There’s a VMware problem that’s being exploited in the wild, according to the NSA (PDF). The vulnerability is a command injection on an administrative console. The web server backing this console is apparently running as root, as the vulnerability allows executing “commands with unrestricted privileges on the underlying operating system.”
The wrinkle that makes this interesting is that VMware learned about this vuln from the NSA, which seems to indicate that it was a zero-day being used by a foreign state. The compromise chain they list is also oddly specific, making me suspect that it is a sanitized account of observed attacks.
Microsoft Teams, And the Non-CVE
[Oskars Vegeris] found a pair of interesting problems in the Microsoft Teams client, which together allow an interactionless, wormable RCE. The first vuln is an XSS problem, where a message containing a “mention” can be modified in transit to include arbitrary JavaScript. To get that JS past the XSS protection filter, a Unicode NULL byte is included in the payload. The second vuln is using the built-in file download code in the Teams app to download and auto-run a binary. Put together, anyone who simply loads the message in their Teams app runs the code.
Vegeris points out that since so many users have a presence in multiple rooms, it would be trivial to use this exploit to build a worm that could infect the majority of Teams users worldwide. The bug was reported privately to Microsoft and fixed back in October. A wormable RCE in a widely used tool seems like a big deal, and should net a high CVE score, right? Microsoft gave two ratings for this attack chain, for the two versions of Teams that it can affect. For the Office365 client, it’s “Important, Spoofing”, which is about as unimportant as a bug can be. The desktop app, at least, was rated “critical” for an RCE. The reason for that seems to be that the sandbox escape only works on the standalone desktop app.
But no CVE was issued for the exploit chain. In the security community, collecting CVEs is an important proof of work for your resume. Microsoft replied that they don’t issue CVEs for products that get updated automatically without user interaction. Kerfuffle ensued.
Fuzzing with Atheris
Google released Atheris, a new open-source fuzzing tool, specifically written for Python programs. Fuzzing is the process of running a program or library with generated input, usually input that would be considered malformed, and tracking what happens. Many vulnerabilities have been found and fixed this way in recent years. Atheris is a coverage-guided fuzzer, meaning it keeps track of which lines of code are executed in each iteration, and tries to maximize the lines covered.
The announcement post points out a fascinating use case for Atheris: testing two implementations of a library for bug-for-bug compatibility. An example might be a JSON parser written in Python, compared to a browser’s version. You would seed a test run with valid JSON, mutate that input slightly on each iteration, run the same input through both implementations, and then compare the outputs.
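A differential harness in the shape the post describes, as an added example rather than code from Google’s announcement: it compares Python’s lenient `json.loads` against a constructed stricter variant (standing in for a browser-style parser that rejects the `NaN`/`Infinity` extensions), and reports any input the two handle differently. Running it under Atheris needs the `atheris` package installed and a seed directory of valid JSON on the command line; the `compare` function itself has no such dependency.

```python
"""Differential fuzzing of two JSON parsers (constructed example)."""
import json
import sys

try:
    import atheris  # Google's Atheris fuzzer; only needed for the fuzz loop
except ImportError:  # comparison logic stays usable without it
    atheris = None


def strict_loads(data):
    """Constructed stand-in for a second, stricter implementation.

    Browsers' JSON.parse (per RFC 8259) rejects NaN/Infinity, which Python's
    json module accepts by default; parse_constant lets us reject them too.
    """
    def reject(const):
        raise ValueError("non-standard JSON constant: %s" % const)
    return json.loads(data, parse_constant=reject)


def normalize(value):
    # NaN != NaN, so compare canonical renderings instead of the objects
    return json.dumps(value, sort_keys=True)


def compare(data):
    """Feed one input to both parsers; return None if they agree, else why not."""
    outcomes = []
    for impl in (json.loads, strict_loads):
        try:
            outcomes.append(("ok", normalize(impl(data))))
        except (ValueError, RecursionError) as exc:  # JSONDecodeError is a ValueError
            outcomes.append(("error", type(exc).__name__))
    lenient, strict = outcomes
    if lenient[0] != strict[0]:
        return "accept/reject mismatch on %r: %s vs %s" % (data, lenient, strict)
    if lenient[0] == "ok" and lenient[1] != strict[1]:
        return "different results on %r: %s vs %s" % (data, lenient[1], strict[1])
    return None


def TestOneInput(data):
    """Atheris entry point: a divergence is surfaced as a crash with the input."""
    mismatch = compare(data)
    if mismatch:
        raise AssertionError(mismatch)


if __name__ == "__main__" and atheris is not None:
    atheris.instrument_all()          # enable coverage guidance for the parsers
    atheris.Setup(sys.argv, TestOneInput)  # argv carries the seed corpus dir
    atheris.Fuzz()
```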
Not to be outdone, Intel also just announced a bug-finding tool, ControlFlag. This tool operates on a very different principle, using machine learning to find anomalies in written source code. I wish I could tell you the source is available to go play with, but it appears that this tool has been announced only, and not released for public use.
SSL Root Cert Abuse
Kazakhstan seems to be engaging in some strange security practices, likely intended to enable snooping on internet traffic. ISPs in the capital city are blocking access to Google, Twitter, and the like, until a government-issued root certificate is installed and trusted in the connecting browser. The government is calling this a “training exercise”, but as the certificate is valid for 20 years, it seems like a blatant attempt to enable HTTPS MitM attacks against the public. Stories like this are a reminder of how important things like OCSP stapling and DNS Certification Authority Authorization are. Both of those protocol extensions are intended to protect users from fraudulent certificates that are issued by a trusted root certificate.
Trickbot Evolves and Gains a New Skill
The Trickbot malware platform is an all-in-one tool for stealing credentials, controlling bots, and installing ransomware. It seems a new trick is being added to the already-overflowing bag: firmware modification. The core library from RWEverything has been found in recent samples of Trickbot, and the malware has been observed doing recon against machine firmware. So far, no one has observed a malicious firmware write by Trickbot, but the capability is now there, and that’s worrying enough.
“Microsoft replied that they don’t issue CVEs for products that get updated automatically without user interaction.”
For online webapps not assigning a CVE would be in line with MITRE rules ( https://cve.mitre.org/cve/list_rules_and_guidance/counting_rules.html , INC3). But it sounds like the clients in this case are installed programs that either automatically update, or (like so many programs nowadays) are just specialized web browsers. Sounds like a bit of a gray area, if there is nothing a user could do to upgrade or to block an upgrade.
It sounds like someone has a job where the number of CVEs counts negatively on their performance review, and they’re bending the rules to avoid assigning them.
Depends on the country, normally performance is either a bonus or stock options. Fail to tick all the boxes and get little or no bonus that year, or your options are revoked (buy X shares effectively at today’s price, at a future date provided you are still employed there – basically a way to keep some key people from jumping ship).
RE VMWare, “making me suspect that it is a sanitized account of observed attacks”–what makes me suspect is the title of the PDF. “Russian State-Sponsored Actors Exploiting Vulnerability in VMware® Workspace ONE Access Using Compromised Credentials?”
Hah. It’s possible to try so hard to be clever, one misses the obvious.
> Stories like this are a reminder of how important things like OCSP stapling and DNS Certification Authority Authorization are.
Or the entire SSL Certificate Authority system could have been designed day one without the legal intercept built in.
Take a look at what the Chinese state is doing to the Uyghur people, and ask yourself if you really want to give them unfettered access to decrypting their comms, too.
So, rather than tolerating government attacks on the privacy of people’s comms, has anyone started working on defeat methods against whatever trick ISPs in Kazakhstan are using to force the use of the certificate? Methods of general use to overcome this kind of thing, ways to fake the existence of such certificates, as far as the ISP will see, and methods which won’t just be subject to a cat and mouse game of evasion followed by new methods of censorship? Having an arsenal of future-proof anti-censorship techniques would be a valuable project to aid people in oppressive places all around the world. Thanks
Certificate Transparency is the way forward: http://www.certificate-transparency.org/how-ct-works
But if a country is in control of your Internet traffic and they don’t want to be covert about it, things can be difficult. Especially when your clever evasion tactics might impact your personal safety.