Today’s Security Center edition will make the temperature rise not only outside the window … but also among the owners of hundreds of millions of printers. A 16-year-old security bug found in HP, Xerox, and Samsung printers driver allows attackers to gain admin rights. But that’s not the end of the privilege escalation bugs. Other news should be of interest to Linux and Windows users, including all those waiting for the release of Windows 11 – this system has also been found vulnerable to a bug called Sequoia. What else? MosaicLoader malware and SEO poisoning attacks, and some interesting facts about ChromePass credential theft.
16-Year-Old Security Bug Affects Millions of Samsung, HP, and Xerox Printers
A 16-year-old security vulnerability found in an HP, Xerox, and Samsung printers driver allows attackers to gain admin rights on systems using the vulnerable driver software. It affects hundreds of millions of devices and millions of users worldwide
Tracked as CVE-2021-3438 (CVSS score: 8.8), the issue concerns a buffer overflow in a print driver installer package named “SSPORT.SYS” that can enable remote privilege and arbitrary code execution.
According to the researchers, some HP, Xerox, and Samsung printer models contained vulnerable driver software, sold worldwide since 2005.
Specifically, the issue hinges on the fact that the printer driver doesn’t sanitize the size of the user input, potentially allowing an unprivileged user to escalate privileges and run malicious code in kernel mode on systems that have the buggy driver installed.
According to SentinelOne researcher, Asaf Amir the vulnerable function inside the driver accepts data sent from User Mode via IOCTL (Input/Output Control) without validating the size parameter. This function copies a string from the user input using ‘strncpy’ with a size parameter that is controlled by the user. Essentially, this allows attackers to overrun the buffer used by the driver.
Successfully exploiting a driver vulnerability might allow attackers to potentially install programs, view, change, encrypt or delete data, or create new accounts with full user rights
However, there is no evidence that the flaw was abused in real-world attacks however, with millions of users and enterprises vulnerable, it is inevitable that attackers will seek out those that do not take the appropriate action. HP, Xerox, and Samsung enterprise, and home customers are urged to apply the patches provided by the vendors as soon as possible.
This is not the first time security flaws have been discovered in old software drivers. Do you remember 12-year-old vulnerabilities in Dell’s firmware? Well, cyber-history repeats itself.
New Windows and Linux vulnerabilities give attackers the highest system privileges
Microsoft’s Windows 10 and the upcoming Windows 11 have been found vulnerable to a new local privilege escalation vulnerability. It permits users with low-level permissions to access Windows system files, enabling them to unmask the operating system installation password and even decrypt private keys.
The files in question are as follows:
c:\Windows\System32\config\sam
c:\Windows\System32\config\system
c:\Windows\System32\config\security
Microsoft acknowledged the issue tracked as CVE-2021-36934 but has yet to roll out a patch or provide a deadline for this fix.
According to the company, an elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. Successful exploitation could let an attacker run arbitrary code with SYSTEM privileges and then install programs, view, change or delete data or even create new accounts with full user rights.
However, it requires the attacker to already have a foothold and be in possession of the ability to execute code on the victim system. Users should restrict access to sam, system, and security files and delete VSS shadow copies of the system drive.
It is not just Windows. Remediations have been released for a security shortcoming affecting all Linux kernel versions from 2014 that can be exploited by malicious users and malware already deployed on a system to gain root-level privileges. Dubbed “Sequoia” (CVE-2021-33909) affects default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Red Hat Enterprise Linux versions 6, 7, and 8 are also affected.
In short: the flaw concerns a size_t-to-int type conversion vulnerability in the Linux Kernel’s “seq_file” file system interface, permitting an unprivileged local attacker to create, mount, and delete a deep directory structure whose total path length exceeds 1GB, resulting in a privilege escalation on the vulnerable host.
MosaicLoader malware hides among Windows Defender Exclusions to evade detection
MosaicLoader malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links. Worth mentioning – the malware can deliver any payload on the system, making it potentially profitable as a delivery service.
Attacks involving MosaicLoader rely on SEO poisoning. Cybercriminals purchase ad slots in search engine results to boost their malicious links as top results when users search for terms related to – in this particular campaign – pirated software.
Upon successful infection, the initial Delphi-based dropper acts as an entry point to fetch next-stage payloads from a remote server and also add local exclusions in Windows Defender for the two downloaded executables in an attempt to thwart antivirus scanning:
“appsetup.exe,” is conceived to achieve persistence on the system,
“prun.exe” functions as a downloader for a sprayer module that can retrieve and deploy various threats from a list of URLs. This one is also notable for its barrage of obfuscation and anti-reverse techniques that involve separating code chunks with random filler bytes, with the execution flow designed to “jump over these parts and only execute the small, meaningful chunks.”
The best line of defense against MosaicLoader is to avoid downloading cracked software from any source. What if cybercriminals make the next move and go beyond just pirated software? Remember to always check the source domain of every download to make sure that the files are legitimate.
NPM package steals passwords via Chrome’s account-recovery tool
In this software supply-chain attack, the password-stealer is filching credentials from Chrome on Windows systems via ChromePass. Where does the threat hide? It’s lurking in the npm open-source code repository, waiting to be pulled from the source.
About npm
npm (Node Package Manager, or NPM) is the default package manager for the JavaScript runtime environment Node.js, which is built on Chrome’s V8 JavaScript engine. npm hosts more than 1.5 million unique packages, and serves up more than 1 billion requests for JavaScript packages per day, to around 11 million developers worldwide.
Researchers at ReversingLabs caught the malware filching credentials from Chrome on Windows systems. The two malicious npm packages are:
- nodejs_net_server – which contains the core malware functionality. The malware targets Windows machines to steal user credentials and also sets up a persistent remote backdoor for the attacker to conduct surveillance activities. the malware—specifically “nodejs_net_server,” uses the legitimate ChromePass freeware utility for Windows.
- and temptesttempfile
The password-stealer is multifunctional: It also listens for incoming commands from the attacker’s command-and-control (C2) server and can upload files, record from a victim’s screen and camera, and execute shell commands.
Fun fact #1
It is unclear how the author intended to trick users into installing the package. However, there is a download activity on the package statistics page – 2.1k total downloads. Researchers contacted NPM to take the package down, which they did.
Fun fact #2
It looks like the malware author exposed his/her own passwords. Some versions of nodejs_net_server contain text files with usernames and plaintext passwords extracted from Chrome. The author may have tested the ChromePass tool on the personal computer. The login credentials were stored in the ‘a.txt’ file located in the same folder as the password recovery tool named ‘a.exe’ – some of them could still be valid.
How to protect software against supply-chain attacks?
Over the last few months, attacks on open source ecosystems including, npm, PyPI and RubyGems have grown steadily. And the problem isn’t going away anytime soon. Start with the knowledge of what’s inside your software, or having a Software Bill of Materials (SBOM). Every component should be looked with scrutiny before installation, or there’s a chance malicious code can slip by unnoticed.
Do you have thirst for knowledge? There is ten more cybersecurity stories below
1. Microsoft Cracks Down on Malicious Homoglyph Domains (Security Week)
2. WiFiDemon – Recently discovered iPhone Wi-Fi bug could also allow RCE (Security Affairs)
3. A bug in Fortinet FortiManager and FortiAnalyzer allows unauthenticated hackers to run code as root (Security Affairs)
4. Vulnerability Exposes MicroLogix PLCs to Remote DoS Attacks (Security Week)
5. Oracle fixes critical RCE vulnerabilities in Weblogic Server (Security Affairs)
6. XLoader malware steals logins from macOS and Windows systems (Bleeping Computer)
7. Kaseya obtains universal decryptor for REvil ransomware victims (Bleeping Computer)
8. Leaked NSO Group Data Hints at Widespread Pegasus Spyware Infections (Threat Post)
9. Some URL shortener services distribute Android malware, including banking or SMS trojans (We Live Security)
10. Atlassian asks customers to patch critical Jira vulnerability (Bleeping Computer)