Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Golang SAML Library Allowed Authentication Bypass
One of the more popular distributed authentication protocols for web services is SAML, the Security Assertion Markup Language. When a user wants to authenticate to a service provider, she obtains a SAML assertion from her identity provider (to which she has previously authenticated, probably using multi-factor authentication). She then relays the SAML assertion to the service provider, which validates the assertion and - because it trusts the identity provider - trusts the user.
However, because the SAML assertion passes through the hands of the putative user, who could tamper with it, the assertion must be signed by the identity provider and the signature verified by the service provider. A twist in the way SAML responses are constructed has led to a vulnerability (CVE-2022-41912), discovered by Google's Project Zero, in the crewjam SAML library for the Go programming language. A single SAML Response element can contain multiple Assertion elements, and the crewjam library validated the signature only on the first. An attacker could therefore construct a SAML response containing one legitimately signed assertion followed by one or more unsigned assertions carrying attacker-chosen identities and attributes, which the service provider would then trust - an authentication bypass awarded a CVSS score of 9.1.
There are no workarounds for this vulnerability - the only fix is to update to crewjam/saml version 0.4.9 or later.
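To make the logic flaw concrete, here is an added example in Go. It is not the crewjam/saml code and not the library's actual fix; it is a cut-down Response/Assertion model in which XML-DSig is replaced by an HMAC-SHA256 over each assertion's ID and subject, keyed with a hypothetical shared key (real SAML uses the identity provider's private key and certificate). The vulnerable validator checks the first Assertion's signature and then trusts every Assertion in the Response; the hardened validator accepts exactly one Assertion and verifies it. Requiring exactly one Assertion is one defensive choice; verifying every Assertion's signature individually is another.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Simplified stand-in for a SAML Response. Real SAML uses XML-DSig (an
// enveloped signature over the canonicalised Assertion); here each
// Assertion carries an HMAC-SHA256 over its ID and Subject in its
// Signature element, which is enough to show the validation logic.
type Response struct {
	XMLName    xml.Name    `xml:"Response"`
	Assertions []Assertion `xml:"Assertion"`
}

type Assertion struct {
	ID        string `xml:"ID,attr"`
	Subject   string `xml:"Subject"`
	Signature string `xml:"Signature"` // hex-encoded MAC; empty if unsigned
}

// Hypothetical key shared between the identity provider and the service
// provider (constructed for this example only).
var idpKey = []byte("hypothetical-idp-key")

func mac(a Assertion) []byte {
	h := hmac.New(sha256.New, idpKey)
	h.Write([]byte(a.ID + "|" + a.Subject))
	return h.Sum(nil)
}

func verifyAssertion(a Assertion) bool {
	got, err := hex.DecodeString(a.Signature)
	if err != nil {
		return false
	}
	return hmac.Equal(got, mac(a))
}

// vulnerableValidate mirrors the flawed pattern: the first Assertion's
// signature is checked, then every Assertion in the Response is trusted.
func vulnerableValidate(raw []byte) ([]string, error) {
	var r Response
	if err := xml.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	if len(r.Assertions) == 0 {
		return nil, errors.New("response contains no Assertion")
	}
	if !verifyAssertion(r.Assertions[0]) {
		return nil, errors.New("invalid signature on Assertion")
	}
	subjects := make([]string, 0, len(r.Assertions))
	for _, a := range r.Assertions {
		subjects = append(subjects, a.Subject)
	}
	return subjects, nil
}

// hardenedValidate accepts exactly one Assertion and verifies it, so an
// extra unsigned Assertion can neither be smuggled in nor trusted.
func hardenedValidate(raw []byte) (string, error) {
	var r Response
	if err := xml.Unmarshal(raw, &r); err != nil {
		return "", err
	}
	if n := len(r.Assertions); n != 1 {
		return "", fmt.Errorf("expected exactly one Assertion, got %d", n)
	}
	if !verifyAssertion(r.Assertions[0]) {
		return "", errors.New("invalid signature on Assertion")
	}
	return r.Assertions[0].Subject, nil
}

// buildResponse plays the attacker: one legitimately signed Assertion for
// signedSubject, followed by unsigned Assertions for any forged subjects.
func buildResponse(signedSubject string, forged ...string) []byte {
	a := Assertion{ID: "_a1", Subject: signedSubject}
	a.Signature = hex.EncodeToString(mac(a))
	r := Response{Assertions: []Assertion{a}}
	for i, s := range forged {
		r.Assertions = append(r.Assertions, Assertion{ID: fmt.Sprintf("_f%d", i), Subject: s})
	}
	out, _ := xml.Marshal(r)
	return out
}

func main() {
	raw := buildResponse("alice@example.com", "admin@example.com")
	fmt.Println(string(raw))
	subjects, err := vulnerableValidate(raw)
	fmt.Println("vulnerable:", subjects, err) // both subjects accepted
	subject, err := hardenedValidate(raw)
	fmt.Println("hardened:", subject, err) // rejected: two Assertions
}
```

Running it shows the vulnerable validator returning both alice@example.com and the unsigned admin@example.com as trusted identities, while the hardened validator rejects the response outright. The same shape of bug recurs wherever a signature over one element is taken as covering a whole container, so the check to look for in any SAML library is whether every Assertion it acts on was individually verified.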
crewjam, crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication, security advisory, 2 December 2022. Available online at https://github.com/advisories/GHSA-j2jp-wvqg-wc2g.
Florida Man Gets 18 Months for Part in SIM Swap, Crypto Heist
A US District Court sentenced a Florida man to 18 months in prison last week for his part in a cryptocurrency theft which netted over $US20 million. US Attorney Damian Williams said,
"Nicholas Truglia and his associates stole a staggering amount of cryptocurrency from the victim through a complex SIM swap scheme. Nevertheless, today's sentencing goes to show that no matter how sophisticated the crime is, this Office will continue to successfully prosecute those who choose to defraud others."
SIM swapping, also known as phone number porting, allows an attacker to link a victim's phone number to a new Subscriber Identity Module controlled by the attacker. Once this has been done, mTANs (mobile transaction authentication numbers), SMS one-time codes and other messages sent to the victim are received by the attacker instead, who can use them to access the victim's accounts.
In this case, the attackers were able to obtain access to the victim's cryptocurrency wallet, and used Truglia's online account to plunder it, converting the proceeds into Bitcoin and then dividing up the loot. Truglia's share amounted to roughly $US673,000. In addition to his 18-month sentence, Truglia, aged 25, was sentenced to 3 years of supervised release, ordered to forfeit $US983,010.72 and further ordered to pay $US20,379,007 in restitution to the victim within 60 days.
Biase, Nicholas, Florida Man Sentenced To 18 Months For Theft Of Over $20 Million In SIM Swap Scheme, press release, 1 December 2022. Available online at https://www.justice.gov/usao-sdny/pr/florida-man-sentenced-18-months-theft-over-20-million-sim-swap-scheme.
Compromised Android Platform Certificates Used to Sign Malware
Malware reverse engineer Łukasz Siewierski has reported a new abuse of the Android app-signing model. Android apps are signed with private keys and validated against the matching certificates. In particular, platform certificates (and their keys) are used by platform vendors such as Samsung, LG and others to sign the 'android' application on the system image, which runs with a highly privileged user ID, android.uid.system, and holds system permissions, including permission to access user data.
Any other application signed with the same certificate can declare (via android:sharedUserId in its manifest) that it wants to run under the same user ID, gaining the same level of privileged access.
Now it appears that some platform certificates have been leaked or stolen - in some cases as long ago as 2016 - and used to sign malware samples. Searching VirusTotal for the SHA-256 hashes of the samples shows they are backdoors, loaders and other malicious apps, many of which remain undetected by most engines. Fortunately, in the last few days the affected platform vendors have rotated their keys and issued updates, and Google has added detections to Google Play Protect as well as its Build Test Suite.
However, the extent to which these signed malware samples spread in the wild is unknown.
antho...@google.com, Issue 100: Platform certificates used to sign malware, APVI issue, 12 November 2022. Available online at https://bugs.chromium.org/p/apvi/issues/detail?id=100.
Siewierski, Łukasz, New AVPI entry: platform certificates used to sign malware, tweet, 1 December 2022. Available online at https://twitter.com/maldr0id/status/1598068216391405568.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.