VERT’s Cybersecurity News Roundup – Week of February 21, 2022
All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of February 21, 2022. I’ve also included some comments on these stories.
18 High-Severity Vulnerabilities Patched by Intel
According to SecurityWeek, Intel released 22 security advisories detailing 18 high-severity vulnerabilities. Malicious actors require local access to an affected device to exploit the flaws. At that point, they can use the vulnerabilities to escalate privileges, disclose information, or produce a denial-of-service (DoS) condition.
Dylan D’Silva | Security Researcher at Tripwire
Patching and vulnerability management should continue to be a top priority in the overall toolset of security and IT professionals who are tasked with the responsibility of maintaining systems and their respective security posture.
Last week, Intel disclosed 18 high-severity vulnerabilities, most of which are related to privilege escalation. A few other flaws discovered at that time can lead to information disclosure or a denial-of-service (DoS) condition.
There seems to be an interesting situation here. The author points out that while Intel software and firmware are widely deployed, the vulnerabilities identified could be useful to threat actors. In November 2021, CISA published a “Known Exploited Vulnerabilities Catalog” detailing 300+ vulnerabilities that attackers have exploited over the past 10 years. Of note, only one of those vulnerabilities traced back to Intel.
Last year alone, Intel patched 226 vulnerabilities in its products, and as with previous years, it paid out about $800K in total through its bug bounty program. Bug bounty programs help strengthen the wider security community as they help to promote responsible disclosure.
CISA Warns of Attacks Exploiting Zabbix Vulnerabilities
On February 23, SecurityWeek shared how the U.S. Cybersecurity & Infrastructure Security Agency (CISA) had warned of attackers exploiting vulnerabilities in the Zabbix monitoring tool. Malicious actors could use the two vulnerabilities, tracked as CVE-2022-23131 and CVE-2022-23134, to bypass authentication and gain administrative privileges. They could then execute arbitrary commands.
Dylan D’Silva | Security Researcher at Tripwire
Two flaws in Zabbix’s Enterprise Monitoring Solution allow attackers to bypass authentication and gain admin privileges, allowing them to achieve RCE.
What makes this interesting to me is that this is an open-source platform, making it an enticing resource to leverage as it is free to use with no restrictions for commercial or non-commercial use. There are no limitations on the number of monitored devices. Looking at the product further, they offer several versions including local, on-prem packages, cloud-based images, as well as container- and appliance-based solutions.
The two discovered vulnerabilities are related to how Zabbix stores session data on the client side, which could lead to a complete network compromise. Once authentication has been bypassed and privileges have been escalated to admin level, it could give an attacker the ability to execute commands on linked Zabbix Servers and Agents. Interestingly, these vulnerabilities only impact instances where SAML SSO Authentication has been enabled.
These vulnerabilities have been exploited in the wild. Not only that, but PoC exploits exist in the wild.
The affected product is Zabbix Web Front End, affecting all versions prior to 5.4.8, 5.0.18, and 4.0.36.
The good news is that these vulnerabilities were addressed in updated versions starting with 6.0.0beta, 5.4.9, 5.0.19, and 4.0.37.
Patches were also released in late December, with full technical details released last week: https://support.zabbix.com/browse/ZBX-20350.
Recommendation:
- Apply the security patch as recommended by the vendor as soon as possible. Also, note that there is a workaround of disabling SAML authentication, but doing that would be a less preferred method of resolution.
- Review CISA’s Known Exploited Vulnerabilities Catalog and compare it against your software catalog. Identify vulnerable software you have deployed and take the appropriate measures to patch and update as required.
- If you do not have a patching and vulnerability management program in place, consider implementing one to reduce your overall attack surface and attack vectors.
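As an added example (not code from the original post, from Zabbix or from CISA), the following Python cross-checks a software inventory against a feed in the shape of CISA’s KEV JSON catalog and the fixed Zabbix versions listed above, and records whether the SAML SSO precondition mentioned in the commentary applies. The KEV sample, the inventory layout, the hostnames and the `triage` helper are constructed assumptions.

```python
import json
import re

# Constructed sample shaped like CISA's KEV JSON feed (not the live catalog);
# the CVE IDs are the Zabbix entries discussed above.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-23131", "vendorProject": "Zabbix", "product": "Frontend"},
    {"cveID": "CVE-2022-23134", "vendorProject": "Zabbix", "product": "Frontend"},
]})

# First fixed release per Zabbix branch, as listed above (6.0.0beta counts as fixed).
ZABBIX_FIXED = {(4, 0): (4, 0, 37), (5, 0): (5, 0, 19), (5, 4): (5, 4, 9), (6, 0): (6, 0, 0)}

def parse_version(text: str) -> tuple[int, int, int]:
    """'5.4.8' or '6.0.0beta1' -> (major, minor, patch); pre-release suffixes are dropped."""
    nums = [int(re.match(r"\d*", p).group() or 0) for p in text.split(".")[:3]]
    nums += [0] * (3 - len(nums))
    return nums[0], nums[1], nums[2]

def zabbix_frontend_vulnerable(version: str) -> bool:
    """True when the frontend predates the first fixed release of its branch."""
    v = parse_version(version)
    fixed = ZABBIX_FIXED.get(v[:2])
    if fixed is None:          # branch not named in the advisory (e.g. 5.2):
        return v < (6, 0, 0)   # treat everything before the 6.0 line as affected
    return v < fixed

def kev_cves_for(kev_json: str, vendor: str, product: str) -> list[str]:
    """CVE IDs the catalog lists for one vendor/product pair (case-insensitive)."""
    return sorted(e["cveID"] for e in json.loads(kev_json)["vulnerabilities"]
                  if (e["vendorProject"].lower(), e["product"].lower()) == (vendor.lower(), product.lower()))

def triage(inventory: list[dict], kev_json: str) -> list[dict]:
    """Cross-check an inventory against the KEV feed and the fixed-version table."""
    cves = kev_cves_for(kev_json, "Zabbix", "Frontend")
    findings = []
    for host in inventory:
        if host["product"] != "zabbix-frontend" or not cves:
            continue
        if zabbix_frontend_vulnerable(host["version"]):
            # Exploitation needs SAML SSO enabled, but the patch is due either way.
            findings.append({"host": host["host"], "version": host["version"],
                             "cves": cves, "saml_exposed": host["saml_enabled"]})
    return findings

# Constructed inventory; hostnames are placeholders.
INVENTORY = [
    {"host": "mon-01.example.internal", "product": "zabbix-frontend", "version": "5.4.8", "saml_enabled": True},
    {"host": "mon-03.example.internal", "product": "zabbix-frontend", "version": "4.0.30", "saml_enabled": False},
    {"host": "mon-04.example.internal", "product": "zabbix-frontend", "version": "6.0.0beta1", "saml_enabled": True},
]
```

Hosts flagged with `saml_exposed` set to `False` are still below the fixed version and need the patch; the flag only separates hosts on which the bypass is reachable today from those where it is not.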
100M Samsung Phones Shipped with Flawed Encryption
Researchers at Tel Aviv University in Israel uncovered design flaws in five Samsung phone models that enabled malicious actors to extract cryptographic keys. They reverse engineered a trusted application called Keymaster TA and learned that they could perform an Initialization Vector (IV) reuse attack to obtain secret keys, reported The Register. In all, they determined 100 million Samsung phones to be vulnerable to the security issues.
Andrew Swoboda | Senior Security Researcher at Tripwire
Samsung Galaxy S8, S9, S10, S20, and S21 phones were shipped with an encryption issue. This issue allows attackers to extract cryptographic keys, and it exists in the Trusted Execution Environment that runs on its own operating system. The TrustZone Operating System requires vendors to implement cryptographic functions within it.
Samsung improperly implemented the Keymaster TA, allowing researchers to conduct an Initialization Vector reuse attack. The vulnerabilities that researchers found were CVE-2021-25444 and CVE-2021-25490. These vulnerabilities were fixed, and patches were released for vulnerable devices.
High-Severity Bug in UpdraftPlus Plugin Force Fixed by WordPress
WordPress force-updated UpdraftPlus, a plugin which assists WordPress site owners with their data backup strategies. The plugin contained a vulnerability that enabled a digital attacker to download site owners’ latest data backups, including credentials and personally identifiable information (PII), noted Bleeping Computer. Three million websites were running vulnerable versions of the plugin before WordPress forced its fix through.
Andrew Swoboda | Senior Security Researcher at Tripwire
Users that have the UpdraftPlus plugin for WordPress have been forced to update, as CVE-2022-0633 allows attackers to download database backups. These backups usually contain private identifiable information. It is estimated that around three million sites use this particular plugin. This vulnerability affects versions 1.16.7 to 1.22.2, and it is fixed in 1.22.3 or 2.22.3 (premium version).
Firepower Firewall Customers Given Four-Day Window to Update Kit
Cisco released a bulletin warning Firepower firewall customers that it will be replacing the SSL certificate authority (CA) used for signing Talos security intelligence updates. Once it brings on the new CA, Firepower customers might not be able to receive Talos updates. Cisco therefore urged customers to update their devices within a four-day window or risk not receiving updates in the future, explained The Register on February 23.
Tyler Reguly | Manager of Software Development at Tripwire
These are the types of notices that are often overlooked by busy teams. This creates an unexpected urgency that will require projects to be paused and schedules to be shifted. Organizations with change management windows or change review boards may struggle to meet this timeline, even if they are aware of the notice. For that reason, I think it is important to share this information to ensure that it is seen by as many people as possible.
“Remove Everything” Might Not Remove Everything, Warns Microsoft
Microsoft informed customers that Windows users might not remove all their data when they use the “Remove everything” option to reset their devices. If their Windows devices have folders with reparse data, users might find that the reset attempt will not remove files downloaded or synced locally from OneDrive. The tech giant said that it’s currently working on a fix, as Bleeping Computer noted on February 25.
Dylan D’Silva | Security Researcher at Tripwire
Here is a good reminder that if you want to ensure your data is fully and completely wiped, you should incorporate a multi-pronged approach. This can include using open-source tools such as DBAN for HDDs, not SSDs. (Note that DBAN is typically meant for personal use. Commercial and business-purpose tools are also widely available.)
For users and businesses that recycle, donate, or throw out their older/aging PC hardware, use the “Windows Reset” functionality, and leverage OneDrive for data backup, Microsoft has acknowledged a known issue. During the process of attempting to reset a Windows device that has folders and data synced locally, some of that data may not be deleted when selecting the “Remove everything” option. Both remote and local wipes appeared to leave user data readable in the “Windows.old” folder, as a result.
Of further interest, BitLocker-encrypted data will also be moved into a non-encrypted and readable form to the same “Windows.old” folder.
“Windows Reset” may be labelled slightly differently depending on the vendor. Keep an eye out for “Push Button Reset,” “PBR,” “Reset This PC,” “Reset PC,” or “Fresh Start.”
This bug affects all current Windows versions under support including Windows 11 21H2 as well as Windows 10 20H2 and up to 21H2.
While Microsoft is working on a fix that will address this issue in an upcoming Windows update, it has identified a workaround/mitigation to ensure that no user data is left behind when resetting your PC. This issue can be mitigated by signing out or unlinking your OneDrive before resetting. See Microsoft’s KB Article for specific instructions.
Additionally, Microsoft notes that customers could also remove any remaining files on devices that have been reset using the “Storage Sense” feature within Settings. See here.
Entropy Ransomware’s Code Traces Back to Dridex
For our final story this week, Bleeping Computer shared on February 23 that Entropy ransomware shares some code-level similarities with Dridex malware. Security researchers detected the similarity in Entropy’s first layer of unpacking. They went so far as to call it “very much like a Dridex v4 loader.”
Samantha Zeigler | Security Researcher at Tripwire
Ransomware is a continuing threat that will likely never fully go away. Entropy is shown to be similar to many existing ransomware families, and it is suggested that it may come from the same developers of some of those strains. Rebranding of ransomware has happened a number of times and will continue to occur as attackers try to avoid detection and sanctions. The best way to stay safe is to keep your systems up to date with the latest security patches available.
Keep in Touch with Tripwire VERT
Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Subscribe to our newsletter here.