British giant Sky finally fixes broadband router bug • The Register


In brief Sky has fixed a flaw in six million of its home broadband routers, and it only took the UK telecoms giant a year to do so, infosec researchers said.

We’re told the vulnerability could be exploited by tricking a subscriber into visiting a malicious web page. If the attack succeeded, their router would fall under the attacker’s control, allowing the miscreant to open ports to reach other devices on the local network, change the local network’s default DNS settings to redirect browsers to malicious sites, reconfigure the gateway, and cause other general mischief and irritation.

Exploitation is not trivial. It involves luring a subscriber to a web page whose JavaScript makes the browser look up a subdomain via a DNS server the attacker controls. The first lookup returns the IP address of an outside server, and the page is fetched from there. The page then encourages the browser to reconnect; the subdomain is looked up again, and this time it resolves to the local IP address of the router rather than the outside server.

Now the browser talks to the router as if it were the remote server, and the JavaScript on the page can reach the router’s web-based control panel. Because the browser believes it is still talking to the same origin, the same-origin policy does not get in the way.

This works reliably if the subscriber has not changed the default admin username and password on their Sky router; if the credentials have been changed, they would have to be brute-forced. Not easy, then, but not impossible. Pen Test Partners (PTP), which said it found and disclosed this DNS rebinding vulnerability to Sky, made this video demonstrating the hole:

Youtube video
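To make the two-lookup trick and its standard countermeasures concrete, here is an added Python sketch. It is not PTP’s or Sky’s code and it is not a working attack against any real router: the attacker-controlled authority is just the minimal model of the flipping DNS answer described above, and the two defences are the ones a router vendor or resolver operator would actually deploy, namely refusing DNS answers that map a public name to a LAN address, and having the admin UI reject requests whose Host header is not one of its own. The hostnames and addresses (x.attacker.example, 203.0.113.10, 192.168.0.1, router.home, skyrouter.local) are constructed for the example.

```python
import ipaddress

# Constructed values, not from the article: the attacker's public host and
# address, the router's LAN address, and the names the router's admin UI
# should answer to. "router.home" and "skyrouter.local" are hypothetical.
ATTACKER_NAME = "x.attacker.example"
ATTACKER_IP = "203.0.113.10"
ROUTER_IP = "192.168.0.1"
ROUTER_HOSTNAMES = {"192.168.0.1", "router.home", "skyrouter.local"}

# Address ranges a name on the public internet has no business resolving to.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this" net
    "::1/128", "fc00::/7", "fe80::/10",                  # IPv6 loopback, ULA, link-local
)]


class RebindingAuthority:
    """The attacker's DNS server for one subdomain, as the article describes:
    the first lookup returns the attacker's public address so the page loads,
    every later lookup returns the router's LAN address. TTL is 0 so the
    browser's cache does not pin the first answer."""

    def __init__(self, name, public_ip, target_ip):
        self.name = name
        self.public_ip = public_ip
        self.target_ip = target_ip
        self.lookups = 0

    def answer(self, qname):
        if qname != self.name:
            return None
        self.lookups += 1
        ip = self.public_ip if self.lookups == 1 else self.target_ip
        return ip, 0  # (address, TTL in seconds)


def is_rebinding_answer(qname, ip, lan_suffixes=(".local", ".home", ".lan")):
    """Defence 1, at the resolver: drop answers that map a public name to a
    LAN, loopback or link-local address (what dnsmasq's stop-dns-rebind does).
    Names under a local suffix are expected to resolve privately and pass."""
    if qname.lower().endswith(lan_suffixes):
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)  # v4 addr never matches a v6 net


def router_accepts_request(host_header, allowed_hosts=ROUTER_HOSTNAMES):
    """Defence 2, at the router: after rebinding the browser still sends the
    attacker's hostname in the Host header, because from its point of view the
    origin never changed. The admin UI rejects any Host that is not one of
    its own names or addresses."""
    host = host_header.strip().lower()
    if host.startswith("["):             # bracketed IPv6 literal, e.g. [fe80::1]:80
        host = host[1:host.index("]")]
    else:
        host = host.split(":", 1)[0]     # strip any :port
    return host in allowed_hosts


def simulate(filter_at_resolver=False, check_host_at_router=False):
    """Run the two-lookup flow and report whether the page's JavaScript ends
    up with a usable connection to the router's admin UI."""
    authority = RebindingAuthority(ATTACKER_NAME, ATTACKER_IP, ROUTER_IP)
    reached_router = False
    for _ in range(2):  # first lookup loads the page, second is the rebind
        ip, _ttl = authority.answer(ATTACKER_NAME)
        if filter_at_resolver and is_rebinding_answer(ATTACKER_NAME, ip):
            continue  # resolver refuses to hand the LAN address to the browser
        if ip == ROUTER_IP:
            # The request hits the router carrying "Host: x.attacker.example".
            if check_host_at_router and not router_accepts_request(ATTACKER_NAME):
                continue
            reached_router = True
    return reached_router


if __name__ == "__main__":
    print("no defences       :", simulate())
    print("resolver filter   :", simulate(filter_at_resolver=True))
    print("router Host check :", simulate(check_host_at_router=True))
```

The Host check is the one the router vendor controls, and it works whether or not the subscriber ever changed the default credentials. The resolver filter only helps users whose upstream resolver (the ISP’s, or a local dnsmasq) applies it; the attacker’s own authoritative server obviously will not.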

The security company said last week that it informed Sky about the issue in May 2020 and developed a proof-of-concept exploit. Sky, according to PTP, said it would fix the issue in a November 2020 software update for its routers, but that was pushed back to December and then to “early 2021”. It wasn’t until the vulnerability researchers started talking to the press that Sky got a move on and released the patch, PTP said.

“Sky communications were particularly poor and had to be continued several times to get answers,” said Rafael Fini of PTP.

Police are investigating the ongoing IT outage, now approaching a month long, at Simplify, which operates Premier Property Lawyers and other brands.

It is understood that the UK conveyancing giant has been hit by some sort of potentially criminal cybersecurity drama, with the end result of the tech blackout being that home buyers and sellers were, or still are, unable to complete transactions and move.

In a note posted on its website on Monday this week, Premier Property Lawyers said: “We are delighted to report that by the end of today the majority of our conveyancing colleagues will be back up and running on the basic systems and will actively work on files.

“Our team, supported by external experts, have worked tirelessly over the past two weeks to safely get our systems back up and running and to ensure that we prioritise the most urgent cases, allowing clients to move.”

Microsoft fixes Azure privilege escalation bug

Microsoft fixed a flaw in Azure which, according to the infosec company which found and reported the problem privately, could be exploited by a malicious user inside an Azure Active Directory instance “to step into the role of contributor”.

“If access to the Azure Contributor role is granted, the user will be able to create, manage, and delete all types of resources in the affected Azure subscription,” NetSPI said of the vulnerability, tracked as CVE-2021-42306.

Essentially, an employee of a company using Azure Active Directory could end up exploiting this bug to ruin an IT department’s or a CISO’s month. Microsoft said last week that it had fixed the issue within Azure.

“The discovery of this vulnerability,” said Karl Fosaaen of NetSPI, who found the security hole, “highlights the importance of the shared responsibility model between cloud providers and customers. It is vital for the security community to put the world’s most important technologies to the test.”

Oh look, this is a new way to poison DNS caches in Linux

It seems boffins have found a way to bypass some defenses against DNS cache poisoning and, under the right circumstances, trick a DNS cache into accepting the wrong IP address as the answer to a domain-name lookup. Subsequent requests to the cache for that domain name from clients will then return the wrong IP address. This could be exploited to, for example, redirect internet users to malicious websites masquerading as legitimate sites in order to harvest login credentials.

It is said that 38 per cent of public-facing open resolvers are vulnerable to this latest attack. Whether or not a DNS cache is vulnerable depends on the version of the Linux kernel it is running on and the software involved, whether BIND, Unbound, or dnsmasq. See Table 1 in this academic paper [PDF] on the attack to determine whether your service is at risk of poisoning.

You can also use the ID CVE-2021-20322 to track kernel-level fixes that thwart the attack; here are the Debian and Red Hat pages for the vulnerability, for example.

The poisoning technique builds on last year’s SADDNS approach. First, understand that DNS cache poisoning, as the late Dan Kaminsky pointed out, was possible by waiting for a DNS cache to query another server for a domain-name lookup and answering that query from another machine before the legitimate server could. If you managed to guess, or brute-force, the correct transaction ID in the response in time, your response would be accepted by the resolver, allowing you to poison its cache with the wrong IP address.

To counter this, a random UDP source port is used for each request, meaning the attacker has to brute-force both the 16-bit transaction ID and the correct UDP port, making poisoning impractical. Last year, SADDNS showed it was possible to infer that UDP port, cutting the complexity of the attack and prompting various fixes.

The latest technique, devised by Keyu Man, Xin’an Zhou, and Zhiyun Qian at the University of California, Riverside, is a side-channel attack: it involves spraying the cache with ICMP errors to determine which UDP port to use. The trio wrote the aforementioned paper, which was presented at the ACM Conference on Computer and Communications Security this month.

“This paper introduces novel side channels in the ICMP error handling process, a previously overlooked attack surface,” they wrote.

“We find that the side channels can be leveraged to perform high-speed off-path UDP ephemeral port scans. By taking advantage of this, the attacker could effectively poison the cache of a DNS server within minutes. We show that the side channels affect many open resolvers and therefore have serious repercussions.”
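The progression described above, as an added Python model that is not the paper’s code and not any real resolver’s: a resolver that randomises only the transaction ID is poisoned by an off-path attacker who sprays one forged reply per possible TXID at the fixed port; randomising the source port pushes the search to roughly 32 bits and the same spray fails every time; and an attacker who can infer the port, which is what SADDNS and the ICMP side channel provide, is back to a 16-bit search. The port oracle here simply reads the port out of the resolver, standing in for the side channel; the addresses and the bank.example domain are constructed.

```python
import math
import random

UPSTREAM_IP = "198.51.100.53"   # authoritative server the cache asks (constructed)
ATTACKER_IP = "203.0.113.66"    # address the attacker wants cached (constructed)


class Resolver:
    """Minimal caching resolver with one outstanding query at a time."""

    def __init__(self, randomize_port, rng=None):
        self.randomize_port = randomize_port
        self.rng = rng or random.Random()
        self.cache = {}
        self.pending = None  # (qname, txid, src_port) while awaiting an answer

    def send_query(self, qname):
        txid = self.rng.randrange(1 << 16)  # 16-bit DNS transaction ID
        # Pre-2008 resolvers sent every query from one fixed socket; the
        # post-Kaminsky fix is a fresh ephemeral port per query.
        port = self.rng.randrange(1024, 1 << 16) if self.randomize_port else 53
        self.pending = (qname, txid, port)

    def receive(self, reply):
        """Accept a reply only if it matches the pending query. A spoofed
        source IP costs an off-path attacker nothing, so the TXID and the
        destination port are the only fields that carry entropy."""
        if self.pending is None:
            return False
        qname, txid, port = self.pending
        expected = (UPSTREAM_IP, port, txid, qname)
        got = (reply["src_ip"], reply["dst_port"], reply["txid"], reply["qname"])
        if got != expected:
            return False  # silently dropped, as real resolvers do
        self.cache[qname] = reply["answer"]
        self.pending = None
        return True


def forged_replies(qname, dst_port):
    """One spoofed reply per possible TXID, all aimed at the port the attacker
    believes the query left from."""
    for txid in range(1 << 16):
        yield {"src_ip": UPSTREAM_IP, "dst_port": dst_port, "txid": txid,
               "qname": qname, "answer": ATTACKER_IP}


def guess_fixed_port(resolver):
    """Attacker model 1: assume the legacy fixed source port."""
    return 53


def side_channel_port(resolver):
    """Attacker model 2: stands in for SADDNS / the ICMP side channel, which
    let an off-path attacker learn the ephemeral port. Modelled as an oracle
    that simply reads it; the real inference is the hard part."""
    return resolver.pending[2]


def poisoning_race(resolver, qname, port_guess):
    """The attacker floods forged replies before the genuine one arrives.
    Returns True if one was accepted and the bogus address is now cached."""
    resolver.send_query(qname)
    for reply in forged_replies(qname, port_guess(resolver)):
        if resolver.receive(reply):
            return True
    resolver.pending = None  # genuine reply lands; this race is lost
    return False


def kaminsky_attack(resolver, domain, port_guess, attempts=10):
    """Kaminsky's refinement: ask for a fresh random subdomain each time so
    the cache has nothing to serve and the race can be rerun at will instead
    of waiting for a TTL to expire. (The real attack also smuggles a bogus NS
    record for the parent domain into the forged reply; omitted here.)"""
    for i in range(attempts):
        if poisoning_race(resolver, f"r{i}.{domain}", port_guess):
            return True
    return False


def search_space_bits(randomize_port):
    """Entropy an off-path attacker must brute-force per race."""
    ports = (1 << 16) - 1024 if randomize_port else 1
    return math.log2((1 << 16) * ports)


if __name__ == "__main__":
    print("fixed port, TXID spray   :", poisoning_race(Resolver(False), "www.bank.example", guess_fixed_port))
    print("random port, TXID spray  :", kaminsky_attack(Resolver(True), "bank.example", guess_fixed_port))
    print("random port, port leaked :", kaminsky_attack(Resolver(True), "bank.example", side_channel_port))
    print("bits to brute-force      :", search_space_bits(False), "vs", round(search_space_bits(True), 1))
```

The point of the model is the third line: once the ephemeral port is known, the kernel’s port randomisation contributes nothing and the attacker is back to the 65,536-guess race that Kaminsky’s attack already won. That is why the fixes are tracked against the kernel (CVE-2021-20322) rather than against the resolvers themselves.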

FBI warns of FatPipe zero-day exploit

In a flash alert [PDF], the FBI has warned that criminals have been hijacking FatPipe VPN devices via a zero-day bug since May.

The Feds said they conducted forensic analysis of an attack and found the vulnerability was present in all FatPipe WARP, MPVPN, and IPVPN device firmware prior to the latest versions, 10.1.2r60p93 and 10.2.2r44p1. An attacker could use the security hole to upload a web shell to the device, giving them root access. The FBI said the hole was used to commandeer VPN boxes and route malicious traffic to targeted parts of US infrastructure.

However, knowing whether you are one of the victims can be tricky, as the attackers frequently used cleanup scripts to hide evidence of their activity. If you find any evidence of an attack, preserve it, as the FBI would love to hear from you.

The US government wants you! If you do security

As part of its ongoing efforts to modernize and build cybersecurity skills, the US Department of Homeland Security has unveiled new methods to find and retain talent.

Dubbed the Cybersecurity Talent Management System (CTMS), the framework may make it easier for Uncle Sam to recruit infosec types by allowing recruiters to hire people on the basis of “demonstrated skills” rather than industry certifications, streamlining the hiring process so candidates aren’t left waiting for months, and allowing pay rates more in line with private-sector positions.

“The DHS Cybersecurity Talent Management System fundamentally reinvents the way the department hires, develops and retains top-notch and diverse cybersecurity talent,” said Homeland Security Secretary Alejandro Mayorkas. “As our nation continues to face an ever-changing threat landscape, we cannot rely solely on traditional recruiting tools to fill mission-critical vacancies.”

For once, WordPress users are not affected by ransomware

Over the past week or so, hundreds of WordPress users have been greeted with a sight every webmaster dreads: their websites replaced with a message demanding 0.1 Bitcoin to decrypt and restore the site’s data.

Sucuri was called in on one of these cases and had some good news: it is not actually ransomware.

The site’s content is not actually encrypted, merely hidden. A malicious plugin called directorist generated the messages and hid the posts. See here for details on which plugin to remove and how to restore the missing content with a single SQL database command. ®


