Blog entry by Les Bell

by Les Bell - Thursday, October 20, 2022, 9:06 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


RCE Vulnerability In - Of All Things - Cobalt Strike

IBM X-Force researchers have found a remote code execution vulnerability in the Cobalt Strike post-exploitation C2 framework. Their interest was drawn by a September out-of-band update for Cobalt Strike which was intended to fix an XSS vulnerability (CVE-2022-39197); the release notes for this patch stated that the vulnerability could lead to RCE, and so they set about checking to see whether the patch really did fix the problem.

The researchers started by decompiling the Cobalt Strike Java client application, and took a close look at the XSS mitigation code, identifying two validator functions but realizing that the note input field was not being passed through either XSS validator. Further experimentation on the client, which is written using the Swing UI framework, revealed that it was possible to include HTML in a Swing component, and then include Java components with the HTML by using the HTML <object> tag.

From there, automated code analysis revealed the final component of the vulnerability: a deserialization vulnerability in a library used to load SVG (Scalable Vector Graphics) files. Putting the whole chain together, the X-Force researchers created a PoC which injects some JavaScript into the graphical file explorer menu to hook the FindNextFileA function. This allowed them to inject the name of an SVG file into the back end, which in turn loads the SVG; the JavaScript inside the SVG can then load and run arbitrary Java code, right up to a full-featured back door.
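As an added illustration (not X-Force's PoC and not Cobalt Strike code), the Java snippet below shows the Swing behaviour at the root of the chain: any component text that begins with <html> is parsed as markup, so an unvalidated field copied into a Swing component is an HTML injection sink. It shows two mitigations, the html.disable client property and escaping of untrusted text; the input string and the classid value are constructed for the demonstration.

```java
import javax.swing.JLabel;
import javax.swing.plaf.basic.BasicHTML;

public class SwingHtmlSink {

    // Constructed sample of attacker-controlled input (e.g. a "note" field).
    // The <object> tag is what lets Swing instantiate a Java class from markup;
    // a harmless JButton is used here instead of a real gadget class.
    static final String UNTRUSTED =
        "<html><object classid=\"javax.swing.JButton\"></object>";

    /** Vulnerable pattern: untrusted text goes straight into the component. */
    static JLabel vulnerable(String input) {
        JLabel label = new JLabel();
        label.setText(input);               // parsed as HTML by Swing
        return label;
    }

    /** Hardened: tell Swing never to interpret this component's text as HTML. */
    static JLabel hardened(String input) {
        JLabel label = new JLabel();
        label.putClientProperty("html.disable", Boolean.TRUE);
        label.setText(input);               // displayed literally
        return label;
    }

    /** Defence in depth: escape so the text can never start with "<html>". */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': out.append("&lt;");   break;
                case '>': out.append("&gt;");   break;
                case '&': out.append("&amp;");  break;
                case '"': out.append("&quot;"); break;
                default:  out.append(c);
            }
        }
        return out.toString();
    }

    /** True when Swing built an HTML View for the label, i.e. markup was honoured. */
    static boolean rendersAsHtml(JLabel label) {
        return label.getClientProperty(BasicHTML.propertyKey) != null;
    }

    public static void main(String[] args) {
        System.out.println("vulnerable: " + rendersAsHtml(vulnerable(UNTRUSTED)));
        System.out.println("hardened:   " + rendersAsHtml(hardened(UNTRUSTED)));
        System.out.println("escaped:    " + rendersAsHtml(vulnerable(escapeHtml(UNTRUSTED))));
    }
}
```

The check in rendersAsHtml is also a cheap unit test to keep in a code base: any component that receives remote data should report false for every input.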

Sherri, Rio, Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1, blog post, 17 October 2022. Available online at https://securityintelligence.com/posts/analysis-rce-vulnerability-cobalt-strike/.

New Google OS Based on seL4

Attendees at my CISSP review courses will have heard me talk about the seL4 microkernel, which was originally developed at UNSW under the auspices of Data61, and was spun off into its own foundation a few years ago. seL4 is unique in being a formally verified kernel; its logic was expressed in a mathematical notation (Higher Order Logic) and then iteratively proven to be secure using the Isabelle proof assistant, fixing the HOL and the corresponding source code along the way until the security properties (confidentiality, integrity, availability) of the microkernel were proven.

The result is an OS kernel that is ideal for embedded systems with high security and reliability requirements, such as in avionics, medical, automotive and defence applications.

Now Google has picked up on the benefits of building security in from the ground up, rather than trying to add it later, and has created a new operating system which is intended to be a provably secure platform for embedded devices that run machine learning applications. The OS, called KataOS, is implemented almost entirely in Rust - a good move for security, since it eliminates some of the major classes of vulnerabilities such as off-by-one errors and buffer overflows.

The reference implementation of KataOS (important, since formal verification is hardware-dependent) is called Sparrow, and combines KataOS with a silicon root of trust (OpenTitan) on a RISC-V architecture. An interim release will run on 64-bit ARM running in simulation with QEMU.

Call me old-fashioned, but I'm glad to see someone taking security engineering seriously, rather than throwing a system together with COTS and then playing whack-a-mole with pentesters and bad guys.

Sam, Scott and June, Announcing KataOS and Sparrow, Google Open Source blog, 14 October 2022. Available online at https://opensource.googleblog.com/2022/10/announcing-kataos-and-sparrow.html.

seL4 Project, The seL4 Microkernel, project home page, 2022. Available online at https://sel4.systems/.

Medibank Breach Turns Nasty

Earlier this week we reported on a likely breach at healthcare and general insurer Medibank, and in response to the company's claim that, "we have found no evidence that our customer data has been accessed", I could only comment, "Let's hope they're right".

It seems they weren't, with Nine Media mastheads receiving a message from the hackers, who claim to have exfiltrated 200 GB of sensitive information and are now threatening to release it. In broken English, the hackers wrote:

“We offer to start negotiations in another case we will start realizing our ideas like 1. Selling your Database to third parties 2. But before this we will take 1k most media persons from your database (criteria is: most followers, politicians, actors, bloggers, LGBT activists, drug addictive people, etc) Also we’ve found people with very interesting diagnoses. And we’ll email them their information.”

Medibank had also received a threat, which it was taking seriously. In the meantime, trading in Medibank shares on the ASX has been halted - a move which will doubtless refocus the attention of the Medibank board members on cybersecurity.

Bonyhady, Nick and Colin Kruger, Medibank hackers threaten to release stolen health data in ransom demand, The Age, 19 October 2022. Available online at https://www.theage.com.au/technology/medibank-hackers-threaten-to-release-stolen-health-data-in-ransom-demand-20221019-p5br2s.html.

Russia Buys Chips from China, Finds 40% Are Duds

Sanctions against Russia are hitting its electronics manufacturing sector, quite possibly affecting its ability to produce weapons systems. Prior to the imposition of sanctions, Russia was able to buy semiconductor components on the open market, and in those days approximately 2% of parts were faulty. But bear in mind that 2% is quite damaging, since a typical product has multiple components. With 10 components, a completed circuit board has a reliability of just 82% (or a failure rate of 18%).

But with a 40% failure rate, almost nothing is going to work (do the math: for one component, the reliability is 60% or 0.6, but with 10 components it is \(0.6^{10}\), or 0.006 - that is, only 0.6% of completed boards will work, a 99% failure rate).
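The same product rule, written out as an added worked equation (not from the article) and extended to the inverse question of how low the per-part defect rate \(p\) must be for a board of \(n\) parts to reach a target yield \(Y\):

\[
R_{\text{board}} = (1-p)^{n}
\]

\[
p = 0.02,\ n = 10:\quad 0.98^{10} \approx 0.817 \quad (\text{about } 82\% \text{ working, } 18\% \text{ failing})
\]

\[
p = 0.40,\ n = 10:\quad 0.60^{10} \approx 0.006 \quad (\text{about } 0.6\% \text{ working})
\]

Solving \((1-p)^{n} = Y\) for the largest tolerable defect rate gives

\[
p_{\max} = 1 - Y^{1/n}
\]

so for a 90% board yield, \(n = 10\) parts allow \(p_{\max} = 1 - 0.9^{0.1} \approx 0.0105\) (about 1%), while \(n = 100\) parts allow only \(p_{\max} = 1 - 0.9^{0.01} \approx 0.00105\) (about 0.1%). Even the pre-sanctions 2% defect rate is already too high for boards with more than a handful of parts, which is why incoming inspection and per-part testing matter long before the 40% case.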

It seems that China is capitalizing on the fact that Russia is caught between a rock and a hard place. This is also a useful reminder that the software supply chain is not the only supply chain with vulnerabilities.

Sharwood, Simon, China dumps dud chips on Russia, Moscow media moans, The Register, 18 October 2022. Available online at https://www.theregister.com/2022/10/18/russia_china_semiconductro_failure_rates/.

Soccer Fans: Qatar Wants You (Or Your Data, More Likely)

According to a report in Norwegian media outlet NRK, two mobile apps which everyone (over 18) visiting Qatar for the soccer World Cup will have to install pose a very severe risk to privacy.

The first app, called Ehteraz, is a COVID-19 tracking app (haven't we moved on from these?). Alarmingly, it asks for a lot of privileges on the phone, including access to read, delete and change all content on the phone, the ability to connect to wi-fi and Bluetooth, to override other apps and to prevent the phone from switching off to sleep mode. It can also access accurate location services, make calls and even disable the screen lock.

The other app, called Hayya, is used to access event tickets as well as the Metro public transit system. It also accesses accurate location services, network connections, and disables sleep mode, but also asks for permission to share the user's personal information with almost no restrictions.

Experts consulted by NRK agree that the apps are very intrusive, with no granularity of control over permissions and no ability to opt out: the apps are mandatory. Anyone attending the World Cup should undoubtedly acquire a burner phone and limit their access to cloud services. Employers should prohibit the use of work devices and applications by employees visiting Qatar.

Sande, Egil, et al., Everyone going to the World Cup must have this app - experts are now sounding the alarm, NRK, 14 October 2022. Available online at https://www.nrk.no/sport/everyone-going-to-the-world-cup-must-have-this-app---experts-are-now-sounding-the-alarm-1.16139267.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
