expert-profile | Information Security Buzz

Satnam Narang

Senior Research Engineerfeature_status*/ ?>

Tenable

Comments Dotted : 18

April 14, 2021

Security Researcher “Chrome 0day” Tweet – Expert Insight

We strongly encourage users and organizations alike to ensure they are patching their browsers like Chrome and Edge as soon as possible.

There are reports of a 1-day vulnerability in the V8 JavaScript engine used by Google Chrome and Microsoft Edge (Chromium). This vulnerability was disclosed on social media on April 12 but appears to be the same flaw that was reported during the Pwn2Own contest held earlier this month. The known vulnerability has been patched in the V8 engine, but yet to be patched in both Chrome and Edge.

While it is concerning that details about a vulnerability in popular web browsers has been publicly

While it is concerning that details about a vulnerability in popular web browsers has been publicly disclosed, the cause for concern dissipates when you consider that the vulnerability by itself cannot escape Google’s sandbox. This means that an attacker could not compromise the underlying operating system or access confidential information. It’s sort of like clapping your hands; you can’t truly clap with just one hand, you need both. Similarly, in this instance, an attacker would need to chain this V8 vulnerability with a second vulnerability to escape the sandbox.

Despite that, we strongly encourage users and organizations alike to ensure they are patching their browsers like Chrome and Edge as soon as possible, as unpatched browsers and systems are ripe targets for cybercriminals and advanced persistent threat groups.

Read Less

March 31, 2021

Chained Vulnerabilities in VMware vRealize Operations Could Lead to Unauthenticated Remote Code Execution

his vulnerability is post-authentication, meaning an attacker needs to be authenticated with administrative credentials in order to exploit this flaw.

Researchers have disclosed a pair of vulnerabilities in VMware’s vRealize Operations (vROPs). The most severe flaw, CVE-2021-21975, is a server-side request forgery (SSRF) vulnerability in the vROPs Manager API. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable vROPs Manager API endpoint. Successful exploitation would result in the attacker obtaining administrative credentials.

VMware also patched CVE-2021-21983, an

VMware also patched CVE-2021-21983, an arbitrary file write vulnerability in the VROPs Manager API, which can be used to write files to the underlying operating system. This vulnerability is post-authentication, meaning an attacker needs to be authenticated with administrative credentials in order to exploit this flaw.

While on their own, these vulnerabilities may not seem as severe as CVE-2021-21972, a remote code execution vulnerability in VMware’s vCenter Server that was patched in February. However, if attackers chain both CVE-2021-21975 and CVE-2021-21983 together, they could also gain remote code execution privileges.

VMware has provided patches for both flaws across vROPs Manager versions 7.5.0 through 8.3.0. They’ve also provided a temporary workaround to prevent attackers from exploiting these flaws. The workaround should only be used as a temporary stop-gap until organizations are able to plan for applying the patches.

Read Less

March 03, 2021

Microsoft Multiple 0-Day Attack – Tenable Comment

We expect other threat actors to begin leveraging these vulnerabilities in the coming days and weeks.

Four zero-day vulnerabilities in Exchange Server have been exploited in the wild by a nation-state threat actor called HAFNIUM. The fact that Microsoft chose to patch these flaws out-of-band rather than include them as part of next week’s Patch Tuesday release leads us to believe the flaws are quite severe even if we don’t know the full scope of those attacks.

While Microsoft says that HAFNIUM primarily targets entities within the United States, other researchers say they have seen these

While Microsoft says that HAFNIUM primarily targets entities within the United States, other researchers say they have seen these vulnerabilities being exploited by different threat actors targeting other regions.

Based on what we know so far, exploitation of one of the four vulnerabilities requires no authentication whatsoever and can be used to potentially download messages from a targeted user’s mailbox. The other vulnerabilities can be chained together by a determined threat actor to facilitate a further compromise of the targeted organization’s network.

We expect other threat actors to begin leveraging these vulnerabilities in the coming days and weeks, which is why it is critically important for organizations that use Exchange Server to apply these patches immediately.

Read Less

February 25, 2021

VMware Advisory – Expert Comment

There are confirmed reports that attackers are probing for vulnerable vCenter Server systems.

At least four proof-of-concept exploit scripts for CVE-2021-21972, a critical remote code execution flaw in VMWare’s vCenter Server solution are currently available. We know that the availability of proof-of-concept code or exploit scripts following the publication of a critical vulnerability is a boon for threat actors.

While some cyber criminals may be adept at developing their own proof-of-concept exploits, threat actors are keen on leveraging what’s publicly available, as evidenced in

While some cyber criminals may be adept at developing their own proof-of-concept exploits, threat actors are keen on leveraging what’s publicly available, as evidenced in the Copy Paste Compromises report from the Australian Cyber Security Centre in June 2020 that arrived at the same conclusion.

There are confirmed reports that attackers are probing for vulnerable vCenter Server systems. According to a Shodan search, there are over 6,700 publicly accessible vCenter Servers. Coupled with the availability of these exploit scripts, it is all the more imperative for organizations to apply the available patches immediately instead of relying on temporary workarounds.

Read Less

February 24, 2021

Security A Glaring Issue For Chatroom App Clubhouse After Conversations Were Breached

Despite the exclusivity of Clubhouse being available on an invite-only basis and limited to iOS devices.

Despite the exclusivity of Clubhouse being available on an invite-only basis and limited to iOS devices, its popularity has surged over the last year. Therefore, it is unsurprising to see that individuals have found a way to reverse engineer the Clubhouse API and subsequently publish open source tools that can be used to extract audio from rooms and ultimately develop a clone of the app for Android devices.

In this case, the user's intentions were clear: they wanted to use the application

In this case, the user's intentions were clear: they wanted to use the application without the need for an iOS device. However, there could be other more nefarious individuals out there who might snoop in on conversations and/or speak as ghost users (not visible in a room, but able to chat) in both public and private rooms, infringing on what legitimate users believe is a limited audience.

There is also the likelihood of vulnerabilities lingering throughout the platform that have yet to be discovered and disclosed. We hope that Clubhouse will introduce an official vulnerability disclosure process so that researchers can help Clubhouse secure its growing platform and, ultimately, its users.

Read Less

November 12, 2020

Experts Reacted Microsoft’s New Patch Tuesday Format: “A Bad Move” And “Disappointing”

Chaining vulnerabilities is an important tactic for threat actors.

This month’s Patch Tuesday includes fixes for 112 CVEs, 17 of which are rated critical. This is a return to form for Microsoft, as the company ended a streak of patching over 100 CVEs last month when they patched 87 CVEs. One of the most notable fixes in this month’s release is for CVE-2020-17087, an elevation of privilege vulnerability in the Windows Kernel that was exploited in the wild as part of a vulnerability chain with CVE-2020-15999, a buffer overflow vulnerability in the FreeType 2 library used by Google Chrome. The elevation of privilege vulnerability was used to escape Google Chrome’s sandbox in order to elevate privileges on the exploited system. This is the second vulnerability chain involving a Google Chrome vulnerability and a Windows vulnerability that was exploited in the last year. Chaining vulnerabilities is an important tactic for threat actors. While both CVE-2020-15999 and CVE-2020-17087 were exploited in the wild as zero-days, the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory with the FBI last month that highlighted threat actors chaining unpatched vulnerabilities to gain initial access into a target environment and elevate privileges. Even though Google and Microsoft have now patched these flaws, it is imperative for organisations to ensure they’ve applied these patches before threat actors begin to leverage them more broadly. Read Less

October 08, 2020

Multiple Vulnerabilities In HP Device Manager – Expert Insight

HP Device Manager is a popular software solution used to manage HP Thin Clients remotely.

HP Device Manager is a popular software solution used to manage HP Thin Clients remotely. The three vulnerabilities disclosed in HP’s recent security bulletin by themselves are notable. However, a pair of the flaws, CVE-2020-6926 and CVE-2020-6927, when combined could allow an attacker to gain remote command execution on the vulnerable system through the HP Device Manager. HP has so far released patches for the 5.0.x branch of HP Device Manager, so organizations using this particular branch release should upgrade to 5.0.4 as soon as possible. If an organization is using a previous version of HP Device Manager, there are mitigation steps in HP’s security bulletin that can be taken to protect against these attacks until a patch becomes available. Read Less

May 19, 2020

Industry Experts On Verizon DBiR 2020

Ransomware increased by 2.6% from last year, landing at number three in most common Malware breach.

The findings in the Data Breach Investigations Report (DBIR) 2020 show that while attack vectors may fluctuate over time, cybercriminals often set their sights on low-hanging fruit. Zero-days may garner most of the attention, but foundational cyber hygiene issues enable most breaches. The motivation for cybercriminals is primarily financial. As the Cybersecurity and Infrastructure Security Agency (CISA) recently underscored in a recent report about the top 10 routinely exploited vulnerabilities, cybercriminals focus their efforts on exploiting unpatched vulnerabilities. It’s a cost-effective measure that provides the most bang for the buck, because they don’t have to spend the capital needed to acquire zero-day vulnerabilities when there are so many unpatched systems to take advantage of. As the DBIR notes, even if a newly-discovered vulnerability wasn’t patched in a network, those same systems would likely also be vulnerable to a plethora of other vulnerabilities, which signifies a lack of basic cyber hygiene. Ransomware increased by 2.6% from last year, landing at number three in the most common Malware breach variety, while also taking the number two spot for most common malware incident variety, according to the DBIR. What’s changed in that time is that ransomware isn’t solely devoted to encrypting files anymore. Cybercriminals have escalated their attacks to another level, siphoning off sensitive information from organizations whose files they’ve encrypted. These cybercriminals threaten to publish this sensitive information publicly, often publicly sharing a teaser of files from organizations they’ve compromised. The belief is that naming and shaming these victims would encourage them to pay the ransom demand, and in many cases, that’s proven to be true. Another notable finding is that 43% of breaches involved web applications. This is often fueled by the exploitation of some of the most common vulnerabilities, such as SQL injection or PHP injection flaws. As more and more businesses have migrated to the cloud, their attack surface increases, especially with respect to web applications. The DBIR notes that web applications along with email application servers were involved in 73% of cloud breaches, while most of those were the result of breached credentials. Read Less

April 28, 2020

Comment: Symlink Race Bugs Discovered In 28 Antivirus Products

To successfully exploit these flaws, timing is of the essence as the flaws rely on a race condition.

To weaponise the “symlink race” flaws found in 28 popular antivirus products, attackers would first need to establish a local presence on the victim’s system or include the malicious code as part of malware to create a directory junction (Windows) or symlink (macOS/Linux). This code could be used to remove important system files including those associated with the operating system or antivirus software itself. In doing so, the machine may be rendered useless or the antivirus product would be disarmed. To successfully exploit these flaws, timing is of the essence as the flaws rely on a race condition. However, researchers found in some cases that timing wasn’t necessary if the malicious code was continually running over and over, it would eventually lead to successful exploitation. It’s positive that most of the vendors have worked to address this particular issue in their products. Unfortunately, because antivirus software runs with the highest privileges on the operating system, it will continue to be a high-value target for cybercriminals. Read Less

April 23, 2020

Expert Insight On iPhone Zero-Day Hack Found In The Wild

Exploitation of these flaws would allow an attacker to leak, modify or delete emails within the Mail application.

The recent disclosure that multiple zero-days in the Apple iOS Mail application were exploited in the wild is significant and noteworthy. One of the flaws can be exploited without user interaction (also known as zero click) on iOS 13. The vulnerabilities also affect iOS 12, though interaction is required in most cases. Exploitation of these flaws would allow an attacker to leak, modify or delete emails within the Mail application. However, the researchers note that combining these flaws with an unpatched kernel vulnerability would provide an attacker with full device access, though that information has not been identified as of yet. While Apple has issued fixes for these flaws in the beta version of iOS 13.4.5, devices are still vulnerable until the final version of iOS 13.4.5 is readily available to all iOS device owners. In the interim, the only mitigation for these flaws is to disable any email accounts that are connected to the iOS Mail application, and use an alternative application, such as Microsoft Outlook or Google’s GMail. Read Less