Microsoft warns of vulnerabilities in dozens of IoT operating systems
Microsoft researchers have discovered multiple memory allocation and remote code execution vulnerabilities in the operating systems for a wide range of commercial, medical and operational technology Internet of Things devices. The reported flaws affect at least 25 different products made by more than a dozen organisations, including Amazon, ARM, Google Cloud, Samsung, RedHat, Apache and others. As of now, exploits leveraging the vulnerabilities haven’t been spotted in the wild, but they offer potential attackers a broad surface area to do damage.
“Given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent a significant potential risk for organisations of all kinds,” Microsoft wrote.
Operational technology devices, hardware and machinery that connect to the internet and support medical facilities, enterprise businesses or critical infrastructure, differ substantially in their challenges from their commercial brethren. There are often technical obstacles to patching or updating, and any downtime has the potential to carry more direct or serious consequences for the delivery of medical care, power, water and other essential services. Meanwhile, the US National Security Agency (NSA) also released a cybersecurity advisory focusing on the security of operational technology (OT) systems, particularly in terms of connectivity to IT systems. The advisory shares recommendations for evaluating risks and improving the securing of connections between IT systems – which can often serve as an entry point into industrial networks – and OT systems.
“Each IT-OT connection increases the potential attack surface,” the NSA said. “To prevent dangerous results from OT exploitation, OT operators and IT system administrators should ensure only the most imperative IT-OT connections are allowed, and that these are hardened to the greatest extent possible.”
For maximum cyber safety, ideally there should be no connections between enterprise networks and OT networks, but the agency admits that in some cases such connections are necessary. Organisations should review these connections and remove ones that are not truly required, and ensure that the remaining connections are secure, to prevent them from being abused in malicious attacks.
Spectre side-channel attack concern returns
All defences against Spectre side-channel attacks can now be considered broken, leaving billions of computers and other devices just as vulnerable today as they were when the hardware flaw was first announced three years ago. A paper published on Friday by a team of computer scientists from the University of Virginia and the University of California, San Diego, describes how all modern AMD and Intel chips with micro-op caches are vulnerable to this new line of attack, given that it breaks all defences. That includes all Intel chips that have been manufactured since 2011, which all contain micro-op caches.
The vulnerability in question is called Spectre because it’s built into modern processors that perform branch prediction. It’s a technique that makes modern chips as speedy as they are by performing what’s called “speculative execution”, where the processor predicts instructions it might end up executing and prepares by following the predicted path to pull the instructions out of memory.
The new line of attacks exploits the micro-op cache: an on-chip structure that speeds up computing by storing simple commands and allowing the processor to fetch them quickly and early in the speculative execution process, as the team explains in a write-up from the University of Virginia. The new lines of attack demolish current defences because they only protect the processor in a later stage of speculative execution. The team was led by UVA Engineering Assistant Professor of Computer Science Ashish Venkat, who picked apart Intel’s suggested defence against Spectre, which is called LFENCE. That defence tucks sensitive code into a waiting area until the security checks are executed, and only then is the sensitive code allowed to execute, he explained.
“But it turns out the walls of this waiting area have ears, which our attack exploits. We show how an attacker can smuggle secrets through the micro-op cache by using it as a covert channel. It would be very difficult to create a focused attack looking for specific information,” he said. “Instead, attacks are expected to take the form of passive surveillance, collecting random information. That information is collected from deep inside the processor, though, and could contain anything processed by the computer.”
The research team reported their findings to international chip makers in April and plan to present at the International Symposium on Computer Architecture, ISCA, which will be held virtually in June.
Leaking hardcoded private Amazon Web Services (AWS) keys
Most mobile app users tend to blindly trust that the apps they download from app stores are safe and secure. But that isn't always the case. The CloudSEK BeVigil search engine has identified over 40 apps – with more than a cumulative 100 million downloads – that had hardcoded private Amazon Web Services (AWS) keys embedded within them, putting their internal networks and their users' data at risk of cyberattacks. The AWS key leakage was spotted in some of the major apps such as Adobe Photoshop Fix, Adobe Comp, Hootsuite, IBM's Weather Channel, and online shopping services.
"AWS keys hardcoded in a mobile app source code can be a huge problem, especially if its Identity and Access Management role has wide scope and permissions," CloudSEK researchers said. "The possibilities for misuse are endless here, since the attacks can be chained and the attacker can gain further access to the whole infrastructure, even the code base and configurations."
CloudSEK said it responsibly disclosed these security concerns to AWS and the affected companies independently. In an app analysed by the cybersecurity firm, the exposed AWS key had access to multiple AWS services, including credentials for the S3 storage service, which in turn opened up access to 88 buckets containing 10,073,444 files and data amounting to 5.5 terabytes. Also included in the buckets were source code, application backups, user reports, test artefacts, configuration and credential files which could be used to gain deeper access to the app's infrastructure, including user databases.
"Hardcoded API keys are like locking your house but leaving the key in an envelope labelled 'Do not open,'" said Shahrukh Ahmad, CTO BeVigil. "These keys could easily be discovered by malicious hackers or competitors who could use them to compromise their data and networks."
XSS vulnerability patched in open source firewall pfSense
These bugs are used to manipulate browser sessions, circumvent same-origin policies, and can be exploited by attackers in a variety of scenarios including impersonating users, phishing, malicious payloads deployment, the theft of credentials and user data, and potentially the full hijack of a vulnerable application when a victim has high levels of privilege. The XSS flaw was acknowledged in release notes for pfSense 2.5.1 and pfSense Plus 21.02.2, which both contain a patch for the bug.
Apple reports 2 iOS zero-days that let hackers compromise fully patched devices
A week after Apple issued its biggest iOS and iPadOS update since last September’s release of version 14.0, the company has released a new update to patch two zero-days that allowed attackers to execute malicious code on fully up-to-date devices. Monday’s release of version 14.5.1 also fixes problems with a bug in the newly released App Tracking Transparency feature rolled out in the previous version. Both vulnerabilities reside in Webkit, a browser engine that renders Web content in Safari, Mail, App Store, and other select apps running on iOS, macOS, and Linux. CVE-2021-30663 and CVE-2021-30665, as the zero-days are tracked, have now been patched. Last week, Apple fixed CVE-2021-30661, another code-execution flaw in iOS Webkit, that also might have been actively exploited.
“Processing maliciously crafted web content may lead to arbitrary code execution,” Apple said in its security notes, referring to the flaws. “Apple is aware of a report that this issue may have been actively exploited.” MacOS 11.3.1, which Apple also released on Monday, also fixed CVE-2021-30663 and CVE-2021-30665.
CVE-2021-30665 was discovered by researchers from China-based security firm Qihoo 360. The other vulnerability was discovered by an anonymous source. Apple provided no details about who is using the exploits or who is being targeted by them. Apple rolled out App Tracking Transparency in last week’s release of iOS 14.5. The addition has roiled Facebook because it prevents the company’s app from tracking user activity across other apps users have installed without explicit permission.
Stay in the know
Subscribe to our monthly Learning Matters newsletter and stay up to date with QA's latest news, views, offers, must-go-to events and more.
And if you want to keep up with the latest cyber news, why not subscribe to our weekly Cyber Pulse newsletter.
Richard Beck is Director of Cyber at QA. He works with customers to build effective and successful learning solutions tailored for business needs, helping to solve business problems. Richard has designed and architected numerous enterprise and nationwide cyber programmes for QA customers. Responsible for the QA cyber portfolio, products, proposition and cyber partner community. He has over 15 years' experience in senior Information Security roles.
Prior to QA, Richard was Head of Information Security for an organisation who underpin 20% of the UK's Critical National Infrastructure. Richard also held Security and Technical Management posts in Defence, Financial Services and HMG. He holds a number of leading cyber professional certifications, including CISSP, CISM, CISA.
Richard sits on a number of industry boards and security advisory panels, and previously chaired the Communication Industry Personnel Security Information Exchange (CPNI). He is the work stream lead for Cyber Skills & Diversity on the techUK Cyber Management Committee, in addition Richard is also supporting a work stream for the UK Cyber Security Council Formation project. Richard is a regular contributor for cyber insights and industry collaboration including speaker engagements.
He is also a STEM Ambassador working to engage and enthuse young people in the area of cyber security. Providing a unique perspective on the world of cyber security to teachers and encourage young people to consider a career in cyber security.
More articles by Richard
Cyber Pulse: Edition 154 | 14 June
Cyber Pulse: Edition 153 | 4 June
Cyber Pulse: Edition 152 | 21 May
Cyber Pulse: Edition 150 | 23 April
Cyber Pulse: Edition 149 | 9 April
Stop your search for cyber security talent
Cyber Pulse: Edition 148 | 1 April
Cyber Pulse: Edition 147 | 16 March
Cyber Pulse: Edition 146 | 4 March 2021
Cyber Pulse: Edition 145 | 19 February 2021