Blog entry by Les Bell

by Les Bell - Monday, 31 October 2022, 8:02 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Google Issues Chrome Update in Response to 0Day

You should be aware of this by now, but Google has issued an update for the Chrome browser Stable channel in response to a 0day exploit. The new versions are 107.0.5304.87 for Mac and Linux, and 107.0.5304.87/88 for Windows. The update fixes CVE-2022-3723, which is a type confusion vulnerability in V8, Google's high-performance runtime for JavaScript and WebAssembly.

You know what to do...

Bommana, Prudhvikumar, Stable Channel Update for Desktop, Google Chrome Releases blog, 27 October 2022. Available online at https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html.

More Trojan Droppers in Google Play Store

The idea of relying on mobile OS app stores to filter out malicious apps before they reach the public is getting less and less sustainable. Now comes a report of five more trojan droppers found on the Google Play Store, with a cumulative count of over 130,000 installs.

These apps drop banking trojans such as SharkBot and Vultur, which can steal online banking credentials and PII, perform keystroke logging and even (in the case of Vultur) run a VNC session that lets the attacker perform any action on the infected device.

The droppers have been carefully designed to fit within the security policies of the Play Store, and request as few permissions as possible on the victim's device - only three, and those so common as to not arouse suspicion. While the SharkBot trojan seems to be interested only in Italian victims, Vultur has a long list of target institutions, including many Australian and European banks.

Uncredited, Malware wars: the attack of the droppers, blog post, 28 October 2022. Available online at https://www.threatfabric.com/blogs/the-attack-of-the-droppers.

How Not to Handle a Privacy Breach

See Tickets, a major event ticketing company, has disclosed a major data breach dating back to June 2019. I'm not sure if that is a record, but it ought to be.

According to See's consumer notification letter, a third party had obtained unauthorized access to event checkout pages on the See website; although they were alerted to the activity in April 2021, a later paragraph reveals that the pages may have been affected as early as 25 June 2019. We can only speculate, but this may have been a supply-chain attack involving a JavaScript framework or subsystem - Ticketmaster suffered this type of breach in 2018 - or some form of XSS attack. The data exposed includes names, addresses and credit card numbers, expiry dates and CVV numbers.

The firm engaged forensics consultants, but it took them until 8 January 2022 to fix the exposure and a further nine months before concluding, on 12 September 2022, that "the event may have resulted in unauthorized access to the payment card information of certain of our customers". Finally, in late October, they are notifying customers that their information may have been exposed - although "we are not certain your information was affected".

If that is an "abundance of caution", it's deeply unimpressive. The notification letter provides the obvious advice to affected consumers, but some evidence that See was raising its game would do a lot more to regain consumer trust.

Murphy, James, Re: Notice of Data Breach, letter template, October 2022. Available online at https://dojmt.gov/wp-content/uploads/Consumer-Notification-Letter-638.pdf.

Multiple Juniper JunOS Vulnerabilities

Researchers at Octagon Networks have revealed multiple vulnerabilities in Juniper's JunOS, including one (CVE-2022-22241) with a CVSS score of 8.1. This particular vulnerability allows an unauthenticated attacker to write an arbitrary file, which in turn leads to remote code execution. The exploit would merit a CVSS score of 9.8, were it not for the difficulty of finding a suitable object to make use of in the required deserialization code.

The researchers found five other vulnerabilities. The full list is:

  1. CVE-2022-22241: Remote pre-authenticated Phar Deserialization to RCE
  2. CVE-2022-22242: pre-authenticated reflected XSS on the error page
  3. CVE-2022-22243: XPATH Injection in jsdm/ajax/wizards/setup/setup.php
  4. CVE-2022-22244: XPATH Injection in send_raw() method
  5. CVE-2022-22245: Path traversal during file upload leads to RCE
  6. CVE-2022-22246: PHP file include /jrest.php

All were previously disclosed to Juniper and have been patched, so customers are advised to update to the latest release of the OS or, alternatively, to disable J-Web or at least limit access to it to trusted hosts only.

Uncredited, Juniper SSLVPN / JunOS RCE and Multiple Vulnerabilities, blog post, 28 October 2022. Available online at https://octagon.net/blog/2022/10/28/juniper-sslvpn-junos-rce-and-multiple-vulnerabilities/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

[ Modified: Monday, 31 October 2022, 8:04 AM ]