Published 23 August 2021 12:00 AM
4 min. read

IOT in danger, new wiretap method and malware activity

#mozi #cisco #blackberry #realtek #starttls

In recent weeks, more and more vulnerabilities have been emerging for mobile devices. Cisco releases a new security patch every week. We continue to add reports from this year's major conferences and other useful materials to the Research section.

  • Vulnerabilities: Cisco unpatched bugs, mail servers;
  • Tools: ReverseSSH, XLMMacroDeobfuscator, Jsleak and SQLancer;
  • News: New method and Mozi botnet power;
  • Research: Latest conference materials and other content.

Feedback and Vulners docs

Vulnerabilities

Cisco without patch

Cisco has no plans to patch a critical vulnerability in older VPN routers designed for small businesses. The problem is known to be related to the Universal Plug-and-Play (UPnP) service.
The hole received the ID CVE-2021-34730. The essence of the flaw lies in the incorrect validation of incoming UPnP traffic.

Cisco has not released and does not plan to release a software update to address the described vulnerability. The reason is that the RV110W, RV130, RV130W and RV215W routers are no longer available for sale.

Cisco encourages companies with legacy devices to upgrade to something more modern, such as the Cisco RV132W, RV160, or RV160W. These models, by the way, are still receiving updates and patches.

Vulnerabilities in STARTTLS threaten popular email clients

German scientists have discovered more than 40 vulnerabilities in STARTTLS implementations in popular mail clients and servers Apple Mail, Gmail, Mozilla Thunderbird, Claws Mail, Mutt, Evolution, Exim, Mail.ru, Samsung Email, Yandex and KMail. Exploitation of these issues allows an attacker to steal credentials, intercept emails, and so on.

The researchers say that STARTTLS, created in the late 90s, worked by checking if a connection could be established over TLS and then negotiating a TLS connection with all parties involved before sending the email data. While the entire STARTTLS negotiation process was not very robust and error prone, STARTTLS came at a time when thee was still no massive support for encrypted connections in mail clients and servers. Since there were no better alternatives at the time, most users and administrators chose to enable STARTTLS as a temporary solution until TLS became more widespread.

Over the past few months, researchers have been actively collaborating with the developers of mail clients and servers to fix 40 bugs they discovered. Although users now have the ability to install the resulting patches and continue using STARTTLS, researchers still advise switching to TLS-only.

Realtek vulnerabilities

IoT Inspector published the results of a study finding critical vulnerabilities that affect at least 65 vendors and about 200 unique device types running RTL8xxx chips, including IP cameras, routers, home gateways, Wi-Fi repeaters and toys, including such well-known firms as ASUS, Belkin, D-Link, Huawei, LG, Logitech, Netgear, ZTE and Zyxe.

  • CVE-2021-35392: Heap buffer overflow vulnerability in ‘WiFi Simple Config’ server due to unsafe crafting of SSDP NOTIFY messages;
  • CVE-2021-35393: Stack buffer overflow vulnerability in ‘WiFi Simple Config’ server due to unsafe parsing of the UPnP SUBSCRIBE/UNSUBSCRIBE Callback header;
  • CVE-2021-35394: Multiple buffer overflow vulnerabilities and an arbitrary command injection vulnerability in ‘UDPServer’ MP tool;
  • CVE-2021-35395: Multiple buffer overflow vulnerabilities in HTTP web server ‘boa’ due to unsafe copies of some overly long parameters.

Realtek Jungle, Luna, and 2.x. SDK bugs can be used to deny service (DoS) and inject commands on the target device, and some of them allow attackers to gain full control over the target device without authentication.

BadAlloc vulnerabilities in BlackBerry software affect more than 200 million cars and thousands of process control systems in industry, medicine and other strategic industries.

The list of vulnerable devices representatives of CISA, and the BadAlloc bugs in IoT and OT were discovered earlier this year by Microsoft researchers. The package includes a set of 25 vulnerabilities caused by Integer Overflow or Wraparound memory allocation bugs.

CVE-2021-22156 allows a potential hacker to remotely cause a denial of service or execute arbitrary code on devices.

Tools

ReverseSSH: A statically-linked ssh server with a reverse connection feature for simple yet powerful remote access. Most useful during HackTheBox challenges, CTFs or similar.

XLMMacroDeobfuscator: Extract And Deobfuscate XLM Macros (A.K.A Excel 4.0 Macros).

Jsleak: A Go Code To Detect Leaks In JS Files Via Regex Patterns.

SQLancer: Detecting Logic Bugs In DBMS

News

New wiretap method from researchers at David Ben-Gurion University

Researchers from the Ben-Gurion University (Israel), studying hidden methods of transmitting data from isolated computers, have developed a new method of organizing a communication channel - AIR-FI, which allows, through manipulation of DDR memory chips, to generate a radio signal at a frequency of 2.4 GHz, which can be captured by any Wi-Fi enabled device at a distance of several meters. From a practical point of view, the method can be used to transfer encryption keys, passwords and secret data from a computer that has no network connection and is infected with spyware or malware.

Mozi botnet gets more aggressive and more dangerous

Mozi's peer-to-peer IoT P2P botnet has received new functionality that allows it to confidently cling to Netgear, Huawei and ZTE gateways, providing itself with a reliable base of entry points to access corporate networks. According to Microsoft Security Threat Intelligence Center and 52 in Azure Defender for IoT, the Mozi botnet, by infecting routers, is capable of conducting MITM attacks by intercepting HTTP and DNS spoofing, compromising endpoints and deploying payloads, twisting ransomware numbers.

Mozi now supports new commands that allow you to intercept HTTP sessions and perform DNS spoofing to redirect traffic to an attacker's domain.

Research

Feedback and Vulners docs
s that allow you to intercept HTTP sessions and perform DNS spoofing to redirect traffic to an attacker's domain.

Research

Feedback and Vulners docs