EU member states request permission to surveil journalists. Vacant US cyber leadership position fuels worries from experts.
DOJ announces new unit devoted to foreign cyberactivity.
Linux version of TargetCompany ransomware focuses on VMware ESXi
Researchers observed a new Linux variant of the TargetCompany ransomware family that targets VMware ESXi environments using a custom shell script to deliver and execute payloads. […]
MobSF Pen-Testing Tool Input Validation Flaw Leads to SSRF
The Mobile Security Framework (MobSF), a widely used pen-testing, malware analysis, and security assessment framework, has been found to contain a critical input validation flaw that could lead to server-side request forgery (SSRF) attacks.
The vulnerability, tracked as CVE-2024-29190, affects MobSF version 3.9.5 Beta and prior.
While investigating the “App Link assetlinks.json file could not be found” vulnerability, the Trendyol Application Security team discovered that MobSF sends a GET request to the “/.well-known/assetlinks.json” endpoint for every host specified with `android:host` in the AndroidManifest.xml file.
However, due to a lack of input validation when extracting hostnames from the `android:host` attribute, MobSF could inadvertently send requests to local hostnames, potentially leading to SSRF.
GitHub has recently published a blog post regarding a Server-Side Request Forgery (SSRF) vulnerability that affects the assetlinks_check functionality.
The `android:host` is defined as “192.168.1.102/user/delete/1#” in the example above.
Appending the “#” character to the host value is what makes this work: everything after “#” becomes a URL fragment, so the “/.well-known/assetlinks.json” suffix is never sent and the request goes to the path specified before it.
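The following is an added example, written for this page and not taken from MobSF or from the hotfix commit, of how a scanner can validate `android:host` values before fetching assetlinks.json. It assumes a hypothetical policy (a host must be a bare multi-label DNS name or a globally routable IP literal), uses a constructed sample manifest, and also shows, via `urlsplit`, where naive string concatenation would actually send a request when the host contains “#”:

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
# Require at least two labels so single-label names like "localhost" are excluded.
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def is_safe_android_host(value: str) -> bool:
    """Return True only if value is a bare public host suitable for an
    assetlinks.json lookup (hypothetical policy, not MobSF's own)."""
    if not value or len(value) > 253:
        return False
    # A host attribute must be a single token: any path, fragment, query,
    # userinfo or port separator means the value is not a plain hostname.
    # (':' also rejects IPv6 literals; this policy does not accept them.)
    if any(ch in value for ch in "/#?@:\\ \t"):
        return False
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        addr = None
    if addr is not None:
        # IP literals: only globally routable unicast addresses are allowed,
        # which excludes loopback, RFC 1918, link-local (169.254.0.0/16,
        # where cloud metadata services live) and multicast ranges.
        return addr.is_global and not addr.is_multicast
    if not _HOSTNAME_RE.match(value):
        return False
    # Names that conventionally resolve to the scanner's own machine.
    return value.lower() not in ("localhost", "localhost.localdomain")


def assetlinks_url(host: str) -> str:
    """Build the well-known URL only after the host passes validation."""
    if not is_safe_android_host(host):
        raise ValueError(f"rejected android:host value: {host!r}")
    return f"https://{host}/.well-known/assetlinks.json"


def effective_target(host: str) -> str:
    """Show where naive concatenation would really send the request:
    a '#' inside the host turns the well-known suffix into a URL fragment."""
    parts = urlsplit(f"https://{host}/.well-known/assetlinks.json")
    return parts.netloc + parts.path


def hosts_from_manifest(xml_text: str) -> list:
    """Collect every android:host declared on <data> elements."""
    root = ET.fromstring(xml_text)
    key = f"{{{ANDROID_NS}}}host"
    return [el.attrib[key] for el in root.iter("data") if key in el.attrib]


def audit_manifest(xml_text: str) -> dict:
    """Map each declared host to whether it would be safe to fetch."""
    return {h: is_safe_android_host(h) for h in hosts_from_manifest(xml_text)}


# Constructed sample manifest (not from the advisory). The second host is the
# malformed value quoted in the article; the third points at the scanner itself.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="https" android:host="example.com"/>
        <data android:scheme="https" android:host="192.168.1.102/user/delete/1#"/>
        <data android:scheme="https" android:host="localhost"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for host, ok in audit_manifest(SAMPLE_MANIFEST).items():
        verdict = "fetch " + assetlinks_url(host) if ok else "REJECT"
        print(f"{host!r:45} -> {verdict} (naive target: {effective_target(host)})")
```

Validating the string is necessary but not sufficient: a syntactically clean public name can still resolve to an internal address, so a scanner that runs inside a trusted network should additionally check the resolved address at connect time (or pin it, to avoid DNS rebinding) and run with egress filtering that blocks RFC 1918, loopback and link-local destinations.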
Proof of Concept (PoC)
A proof of concept video demonstrating the SSRF vulnerability has been made available by the Trendyol Application Security team.
The SSRF vulnerability poses a significant risk as it allows an attacker to cause the server to make unauthorized connections to internal-only services within an organization’s infrastructure.
This could lead to the exposure of sensitive internal systems and data.
Mitigation and Hotfix
A hotfix for this issue has been implemented in commit 5a8eeee73c5f504a6c3abdf2a139a13804efdb77.
Users of MobSF are urged to update to the latest version to mitigate the risk associated with CVE-2024-29190.
The discovery of CVE-2024-29190 highlights the importance of thorough input validation in software development, especially in security-critical applications like MobSF.
Organizations relying on MobSF for their security assessments should take immediate action to apply the hotfix and protect their infrastructure from potential SSRF attacks.
The AI Fix #32: Agentic AI, killer robot fridges, and the robosexual revolution
In episode 32 of The AI Fix, our hosts learn the meaning of “poronkusema”, Mark discovers his dream job, a school tries using AI instead of teachers, the “Godfather of AI” says AI will see us as toddlers, and Graham lifts the lid on the hidden threat of killer robot fridges.
Mark explains why 2025 is the year of the autonomous AI agent, and Graham investigates the robosexual revolution, and the claim that robots will be more popular than men in the bedroom this year.
All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.