This Week In Security: REvil Goes Dark, Kaseya Cleanup, Android Updates, And Terrible Firmware

The funniest thing happened to REvil this week. Their online presence seems to have disappeared.
Their Tor sites as well as conventional sites all went down about the same time Tuesday morning, leading to speculation that they may have been hit by a law enforcement operation. This comes on the heels of a renewed push by the US for other countries, notably Russia, to crack down on ransomware groups operating within their borders. If it is a coordinated takedown, it’s likely a response to the extremely widespread 4th of July campaign launched via the Kaseya platform. Seriously, if you’re going to do something that risks ticking off Americans, don’t do it on the day we’re celebrating national pride by blowing stuff up.

Speaking of Kaseya, they have finished their analysis, and published a guide for safely powering on their VSA on-premise hardware. Now that the fixes are available, more information about the attack itself is being released. Truesec researchers have been following this story in real time, and even provided information about the attack back to Kaseya, based on their observations. Their analysis shows that 4 separate vulnerabilities were involved in the attack. First up is an authentication bypass. It takes advantage of code that looks something like this:

if password == hash(row[nextAgentPassword] + row[agentGuidStr]) 
    login ok 
elseif password == hash(row[curAgentPassword] + row[agentGuidStr])
    login ok
elseif password == hash(row[nextAgentPassword] + row[displayName])
    login ok
elseif password == hash(row[curAgentPassword] + row[displayName])
    login ok
elseif password == row[password]
    login failed 
else 
    login ok

Yeah, their code fails open, rather than failing closed. I have spent some time trying to understand how that code could have ever worked, or what the engineer was thinking that wrote it, and I’ve got nothing. I have to hope the original version makes more sense. One thing to note, in order to get this far in the login process, an attacker would need a valid agentGuid.

Next in the attack flow, an unexpected request to the done.asp endpoint triggered an unrestricted upload vulnerability. This would theoretically be thwarted by a Cross Site Request Forgery protection token, but that token wasn’t being properly vetted, allowing for another easy bypass. Two files were uploaded by the attacker, a payload to send to the victim machines, as well as an ASP script to execute on the appliance itself. The final step from the attacker was to trigger the execution of this script through another faulty endpoint. From there the attack would be carried out automatically and the logs of the appliance wiped to cover the trail.

Android Wifi Scan RCE

There is always something fun hidden in the monthly Android security updates, and this month is no exception. CVE-2021-1965 is a flaw in Qualcomm driver code, a buffer overflow in how BSSID beacons are handled when scanning for networks. Part of those beacons is the “Information Element”, which additional information about the network. The code in question didn’t properly handle long IE fields, resulting in a potential buffer overflow.

This is an interesting bug, because unless you put it in airplane mode, a modern phone is always running scans for WiFi networks, and simply being in range of a malicious network is enough to trigger the vulnerability.

PrintNightmare Is Over?

Microsoft pushed a pair of fixes, both aimed at the PrintNightmare flaw, one of which being an Out Of Band (OOB) patch, AKA not put out on Patch Tuesday. Several researchers stepped forward to point out that the vulnerability was still present, if you had a certain system configuration. Microsoft has responded to those claims:

Our investigation has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.

It seems like the ride isn’t quite over, though this time maybe it really is limited to local users:

You Don’t Need to See My Credentials

Sage X3 is an Enterprise Resource Planning system. Think Quickbooks, but for enterprise scale. Researchers at Rapid7 found a few problems with the program, but the big one is CVE-2020-7388. The server and client elements of Sage X3 communicate over a TCP connection, and use a proprietary authentication mechanism to protect that connection. So long as the authentication is successful, commands can be sent back over the connection to execute on the server as the authenticated user. That proprietary authentication mechanism has a little bug in it. If you change one of the bytes in the auth initialization, the server never actually asks for the hashed username and password, and instead runs commands as its own user, SYSTEM. That’s one to hurry up and update.

Insecure Cameras, or, Why Use A VLAN

Researchers at Randorisec seem to have a hobby of finding security vulnerabilities in UDP Technology cameras. Continuing in their favorite pasttime, they grabbed the latest firmware for their cameras, and set about looking for vulnerabilities. The problem? Those firmware files were encrypted. Not deterred, they simply looked for an undiscovered RCE on the firmware version they still had access to, and then used that to pop the up-to-date cameras and grab the filesystems. They found twelve more CVEs. The writeup is great, walking through the process of turning a vulnerability into a working exploit — go read it.

There’s a lesson to be learned here. Code that a vendor assumes to be unimportant and never to be seen is almost guaranteed to be garbage in one way or another. How many devices do you have on your networks that are probably in this category? We’re not even talking about hardware that might have intentional backdoors. IP Cameras are useful tools for physical security, but they can be a terrible problem for network security. Is there a solution? Separate networks, most easily done via VLANs. Keep your untrusted devices away from your important network, and even better, keep your cameras off the internet.

16 thoughts on “This Week In Security: REvil Goes Dark, Kaseya Cleanup, Android Updates, And Terrible Firmware

    1. “the professionals” don’t actually exist, they are fictional creations. Humans can’t make secure software, it’s beyond their abilities, like 400 yard field goals or 2 seconds for a 100 yard dash. If you don’t believe me, look at the CVE database, every company is in there.

      1. Not entirely true, what we are not doing is making the complex, ‘user friendly’, ubiquitous, and pervasive computing secure – but secure, reliable ‘computers’ and software for them does exist – its just the scope is much smaller.

        To make something as fully featured as basically everything you would think of as computer tasks requires so many steps, and such breadth of interoperation between Kernel, hardware, and other software, some flaws that slip through are inevitable.

        Add in that much software is written by folks under massive time and budget constraints to get the job done, not get it done right, while probably being rather underqualified for the job they are doing – because they were cheaper than hiring/retaining enough really experienced people, and for good measure usually needs a whole pile of knobs and buttons to make it so it can be fitted to all usecases by any ol muppet with very little knowledge of how the software actually works… Serious flaws are very much more likely.

        Though I don’t see why a human team couldn’t make a secure computing system that does what we expect when we think computer now – it is just doing so would be putting a priority on simple and very robust operating mechanisms so that the top priority of security could be maintained and easily verified. Rather than chasing ever greater feature sets, and taking short cuts for performance, or just to get a somewhat functional system out to the sale room to rake in lots and lots of profit. Would also really need more static and simple hardware – when you can have any one of several billion hardware combinations and it needs to work, and those hardware elements are constantly getting revisions and upgrades that work differently it is impossible to really nail secure and functional at the same time.

        1. “but secure, reliable ‘computers’ and software for them does exist ”

          No, there is no such thing.

          ” the top priority of security could be maintained and easily verified”

          How can security be verified when we are not aware of the vulnerabilities??? Currently we think software is “secure” until a new issue is found. Thinking that we have already found all of the vulnerabilities is just wrong.

      2. Most common OS security models are user-based – a process is owned by a user and then every other object in the system has permissions saying whether or not that user can do things. The better model is capability-based – where objects respond to a capability id that processes obtain through limited means. That means everything is NO by default from the start instead of YES by default which is the result of the path DOS->Windows 9x->Windows NT->Windows 10.

    2. Doesn’t the entire article cleary denote that everyone writing code is a security professional? Espcially the junior devs writing junk code that no one will ever see. Flaws we notice in the public facing part of the code are the gateway to the juicy bits where junk code was written that ignored best practices and security and “left it to professionals.”

      I can’t think of any statement about security that I disagree with more.

      1. From his forum posts he was open about it being there to allow him to debug devices.
        But definitely a mistake
        A) for it not to be secure
        B) for it to be enabled by default, rather than by ticking a “enable remote debugging” checkbox or something.

        1. Multi vendor buzzphrase alert! “Zero Trust”. (in the end, you ain’t paranoid enough. because they are out to get and even if you have no data of value, the processing power of a ZX81 and bottom tier DSL bandwidth, you still are a potential resource)

          1. “even if you have no data of value,” yeah the password to your banks web site has no value. Wow and your wife just found fake letters to your fake girlfriend, how did they get there? And the cops are here to arrest you for the “interesting” stuff that “someone” put on your computer.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.