TL;DR
- SEC Mandates Cyber Attack Disclosures Within Four Days - A Game Changer in Cybersecurity Transparency
- New Privilege Escalation Vulnerabilities Threaten 40% of Ubuntu Cloud Workloads
- Unveiling the Hidden Flaws in TETRA Radio Encryption
- AI researchers have found 'virtually unlimited' ways to bypass Bard and ChatGPT's safety rules
- Critical Citrix ShareFile RCE Vulnerability CVE-2023-24489: Exploitation Begins
SEC Mandates Cyber Attack Disclosures Within Four Days - A Game Changer in Cybersecurity Transparency
- The US Securities and Exchange Commission (SEC) has approved new rules requiring publicly traded companies to disclose details of a significant cyber attack within four days.
- The disclosure may be delayed by up to 60 days if it is determined that revealing such specifics would pose a substantial risk to national security or public safety.
- Companies are also required to describe their methods and strategies for assessing, identifying, and managing material risks from cybersecurity threats annually.
- The rules do not extend to specific technical information about the company's planned response to the incident or its cybersecurity systems, networks, and devices.
The US Securities and Exchange Commission (SEC) has approved new rules that mandate publicly traded companies to disclose details of a cyber attack within four days of identifying its material impact on their finances. This marks a major shift in how computer breaches are disclosed.
The new obligations require companies to reveal the nature, scope, and timing of the incident, as well as its impact. However, this disclosure may be delayed by up to 60 days if it is determined that providing such specifics would pose a substantial risk to national security or public safety.
Moreover, the rules necessitate companies to describe, on an annual basis, the methods and strategies used for assessing, identifying, and managing material risks from cybersecurity threats. They must detail the material effects or risks arising as a result of these events and share information about ongoing or completed remediation efforts.
However, the rules do not extend to specific technical information about the company's planned response to the incident or its cybersecurity systems, networks, and devices, or potential system vulnerabilities in such detail as would impede the company's response or remediation of the incident.
The policy, first proposed in March 2022, is seen as an effort to bring more transparency into the threats faced by US companies from cybercrime and nation-state actors, close the gaps in cybersecurity defense and disclosure practices, and harden the systems against data theft and intrusions.
New Privilege Escalation Vulnerabilities Threaten 40% of Ubuntu Cloud Workloads
- Two new vulnerabilities, CVE-2023-2640 and CVE-2023-32629, dubbed 'GameOver(lay)', have been discovered in Ubuntu's OverlayFS module.
- These vulnerabilities could affect approximately 40% of Ubuntu cloud workloads.
- The flaws allow unprivileged users to escalate their privileges to 'root' on the affected machine.
- Ubuntu has released a security bulletin and updates to fix these vulnerabilities.
Researchers at cloud security firm Wiz have discovered two easily exploitable privilege escalation vulnerabilities in Ubuntu’s OverlayFS module, affecting a significant portion of Ubuntu cloud workloads. OverlayFS is a union filesystem that allows one filesystem to overlay another, enabling file modifications without changing the base. The vulnerabilities, CVE-2023-2640 and CVE-2023-32629, dubbed 'GameOver(lay)', allow specialized executables to escalate privileges to 'root' on the affected machine.
CVE-2023-2640 is enabled because the Ubuntu OverlayFS module does not convert file security capabilities before files are copied. As a result, an unprivileged user can create a new directory structure and enter a new user namespace with administrative-like capabilities. They can then mount an OverlayFS mount, ultimately creating a file with capabilities applicable to the init user namespace and effectively escalating the user’s privileges to root.
CVE-2023-32629 is similar to CVE-2023-2640, but affects slightly different kernel versions, and exploitation results from a different code flow. The result is the same: the file has capabilities that are applicable to the init user namespace, which effectively escalates the user’s privileges to root.
Ubuntu has released a security bulletin about these issues and has made fixing updates available. Users are urged to update their kernels to mitigate these vulnerabilities.
Unveiling the Hidden Flaws in TETRA Radio Encryption
- Researchers have discovered serious flaws, including a deliberate backdoor, in the encryption algorithm used in TETRA (Terrestrial Trunked Radio) systems.
- TETRA is a technology used for critical data and voice radio communications globally, including in critical infrastructure, police forces, and military intelligence agencies.
- The backdoor could allow someone to snoop on communications, learn how a system works, and potentially send commands that could disrupt critical infrastructure.
- The vulnerabilities, collectively referred to as TETRABURST, were discovered by Dutch security analysts and are being addressed through patches and mitigations.
For over 25 years, TETRA, a technology used for critical data and voice radio communications, has been shrouded in secrecy to prevent scrutiny of its security properties. However, a group of researchers in the Netherlands has recently exposed serious flaws in its encryption algorithm, including a deliberate backdoor. This backdoor, known to vendors but not necessarily to customers, exists in radios sold for commercial use in critical infrastructure. It could allow someone to snoop on communications, learn how a system operates, and potentially send commands that could disrupt critical services.
The researchers discovered a total of five vulnerabilities in the TETRA standard, which they've named TETRABURST. These vulnerabilities could allow for real-time decryption, message injection, user deanonymization, or session key pinning. The impact of these vulnerabilities is significant, particularly for law enforcement, military, and critical infrastructure operators who rely on TETRA for secure communications.
The researchers have coordinated with radio manufacturers to create patches and mitigations for these vulnerabilities. However, not all issues can be fixed with a patch, and it's unclear which manufacturers have prepared them for customers. The researchers plan to present their findings at the BlackHat security conference, releasing detailed technical analysis and the previously secret TETRA encryption algorithms.
AI researchers have found 'virtually unlimited' ways to bypass Bard and ChatGPT's safety rules
- Researchers have discovered a method to automatically construct adversarial attacks on Large Language Models (LLMs), causing them to produce harmful content.
- These attacks are universal and transferable, affecting both open-source and closed-source LLMs, including popular ones like ChatGPT, BARD, and CLAUDE.
- The adversarial attacks are difficult to patch, raising concerns about the safety of LLMs, especially as they are increasingly used in autonomous systems.
- The researchers have disclosed their findings to the companies hosting the attacked LLMs, but the fundamental challenge of addressing adversarial attacks on LLMs remains.
A recent study by researchers at Carnegie Mellon University and the Center for AI Safety has revealed a significant vulnerability in Large Language Models (LLMs). They have found a way to automatically construct adversarial attacks on these models. These attacks involve specially crafted sequences of characters that, when appended to a user query, can induce the LLM to produce harmful content, even if it goes against the model's safety measures.
What makes these attacks particularly concerning is their universal and transferable nature. They were initially built to target open-source LLMs, but the researchers found that they also work on many closed-source, publicly available chatbots like ChatGPT, BARD, and CLAUDE. This raises serious safety concerns, especially as LLMs are increasingly used in more autonomous systems.
The researchers have disclosed their findings to the companies hosting the attacked LLMs. However, it remains unclear how to address the underlying challenge posed by adversarial attacks on LLMs. The researchers hope that their work will spur future research in these directions, emphasizing the importance of considering these potential threats as we increase our usage and reliance on AI models.
Critical Citrix ShareFile RCE Vulnerability CVE-2023-24489: Exploitation Begins
- A critical vulnerability, CVE-2023-24489, has been discovered in Citrix ShareFile, a popular cloud-based file-sharing application.
- The vulnerability allows unauthenticated arbitrary file upload and remote code execution (RCE).
- The vulnerability has been assigned a CVSS score of 9.8, indicating its critical severity.
- The first attempts to exploit this vulnerability have been observed, and users are advised to apply the latest security updates as soon as possible.
CVE-2023-24489 is a cryptographic bug in Citrix ShareFile's Storage Zones Controller, a .NET web application running under IIS. This vulnerability allows unauthenticated attackers to upload arbitrary files, leading to remote code execution. Attackers can exploit this vulnerability by taking advantage of errors in ShareFile's handling of cryptographic operations. The application uses AES encryption with CBC mode and PKCS7 padding but does not correctly validate decrypted data. This oversight allows attackers to generate valid padding and execute their attack, leading to unauthenticated arbitrary file upload and remote code execution.
Researchers at Assetnote dissected the vulnerability and published the first proof-of-concept (PoC) for this CVE. Other PoCs for this have been released on GitHub, increasing the likelihood of attackers leveraging this vulnerability in their attacks and further demonstrating the severity of the issue. As of the publishing timestamp of this post, GreyNoise has observed IPs attempting to exploit this vulnerability.
Citrix has released a security update addressing the ShareFile vulnerability. Users are advised to apply the update to protect their systems from potential attacks. The fixed version of the customer-managed ShareFile Storage Zones Controller is ShareFile Storage Zones Controller 5.11.24 and later versions.
