Cyber Security Weekly Briefing April 24-30

April 30, 2021

BadAlloc - Critical Vulnerabilities in Industrial IoT and OT Devices

Microsoft security researchers have discovered 25 critical remote code execution (RCE) vulnerabilities, collectively referred to as BadAlloc, affecting a wide range of devices, from consumer and medical IoT to industrial control and operational technology (OT) systems. An attacker could exploit the flaws to bypass security controls and execute malicious code on the devices or cause the system to crash. The vulnerabilities are reported to be present in real-time operating systems (RTOS) widely used in industrial sectors, in embedded software development kits (SDKs) and even in implementations of the standard C library (libc). The findings have been shared with vendors so they can update their systems. The full list of vulnerabilities can be found on the US Department of Homeland Security's website.


Critical vulnerability identified in Homebrew for MacOS and Linux

A Japanese security researcher named RyotaK reported on 18 April a vulnerability in the official Homebrew Cask repository that could be exploited by attackers to execute arbitrary code on users' machines that have Homebrew installed. Homebrew is a free and open-source software package management system that allows the installation of software on Apple's macOS operating system as well as on Linux. Homebrew Cask extends that functionality to include command-line workflows for GUI-based macOS applications, fonts, plugins and other non-open-source software. The reported bug, for which a PoC was published and which was fixed just a day after it was reported, lay in the way the project handled code changes in its GitHub repository, which could result in a malicious pull request being automatically reviewed and approved. Homebrew has also removed the "automerge" GitHub Action, as well as the GitHub "review-cask-pr" action, from all affected repositories.


MacOS flaw allows Shlayer malware to be distributed

Apple has released a patch for the macOS Big Sur operating system, fixing a vulnerability for which Apple has released no further details but which some researchers describe as the worst vulnerability in Apple's operating systems in years. Despite its severity, exploitation requires a first step that may have somewhat limited its impact: the user must be convinced to download or run an application that is not in the Apple Store or would not otherwise be allowed by Apple. Once this initial access is gained, the attackers deploy malware that is misclassified by Apple's operating system because of a logic error in the macOS code. This malware can bypass all checks performed by Apple's security mechanisms, which are designed to stop unapproved, dangerous applications from running. Researchers at Jamf have named the malware Shlayer and confirm that it has been in distribution since at least January this year. The bug was reported to Apple by security researcher Cedric Owens in mid-March. Apple spokespeople have confirmed that the company has addressed the problem in macOS 11.3 and has updated XProtect, its malware detection component, to block malware that uses this technique. According to specialised media, the vulnerability has been exploited to distribute malware to Mac computers since at least January.


Critical vulnerability in Citrix ShareFile

The Citrix team has released a security update to fix a critical resource mismanagement vulnerability in its Citrix ShareFile software. The flaw (CVE-2021-22891) is in the Citrix ShareFile storage zone driver and could allow an unauthenticated remote attacker to compromise the storage zone driver. However, the threat actor would need prior access to the network on which the driver is reachable in order to exploit this flaw. The versions affected by this vulnerability are 5.7 prior to 5.7.3, 5.8 prior to 5.8.3, 5.9 prior to 5.9.3, 5.10 prior to 5.10.1 and 5.11 prior to 5.11.18. Citrix recommends updating to a version that fixes this flaw as soon as possible.


Authentication Vulnerability in BIG-IP APM AD

Researchers at Silverfort have disclosed a new evasion vulnerability (CVE-2021-23008, CVSSv3 8.1) in the Kerberos Key Distribution Center (KDC) security feature that affects the BIG-IP Access Policy Manager (APM). This vulnerability allows an attacker to bypass Kerberos authentication to the BIG-IP Access Policy Manager (APM), bypass security policies and, in some cases, bypass authentication to the BIG-IP management console. F5 Networks has released patches to address the vulnerability, with fixes introduced in BIG-IP APM versions 12.1.6, 13.1.4, 14.1.4 and 15.1.3. A similar patch for version 16.x is expected soon.
