This Week In Security: Gitlab, VMware, And PixeFAIL

There’s a Gitlab vulnerability that you should probably pay attention to. Tracked as CVE-2023-7028, this issue allows an attacker to specify a secondary email address during the password reset request. Only one of the addresses has to match the one on record, but the password reset link gets sent to both. Yikes!

What makes this worse is that there is already a Proof of Concept (PoC) released, and it’s a trivial flaw: in the HTTP(S) POST containing the password reset request, just include two email addresses. Thankfully, a fix is already out. Versions 16.7.2, 16.6.4, and 16.5.6 contain this patch, as well as fixes for a flaw that allowed sneaking unauthorized changes into a previously approved merge request, and an issue with Slack and Mattermost where slash commands could be spoofed.
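To make the failure mode concrete, here is an added illustration in Ruby (the language GitLab is written in). It is written for this page and is not GitLab’s code: a toy password-reset handler with the flawed logic beside a hardened version, plus a small log check that flags reset requests whose email parameter arrived as a list. The user store, the sample log lines, their JSON shape and the `/users/password` path are all constructed assumptions.

```ruby
require 'json'
require 'securerandom'

# Constructed user store for the illustration: address on record => account.
USERS = { "alice@example.com" => "alice" }.freeze

# Model of the flawed logic: accept whatever the client submitted (a repeated
# form field or JSON array arrives as an Array), verify that *any* address
# matches an account, then send the same reset link to *every* address.
def vulnerable_reset(submitted)
  emails = Array(submitted).map { |e| e.to_s.strip.downcase }
  account = emails.filter_map { |e| USERS[e] }.first
  return [] unless account                   # no match at all: nothing is sent
  token = SecureRandom.hex(16)
  emails.map { |e| { to: e, account: account, token: token } }
end

# Hardened logic: the parameter must be a single string, the lookup is done on
# that one string, and the link is delivered only to the address on record.
def fixed_reset(submitted)
  return [] unless submitted.is_a?(String)   # reject multi-valued parameters outright
  email = submitted.strip.downcase
  account = USERS[email]
  return [] unless account
  [{ to: email, account: account, token: SecureRandom.hex(16) }]
end

# Detection side: flag reset requests whose e-mail parameter arrived as a list.
# SAMPLE_LOG is a constructed JSON request log in a generic shape (method, path
# and a params array); the /users/password path is an assumption.
SAMPLE_LOG = <<~LOG
  {"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":"alice@example.com"}}]}
  {"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["alice@example.com","attacker@evil.example"]}}]}
  {"method":"GET","path":"/users/sign_in","params":[]}
  not json at all
LOG

def suspicious_reset_requests(log_text)
  log_text.each_line.filter_map do |line|
    entry = begin
      JSON.parse(line)
    rescue JSON::ParserError
      next                                   # skip unparsable lines
    end
    next unless entry["method"] == "POST" && entry["path"] == "/users/password"
    user = Array(entry["params"]).find { |p| p.is_a?(Hash) && p["key"] == "user" }
    value = user && user["value"]
    email = value.is_a?(Hash) ? value["email"] : nil
    entry if email.is_a?(Array) && email.length > 1   # more than one address: suspicious
  end
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_reset(["alice@example.com", "attacker@evil.example"]).inspect
  puts fixed_reset(["alice@example.com", "attacker@evil.example"]).inspect
  puts suspicious_reset_requests(SAMPLE_LOG).length
end
```

The point of the hardened version is not the type check alone but where the recipient comes from: the link goes only to the address that was looked up, never to a caller-supplied list. The log check is the kind of thing to run over historical request logs when patching, since the flaw needs no credentials and leaves a recognisable shape in the parameters.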

VMware

We don’t want to over-dramatise this vulnerability, but VMware is calling it an emergency. This one affects VMware vRealize and Aria Automation. According to the CVSS calculator, it’s a low-complexity network flaw, but it does require at least some privileges. Hopefully more information will come out about this vulnerability, but for now that’s about all we know.


Haier Threatens Legal Action Against Home Assistant Plugin Developer

Appliance manufacturer Haier has been integrating IoT features into their newer products, and as is so common these days, users are expected to install their “hOn” mobile application to access them. Not satisfied with that limitation, [Andre Basche] reverse engineered the protocol used by the app, and released a Python library and associated Home Assistant plugin to interface with a wide array of Haier appliances, which includes brands like Hoover, Candy, GE Appliances and others.

Unfortunately, it looks like his efforts have gotten him into a bit of legal hot water. In an issue recently opened on the project’s GitHub page, [Andre] explains the circumstances and legal options that have led him to consider pulling the repositories completely — mostly due to the cost of mounting a legal defense to the cease & desist from Haier Europe.

What’s ironic here is that Haier has been part of the Connectivity Standard Alliance (CSA) since 2022, whose goal is to ‘promote universal open IoT standards’, including Matter.

It’s possible that a legal defense will be mounted against this C&D from Haier within the coming days. Yet regardless of the outcome here, it remains problematic that these IoT-enabled Haier appliances are tied to Haier’s servers. Ideally they would be controlled locally, which is the goal of projects like [Miguel Ángel López Vicente]’s ESP Haier, which uses an ESP8266 to connect Haier AC units to the local WiFi, and from there to a Home Assistant instance, all without requiring internet access.

This is sadly just one more example of why building your own off-line smart home can be such an incredible struggle.

Thanks to [Ar3itrary] for the tip.

Crippled Peregrine Lander To Make Fiery Return Home

Within a few hours of this post going live, Astrobotic’s Peregrine spacecraft is expected to burn up in the Earth’s atmosphere — a disappointing end to a mission that was supposed to put the first US lander on the Moon since the Apollo program ended in 1972.

In their twentieth mission update since Peregrine was carried into space on the inaugural flight of the United Launch Alliance Vulcan Centaur rocket, Astrobotic explains that the craft has been put on a trajectory designed to ensure it breaks up over a remote area of the South Pacific.

Predicted re-entry point for the Peregrine lander.

It was previously hoped the lander, which suffered a severe system malfunction just hours after liftoff, could have at least made a close pass of the Moon in lieu of touching down. But mission controllers felt the more responsible approach was to have Peregrine make a controlled re-entry while they still had the ability to maneuver it. The alternative, allowing the craft to remain in an uncontrolled orbit between the Earth and Moon, could potentially have caused problems for future Artemis missions.

Over the last ten days, ground controllers at Astrobotic have been working to piece together what happened to the doomed lander, while at the same time demonstrating a remarkable level of transparency by keeping the public informed along the way. It’s now believed that the stream of gas being expelled from a rupture in one of the craft’s propellant tanks was acting as a sort of impromptu thruster. This not only made the craft difficult to keep oriented, but also wasted the propellants that were necessary to perform a soft landing on the lunar surface.

Although the craft was eventually brought under control, the damage to the mission had already been done. While this obviously isn’t the ending that Astrobotic was hoping for, we have no doubt that the company collected valuable data during the craft’s flight through space, which took it approximately 390,000 kilometers (242,000 miles) from Earth.

As for us space nerds, we won’t have to wait long before another lunar lander makes its attempt. Japan’s Smart Lander for Investigating Moon (SLIM) should be touching down at around 10 AM Eastern on Friday (YouTube Live Stream), and the Nova-C lander from Intuitive Machines is scheduled to be launched aboard a Falcon 9 rocket sometime next month.

Betavoltaic Battery Rated To Provide Power For 50 Years

A newly introduced battery called the BV100 by Chinese Betavolt Technology promises to provide half a century of power, at 100 μW in a 15x15x5 mm package. Inside the package are multiple 2 micron-thick layers of the nickel-63 isotope placed between 10 micron-thick diamond semiconductor layers, with each diamond layer using the principle of betavoltaics to induce an electrical current, in a similar fashion to a solar panel using light. Ni-63 is a β emitter with a half-life of 100 years that decays into copper-63 (Cu-63), one of the two stable forms of copper.

From the battery’s product page we can glean a bit more information, such as that the minimum size of the betavoltaic battery is 3x3x0.03 mm with one layer of Ni-63 and two semiconductor layers, allowing for any number of layers to be stacked to increase the power output within a given package. Also noted is that the energy conversion rate of the β energetic event is about 8.8%, which could conceivably be improved in the future.

Although this battery may seem new, it’s actually based on a number of years of research in diamond semiconductors for betavoltaics, with V. S. Bormashov and colleagues in 2018 reporting on a similar diamond semiconductor battery with a Ni-63 isotope layer. They noted a battery specific energy of 3300 mWh/g. Related research by Benjian Liu and colleagues in 2018 showed an alphavoltaic battery, also using a diamond semiconductor, which shows another possible avenue of development, since alpha particles are significantly more energetic.

Whether we’ll see Betavolt’s BV100 or similar products appear in commercial products is still uncertain, but they plan to have a 1 Watt version ready by 2025, which when packaged into the size of an average Li-ion battery pack could mean a mobile power source that will power more than a pacemaker, and cost less than the nuclear batteries powering the two Voyager spacecraft and all active Mars rovers today.

This Week In Security: AI Is Terrible, Ransomware Wrenches, And Airdrop

So first off, go take a look at this curl bug report. It’s an 8.6 severity security problem, a buffer overflow in websockets. Potentially a really bad one. But it’s bogus. Yes, a strcpy call can be dangerous if there aren’t proper length checks. This code has pretty robust length checks. There just doesn’t seem to be a vulnerability here.

OK, so let’s jump to the punch line. This is a bug report that was generated with one of the Large Language Models (LLMs) like Google Bard or ChatGPT. And it shouldn’t be a surprise. There are some big bug bounties that are paid out, so naturally people are trying to leverage AI to score those bounties. But as [Daniel Stenberg] points out, LLMs are not actually AI, and the I in LLM stands for intelligence.

There have always been vulnerability reports of dubious quality, sent by people who either don’t understand how vulnerability research works, or are willing to waste maintainer time by sending in raw vulnerability scanner output without putting in any real effort. What LLMs do is provide an illusion of competence that takes a maintainer longer to wade through before realizing that the claim is bogus. [Daniel] is more charitable than I might be, suggesting that LLMs may help with communicating real issues across language barriers. But still, this suggests that the long-term solution may be “simply” detecting LLM-generated reports and marking them as spam.

Bambu Lab To Allow Installing Open Firmware After Signing Waiver

On January 10th Bambu Lab published a blog post in which they address the issue of installing custom firmware on your Bambu Lab X1 3D printer. This comes hot on the heels of a number of YouTube channels showing off, for the first time, the X1Plus firmware that a number of X1 users have been working on as an open source alternative to the closed, proprietary firmware. Per the Bambu Lab blog post, there is good and bad news for those wanting to use X1Plus and similar projects that may pop up in the future.

After Bambu Lab consulted with the people behind X1Plus it was decided that X1 users would be provided with the opportunity to install such firmware without complaints from Bambu Lab. They would however have to sign a waiver that declares that they agree to relinquish their rights to warranty and support with the printer. Although some details are left somewhat vague in the blog post, it appears that after signing this waiver, and with the target X1 printer known to Bambu Lab, it will have a special firmware update (‘Firmware R’) made available for it.

This special firmware then allows for third-party firmware to be installed, with the ability to revert to OEM firmware later on. The original exploit in pre-v1.7.1 firmware will also no longer be used by X1Plus. Hopefully Bambu Lab will soon clarify the remaining questions, as reading the Reddit discussion on the blog post makes it clear that many statements can be interpreted in a variety of ways, including whether or not this ‘Firmware R’ is a one-time offer only, or will remain available forever.

It’s not the first time we’ve seen a 3D printer manufacturer give users this sort of firmware ultimatum. Back in 2019 Prusa added a physical “appendix” to their new 32-bit control board that the user would have to snap off before they could install an unsigned firmware, which the company said signified the user was willing to waive their warranty for the privilege.

Thanks to [Aaron] for the tip.

NASA Adjusts Course On Journey To The Moon

It’s already been more than fifty years since a human last stepped foot on another celestial body, and now that NASA has officially pushed back key elements of their Artemis program, we’re going to be waiting a bit longer before it happens again. What’s a few years compared to half a century?

The January 9th press conference was billed as a way for NASA Administrator Bill Nelson and other high-ranking officials within the space agency to give the public an update on Artemis. But those who’ve been following the program had already guessed it would end up being the official concession that NASA simply wasn’t ready to send astronauts out for a lunar flyby this year as initially planned. Pushing back this second phase of the Artemis program naturally means delaying the subsequent missions as well, though during the conference it was noted that the Artemis III mission was already dealing with its own technical challenges.

More than just an acknowledgement of the Artemis delays, the press conference did include details on the specific issues that were holding up the program. In addition several team members were able to share information about the systems and components they’re responsible for, including insight into the hardware that’s already complete and what still needs more development time. Finally, the public was given an update on what NASA’s plans look like after landing on the Moon during the Artemis III mission, including their plans for constructing and utilizing the Lunar Gateway station.

With the understanding that even these latest plans are subject to potential changes or delays over the coming years, let’s take a look at the revised Artemis timeline.
