This Week In Security: Not A Vulnerability, BGP Bug Propogation, And Press Enter To Hack

Curl was recently notified of a CVE, CVE-2020-19909, rated at a hair-raising 9.8 on the CVSS scale. And PostgreSQL has CVE-2020-21469, clocking in with a 7.5 severity. You may notice something odd about those two vulnerabilities, but I promise the 2020 date is only the tip of the iceberg here.

Let’s start with PostgreSQL. That vulnerability was only present in version 12.2, which released in February of 2020, and was fixed with the 12.3 release in May of that same year. The problem is a stack buffer overflow, which doesn’t seem to enable code execution, but does cause a denial of service situation. To trigger the bug? Repeatedly send the PostgreSQL daemon the SIGHUP signal.

If you’re familiar with Linux signals, that might sound odd. See, the SIGHUP signal technically indicates the end of a user session, but most daemons use it to indicate a restart or reload request. And to send this signal, a user has to have elevated privileges — elevated enough to simply stop the daemon altogether. Put simply, it’s not a security vulnerability, just a minor bug.

And now on to curl — This one is just bizarre. The issue is a integer overflow in the --retry-delay argument, which specifies in seconds how often curl should retry a failing download. The value is multiplied by 1000 to convert to milliseconds, resulting in an overflow for very large values. The result of that overflow? A smaller value for the retry delay.

[Daniel Stenberg] makes the point that this tale is a wonderful demonstration of the brokenness of the CVE system and NVD’s handling of it. And in this case, it’s hard not to see this as negligence. We have to work really hard to construct a theoretical scenario where this bug could actually be exploited. The best I’ve been able to come up with is an online download tool, where the user can specify part of the target name and a timeout. If that tool had a check to ensure that the timeout was large enough to avoid excess traffic, this bug could bypass that check. Should we be assigning CVEs for that sort of convoluted, theoretical attack?

But here’s the thing, that attack scenario should rate something like a CVSS of 4.8 at absolute worst. NVD assigned this a 9.8. There’s no way you can squint at this bug hard enough to legitimately rank it that severe. At the time of writing, the NVD lists this as “UNDERGOING REANALYSIS”.

BGP Allergies

In early June, a Border Gateway Protocol (BGP) route started announcing from a small network in Brazil. That route had a BGP Entropy Label Capability Attribute as part of the attribute fields, but the length of that field set to zero. Most other BGP routers have no idea what this attribute means, so it’s ignored but passed on.

Juniper routers, however, are quite well aware of what that attribute is, and are quite opinionated on how it should be formatted. And this route got it wrong. The old response to a decoding error is to trigger a BGP session shutdown, dropping the router from the wider Internet temporarily. Because the route that caused the problem is still being announced, that process can continue to iterate, keeping the affected routers offline until someone steps in to fix the problem. RFC 7606 fixes this problem, by specifying that only the bad routes are to be dropped. But rollout on this RFC has been slow.

Which leads to the actual research of this story. [Benjojo] decided to set some BGP routers up on a testbench, and fuzz some BGP packets. There’s an impressive list of vendors that didn’t fall to the attack, but Juniper, Nokia, FRR, OpenBSD, and Extreme Networks all had somewhat unexpected results. Of those, the OpenBSD security team stood out for taking the report seriously, and rapidly preparing a patch to address it. The other vendors were less responsive, to put it mildly.

TPM Hacking Made Easy

Here on Hackaday, we’ve covered a couple different Trusted Platform Module (TPM) attacks, where an encryption key can be sniffed off a physical trace on the motherboard. It turns out, those attacks way over-complicate the matter, and you can just mash the enter key like a 6-year-old playing street fighter.

This attack works on Linux machines that use the TPM to power unattended unlocking for LUKS disk encryption. This sounds odd at first, but it’s the solution to doing disk encryption for the server in the network closet, without having to walk over and type a password in for every reboot. The TPM supplies the encryption key, and the OS takes over security. The trick is to shoot that gap, hitting enter multiple times before the TPM unlocks the disk, each counting as a password entry attempt. Rate limiting kicks in, preventing the normal boot flow, and eventually the system fails to boot and drops the user to a root privileged shell.

The hard drive is still locked, but it’s easy enough to use the boot-time tools to ask the TPM to unlock the disk. It’s apparently possible to rapid-fire the enter key fast enough by hand to hit this issue. The solution is actually a bit complicated. You can add rd.shell=0 and rd.emergency=reboot to the kernel command line, and it closes the gap, but that might not be the best option for most users.

Bits and Bytes

Remember Wardriving? Where you could take a laptop and WiFi card, and drive around looking for vulnerable wireless networks? Chances are, you have a more powerful computer in your pocket, so why not put it to work? The entire mobile-hacker series is about the Kali NetHunter Android toolkit, and walks us through installation, picking some peripherals, and getting to work auditing WiFi. Enjoy responsibly!

One of our favorite tools in the anti-malware toolkit, Malwarebytes, is prepping for some big changes. Sadly, about 100 employees were let go as part of the groundwork for splitting the business into consumer and enterprise arms. No work yet on how the flagship anti-malware product will be affected.

An new malware strain, “Infamous Chisel”, has been found apparently targeting Ukrainian Android devices. The malware permanently installs itself over the netd daemon, and uses the TOR network for communications. It even includes Dropbear SSH for remote access. With the permanent installation and file replacement, this malware doesn’t seem to be intended for stealth installs.

6 thoughts on “This Week In Security: Not A Vulnerability, BGP Bug Propogation, And Press Enter To Hack

  1. Completely agree on the security ratings, every time I get a notification of a new vulnerability on a service we use I have to go over the report and make sure we should fix it instead of trusting the rate it’s provided.
    I guess it’s another way of tricking non-aware businesses of spending money on cybersecurity tools that don’t improve the overall security of a company.
    It’s just ridiculous.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.