Brief

Brief #10: SEC Cyber Disclosure Mandate, Ubuntu Vulnerabilities

Mandos Brief, Week 30 2023: LSEC's new cyber attack disclosure rules, privilege escalation vulnerabilities in Ubuntu, flaws in TETRA radio encryption and more.

6 min read
mandos brief #10 - week 30 2023

TL;DR


SEC Mandates Cyber Attack Disclosures Within Four Days - A Game Changer in Cybersecurity Transparency

The US Securities and Exchange Commission (SEC) has approved new rules that mandate publicly traded companies to disclose details of a cyber attack within four days of identifying its material impact on their finances. This marks a major shift in how computer breaches are disclosed.

The new obligations require companies to reveal the nature, scope, and timing of the incident, as well as its impact. However, this disclosure may be delayed by up to 60 days if it is determined that providing such specifics would pose a substantial risk to national security or public safety.

Moreover, the rules necessitate companies to describe, on an annual basis, the methods and strategies used for assessing, identifying, and managing material risks from cybersecurity threats. They must detail the material effects or risks arising as a result of these events and share information about ongoing or completed remediation efforts.

However, the rules do not extend to specific technical information about the company's planned response to the incident or its cybersecurity systems, networks, and devices, or potential system vulnerabilities in such detail as would impede the company's response or remediation of the incident.

The policy, first proposed in March 2022, is seen as an effort to bring more transparency into the threats faced by US companies from cybercrime and nation-state actors, close the gaps in cybersecurity defense and disclosure practices, and harden the systems against data theft and intrusions.

New Privilege Escalation Vulnerabilities Threaten 40% of Ubuntu Cloud Workloads

Researchers at cloud security firm Wiz have discovered two easily exploitable privilege escalation vulnerabilities in Ubuntu’s OverlayFS module, affecting a significant portion of Ubuntu cloud workloads. OverlayFS is a union filesystem that allows one filesystem to overlay another, enabling file modifications without changing the base. The vulnerabilities, CVE-2023-2640 and CVE-2023-32629, dubbed 'GameOver(lay)', allow specialized executables to escalate privileges to 'root' on the affected machine.

CVE-2023-2640 is enabled because the Ubuntu OverlayFS module does not convert file security capabilities before files are copied. As a result, an unprivileged user can create a new directory structure and enter a new user namespace with administrative-like capabilities. They can then mount an OverlayFS mount, ultimately creating a file with capabilities applicable to the init user namespace and effectively escalating the user’s privileges to root.

CVE-2023-32629 is similar to CVE-2023-2640, but affects slightly different kernel versions, and exploitation results from a different code flow. The result is the same: the file has capabilities that are applicable to the init user namespace, which effectively escalates the user’s privileges to root.

Ubuntu has released a security bulletin about these issues and has made fixing updates available. Users are urged to update their kernels to mitigate these vulnerabilities.

Unveiling the Hidden Flaws in TETRA Radio Encryption

For over 25 years, TETRA, a technology used for critical data and voice radio communications, has been shrouded in secrecy to prevent scrutiny of its security properties. However, a group of researchers in the Netherlands has recently exposed serious flaws in its encryption algorithm, including a deliberate backdoor. This backdoor, known to vendors but not necessarily to customers, exists in radios sold for commercial use in critical infrastructure. It could allow someone to snoop on communications, learn how a system operates, and potentially send commands that could disrupt critical services.

The researchers discovered a total of five vulnerabilities in the TETRA standard, which they've named TETRABURST. These vulnerabilities could allow for real-time decryption, message injection, user deanonymization, or session key pinning. The impact of these vulnerabilities is significant, particularly for law enforcement, military, and critical infrastructure operators who rely on TETRA for secure communications.

The researchers have coordinated with radio manufacturers to create patches and mitigations for these vulnerabilities. However, not all issues can be fixed with a patch, and it's unclear which manufacturers have prepared them for customers. The researchers plan to present their findings at the BlackHat security conference, releasing detailed technical analysis and the previously secret TETRA encryption algorithms.

AI researchers have found 'virtually unlimited' ways to bypass Bard and ChatGPT's safety rules

A recent study by researchers at Carnegie Mellon University and the Center for AI Safety has revealed a significant vulnerability in Large Language Models (LLMs). They have found a way to automatically construct adversarial attacks on these models. These attacks involve specially crafted sequences of characters that, when appended to a user query, can induce the LLM to produce harmful content, even if it goes against the model's safety measures.

What makes these attacks particularly concerning is their universal and transferable nature. They were initially built to target open-source LLMs, but the researchers found that they also work on many closed-source, publicly available chatbots like ChatGPT, BARD, and CLAUDE. This raises serious safety concerns, especially as LLMs are increasingly used in more autonomous systems.

The researchers have disclosed their findings to the companies hosting the attacked LLMs. However, it remains unclear how to address the underlying challenge posed by adversarial attacks on LLMs. The researchers hope that their work will spur future research in these directions, emphasizing the importance of considering these potential threats as we increase our usage and reliance on AI models.

Critical Citrix ShareFile RCE Vulnerability CVE-2023-24489: Exploitation Begins

CVE-2023-24489 is a cryptographic bug in Citrix ShareFile's Storage Zones Controller, a .NET web application running under IIS. This vulnerability allows unauthenticated attackers to upload arbitrary files, leading to remote code execution. Attackers can exploit this vulnerability by taking advantage of errors in ShareFile's handling of cryptographic operations. The application uses AES encryption with CBC mode and PKCS7 padding but does not correctly validate decrypted data. This oversight allows attackers to generate valid padding and execute their attack, leading to unauthenticated arbitrary file upload and remote code execution.

Researchers at Assetnote dissected the vulnerability and published the first proof-of-concept (PoC) for this CVE. Other PoCs for this have been released on GitHub, increasing the likelihood of attackers leveraging this vulnerability in their attacks and further demonstrating the severity of the issue. As of the publishing timestamp of this post, GreyNoise has observed IPs attempting to exploit this vulnerability.

Citrix has released a security update addressing the ShareFile vulnerability. Users are advised to apply the update to protect their systems from potential attacks. The fixed version of the customer-managed ShareFile Storage Zones Controller is ShareFile Storage Zones Controller 5.11.24 and later versions.

Share This Post

Check out these related posts

Brief #72: NVIDIA flaw, 3.8 Tbps Cloudflare DDoS, AWS AI hijacking

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read

Brief #71: Storm-0501 Targets Hybrid Clouds, CUPS RCE Flaw, AI Security Challenges, Wiz's $20B Valuation

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read

Brief #70: China's 260K-Device Botnet Thwarted, SolarWinds RCE Flaw, macOS Zero-Click Exploit, AI in Compliance

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 10 min read