Weekly News Digest #32

Memory allocation vulnerabilities found by Microsoft in IoT and industrial technology

Microsoft recommends that users monitor their networks for anomalies, segment their networks, and, where an IoT/OT device cannot be patched, disconnect it from the internet where possible.

The Azure Defender for IoT security research group has found a batch of flawed memory allocation operations in operational technology (industrial control systems) and Internet of Things code that could enable malicious code execution. The vulnerabilities lead to heap overflows because input is not validated properly. According to the research team, they stem from the use of memory functions such as pvalloc, realloc, malloc, and others: the data written into the allocation is larger than the buffer that was actually allocated, so the heap overflows and attackers can execute malicious code on the victim's device.

Microsoft cooperated with the US Department of Homeland Security to alert the affected parties and patch the vulnerabilities. Affected devices include those from Amazon, Google Cloud, Samsung Tizen, Red Hat, Arm, and Texas Instruments.
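A minimal C illustration of the bug class described above, added here and not taken from the digest or from Microsoft's research: the wire format, the `parse_record_*` functions and the `checked_accepts` helper are all constructed for the example, and the unchecked parser is shown only as the contrast to the hardened one.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed wire format for this illustration only (an assumption, not any
 * vendor's protocol): a 4-byte element count in host byte order, then
 * count * ELEM_SIZE bytes of payload. */
#define ELEM_SIZE 4u
typedef struct { uint32_t count; uint8_t *elems; } record_t;

/* The pattern the digest describes: the count from the input goes straight into
 * malloc().  count * ELEM_SIZE can wrap (with a 32-bit size_t, count = 0x40000001
 * requests only 4 bytes) and nothing checks that the payload fits the buffer. */
record_t *parse_record_unchecked(const uint8_t *buf) {
    record_t *r = malloc(sizeof *r);
    memcpy(&r->count, buf, 4);
    r->elems = malloc(r->count * ELEM_SIZE);         /* may wrap to a tiny size */
    memcpy(r->elems, buf + 4, r->count * ELEM_SIZE); /* writes past the heap chunk */
    return r;
}

/* Hardened version: bound every size before it reaches malloc()/memcpy(). */
record_t *parse_record_checked(const uint8_t *buf, size_t len) {
    uint32_t count;
    if (len < 4) return NULL;
    memcpy(&count, buf, 4);
    if (count > SIZE_MAX / ELEM_SIZE) return NULL;   /* product would wrap */
    size_t need = (size_t)count * ELEM_SIZE;
    if (need > len - 4) return NULL;                 /* payload not actually present */
    record_t *r = malloc(sizeof *r);
    if (!r) return NULL;
    r->elems = malloc(need ? need : 1);
    if (!r->elems) { free(r); return NULL; }
    r->count = count;
    memcpy(r->elems, buf + 4, need);
    return r;
}
void free_record(record_t *r) { if (r) { free(r->elems); free(r); } }

/* Helper for checking: claim `count` elements but supply only `payload_len`
 * bytes (max 64) and report whether the checked parser accepts the record. */
int checked_accepts(uint32_t count, size_t payload_len) {
    uint8_t buf[68] = {0};
    if (payload_len > 64) return -1;
    memcpy(buf, &count, 4);
    record_t *r = parse_record_checked(buf, 4 + payload_len);
    int ok = (r != NULL);
    free_record(r);
    return ok;
}
```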


macOS Gatekeeper bypass vulnerability patched by Apple

The bug has been widely exploited by the Shlayer malware. Apple issued the macOS Big Sur 11.3 security patch round on Monday. One of the most important fixes addresses the vulnerability tracked as CVE-2021-30657, found by Cedric Owens. It enables malicious actors to bypass Gatekeeper, Apple's built-in code-signing and verification protection mechanism.

Cedric Owens cooperated with fellow security researcher Patrick Wardle. They identified a logic bug in the policy subsystem as the root cause that let malicious apps bypass Apple's security mechanisms. The researchers suggest the vulnerability may have been exploited since January 2021. They reported the vulnerability to Apple on 25 April, and the company issued the patch within 5 days.

A separate vulnerability, tracked as CVE-2021-1810, was discovered at the end of 2020 by F-Secure researchers. It also enabled bypassing the code signature and notarization checks performed by macOS Gatekeeper. Apart from security fixes, Apple has also introduced data collection limitations in iOS 14.5.


4.3 million email addresses harvested by Emotet botnet

The FBI is working with the Have I Been Pwned data breach service to alert people whose information the botnet may have harvested. The law enforcement agency handed over 4.3 million email addresses to the service so that people can easily find out whether their information has been compromised.

The FBI collected the email addresses from the Emotet servers it took down in the USA, Canada, and Europe. According to Europol, it was the most dangerous botnet detected since 2014. Emotet used phishing and malware-laden spam to distribute ransomware such as banking trojans.

Have I Been Pwned is run by Troy Hunt, an Australian security researcher. The service holds information on approximately 11 billion "pwned" accounts from various data breaches, including well-known ones such as LinkedIn's 2012 breach. The Emotet data set has been tagged as "sensitive", so the email addresses are not publicly searchable, to prevent adverse impact on the victims.


Most Americans’ credit scores have been exposed through Experian API

A researcher claims that the Experian credit bureau's API tool was left exposed on a lender's site without any basic protection. The tool, called the Experian Connect API, is used by lenders to automate FICO-score queries. The issue was found by Bill Demirkapi, a sophomore at Rochester Institute of Technology, while he was looking at student loans offered by lenders. He found that one lender checked his eligibility using only publicly available information such as name, date of birth, and address, and by looking at the site's code he identified that the tool connected to the Experian API behind the scenes.

Experian reported that it has fixed the issue. However, researchers fear that other unprotected APIs may exist. An Experian spokesperson also noted that the company promptly alerted its clients and resolved the issue. The security community suggests that leaky APIs are the key risk factor affecting Experian.


Security-bypass bug makes F5 Big-IP vulnerable to cyberattacks

A Key Distribution Center (KDC) spoofing vulnerability in F5 Networks' Big-IP Application Delivery Services appliance could be used by attackers to bypass the security measures protecting sensitive workloads. The flaw, tracked as CVE-2021-23008, allows Kerberos authentication to be bypassed. It lies in a core software component of the appliance, the Access Policy Manager, and as a result an attacker could sign in to the Big-IP Access Policy Manager. Kerberos is a network authentication protocol that uses secret-key cryptography to provide strong authentication for client/server applications. The bug could also be exploited to bypass Big-IP admin console authentication, letting malicious actors without any legitimate credentials access Big-IP applications.

The scale of the potential damage could be colossal, since F5 provides enterprise networking to tech giants including Microsoft, Oracle, and Facebook, as well as to Fortune 500 companies such as the biggest financial corporations. The issue was discovered by Silverfort researchers.
