There is vulnerability in many Hyundai and Kia vehicles, where the ignition switch can be bypassed with a USB cable. And it’s getting a patch rollout right now, but it’s not a USB vulnerability, in quite the way you might think. In most cars, the steering column is easily disassembled, but these vehicles have an extra-bad design problem. The ignition cylinder can be disassembled while locked, just by depressing a pin.
Physical security has some parallels to computer security, and one such parallel is that good security can often be bypassed by a simple mistake. When it comes to lock design, one such potential bypass is the ability to disassemble a lock while it’s still locked. And somehow, Kias after 2010, and Hyundais after 2015 were made with exactly this flaw. The lock could be disassembled, and the interface between the lock and the ignition switch just happens to be the right shape and size for USB A. Oh, and these cars don’t have an engine immobilizer — there isn’t a chip built into the keys for extra security.
The problem became widespread late last year when the flaw went viral on TikTok, and thousands of copycat crimes were inspired. Beyond the obvious problem, that teenagers were getting an early start on a life of crime with grand theft auto, there were at least 8 deaths directly attributed to the inane stunt. And this brings us back to this week’s news, that a software update is rolling out to address the issue.
Honestly, I have questions. A software update doesn’t add in-key security chips. At best, it could attempt to detect the key position, and sabotage the engine management control, in an ad-hoc immobilizer. That’s likely a paper clip-turned-jumper away from being bypassed. The other new feature, doubling the alarm time from 30 second to a minute, doesn’t inspire much confidence. Hopefully the changes are enough to kill the trend.
Reddit Gets Phished
On February 5th, a Reddit employee fell for a phishing attack, handing both credentials and a 2FA token over to an attacker. This exposed internal documentation, code, and dashboards. While falling for the initial phish, the unfortunate employee was sharp enough to realize what had happened, and inform Reddit security shortly after.
(Phishing happens. If it happens to you, call the right person as soon as you realize it. It’s not hard for security to backtrack the breach, and figure out who’s credentials were used. It’s far better for everyone to deal with the problem head on as soon as possible.)
It seems like the breach and lockdown were all pulled off within a day, and it doesn’t look like any private user data was accessed. While a breach is never a good thing, this looks to be a textbook good response to such a problem, including an Ask Me Anything by the CTO after the announcement. How very Reddit.
Word and PEAP
Microsoft just lifted the lid on a pair of high-severity vulnerabilities, CVE-2023-21689 and CVE-2023-21716. The first one is a Remote Code Execution (RCE) in PEAP, the Protected Extensible Authentication Protocol. That’s a WiFi technology, so each user can be authenticated upon connection to the wireless network. That’s both good news and bad news. The good news is that this isn’t a service generally exposed to the internet. The bad news is that it’s part of the authentication process for enterprise WiFi. It appears that an attacker with a working exploit would simply need to get close enough to attempt a wireless connection. Send the exploit as part of the authentication process, and it’s code execution on the authentication server.
The other problem is in Microsoft Word, in handling Rich Text Format documents. This also leads to code execution, and Microsoft’s guidance warns that the preview pane is enough to trigger the vulnerability. The real danger is an email containing RTF, with that code potentially getting auto-run when viewing the email. There are SharePoint patches available as well. Both of these vulnerabilities have the potential to be quite serious, particularly for enterprise networks.
CVE-2023-0669 is a serious pre-auth vulnerability in the Fortra GoAnywhere Managed File Transfer solution. Version 7.1.2 has been released to fix the issue, but there are reports of active exploitation, with the Clop ransomware gang claiming to have compromised about 130 such endpoints.
The problem is deserialization. The GoAnywhere appliance is written in Java, and it’s the licensing endpoint with the vulnerability. Making this issue worse is that the endpoint is vulnerable to Cross-Site Request Forgery. So it doesn’t take an administrative panel exposed to the internet, just a browser redirect or link in a phishing email — given the attacker knows enough about the target network to craft the payload.
PLCs and Lateral Movement
Forescout has published yet another set of vulnerabilities in Programmable Logic Controllers. This is part of their earlier OT:ICEFALL research.
The new vulnerabilities are in Schneider Electric Modicon devices. CVE-2022-45788 is an arbitrary code execution, triggered by an undocumented Modbus command. And CVE-2022-45789 is a way to bypass authorization and run those Modbus commands. This allows for a really sneaky trick, what Forescout calls “deep lateral movement”, using the PLC devices themselves as a pivot point, and compromising devices that aren’t connected to the outside network. They use a new term I find quite clever, “network crawl space”, to describe the unexpected connection pathways used in the example attack. Tip of the hat to [Herr Brain] for pointing this story out on our Discord.
Bits and Bytes
Ever wish there was a single tool to search for security presentations? That’s exactly what we have this week with Hack Dojo. Doing research on PLC hacks? There are six presentations on file on that topic. Trying to remember who ran doom on a tractor? There’s one presentation that comes up when searching for “tractor”. There are over 1500 presentations with video available to peruse.
Researchers at Phylum have discovered yet another malware campaign pushing malicious packages onto the PyPI repository. It’s typosquatting on more than 450 packages, many mimicking cryptocurrency and finance-related packages. The malware payload is obscured with an interesting technique, which installs a browser extension on any machine where it runs. That extension watches for cryptocurrency wallet addresses in the clipboard, and replaces the address with one controlled by the malware authors.
The TerraMaster NAS platform had a pair of vulnerabilities that together allowed remote code execution over the network. The first is an information leak — the
mobile/webNasIPS endpoint doesn’t require any authentication, and returns way too much information. One of those information fields is actually a hash of the system’s admin password. Guess what some of the other endpoints use to authorize requests? Yep, that exact hashed password, along with some other discoverable bits of information. Patches are available.
While the researchers at Trail of Bits were auditing
curl, somebody jokingly asked if they had tried
curl AAAAAAAAA... yet. They say that the best humor has some truth to it, and it turns out that applies to security research, too. Fuzzing the
curl command line interface turned up a handful of vulnerabilities, many of which had their root in the
libcurl library itself. The writeup is a good overview of fuzzing techniques, and the full audit report is linked there as well. Enjoy!