Due to Security Reasons, Chrome will Limit Access to Private Networks

 

Google has announced that its Chrome browser will soon ban websites from querying and interacting with devices and servers inside local private networks, due to security concerns and past abuse from malware. 

The change will come with the rollout of a new W3C specification known as Private Network Access (PNA), which will be released in the first half of the year. The PNA specification adds a mechanism to Chrome through which websites must request permission from systems on local networks before establishing a connection.

“Chrome will start sending a CORS preflight request ahead of any private network request for a subresource, which asks for explicit permission from the target server. This preflight request will carry a new header, Access-Control-Request-Private-Network: true, and the response to it must carry a corresponding header, Access-Control-Allow-Private-Network: true,” as per Eiji Kitamura and Titouan Rigoudy, Google.

Internet websites will be prohibited from connecting if local hardware such as servers or routers fails to respond. One of the most important security features incorporated into Chrome in recent years is the new PNA specification. 
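The preflight exchange described above, seen from the side of a device on the private network, as an added example that is not code from Google or the PNA specification. The allowlisted origin, the function names and the 403 status for refused origins are assumptions chosen for illustration; only the two `Private-Network` header names come from the quote.

```javascript
// Constructed allowlist: the only web origin this local device trusts.
const ALLOWED_ORIGINS = new Set(["https://admin.example.com"]);

// Decide the reply to a request reaching a private-network device.
// `headers` uses lower-case names, as Node's http module delivers them.
// Returns null when the request is not a CORS preflight.
function answerPreflight(method, headers, allowed = ALLOWED_ORIGINS) {
  if (method !== "OPTIONS" || !headers["access-control-request-method"]) {
    return null; // ordinary request: normal routing applies
  }
  const origin = headers["origin"];
  if (!origin || !allowed.has(origin)) {
    // No CORS or PNA headers in the reply: the browser treats the
    // preflight as failed and never sends the actual request.
    return { status: 403, headers: {} };
  }
  const out = {
    "Access-Control-Allow-Origin": origin, // echo the vetted origin, never "*"
    "Access-Control-Allow-Methods": "GET, POST",
    "Vary": "Origin",
  };
  // Grant private-network access only when the browser asked for it.
  if (headers["access-control-request-private-network"] === "true") {
    out["Access-Control-Allow-Private-Network"] = "true";
  }
  return { status: 204, headers: out };
}

// Adapter with the (req, res) signature that http.createServer() expects.
function handler(req, res) {
  const decision = answerPreflight(req.method, req.headers);
  if (decision === null) {
    res.writeHead(404); // this sketch serves no other routes
    res.end();
    return;
  }
  res.writeHead(decision.status, decision.headers);
  res.end();
}
```

A device that predates PNA sends neither header, so under the behaviour described above the browser blocks the request by default.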

Cybercriminals have known since the early 2010s that they can utilize browsers as a "proxy" to relay connections to a company's internal network. For example, malicious code on a website could attempt to reach an IP address such as 192.168.0.1, which is the standard address for most router administrative panels and is only reachable from a local network. 

When users visit a fraudulent site like this, their browser can issue an automatic request to their network without their permission, transmitting malicious code that can evade router authentication and change router settings. 

These types of attacks aren't simply theoretical; they've happened previously, as evidenced by the examples provided here and here. Other local systems, such as internal servers, domain controllers, firewalls, or even locally-hosted apps (through the http://localhost domain or other locally-defined domains), could be targeted by variations of these internet-to-local network attacks. Google aims to prevent such automated attacks by incorporating the PNA specification into Chrome and its permission negotiation system. 

According to Google, PNA was included in Chrome 96, which was published in November 2021, but complete support will be available in two parts this year, with Chrome 98 (early March) and Chrome 101 (late May).

Researchers Flag Serious Authentication Bypass Vulnerability After Pega Infinity Hotfix Released

 

After security researchers discovered a flaw in the Pega Infinity enterprise software platform, users are being advised to upgrade their installations. 

CVE-2021-27651 is a critical-risk vulnerability in Pega's Infinity program versions 8.2.1 to 8.5.2, according to the research team of Sam Curry, Justin Rhinehart, Brett Buerhaus, and Maik Robert. 

The proof-of-concept shows how an intruder can circumvent Pega Infinity's password reset system. Via administrator-only remote code execution, attackers could then use the reset account to “fully compromise” the Pega instance. This includes modifying complex pages or templating. The researchers collaborated with the developer, Pegasystems, to construct a hot patch. According to the vendor, customers running the program on-premises should check if their version is affected and apply the relevant hot patch.

With over 2,000 users, Pega Infinity is a common enterprise software suite. Customer service and sales automation, an AI-driven ‘customer decision hub,' workforce intelligence, and a ‘no-code' development platform are all included in the kit. The Pega Infinity vulnerability was discovered as a result of the security researchers' involvement in Apple's bug bounty program. 

“We’d been hacking on Apple's bug bounty program for about six months and had spent a lot of time on software produced by Apple themselves,” UK-based hacker Sam Curry told The Daily Swig. 

“After reading a blog post from two amazing researchers, we agreed to take a different approach and target vendors [supplying technology to Apple].” Curry has written about his experiences with Apple's bug bounty program in the past.

Burp Suite was used by the researchers to find the password reset flaw in Pega Infinity. According to Curry, this allows for a complete compromise of any Pega instance with "no prerequisite information." Justin Rhinehart also developed a Nuclei template for determining whether or not the software is running Pega Infinity. 

“Pega's customers are from every sector and at the time of reporting some of the customers included the FBI, US Air Force, Apple, American Express, and a few other huge names.” 

Curry states that Pega was able to collaborate with the researchers to patch the flaw, although they needed time for customers using Infinity on-premises to upgrade their installations. Curry mentioned that the procedure took more than three months.