Wi-Fi Test Suite Command Injection Vulnerability Found in Arcadyan Routers
A serious security vulnerability has been uncovered in Arcadyan routers, stemming from the unexpected presence of Wi-Fi Alliance’s testing software in production devices.
Security researchers have identified a command injection flaw (CVE-2024-41992) that could allow attackers to gain complete control over affected routers.
The problem is with the Wi-Fi Test Suite, a tool that the Wi-Fi Alliance developed for certification testing. This software, never intended for production use, was found deployed on commercial Arcadyan router models, specifically the FMIMG51AX000J.
According to security experts, successful exploitation of this vulnerability could have severe consequences:
Complete administrative control over affected routers
Ability to modify system configurations
Potential disruption of network services
Possible compromise of network data
Risk of service outages for connected users
Security researchers have found that the Wi-Fi Test Suite, a development tool created by the Wi-Fi Alliance for certification testing, was unexpectedly present on commercial Arcadyan router models, specifically the FMIMG51AX000J.
The issue lies in the tool’s susceptibility to command injection attacks. Attackers can exploit the vulnerability and gain complete control over the devices by sending specially crafted packets to the affected routers.
The Wi-Fi Test Suite listens on TCP ports 8000 and 8080, accepting TLV (Type-Length-Value) packets. Researchers discovered that by manipulating these packets, they could inject malicious commands and achieve remote code execution.
The vulnerability enables unauthorized local attackers to execute commands with root privileges by sending specially crafted network packets to affected devices.
Successful exploitation of this vulnerability grants attackers full administrative access to the affected routers. With this level of control, attackers can modify system configurations, disrupt network services, and potentially compromise the security of all connected devices and users.
During their initial exploitation attempts, the researchers found that some functions accepted only short inputs, and they identified ways around that limit.
By targeting functions that accept larger inputs, such as the “wfaTGSendPing” function, attackers can inject longer, more complex commands.
Noam Rathaus from SSD Disclosure made the initial discovery, and Timur Snoke at CERT/CC documented it.
CERT/CC has issued clear recommendations for addressing this security concern:
Vendors should immediately update the Wi-Fi Test Suite to version 9.0 or later
Alternatively, the test suite should be completely removed from production devices
Network administrators should assess their devices for the presence of this vulnerability
This incident highlights the importance of proper security practices in production environments and the risks of leaving testing tools in deployed devices.
Network administrators and users of Arcadyan routers are urged to check their devices and implement the recommended solutions as soon as possible.
The National Cybersecurity Agency of France (ANSSI) has coordinated this vulnerability with Bouygues Telecom and confirmed that they have deployed a fix on all of their equipment.
The post Wi-Fi Test Suite Command Injection Vulnerability Found in Arcadyan Routers appeared first on Cyber Security News.
Cybercriminals Deploy 100K+ Malware Android Apps to Steal OTP Codes
A new malicious campaign has been observed making use of malicious Android apps to steal users’ SMS messages since at least February 2022 as part of a large-scale campaign.
The malicious apps, spanning over 107,000 unique samples, are designed to intercept one-time passwords (OTPs) used for online account verification to commit identity fraud.
“Of those 107,000 malware samples, over 99,000 of
Microsoft Entra ID (Azure AD) Vulnerability Let Attackers Gain Global Admin Access
Security researchers have uncovered vulnerabilities in Microsoft’s Entra ID (formerly Azure Active Directory) dubbed “UnOAuthorized,” which could allow unauthorized actions beyond expected controls.
The findings, centered on the OAuth 2.0 scope permissions, could have enabled attackers to elevate privileges and persist within Microsoft environments.
The most alarming discovery involved the ability to add and remove users from privileged roles, including the Global Administrator role, the highest level of access in Entra ID.
If exploited, this vulnerability could have allowed threat actors to perform privilege escalation and lateral movement across Microsoft 365, Azure, and connected SaaS applications.
The discovery required the initiator to hold the Application Administrator or Cloud Application Administrator role in Entra ID. Despite their privileged status, these roles are often not treated with the necessary security precautions, making them attractive targets for attackers.
According to the research team at Semperis, the vulnerability was discovered in the OAuth 2.0 scope (permissions) of Entra ID, which enabled attackers to perform actions beyond expected authorization controls. The most concerning discovery involved the ability to add and remove users from privileged roles, including the Global Administrator role.
The research team found that select Microsoft application service principals were allowed to perform certain actions that were not defined in the list of authorized permissions.
This enabled attackers to perform privileged actions, such as adding a user to the Global Administrator role, without appearing to have permission to do so.
The vulnerability was discovered in several Microsoft applications, including Viva Engage (Yammer), Microsoft Rights Management Service, and Device Registration Service. MSRC classified the Device Registration Service finding as an important severity vulnerability, as it allowed attackers to modify the membership of privileged roles, including the Global Administrator role.
“In Entra ID, customers can assign credentials to most Microsoft application service principals. We used this to assign a credential to the Device Registration Service, allowing us to access Microsoft Graph as that service,” Semperis researchers said.
The research showed that specific Microsoft application service principals could perform privileged actions without holding explicitly authorized permissions, illustrated by the following:
Adding a user to the Global Administrator role as the Device Registration Service.
Empty scopes (permissions) for the Device Registration Service.
Entra ID audit log results showing successful role management.
While it remains unclear if any organizations were compromised via these vulnerabilities, the potential impact was extensive. Attackers could have used the access to install persistent threats or manipulate role assignments undetected.
Organizations are advised to scrutinize their Entra ID audit logs and check for any suspicious credentials on service principals, particularly those associated with the Device Registration Service.
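As an added illustration of the audit advice above (example code written for this article, not Semperis or Microsoft tooling): a Python check over constructed records shaped like Microsoft Graph servicePrincipal and directoryAudit objects. The field names are assumed from the Graph schema, the Microsoft Services tenant id is the well-known owner of first-party applications, and every sample value is made up.

```python
import json

# Well-known tenant id that owns Microsoft first-party applications.
MICROSOFT_SERVICES_TENANT = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Constructed sample shaped like Graph servicePrincipal objects (not real data).
SAMPLE_SERVICE_PRINCIPALS = [
    {"displayName": "Device Registration Service", "appOwnerOrganizationId": MICROSOFT_SERVICES_TENANT,
     "passwordCredentials": [{"displayName": "added-by-unknown"}], "keyCredentials": []},
    {"displayName": "Microsoft Graph", "appOwnerOrganizationId": MICROSOFT_SERVICES_TENANT,
     "passwordCredentials": [], "keyCredentials": []},
    {"displayName": "Contoso Billing App", "appOwnerOrganizationId": "11111111-2222-3333-4444-555555555555",
     "passwordCredentials": [{"displayName": "prod"}], "keyCredentials": []},
]

def first_party_sps_with_credentials(sps):
    """Microsoft-owned service principals normally carry no tenant-added credentials; flag any that do."""
    return [sp["displayName"] for sp in sps
            if sp.get("appOwnerOrganizationId") == MICROSOFT_SERVICES_TENANT
            and (sp.get("passwordCredentials") or sp.get("keyCredentials"))]

# Constructed sample shaped like Graph directoryAudit events (not real data).
SAMPLE_AUDIT_EVENTS = [
    {"activityDisplayName": "Add member to role", "result": "success",
     "initiatedBy": {"app": {"displayName": "Device Registration Service"}, "user": None},
     "targetResources": [{"userPrincipalName": "victim@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    {"activityDisplayName": "Add member to role", "result": "success",
     "initiatedBy": {"app": None, "user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"userPrincipalName": "helpdesk@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Helpdesk Administrator\""}]}]},
]

def privileged_role_changes_by_apps(events):
    """Return (app, role, target) for privileged-role membership changes initiated by an app, not a user."""
    hits = []
    for ev in events:
        app = (ev.get("initiatedBy") or {}).get("app")
        if not app or ev.get("activityDisplayName") not in ("Add member to role", "Remove member from role"):
            continue
        for target in ev.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") != "Role.DisplayName":
                    continue
                role = json.loads(prop.get("newValue") or prop.get("oldValue"))  # Graph JSON-encodes the value
                if role in PRIVILEGED_ROLES:
                    hits.append((app["displayName"], role, target.get("userPrincipalName")))
    return hits
```

Against real data, feed the output of the Graph servicePrincipals and directoryAudits endpoints into the two functions and review every hit, since a first-party service principal should have no tenant-added credential and should not be changing privileged role membership.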
Upon uncovering these vulnerabilities, Semperis promptly reported the findings to the Microsoft Security Response Center (MSRC).
Microsoft has since implemented additional controls to restrict the use of credentials on service principals, significantly reducing the risk of unauthorized access.
To mitigate risks, organizations should treat Application Administrators and Cloud Application Administrators with the same level of security as Global Administrators.
Implementing best practices such as privilege separation, privileged access workstations, and strong, phishing-resistant authentication is crucial.
The discoveries underscore the importance of continuous monitoring and robust security practices in safeguarding digital environments. Semperis and Microsoft continue to enhance security measures to protect users from emerging threats.
The post Microsoft Entra ID (Azure AD) Vulnerability Let Attackers Gain Global Admin Access appeared first on Cyber Security News.