Widely used VxWorks OS impacted by serious ‘URGENT11’ zero-day vulnerabilities

A team of security researchers at Armis has discovered a total of eleven zero-day vulnerabilities in the VxWorks operating system, which is used by over two billion IoT devices. These IoT devices are spread across different industrial, medical and enterprise environments. According to the researchers, the vulnerabilities are collectively dubbed ‘URGENT11’ and reside in IPnet, VxWorks’ TCP/IP stack.

The vulnerabilities range from memory corruption vulnerabilities to RCE flaws and have been assigned from CVE-2019-12255 to CVE-2019-12262. Six out of eleven flaws are critical and can enable an attacker to remotely execute malicious code on the systems. Five of these flaws can lead to a denial of service condition, information leaks or errors. While three of the eleven flaws already existed in the IPnet code, the rest of the vulnerabilities have been introduced more recently.

The vulnerabilities can be exploited by attackers to take control of a device situated either on the network perimeter or within it. It is important to note that in all scenarios, an attacker can gain complete control over the targeted device remotely with no user interaction required, and the difference is only in how the attacker reaches it.

Given the wide usage of VxWorks across industries, it is estimated that SCADA systems, elevators, industrial controllers, patient monitors, and MRI machines are impacted by the vulnerabilities. The ‘URGENT11’ vulnerabilities also affect firewalls, routers, satellite modems, VOIP phones, and printers.

Organizations and device manufacturers using VxWorks OS should patch impacted devices immediately. The patches were disseminated to manufacturers by Wind River in June. The company has provided a new version - VxWorks 7 SR0620 - to address the flaws. SonicWall and Xerox have already pushed out security updates for their firewalls and printers.

 

Attackers are deleting files on Iomega NAS devices and demanding ransom

Attackers are deleting files on publicly accessible Lenovo Iomega NAS devices and leaving ransom notes asking for a ransom payment in bitcoins. The bitcoin address associated with this ransom note has received a total of 9 payments since June 27, 2019.

BleepingComputer analyzed the attacks and determined that unsecured Iomega devices have publicly accessible front ends which allow anyone to remotely access the files. If not properly secured, this web interface could also allow a remote user to upload and delete files and folders on the NAS devices.

In conversations with victims, BleepingComputer learned that the files are being deleted rather than being encrypted and hidden somewhere on the drive. A few victims reported difficulty in recovering the deleted files as the NAS devices use ext2 filesystems. However, one victim noted that he used file recovery software and successfully recovered the deleted files by attaching the NAS device to his PC via a USB port.

 

Glasgow City Council inadvertently leaked details of children who applied for clothing grant

Low-income families who applied to Glasgow City Council for a school clothing grant for their children have had their full application details sent to people who were not intended to receive them. The leak came to light when a parent who applied for the clothing grant for her son received around 15 emails from the council containing the information of other families who had also applied. Following this, she contacted the council immediately and raised a complaint. The council replied thanking her for “bringing this matter to our attention” and said that they would carry out a thorough investigation of the matter.

The emails contained information about the children and their parents' personal details, which include:

Parents’ names, addresses, phone numbers, email addresses, national insurance numbers, and bank details;
Information regarding their children such as name, date of birth, and which school they attend.

Glasgow City Council said that the emails containing application details were accidentally sent to the wrong people due to a ‘procedural error’. “Unfortunately due to a procedural error, personal information was shared with third parties and we have apologised and informed everyone concerned,” a spokesperson for Glasgow City Council said, The Herald reported.

Upon learning of the incident, Glasgow City Council notified the Information Commissioner about the data leak. The council also implemented new security procedures in order to prevent such incidents from happening in the future. Meanwhile, the Information Commissioner is currently investigating the breach. “Organisations have a legal duty to ensure the security of any personal information they hold. We are aware of an incident concerning Glasgow City Council and will be assessing the information provided,” a spokesperson for the ICO said.

 

Vulnerabilities in Western Digital and SanDisk SSD Dashboard can put user data at risk

Two severe vulnerabilities in the Western Digital and SanDisk SSD Dashboard can allow threat actors to trick users into running arbitrary code on their computers.

Discovered by Trustwave researchers, one of the vulnerabilities is tracked as CVE-2019-13466. The flaw is related to the use of a hard-coded password for protecting the archived customer-generated system and diagnostic reports. Trustwave researchers found the bug after dumping strings from the main binary file, SanDiskSSDDashboard.exe. They found that one of the strings was a hard-coded password used for encrypting report information. The password is the same for every installation. By exploiting the vulnerability, an attacker who intercepts the report can read all the sensitive data included in the SSD Dashboard.

The second vulnerability - CVE-2019-13467 - is more severe. The flaw exists because the application uses HTTP instead of HTTPS for communication with the SanDisk site. This can allow an attacker to create a rogue hotspot and perform a man-in-the-middle attack. Through the MiTM attack, attackers can serve malicious content instead of the data requested by the app. “This makes it trivial to attack users running this application in untrusted environments (e.g. using public internet hotspot). Specifically, a malicious user can create a rogue hotspot that the computer will join or launch a man-in-the-middle attack and then serve malicious content instead of the data requested by the app,” said researchers.

The flaw affects Western Digital SanDisk SSD Dashboard applications prior to version 2.5.1.0. Western Digital has confirmed the issues and urged customers to install security updates to stay safe. The flaws have been addressed in the latest version 2.5.1.0.

 

Vulnerability in Apple iMessage Allows Attackers to Read User Data on iPhones

Apple’s instant messaging service iMessage contains a major security flaw in the application. The bug, which is an out-of-bounds issue, was actually fixed by Apple in iOS 12.4. However, security researcher Natalie Silvanovich of Google Project Zero came across this flaw in iMessage despite it being patched.

According to Silvanovich, the issue stems from a class called ‘_NSDataFileBackedFuture’ in the application, which could allow access to read files on the iPhone. In a bug report, Silvanovich describes the issue in detail. “The class _NSDataFileBackedFuture can be deserialized even if secure encoding is enabled. This class is a file-backed NSData object that loads a local file into memory when the [NSData bytes] selector is called,” she said.

Tracked as CVE-2019-8646, the flaw is an out-of-bounds read issue which is also said to lead to out-of-bounds write errors. It impacts all iPhones from iPhone 5s and later, as well as devices such as iPad Air and iPod touch 6th generation. The researcher also developed a proof-of-concept for the flaw that includes recreating the issue with files on the phone. However, Silvanovich mentions that it only works for iOS 12 or later.

Apart from CVE-2019-8646, Silvanovich also disclosed multiple bugs in the iMessage application. This includes a use-after-free issue (CVE-2019-8647), a memory corruption bug (CVE-2019-8660) and another out-of-bounds read (CVE-2019-8624). However, all of these are fixed by Apple in iOS 12.4. As of now, the resurfaced out-of-bounds issue is yet to be resolved by Apple.

 

Edited and compiled by cyber security specialist James Aguilan.