them gain persistence in later stages of attacks.
Update to fix the bug
Dell says that all versions of SupportAssist will automatically install the latest released versions if automatic upgrades are enabled.
If auto-update is not toggled on, home customers can manually check for updates by opening the SupportAssist software and clicking ‘About SupportAssist’ in the Settings window to check for newer versions, and then hitting the 'Update Now' link displayed.
For business customers, the process is a bit more convoluted and Dell recommends following the Dell SupportAssist for business PCs deployment guide for deployment instructions.
Dell previously patched a remote code execution vulnerability in the SupportAssist Client software in May 2019 which allowed unauthenticated attackers on the same Network Access layer with the targeted system to remotely execute arbitrary executables on vulnerable devices.
A similar RCE flaw was found by security researcher Tom Forbes in the Dell System Detect software in 2015. Forbes said at the time that the flaw "allowed an attacker to trigger the program to download and execute an arbitrary file without any user interaction."
Bug in Philips Smart Light Allows Hopping to Devices on the Network
9.2.2020 Bleepingcomputer Vulnerebility
Security researchers taking a closer look at the Philips Hue smart bulbs and the bridge device that connects them discovered a vulnerability that helped them compromise more meaningful systems on the local network.
The security flaw discovered is in the ZigBee wireless communication protocol that is used by a wide range of smart home devices.
From bulb to bridge to network
Tracked as CVE-2020-6007, the bug has a severity score of 7.9 out of 10. It is a heap buffer overflow that can be exploited remotely in Philips Hue Bridge model 2.x to execute arbitrary code. Affected firmware versions are up to 1935144020, released on January 13.
Security researchers at Check Point discovered the issue and developed an attack that allowed them to hack into other devices on the same network as the vulnerable Philips Hue bulb.
They started by fitting the smart light with malicious firmware. Then they moved to take control of the bulb's control bridge by triggering a heap buffer overflow in it. For this to happen, they needed to bombard it with large amounts of data.
"This data also enables the hacker to install malware on the [control] bridge – which is in turn connected to the target business or home network," the researchers explain in a summary of their discovery.
According to the researchers, an attacker can jump to other systems on the network using known exploits, such as the infamous EternalBlue. At this point, the threat actor can deploy whatever type of malware they want on the network (backdoor, spyware, info-stealer, cryptocurrency miner, ransomware).
A video published today demonstrates a risk scenario for devices connected to a compromised control hub:
Check Point reported their finding to Signify, the Philips Hue parent company, who acknowledged the vulnerability and fixed it in firmware version 1935144040, the researchers say.
If automatic updates are enabled, users don't have to lift a finger to get the latest software. Otherwise, they can check if a new firmware release is available from the Settings menu of the Hue app.
Full technical details for this attack will emerge in the near future, to give enough time for a significant number of Philips Hue customers to install the latest firmware.
Cisco Patches Critical CDP Flaws Affecting Millions of Devices
9.2.2020 Bleepingcomputer Vulnerebility
Five critical vulnerabilities found in various implementations of the Cisco Discovery Protocol (CDP) could allow attackers on the local network to take over tens of millions of enterprise devices as discovered by IoT security company Armis.
CDP is a proprietary Layer 2 (Data Link Layer) network protocol used by Cisco devices for discovering info on other Cisco equipment on the local network, with the end goal of mapping Cisco products within the network.
This protocol is enabled by default in practically all Cisco products including routers, switches, and IP phones and cameras, with a vast majority of them not being able to work properly without using CDP. Many of these vulnerable devices also do not provide users with the ability to turn CDP off as a workaround.
To underline the seriousness of this discovery, more than 95% of all Fortune 500 companies and over 200,000 customers use Cisco Collaboration solutions according to Cisco's stats.
Armis also provides a video explanation of how threat actors could use CDPwn vulnerabilities during their attacks.
Remote code execution and denial of service
The five vulnerabilities — four critical remote code execution (RCE) and a denial of service (DoS) — dubbed CDPwn reside in how CDP (Cisco Discovery Protocol) packets are processed.
Cisco firmware versions released over the past 10 years are impacted by these flaws, which could enable local attackers that have infiltrated an enterprise network to execute man-in-the-middle attacks, spy on voice or video calls, collect and exfiltrate data, and disrupt network segmentation, according to Armis' researchers.
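The parsing discipline that the CDP packet-processing flaws above are about, as an added example (not Cisco's or Armis' code): a bounds-checked parser for the CDP payload that follows the SNAP header (version, TTL, checksum, then type/length/value records whose length field includes the 4-byte TLV header), written the way a network sensor or a receiving stack should do it, so that a TLV whose declared length is shorter than its header or runs past the packet is rejected before its value is ever copied. It also flags string TLVs that carry '%' or non-printable bytes as findings worth logging; which field the IOS XR format-string advisory concerns is not stated here, so that heuristic is an assumption, as are the sample packets. The CDP checksum is not verified.

```python
"""Bounds-checked CDP TLV parser for a network sensor (added example, not Cisco's or Armis' code).

Sample packets and the '%' heuristic are constructed assumptions; the checksum is not verified.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

CDP_TLV_TYPES = {
    0x0001: "Device ID", 0x0002: "Addresses", 0x0003: "Port ID",
    0x0004: "Capabilities", 0x0005: "Software Version", 0x0006: "Platform",
}
STRING_TLVS = {0x0001, 0x0003, 0x0005, 0x0006}
CDP_HEADER_LEN = 4   # version (1), TTL (1), checksum (2)
TLV_HEADER_LEN = 4   # type (2), length (2); length counts the header itself


class CdpParseError(ValueError):
    """Raised for any packet that must be dropped rather than processed."""


@dataclass
class CdpPacket:
    version: int
    ttl: int
    tlvs: List[Tuple[int, bytes]]
    findings: List[str] = field(default_factory=list)


def parse_cdp(payload: bytes) -> CdpPacket:
    """Parse the CDP payload that follows the SNAP header, never trusting a length."""
    if len(payload) < CDP_HEADER_LEN:
        raise CdpParseError("truncated CDP header")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:CDP_HEADER_LEN])
    if version not in (1, 2):
        raise CdpParseError(f"unknown CDP version {version}")
    pkt = CdpPacket(version, ttl, [])
    offset = CDP_HEADER_LEN
    while offset < len(payload):
        remaining = len(payload) - offset
        if remaining < TLV_HEADER_LEN:
            raise CdpParseError(f"trailing {remaining} byte(s) cannot hold a TLV header")
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + TLV_HEADER_LEN])
        if tlv_len < TLV_HEADER_LEN:
            raise CdpParseError(f"TLV 0x{tlv_type:04x} length {tlv_len} shorter than its header")
        end = offset + tlv_len
        if end > len(payload):
            raise CdpParseError(f"TLV 0x{tlv_type:04x} length {tlv_len} runs past packet end")
        value = payload[offset + TLV_HEADER_LEN:end]   # only sliced once both bounds hold
        if tlv_type in STRING_TLVS:
            name = CDP_TLV_TYPES[tlv_type]
            if b"%" in value:
                pkt.findings.append(f"{name} contains '%' (possible format directive)")
            if not value.isascii() or not value.decode("ascii").isprintable():
                pkt.findings.append(f"{name} contains non-printable bytes")
        pkt.tlvs.append((tlv_type, value))
        offset = end
    return pkt


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV; used here only to construct sample packets."""
    return struct.pack("!HH", tlv_type, TLV_HEADER_LEN + len(value)) + value


def sample_packet() -> bytes:
    """A constructed, well-formed CDPv2 announcement (TTL 180 s)."""
    return (struct.pack("!BBH", 2, 180, 0)
            + build_tlv(0x0001, b"switch01")
            + build_tlv(0x0003, b"GigabitEthernet0/1")
            + build_tlv(0x0006, b"cisco WS-C2960"))


def is_rejected(payload: bytes) -> bool:
    """True if parse_cdp refuses the payload."""
    try:
        parse_cdp(payload)
    except CdpParseError:
        return True
    return False


if __name__ == "__main__":
    pkt = parse_cdp(sample_packet())
    for tlv_type, value in pkt.tlvs:
        print(CDP_TLV_TYPES.get(tlv_type, hex(tlv_type)), value)
    print("findings:", pkt.findings)
```

Because CDP is multicast at Layer 2 and enabled by default, a sensor on a span port sees every announcement; the findings list is the hook where a detection rule would emit an alert, while the parse errors are the cases a receiver must treat as malformed rather than as data to copy.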
As Armis explains, after successfully exploiting one of the five RCE or DoS vulnerabilities, attackers will be able to:
• Eavesdrop on voice and video data/calls and video feeds from IP phones and cameras, capturing sensitive conversations or images.
• Steal sensitive corporate data flowing through the corporate network's switches and routers.
• Break network segmentation, allowing attackers to move laterally across the corporate networks to other sensitive systems and data.
• Compromise device communications by leveraging man-in-the-middle attacks to intercept and alter traffic on the corporate switch.
More exactly, attackers could get a foothold within a corporate network and take over the rest of it by first exploiting unmanaged and IoT devices like security cameras and smart TVs usually placed on a separate network.
Unpatched Cisco switches would then be taken over by exploiting one of the CDPwn vulnerabilities, allowing the attackers to compromise other parts of the network via man-in-the-middle attacks or network-wide broadcast packets that can take over all Cisco devices in one go.
The CDPwn vulnerabilities impact a wide range of Cisco devices including Cisco IOS XR routers, Cisco NX-OS switches, Cisco NCS systems, Cisco FirePower firewalls, Cisco 8000 IP Camera series, and Cisco IP Phone 7800 and 8800 series, among many others.
A full list of all Cisco devices affected by the CDPwn vulnerabilities can be found on this dedicated page.
Below you can find a video demo of how CDPwn flaws can be used to take over Cisco IP Phones Series 7841 and 8851 to record phone calls, download calls from the phones, and even play games on the IP phones' screens.
Armis also demoed a Cisco Nexus Switch 3048 takeover attack here.
Security fixes available
Cisco has provided updates, additional info, and mitigation details for the CDPwn vulnerabilities on its Security Advisory page on February 5, after closely working with Armis' researchers through the responsible disclosure process since the initial disclosure from August 29, 2019.
Direct links to the Cisco security advisories for each of the flaws are available below:
• Cisco FXOS, IOS XR and NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability — CVE-2020-3120
• Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability — CVE-2020-3119
• Cisco IOS XR Software Cisco Discovery Protocol Format String Vulnerability — CVE-2020-3118
• Cisco IP Phone Remote Code Execution and Denial of Service Vulnerability — CVE-2020-3111
• Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service Vulnerability — CVE-2020-3110
"The findings of this research are significant as Layer 2 protocols are the underpinning for all networks, and as an attack surface are an under-researched area and yet are the foundation for the practice of network segmentation," VP of Research at Armis Ben Seri said.
"Network segmentation is often utilized as a means to provide security. Unfortunately, as this research highlights, the network infrastructure itself is at risk and exploitable by an attacker, so network segmentation is no longer a guaranteed security strategy."
More information on the CDPwn vulnerabilities can be found in the Armis Disclosure Report, the Armis Technical White Paper, and within the CERT/CC advisory.
Google Bug Sent Private Google Photos Videos to Other Users
9.2.2020 Bleepingcomputer Vulnerebility
In a serious privacy lapse, Google is notifying users that videos stored in their Google Photos account were mistakenly shared with other unrelated users.
Yesterday, Google began sending email notifications to users explaining that a bug caused their videos to be included in other users' data when it was downloaded via the Google Takeout service.
This notification tells affected users that between November 21st, 2019, and November 25th, 2019, "some videos in Google Photos were incorrectly exported to unrelated user's archives. One or more videos in your Google Photos account was affected by this issue."
Google Takeout Notification
Source: Jon Oberheide
The Google Takeout service allows users to download content that has been uploaded to various services operated by Google.
This includes the content and data that has been uploaded to Google Photos, YouTube, Chrome, and many other services.
When users downloaded their data using Google Takeout, this bug would have caused other people's videos to also be included in their Google Photos data archive.
For those who received another user's private video, Google recommends that you just delete it.
"The underlying issue has been identified and resolved. We recommend you perform another export of your content and delete your prior export at this time," the Google notification stated.
As you can imagine, for those who are affected, this is a serious privacy lapse as users expect their photos and videos to remain private and not be shared with any others.
This bug also illustrates the inherent risks of storing your data in the cloud.
Unless you can encrypt your cloud data using a passphrase you supply and that only you know, bugs like this or inappropriate access by cloud storage employees could lead to your private information, photos, and videos being exposed.
New Intel Microcodes for Windows 10 Released to Fix CPU Bugs
2.2.2020 Bleepingcomputer Vulnerebility
Microsoft has released a new Intel Microcode update for Windows 10 1909, 1903, and older versions that contains software fixes for hardware bugs in Intel CPUs.
Intel Microcode updates are optional updates that mitigate hardware-based security vulnerabilities and bugs through a software patch.
This allows Intel to fix, or at least mitigate, security flaws such as speculative execution vulnerabilities or bugs that are discovered after a CPU has been manufactured.
With yesterday's release, the following additional CPUs now receive mitigations for various security vulnerabilities and bugs:
Denverton
Sandy Bridge
Sandy Bridge E, EP
Valley View
Whiskey Lake U
Intel Microcode updates are not installed via Windows Update and must be installed manually. Links to the Intel Microcode update for the supported versions of Windows can be found below:
KB4497165: Intel microcode updates for Windows 10 1909 and 1903
KB4494174: Intel microcode updates for Windows 10 1809
KB4494451: Intel microcode updates for Windows 10 1803
KB4494452: Intel microcode updates for Windows 10 1709
KB4494453: Intel microcode updates for Windows 10 1703
KB4494175: Intel microcode updates for Windows 10 1607
KB4494454: Intel microcode updates for Windows 10
While we highly recommend that users install new Microcode updates, it should be noted that previous updates have caused performance issues on older CPUs or system hangs in the past due to how they mitigated vulnerabilities.
If you wish to install the update, you should check the above bulletins to confirm that your processor is supported.
If you are unsure what CPU your computer is using, you can look in Device Manager or download CPU-Z to view your processor's Family and Model numbers.
For example, my processor is an Intel i7-8700k Coffee Lake processor, which the support bulletin states is supported by the latest update.
When installing the update, Microsoft will require you to restart your computer, so be sure to save any open documents before starting the update procedure.