Ripple20 affects hundreds of millions of devices

Welcome to the next episode of the Xopero Security Center! This time we are sharing security news about the Ripple20 vulnerability set, which affects a widely used low-level TCP/IP library. Researchers discovered 19 dangerous 0-day (sic!). Unfortunately, there is no easy solution. At last for now…

The Ripple20 effect – 19 zero-days impacts everything from printers to infusion pumps

Ripple20 is a set of 19 vulnerabilities which resides in a low-level TCP/IP software library developed by Treck, It could be weaponized and used by remote attackers to gain complete control over targeted devices without requiring any user interaction.

Ripple20 – 19 vulnerabilities which score between 3.1 and over 9 CVSS

There are four critical vulnerabilities in Treck TCP/IP stack, with CVSS scores over 9, which could let attackers execute arbitrary code on targeted devices remotely, and one critical bug affects the DNS protocol. The other 15 vulnerabilities are in ranging degrees of severity with CVSS score ranging from 3.1 to 8.2, and effects ranging from Denial of Service to potential Remote Code Execution.

Researchers from JSOF reported their findings to Treck company, who then patched most of the flaws with the release of TCP/IP stack version or higher. They also contacted vendors, including – HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, and Quadros – many of which have already acknowledged the Ripple20 flaw. But there still is millions of devices which will not receive security patch updates anytime soon. The affected devices are in use across various industries, ranging from home/consumer devices to medical, healthcare, data centers, enterprises, telecom, oil, gas, nuclear, transportation, and many others across critical infrastructure.

Ripple20 – how to protect your organization against possible intrusion

Cybersecurity specialists recommend then that all control system devices should not be accessible from the Internet. Admins should hide control system networks and remote devices behind firewalls and isolate them from the business network. It is also recommended to make them not accessible from the Internet. 

Read more

There is a bug in „USB for Remote Desktop” which enables adding fake devices

The vulnerability identified as CVE-2020-9332 resides in the bus driver for “USB for Remote Desktop” developed by FabulaTech. It could be used to elevate privileges on a target machine by adding fake devices.

The USB redirection solutions work through client/server-side software. Information about the redirected device collected by the client-side software is sent to the server running on the remote machine. Using a bus driver, the server creates and instructs a virtual object to repeat all the input-output communication from the real device.

Possible attack scenario.
Image: Sentinel LABS

The bus driver calls the insecure IoCreateDevice routine that does not have security checks to block access from less privileged entities. This way the operating system on the remote system can be tricked to believe that a real USB‌ device is connected. Furthermore, FabulaTech services run under LocalSystem account, which has extensive privileges on the computer.

Attackers could simulate any USB‌ device, A fake mouse pointer could be used to bypass User Account Control security feature in Windows. There are also more advanced attacks are possible, like adding an ethernet network card for intercepting traffic. The sky is the limit…

Can we fix this problem?

Researchers from SentinelOne emailed FabulaTech, first on January 29 and then again on February 4 but received no reply… Every attempts to report a bug have been ignored. But now FabulaTech published a first official statement. The bug will be addressed in the shortest time possible in the near future. Nice to know the more so because they have a very high-profile customers list. Among them are Google, Microsoft, BMW, MasterCard, NASA, Reuters, Intel, Shell, Xerox, Harvard, General Electric, and Raiffeisen Bank.

Read more

Oracle E-Business Suite flaws let hackers hijack financial operations

If your business operations and security of sensitive data rely on Oracle’s E-Business Suite (EBS), make sure you recently updated and are running the latest available version of the software. Why?

A report released by cybersecurity firm Onapsis, discloses technical details for vulnerabilities reported in Oracle’s E-Business Suite (EBS), an integrated group of applications designed to automate CRM, ERP, and SCM operations for organizations.

The two vulnerabilities, dubbed “BigDebIT” and rated a CVSS score of 9.9, were patched by Oracle in a critical patch update (CPU) pushed out earlier in January. But the company admitted an estimated 50 percent of EBS customers have not deployed it to date.

The security flaws could be exploited by bad actors to target accounting tools such as General Ledger in a bid to steal sensitive information and commit financial fraud.

According to the researchers, “an unauthenticated hacker could perform an automated exploit on the General Ledger module to extract assets from a company (such as cash) and modify accounting tables, without leaving a trace.”

Successful exploitation of this vulnerability would allow an attacker to steal confidential information, financial fraud and cause delays in any financial reporting related to the company’s compliance processes.

Tracked as CVE-2020-2586 and CVE-2020-2587, the new flaws reside in its Oracle Human Resources Management System (HRMS) in a component called Hierarchy Diagrammer that enables users to create organization and position hierarchies associated with an enterprise. Together, they can be exploited even if EBS customers have deployed patches released in April 2019. That is why it is important to install the latest updates from January. Better do it now! 

Read more

AWS said it mitigated a 2.3 Tbps DDoS attack, the largest ever

Amazon said its AWS Shield service mitigated the largest DDoS attack ever, stopping a 2.3 Tbps attack in mid-February this year.

The incident was disclosed in the company’s AWS Shield Threat Landscape, a report detailing web attacks mitigated by Amazon’s AWS Shield protection service. The report didn’t identify the targeted AWS customer but said the attack was carried out using hijacked CLDAP (Connection-less Lightweight Directory Access Protocol) web servers and caused three days of “elevated threat” for its AWS Shield staff.

The protocol has been abused for DDoS attacks since late 2016, and CLDAP servers are known to amplify DDoS traffic by 56 to 70 times its initial size, making it a highly sought-after protocol and a common option provided by DDoS-for-hire services. 

The previous record for the largest DDoS attack ever recorded was of 1.7 Tbps, mitigated by NETSCOUT Arbor in March 2018.

Nowadays, most DDoS attacks usually peak in the 500 Gbps range, which is why news of the AWS 2.3 Tbps attack was a surprise for industry players.

Earlier same day, Akamai reported of mitigating a DDoS attack of 1.44 Tbps in the first week of June 2020.

Read more

Do you have thirst for knowledge? There is ten more cybersecurity stories below

1. Old GTP protocol vulnerabilities will also impact future 5G networks (ZDNet)
2. Exposed Cloud Databases Attacked 18 Times Per Day (Infosecurity Magazine)
3. Intel adds CPU-level malware protection to Tiger Lake processors (Bleeping Computer)
4. Black Kingdom ransomware hacks networks with Pulse VPN flaws (Bleeping Computer)
5. Tech firms suspend use of ‘biased’ facial recognition technology (Security Affairs)
6. T-Mobile Outage Mistaken for Massive DDoS Attack on U.S. (Security Week)
7 Eavesdroppers can use light bulbs to listen in from afar (Naked Security)
8. Plex fixes Media Server bugs allowing full system takeover (Bleeping Computer)
9. Cyber spies use LinkedIn to hack European defense firms (Reuters)
10. Windows 10 2004 may break Storage Spaces, avoid using chkdsk (Bleeping Computer)