Last Week’s Security news: Pegasus, SeriousSAM, Sequoia

Hello everyone! After 4 episodes of the Last Week's Security news, I decided to change the format. I will no longer try to cover all the important news, because it takes a long time to prepare such reviews. So, from now on, I will focus only on a few news of the past week, which I subjectively consider the most interesting.

So, the last week, July 19 - July 25. In my opinion, the most interesting news was the scandal related to the iPhone Pegasus spyware and two Elevations of Privileges: SeriousSAM for Windows and Sequoia for Linux.

NSO Group's Pegasus

Let's start with Pegasus.

"An investigation finds Israeli NSO Group's Pegasus spyware, intended for use on criminals and terrorists, has been used in targeted campaigns against journalists, human rights groups, politicians, and attorneys. Pegasus is a malware that infects iPhones and Android devices to enable operators of the tool to extract messages, photos and emails, record calls and secretly activate microphones."

The news itself is not particularly interesting. The spyware was used to spy on people. Well, ok. But the following public discussion deserves some attention. Some famous people have even called for a ban on such Offensive Security businesses.

What do I think about it. First of all, I don't share the surprise that the software that was supposed to be used against the bad guys was being used against other guys. The vendor cannot control this, even if they wanted to. And, of course, another question is who decide who the bad guys are.

Secondly, I don't think the public Offensive Security businesses should be banned. They provide some insights into what is technically doable right now. Without them, the visibility will decrease. And highly qualified professionals will have to look for work in the secret services or criminal organizations. It will only get worse.

Last but not least, if you really think about privacy, the iPhone is an odd choice. This platform is too centralized, popular, trendy. This is the perfect target. If you want more privacy, try something more exotic like Jolla Sailfish. But something custom based on the Raspberry Pi would be even better. Yes, it may be uncomfortable and strange, but such is the reality of the modern world.

SeriousSAM

Now let's see the nice Windows EoP SeriousSAM (CVE-2021-36934):

"Multiple versions of Windows grant non-administrative users read access to files in the %windir%\system32\config directory. […] If a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to achieve a number of impacts, including but not limited to:
Extract and leverage account password hashes.
Discover the original Windows installation password.
Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.
Obtain a computer machine account, which can be used in a silver ticket attack."

It looks very simple and impressive. So what can you do about it? Firstly, the patches are already available (upd. 02.08 Patches are NOT available, only lists of vulnerable systems; Sorry my mistake), in addition, you canRestrict access to the contents of %windir%\system32\configandDelete Volume Shadow Copy Service (VSS) shadow copies.

Sequoia

And finally, EoP for Linux, which the guys from Qualys found (CVE-2021-33909). They named it Sequoia.

"The Qualys Research Team has discovered a size_t-to-int type conversion vulnerability in the Linux Kernel’s filesystem layer affecting most Linux operating systems. Any unprivileged user can gain root privileges on a vulnerable host by exploiting this vulnerability in a default configuration. […] Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are likely vulnerable and probably exploitable."

When I see vulnerabilities like these that have gone unnoticed for years, I think about the certification procedures. Many Linux distributions have been certified to be free of undeclared features. If such vulnerabilities are not found in the certification process, then what does this mean?