Paul’s Security News – June 1, 2023

Larry and I were supplied with a handle of Dewars Scotch this week (yea, things go downhill when I am not in the studio all the time). Rather than complain about it (er, okay, we complained about it anyway), we’d make Old Fashioneds. They were pretty good, but not as good as bourbon. Jeff Man returned as a co-host for this episode, so we did talk about PCI, and it was nice to have Jeff back. We always have fun with the news, go down several tangents, and cover many stories. These are just the ones I’ve added for the week. I’ve included descriptions for the stories we didn’t get to cover on the show. Check out “Plain Text Keystrokes, WPBT, One Packet Exploits, & Sock Puppets! – PSW #787” for the full discussion.

  1.  Trusted publishing: a new benchmark for packaging security – A rather long article about how to add a layer of authentication to PyPI packages for maintainers. It’s pretty slick: “At its core, trusted publishing is “just” another authentication mechanism. In that sense, it’s no different from passwords or long-lived API tokens: you present some kind of proof to the index that states your identity and expected privileges; the index verifies that proof and, if valid, allows you to perform the action associated with those privileges. What makes trusted publishing interesting is how it achieves that authentication without requiring a preexisting shared secret.”
  2.  Find My AirTag – The Hacker Factor Blog – A very detailed post from Neil on AirTags. Make sure you check out Larry Pesce’s technical segment on this topic; it was very good.
  3.  Technical Advisory – Multiple Vulnerabilities in Faronics Insight – There is a list of 11 vulnerabilities in this software, which is described as: “Faronics Insight is a feature rich software platform which is deployed on premises in schools. The application enables teachers to administer, control and interact with student devices.” This is one of the vulnerabilities: “Keystroke Logs Are Stored in Plaintext in a World Readable Directory”
  4.  Supply Chain Risk from Gigabyte App Center Backdoor – Eclypsium – WPBT is the gift that keeps on giving (for attackers and pen testers, anyhow).
  5.  PCI DSS 4.0: How to Delight the Auditors – This was just for Jeff Man, the PCI man.
  6.  Ubuntu Details Initial Plans For Immutable Linux Desktop With Ubuntu Core & Snaps – Phoronix – We didn’t cover this on the show, but I think this is an excellent idea for security. Even though Snap may not be your thing, putting a system back in its original state (without the overhead of a VM) wipes away all of the previous “sins”.
  7.  Google Nest Hub Teardown – “The main SOC is an Amlogic S905D3G, a 4-core A55-based SoC. The important chips are meticulously documented, and it’s a fascinating look inside a device common in many people’s homes. One chip that’s of note is the BGT60TR13C, otherwise known as Project Soli. It is an 8x10mm chip that uses radar to detect movement with sub-millimeter accuracy.” – Some hardware reversing for you all.
  8.  CVE-2023-28771-PoC – If you want to try the latest Zyxel exploit out for yourself, in a lab, or with permission (of course).
  9.  CVE-2023-28771 – “CVE-2023-28771 is an unauthenticated command injection vulnerability affecting the WAN interface of several Zyxel network devices, as reported by TRAPA Security.” – How about a one-packet UDP exploit that gives you root? Love it.
  10.  secimport – “secimport is a production-oriented sandbox toolkit. It traces your code, and runs an executable that allows only the same syscalls per module.” – I like the concept, but I fear this may cause a wide variety of other issues.
  11.  Critical Barracuda 0-day was used to backdoor networks for 8 months – Neat features in the malware: “Malware identified to date includes packages tracked as Saltwater, Seaside, and Seaspy. Saltwater is a malicious module for the SMTP daemon (bsmtpd) that the Barracuda ESG uses. The module contains backdoor functionality that includes the ability to upload or download arbitrary files, execute commands, and provide proxy and tunneling capabilities. Seaside is an x64 executable in ELF (executable and linkable format), which stores binaries, libraries, and core dumps on disks in Linux and Unix-based systems. It provides a persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as a PCAP filter for capturing data packets flowing through a network and performing various operations.”
  12.  Blog – What if we had the SockPuppet vulnerability in iOS 16? – Apple Security Research – “The SockPuppet vulnerability was a use-after-free in the XNU kernel’s in6_pcbdetach() function that was reachable through a series of socket-related syscalls.” – Apple believes that iOS 16 is resilient to this style of attack. Amazing post!
  13.  Announcing The BlueHat Podcast: Listen and Subscribe Now! – I will check this out and let you all know what I think.
  14.  PyPI enforces 2FA authentication to prevent maintainers’ account takeover – “The attacker doesn’t care if they get you from a widely used or a niche project, just that they got you.” – I get both sides. I think, in the end, this is the right decision, given the level of malicious packages today.
  15.  Microsoft found a new bug that allows bypassing SIP root restrictions in macOS – “System Integrity Protection (also referred to as rootless) is a macOS security feature introduced in OS X El Capitan (2015) (OS X 10.11). SIP technology restricts a root user from performing operations that may compromise system integrity.”
  16.  Hackers Win $105,000 for Reporting Critical Security Flaws in Sonos One Speakers – “On the speaker, there exists a daemon named anacapad that handles all Sonos-specific functions, including accessing music services, LED control, and audio playback. The vulnerability exists in the way anacapad handles SMBv2 replies from a server, specifically in the smb2_process_query_directory_fixed() function that processes query directory reply data.” – Curious about what goes into the decision to use SMB here…
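To make the trusted-publishing idea from item 1 concrete, here is an added toy model of the index side of that exchange. It is not code from the article, from PyPI, or from any identity provider: the claim names (`iss`, `aud`, `exp`, `repository`, `workflow_ref`), the registered publisher, and the token format are constructed for this example, and an HMAC signature stands in for the issuer’s asymmetric signature, which a real index would verify against the issuer’s published keys. What it does show is the substance of the quote: nothing resembling a password or long-lived API token is stored for the project, the index checks the proof itself (signature, issuer, audience, expiry) before trusting any claim in it, and only an identity that matches a registered publisher is exchanged for a short-lived, project-scoped upload credential.

```python
"""Toy model of an index verifying a trusted-publishing identity token.

Added illustration; not PyPI's code. Claim names, the registered publisher
and the token format are constructed. HMAC-SHA256 stands in for the
issuer's asymmetric signature purely to keep the example self-contained.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "https://idp.example"                 # constructed identity provider
ISSUER_KEY = b"constructed-issuer-signing-key"  # stand-in for the issuer's key
INDEX_AUDIENCE = "index-toy"                   # tokens must be minted for *us*

# Constructed registry: maintainers record *who* may publish a project.
# No shared secret is stored here, which is the point of the scheme.
TRUSTED_PUBLISHERS = {
    "example-pkg": {
        "repository": "alice/example-pkg",
        "workflow_ref": "alice/example-pkg/.github/workflows/release.yml@refs/heads/main",
    },
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """Identity-provider side: sign a claim set (toy JWT-like 'body.sig')."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, key: bytes = ISSUER_KEY, now=None) -> dict:
    """Index side, step 1: validate the proof before trusting any claim."""
    body, sig = token.split(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != INDEX_AUDIENCE:
        raise ValueError("token minted for a different audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def exchange_for_upload_token(token: str, project: str, now=None) -> str:
    """Index side, step 2: match the verified identity against the project's
    registered publisher, then mint a short-lived, project-scoped credential."""
    claims = verify_token(token, now=now)
    publisher = TRUSTED_PUBLISHERS.get(project)
    if publisher is None:
        raise PermissionError(f"{project} has no trusted publisher")
    for field, wanted in publisher.items():
        if claims.get(field) != wanted:
            raise PermissionError(f"{field} mismatch: {claims.get(field)!r}")
    # Constructed format: opaque, single-purpose, meant to live for minutes.
    return f"upload-{project}-{secrets.token_hex(8)}"


def decide(token: str, project: str, now=None) -> str:
    """Return 'granted' or 'denied: <reason>' for a publish attempt."""
    try:
        exchange_for_upload_token(token, project, now=now)
        return "granted"
    except (ValueError, PermissionError) as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    now = 1_700_000_000
    claims = {"iss": ISSUER, "aud": INDEX_AUDIENCE, "exp": now + 600,
              **TRUSTED_PUBLISHERS["example-pkg"]}
    print(decide(issue_token(claims), "example-pkg", now=now))
```

The checks are deliberately ordered: signature first, then issuer, audience and expiry, and only then the publisher match. A token that is valid but was minted for some other service fails on `aud`, and a valid token from a different repository fails on the publisher match, so neither the identity provider nor an unrelated project ever holds anything that could be reused as a long-lived credential for `example-pkg`.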
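The Faronics finding in item 3 (keystroke logs in plaintext in a world-readable directory) is the kind of thing a defender can sweep for on any host. The script below is an added example, not code from the advisory or from Faronics: it walks a directory tree and reports every regular file other users can read and every directory other users can list, judged purely on POSIX mode bits. The log names and the directory layout it builds for the demonstration are constructed, and the scan is generic rather than specific to that product.

```python
"""Sweep a directory tree for world-readable files and directories.

Added example illustrating the quoted finding; not the advisory's code.
Relies on POSIX mode bits (S_IROTH), so it is meaningful on Linux/macOS.
The demo tree built in demo() is constructed for this illustration.
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path


def find_world_readable(root: Path) -> list:
    """Return sorted 'kind:relative/path' entries for every regular file
    other users can read and every directory other users can list."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        for name in filenames:
            path = here / name
            mode = path.lstat().st_mode          # lstat: do not follow symlinks
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                findings.append(f"file:{path.relative_to(root).as_posix()}")
        for name in dirnames:
            path = here / name
            mode = path.lstat().st_mode
            if stat.S_ISDIR(mode) and mode & stat.S_IROTH:
                findings.append(f"dir:{path.relative_to(root).as_posix()}")
    return sorted(findings)


def demo() -> list:
    """Build a constructed tree with one exposed and one protected log, scan
    it, and return the findings. chmod is applied explicitly so the result
    does not depend on the process umask."""
    root = Path(tempfile.mkdtemp(prefix="worldread-demo-"))
    try:
        exposed_dir = root / "logs"             # constructed: 0755, listable by all
        exposed_dir.mkdir()
        os.chmod(exposed_dir, 0o755)
        exposed_log = exposed_dir / "keystrokes.log"
        exposed_log.write_text("constructed sample line\n")
        os.chmod(exposed_log, 0o644)            # readable by every local user

        private_dir = root / "private"          # constructed: 0700, owner only
        private_dir.mkdir()
        os.chmod(private_dir, 0o700)
        private_log = private_dir / "keystrokes.log"
        private_log.write_text("constructed sample line\n")
        os.chmod(private_log, 0o600)            # owner only

        return find_world_readable(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against a real tree, `find_world_readable(Path("/var/log/someapp"))` lists exactly the paths whose permission bits would let any local account read them; a sensitive log surfacing there is the misconfiguration described in the advisory, regardless of what the application intended.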