Weekly review of the top vulnerability issues of the week: This week Focus on PWN 2 OWN in Vancuver

This week we hear from Pwn2OWN – Trend Micro, ZDI, Tesla and more bugs found for a total of 1,155,000 Awarded

This week features Apple IoS & Remediation, QNAP, Windows, Firefox, Ubuntu & Tesla explits at Pwn2OWN, PyPI

PWN 2 OWN Summary with all the vulnerabilities Discovered

Microsoft Teams

Hector “p3rr0” Peralta was able to demonstrate an improper configuration against Microsoft Teams. He earns $150,000 and 15 Master of Pwn points.

Daniel Lim Wee Soong (@daniellimws), Poh Jia Hao (@Chocologicall), Li Jiantao (@CurseRed) & Ngo Wei Lin (@Creastery) of STAR Labs successfully demonstrated their zero-click exploit of 2 bugs (injection and arbitrary file write) on Microsoft Teams. 

Mozilla Firefox

Manfred Paul (@_manfp) successfully demonstrated 2 bugs – prototype pollution and improper input validation – on Mozilla Firefox

Advisory: https://www.mozilla.org/en-US/security/

Special – Tesla

For the Full video: https://www.youtube.com/watch?v=K5i0rQNYRNI

David BERARD and Vincent DEHORS from @Synacktiv exploited 2 unique bugs (Double-Free & OOBW) with a collision on a known sandbox escape on a Telsa Model 3 Infotainment System

For full: https://www.zerodayinitiative.com/blog/2022/5/18/pwn2own-vancouver-2022-the-results

Windows

nghiadt12 from Viettel Cyber Security was able to successfully show an escalation of privilege via Integer Overflow on Microsoft Windows 11 

vinhthp1712 successfully achieved Elevation of Privilege via Improper Access Control on Microsoft Windows 11

Bruno PUJOS (@brunopujos) from REverse Tactics successfully achieved Elevation of Privilege via Use-After-Free on Microsoft Windows 11

Ubuntu

Bien Pham (@bienpnn) was able to execute a Use After Free bug leading to elevation of privilege on Unbuntu Desktop

Appsec

PyPI – Library pymafka Expose data via open backdoor

A malicious library pymafka has been released on PyPI with the intent to exfiltrate data

PyKafka is a widely used Apache Kafka client that counts over four million downloads on the PyPI registry.

The library implemented the attack known as typosquatting where users mistake the library capital for lowercase

The library was fortunately promptly removed, nonetheless there are 325 users who downloaded the library

the infection begins with the execution of the ‘setup.py’ script found in the package.

This script detects the host operating system and, depending on whether it is Windows, Linux, or Darwin (macOS), fetches a compatible malicious payload that is executed on the system.

For Linux systems, the Python script connects to a remote URL at 39.107.154.72 and pipes the output to the bash shell. Unfortunately, that host is down at the time of this writing, so it is unclear what commands are executed, but it is believed to open a reverse shell.

For Windows and macOS, the payload is a Cobalt Strike beacon, which provides remote access to the infected device. 

Cobalt Strike is a widely abused penetration testing suite that features powerful traits such as command execution, keylogging, file actions, SOCKS proxying, privilege escalation, credential stealing, port scanning, and more.

More info https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux

To avoid similar attacks always check if the package has description and is from a reputable author as well as checking for typos

Software developers should scrutinize package names and details and double-check their selection of building blocks when something appears funky.

INFRA/Network

IOS – Remote Execution of malware via Bluetooth

Security researchers were able to exploit successfully vulnerability in the  Bluetooth, NFC, and ultra-wideband (UWB) that are all hardwired to the phone’s secure element. The researchers were able to write to the Bluetooth chip in an iPhone 13 by exploiting a legacy feature that requires iOS to be able to write to the executable RAM regions using a vendor-specific host-controller interface (HCI) command.

Workaround: disable the Find My network as a device policy this can be implemented as policy for your workforce with iPhones running iOS 15

Follow Apple Security Advisory: https://support.apple.com/en-gb/HT201222

Previous Vulnerability Covered here: https://phoenix.security/security-vulnerability-of-the-week-16-05-22/ has not been fixed: https://support.apple.com/en-gb/HT213258

QNAP

QNAP has warned of a new series of attack bots to the vulnerabilities recently fixed

 “a new wave of DeadBolt ransomware attacks. Please install the latest updates”  

 CVE-2022-23121 and others were discovered by NCC Group EDG team at Pwn2Own

We covered the Qnap Vulnerability: https://phoenix.security/security-vulnerability-of-the-week-16-05-22/ and https://phoenix.security/security-vulnerability-of-the-week-09-05-22/

More details: https://www.qnap.com/en-uk/securitydvisories

Affected Versions

• QTS 5.0.x and later
• QTS 4.5.4 and later
• QTS 4.3.6 and later
• QTS 4.3.4 and later
• QTS 4.3.3 and later
• QTS 4.2.6 and later
• QuTS hero h5.0.x and later
• QuTS hero h4.5.4 and later
• QuTScloud c5.0.x

Cloud

Current Year Research on Vulnerabilities Discovered

For the Deep dive on previous Cloud Vulnerabilities: https://phoenix.security/security-vulnerability-of-the-week-02-04-22/

Here https://phoenix.security/security-vulnerability-of-the-week-09-05-22/

and here https://phoenix.security/security-vulnerability-of-the-week-16-05-22/

AutoWrap Vulnerability in Microsoft Azure Automation Service – Orca – CVSS 8.5

What Is the Microsoft Azure Automation Service? 

Microsoft Azure Automation allows customers to execute automation code in a managed fashion. You can schedule jobs, provide input and output, and more. Each customer’s automation code runs inside a sandbox, isolated from other customers’ code executing on the same virtual machine. 

The vulnerability was discovered by the orca team on December 2021 and Public disclosure to Microsoft on March 07 2022

You have been exposed to the vulnerability if

1. You have been using the Azure Automation service
2. The Managed Identity feature in your automation account is enabled (which is enabled by default)

AutoWarp is a critical vulnerability in the Azure Automation service that allowed unauthorized access 

Microsoft Has responded to the incident here: https://msrc-blog.microsoft.com/2022/03/07/13943/

Microsoft has also issued Automation customers to follow Security best practices outlined here.

For full detail of the vulnerability: https://orca.security/resources/blog/autowarp-microsoft-azure-automation-service-vulnerability/

logicApp – NetSPI – CVSS 6

Vulnerability  CVE-2021-42306 (CredManifest) reported to Microsoft on Nov 17 2021

The vulnerability Is triggered when running an account in azure with automation. the vulnerability can be triggered by running an Automation Account with a “Run as” account

Microsoft has issued guidance https://msrc-blog.microsoft.com/2021/11/17/guidance-for-azure-active-directory-ad-keycredential-property-information-disclosure-in-application-and-service-principal-apis/

For the disclosure: https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-cloud-vulnerability-credmanifest/

credManifest – NetSPI – CVSS 6.5 – CVE 2021-42306

extraReplica – Wiz – CVSS 6.8

Bonus

Conti Ransomware group closes and split in more independent units

New from Advanced Intel’s Yelisey Boguslavskiy, who tweeted this afternoon that the gang’s internal infrastructure was turned off.

Conti Has been recently at war with Costa Rica

Advanced Intel report explains that Conti has partnered with numerous well-known ransomware operations, including HelloKitty, AvosLocker, Hive, BlackCat, BlackByte, and more.

Snapshot of costa rica attack:

On Sunday, May 8th, the newly elected Costa Rican President Chaves declared a national emergency citing ongoing Conti ransomware attacks as the reason.

Conti’s data leak site had been updated to state that the group had leaked 97% of the 672 GB data dump allegedly containing information stolen from government agencies: