Search This Blog

Showing posts with label Security Flaws. Show all posts

CISA’s vulnerabilities in KEV: Federal Agencies Have to Fix Them


CISA has included 6 vulnerabilities to its “Known Exploited Vulnerabilities Catalog” and has ordered the federal agencies to patch them with the help of vendor’s instructions. 

The CISA, U.S.-based cybersecurity and infrastructure security agency has given a deadline of 6th October to the government agencies to fix the security flaws that surfaced between 2010 and 2022. CISA has instructed the federal agencies to fix the newly added security vulnerabilities as per the directive. 

Exploiting the majority of the vulnerabilities that have been added to the list, gives cyber attackers local privilege escalation or admin-level access to the system, whereas the two of them permit to execution of a malicious code remotely, known as Remote Code Execution. 

These vulnerabilities that were found between the stretch of 2010 and 2022 comprise the most that were identified in 2013 and were engineered as spyware  especially for getting into the social media accounts of android users by using Tizi malware. 

The list of security flaws discovered in 2013 includes: 

  • CVE-2013-6282: it gives local privilege escalation and is used for rooting android devices.
  • CVE-2013-2597: it gives local privilege escalation and is used for overflow in Code Aurora audio driver.
  • CVE-2013-2596: it gives local privilege escalation and deals with Linux kernel integer overflow.
  • CVE-2013-2094: it gives local privilege escalation and manages Linux kernel privilege escalation. 

The CISA also added the oldest bug in KEV which was disclosed in 2010; this was the bug held responsible for spreading the Stuxnet worm, which caused a slowdown in the country’s development in the field of nuclear weapons by destroying the machines at the Natanz Uranium Enrichment Plant. 

The bug found in 2010 was named CVE-2010-2568,  it allows remote access to inject malicious code into the system. The latest security issue added to the vulnerability list was identified a month ago. It was also the only security flaw found this year. The cyber attackers exploited it and affected Trend Micro Apex One and Apex one as services. The recently identified bug was CVE-2022-40139, it was described as an improper validation issue. 

The list of all of the vulnerabilities is available publically on the official website of known exploited vulnerabilities. The directive from November 2021, “Binding operational directive 22-01”, legally states, that resolving all the vulnerabilities added by CISA and making them 'Known Exploited Vulnerabilities' is the responsibility of all federal civilian agencies to regulate a secure environment.

Major Vulnerabilities Found in Wireless LAN Devices in Airlines

The two major vulnerabilities were found in the series of the flexlan, a LAN device providing internet services in airlines. The Necrum security labs’ researchers Samy Younsi and Thomas Knudsen, initiated the research which led to tracking two critical vulnerabilities which were identified as CVE-2022-36158 and CVE-2022-36159. 

The vulnerabilities were detected in the Flexlan series named FXA3000 and FXA2000 and have been associated with a Japan-based firm known as Contec. 
The researchers said while considering the first vulnerability, that during the execution of reverse engineering on firmware, we found a hidden web page, which was not entailed in the list of wireless LAN manager interfaces. They also added that it simplifies the enforcement of the Linux command over the device with root privileges. The researchers mentioned that the first vulnerability gave access to all the system files along with the telnet port which allows to access the whole device.   
Regarding the second vulnerability, the researchers said, it makes use of hard-coded, weak cryptographic keys and backdoor accounts. While carrying out the research, the researchers were also able to recover and get access to a shadow file within a few minutes with the help of a brute-force attack. The file contained the hash of two users including root and users. 
The researchers explained the issue that the device owner is only able to change the password from the interface of the web admin as the root account is reserved for maintenance purposes by Contec. This allows the attacker with a root hard-coded password able to access all Flexlan FXA2000 and FXA3000 series effortlessly. 
With respect to the solutions, researchers emphasized the importance of mentioned to maintaining cyber security, with regard to the first Vulnerability. They said, “the hidden engineering web pages should be removed from all unfortified devices. As weak passwords make access easier for cyber attackers.” For the second vulnerability, the advisory commented, “the company should create new strong passwords, for every single device with the manufacturing process."

Kaspersky VPN Secure Connection Vulnerability Discovered

Kaspersky's VPN Secure Connection for Microsoft Windows has a local privilege-escalation (LPE) vulnerability that could allow an already-authenticated hacker to access administrative privileges and potentially seize total control of a victim's computer.

Researchers disagree over the bug's CVSS score, which is tracked as CVE-2022-27535. The bug has a high-severity CVSS score of 7.8 out of 10 as per a Synopsys alert published, but Kaspersky scores it as moderate with a 5.0 CVSS level.

In either case, it is present in the Support Tools section of the app and would enable root access to Server, the highest level possible in the Windows environment, allowing an authenticated hacker to delete any file at will from the system.

The Kaspersky team has fixed a flaw in the Kaspersky VPN Secure Connection that was exploited by an authorized hacker to trigger arbitrary file deletion on the host. It might result in device malfunction or the deletion of crucial system files necessary for proper system operation. 

An attacker needed to create a specific file and persuade customers to utilize the 'Delete all service data and reports' or 'Save report on your computer' product capabilities in order to carry out this attack.

Users should upgrade to version 21.6 or later to patch their systems because Kaspersky has solved the problem.

Synology Alerts Users of Severe Netatalk Bugs in Multiple Devices

Synology warned its customers that few of its network-attached storage (NAS) appliances are vulnerable to cyberattacks compromising various critical Netatalk vulnerabilities. Various vulnerabilities allow remote hackers to access critical information and may execute arbitrary code through a vulnerable variant of Synology Router Manager and DiskStation Manager (DSM). 

Netatalk is an Apple Filing Protocol (AFP) open-source platform that lets devices running on *NIX/*BSD work as AppleShare file servers (AFP) for Mac OS users for viewing files stored on Synology NAS devices. 

The development team of Netatalk fixed the patches in version 3.1.1, issued in March, following the Pwn2Own hacking competition in 2021. The vulnerabilities were first found and exploited in the competition. The EDG team of the NCC group exploited the vulnerability rated 9.8/10 severity score and tracked as CVE-2022-23121 to deploy remote code execution without verification on a Western Digital PR4100 NAS that runs on My Cloud OS firmware during the Pwn2Own competition. Synology mentioned three vulnerabilities in the latest warning- CVE-2022-23125, CVE-2022-23122, CVE-2022-0194, all three having high severity ratings. 

They are also letting malicious hackers deploy arbitrary codes on unfixed devices. The Netatalk development team released the security patches to resolve the issues in April, even then according to Synology, the releases for some affected devices are still in process. The NAS maker hasn't given any fixed timeline for future updates, according to Synology, it usually releases security patches for any impacted software within 90 days of publishing advisories. "

QNAP said the Netatalk vulnerabilities impact multiple QTS and QuTS hero operating system versions and QuTScloud, the company's cloud-optimized NAS operating system. Like Synology, QNAP has already released patches for one of the affected OS versions, with fixes already available for appliances running QTS build 20220419 and later," reports Bleeping Computers.

82% Applications in Public Sector Have Security Flaws

According to a new study from Veracode, more than 82% (4/5th) of public sector apps have security vulnerabilities, the highest found in any industry. The experts also found that the apps in the public sector take twice the time to get patch the flaws once identified, compared to other industry security fixes. Besides this, around 60% of flaws in third-party libraries in the public sector haven't been patched for two years. It is twice the time frame compared to industry data and almost 15 months behind the cross-industry average. 

The report is based on the data collected via 20 million scans across half a million apps in the public sector, financial services, manufacturing, retail, healthcare, technology, and hospitality. Veracode simplifies AppSec programs by combining five application security analysis types in one solution, integrated into the development pipeline. With comprehensive analysis, you’re covered today and as your program evolves Joint lowest fix rate for vulnerability in the public sector is 22% which is the lowest. 

The study suggests that public sector organizations are more prone to software supply chain attacks because they are more vulnerable, for instance, solar winds, which led to huge disruptions and breaches of critical data. Fortunately, the findings suggest that public sector entities have improved in battling high severity flaws. As per analysis, high-level flaws were found in 16% of public sector apps and the total numbers fell by 30% in the last year. 

The experts believe that the data hints toward new government cybersecurity measures. Public sector lawmakers and politicians know that dated technology and a large amount of sensitive data are the reason for public organizations to become a primary target for hackers. 

This is why Congress and the White House are working together to update regulations that govern cybersecurity compliance.  "In January, President Biden signed a National Security Memorandum (NSM) requiring national security systems to implement network cybersecurity measures that are at least as good as those required of federal civilian networks. Earlier this month, the US passed new legislation that will force critical infrastructure companies to report cyber incidents within 72 hours" reports Infosecurity. 

Horde Webmail Software has a 9-year-old Unsecure Email Theft Risk


A nine-year-old unsecure security flaw in the Horde Webmail functionality might be exploited to acquire total access to the email accounts merely by viewing an attachment. Horde Webmail is a Horde project-developed free, enterprise-ready, browser-based communication package. Universities and government institutions use this webmail option extensively. 

According to Simon Scannell, a vulnerability researcher at SonarSource, "it provides the hackers to gain access to all confidential and possibly classified documents a user has recorded in an email address and might allow them to obtain further access to an organization's internal services." 

SonarSource detected a stored Xss attack which was implemented with commit 325a7ae, which was 9 years ago. Since the commit on November 30, 2012, the bug has affected all versions. The vulnerability can be exploited by previewing a specially designed OpenOffice document and allowing a malicious JavaScript payload to be executed. The attacker can take all emails sent and received by the victim by exploiting the flaw. 
"An attacker can create an OpenOffice document which will launch a malicious JavaScript payload when converted to XHTML by Horde for preview." the report continues "When a targeted person sees an attached OpenOffice document in the browser, the vulnerability is activated." according to SonarSource experts.

Worse, if an executive account with a personalized, phishing email is successfully hacked, the attacker might use this unprecedented access to take control of the entire webmail service. Despite the vendor's confirmation of the problem, no fixes have been given to the project managers as of August 26, 2021. Horde was contacted for more comments, but none were made to address the situation.

Meanwhile, Horde Webmail users should deactivate the rendering of OpenOffice attachments by adding the 'disable' => true configuration option to the OpenOffice mime handler in the config/mime drivers.php file.

Brizy WordPress Plugin Exploit Chains Permit Full Site Takeovers


According to researchers, flaws in the Brizy Page Builder plugin for WordPress sites may be linked together to allow attackers to totally take over a website. 

Brizy (or Brizy - Page Builder) is used on over 90,000 websites. It's advertised as an easy-to-use website builder for individuals with no technical knowledge. It has over 500 pre-designed blocks, maps and video integration, and drag-and-drop creation capability. 

Before version 2.3.17, it also had a stored cross-site scripting (XSS) vulnerability and an arbitrary file-upload vulnerability, according to researchers. 

“During a routine review of our firewall rules, we found traffic indicating that a vulnerability might be present in the Brizy – Page Builder plugin, though it did not appear to be under active attack,” researchers at Wordfence explained in a Wednesday posting. 

“This led us to discover two new vulnerabilities as well as a previously patched access-control vulnerability in the plugin that had been reintroduced.” 

According to the researchers, the two new flaws may be chained together with the reintroduced access control weakness to enable total site takeover. Any logged-in user, in combination with the stored XSS flaw, would be able to edit any published post and inject malicious JavaScript into it. Meanwhile, a combination with the other flaw may allow any logged-in user to post potentially executable files and achieve remote code execution. 

A Reintroduced Access Control Bug Serves as the Attack's Foundation

The previous access-control problem (now listed as CVE-2021-38345) was fixed in June 2020 but reappeared this year in version 1.0.127. According to Wordfence, it's a high-severity problem caused by a lack of adequate authorisation checks, allowing attackers to edit posts. The plugin used a pair of administrator functions for a wide range of authorization checks, and any user that passed one of these tests was considered to be an administrator.

"Being logged in and visiting any endpoint in the wp-admin directory was sufficient to pass this check," as per the researchers. 

As a result, all logged-in users, such as newsletter subscribers, were able to alter any post or page made or updated with the Brizy editor, even if it had already been published. 

According to Wordfence’s analysis, “While this vulnerability might only be a nuisance on its own, allowing attackers to replace the original contents of pages, it enabled two additional vulnerabilities that could each be used to take over a site.” 
The first follow-on bug (CVE-2021-38344) is a medium-severity stored XSS flaw that allows intruders to insert malicious scripts into web pages. Because it is a stored XSS issue rather than a reflected one, victims are only required to visit the affected page to be attacked. 

The flaw allows a less-privileged user (such as a contributor or subscriber) to attach JavaScript to an update request, which is subsequently executed if the post is read or previewed by another user, such as an administrator. It becomes hazardous, however, when paired with the authorisation bypass, according to the researchers. 

The second new vulnerability is a high-severity arbitrary file-upload flaw (CVE-2021-38346), which might allow authenticated users to post files to a website. According to Wordfence researchers, the authorization check vulnerability allows subscriber-level users to elevate their privileges and subsequently upload executable files to a place of their choice via the brizy_create_block_screenshot AJAX method. According to the evaluation, other types of assaults are also possible.

“While the plugin appended .JPG to all uploaded filenames, a double extension attack was also possible,” researchers explained. 

“For instance, a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations, including Apache/modPHP with an AddHandler or unanchored SetHandler directive. An attacker could also prepend their filename with ../ to perform a directory traversal attack and place their file in an arbitrary location, which could potentially be used to circumvent execution restrictions added via .htaccess.” 

Thus, “by supplying a file with a .PHP extension in the id parameter, and base64-encoded PHP code in the ibsf parameter, an attacker could effectively upload an executable PHP file and obtain full remote code execution on a site, allowing site takeover,” they added. 

Users can protect themselves by switching to the most recent version of the plugin, 2.3.17.

Ransomware Assaults on AWS' S3 Buckets Have Become More Likely


AWS is the most popular cloud service provider, with a solid reputation for security and dependability. Despite this, Ermetic's research demonstrates that identities pose a severe security concern and expose buckets to the risk of a ransomware attack. According to new research, 90% of S3 buckets are vulnerable to ransomware attack. 

Ermetic conducted the survey in order to better understand the security posture of AWS environments and their susceptibility to ransomware attacks, as well as to assist enterprises in identifying system flaws and mitigating risks. “Very few companies are aware that data stored in cloud infrastructures like AWS is at risk from ransomware attacks, so we conducted this research to investigate how often the right conditions exist for Amazon S3 buckets to be compromised,” said Shai Morag, CEO of Ermetic. 

A stunning 70% of machines had permissions that might be exploited and were openly exposed to the internet. The privileges of third-party identities could be extended to admin level in 45% of situations. Furthermore, 80% of IAM Users had access credentials that had not been used in at least 180 days but were still active. 

According to Saumitra Das, Blue Hexagon CTO and Cofounder, this report emphasises the critical need to “detect threats” in the cloud rather than focusing solely on misconfigurations. According to research from the Cloud Security Alliance, even if misconfigurations in S3 buckets or IAM access keys have been inactive for a long time, it might take days, weeks, or even months for these to be discovered and remedied. 

 It also emphasises that ransomware is not just an on-premises issue; as the pandemic has increased cloud transfer of workloads, attackers and ransomware criminal operators have also accelerated cloud migration.  

Firms must monitor three things, according to Das, including runtime activity of identities; cloud storage, including read/write patterns, and network activity, which can assist companies determine when instances are exposed to the internet and their identities are misused.

According to the research, here are a few methods that organizations can take to protect their AWS S3 buckets from ransomware: 

 • Deploy Minimum Privilege - implement an authorization system that only allows identities to conduct their business functions with the bare minimum of entitlements, decreasing the possibility of ransomware infecting buckets. 

 • Reduce the risk of ransomware by following best practises to avoid/remove common problems that ransomware can use to steal identities and install malware. 

 • Use logging and monitoring tools like CloudTrail and CloudWatch to spot suspicious activity that can lead to early detection and response in the event of a ransomware attack.

Researchers Make Contactless Visa Payment Using iphone Flaw


Cybersecurity experts in a video showed how to make a contactless Visa payment of €1,000 from a locked iphone. These unauthorised payments can be made while the iPhone is locked, it is done via exploiting an Apple Pay feature built to assist users transaction easily at ticket barriers payments with Visa. 

Apple responded by saying the problem is concerned with a Visa system. However, Visa says that its payments are safe and the such attacks lie outside of its lab and are impractical. Experts believe that the problem exists in the Visa cards setup in 'Express Transit' mode in iPhone wallet. 

It is a feature (express transit) which allows users to make fast contactless payments without unlocking their phone. However, the feature turned out to be a drawback with Visa system, as experts found a way to launch an attack. While scientists demonstrated the attack, the money debited was from their personal accounts. 

How does the attack look? 

  • A small radio is placed beside the iPhone, the device thinks of it as a legit ticket barrier. 
  • Meanwhile an android phone runs an application to relay signals (developed by experts) from the iPhone to a contactless transaction platform, it could be in a shop or a place that is controlled by the criminal. 
  • As the iPhone thinks the payment is being done to a ticket barrier, it doesn't unlock. 
However, the iPhone's contact with the transaction platform is altered to make it think that the iPhone has been unlocked and an authorized payment is done which allows high value payments, without the need of fingerprint, PIN, or Face Id verification. 

The experts while demonstrating in a video did a €1,000 Visa transaction without unlocking the iPhone, or authorizing the payment. According to experts, the payment terminals and android phones used here don't need to near the targeted iPhone. 

As of now, the demonstration has only been done by experts in the lab and no reports of the feature exploit in the wild have been reported. "The researchers also tested Samsung Pay, but found it could not be exploited in this way.They also tested Mastercard but found that the way its security works prevented the attack. 

Co-author Dr Ioana Boureanu, from the University of Surrey, said this showed systems could be "both usable and secure". The research is due to be presented at the 2022 IEEE Symposium on Security and Privacy," reports BBC.

Confluence Servers are Being Targeted by the New Atom Silo Malware


A new ransomware operator is targeting Confluence servers, gaining initial access to susceptible systems by exploiting a recently reported vulnerability. According to Sean Gallagher and Vikas Singh of Sophos, the new threat actors, called Atom Silo, are exploiting the flaw in the hopes that Confluence server owners have yet to apply the essential security patches to fix the vulnerability. 

Atlassian Confluence is a web-based virtual workspace for businesses that allows teams to collaborate on projects and communicate. Atom Silo recently launched a two-day cyberattack, according to Sophos. The attackers were able to get initial access to the victim's corporate environment due to a vulnerability identified as CVE-2021-08-25. 

Atlassian released security fixes on August 25 to address a Confluence remote code execution (RCE) vulnerability that had been exploited in the wild and was tracked as CVE-2021-26084. They also discovered that the ransomware utilized by this new gang is nearly comparable to LockFile, which is quite similar to the LockBit malware.

Several innovative approaches that made it exceedingly difficult to examine, including the side-loading of malicious dynamic-link libraries targeted to disrupt endpoint protection software, according to Atom Silo operators. Following the compromise of Confluence servers and the installation of a backdoor, the threat actors use DLL side-loading to execute a second-stage stealthier backdoor on the compromised machine. 

"The incident investigated by Sophos shows how quickly the ransomware landscape can evolve. This ultra-stealthy adversary was unknown until a few weeks ago," said Sean Gallagher, a senior threat researcher at Sophos. "In addition, Atom Silo made significant efforts to evade detection prior to launching the ransomware, which included well-worn techniques used in new ways. Other than the backdoors themselves, the attackers used only native Windows tools and resources to move within the network until they deployed the ransomware." 

According to Sophos, ransomware operators and other malware authors are becoming increasingly competent at exploiting these flaws, latching on publicly available proof-of-concept exploits for freshly discovered vulnerabilities and weaponizing them quickly to benefit from them. 

"To reduce the threat, organizations need to both ensure that they have robust ransomware and malware protection in place, and are vigilant about emerging vulnerabilities on Internet-facing software products they operate on their networks," they added.

Vulnerabilities Found In Moxa Railway Devices, Can Cause Disruption


Railway and other wireless communication devices developed by Moxa have been affected by 6p vulnerabilities. Moxa is a Taiwan based industrial networking and automation firm. Earlier this week, cybersecurity firm SEC (owned by Atos) revealed that an expert at SEC found two new flaws in Moxa devices along with various out of date third party software components filled with flaws. 

As per the experts, Moxa devices are infected with a Command injection vulnerability that can be abused by an authenticated actor to hack the device's OS (operating system) (CVE-2021-39279), along with a reflected XSS (cross site scripting) flaw which can be exploited using a special configuration file (CVE-2021-39278). Besides this, the products are affected by an estimated 60 other vulnerabilities in third party softwares like GNU C Library, Dropbear SSH software, BusyBox client, Open SSL, and Linux Kernel. Moxa has released two different reports for the Vulnerabilities. 

The Security Week reports "one of them describes the impact on TAP-323, WAC-1001 and WAC-2004 series devices, which are designed for railways. The TAP-323 device is a trackside wireless access point designed for train-to-ground wireless communications, while the WAC devices are described as rail wireless access controllers." It is also building patches for the Tap-323 and WAC-1001 products, however, WAC-2004 series devices are discontinued and the seller has asked customers to take precautions for reducing the risk of exploitation. 

According to Thomas Weber, the researcher at SEC who found about the vulnerability in Moxa, currently no analysis has been done to check whether the XSS and command injection flaws can be constrained, however, it might be possible. A hacker would have to fool an authenticated user into opening a link which would enable the XSS to steal necessary information to get verified on system and exploit the command injection. 

Experts are not sure about the damage that an attacker can cause, but it all depends on the critical messages sent through the devices. "If an attacker gains access to the web-based management interface of the affected devices and they obtain login credentials — the login credentials could be obtained through various methods — they would be able to take over the whole device with persistent access," says the security week.

BrakTooth Vulnerability Puts Bluetooth Users At Risk, Flaws Left Unpatched


White Hat hackers revealed a set of vulnerabilities named as BrakTooth, which affects commercial bluetooth gadgets, raising suspicions about vendor's intent to fix the flaws. Automated Systems Security (ASSET) Research Group at Singapore University of Technology and Design said that they released BrakTooth, "a family of 16 new security vulnerabilities (20+ CVEs) in commercial Bluetooth Classic (BR/EDR) stacks that range from denial of service (DoS) via firmware crashes and deadlocks in commodity hardware to arbitrary code execution (ACE).

"The team has shown off arbitrary code execution on an ESP32 microcontroller, commonly found in Internet of Things (IoT) devices which are rarely if ever updated by their manufacturers, denial of service attacks against laptops and smartphones with the Intel AX200 and Qualcomm WCN3390 chips, and the ability to freeze or shut down headphones and other Bluetooth audio devices,"said the Register. It said BrakTooth affects major SoC (System on Chip) vendors like Qualcomm, Intel, Texas Instruments, Silicon Labs, Infeneon and others.

BrakTooth represents around 1400 commercial products including Microsoft Surface Pro 7, Surface Laptop 3, Surface Book 3, and Surface Go 2, and Volvo FH infotainment systems which threaten to leak "fundamental attack vectors in the closed BT [Bluetooth] stack." 

This is not the first time that the group has made such claims, earlier, ASSET was behind the SweynTooth vulnerabilities in 2020. Vendors have been informed about the sixteen vulnerabilities, however, the feedbacks recieved vary. 

"Espressif, whose popular ESP32 microcontroller family was affected, was one of the first to release a patch closing the holes, along with Bluetrum Technology and Infineon. Intel, Actions, and Zhuhai Jieli Technology have confirmed they are either investigating the flaws or actively developing patches. Harman International and SiLabs, by contrast, "hardly communicated with the team," the researchers claimed, "and the status of their investigation is unclear at best," reports the Register. 

Qualcomm and Texas Instruments had it worse, latter said that it won't release the patches until the customers demand so, and the former is only patching few parts even though unpatched chips appear in brand new products releasing across the world.

Experts Find Vulnerabilities in AMD Zen Processor


German cybersecurity experts at TU Dresden discovered that Zen processor of AMD is susceptible to data-bothering meltdown like attacks in the end. Exploiting this vulnerability is an academic drill, turns out, there exist much easier and simpler techniques to meddle with systems. In simpler terms, it's a reminder that modern CPU designs have various kinds of side channels, and many yet to be discovered. 

The Register reports "in a paper [PDF] titled "Transient Execution of Non-Canonical Accesses," released via ArXiv, Saidgani Musaev and Christof Fetzer analyzed AMD Zen+ and Zen 2 chips – namely the Epyc 7262, Ryzen 7 2700X, and the Threadripper 2990WX – and found that they were able to adversely manipulate the operation of the CPU cores." When Spectre and Meltdown vulnerabilities came out, in the beginning experts said that Meltdown was only authenticated on Intel x86 chipsets. The list then included IBM hardwares and an Arm Cortex core, however, it was not clear if IBM parts had vulnerabilities. AMD in a statement said that Meltdown didn't affect the processors. 

"The way its chips executed load instructions meant data would not be fetched if architecturally disallowed in the processor's current execution context, it said. In other words, load instructions executed in user mode can't be used to discern the contents of kernel-mode memory, as expected."

"Musaev and Fetzer say that's true for classical Meltdown attacks that rely on fetching data from the L1 data cache and for a variant called Microarchitectural Data Sampling (MDS) that targets specific buffers. But they found another way to poison the way in which a CPU core access data in memory "that is very similar to Meltdown-type behavior," said The Register. 

Most importantly, this technique can't be used by a single process to read a kernel or different process memory, however, a thread in the program can use it to affect different thread in the same memory space. It isn't similar to a classic meltdown, where a Rogue app rips off keys from kernel memory. "The violation we report does not lead to cross address space leaks, but it provides a reliable way to force an illegal dataflow between microarchitectural elements," said the experts.

Four Critical Flaws Identified in Sage X3 ERP Software


Cybersecurity firm Rapid7 announced on Wednesday that it discovered four security flaws in the Sage X3 ERP software, resource, and planning (ERP) supply chain software that if left unpatched, could have allowed attackers to take over the system and run commands. 

The first two were protocol-related issues involving remote administration of Sage X3, and the latter two are web application flaws. Rapid7 recommends that Sage X3 installations should not be exposed directly to the internet, and should instead be made available via a secure VPN connection where required. The company states that this will effectively mitigate all four flaws, but users will need to update according to their regular patch cycle schedule. 

Rapid7 researchers Jonathan Peterson, Aaron Herndon, Cale Black, Ryan Villarreal, and William Vu, who identified the flaws (CVE-2020-7387 through -7390), said that the most critical vulnerabilities exist in the remote administrator function of the platform. Companies rely on Sage X3 as an ERP system that’s primarily used for supply chain management in medium to large companies. The product has become quite popular in the UK and other European markets.

Cybersecurity experts found the case concerning because the flaws identified by Rapid7 are linked to an authentication bypass that’s critical in any context, but the fact that the application can execute commands by design makes it a truly serious vulnerability for those with the software installed, said AJ King, CISO at BreachQuest. 

King explained that because the software can execute commands by design, any authentication bypass immediately offers the unauthenticated threat actor the ability to run commands.

“In a typical authentication bypass, the threat actor would not automatically gain the ability to execute programs. The Rapid7 researchers also discovered that the application communicates using a custom encryption protocol. This is such a departure from best practices that security professionals are often heard saying ‘friends don’t let friends roll their own crypto.’ This sort of behavior has no place in enterprise software,” King stated.

Following recent cyberattacks on the Colonial Pipeline and JBL, companies should be extra vigilant with their ERP software. Sage X3 is commonly used in supply chain management for medium and large organizations and can be a target for this particular type of attacker.