Some weeks are slow, and the pickings are slim when discussing the latest security news. This was not one of those weeks.
First up is Fragattacks, a set of flaws in wireless security protocols, allowing unauthenticated devices to inject packets into the network, and in some cases, read data back out. The flaws revolve around 802.11’s support for packet aggregation and frame fragmentation. The whitepaper is out, so let’s take a look.
Fragmentation and aggregation are techniques for optimizing wireless connections. Packet aggregation is the inclusion of multiple IP packets in a single wireless frame. When a device is sending many small packets, it’s more efficient to send them all at once, in a single wireless frame. On the other hand, if the wireless signal-to-noise ratio is less than ideal, shorter frames are more likely to arrive intact. To better operate in such an environment, long frames can be split into fragments, and recombined upon receipt.
There is a trio of vulnerabilities built into the wireless protocols themselves. First up is CVE-2020-24588, the aggregation attack. To put this simply, the aggregation section of a wireless frame header is unauthenticated and unencrypted. How to exploit this weakness isn’t immediately obvious, but the authors have done something clever.
First, for the purposes of explanation, we will assume that there is already a TCP connection established between the victim and an attacker controlled server. This could be as simple as an advertisement being displayed on a visited web page, or an image linked to in an email. We will also assume that the attacker is performing a Man in the Middle attack on the target’s wireless connection. Without the password, this only allows the attacker to pass the wireless frames back and forth unmodified, except for the aggregation header data, as mentioned. The actual attack is to send a special IP packet in the established TCP connection, and then modify the header data on the wireless frame that contains that packet.
When the victim tries to unpack what it believes to be an aggregated frame, the TCP payload is interpreted as a discrete packet, which can be addressed to any IP and port the attacker chooses. To put it more simply, it’s a packet within a packet, and the frame aggregation header is abused to pop the internal packet out onto the protected network.
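As an added example (not code from the whitepaper or this article), here is how a receiver walks the subframes of an A-MSDU, and the receiver-side heuristic that catches a normal frame whose aggregation flag was flipped: a genuine aggregated frame never starts with the LLC/SNAP bytes, so a first "destination address" of aa:aa:03:00:00:00 means the body is really a single MSDU being misparsed. The sample frames, MAC addresses and function names are constructed; the heuristic is, to my knowledge, the one the Linux wireless stack adopted as its mitigation.

```python
# Added example: parse an A-MSDU body and flag a plain MSDU that is being misparsed as one.
# Assumes the frame body is already decrypted (what the receiver sees after the crypto layer).
import struct

RFC1042_HEADER = bytes.fromhex("aaaa03000000")  # LLC/SNAP prefix every normal MSDU starts with


def parse_amsdu(body: bytes) -> list:
    """Split an A-MSDU body into (DA, SA, payload) tuples.
    Subframe layout: DA(6) | SA(6) | Length(2, big-endian) | payload | pad to 4 bytes (not after last)."""
    subframes, off = [], 0
    while off < len(body):
        if len(body) - off < 14:
            raise ValueError("truncated subframe header")
        da, sa = body[off:off + 6], body[off + 6:off + 12]
        length = struct.unpack("!H", body[off + 12:off + 14])[0]
        start, end = off + 14, off + 14 + length
        if end > len(body):
            raise ValueError("subframe length exceeds body")
        subframes.append((da, sa, body[start:end]))
        off = end + (-length % 4)  # skip alignment padding between subframes
    return subframes


def parses_as_amsdu(body: bytes) -> bool:
    try:
        parse_amsdu(body)
        return True
    except ValueError:
        return False


def build_amsdu(subframes) -> bytes:
    """Build a well-formed A-MSDU body from (DA, SA, payload) tuples (used to make sample input)."""
    out = b""
    for i, (da, sa, payload) in enumerate(subframes):
        out += da + sa + struct.pack("!H", len(payload)) + payload
        if i != len(subframes) - 1:
            out += b"\x00" * (-len(payload) % 4)
    return out


def reject_suspicious_amsdu(body: bytes) -> bool:
    """Defender check: if the first subframe's DA equals the LLC/SNAP prefix, the A-MSDU flag was
    almost certainly flipped on a normal frame, so drop the whole frame instead of unpacking it."""
    return body[:6] == RFC1042_HEADER


# Constructed sample: a normal single MSDU = LLC/SNAP + EtherType(IPv4) + a 20-byte IPv4 header.
PLAIN_MSDU = RFC1042_HEADER + b"\x08\x00" + bytes.fromhex("4500002812344000400600000a0000020a000001")
# Constructed sample: a genuine two-subframe A-MSDU between made-up MAC addresses.
STA, AP = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
GENUINE_AMSDU = build_amsdu([(STA, AP, b"first"), (STA, AP, b"second")])

if __name__ == "__main__":
    print(len(parse_amsdu(GENUINE_AMSDU)), "subframes in the genuine A-MSDU; drop it?", reject_suspicious_amsdu(GENUINE_AMSDU))
    print("plain MSDU read as A-MSDU gives DA", PLAIN_MSDU[:6].hex(":"), "-> drop it?", reject_suspicious_amsdu(PLAIN_MSDU))
```

The check fires on the misparsed frame before any "inner" packet can be popped out, regardless of whether the rest of the body happens to parse as sane subframes.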
The second protocol-level vulnerability is CVE-2020-24587, the mixed key attack. This one is borderline theoretical, as the stars have to align to be able to pull it off. This could be called the cut-and-paste attack. Or if you prefer, “My voice is my passport, verify me.” In a similar vein, a local attacker can mix encrypted packet fragments together, to achieve an unintended combination, like resending login information to an attacker-controlled server.
The final protocol flaw is CVE-2020-24586, the fragment cache attack. This one is a bit different, as it requires full access to the encrypted wireless network ahead of time. The short explanation is that an attacker sends the first fragment of a fragmented frame, specifying the destination IP address, then disconnects. When a victim sends a fragmented message, the attacker makes sure that the first fragment is dropped, and the frame is reassembled from different clients. It’s another hard-to-pull-off attack.
In addition to these three protocol flaws, there are a handful of vendor-dependent vulnerabilities, like CVE-2020-26144, where a wireless frame contains multiple aggregated packets, but appears to be initiating a connection handshake. This handshake is expected to be unencrypted, so it’s processed, and faulty logic results in the aggregated packets also being accepted. A network with this flaw can be trivially port scanned, and malicious connections launched, as the attacker can spoof the source IP of those connections with an outside IP he controls.
Silent as an XcodeGhost
Remember XcodeGhost? Quick refresher: it was a repackaging of Xcode that included malicious code, so that any iOS app it compiled would also contain malware. It was spread by dropping download links on developer forums and the like, and the big sell was that it downloaded much quicker in China. At the time, it was reported to be responsible for 40 malicious apps. Then Qihoo360 suggested that they had found 344 affected apps, and finally FireEye detected over 4000. Apple’s response to this was radio silence. Now, thanks to the Epic Games lawsuit, we have some insight into the incident.
At the time the released emails were written, Apple knew they had 2500 malicious applications on their app store, and about 128 million impacted users. They apparently began the process of contacting the users via email, but opted to back down, and instead post a notice on the Chinese version of their site. It’s interesting to get the inside scoop on this and a few other security problems. Lawsuit discovery has a way of airing out laundry, dirty and otherwise.
Do Not Fill Plastic Bags with Gasoline
Ransomware has obviously been the hottest thing in computer crime in quite a while. It’s kinda rare, though, for a ransomware attack to affect so many people all at once, like the ransomware attack against Colonial Pipeline. Sources have confirmed to multiple outlets that Colonial paid the ransom of 75 bitcoins, or five million US dollars, apparently within hours of the discovery of the ransomware. Even though recovery efforts started right away, the supply of gasoline to the southeastern US was impacted enough to trigger shortages and a bit of panic buying. There’s a lot that’s still unknown about the attack, but everyone seems to agree that the attack was facilitated by DarkSide, a Ransomware as a Service group based in Russia. It’s unclear who actually launched the attack, or how they initially breached the company.
A quartet of serious Windows vulnerabilities got patched this Tuesday, with CVE-2021-31166 being the most serious. That one is a problem in the HTTP provider in Windows 10 and an unknown set of Windows Server versions. Because it’s a 0-click flaw in an often exposed service, this is considered wormable and very important. You might think that your Windows machines are all behind a firewall, so maybe you could let it slide, right? Stick around and we’ll chat about how your firewall might not be as locked down as you think, at the bottom of the article.
CVE-2021-26419 is a flaw in Internet Explorer 9 and 11. It seems that it can be launched simply by viewing a malicious website. On top of that, this one can potentially be triggered from an office document. If you don’t have a good reason to keep IE around, it might be time to uninstall it altogether.
Part of the Codecov system, the Bash Uploader script, was maliciously modified to send environment variables to a remote server. The breach happened as a result of credentials unintentionally included in a Codecov Docker image that allowed an attacker to make changes to the script. Thankfully, there doesn’t seem to have been any further malicious action included in the modified script, but any secrets that get exported as environment variables in your Codecov build process should be considered compromised.
Clever Airtag Hacks
Apple recently announced and released their new Airtag devices, much to the dismay of Tile and the like. The community has already found some interesting uses for the little gadgets, like using them to send information at about 3 bytes per second. Yes, [Fabian Bräunlein] has invented an Airtag powered 24 baud modem. Really, it’s a microcontroller sending Bluetooth Low Energy packets with one of several public keys to the Apple Find My network. The upside is that you could piggyback on everyone else’s iPhones to dribble data from a sensor somewhere with no Wifi or cell connection.
And on the other hand, you might wonder what happens if you use an Airtag as a tracking device. Well, curious reader, naturally someone has already sent an Airtag through the mail. It worked every bit as well as you would hope (or fear), giving fairly constant updates on the location of the package. I can’t help but think about the other possible uses. Sending a kid on a field trip? Throw an Airtag in their pocket to know where they are.
As a new Starlink customer (review coming soon), and consequently using IPv6 for the first time, I’m excited and a bit concerned by IPv6. The excitement should be obvious, but I’m concerned because so many of our security habits and assumptions don’t necessarily translate to IPv6. For example, you probably know exactly what ports, if any, you’re exposing on your public IPv4 address. Have you stopped and thought about what ports are exposed on your IPv6 addresses? Remember that Windows HTTP hack from above? I fully expect to eventually see a worm that replicates over IPv6, through various means.
There are, thankfully, already some IPv6 port scanning services. It might be worth taking a minute to double-check that your IPv6 firewall is working as intended, if you have IPv6 service. IPv6 is working seamlessly enough that your ISP may have rolled out support without you noticing, but if you are concerned with security, you should notice — we’ve all gotten a bit lax, taking IPv4 NAT routing for granted.