Weekly in Security is a summary of the cybersecurity news from the past week. This post covers 2022-08-08 to 2022-08-15.
The CVE-2022-34713 DogWalk has been exploited and is related to Follina. It is a vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT). DogWalk was publicly disclosed by security researcher Imre Rad more than two years ago, in January 2020, after Microsoft replied to his report saying it won’t provide a fix because this isn’t a security issue.
Years after claiming DogWalk wasn’t a vulnerability, Microsoft confirms flaw is being exploited and issues patch
A threat actor using a Lenstra side-channel attack against a vulnerable device could exploit the security bug to retrieve the RSA private key.
AEPIC Leak is the first architectural CPU bug that leaks stale data from the microarchitecture without using a side channel. It architecturally leaks stale data incorrectly returned by reading undefined APIC-register ranges.
James Kettle from PortSwigger presented his research on Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling (whitepaper / slides). The debuted new class of HTTP request smuggling attack allowed him to compromise Amazon and Akamai, break TLS, and exploit Apache servers.
Lennert Wouters present his research on Starlink UT (slides). He managed to bypass the firmware signature verification. With a modified second stage bootloader we could extract the ROM bootloader and eFuse memory. Additionally, he created a custom printed circuit board modchip that automatically performs the voltage fault injection attack. This is only the first step to freely explore the Starlink network. SpaceX responded to Wouters’ presentation and invited security researchers to “bring on the bugs”. Expect future talks in this area.
Sick Codes presented his work on jailbreaking John Deer tractors. The targeted a John Deere tractor 4240 touchscreen controller with an Arm-compatible NXP I.MX 6 system-on-chip running Wind River Linux 8. One goal was putting Doom on the jailbroken John Deer @sickcodes, @kwiens. Another was to promote the right-to-repair. Farmers need to be able to repair their equipment and had to resort to hacking their traktors. However, manufacturer have been implementing digital locks on their vehicles and undermining private property. At DEF CON 29 Sick Codes also did a talk about Agricultural Data Arms Race.
Emoji Shellcoding was presented at DEF CON 30 (slides). Hаdrien Ваrrаl and Georges-Axel Jaloyan presented their respective tool. Basically, it is an emoji unpacker. For any target shellcode (non-emoji), the tool will produce an emoji shellcode with the unpacker and the packed version of your shellcode. Run it on a RISC-V simulator/cpu and enjoy!
CloudGuard Spectral detects 10 malicious packages on PyPI, the leading Python package index used by developers for the Python programming language Malicious packages install info-stealers that enable attackers to steal developer’s private data and personal credentials
Was presented at DEF CON 30 Demo Labs.
AWSGoat is a vulnerable by design infrastructure on AWS featuring the latest released OWASP Top 10 web application security risks (2021) and other misconfiguration based on services such as IAM, S3, API Gateway, Lambda, EC2, and ECS. AWSGoat mimics real-world infrastructure but with added vulnerabilities. It features multiple escalation paths and is focused on a black-box approach.
Was presented at DEF CON 30 Demo Labs.
AzureGoat is a vulnerable by design infrastructure on Azure featuring the latest released OWASP Top 10 web application security risks (2021) and other misconfiguration based on services such as App Functions, CosmosDB, Storage Accounts, Automation and Identities. AzureGoat mimics real-world infrastructure but with added vulnerabilities. It features multiple escalation paths and is focused on a black-box approach.