Search This Blog

Showing posts with label Flaws. Show all posts

New Vulnerabilities in Cellebrite's Tools Discovered by a Researcher

 

Signal, the messaging app that has recently become a new focus for Cellebrite's data-collection tools for law enforcement, raised the question late last month. 

Moxie Marlinspike, the creator of Signal, claimed that software flaws discovered in Cellebrite's tools could be used to tamper with facts. As a result, one lawyer has already requested a new trial. But Marlinspike isn't the only one who has scrutinized Cellebrite's gadgets. At the Black Hat Asia conference on Friday, Matt Bergin of KoreLogic will present his latest findings, which are related to Cellebrite's Universal Forensic Extraction Device, or UFED. KoreLogic's senior information security researcher, Bergin, claims to have discovered three vulnerabilities in UFED.

Despite the fact that Cellebrite has now fixed those problems, Bergin believes that forensics software should be placed through rigorous penetration testing to find bugs that might jeopardize proof. Bergin will also display up Lock Up, an Android app he created that can factory reset a phone if it detects Cellebrite software attempting to copy data. All of his research stems from a fear that Cellebrite's forensic instruments might be tampered with by bad actors, resulting in the false accusation of innocent people. 

"My whole goal for this project was to really highlight the fact that forensics tools are not immune to software vulnerabilities. And those issues, when exploited, do have real-life implications for people. That could be the rest of your life in jail," Bergin stated. 

Bergin obtained an inside look at how the UFED starts probing devices by cracking its cryptography. He was also able to write detection signatures for how UFED communicates with a target system as a result of this experience. He then developed Lock Up, an Android application. Bergin states he will not release Lock Up because he does not want to obstruct legal law enforcement investigations. 

However, he plans to make the source code accessible, as well as the indicators of compromise, which are checksums and hashes of files that Cellebrite's UFED installs on devices before collecting data.

Cellebrite also fixed CVE-2020-12798, a privilege escalation flaw, as well as CVE-2020-14474, an issue in which Cellebrite left hard-coded keys for encrypted data right next to the encrypted data. Given the value of digital evidence's credibility, Bergin believes the software should be expanded to include penetration tests. "We need functional testing, and we need security testing," he states "It should be part of the CFTT process before any evidence collected by these tools can be used in a court of law." 

There are also questions about supply chain tampering. Bergin and Marlinspike's results, according to Hank Leininger, co-founder of KoreLogic, have raised doubts about the factuality of data. Self-integrity checks could provide some assurance that software hasn't been manipulated, he added.

Another way Cellebrite might strengthen its procedures is to issue influential public notices detailing newly found and patched vulnerabilities. "Airing your own dirty laundry after you've washed it is a good way to create trust in your security commitment," says Leininger.

Several Vulnerabilities Identified In Emerson OpenEnterprise


Recently four vulnerabilities were found in Emerson OpenEnterprise and were accounted for to the vendor in December 2019 with the patches released a couple of months later.

Roman Lozko, a researcher at Kaspersky's ICS CERT unit, was responsible for the identification of the flaws, and the security holes found by him have been depicted as 'heap-based cushion buffer, missing authentication, improper ownership management, and weak encryption issues.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Kaspersky published advisories for three of the vulnerabilities a week ago. The rest of the vulnerability was described by Kaspersky in a previous advisory.

As indicated by Emerson, OpenEnterprise is explicitly intended to address the prerequisites of associations focusing on oil and gas production, transmission, and distribution.

The initial two followed as CVE-2020-6970 and CVE-2020-10640 are depicted as critical, as they can allow an attacker to remotely execute discretionary code with 'elevated privileges' on devices running OpenEnterprise.

Vladimir Dashchenko, a security expert at Kaspersky, says an attacker could misuse these vulnerabilities either from the system or directly from the internet. Notwithstanding, there don't give off an impression of being any occurrences of the affected product exposed to the internet.

“The most critical vulnerabilities allow remote attackers to execute any command on a computer with OpenEnterprise on it with system privileges, so this might lead to any possible consequences,”

 “Based on Shodan statistics, currently there are no directly exposed OpenEnterprise SCADA systems available,” Dashchenko explained. “It means that asset owners with installed OpenEnterprise are definitely following the basic security principles for industrial control systems.”

The rest of the vulnerabilities can be exploited to 'escalate privileges' and to acquire passwords for OpenEnterprise user accounts, yet exploitation in the two cases requires local access to the targeted system.

Biometric Data Exposure Vulnerability in OnePlus 7 Pro Android Phones Highlighted TEE Issues


In July 2019, London based Synopsys Cybersecurity Research Center discovered a vulnerability in OnePlus 7 Pro devices manufactured by Chinese smartphone maker OnePlus. The flaw that could have been exploited by hackers to obtain users' fingerprints was patched by the company with a firmware update it pushed in the month of January this year. As per the findings, the flaw wasn't an easy one to be exploited but researchers pointed out the possibility of a bigger threat in regard to TEEs and TAs.

Synopsys CyRC's analysis of the vulnerability referred as CV toE-2020-7958, states that it could have resulted in the exposure of OnePlus 7 pro users' biometric data. The critical flaw would have allowed authors behind malicious android applications with root privileges to obtain users' bitmap fingerprint images from the device's Trusted Execution Environment (TEE), a technique designed to protect sensitive user information by keeping the Android device's content secure against illicit access.

As it has become increasingly complex for malicious applications to acquire root privileges on Android devices, the exploitation of the flaw would have been an arduous task and might also be an unlikely one given the complexity of the successful execution. Meanwhile, the fix has been made available for months now– ensuring the protection of the users.

However, the issue with Trusted Execution Environments (TEEs) and Trusted Applications (TAs) remains the major highlight of Synopsys's advisory released on Tuesday, “Upon obtaining root privileges in the REE [Rich Execution Environment], it becomes possible to directly communicate with the factory testing APIs exposed by Trusted Applications (TAs) running in the TEE. This attacker invokes a sequence of commands to obtain raw fingerprint images in the REE,” it read.

While explaining the matter, Travis Biehn, principal consultant at Synopsys, told, “Of course, people’s fingerprints don’t usually change. As attackers become successful in retrieving and building large datasets of people’s fingerprints, the usefulness of naïve fingerprint recognition in any application as a security control is permanently diminished,”

“A further possible consequence is that fingerprints become less trustworthy as evidence in our justice systems.”

“...this vulnerability shows that there'there are challenges with Trusted Execution Environments (TEEs) and Trusted Applications (TAs); these are software components that are opaque to most (by design), expertise is limited, and typically involve long supply chains. These factors together mean there'there are opportunities for organizations to make a mistake, and hard for security experts to catch at the right time,” he further added.

The flaw would have allowed attackers to recreate the targeted user's complete fingerprint and then use it to generate a counterfeit fingerprint that further would have assisted them in accessing other devices relying upon biometric authentication.

Vulnerabilities Discovered In Four Popular Open Source VNC Systems


Numerous vulnerabilities in the four well-known open sources virtual network computing (VNC) systems have been as of late identified by Kaspersky researchers however luckily most of them have just been patched.

After breaking down the four broadly utilized open source VNC systems, including LibVNC, UltraVNC, TightVNC and TurboVNC, the cybersecurity firm says UltraVNC and TightVNC are frequently prescribed by industrial automation system vendors for associating with human-machine interfaces (HMIs).

A sum of 37 CVE identifiers has been allowed to the vulnerabilities discovered by Kaspersky in server and client software.

A portion of the defects are said to have been exploited for remote code execution, enabling the attacker to make changes to the targeted system and more than 20 of the security bugs have been thusly identified in UltraVNC.

Sometimes, the security firm noticed, the flaws were found as a major aspect of the research project were varieties of previously distinguished weaknesses. While the majority of the 37 vulnerabilities have been fixed, on account of TightVNC, however, TightVNC 1.X has been discontinued and package maintainers have not discharged any fixes, in spite of being advised of in January 2019.

Pavel Cheremushkin, a scientist at Kaspersky ICS CERT said that, Kaspersky called attention to that while a portion of these vulnerabilities can represent a genuine hazard, especially on account of industrial systems, exploitation of the server-side bugs much of the time requires verification, and the software might be structured not to allow authentication without a password.

This implies setting a strong password on the server can avoid numerous attacks. On the client-side, the best defense prescribed is to ensure that users don't associate with untrusted VNC servers.

GDPR privacy law exploited to reveal personal data

About one in four companies revealed personal information to a woman's partner, who had made a bogus demand for the data by citing an EU privacy law.

The security expert contacted dozens of UK and US-based firms to test how they would handle a "right of access" request made in someone else's name.

In each case, he asked for all the data that they held on his fiancee.

In one case, the response included the results of a criminal activity check.

Other replies included credit card information, travel details, account logins and passwords, and the target's full US social security number.

University of Oxford-based researcher James Pavur has presented his findings at the Black Hat conference in Las Vegas.

It is one of the first tests of its kind to exploit the EU's General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.

"Generally if it was an extremely large company - especially tech ones - they tended to do really well," he told the BBC.

"Small companies tended to ignore me.

"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."

He declined to identify the organisations that had mishandled the requests, but said they had included:

- a UK hotel chain that shared a complete record of his partner's overnight stays

- two UK rail companies that provided records of all the journeys she had taken with them over several years

- a US-based educational company that handed over her high school grades, mother's maiden name and the results of a criminal background check survey.

Mr Pavur has, however, named some of the companies that he said had performed well.

A Bunch of Loopholes in Apple’s iMessage App?


Apple’s devices could be vulnerable to attacks owing it to a few flaws that the researchers have uncovered in its iMessage app.

Where, in one case, the extent of severity of the attack happens to be so large that the only way to safe-guard the device would be to delete all data on it.

The other case saw some files being copied off the device without needing the user to do anything. The fixes were released last week by Apple.

But somehow there was a problem which couldn’t be fixed in the updates, which was brought to the attention of the company by the researchers.

Google’s Project Zero Team was established in July 2014 with an aim to dig all the “previously undocumented cyber vulnerabilities”.

Samaung, Microsoft, Facebook and a few others were warned off by this team regarding the problems in their code.

The unrepaired flaw, according to Apple’s own sources could aid the hackers to crash an app or execute commands of its own accord on iPads, iPhones and iPod Touches.

Installation of new version of the iOS (iOS 12.4) has been strongly advised by the organization. The attacks/dangers could be easily handled by keeping the software up-to-date.