InSpectre, Rust/PANOS CVEs, X URL blunder and More - April 8-14, 2024 - F5 SIRT - This Week in Security

Editor's Introduction 

Hello, Arvin here, your editor for This Week in Security. As usual, I have collected some interesting security news. Credit goes to the original articles.

Intel processors are affected by a Native Branch History Injection (Native BHI) attack, found with InSpectre Gadget, a tool that can find gadgets (code snippets that can serve as a jumping-off point to bypass software and hardware protections) in an OS kernel running on vulnerable hardware. Spectre-style attacks that abuse speculative execution on processors have been around for a while now. Intel updated its previously published guidance on "Branch History Injection and Intra-mode Branch Target Injection" and included an "Additional Hardening Options" section. The silver lining is that the CVEs' CVSS scores are Medium severity. See the snippets below from the research paper by the VU Amsterdam researchers, which illustrate the use of the InSpectre Gadget tool.

Rust has a critical CVE, CVE-2024-24576. It affects the Rust standard library, which was found to be improperly escaping arguments when invoking batch files on Windows using the library's Command API, specifically std::process::Command. It is specific to Windows because batch files are run through cmd.exe, which has complex argument-parsing rules; the Command::arg and Command::args APIs are meant to let untrusted inputs be passed safely to spawned processes, but the escaping was not thorough enough for cmd.exe.

Next is a critical PAN-OS CVE that affects devices with firewall configurations that have a GlobalProtect gateway and device telemetry enabled. CVE-2024-3400 affects PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1. Updates to fully fix this CVE were made available from April 14. Refer to https://security.paloaltonetworks.com/CVE-2024-3400

Change Healthcare's troubles from its previous breach by the ALPHV ransomware group appear not to be over. Per the report, the victim organization was potentially "exit" scammed by ALPHV and is now being pursued by the contractor/affiliate behind the ransomware attack, RansomHub, which is demanding another round of ransom payment; otherwise, it will sell the exfiltrated data to the highest bidder.

X/Twitter had a URL blunder where any link in a post containing the string twitter[.]com had that string replaced with x[.]com; for example, netflitwitter[.]com was converted to netflix[.]com. This behavior has been reversed, and now only twitter[.]com URLs are converted to X[.]com.

Lastly, a round-up of issues from MS, Fortinet, SAP, Cisco, Adobe, and Google/Android.

As in previous TWIS editions, some of these news items are recurrences or follow-ups. In general, keep your systems up to date on software versions, secure access to them, and allow only trusted users and applications to run. Implement layers of protection: updated AV/EDR/XDR on server and end-user systems; firewall/network segmentation rules and IPS to prevent further spread and lateral movement in the event of a ransomware attack (BIG-IP AFM has network firewall and IPS features that you can consider); and a WAF to protect your web applications and APIs (BIG-IP ASM/Advanced WAF, F5 Distributed Cloud Services and NGINX App Protect have security policy configurations and attack signatures that can mitigate known command injection techniques and other web exploitation techniques). End-user security training and awareness, incident response and reporting will help an organization should that first phishing email reach a target end user's mailbox. If it feels "off" and looks suspicious, stop and ponder before clicking.

I hope this edition of TWIS is educational. You can also read past TWIS editions and other content from the F5 SIRT, so check those out as well. Till next time!

Rust rustles up fix for 10/10 critical command injection bug on Windows in std lib

Programmers are being urged to update their Rust versions after the security experts working on the language addressed a critical vulnerability that could lead to malicious command injections on Windows machines.

The vulnerability, which carries a perfect 10-out-of-10 CVSS severity score, is tracked as CVE-2024-24576. It affects the Rust standard library, which was found to be improperly escaping arguments when invoking batch files on Windows using the library's Command API – specifically, std::process::Command.

"An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping," said Pietro Albini of the Rust Security Response Working Group, who wrote the advisory.

The main issue seems to stem from Windows' CMD.exe program, which has more complex parsing rules, and Windows can't execute batch files without it, according to the researcher at Tokyo-based Flatt Security who reported the issue.

Albini said Windows' Command Prompt has its own argument-splitting logic that works differently from the usual Command::arg and Command::args APIs provided by the standard library, which typically allow untrusted inputs to be safely passed to spawned processes.

"On Windows, the implementation of this is more complex than other platforms, because the Windows API only provides a single string containing all the arguments to the spawned process, and it's up to the spawned process to split them," said Albini. "Most programs use the standard C run-time argv, which in practice results in a mostly consistent way arguments are split.

"Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution."

https://www.theregister.com/2024/04/10/rust_critical_vulnerability_windows/
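An added example, not the Rust project's code nor the fix it shipped: a conservative pre-flight check that refuses to hand cmd.exe metacharacters to a batch file at all, rather than trying to out-escape cmd.exe's parser. The function names and the metacharacter list are assumptions of this example.

```rust
use std::path::Path;
use std::process::Command;

// Characters cmd.exe treats specially: a quote can end the quoted argument,
// & | < > ( ) chain or redirect commands, % and ! trigger variable expansion,
// ^ is cmd.exe's escape character, and line breaks end the command line.
// This list is an assumption of the example, not the standard library's.
const CMD_METACHARS: &[char] = &['"', '%', '!', '^', '&', '|', '<', '>', '(', ')', '\r', '\n', '\0'];

/// True when `program` would be launched through cmd.exe (a .bat or .cmd file).
pub fn is_batch_file(program: &str) -> bool {
    Path::new(program)
        .extension()
        .and_then(|e| e.to_str())
        .map(|e| e.eq_ignore_ascii_case("bat") || e.eq_ignore_ascii_case("cmd"))
        .unwrap_or(false)
}

/// Err(c) with the first offending character if `arg` must not reach a batch file.
pub fn check_batch_arg(arg: &str) -> Result<(), char> {
    match arg.chars().find(|c| CMD_METACHARS.contains(c)) {
        Some(c) => Err(c),
        None => Ok(()),
    }
}

/// Build (but do not spawn) a Command; refuse if the target is a batch file and
/// any argument fails the check. Non-batch programs are passed through unchanged,
/// since Command::arg's normal escaping is sufficient for them.
pub fn safe_command(program: &str, args: &[&str]) -> Result<Command, String> {
    if is_batch_file(program) {
        for a in args {
            if let Err(c) = check_batch_arg(a) {
                return Err(format!("refusing to pass {:?} to {}: contains {:?}", a, program, c));
            }
        }
    }
    let mut cmd = Command::new(program);
    cmd.args(args);
    Ok(cmd)
}

fn main() {
    // Constructed sample arguments: a benign one, and one with a quote followed
    // by '&', the shape that lets cmd.exe see a second command once the escaping fails.
    for arg in ["hello world", "\"&echo injected"] {
        match safe_command("build.bat", &[arg]) {
            Ok(_) => println!("accepted {:?}", arg),
            Err(e) => println!("{}", e),
        }
    }
}
```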

It's 2024 and Intel silicon is still haunted by data-spilling Spectre

Intel CPU cores remain vulnerable to Spectre data-leaking attacks, say academics at VU Amsterdam.

We're told mitigations put in place at the software and silicon level by the x86 giant to thwart Spectre-style exploitation of its processors' speculative execution can be bypassed, allowing malware or rogue users on a vulnerable machine to steal sensitive information – such as passwords and keys – out of kernel memory and other areas of RAM that should be off limits.

The boffins say they have developed a tool called InSpectre Gadget that can find snippets of code, known as gadgets, within an operating system kernel that on vulnerable hardware can be abused to obtain secret data, even on chips that have Spectre protections baked in.

InSpectre Gadget was used, as an example, to find a way to side-step FineIBT, a security feature built into Intel microprocessors intended to limit Spectre-style speculative execution exploitation, and successfully pull off a Native Branch History Injection (Native BHI) attack to steal data from protected kernel memory.

"We show that our tool can not only uncover new (unconventionally) exploitable gadgets in the Linux kernel, but that those gadgets are sufficient to bypass all deployed Intel mitigations," the VU Amsterdam team said this week. "As a demonstration, we present the first native Spectre-v2 exploit against the Linux kernel on last-generation Intel CPUs, based on the recent BHI variant and able to leak arbitrary kernel memory at 3.5 kB/sec."

https://www.theregister.com/2024/04/10/intel_cpus_native_spectre_attacks/

From https://download.vusec.net/papers/inspectre_sec24.pdf

2.2 Spectre v2
In 2018, the disclosure of Spectre [29] famously demonstrated how speculation can be used to leak data across security domains. One variant presented in the paper, originally known as Spectre v2 or Branch Target Injection (BTI), shows how speculation of indirect branches can be used to transiently divert the control flow of a program and redirect it to an attacker-chosen location. The attack works by poisoning one of the CPU predictors, the Branch Target Buffer (BTB), which is used to decide where to jump on indirect branch speculation. Initially, mitigations were proposed at the software level and, later, in-silicon mitigations such as Intel eIBRS [5] and ARM CSV2 [12] were added to newer generations of CPUs to isolate predictions across privilege levels.

2.3 Branch History Injection
In 2022, Branch History Injection (BHI) [13] showed that, despite mitigations, cross-privilege Spectre v2 is still possible on latest Intel CPUs by poisoning the Branch History Buffer (BHB). Figure 1 provides a high-level overview of the attack.

In summary, by executing a sequence of conditional branches (H_A and H_V) right before performing a system call, an unprivileged attacker can cause the CPU to transiently jump to a chosen target (T_A) when speculating over an indirect call in the kernel (C_V). This happens because the CPU picks the speculative target for C_V from a shared structure, the BTB, that is indexed using both the address of the instruction and the history of previous conditional branches, which is stored in the Branch History Buffer (BHB). Finding the right combination of histories that will result in a collision can be done with brute-forcing. To ensure the injected target, T_A, contains a disclosure gadget, the original BHI attack relied on the presence of the extended Berkeley Packet Filter (eBPF), through which an unprivileged user can craft code that lives in the kernel.

Figure 2: InSpectre Gadget workflow. The analyst provides a kernel image and a list of target addresses to InSpectre Gadget (1), which performs in-depth inspection to find gadgets that can leak secrets and outputs their characteristics. The gadgets can be filtered (2) based on the available attacker-controlled registers and the mitigations enabled, and used to craft Spectre v2 exploits against the kernel (3).

Zero-day exploited right now in Palo Alto Networks' GlobalProtect gateways

Palo Alto Networks on Friday issued a critical alert for an under-attack vulnerability in the PAN-OS software used in its firewall-slash-VPN products.

The command-injection flaw, with an unwelcome top CVSS severity score of 10 out of 10, may let an unauthenticated attacker execute remote code with root privileges on an affected gateway, which to put it mildly is not ideal. It can, essentially, be exploited to take complete control of equipment and drill into victims' networks.

Updates to fully fix this severe hole are due to arrive by Sunday, April 14, we're told.

CVE-2024-3400 affects PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewall configurations with a GlobalProtect gateway and device telemetry enabled.

Cloud firewalls, Panorama appliances, and Prisma Access are not affected, Palo Alto says.

Zero-day exploitation of this vulnerability was detected on Wednesday by cybersecurity shop Volexity, on a firewall it was monitoring for a client. After an investigation determined that the firewall had been compromised, the firm saw another customer get hit by the same intruder on Thursday.

"The threat actor, which Volexity tracks under the alias UTA0218, was able to remotely exploit the firewall device, create a reverse shell, and download further tools onto the device," the networks security management firm said in a blog post.

"The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organizations."

The intrusion, which begins as an attempt to install a custom Python backdoor on the firewall, appears to date back at least to March 26, 2024.

Palo Alto Networks refers to the exploitation of this vulnerability as Operation MidnightEclipse, which at least is more evocative than the alphanumeric jumble UTA0218. The firewall maker says while the vulnerability is being actively exploited, only a single individual appears to be doing so at this point.

Mitigations include applying a GlobalProtect-specific vulnerability protection, if you're subscribed to Palo Alto's Threat Prevention service, or "temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device."

It urged customers to follow the above security advisory and thanked the Volexity researchers for alerting the company and sharing its findings.

https://www.theregister.com/2024/04/12/palo_alto_pan_flaw/

https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/

https://unit42.paloaltonetworks.com/cve-2024-3400/

Change Healthcare faces second ransomware dilemma weeks after ALPHV attack

Change Healthcare is allegedly being extorted by a second ransomware gang, mere weeks after recovering from an ALPHV attack.

RansomHub claimed responsibility for attacking Change Healthcare in the last few hours, saying it had 4 TB of the company's data containing personally identifiable information (PII) belonging to active US military personnel and other patients, medical records, payment information, and more.

The miscreants are demanding a ransom payment from the healthcare IT business within 12 days or its data will be sold to the highest bidder.

"Change Healthcare and United Health you have one chance in protecting your clients data," RansomHub said. "The data has not been leaked anywhere and any decent threat intelligence would confirm that the data has not been shared nor posted."

The org is alleged to have paid a $22 million ransom to ALPHV following the incident – a claim made by researchers monitoring a known ALPHV crypto wallet and one backed up by RansomHub. However, Change Healthcare has never officially confirmed this to be the case.

If all of the claims are true, it means the embattled healthcare firm is deciding whether to pay a second ransom fee to keep its data safe.

The prevailing theory among infosec watchers is that ALPHV pulled what's known as an exit scam after Change allegedly paid its ransom.

While the ratios vary slightly between gangs, generally speaking, ransomware payments are split 80/20 – 80 percent for the affiliate that actually carried out the attack and 20 percent for the gang itself.

It's believed that ALPHV took 100 percent of the alleged payment from Change Healthcare, leaving the affiliate responsible for the attack without a commission.

Angry and searching for what they believed they were "owed," the affiliate is thought to have retained much of the data it stole and now switched allegiances to RansomHub in one last throw of the dice to earn themselves a payday, or so the theory goes.

UnitedHealth, parent company of Change Healthcare, disclosed a cybersecurity incident on February 22, saying at the time it didn't expect it to materially impact its financial condition or the results of its operations.

It originally suspected nation state attackers to be behind the incident, but the ALPHV ransomware gang later claimed responsibility.

Many of its systems were taken down as a result while it assessed and worked to remediate the damage.

Hospitals and pharmacies reported severe disruption to services following the attack, with many unable to process prescriptions, payments, and medical claims. Cashflow issues also plagued many institutions, prompting the US government to intervene.

The IT biz's data protection standards are soon to be subject to an investigation by the US healthcare industry's data watchdog, which cited the "unprecedented magnitude of this cyberattack" in its letter to Change.

https://www.theregister.com/2024/04/08/change_healthcare_ransomware/

X fixes URL blunder that could enable convincing social media phishing campaigns

Elon Musk's X has apparently fixed an embarrassing issue implemented earlier in the week that royally bungled URLs on the social media platform formerly known as Twitter.

Users started noticing on Monday that X's programmers implemented a rule on its iOS app that auto-changed Twitter.com links that appeared in Xeets to X.com links.

Attackers could feasibly copy legitimate web pages to steal credentials, or skip the trouble and simply use it as a malware-dropping tool, or any number of other possibilities.

The potential for abuse here would be rife, given the number of legitimate, well-known brands most people would blindly trust. Netflix, Plex, Roblox, Clorox, Xerox – you get the picture.

According to tests at Reg towers on Wednesday morning, the issue appears to have been reversed. Netflitwitter[.]com now reads as such, but Twitter.com is auto-changed to X.com.
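The rewrite bug described above, as an added example that is not X's code: a blind substring rule next to a host-aware rule that parses out the host and rewrites only when the host really is twitter.com or a subdomain of it. The helper names and the minimal URL splitting are assumptions of this example.

```rust
/// The flawed rule as the article describes it: replace the substring wherever
/// it appears, so netflitwitter.com is displayed as netflix.com.
pub fn naive_rewrite(url: &str) -> String {
    url.replace("twitter.com", "x.com")
}

/// Byte offsets (start, end) of the host inside `url`, skipping the scheme,
/// userinfo and port and stopping at the path, query or fragment.
/// Minimal splitting for the example, not a full URL parser.
fn host_span(url: &str) -> Option<(usize, usize)> {
    let start = url.find("://")? + 3;
    let rest = &url[start..];
    let auth_end = rest.find(|c: char| matches!(c, '/' | '?' | '#')).unwrap_or(rest.len());
    let authority = &rest[..auth_end];
    let host_start = authority.rfind('@').map(|i| i + 1).unwrap_or(0);
    let host_end = authority[host_start..].find(':').map(|i| host_start + i).unwrap_or(auth_end);
    if host_start == host_end { None } else { Some((start + host_start, start + host_end)) }
}

/// Host-aware rule: rewrite only when the host is twitter.com or ends in .twitter.com;
/// other hosts and query strings that merely mention twitter.com are left alone.
pub fn safe_rewrite(url: &str) -> String {
    let (hs, he) = match host_span(url) {
        Some(span) => span,
        None => return url.to_string(),
    };
    let host = url[hs..he].to_ascii_lowercase();
    if host == "twitter.com" || host.ends_with(".twitter.com") {
        let prefix = &host[..host.len() - "twitter.com".len()];
        format!("{}{}x.com{}", &url[..hs], prefix, &url[he..])
    } else {
        url.to_string()
    }
}

fn main() {
    // Constructed sample links; the second is shaped like the article's example.
    let samples = [
        "https://twitter.com/f5sirt/status/1",
        "https://netflitwitter.com/login",
        "https://www.twitter.com:443/search?q=twitter.com",
    ];
    for u in samples {
        println!("{}\n  naive: {}\n  safe:  {}", u, naive_rewrite(u), safe_rewrite(u));
    }
}
```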

Updated Apr 22, 2024
Version 2.0