If you’re part of a government alphabet agency, particularly running a program to share information to fight cybercrime, make sure to properly verify the identity of new members before admission. Oh, and make sure the API is rate-limited so a malicious member can’t scrape the entire user database and sell it on a dark web forum.
Putting snark aside, this is exactly what has happened to the FBI’s InfraGard program. A clever user applied to the program using a CEO’s name and phone number, and a convincing-looking email address. The program administrators didn’t do much due diligence, and approved the application. Awkward.
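The rate-limiting point above is worth seeing in code. The following is an added example, not anything from the InfraGard program or the article: a per-member token-bucket limiter of the kind a member-directory API needs so that one approved account cannot walk the whole user list in one sitting. The member ids, bucket sizes, refill rate and the injected clock are all constructed for illustration.

```c
/* Added example (not from the article): a per-member token-bucket rate
 * limiter for a member-directory lookup API. Member ids, bucket sizes
 * and the clock values are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MEMBERS 64            /* size of the toy bucket table */
#define BUCKET_CAPACITY 30.0      /* burst allowance: 30 lookups */
#define REFILL_PER_SEC 0.1        /* sustained rate: 6 lookups per minute */

struct bucket {
    uint32_t member_id;
    double   tokens;      /* tokens currently available */
    double   last_ts;     /* time of last refill, in seconds */
    bool     in_use;
};

static struct bucket table[MAX_MEMBERS];

/* Find or create the bucket for a member; NULL when the table is full. */
static struct bucket *bucket_for(uint32_t member_id, double now)
{
    struct bucket *free_slot = NULL;
    for (int i = 0; i < MAX_MEMBERS; i++) {
        if (table[i].in_use && table[i].member_id == member_id)
            return &table[i];
        if (!table[i].in_use && free_slot == NULL)
            free_slot = &table[i];
    }
    if (free_slot == NULL)
        return NULL;
    free_slot->in_use = true;
    free_slot->member_id = member_id;
    free_slot->tokens = BUCKET_CAPACITY;
    free_slot->last_ts = now;
    return free_slot;
}

/* Decide whether one directory lookup by member_id at time `now` is allowed.
 * Tokens refill continuously up to the capacity; each lookup spends one.
 * A full table is treated as a deny, so the limiter fails closed. */
bool allow_lookup(uint32_t member_id, double now)
{
    struct bucket *b = bucket_for(member_id, now);
    if (b == NULL)
        return false;
    double elapsed = now - b->last_ts;
    if (elapsed > 0) {
        b->tokens += elapsed * REFILL_PER_SEC;
        if (b->tokens > BUCKET_CAPACITY)
            b->tokens = BUCKET_CAPACITY;
        b->last_ts = now;
    }
    if (b->tokens < 1.0)
        return false;
    b->tokens -= 1.0;
    return true;
}

/* Reset the table so a simulation (or a test) starts from a clean slate. */
void reset_limiter(void) { memset(table, 0, sizeof table); }

/* Simulate a scraper hammering the API: returns how many of `attempts`
 * back-to-back lookups issued at the same instant got through. */
int simulate_scrape(uint32_t member_id, int attempts, double now)
{
    int allowed = 0;
    for (int i = 0; i < attempts; i++)
        if (allow_lookup(member_id, now))
            allowed++;
    return allowed;
}

int main(void)
{
    reset_limiter();
    int got = simulate_scrape(4242, 1000, 0.0);
    printf("scraper got %d of 1000 lookups through\n", got);
    printf("after 60 s idle, next lookup allowed: %s\n",
           allow_lookup(4242, 60.0) ? "yes" : "no");
    return 0;
}
```

The bucket is keyed on the authenticated member, not the client IP, because the scraper in this story was a legitimately approved account. A burst of a thousand lookups yields thirty records instead of the whole directory, and the sustained rate caps what a patient scraper can collect per day at a number an administrator can actually notice in the logs.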
First off, the good folks at FreeBSD have published some errata about the ping problem we talked about last week. Note that while ping does elevate to root privileges via setuid, those privileges are dropped before any data handling occurs. Ping on FreeBSD also runs inside a Capsicum sandbox, a huge obstacle to system compromise from within ping. And finally, further examination of the bug in a real-world context casts doubt on whether Remote Code Execution (RCE) is actually achievable, given the stack layout.
If someone messes up somewhere, go look if you messed up in the same or similar way somewhere else.
Sage advice from [Florian Obser], OpenBSD developer. So seeing the ping problem in FreeBSD, he set about checking the OpenBSD ping implementation for identical or similar problems. The vulnerable code isn’t shared between the versions, so he reached for afl++, a fuzzing tool with an impressive list of finds. Connect afl++ to the function in ping that handles incoming data, and see what shakes out. The conclusion? No crashes found in this particular effort, but several hangs were identified and fixed. And that is a win.
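The two defensive ideas in the FreeBSD errata and the OpenBSD fuzzing effort above, dropping privileges before touching packet data and keeping the packet parser a pure function of (buffer, length) so a fuzzer can drive it, are easier to picture with code. What follows is an added example written for this column; it is not ping code from FreeBSD, OpenBSD, or anyone else. The parser, the `reply_info` structure, the result codes and the constructed sample packet are all my own, and only the header layouts (RFC 791 IPv4, RFC 792 ICMP) are real.

```c
/* Added example (not FreeBSD's or OpenBSD's ping): a toy ICMP reply parser
 * that drops setuid privilege before parsing and bounds-checks the quoted
 * inner IP header of ICMP error messages against the bytes actually
 * received. main() reads one packet from stdin, which is the shape afl++
 * expects from a harness. All names and the sample packet are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum parse_result { REPLY_OK = 0, ERR_TRUNCATED, ERR_BAD_IHL, ERR_NOT_ICMP };

struct reply_info {
    uint8_t icmp_type;
    uint8_t icmp_code;
    uint8_t quoted_ihl;        /* length of the quoted inner IP header, if any */
    uint8_t quoted_opts[40];   /* copy of the inner header's option bytes */
    size_t  quoted_optlen;
};

/* Drop any setuid privilege back to the real uid/gid before parsing.
 * Returns 0 when the effective ids really match the real ones. A ping-like
 * tool would have opened its raw socket before calling this. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0) return -1;
    if (setuid(getuid()) != 0) return -1;
    return (geteuid() == getuid() && getegid() == getgid()) ? 0 : -1;
}

/* Parse an outer IPv4 header plus ICMP message. For ICMP errors (types 3,
 * 11, 12) the payload quotes the original IP header; its option bytes are
 * copied only after the claimed header length is checked against `len`. */
enum parse_result parse_reply(const uint8_t *buf, size_t len, struct reply_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 20) return ERR_TRUNCATED;
    size_t ihl = (buf[0] & 0x0f) * 4;
    if (ihl < 20) return ERR_BAD_IHL;
    if (ihl > len) return ERR_TRUNCATED;
    if (buf[9] != 1) return ERR_NOT_ICMP;            /* protocol 1 = ICMP */
    size_t icmp_off = ihl;
    if (len - icmp_off < 8) return ERR_TRUNCATED;     /* ICMP header is 8 bytes */
    out->icmp_type = buf[icmp_off];
    out->icmp_code = buf[icmp_off + 1];
    if (out->icmp_type == 3 || out->icmp_type == 11 || out->icmp_type == 12) {
        size_t inner = icmp_off + 8;
        if (len - inner < 20) return ERR_TRUNCATED;
        size_t inner_ihl = (buf[inner] & 0x0f) * 4;
        if (inner_ihl < 20) return ERR_BAD_IHL;
        if (inner_ihl > len - inner) return ERR_TRUNCATED; /* the bound a copy must respect */
        out->quoted_ihl = (uint8_t)inner_ihl;
        out->quoted_optlen = inner_ihl - 20;            /* at most 40: IHL tops out at 60 */
        memcpy(out->quoted_opts, buf + inner + 20, out->quoted_optlen);
    }
    return REPLY_OK;
}

/* Build a constructed "destination unreachable" reply (outer IHL 5, ICMP
 * type 3 code 1, inner header with `inner_ihl_words` * 4 bytes and NOP
 * options), optionally truncated to `keep` bytes (0 = whole packet), and
 * return the parser's verdict. */
int parse_constructed(unsigned inner_ihl_words, size_t keep)
{
    uint8_t pkt[20 + 8 + 60];
    memset(pkt, 0, sizeof pkt);
    pkt[0] = 0x45; pkt[9] = 1;                         /* outer IPv4, IHL 5, proto ICMP */
    pkt[20] = 3;   pkt[21] = 1;                        /* ICMP type 3, code 1 */
    pkt[28] = (uint8_t)(0x40 | (inner_ihl_words & 0x0f));
    memset(pkt + 48, 0x01, 40);                        /* option bytes: NOP */
    size_t len = sizeof pkt;
    if (keep != 0 && keep < len) len = keep;
    struct reply_info info;
    return (int)parse_reply(pkt, len, &info);
}

/* Option bytes the parser copied from a full constructed packet, or -1. */
int constructed_optlen(unsigned inner_ihl_words)
{
    uint8_t pkt[20 + 8 + 60];
    memset(pkt, 0, sizeof pkt);
    pkt[0] = 0x45; pkt[9] = 1; pkt[20] = 3; pkt[21] = 1;
    pkt[28] = (uint8_t)(0x40 | (inner_ihl_words & 0x0f));
    struct reply_info info;
    if (parse_reply(pkt, sizeof pkt, &info) != REPLY_OK) return -1;
    return (int)info.quoted_optlen;
}

/* afl++ style harness: one candidate packet on stdin, parsed after the
 * privilege drop, so a crash found here is a crash in unprivileged code. */
int main(void)
{
    static uint8_t buf[65536];
    if (drop_privileges() != 0) { perror("drop_privileges"); return 1; }
    size_t n = fread(buf, 1, sizeof buf, stdin);
    struct reply_info info;
    int r = (int)parse_reply(buf, n, &info);
    printf("result=%d type=%u code=%u quoted_opts=%zu\n",
           r, info.icmp_type, info.icmp_code, info.quoted_optlen);
    return 0;
}
```

The check that matters is the one on `inner_ihl` against `len - inner`: the inner header's length field is attacker-controlled, and a copy sized from that field rather than from the bytes actually received is exactly the kind of defect a fuzzer harness like this is built to surface. Compile it with `afl-cc` and feed it a directory of short packet files and the same function runs millions of times a minute, with no root involved.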
Citrix In The Wild
A vulnerability in the Citrix ADC (Application Delivery Controller), a load balancer for complex web applications, is being actively exploited. This one prompted the NSA to issue a PDF advisory, laying blame for the attacks at the feet of APT5, thought to be an Iranian actor.
The actual vulnerability is an old one, apparently quietly fixed a couple years ago. It has just now been discovered to be a serious problem, allowing a vulnerable device configured to do SAML authentication to be remotely compromised. Patches have now been made available for multiple vulnerable versions, and Indicators of Compromise (IoCs) have been published.
That section header has strong Sneakers vibes, and my eyes keep trying to rearrange those letters into “Too Many Secrets”, but it just doesn’t fit. The “NEGOEX” refers to EXtended NEGOtiation. “SPNEGO” is an acronym for “Simple and Protected GSSAPI Negotiation Mechanism”. And of course, GSSAPI is the “Generic Security Service Application Program Interface”. All that alphabet soup eventually boils down to a method to negotiate authentication protocols. The important bit is that by design, this protocol runs before any authentication takes place, and it’s accessible in a bunch of different services. SMB, RDP, SMTP, and even HTTP can expose SPNEGO negotiation. And of course, there was a critical security vulnerability in Microsoft’s implementation.
The vulnerability, CVE-2022-37958, was patched back in September, and classified as high severity. Just a couple days ago, [Valentina Palmiotti] demonstrated that the vulnerability could be used for Remote Code Execution, and it’s been bumped to critical severity. The full details will be released in 2023, giving everyone plenty of time to get this one patched. Based on what’s been released so far, that’s going to be pretty important. The race is now on, to see whether any malicious groups figure out the details before then.
Demonstrating CVE-2022-37958 RCE Vuln. Reachable via any Windows application protocol that authenticates. Yes, that means RDP, SMB and many more. Please patch this one, it’s serious! https://t.co/ikOrTvQIJs pic.twitter.com/bOTmL5Fh2H
— chompie (@chompie1337) December 13, 2022
And rounding out the hair-on-fire section of the news, a pre-auth RCE in FortiOS is being actively exploited to compromise Fortinet devices. The update has been out for a month, but wasn’t marked as a security fix, so rollout has been a bit slow. It’s a buffer overflow in the SSL-VPN service, and appears to exist all the way back to the 5.x release series. The older 5.x and 6.0.x firmware is beyond support, so it may not receive an update fixing this one. Disabling the Internet-facing VPN appears to be a valid workaround to the issue.
AI “Improves” Security
The new hotness in machine learning is OpenAI’s chat bot, which has been full of surprises. [Rick Osgood] does Red Team penetration testing, and just had to try out using the tool for simulated evil. He asked it to generate a phishing email, promising a gift card for filling out a survey. And the results were depressingly good. So good in fact, that [Osgood] had to tell the AI to make the email seem just a little shady, with hilarious results.