It looks like there’s finally hope for sane password policies. The US National Institute of Standards and Technology, NIST, has released a draft of SP 800-63-4, the Digital Identity Guidelines.
There’s password guidance in there, like “SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords” and “SHALL NOT require users to change passwords periodically.” NIST-approved passwords must be at least 8 characters long, with a weaker recommendation of at least 15 characters. Security questions like the name of your first pet get the axe. And it’s strongly recommended that all ASCII and Unicode characters should be acceptable in passwords.
This is definitely moving in the right direction. NIST guidelines are only binding for government services and contractors, though they do eventually get picked up by banks and other industries. So there’s hope for sane password policies eventually.
Tank Hacking
Researchers at Bitsight are interested in infrastructure security, and they opted to take a closer look at Automatic Tank Gauging (ATG) systems. Those are found at gas stations, as well as any other facility that needs automated monitoring of liquids or gases in a tank. There is an actual ATG message format, originally designed for RS-232 serial, and woefully unprepared for the interconnected present. The protocol allows for an optional security code, but it maxes out at only six alphanumeric characters.
Among the vulnerabilities getting announced today, we have a pair of CVSS 10 command injection flaws, a quartet of 9.8 authentication bypass flaws, with one of those being a hardcoded credential — AKA a backdoor. The other CVSS 9+ flaw is a SQL injection, with a trio of slightly less serious flaws rounding things out.
The really interesting question is what could theoretically be done with admin access and escape to shellcode on one of these systems? There’s the obvious path of Denial of Service. Once you have root, just delete files, flash random noise over the firmware, and walk away. The more interesting approach is to make changes that have physical consequences. If a fuel tank is reprogrammed to indicate that it holds twice the volume, will it overflow? Researchers realized that relays have a maximum operation rate, and driving them on and off at faster rates has interesting effects — glowing and letting the magic smoke out.
More Tank Hacking?
Also this week is the story of a Kansas water treatment plant that has gone to manual mode after a cyberattack. It’s not clear whether this was actually an attack aimed at infrastructure, or just a ransomware attack that is impacting the water treatment facility as a side effect.
The Linux Mystery 9.9 CVE
This week we’ve been watching a story develop after [Simone Margaritelli] sounded the warning about a very serious GNU/Linux vulnerability on Twitter/X. The claim was a CVSS 9.9 in all Linux systems. Well, apparently it’s time, because the details have dropped, and it’s a wild ride.
* Unauthenticated RCE vs all GNU/Linux systems (plus others) disclosed 3 weeks ago.
* Full disclosure happening in less than 2 weeks (as agreed with devs).
* Still no CVE assigned (there should be at least 3, possibly 4, ideally 6).
* Still no working fix.
* Canonical, RedHat and…
— Simone Margaritelli (@evilsocket), September 23, 2024
So first, the actual vulnerabilities: Part of the Common Unix Printing System (now just CUPS) is cups-browsed, a helper daemon that automatically installs printers discovered on the local network. This binds to all IP addresses on UDP port 631, and an incoming UDP packet will trigger a printer install. The quirk here is that this incoming request can include an arbitrary URL as the source of the IPP printer driver information. That IPP data isn’t sanitized, allowing for arbitrary information upload and subsequent file creation with that arbitrary data. The cherry on top is the foomatic-rip driver, which includes the helpful feature of running a shell command as part of the printing process. Oh, and to be clear, the CVSS 9.9 isn’t strictly accurate, because it does require user interaction, printing to the malicious printer, to trigger the code execution.
Now here’s the tricky question: How many of those quirks are vulnerabilities? Cups-browsed seems obviously architected without an authentication layer, and therefore not at all intended to be exposed to the Internet. Downloading an arbitrary IPP file seems to be working as intended, and the FoomaticRIPCommandLine is a documented feature, not a vulnerability.
And yet, pretty obviously, a printer on the local network shouldn’t be able to trigger arbitrary code execution when printing to it, especially when it’s so easy for any computer to fake being a printer. It’s very surprising that there are over 100,000 systems that expose UDP port 631 and the cups-browsed service to the Internet. I look forward to other researchers double-checking that claim. If it wasn’t obvious, don’t expose CUPS to the Internet. It shouldn’t have taken a CVE to make that abundantly clear. That is probably why it was so hard for [Simone] to get the CUPS developers to take this seriously.
As per the Red Hat notice, you can check your Linux systems for this issue by running:
sudo systemctl status cups-browsed
and check a remote machine using:
sudo nmap -sU -p 631 -v ip.address.of.machine
watching for “631/udp open|filtered ipp” in the output. There is already a Proof of Concept that has leaked, so do check and pull the plug on any systems that expose this service.
The Other One
The “9.9” CVE was just a bit of a letdown, but we do have CVE-2024-20017, a confirmed high severity vulnerability in MediaTek’s wappd daemon that seems to weigh in at 9.8.
The vulnerability is specifically in the handling of the Security Block message that’s part of WiFi roaming handoffs. wappd allocates a fixed-size buffer, and doesn’t validate the actual message size before copying that data. This can overflow by up to 1433 bytes, and that’s certainly enough to trigger full RCE. There’s Proof of Concept code available, so watch for updates for wireless gear.
Bits and Bytes
Kaspersky has done something unexpected, pulling a switcheroo. Users who still had Kaspersky installed have found UltraAV now automatically installed on their machines. It’s reported that Kaspersky was sending email notices out earlier this month that the update was coming.
There’s a really impressive chain of tricks that redirects from a YouTube URL to an arbitrary Google Docs URL. That may not sound particularly interesting, but the whole chain of redirects means that a page that looks like a Google Form with a simple poll could actually grant permissions to arbitrary Google Drive files on submit. Google paid a juicy $4133.70 for the find, and rolled the fix out on the same day.
ChatGPT has a new feature, long-term memory. The idea is that your conversations with the LLM can become part of the training data, making the model even more useful as you use it. There is another really powerful feature available in ChatGPT now: the LLM can pull data from the Internet in real time. Turns out that if you can get one of these instances to pull some manipulated data, the model can keep it in long-term memory. The real trick is that this injection can convince the model to keep revisiting an arbitrary URL, leaking data. Impressive.
And finally, the Kia dealer and owners websites leak a bit too much data. With nothing more than the car’s VIN, an attacker can generate a fake dealer token, and demote and replace the previous owner. From there, it’s trivial to remote start, honk, or otherwise mess with the vehicle. It wasn’t great, but Kia got it fixed over a month ago.
“There is already a Proof of Concept that has leaked, so do check and pull the plug on any systems that expose this service.”
Wouldn’t blocking Port 631 on the router be sufficient?
Also looks like there is a cups-browsed.conf file that can be modified as well. There are BrowseAllow and BrowseDeny entries. Simple for me as I have two networks. So only allow machines on the local network to browse cups.
how about
/usr/sbin/cupsctl --[no-]remote-any
?
Or, if you don’t need printer auto-discovery (do you?):
systemctl stop cups-browsed
systemctl disable cups-browsed
I actually like the auto-discovery feature. My Brother printers just ‘showed up’ and ‘worked’! No drivers, no setup, just ‘there’ ready to go to work. I remember the days of getting the printers working headaches…. Finding drivers, etc. One of those things that made you not want to upgrade/install new distro.
But does it need to run non-stop? or only for a few seconds when you press the “find printers” button?
“Cups-browsed seems obviously architected without an authentication layer, and therefore not at all intended to be exposed to the Internet.”
“The system will only be used as intended” isn’t a security policy. It’s somewhere between wishful thinking and outright denial of reality.
It didn’t make it into the article, but I was thinking about this. You can expose passwordless telnet to the Internet. You can set your password to “password” and expose SSH to the Internet. At some point the user has to take responsibility for not using insecure settings on their machine.
“Security questions like name of first pet get the axe.” That took way too long, like 15 years too late.
Cynic in me thinks someone must have retired to finally allow the removal of “My Contribution are the security questions.”
Yea, I’m not going to miss those. Tired of digging up my brutal past every time a password system screws up.
Also enforced password requirements. Just show users their password strength and don’t tell them how to be. Use of emojis in passwords not only ups the entropy by a factor of four, but also allows a personalized lexicon and grammar which is immune to dictionary attacks. They also stand to be easy to remember. I for one will continue to use random hashes.
Security questions to reset a password are a very bad idea in general. There is plenty of evidence that this information (the answer) can be obtained way too easily. The underlying problem is that the information is not considered a secret by the user.
Also, passwords with a length of 8 characters are just way too weak. They can be cracked in a femtosecond, and they are more susceptible to shoulder surfing and guessing. Password sentences of at least 15 characters are the way forward as long as we have to use passwords. And for not having to change your password periodically, it’s essential to have some sort of professional breach monitoring set up. Home computers/smartphones are still compromised a lot and passwords are harvested.
Thanks for giving me more reasons not to use AI. Now I regret asking Copilot how to uninstall Copilot. It probably has me flagged in a database of people hostile to AI, so that when the uprising comes I will be immediately targeted by combat drones.
What happened to batteryhorsestaple?
Correct!
Given that Kia and Hyundai collaborate on a number of platforms, that makes me wonder if Hyundai might be prone to a similar vulnerability.