Weekly in Security 202240

2022-10-06 to 2022-10-06

3 min read - 437 words

Introduction

Weekly in Security is a summary of the cybersecurity news from the past week. This post covers 2022-10-06 to 2022-10-06.

Vulnerabilities

Zero-day Vulnerabilities in Microsoft Exchange Server continued

The initial mitigation provided by Microsoft was quickly bypassed by Janggggg, so Microsoft had to update the mitigations. Then Kevin Beaumont found another bypass: Microsoft Exchange replaces .. with @. Consequently, Microsoft had to update the mitigations again. The next bypass was based on URL encoding, e.g., P encoded as %50, which the mitigation did not take into account. The bypass after that abused the fact that Exchange accepted anything as long as autodiscover.json was at the end, so Microsoft had to update the mitigation once again. By the end of the week, the mitigation had changed quite a lot, from

.*autodiscover\.json.*\@.*Powershell.*

to

(?=.*autodiscover)(?=.*powershell)

DoublePulsar has a good summary of the fiasco.

RCE in Zimbra Collaboration Suite

The newly discovered CVE-2022-41352 is almost identical to CVE-2022-30333. The only difference is the file format: .cpio and .tar instead of .rar.

The vulnerable component is Zimbra’s antivirus engine, Amavis. To exploit the vulnerability, an attacker would email such a file to an affected server. When Amavis inspects it for malware, it uses cpio to extract the archive. Because cpio cannot safely handle untrusted archives, an attacker can write to any path on the filesystem that the zimbra user can access.

Zimbra provided mitigations in their article. Rapid7 provides a good analysis.

Interesting Reads

Former Uber Security Chief Found Guilty of Hiding Hack From Authorities

In 2014 a hacker breached Uber and exfiltrated PII of drivers and riders. Uber did not publicly disclose the incident or inform the F.T.C. but rather had the hackers sign an NDA. Joe Sullivan, the former Uber security chief, was found guilty by a jury in federal court. The New York Times provides some additional details.

The case could change how security professionals handle data breaches. However, Sullivan tried to hide the breach from the government regulators. As such, there will probably be no major change in policy.

China forces bus drivers to wear emotion-tracking bracelets

China seems to be leading the digitization of its workforce. This article provides a glimpse of the latest development.

Beijing Public Transport Holding Group claimed the electronic bracelets were necessary to protect public safety. The wristbands are reportedly able to monitor a wearer’s vital signs, such as heart rate and blood oxygen level, as well as their sleep stats and overall emotional state.

Why does public safety suddenly need to be protected? Rampaging bus drivers would probably have made the news.