Search This Blog

Showing posts with label Flaws. Show all posts

Several Vulnerabilities Identified In Emerson OpenEnterprise


Recently four vulnerabilities were found in Emerson OpenEnterprise and were accounted for to the vendor in December 2019 with the patches released a couple of months later.

Roman Lozko, a researcher at Kaspersky's ICS CERT unit, was responsible for the identification of the flaws, and the security holes found by him have been depicted as 'heap-based cushion buffer, missing authentication, improper ownership management, and weak encryption issues.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Kaspersky published advisories for three of the vulnerabilities a week ago. The rest of the vulnerability was described by Kaspersky in a previous advisory.

As indicated by Emerson, OpenEnterprise is explicitly intended to address the prerequisites of associations focusing on oil and gas production, transmission, and distribution.

The initial two followed as CVE-2020-6970 and CVE-2020-10640 are depicted as critical, as they can allow an attacker to remotely execute discretionary code with 'elevated privileges' on devices running OpenEnterprise.

Vladimir Dashchenko, a security expert at Kaspersky, says an attacker could misuse these vulnerabilities either from the system or directly from the internet. Notwithstanding, there don't give off an impression of being any occurrences of the affected product exposed to the internet.

“The most critical vulnerabilities allow remote attackers to execute any command on a computer with OpenEnterprise on it with system privileges, so this might lead to any possible consequences,”

 “Based on Shodan statistics, currently there are no directly exposed OpenEnterprise SCADA systems available,” Dashchenko explained. “It means that asset owners with installed OpenEnterprise are definitely following the basic security principles for industrial control systems.”

The rest of the vulnerabilities can be exploited to 'escalate privileges' and to acquire passwords for OpenEnterprise user accounts, yet exploitation in the two cases requires local access to the targeted system.

Biometric Data Exposure Vulnerability in OnePlus 7 Pro Android Phones Highlighted TEE Issues


In July 2019, London based Synopsys Cybersecurity Research Center discovered a vulnerability in OnePlus 7 Pro devices manufactured by Chinese smartphone maker OnePlus. The flaw that could have been exploited by hackers to obtain users' fingerprints was patched by the company with a firmware update it pushed in the month of January this year. As per the findings, the flaw wasn't an easy one to be exploited but researchers pointed out the possibility of a bigger threat in regard to TEEs and TAs.

Synopsys CyRC's analysis of the vulnerability referred as CV toE-2020-7958, states that it could have resulted in the exposure of OnePlus 7 pro users' biometric data. The critical flaw would have allowed authors behind malicious android applications with root privileges to obtain users' bitmap fingerprint images from the device's Trusted Execution Environment (TEE), a technique designed to protect sensitive user information by keeping the Android device's content secure against illicit access.

As it has become increasingly complex for malicious applications to acquire root privileges on Android devices, the exploitation of the flaw would have been an arduous task and might also be an unlikely one given the complexity of the successful execution. Meanwhile, the fix has been made available for months now– ensuring the protection of the users.

However, the issue with Trusted Execution Environments (TEEs) and Trusted Applications (TAs) remains the major highlight of Synopsys's advisory released on Tuesday, “Upon obtaining root privileges in the REE [Rich Execution Environment], it becomes possible to directly communicate with the factory testing APIs exposed by Trusted Applications (TAs) running in the TEE. This attacker invokes a sequence of commands to obtain raw fingerprint images in the REE,” it read.

While explaining the matter, Travis Biehn, principal consultant at Synopsys, told, “Of course, people’s fingerprints don’t usually change. As attackers become successful in retrieving and building large datasets of people’s fingerprints, the usefulness of naïve fingerprint recognition in any application as a security control is permanently diminished,”

“A further possible consequence is that fingerprints become less trustworthy as evidence in our justice systems.”

“...this vulnerability shows that there'there are challenges with Trusted Execution Environments (TEEs) and Trusted Applications (TAs); these are software components that are opaque to most (by design), expertise is limited, and typically involve long supply chains. These factors together mean there'there are opportunities for organizations to make a mistake, and hard for security experts to catch at the right time,” he further added.

The flaw would have allowed attackers to recreate the targeted user's complete fingerprint and then use it to generate a counterfeit fingerprint that further would have assisted them in accessing other devices relying upon biometric authentication.

Vulnerabilities Discovered In Four Popular Open Source VNC Systems


Numerous vulnerabilities in the four well-known open sources virtual network computing (VNC) systems have been as of late identified by Kaspersky researchers however luckily most of them have just been patched.

After breaking down the four broadly utilized open source VNC systems, including LibVNC, UltraVNC, TightVNC and TurboVNC, the cybersecurity firm says UltraVNC and TightVNC are frequently prescribed by industrial automation system vendors for associating with human-machine interfaces (HMIs).

A sum of 37 CVE identifiers has been allowed to the vulnerabilities discovered by Kaspersky in server and client software.

A portion of the defects are said to have been exploited for remote code execution, enabling the attacker to make changes to the targeted system and more than 20 of the security bugs have been thusly identified in UltraVNC.

Sometimes, the security firm noticed, the flaws were found as a major aspect of the research project were varieties of previously distinguished weaknesses. While the majority of the 37 vulnerabilities have been fixed, on account of TightVNC, however, TightVNC 1.X has been discontinued and package maintainers have not discharged any fixes, in spite of being advised of in January 2019.

Pavel Cheremushkin, a scientist at Kaspersky ICS CERT said that, Kaspersky called attention to that while a portion of these vulnerabilities can represent a genuine hazard, especially on account of industrial systems, exploitation of the server-side bugs much of the time requires verification, and the software might be structured not to allow authentication without a password.

This implies setting a strong password on the server can avoid numerous attacks. On the client-side, the best defense prescribed is to ensure that users don't associate with untrusted VNC servers.

GDPR privacy law exploited to reveal personal data

About one in four companies revealed personal information to a woman's partner, who had made a bogus demand for the data by citing an EU privacy law.

The security expert contacted dozens of UK and US-based firms to test how they would handle a "right of access" request made in someone else's name.

In each case, he asked for all the data that they held on his fiancee.

In one case, the response included the results of a criminal activity check.

Other replies included credit card information, travel details, account logins and passwords, and the target's full US social security number.

University of Oxford-based researcher James Pavur has presented his findings at the Black Hat conference in Las Vegas.

It is one of the first tests of its kind to exploit the EU's General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.

"Generally if it was an extremely large company - especially tech ones - they tended to do really well," he told the BBC.

"Small companies tended to ignore me.

"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."

He declined to identify the organisations that had mishandled the requests, but said they had included:

- a UK hotel chain that shared a complete record of his partner's overnight stays

- two UK rail companies that provided records of all the journeys she had taken with them over several years

- a US-based educational company that handed over her high school grades, mother's maiden name and the results of a criminal background check survey.

Mr Pavur has, however, named some of the companies that he said had performed well.

A Bunch of Loopholes in Apple’s iMessage App?


Apple’s devices could be vulnerable to attacks owing it to a few flaws that the researchers have uncovered in its iMessage app.

Where, in one case, the extent of severity of the attack happens to be so large that the only way to safe-guard the device would be to delete all data on it.

The other case saw some files being copied off the device without needing the user to do anything. The fixes were released last week by Apple.

But somehow there was a problem which couldn’t be fixed in the updates, which was brought to the attention of the company by the researchers.

Google’s Project Zero Team was established in July 2014 with an aim to dig all the “previously undocumented cyber vulnerabilities”.

Samaung, Microsoft, Facebook and a few others were warned off by this team regarding the problems in their code.

The unrepaired flaw, according to Apple’s own sources could aid the hackers to crash an app or execute commands of its own accord on iPads, iPhones and iPod Touches.

Installation of new version of the iOS (iOS 12.4) has been strongly advised by the organization. The attacks/dangers could be easily handled by keeping the software up-to-date.