Tag Archive for: Bug

This Week In Security: Not A Vulnerability, BGP Bug Propagation, And Press Enter To Hack


Curl was recently notified of a CVE, CVE-2020-19909, rated at a hair-raising 9.8 on the CVSS scale. And PostgreSQL has CVE-2020-21469, clocking in with a 7.5 severity. You may notice something odd about those two vulnerabilities, but I promise the 2020 date is only the tip of the iceberg here.

Let’s start with PostgreSQL. That vulnerability was only present in version 12.2, which released in February of 2020, and was fixed with the 12.3 release in May of that same year. The problem is a stack buffer overflow, which doesn’t seem to enable code execution, but does cause a denial of service situation. To trigger the bug? Repeatedly send the PostgreSQL daemon the SIGHUP signal.

If you’re familiar with Linux signals, that might sound odd. See, the SIGHUP signal technically indicates the end of a user session, but most daemons use it to indicate a restart or reload request. And to send this signal, a user has to have elevated privileges — elevated enough to simply stop the daemon altogether. Put simply, it’s not a security vulnerability, just a minor bug.

And now on to curl — this one is just bizarre. The issue is an integer overflow in the --retry-delay argument, which specifies in seconds how often curl should retry a failing download. The value is multiplied by 1000 to convert to milliseconds, resulting in an overflow for very large values. The result of that overflow? A smaller value for the retry delay.

[Daniel Stenberg] makes the point that this tale is a wonderful demonstration of the brokenness of the CVE system and NVD’s handling of it. And in this case, it’s hard not to see this as negligence. We have to work really hard to construct a theoretical scenario where this bug could actually be exploited. The best I’ve been able to come up with is an online download tool, where the user can specify part of the target name and a timeout. If that tool had a check to ensure that the timeout was large enough to avoid excess traffic, this bug could bypass that check. Should we be assigning CVEs for that sort of convoluted, theoretical attack?

But here’s the thing, that attack scenario should rate something like a CVSS of 4.8 at absolute worst. NVD assigned…

Source…

WinRAR patches zero-day bug that targeted stock and crypto traders


The developers behind file compression software WinRAR have patched a zero-day vulnerability that allowed hackers to install malware onto unsuspecting victims’ computers, enabling them to hack into their crypto and stock trading accounts.

On Aug. 23, Singapore-based cybersecurity firm Group-IB reported a zero-day vulnerability in the processing of the ZIP file format by WinRAR.

The zero-day vulnerability tracked as CVE-2023-38831 was exploited for approximately four months, allowing hackers to install malware when a victim clicked on files in an archive. The malware would then allow hackers to breach online crypto and stock trading accounts, according to the report.

Using the exploit, the threat actors were able to create malicious RAR and ZIP archives that displayed seemingly innocent files such as JPG images or PDF text documents. These weaponized ZIP archives were then distributed on trading forums targeting crypto traders, offering strategies such as “best Personal Strategy to trade with Bitcoin.”

“Once extracted and executed, the malware allows threat actors to withdraw money from broker accounts. This vulnerability has been exploited since April 2023.”

The report confirmed that the malicious archives found their way onto at least eight public trading forums, infecting at least 130 devices; however, the victims’ financial losses were unknown.

WinRar exploit infection chain. Source: Group-IB

On execution, the script launches a self-extracting (SFX) archive that infects the target computer with various malware strains, such as DarkMe, GuLoader and Remcos RAT.

These provide the attacker with remote access privileges on the infected computer. DarkMe malware has previously been used in crypto and financially motivated attacks.

The researchers notified RARLABS which patched the zero-day vulnerability in WinRAR version 6.23, released on Aug. 2.

Related: Crypto investors under attack by new malware, reveals Cisco Talos

In August, smartphone giant BlackBerry identified several malware families that actively aimed to hijack computers to mine or steal cryptocurrencies.

The same month also revealed a newly discovered remote access tool called HVNC (Hidden Virtual Network Computer) that…

Source…

Apple patches zero-day bug used in cyberattacks — update your iPhone, iPad and Mac now


Apple has released a fix for a recently discovered zero-day bug in its latest round of Rapid Security Response (RSR) updates.

As reported by BleepingComputer, this new zero-day affects all iPhones, iPads and Macs including those that are fully up to date.

Source…

Microsoft Teams bug allows hackers to sidestep security, plant malware


A Microsoft Teams vulnerability allows adversaries to sidestep security controls to plant malware on targeted systems. The Teams attack vector was found by researchers who warn that, as traditional routes of infection such as inboxes and websites come under heavier scrutiny, communications platforms such as Teams, Slack and Zoom are becoming a more attractive target.

In a research note posted last week, Jumpsec researchers said the issue impacts organizations that use Microsoft Teams in its default configuration. “This is done by bypassing client-side security controls which prevent external tenants from sending files (malware in this case) to staff in your organization,” wrote Max Corbridge, a researcher with Jumpsec’s Red Team research group.

IDOR Bug

The bug is based on the Teams feature that allows two businesses running the Teams platform to interact with one another. The collaboration feature does have security measures in place to prevent one business from sending the other a malicious file via Teams. However, Jumpsec found a way to bypass those protections and successfully plant a malicious file on the recipient’s system.

“Microsoft Teams allows any user with a Microsoft account to reach out to ‘external tenancies’… These organizations each have their own Microsoft tenancy, and users from one tenancy are able to send messages to users in another tenancy,” he wrote.

The loophole relies on a common hack called insecure direct object references (IDOR), where the file sender switches the internal and external recipient ID on a POST request, researchers said. A POST is used to send data to a server to create/update a resource.

When a file is hosted on a SharePoint domain, an adversary can simply craft a malicious URL and send it to a target via Teams to plant malware on the target’s computer. The “payload is delivered directly into the target’s inbox” as a file, not a link, researchers said.

The next step in the attack, researchers said, would be to use a social engineering tactic to con the recipient into clicking on the malicious payload.

“[This technique] avoids the now-rightfully-dangerous act of clicking on a link in an email, something that staff have been trained to…

Source…