In today’s Security Center, we revolve around big numbers. We will start with… Dell. The popular computer vendor has a serious problem: due to a bug that is over 12 years old, millions of users are vulnerable to attack. Second: nearly 30% of all mobile phones can become the “entry point” for a more complex attack. The culprit? Qualcomm’s Mobile Station Modem. Third: 21 serious vulnerabilities were detected in Exim mail servers. They come as a kind of package, so they also got a collective name – 21Nails. Are they really the proverbial final nails in the coffin? Check for yourself. In this issue, we also describe the apps – downloaded more than 100 million times – with hard-coded Amazon Web Services private keys. At this point, we can only say that the risk of cyber attacks is really high. Hungry for knowledge? Then please, go ahead and read the rest.
Dell red alert – hundreds of millions of computers vulnerable to attack
Hundreds of millions of Dell laptops, notebooks, and tablets are at risk of compromise from a set of five high-severity flaws that have gone undetected since at least 2009. The flaws allow an attacker who already has some level of initial access on a system to escalate privileges and gain kernel-level access on it. That does not mean the attacker needs physical access, however: all that is required is an initial foothold on the system via something as trivial as a malicious attachment.
Security researchers from SentinelOne discovered the bugs in Dell’s DBUtil, a driver that is installed and loaded during the BIOS update process on Dell Windows machines. Four of the five vulnerabilities (identified as CVE-2021-21551) that SentinelOne discovered in the driver were local elevation of privileges issues, and one resulted in denial-of-service conditions if exploited. Two of the privilege escalation flaws resulted from a memory corruption issue, while the other two stemmed from a lack of input validation. The denial-of-service bug, meanwhile, resulted from a code logic issue.
The bugs give adversaries a way to bypass security products, wipe a hard drive, or install a malicious driver on a domain controller. The attacker could effectively become a system administrator – the threat is severe.
How to remediate the Dell driver bugs? The vendor has issued patches, available in Dell Security Advisory DSA-2021-088.
Qualcomm vulnerability impacts nearly 30% of all mobile phones
A high severity security vulnerability found in Qualcomm’s Mobile Station Modem (MSM) chips could enable attackers to access mobile phone users’ text messages, call history, and listen in on their conversations.
The vulnerable Qualcomm MSM, with its QMI interface, is used in roughly 30% of mobile phones by multiple vendors, including Samsung, Google, LG, OnePlus, and Xiaomi. The chip has been in cellphones and smartphones since the 1990s and has been continuously updated over the years to support the transitions from 2G to 3G, 4G, and now 5G.
The heap overflow vulnerability, tracked as CVE-2020-11292, resides in the QMI voice service API exposed by the modem to the high-level operating system. It could be exploited by a malicious app to conceal its activities “underneath” the OS, in the modem chip itself, thus making it invisible to the security protections built into the device.
In short: if exploited, it would have allowed an attacker to use Android OS itself as an entry point. It could also enable attackers to unlock the subscriber identification module (SIM) used by mobile devices to securely store network authentication info and contact information.
Patches were sent to smartphone makers in the fall of 2020, according to a Qualcomm statement. However, as with most hardware patches, they will be slow to roll out.
Most of Exim email servers could be hacked by exploiting 21Nails flaws
The maintainers of Exim have released patches to remediate the 21(!) security vulnerabilities in its software that could enable unauthenticated attackers to achieve complete remote code execution and gain root privileges.
Collectively named 21Nails, the flaws include 11 vulnerabilities that require local access to the server and 10 other weaknesses that could be exploited remotely. The Shodan search engine currently shows more than 3.86 million Exim servers exposed online, and each one of them is a potential target.
All Exim server versions released since 2004 are affected by 21Nails. Some of the vulnerabilities can be chained together to obtain a full remote unauthenticated code execution and gain root privileges on the Exim Server. A summary of the 21 bugs is listed below.
21Nails’ local vulnerabilities:
CVE-2020-28007: Link attack in Exim’s log directory
CVE-2020-28008: Assorted attacks in Exim’s spool directory
CVE-2020-28014: Arbitrary file creation and clobbering
CVE-2021-27216: Arbitrary file deletion
CVE-2020-28011: Heap buffer overflow in queue_run()
CVE-2020-28010: Heap out-of-bounds write in main()
CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
CVE-2020-28015: New-line injection into spool header file (local)
CVE-2020-28012: Missing close-on-exec flag for privileged pipe
CVE-2020-28009: Integer overflow in get_stdinput()
21Nails’ remote vulnerabilities:
CVE-2020-28017: Integer overflow in receive_add_recipient()
CVE-2020-28020: Integer overflow in receive_msg()
CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
CVE-2020-28021: New-line injection into spool header file (remote)
CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
CVE-2020-28026: Line truncation and injection in spool_read_header()
CVE-2020-28019: Failure to reset function pointer after BDAT error
CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
CVE-2020-28018: Use-after-free in tls-openssl.c
CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
Experts will not publish the 21Nails exploits for now. It is nevertheless imperative for administrators to apply the security patches immediately, as email servers have emerged as a lucrative target for espionage campaigns – for more information, check the MS Exchange zero-day and ProxyLogon blog posts. The first active campaign will start in no time – that’s one thing we can be sure of.
Over 40 apps with over 100M installs found leaking AWS keys
Most mobile app users tend to blindly trust that the apps they download from app stores are safe and secure. But that isn’t always the case.
Specialists from CloudSEK identified over 40 apps, with a cumulative total of more than 100 million downloads, that had hard-coded private Amazon Web Services (AWS) keys embedded within them, putting their internal networks and their users’ data at risk of cyberattacks.
The AWS key leakage was spotted in some of the major apps such as Adobe Photoshop Fix, Adobe Comp, Hootsuite, IBM’s Weather Channel, and online shopping services Club Factory and Wholee.
“The possibilities for misuse are endless here since the attacks can be chained and the attacker can gain further access to the whole infrastructure, even the code base and configurations.” – researchers from CloudSEK told The Hacker News.
The exposed AWS key had access to multiple AWS services, including credentials for the S3 storage service, which in turn opened up access to 88 buckets containing 10,073,444 files and data amounting to 5.5 terabytes.
Also included in the buckets were source code, application backups, user reports, test artifacts, configuration, and credential files which could be used to gain deeper access to the app’s infrastructure, including user databases.
The company said it responsibly disclosed these security concerns to AWS and the affected companies independently.
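One defensive control the CloudSEK findings motivate is scanning app bundles for hard-coded credentials before they ship. The Python below is an added example written for this digest, not CloudSEK’s tooling and not code from any of the affected apps. It assumes the app is a zip-based bundle (an APK or IPA), uses the AWS documentation placeholder credentials as constructed sample input, and treats the access-key pattern, the 40-character secret pattern and an entropy threshold of 3.5 bits per character as heuristics whose hits still need human review.

```python
import io
import math
import re
import zipfile

# AWS access key IDs are "AKIA" (long-term) or "ASIA" (temporary) followed by
# 16 upper-case letters or digits; the look-arounds stop matches inside longer tokens.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters from the base64 alphabet. That shape alone
# is too loose, so candidates are also filtered by proximity and entropy.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
SECRET_WINDOW = 400        # characters after the key ID in which a secret is sought
MIN_SECRET_ENTROPY = 3.5   # bits per character; heuristic threshold (assumption)


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_aws_keys(text):
    """Return one finding per access key ID found in a text blob (one file).

    A finding records whether a high-entropy, secret-shaped string follows the
    key ID within SECRET_WINDOW characters; the secret itself is only reported
    redacted so the scanner's own output does not leak it.
    """
    findings = []
    for m in ACCESS_KEY_RE.finditer(text):
        window = text[m.end(): m.end() + SECRET_WINDOW]
        secret = None
        for s in SECRET_RE.finditer(window):
            if shannon_entropy(s.group()) >= MIN_SECRET_ENTROPY:
                secret = s.group()
                break
        findings.append({
            "access_key_id": m.group(),
            "offset": m.start(),
            "secret_found": secret is not None,
            "secret_redacted": f"{secret[:4]}...{secret[-4:]}" if secret else None,
        })
    return findings


def scan_app_bundle(bundle_bytes):
    """Scan every member of a zip-based app bundle (APK/IPA) for AWS keys."""
    results = []
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # latin-1 maps every byte to one character, so binary members
            # (dex, Mach-O, assets) can be searched without decode errors.
            data = zf.read(info.filename).decode("latin-1")
            for finding in find_aws_keys(data):
                finding["member"] = info.filename
                results.append(finding)
    return results


def build_sample_bundle():
    """Constructed sample bundle; the credentials are AWS documentation placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "res/values/strings.xml",
            '<resources>\n'
            '  <string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>\n'
            '  <string name="aws_secret">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>\n'
            '</resources>\n',
        )
        zf.writestr("assets/config.json", '{"region": "us-east-1", "bucket": "example-bucket"}\n')
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_app_bundle(build_sample_bundle()):
        print(finding)
```

The key ID pattern is reliable on its own; the secret pattern is not, which is why the scanner only reports a secret when it sits close to a key ID and has the entropy of random material rather than of a base64-encoded icon or a repeated filler string. Run it as a release gate on the built bundle, not only on source, since keys are frequently injected by build scripts and third-party SDKs after the code review has happened.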
Do you have a thirst for knowledge? There are ten more cybersecurity stories below
1. Panda Stealer dropped in Excel files, spreads through Discord to steal user cryptocurrency (ZDNet)
2. Apple fixes four zero-days under attack (Help Net Security)
3. This malware has been rewritten in the Rust programming language to make it harder to spot (ZDNet)
4. Expert released PoC exploit for Microsoft Exchange flaw (Security Affairs)
5. New Attacks Slaughter All Spectre Defenses (Threat Post)
6. Anti-Spam WordPress Plugin Could Expose Website User Data (Threat Post)
7. Windows Moriya rootkit used in highly targeted attacks (Security Affairs)
8. New TsuNAME DNS bug allows attackers to DDoS authoritative DNS servers (Bleeping Computer)
9. Banking Trojan evolves from distribution through porn to phishing schemes (ZDNet)
10. Authorities take down scam campaign impersonating the WHO (HackRead)