USN-5478-1: util-linux vulnerability

Read Time:14 Second

Christian Moch and Michael Gruhn discovered that the libblkid library
of util-linux did not properly manage memory under certain
circumstances. A local attacker could possibly use this issue
to cause denial of service by consuming all memory through
a specially crafted MSDOS partition table.

Read More

SEC Consult SA-20220614-0 :: Reflected Cross Site Scripting in SIEMENS-SINEMA Remote Connect

Read Time:18 Second

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Jun 14

SEC Consult Vulnerability Lab Security Advisory < 20220614-0 >
=======================================================================
title: Reflected Cross Site Scripting
product: SIEMENS-SINEMA Remote Connect
vulnerable version: <=V3.0.1.0-01.01.00.02
fixed version: V3.1.0
CVE number: CVE-2022-29034
impact: medium
homepage: https://siemens.com

Read More

Ransomware Group Debuts Searchable Victim Data

Read Time:2 Minute, 54 Second

Cybercrime groups that specialize in stealing corporate data and demanding a ransom not to publish it have tried countless approaches to shaming their victims into paying. The latest innovation in ratcheting up the heat comes from the ALPHV/BlackCat ransomware group, which has traditionally published any stolen victim data on the Dark Web. Today, however, the group began publishing individual victim websites on the public Internet, with the leaked data made available in an easily searchable form.

The ALPHV site claims to care about people’s privacy, but they let anyone view the sensitive stolen data.

ALPHV recently announced on its victim shaming and extortion website that it had hacked a luxury spa and resort in the western United States. Sometime in the last 24 hours, ALPHV published a website with the same victim’s name in the domain, and their logo on the homepage.

The website claims to list the personal information of 1,500 resort employees, and more than 2,500 residents at the facility. At the top of the page are two “Check Yourself” buttons, one for employees, and another for guests.

Brett Callow, a threat analyst with security firm Emsisoft, called the move by ALPHV “a cunning tactic” that will most certainly worry their other victims.

Callow said most of the victim shaming blogs maintained by the major ransomware and data ransom groups exist on obscure, slow-loading sites on the Darknet, reachable only through the use of third-party software like Tor. But the website erected by ALPHV as part of this new pressure tactic is available on the open Internet.

“Companies will likely be more concerned about the prospect of their data being shared in this way than of simply being posted to an obscure Tor site for which barely anyone knows the URL,” Callow said. “It’ll piss people off and make class actions more likely.”

It’s unclear if ALPHV plans to pursue this approach with every victim, but other recent victims of the crime group include a school district and a U.S. city. Most likely, this is a test run to see if it improves results.

“We are not going to stop, our leak distribution department will do their best to bury your business,” the victim website reads. “At this point, you still have a chance to keep your hotel’s security and reputation. We strongly advise you to be proactive in your negotiations; you do not have much time.”

Emerging in November 2021, ALPHV is perhaps most notable for its programming language (it is written in Rust). ALPHV has been actively recruiting operators from several ransomware organizations — including REvilBlackMatter and DarkSide — offering affiliates up to 90 percent of any ransom paid by a victim organization.

Many security experts believe ALPHV/BlackCat is simply a rebrand of another ransomware group — “Darkside” a.k.a. “BlackMatter,” the same gang responsible for the 2021 attack on Colonial Pipeline that caused fuel shortages and price spikes for several days last summer.

Callow said there may be an upside to this ALPHV innovation, noting that his wife recently heard directly from a different ransomware group — Cl0p.

“On a positive note, stunts like this mean people may actually find out that their PI has been compromised,” he said. “Cl0p emailed my wife last year. The company that lost her data still hasn’t made any public disclosure or notified the people who were impacted (at least, she hasn’t heard from the company.)”

Read More

Microsoft’s June 2022 Patch Tuesday Addresses 55 CVEs (CVE-2022-30190)

Read Time:6 Minute, 12 Second

Microsoft addresses 55 CVEs in its June 2022 Patch Tuesday release, including three critical flaws.

3Critical
52Important
0Moderate
0Low

Microsoft patched 55 CVEs in its June 2022 Patch Tuesday release, with three rated as critical, 52 rated as important.

This month’s update includes patches for:

.NET and Visual Studio
Azure OMI
Azure Real Time Operating System
Azure Service Fabric Container
Intel
Microsoft Edge (Chromium-based)
Microsoft Office
Microsoft Office Excel
Microsoft Office SharePoint
Microsoft Windows ALPC
Microsoft Windows Codecs Library
Remote Volume Shadow Copy Service (RVSS)
Role: Windows Hyper-V
SQL Server
Windows Ancillary Function Driver for WinSock
Windows App Store
Windows Autopilot
Windows Container Isolation FS Filter Driver
Windows Container Manager Service
Windows Defender
Windows Encrypting File System (EFS)
Windows File History Service
Windows Installer
Windows iSCSI
Windows Kerberos
Windows Kernel
Windows LDAP – Lightweight Directory Access Protocol
Windows Local Security Authority Subsystem Service
Windows Media
Windows Network Address Translation (NAT)
Windows Network File System
Windows PowerShell
Windows SMB

Remote code execution (RCE) vulnerabilities accounted for 49.1% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 21.8%.

Critical

CVE-2022-30136 | Windows Network File System Remote Code Execution Vulnerability

CVE-2022-30136 is a RCE vulnerability in the network file system (NFS) that can be exploited by an unauthenticated attacker using a specially crafted call to a NFS service. The vulnerability received a 9.8 CVSSv3 score and Microsoft rated this as “Exploitation More Likely” according to its Exploitability Index. The advisory notes that NFS versions 2.0 and 3.0 are not affected and administrators can disable NFS version 4.1 to mitigate this flaw. Disabling NFSv4.1 could have adverse impacts, so organizations should carefully consider this step before adopting it. Microsoft does note that this is only a temporary mitigation option, organizations should apply the patch as soon as possible. The advisory also provides a warning that you should not disable NFSv4.1 unless you have installed the May 2022 Windows security updates, specifically the updates addressing CVE-2022-26937.

Both CVE-2022-30136 and CVE-2022-26937 are credited to Yuki Chen, a prolific researcher with Cyber KunLun who has been credited with discovering nine vulnerabilities in Microsoft products in June 2022.

Important

CVE-2022-30160 | Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability

CVE-2022-30160 is an EoP vulnerability affecting the advanced local procedure call (ALPC), a message-passing mechanism for internal operating system communications. With a CVSSv3 score of 7.8, this vulnerability can be exploited by a local, authenticated attacker. Researcher Jarvis_1oop is credited with discovering this flaw, which was rated as“Exploitation More Likely.” patches are available for all supported Windows variants including Windows Server Core installations.

Important

CVE-2022-30147 | Windows Installer Elevation of Privilege Vulnerability

CVE-2022-30147 is an EoP vulnerability affecting the Windows Installer. The flaw received a 7.8 CVSSv3 score and can be exploited by a local, authenticated attacker. Microsoft’s exploitability assessment rates this vulnerability as “Exploitation More Likely” and patches are available for all supported Windows variants including Windows Server Core Installations. This vulnerability was an internal discovery at Microsoft credited to Levi Broderick with Microsoft and Andrew Ruddick.

Critical

Seven Remote Code Execution Vulnerabilities in Windows Lightweight Directory Access Protocol

This month Microsoft patched seven vulnerabilities in the Lightweight Directory Access Protocol (LDAP).

CVE-2022-30139
CVE-2022-30141
CVE-2022-30143
CVE-2022-30146
CVE-2022-30149
CVE-2022-30153
CVE-2022-30161

Two of the CVEs, CVE-2022-30153 and CVE-2022-30161 received CVSSv3 scores of 8.8, CVE-2022-30141 was scored at 8.1, and the remainder of the flaws each were scored at 7.5. Microsoft has rated all of these vulnerabilities as “Exploitation Less Likely.” The vulnerability descriptions for CVE-2022-30139, CVE-2022-30141 and CVE-2022-30143 provide the same caveat that the vulnerability only exists if the “MaxReceiveBuffer” LDAP policy is configured to a higher value than the default value (i.e. a higher maximum number of threads LDAP requests can contain per processor). A system with the default value for the policy would not be affected. In the case of both CVE-2022-30139 and CVE-2022-30141, no user interaction is required, however an attacker must “prepare the target environment to improve exploit reliability.” The remainder of the CVEs all require some form of user interaction in order to exploit the vulnerability.

Vulnerabilities not present in release notes

While no release notes or official documentation from Microsoft have been released, Tenable Research has responsibly disclosed two vulnerabilities to Microsoft. The vulnerabilities found in Microsoft’s Azure Synapse Analytics were found by Tenable Researcher Jimi Sebree. These flaws allow a user to escalate privileges to that of the root user within the underlying Apache Spark virtual machines, or to poison the hosts file of all nodes in an Apache Spark pool. The keys, secrets and services accessible via these vulnerabilities have traditionally allowed further lateral movement and compromise of Microsoft-owned infrastructure, which could potentially lead to a compromise of other customers’ data as we’ve seen in other research reports. The privilege escalation vulnerability has been patched and no action is required for Azure Synapse Analytics users. You can read more about these vulnerabilities in the Tenable Blog and a detailed write up can be found on our technical blog.

Important

CVE-2022-30190 | Microsoft Windows Support Diagnostic Tool Remote Code Execution Vulnerability

CVE-2022-30190, also known as “Follina” — the RCE vulnerability in the Microsoft Windows Support Diagnostic Tool that was disclosed in late May and exploited in the wild — has now received patches for affected Windows systems. While Microsoft had provided mitigation guidance in an advisory on May 30, patches were not released until June 14.

Internet Explorer 11 End Of Support

On Wednesday June 15, support for Internet Explorer (IE) 11 will end for certain versions of WIndows 10. Microsoft recommends switching to Microsoft Edge and notes that IE 11 is the last major version for Internet Explorer. Tenable customers can utilize Plugin ID 22024 – Microsoft Internet Explorer Unsupported Version Detection to identify systems that have an unsupported version of IE. An update to the plugin will be released on June 15 to account for these updates from Microsoft.

Tenable Solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name contains June 2022.

With that filter set, click the plugin families to the left and enable each plugin that appears on the right side. Note: If your families on the left say Enabled, then all the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from Tenable.io:

A list of all the plugins released for Tenable’s June 2022 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

Get more information

Microsoft’s June 2022 Security Updates
Tenable plugins for Microsoft June 2022 Patch Tuesday Security Updates

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Read More

End-of-Support Software Report List – May 2022

Read Time:18 Second

The importance of replacing software before its End-of-Support (EOS) is critical. EOS occurs when software updates, patches, and other forms of support are no longer offered, resulting in software becoming prone to future security vulnerabilities. Using unsupported software and firmware/hardware, puts organizations at risk in the following ways: Subsequent vulnerability disclosures place your organization at […]

Read More

Hacking Tesla’s Remote Key Cards

Read Time:51 Second

Interesting vulnerability in Tesla’s NFC key cards:

Martin Herfurt, a security researcher in Austria, quickly noticed something odd about the new feature: Not only did it allow the car to automatically start within 130 seconds of being unlocked with the NFC card, but it also put the car in a state to accept entirely new keys­with no authentication required and zero indication given by the in-car display.

“The authorization given in the 130-second interval is too general… [it’s] not only for drive,” Herfurt said in an online interview. “This timer has been introduced by Tesla… in order to make the use of the NFC card as a primary means of using the car more convenient. What should happen is that the car can be started and driven without the user having to use the key card a second time. The problem: within the 130-second period, not only the driving of the car is authorized, but also the [enrolling] of a new key.”

Read More