Microsoft warned customers today that multiple editions of Windows 11, version 21H2, will reach the end-of-service (EOS) in three months, on October 10, 2023. […] Read More
BleepingComputer
WinRAR Flaw Let Attackers Deceive Users with ANSI Escape Sequences
A screen-output spoofing vulnerability has been disclosed in WinRAR, a popular file compression and archiving utility for Windows.
The flaw, tracked as CVE-2024-36052, affects WinRAR versions prior to 7.00 and allows attackers to spoof the screen output using ANSI escape sequences.
The issue arises from WinRAR’s lack of proper validation and sanitization of file names within ZIP archives. Siddharth Dushantha identified the vulnerability.
When a specially crafted ZIP archive containing a file whose name includes ANSI escape sequences is listed or extracted with WinRAR, the application does not strip or neutralize those sequences.
Instead, they are rendered as control codes rather than shown as literal characters, allowing attackers to manipulate the displayed file name and potentially trick users into running malicious files.
ANSI escape sequences are special codes used to control the formatting and appearance of text in command-line interfaces and terminals. Most sequences start with an ASCII escape character (ESC, 0x1B) followed by a left bracket ([), the Control Sequence Introducer, and are embedded inline in the text.
By crafting malicious archives containing these sequences, attackers can manipulate the displayed output and deceive users into believing they are opening a harmless file, such as a PDF or image.
When a user attempts to open the seemingly benign file from within WinRAR, the vulnerability is triggered by improper handling of the file name and its extension.
Instead of launching the expected file, the ShellExecute call WinRAR makes receives an incorrect parameter and executes a hidden malicious script, such as a batch file (.bat) or command script (.cmd), Dushantha said.
This script can then install malware on the victim's device while displaying the decoy document to avoid raising suspicion.
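As an added example (not code from the original article or from Dushantha's research), the following Python script shows the underlying trick on a constructed ZIP archive: the member name `report.pdf<ESC>[8m.bat` is a batch file to the operating system, but a display that honours the ANSI conceal attribute shows only `report.pdf`. The script flags members whose names contain control characters, simulates what an ANSI-aware terminal would render, escapes the name for safe display, and reports the extension the OS will actually act on. The sample archive, its file names and the two escape sequences modelled are assumptions chosen for illustration.

```python
import io
import os
import re
import zipfile

# C0 and C1 control characters. A legitimate archive member name never needs
# them; ESC (0x1B) followed by '[' is the start of an ANSI CSI sequence.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")

# ECMA-48 CSI: ESC '[' parameter bytes (0x30-0x3F), intermediate bytes
# (0x20-0x2F), final byte (0x40-0x7E); e.g. ESC[8m (conceal), ESC[2K (erase line).
CSI_SEQUENCE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")

# Constructed sample name (assumption): the file system sees 'report.pdf<ESC>[8m.bat',
# so the real extension is .bat, but a terminal honouring ESC[8m shows only 'report.pdf'.
CRAFTED_NAME = "report.pdf\x1b[8m.bat"


def build_crafted_zip() -> bytes:
    """Constructed sample archive: one deceptively named .bat plus a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CRAFTED_NAME, "@echo off\r\ncalc.exe\r\n")
        zf.writestr("readme.txt", "benign\n")
    return buf.getvalue()


def find_suspicious_names(zip_bytes: bytes) -> list:
    """Return (member name, reason) for every entry whose name carries control characters."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if CONTROL_CHARS.search(info.filename):
                reason = "ansi-csi" if CSI_SEQUENCE.search(info.filename) else "control-char"
                findings.append((info.filename, reason))
    return findings


def terminal_view(name: str) -> str:
    """Simulate what an ANSI-aware terminal would display for the name.

    Models only the tricks the sample relies on: ESC[8m conceals text until
    ESC[0m or ESC[28m, and ESC[2K erases everything already on the line.
    Every other CSI sequence is dropped, which is exactly what makes it invisible.
    """
    shown, concealed, pos = [], False, 0
    while pos < len(name):
        m = CSI_SEQUENCE.match(name, pos)
        if m:
            seq = m.group()
            if seq == "\x1b[8m":
                concealed = True
            elif seq in ("\x1b[0m", "\x1b[28m"):
                concealed = False
            elif seq == "\x1b[2K":
                shown.clear()
            pos = m.end()
            continue
        if not concealed:
            shown.append(name[pos])
        pos += 1
    return "".join(shown)


def safe_display(name: str) -> str:
    """Escape control characters so the name can be printed without being interpreted."""
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), name)


def real_extension(name: str) -> str:
    """The extension the OS will act on, regardless of how the name renders."""
    return os.path.splitext(name)[1].lower()


if __name__ == "__main__":
    for name, reason in find_suspicious_names(build_crafted_zip()):
        print(f"[{reason}] looks like: {terminal_view(name)!r}"
              f"  really: {safe_display(name)}  extension: {real_extension(name)}")
```

The check that matters for an archiver or any tool that echoes untrusted names is the one in `safe_display`: render control characters as escapes instead of passing them to the console, and decide what to execute from the name the OS sees, not from what was drawn on screen.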
It’s important to note that this vulnerability is specific to WinRAR on Windows and differs from CVE-2024-33899, which affects WinRAR on Linux and UNIX platforms.
WinRAR’s Linux and UNIX versions are also susceptible to screen output spoofing and denial-of-service attacks via ANSI escape sequences.
To mitigate the risk posed by this vulnerability, users are advised to update to WinRAR version 7.00 or later, which includes a fix for the issue.
Additionally, exercising caution when opening archives from untrusted sources and enabling file extension visibility in Windows can help prevent this type of attack.
The vulnerability was publicly disclosed on May 23, 2024, and it is crucial for WinRAR users to take immediate action to protect their systems from potential exploitation by malicious actors.
The post WinRAR Flaw Let Attackers Deceive Users with ANSI Escape Sequences appeared first on Cyber Security News.
Google Shares Details on Accidental File Deletion that Impacts Pension Fund’s Accounts
In a recent blog post, Google Cloud has shared details about an incident that impacted one of its Australian customers, UniSuper, a pension fund.
The incident involved accidentally deleting the customer’s Google Cloud VMware Engine (GCVE) Private Cloud due to a misconfiguration by Google operators.
According to the post, the incident occurred when Google operators deployed a GCVE Private Cloud for UniSuper using an internal tool.
An inadvertent misconfiguration occurred when a parameter was left blank. This had the unintended consequence of defaulting the customer’s GCVE Private Cloud to a fixed term with automatic deletion at the end of that period.
After one year, the customer’s GCVE Private Cloud was automatically deleted due to this misconfiguration. No customer notification was sent because the deletion was triggered by the blank parameter in the internal tool, not by a customer deletion request.
Google notes that a notification to the customer would have preceded any customer-initiated deletion.
Following the incident, the customer and Google teams worked several days to recover UniSuper’s GCVE Private Cloud, restore the network and security configurations, and restore its workloads from backups.
Fortunately, the customer had data stored outside of Google Cloud, which aided the recovery process.
Google has taken steps to prevent similar incidents in the future, including deprecating the internal tool that caused the misconfiguration and automating the deployment process to remove the possibility of human error.
Many tech experts have criticized Google’s response, deeming it the “bare minimum.” They advocate for more comprehensive measures, such as implementing manual review processes before carrying out large-scale deletions and considering temporary suspension instead of immediate deletion of services.
This incident emphasizes the dangers of relying only on cloud providers for infrastructure and the necessity of maintaining off-site backups.
It also underscores the need for robust processes and safeguards against human error when dealing with critical customer data and services.
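As an added illustration (not Google's internal tool or code) of the two safeguards the article raises, this Python sketch models a provisioning request that fails closed when the term parameter is blank, and a daily reaper that suspends and notifies on expiry instead of deleting, with deletion requiring both a grace period and an explicit sign-off. The `GRACE_DAYS` value, the state names and the request format are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

GRACE_DAYS = 30   # assumption: minimum time a resource stays suspended before it may be purged


class ProvisioningError(ValueError):
    """A request parameter is missing or ambiguous."""


@dataclass
class PrivateCloud:
    name: str
    expires: Optional[date]                 # None means no fixed term
    state: str = "ACTIVE"                   # ACTIVE -> SUSPENDED -> DELETED
    suspended_on: Optional[date] = None
    approved_for_deletion: bool = False     # explicit human sign-off, never implied
    notices: list = field(default_factory=list)


def validate_term(term: str) -> Optional[str]:
    """Return an error message for a bad term, or None if it is acceptable."""
    term = term.strip()
    if not term:
        return "term is required: 'none' or a positive number of days"
    if term.lower() == "none":
        return None
    if not term.isdigit() or int(term) <= 0:
        return f"invalid term {term!r}"
    return None


def provision(name: str, term: str, today: str) -> PrivateCloud:
    """Fail closed: a blank term is an error, not a silent default to a fixed term."""
    error = validate_term(term)
    if error:
        raise ProvisioningError(error)
    term = term.strip()
    if term.lower() == "none":
        return PrivateCloud(name, expires=None)
    return PrivateCloud(name, expires=date.fromisoformat(today) + timedelta(days=int(term)))


def tick(cloud: PrivateCloud, today: str) -> str:
    """Daily reaper. Expiry only suspends and notifies; deletion needs grace time and sign-off."""
    now = date.fromisoformat(today)
    if cloud.state == "ACTIVE" and cloud.expires is not None and now >= cloud.expires:
        cloud.state = "SUSPENDED"
        cloud.suspended_on = now
        earliest = now + timedelta(days=GRACE_DAYS)
        cloud.notices.append(f"{now}: {cloud.name} suspended, purge no earlier than {earliest}")
    elif cloud.state == "SUSPENDED":
        grace_over = now >= cloud.suspended_on + timedelta(days=GRACE_DAYS)
        if grace_over and cloud.approved_for_deletion:
            cloud.state = "DELETED"
            cloud.notices.append(f"{now}: {cloud.name} deleted after review")
    return cloud.state
```

The notices list stands in for whatever customer notification channel a real control plane uses; the point is that the first destructive transition is reversible and observable, and the irreversible one cannot happen from a default.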
The post Google Shares Details on Accidental File Deletion that Impacts Pension Fund’s Accounts appeared first on Cyber Security News.
Researchers Hacked Industrial Remote Access Gateway Tool to Gain Root Access
Security researchers have uncovered severe vulnerabilities in the Ewon Cosy+, a widely used industrial remote access gateway tool, allowing them to gain root access and compromise the device’s security. The findings, presented at DEF CON 32, highlight significant risks to industrial infrastructure and remote access systems.
The Ewon Cosy+, developed by HMS Networks, is designed to provide secure remote access to industrial systems through VPN connections. However, researchers from SySS GmbH discovered multiple critical flaws that undermine its security promises.
Key vulnerabilities identified include:
OS Command Injection (CVE-2024-33896): Researchers found a way to bypass filters in user-provided OpenVPN configurations, allowing arbitrary command execution.
Insecure Permissions (CVE-2024-33894): affects devices running 21.x firmware below 21.2s10 or 22.x firmware below 22.1s3.
Certificate Request Vulnerability (CVE-2024-33897): A compromised Cosy+ device could be used to request certificates for unauthorized devices, potentially leading to VPN session hijacking.
The exploit chain for gaining root access to the Ewon Cosy+ device leveraged the OS command injection vulnerability (CVE-2024-33896). The researchers first discovered that the filter applied to the device's OpenVPN configuration functionality could be bypassed by prefixing option names with two dashes (--), a form OpenVPN itself accepts inside configuration files.
They then crafted a malicious OpenVPN configuration file that used the --up option to execute an arbitrary shell command, together with script-security 2 to allow user-defined scripts, and uploaded it to the Cosy+ device.
When the VPN connection was established, the device executed the specified command (in this case, id) as root, confirming command execution with root privileges.
With this elevated privilege, the researchers were able to push further into the device.
This chain demonstrated how a seemingly simple configuration-file upload feature, combined with insufficient input validation, can lead to complete compromise of an industrial remote access gateway.
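To make the bypass concrete, here is an added Python example (not SySS's or HMS Networks' code) that contrasts a denylist filter of the kind the researchers defeated with an allowlist filter. The crafted profile, the option lists and the `vpn.example.invalid` endpoint are constructed for illustration; the one real detail it relies on is that OpenVPN accepts an optional leading `--` on option names inside a configuration file, so `--up` and `up` are the same directive.

```python
import shlex

# OpenVPN options that run an external program or relax the script policy.
# A remote-access gateway must never accept these from a user-supplied profile.
SCRIPT_OPTIONS = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "script-security", "plugin",
}

# Hypothetical allowlist for a client profile; a real product would tighten this.
ALLOWED_OPTIONS = {
    "client", "dev", "proto", "remote", "port", "nobind", "resolv-retry",
    "persist-key", "persist-tun", "remote-cert-tls", "cipher", "auth",
    "verb", "key-direction", "ca", "cert", "key", "tls-auth", "tls-crypt",
}
INLINE_BLOCKS = {"ca", "cert", "key", "tls-auth", "tls-crypt"}

# Constructed profile in the shape of the researchers' bypass: the first token
# of each dangerous line is '--up' / '--script-security', not 'up' / 'script-security'.
CRAFTED_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
--script-security 2
--up "/usr/bin/id"
"""

# Constructed benign profile, including an inline <ca> block with placeholder contents.
BENIGN_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
</ca>
"""


def naive_filter(config: str) -> bool:
    """Vulnerable: denylists only lines whose first token is literally a script option."""
    for line in config.splitlines():
        tokens = line.split()
        if tokens and tokens[0] in SCRIPT_OPTIONS:
            return False
    return True


def parse_option(line: str):
    """Normalize one directive the way OpenVPN does: tokenize and drop a leading '--'."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#;":
        return None
    tokens = shlex.split(stripped)          # raises ValueError on unbalanced quotes
    name = tokens[0]
    if name.startswith("--"):
        name = name[2:]
    return name, tokens[1:]


def hardened_filter(config: str):
    """Allowlist: accept only known-safe directives and inline key-material blocks."""
    block = None
    for line in config.splitlines():
        s = line.strip()
        if block is not None:               # inside <ca>...</ca> etc.: opaque data, not directives
            if s == f"</{block}>":
                block = None
            continue
        if s.startswith("<") and s.endswith(">") and not s.startswith("</"):
            block = s[1:-1]
            if block not in INLINE_BLOCKS:
                return False, f"inline block <{block}> not allowed"
            continue
        try:
            parsed = parse_option(s)
        except ValueError:
            return False, "unbalanced quoting"
        if parsed is None:
            continue
        name, _args = parsed
        if name in SCRIPT_OPTIONS:
            return False, f"script option '{name}' rejected"
        if name not in ALLOWED_OPTIONS:
            return False, f"unknown option '{name}' rejected"
    if block is not None:
        return False, f"unterminated inline block <{block}>"
    return True, "ok"
```

The denylist fails because it compares the raw first token against option names, while OpenVPN normalizes the token before looking it up; any filter that does not normalize exactly as the consumer does will diverge from it. The allowlist sidesteps that by rejecting everything it has not explicitly understood, including unknown options and inline blocks other than key material.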
With root access, researchers uncovered additional security issues:
Ability to decrypt encrypted firmware files
Access to encrypted data, including passwords in configuration files
Acquisition of correctly signed X.509 VPN certificates for foreign devices
These findings have severe implications for the security of industrial networks relying on Cosy+ devices. Attackers could hijack VPN sessions, gaining unauthorized access to sensitive industrial systems and data.
HMS Networks has responded to these discoveries by releasing firmware updates to address the identified vulnerabilities. Users are strongly advised to update their Cosy+ devices to the latest firmware versions:
21.2s10 or later for 21.x firmware
22.1s3 or later for 22.x firmware
In light of these findings, industrial organizations using Ewon Cosy+ or similar remote access solutions should take immediate action to mitigate risks:
Update device firmware to the latest secure versions
Implement strong network segmentation and access controls
Regularly audit and monitor remote access activities
Consider additional security layers, such as multi-factor authentication
This research underscores the critical importance of thorough security assessments for industrial remote access tools, as vulnerabilities in these systems can have far-reaching consequences for critical infrastructure and industrial operations.
The post Researchers Hacked Industrial Remote Access Gateway Tool to Gain Root Access appeared first on Cyber Security News.