SMBleed vulnerability allows an attacker to leak kernel memory

Welcome to the next episode of the Xopero Security Center! There is a new SMB protocol vulnerability called SMBleed and tracked as CVE-2020-1206 which allows an attacker to leak kernel memory remotely, without any authentication. How can it be exploited? Check below.

SMBleed: A New Critical Vulnerability Affects Windows SMB Protocol

Researchers uncovered a new critical vulnerability affecting the Server Message Block (SMB) protocol. It could allow attackers to leak kernel memory remotely, and when combined with a previously disclosed “wormable” bug, the flaw can be exploited to achieve remote code execution attacks.

Dubbed “SMBleed” (CVE-2020-1206), the flaw resides in SMB’s decompression function, the same function hit by the SMBGhost bug (CVE-2020-0796, also known as EternalDarkness). And just to remind you: SMBGhost was deemed so serious that it received the maximum CVSS severity score of 10.

The SMBleed vulnerability impacts Windows 10 versions 1903 and 1909, for which Microsoft last week released security patches. 

The SMBleed flaw stems from the way the decompression function in question (“Srv2DecompressData”) handles specially crafted compressed requests (e.g., an SMB2 WRITE) sent to a targeted SMBv3 server. The function sizes its output buffer from the client-supplied OriginalCompressedSegmentSize field, but never checks that the decompressed data actually fills that buffer, so the unfilled remainder, uninitialized kernel pool memory, is processed as if it were part of the request. With a WRITE request to a share, those stale bytes end up in the written file, where the attacker can simply read them back.
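To make the size confusion concrete, here is an added Python model of that code path. It is not code from the article, from ZecOps or from Microsoft’s srv2.sys: the header layout follows the real SMB2 COMPRESSION_TRANSFORM_HEADER, but zlib stands in for the SMB codecs (LZNT1, LZ77, LZ77+Huffman), the algorithm id 0xFFFF is a made-up stand-in, and a byte string stands in for the kernel pool. The vulnerable path returns the unfilled tail of the buffer as message content; the fixed path refuses a declared segment size that does not match the decompressed length.

```python
"""Model of the size confusion behind SMBleed (CVE-2020-1206).

Added example, not code from the original article, from ZecOps or from
Microsoft's srv2.sys. zlib stands in for SMB's real codecs and a byte
string stands in for the kernel pool; both are simplifications.
"""
import struct
import zlib
from typing import Optional

# COMPRESSION_TRANSFORM_HEADER, unchained form (MS-SMB2 2.2.42):
#   ProtocolId(4) | OriginalCompressedSegmentSize(4) |
#   CompressionAlgorithm(2) | Flags(2) | Offset(4)
HDR = struct.Struct("<4sIHHI")
PROTOCOL_ID = b"\xfcSMB"
ALG_DEMO = 0xFFFF          # assumption: stand-in algorithm id meaning "zlib"
MAX_ALLOC = 0xFFFFFFFF     # 32-bit allocation size used by the server


def build_message(prefix: bytes, payload: bytes,
                  declared_size: Optional[int] = None) -> bytes:
    """Build a compressed SMB2 message: `prefix` is sent uncompressed (Offset
    bytes), `payload` is compressed. An honest client declares
    OriginalCompressedSegmentSize = len(payload); `declared_size` lets a
    malicious client over-declare it."""
    if declared_size is None:
        declared_size = len(payload)
    header = HDR.pack(PROTOCOL_ID, declared_size, ALG_DEMO, 0, len(prefix))
    return header + prefix + zlib.compress(payload)


def _parse(msg: bytes):
    proto, orig_size, alg, _flags, offset = HDR.unpack_from(msg, 0)
    if proto != PROTOCOL_ID or alg != ALG_DEMO:
        raise ValueError("unsupported compressed message")
    if offset > len(msg) - HDR.size:
        raise ValueError("Offset exceeds message length")
    # The integer-overflow check that the SMBGhost (CVE-2020-0796) patch added.
    if orig_size + offset > MAX_ALLOC:
        raise ValueError("allocation size overflow")
    raw = msg[HDR.size:HDR.size + offset]
    return orig_size, offset, raw, msg[HDR.size + offset:]


def decompress_vulnerable(msg: bytes, pool: bytes) -> bytes:
    """Pre-patch behaviour: the output buffer is sized from the client-supplied
    OriginalCompressedSegmentSize and the message is then treated as
    Offset + OriginalCompressedSegmentSize bytes long, without checking how many
    bytes the codec really produced. Stale bytes from `pool` past the
    decompressed data are returned as if the client had sent them."""
    orig_size, offset, raw, compressed = _parse(msg)
    total = offset + orig_size
    buf = bytearray(pool[:total]).ljust(total, b"\x00")  # uninitialised "allocation"
    buf[:offset] = raw
    data = zlib.decompress(compressed)
    if len(data) > orig_size:
        raise ValueError("decompressed data exceeds declared size")
    buf[offset:offset + len(data)] = data
    return bytes(buf)


def decompress_fixed(msg: bytes) -> bytes:
    """Hardened variant: the codec's real output length must equal
    OriginalCompressedSegmentSize, so no unfilled tail reaches the parser."""
    orig_size, _offset, raw, compressed = _parse(msg)
    data = zlib.decompress(compressed)
    if len(data) != orig_size:
        raise ValueError("OriginalCompressedSegmentSize does not match "
                         "decompressed length")
    return raw + data


def leaked_bytes(msg: bytes, pool: bytes) -> bytes:
    """Bytes the vulnerable path hands to the SMB2 parser (e.g. as WRITE data)
    that the client never sent."""
    _orig, offset, _raw, compressed = _parse(msg)
    out = decompress_vulnerable(msg, pool)
    return out[offset + len(zlib.decompress(compressed)):]


if __name__ == "__main__":
    stale_pool = bytes(range(0x41, 0x41 + 64))   # constructed stand-in for stale pool memory
    honest = build_message(b"HDR", b"write-data")
    lying = build_message(b"HDR", b"write-data", declared_size=len(b"write-data") + 16)
    print(decompress_vulnerable(honest, stale_pool))
    print(leaked_bytes(lying, stale_pool))        # 16 stale pool bytes
    try:
        decompress_fixed(lying)
    except ValueError as exc:
        print("rejected:", exc)
```

The lying client over-declares the segment by 16 bytes and gets 16 bytes it never sent; repeating this with larger sizes and different pool states is how a leak like this is turned into useful kernel addresses for a second-stage bug.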

“An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it” – said Microsoft in its advisory.

Worse, SMBleed can be chained with SMBGhost on unpatched Windows 10 systems to achieve remote code execution.

To mitigate the vulnerability, home and business users should install the latest Windows updates as soon as possible. Where the patch cannot be applied yet, Microsoft’s documented workaround is to disable SMBv3 compression on servers by setting the DisableCompression registry value to 1 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters (no reboot required); note that this protects the server side only, not SMB clients that connect to a malicious server. Blocking TCP port 445 at the enterprise perimeter prevents remote exploitation from the internet, and blocking it between internal segments limits lateral movement.

Read more

Plug-and-Play protocol vulnerability is a serious threat to billions of devices

The flaw was named “CallStranger” (CVE-2020-12695), an apt name, since the affected device ends up calling back to a stranger. It lies in Universal Plug and Play (UPnP), the protocol that lets devices on a network discover and talk to each other. A wide range of UPnP products is impacted, including Xbox gaming consoles, printers, routers, switches and cameras from over 20 vendors, among them Microsoft, Cisco, Canon, HP and Philips. The full list of affected devices can be found here.

Attackers can not only launch DDoS attacks but also scan internal ports for other similarly vulnerable devices on local networks.

The flaw, discovered by Yunus Çadırcı, a Cyber Security Senior Manager at EY Turkey, is in a UPnP function called SUBSCRIBE, which lets a device ask to be notified about state changes of other network-connected UPnP services and devices. The underlying problem is that UPnP devices implicitly trust requests from other devices on the local network, without any prior authentication.

Anatomy of an attack

Attackers abuse the function via specially crafted SUBSCRIBE requests over HTTP: the ‘Callback’ header, which tells the device where to deliver its event notifications, is not validated, so it can point at any URL and the device will send NOTIFY requests there on the attacker’s behalf (in effect a server-side request forgery). Pointing many vulnerable devices at a victim’s URLs turns them into traffic reflectors that exhaust the target’s resources, resulting in a denial of service; pointing the callback at internal addresses and ports lets the attacker probe the local network from behind the firewall.

Attackers could also steal data with UPnP. Connected media devices often reveal unique identifiers. Printers may allow monitoring of print status, and routers may give detailed information about the names and addresses of devices on the network. The severity of this threat depends on the device. 
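The check a UPnP stack should have been doing, as an added Python example (not code from the CallStranger advisory, from the UPnP specification or from any vendor’s firmware): parse the Callback header, and refuse every URL that is not plain http, is not an IP literal, or does not point back at the address the SUBSCRIBE actually came from. The two requests embedded below are constructed for the demonstration, and the cap of three callback URLs is an assumed policy value.

```python
"""Vetting the Callback header of a UPnP SUBSCRIBE request.

Added example, not code from the CallStranger advisory or from any vendor's
UPnP stack. The policy enforced here (http only, an IP-literal host equal to
the subscriber's own source address, a small cap on URLs) is one defensible
hardening choice, not the text of the updated UPnP specification.
"""
import ipaddress
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

MAX_CALLBACKS = 3  # assumption: cap on NOTIFY targets per subscription

# Constructed request in the CallStranger pattern: the device is asked to
# deliver event NOTIFY messages to an Internet host (reflected DDoS), to
# another LAN host on a non-HTTP port (internal port probe) and to itself.
MALICIOUS_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
    "HOST: 192.168.1.10:49152\r\n"
    "CALLBACK: <http://203.0.113.7:80/><http://192.168.1.1:22/>"
    "<http://127.0.0.1:8080/>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)

# Constructed benign request from a control point at 192.168.1.50.
HONEST_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
    "HOST: 192.168.1.10:49152\r\n"
    "CALLBACK: <http://192.168.1.50:5000/notify>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)


def parse_headers(request: str) -> Dict[str, str]:
    """Return the header block as a lower-cased name -> value map."""
    head = request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_callback(value: str) -> List[str]:
    """CALLBACK carries one or more URLs, each enclosed in angle brackets."""
    return re.findall(r"<([^<>]+)>", value)


def callback_problem(url: str, subscriber_ip: str) -> str:
    """Return '' if the URL is acceptable, otherwise the reason it is refused."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return "scheme is not http"
    if not parts.hostname:
        return "no host"
    try:
        host = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return "host is not an IP literal"   # a name could resolve anywhere later
    if host.is_loopback or host.is_multicast or host.is_unspecified:
        return "host is loopback/multicast/unspecified"
    if host != ipaddress.ip_address(subscriber_ip):
        return "host differs from the subscriber's source address"
    return ""


def vet_subscribe(request: str, subscriber_ip: str) -> Tuple[List[str], Dict[str, str]]:
    """Split the Callback URLs into (accepted, {rejected_url: reason}).
    subscriber_ip is the peer address of the TCP connection; a real server
    takes it from the socket, never from a header the client controls."""
    urls = parse_callback(parse_headers(request).get("callback", ""))
    if len(urls) > MAX_CALLBACKS:
        return [], {u: "too many callback URLs" for u in urls}
    accepted: List[str] = []
    rejected: Dict[str, str] = {}
    for url in urls:
        problem = callback_problem(url, subscriber_ip)
        if problem:
            rejected[url] = problem
        else:
            accepted.append(url)
    return accepted, rejected


if __name__ == "__main__":
    print(vet_subscribe(MALICIOUS_SUBSCRIBE, "192.168.1.50"))
    print(vet_subscribe(HONEST_SUBSCRIBE, "192.168.1.50"))
```

Tying the callback to the subscriber’s source address removes both abuses at once: a device can no longer be steered at a third party on the internet, nor at another host or port on its own LAN. Limiting the number of URLs per subscription also bounds how much NOTIFY traffic a single request can generate.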

Open Connectivity Foundation (OCF) updated the UPnP protocol specification on April 17 and has notified vendors and ISPs about the need to upgrade to the new specification. However, because the flaw lies at the protocol level, it could take a long time before all vendors address the issue.

Read more: CallStranger.com | CERT Coordination Center | Dark Reading

Google is indexing the phone numbers of WhatsApp users raising privacy concerns

Google is indexing the phone numbers of WhatsApp users, which could be abused by threat actors for malicious activities.

Earlier this year, the Deutsche Welle journalist Jordan Wildon, noticed that invite links for WhatsApp and Telegram groups that may be intended for private access were available through search engines. These links could be abused by threat actors to join the group.

Now security researcher Athul Jayaram discovered a data leak with WhatsApp’s ‘wa.me’ domain that was revealing contact phone numbers on Google. The ‘wa.me’ domain is used to host ‘click to chat‘ links that allow users to start a chat with someone without having their phone number saved in the phone’s address book.

A click-to-chat link has the form https://wa.me/<number>, where <number> is the full phone number in international format. Neither the “wa.me” nor the “api.whatsapp.com” domain tells search engines not to crawl these pages, so any https://wa.me/<number> link published anywhere on the web can be indexed by Google.

Even though Google Search reveals only the phone numbers and not the identities of the associated users, ill-intentioned attackers can view a user’s WhatsApp profile picture and run a reverse-image search on it to gather additional information on the potential victim (e.g., finding social media accounts where the victim uses the same picture). It also allows attackers to message and call the users, or to sell their numbers to marketers, spammers and scammers.

Read more

CrossTalk, a younger sibling of Spectre and Meltdown

The newly discovered vulnerability can be used to leak data across Intel CPU cores. It is another type of MDS (microarchitectural data sampling) attack: attacker-controlled code executing on one CPU core can leak sensitive data from software running on a different core. The attack targets data in a “transient” state as it passes through the CPU’s Line Fill Buffer (LFB) into a staging buffer that is shared by all cores, which is how the output of instructions such as RDRAND, RDSEED and EGETKEY can be observed from another core. Intel tracks the issue as Special Register Buffer Data Sampling (SRBDS, CVE-2020-0543).

Researchers from the Systems and Network Security Group at Vrije Universiteit Amsterdam (VUSec, Netherlands) have been working with Intel on a fix since they reported the issue in September 2018. You probably ask yourself why it took almost 21 months. For the most part, this is because of the complexity of the issue: the leak crosses cores, so the per-core buffer flushing used against earlier MDS bugs does not close it. In the meantime, Intel has made changes to the hardware design of its CPUs, and most of its recent products are not vulnerable to this attack. For the older Intel CPU lines, Intel released a microcode update (INTEL-SA-00320) a few days ago. You can find detailed information here.

Read more

Do you have a thirst for knowledge? There are ten more cybersecurity stories below.

1. Windows 10 security alert – users warned over ‘wormable’ bug (TechRadar)
2. KingMiner botnet brute-forces MSSQL databases to install cryptocurrency miner (ZDNet)
3. Valak malware gets new plugin to steal Outlook login credentials (BleepingComputer)
4. PoC RCE exploit for SMBGhost Windows flaw released (HelpNetSecurity)
5. Stealthworker botnet targets Windows and Linux servers (InfoSecurity)
6. Kubernetes Falls to Cryptomining via Machine-Learning Framework (ThreatPost)
7. Gamaredon group grows its game (We Live Security)
8. A Bug in Facebook Messenger for Windows Could’ve Helped Malware Gain Persistence (The Hacker News)
9. Phishers Hide #COVID19 Malware in CVs and Medical Leave Forms (InfoSecurity)
10. Fake SpaceX YouTube channels scam viewers out of $150K in bitcoin (BleepingComputer)