Author Archives: CERT

Overview

Multiple vulnerabilities were discovered in the TCP/IP stack (NetworkPkg) of Tianocore EDKII, an open source implementation of Unified Extensible Firmware Interface (UEFI). Researchers at Quarkslab have identified a total of 9 vulnerabilities that if exploited via network can lead to remote code execution, DoS attacks, DNS cache poisoning, and/or potential leakage of sensitive information. Quarkslab have labeled these set of related vulnerabilities as PixieFail.

Description

UEFI represents a contemporary firmware standard pivotal in initiating the operating system on modern computers and in facilitating communication between the hardware and OS. TianoCore‘s EDKII stands as an open-source implementation adhering to UEFI and UEFI Platform Initialization (PI) specifications, offering an essential firmware development environment across platforms. Within EDKII, the NetworkPkg software encompasses a TCP/IP stack, enabling crucial network functionalities available during the initial Preboot eXecution Environment (PXE) stages. The PXE environment, when enabled, allows machines to boot via network connectivity, eliminating the need for physical interaction or keyboard access. Typically employed in larger data centers, PXE is vital for automating early boot phases, particularly in high-performance computing (HPC) environments.

Quarkslab researchers have discovered several vulnerabilities within the EDKII’s NetworkPkg IP stack, introduce due to classic issues like buffer overflow, predictable randomization, and improper parsing. These vulnerabilities pose risks, allowing unauthenticated local attackers (and in certain scenarios, remotely) to execute various attacks. Successful exploits can result in denial of service, leakage of sensitive data, remote code execution, DNS cache poisoning, and network session hijacking. To successfully exploit this vulnerable NetworkPkg implementation, the attacker requires the PXE boot option to be enabled.

Tianocore’s EDKII is used as a reference code or adopted as-is by many vendors for their UEFI implementation and distributed via supply-chain to other vendors in the PC market. Due to the widespread use of these libraries, these vulnerabilities may be present in a large number of implementations. We recommend users consult vendor specific advisory and details that will help resolve these issues.

Impact

The impact and exploitability of these vulnerabilities depend on the specific firmware build and the default PXE boot configuration. An attacker within the local network (and, in certain scenarios remotely) could exploit these weaknesses to execute remote code, initiate DoS attacks, conduct DNS cache poisoning, or extract sensitive information.

Solution

Apply updates

Update to the latest stable version of UEFI firmware that includes fixes to these vulnerabilities. Please follow the advisory and any details provided by your vendor as part of this advisory. Downstream users of Tianocore EDKII that incorporate NetworkPkg should update to the latest version provided by Tianocore project. Please follow any vendor provided recommended configurations that can limit the exposure of these vulnerabilities as suitable to your environment.

Enforce network security

In operations environments, you may consider the following workarounds to prevent exposure and potential exploitation of these vulnerabilities
* Disable PXE boot if it is not used or supported in your computing environment.
* Enforce Network Isolation so the UEFI Preboot environment is available to specific network that is protected from unauthorized access.
* Deploy available protection to your computing environment from rogue DHCP services using capabilities such as Dynamic ARP inspection and DHCP snooping.

Employ secure OS deployments

Follow security best practices in design of the preboot environment that provide OS deployment capabilities to your organization. UEFI supply-chain vendors should also consider migration to modern network boot environments that employ secure protocols such as UEFI HTTPS Boot that can limit abuse of the legacy PXE boot related security issues.

Acknowledgements

Thanks to the Quarkslab for researching and reporting these vulnerabilities and support coordinated disclosure.

This document was written by Vijay Sarvepalli.

Continue reading VU#132380: Vulnerabilities in EDK2 NetworkPkg IP stack implementation.→

Overview

Implementation of Unified Extensible Firmware Interface (UEFI) by Vendors provide a way to customize logo image displayed during the early boot phase. Binarly has uncovered vulnerabilities in the image parsing libraries that provide this capability. An attacker with local privileged access can exploit these vulnerability to modify UEFI settings.

Description

UEFI firmware provides an extensible interface between an operating system and hardware platform. UEFI software stores a number of settings and files in a customized Extensible Firmware Interface (EFI) partition known as EFI system partition (ESP). ESP is a special privileged file system that is independent of the OS and essentially acts as the storage place for the UEFI boot loaders, applications, hardware drivers and customizable settings to be launched by the UEFI firmware. The ESP partition is mandatory for UEFI boot and is protected from unprivileged access. The information stored in ESP is probed and processed during the early phases of an UEFI based OS. One such information stored in the ESP is a personalizable boot logo.

Binarly has discovered a number of vulnerabilities in the image parsing libraries that read and process these image files. As these files are processed by executables that run under a high privilege, it is possible to exploit these vulnerabilities in order to access and modify high-privileged UEFI settings of a device. UEFI supply-chain allows for many of these shared libraries to be integrated in various ways, including compiled from source, licensed for modification and reuse and finally as a dynamic or static linked executable. Binarly has also observed that in some cases an attacker can create a bundled firmware update that contains a corrupt or malicious image to trigger these vulnerabilities. This can also allow an attacker to exploit vulnerability while flashing the PCI with a firmware update. Due to the complex nature of these vulnerabilities and their potential wide impact, Binarly would like to use the label LogoFAIL to track and support coordination and mitigation of these vulnerabilities.

Note: Major Independent BIOS Vendors (IBV) have obtained CVE to track this set of vulnerabilities for their supply-chain partners and their customers.

Continue reading VU#811862: Image files in UEFI can be abused to modify boot behavior→

Overview

Multiple BGP implementations have been identified as vulnerable to specially crafted Path Attributes of a BGP UPDATE. Instead of ignoring invalid updates they reset the underlying TCP connection for the BGP session and de-peer the router.

This is undesirable because a session reset impacts not only routes with the BGP UPDATE but also the other valid routes exchanged over the session. RFC 7606 Introduction

Description

The Border Gateway Protocol (BGP, RFC 4271) is a widely used inter-Autonomous System routing protocol. BGP communication among peer routers is critical to the stable operation of the Internet. A number of known BGP security issues were addressed in RFC 7606 Revised Error Handling for BGP UPDATE Messages in 2015.

Recent reports indicate that multiple BGP implementations do not properly handle specially crafted Path Attributes in the BGP UPDATE messages. An attacker with a valid, configured BGP session could inject a specially crafted packet into an existing BGP session or the underlying TCP session (179/tcp). A vulnerable BGP implementation could drop sessions when processing crafted UPDATE messages. A persistent attack could lead to routing instability (route flapping).

This vulnerability was first announced as affecting OpenBSD based routers. Further investigation indicates that other vendors are affected by the same or similar issues. Please see the Systems Affected section below.
Here are the CVE IDs that were reserved by the reporter for different vendors that were tested:

• CVE-2023-4481 (Juniper)
• CVE-2023-38802 (FRR)
• CVE-2023-38283 (OpenBGPd)
• CVE-2023-40457 (EXOS)

Impact

A remote attacker could publish a BGP UPDATE with a crafted set of Path Attributes, causing vulnerable routers to de-peer from any link from which such an update were received. Unaffected routers might also pass the crafted updates across the network, potentially leading to the update arriving at an affected router from multiple sources, causing multiple links to fail.

Solution

The CERT/CC is currently unaware of a practical solutions for every vendor but some of the vendors allow you to change the response to errors in BGP path updates. Networks using appliances from Juniper and Nokia can mitigate this behavior by enabling:

(Juniper)
set protocols bgp bgp-error-tolerance

(Nokia)
[router bgp group]
error-handling update-fault-tolerance

Acknowledgements

Thanks to the reporter Ben Cartwright-Cox. This document was written by Timur Snoke.

Continue reading VU#347067: Multiple BGP implementations are vulnerable to improperly formatted BGP updates→

Overview

An authentication bypass vulnerability exists in the N300 Wireless N VDSL2 Modem Router manufactured by Tenda. This vulnerability allows a remote, unauthenticated user to access sensitive information.

Description

CVE-2023-4498 is an authentication bypass vulnerability that enables an unauthenticated attacker who has access to the web console, either locally or remotely, to access resources that would normally be protected. The attacker can construct a web request that includes a white-listed keyword in the path, causing the URL to be served directly (rather than blocked or challenged with an authentication prompt).

Impact

Successful exploitation of this vulnerability could grant the attacker access to pages that would otherwise require authentication. An unauthenticated attacker could thereby gain access to sensitive information, such as the Administrative password, which could be used to launch additional attacks.

Solution

There is no known solution to the vulnerability. Always update your router to the latest available firmware version. Disabling both the remote (WAN-side) administration services and the web interface on the WAN on any SoHo router is also recommended.

Acknowledgements

Thanks to the reporter from the Spike Reply Cybersecurity Team. This document was written by Timur Snoke.

Continue reading VU#304455: Authentication Bypass in Tenda N300 Wireless N VDSL2 Modem Router→

Overview

Groupnotes Inc. Videostream Mac client installs a LaunchDaemon that runs with root privileges. The daemon is vulnerable to a race condition that allows for arbitrary file writes. A low privileged attacker can escalate privileges to root on affected systems.

Description

Every five hours the Videostream LaunchDaemon runs with root privileges to check for updates. During the download, it’s possible to replace the update file as any user with a crafted tar archive. The LaunchDaemon process will extract the archive and replace any requested file on the system.

Impact

An attacker with low privilege access can overwrite arbitrary files on the affected system. This can be leveraged to escalate privileges to control the root account.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Acknowledgements

Thank you to Dan Revah for reporting this issue.

This document was written by Kevin Stephens.

Continue reading VU#757109: Groupnotes Inc. Videostream Mac client allows for privilege escalation to root account→

Overview

Parsec updater for Windows was prone to a local privilege escalation vulnerability, this vulnerability allowed a local user with Parsec access to gain NT_AUTHORITY/SYSTEM privileges.

Description

The vulnerability is a time-of-check time–of-use (TOCTOU) vulnerability. There existed a small window between verifying the signature and integrity of the update DLL and the execution of DLL main.

By exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL that they created, which would subsequently be executed as the SYSTEM user as described in CVE-2023-37250.

CVE-2023-37250
The application launches DLLs from a User owned directory. Since the user owns both the DLL file and the directory, it is possible to (successfully) attempt tricking Parsec into loading an unsigned/arbitrary DLL file and execute its DllMain() method with SYSTEM privileges, creating a Local Privilege Escalation vulnerability.

Impact

By exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL that they created, which would subsequently be executed as the SYSTEM user.

Solution

The vulnerability applies to a “Per User” installation as opposed to a “Shared User”. There is an update that has been made available. To force an update, you can either completely quit, and re-open the application several times until the loader is updated (by confirming in the logs). Or you can download a special installer that only updates the files inside of the program files that can be downloaded from https://builds.parsec.app/package/parsec-update-executables.exe.

Acknowledgements

Thanks to the reporter, Julian Horoszkiewicz.This document was written by Timur Snoke.

Continue reading VU#287122: Parsec Remote Desktop App is prone to a local elevation of privilege due to a logical flaw in its code integrity verification process→

Overview

urllib.parse is a very basic and widely used basic URL parsing function in various applications.

Description

An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.

urlparse has a parsing problem when the entire URL starts with blank characters. This problem affects both the parsing of hostname and scheme, and eventually causes any blocklisting methods to fail.

URL Parsing Security *

The urlsplit() and urlparse() APIs do not perform validation of inputs. They may not raise errors on inputs that other applications consider invalid. They may also succeed on some inputs that might not be considered URLs elsewhere. Their purpose is for practical functionality rather than purity.

Instead of raising an exception on unusual input, they may instead return some component parts as empty strings. Or components may contain more than perhaps they should.

We recommend that users of these APIs where the values may be used anywhere with security implications code defensively. Do some verification within your code before trusting a returned component part. Does that scheme make sense? Is that a sensible path? Is there anything strange about thathostname? etc.

What constitutes a URL is not universally well defined. Different applications have different needs and desired constraints. For instance the living WHATWG spec describes what user facing web clients such as a web browser require. While RFC 3986 is more general. These functions incorporate some aspects of both, but cannot be claimed compliant with either. The APIs and existing user code with expectations on specific behaviors predate both standards leading us to be very cautious about making API behavior changes.

*Note: This was added as part of the documentation update in https://github.com/python/cpython/pull/102508

Impact

Due to this issue, attackers can bypass any domain or protocol filtering method implemented with a blocklist. Protocol filtering failures can lead to arbitrary file reads, arbitrary command execution, SSRF, and other problems. Failure of domain name filtering may lead to re-access of blocked bad or dangerous websites or to failure of CSRF referer type defense, etc.

Because this vulnerability exists in the most basic parsing library, more advanced issues are possible.

Solution

The fixes are in the following releases:

fixed in >= 3.12

fixed in 3.11.x >= 3.11.4

fixed in 3.10.x >= 3.10.12

fixed in 3.9.x >= 3.9.17

fixed in 3.8.x >= 3.8.17

fixed in 3.7.x >= 3.7.17

Acknowledgements

Thanks to the reporter, Yebo Cao for researching and reporting this vulnerability.

This document was written by Ben Koo.

Continue reading VU#127587: Python Parsing Error Enabling Bypass CVE-2023-24329→

Overview

Freewill Solutions IFIS new trading web application version 20.01.01.04 is vulnerable to unauthenticated remote code execution. Successful exploitation of this vulnerability allows an attacker to run arbitrary shell commands on the affected host.

Description

Freewill Solutions IFIS new trading web application passes a user controlled variable directly to a shell_exec function call on a specific report page. To exploit the vulnerability, an attacker can add shell meta characters to the user controlled variable so that the application executes attacker specified commands.

Impact

An attacker with access to the applications web interface can execute code on the remote host. This level of access allows for complete compromise of the affected machine.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Acknowledgements

Thanks to Sameer Mohite (Mandiant) for reporting the vulnerability.

This document was written by Kevin Stephens.

Continue reading VU#947701: Freewill Solutions IFIS new trading web application vulnerable to unauthenticated remote code execution→

Overview

The software driver for D-Link DWA-117 AC600 MU-MIMO Wi-Fi USB Adapter contains a unquoted service path privilege escalation vulnerability. In certain conditions, this flaw can lead to a local privilege escalation.

Description

D-Link DWA-117 AC600 MU-MIMO is a Wi-Fi USB Adapter that enables Wi-Fi network accessible over USB. D-Link provides a software driver for Microsoft Windows operating system that enables proper operation of the device with the operating system. The latest software driver (as of Arpil 19, 2023) was found susceptible to an unquoted service path vulnerability. Given certain conditions are met, there is potential for a local privilege escalation allowing an attacker to escalate privileges to local administrative user.

The following conditions are required to trigger this bug
* The software is installed in a directory with a space in it. (The default settings for directory will work)
* An unprivileged user should have write access to the directory above the folder that contains the space in its name. (Typical default Windows user permissions is sufficient)

Impact

An attacker with low level access can execute code as the system account. The increased privileges allow for access to sensitive files and malicious modifications to the system.

Solution

D-Link has provided a patch that addresses the issue. Customers should update their driver to the latest version.

Acknowledgements

Thanks to @L1v1ng0ffTh3L4n for reporting the vulnerability.

This document was written by Kevin Stephens.

Continue reading VU#813349: Software driver for D-Link Wi-Fi USB Adapter vulnerable to service path privilege escalation→

Overview

A command injection vulnerability can be used in the Perimeter81 macOS application to run arbitrary commands with administrative privileges.

Description

At the time, the latest Perimeter81 MacOS application (10.0.0.19) suffers from local privilege escalation vulnerability inside its com.perimeter81.osx.HelperTool. This HelperTool allows main application to setup things which require administrative privileges such as VPN connection, changing routing table, etc.

By combining insufficient checks of an XPC connection and creating a dictionary with the key “usingCAPath” a command can be appended within that value to be run with administrative privileges.

Impact

By exploiting the vulnerability, attackers can run arbitrary commands with administrative privileges.

Solution

Perimeter81 has released a fix in version 10.1.2.318
(https://support.perimeter81.com/docs/macos-agent-release-notes)

Acknowledgements

Thanks to Erhad Husovic who also published vulnerability details via (https://www.ns-echo.com/posts/cve_2023_33298.html)

This document was written by Ben Koo.

Continue reading VU#653767: Perimeter81 macOS Application Multiple Vulnerabilities→