Information Security Newspaper | Infosec Articles | Hacking News
https://www.securitynewspaper.com/ (feed last built Fri, 22 Apr 2022 20:33:06 +0000)

Pwn2Own Miami paid $400,000 USD for 26 zero-day exploits on ICS and SCADA products
https://www.securitynewspaper.com/2022/04/22/pwn2own-miami-paid-400000-usd-for-26-zero-day-exploits-on-ics-and-scada-products/
Fri, 22 Apr 2022 20:33:03 +0000

The post Pwn2Own Miami paid $400,000 USD for 26 zero-day exploits on ICS and SCADA products appeared first on Information Security Newspaper | Hacking News.

The latest edition of the ethical hacking contest Pwn2Own Miami 2022 concluded this week, with $400,000 USD awarded for 26 zero-day exploits demonstrated against ICS and SCADA products. In this edition the researchers targeted control servers, data gateways, and human-machine interfaces (HMIs).

The Zero Day Initiative (ZDI) posted a message thanking those involved in the event: “Thank you again to all competitors and participating suppliers for their cooperation and for fixing the errors revealed.” Vendors of affected products have 120 days to release patches for flaws reported at Pwn2Own before ZDI publishes them.

The main winners of Pwn2Own Miami 2022 were Daan Keuper and Thijs Alkemade of Computest Sector 7. On the first day, the team earned $20,000 USD by demonstrating a code execution attack on the Inductive Automation Ignition SCADA solution through a missing-authentication flaw. On the same day Computest Sector 7 also demonstrated a remote code execution (RCE) attack on AVEVA Edge HMI/SCADA, receiving a further $20,000 USD.

On the second day, the researchers exploited an infinite-loop bug to cause a denial-of-service (DoS) condition in Unified Automation’s C++ demo server, earning $5,000 USD, and demonstrated an authentication bypass against the OPC Foundation’s OPC UA .NET Standard, earning another $40,000 USD.

Computest Sector 7 won the Master of Pwn title after earning a total of $90,000 USD over the three days of the contest and finishing first on the leaderboard with 90 points.

This year’s Pwn2Own Miami was held in person, with remote participation also permitted for some researchers. At the first edition of Pwn2Own Miami, held in January 2020 with an ICS theme, ZDI awarded $280,000 for 24 zero-day vulnerabilities in ICS and SCADA products.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Zero-day privilege escalation vulnerability in Samsung Galaxy S21 smartphones: No patch available
https://www.securitynewspaper.com/2022/04/06/zero-day-privilege-escalation-vulnerability-in-samsung-galaxy-s21-smartphones-no-patch-available/
Wed, 06 Apr 2022 22:43:54 +0000

Through the Zero Day Initiative (ZDI), researchers have reported a critical local privilege escalation vulnerability in Samsung Galaxy S21 smartphones that could put millions of devices at risk.

According to the report, the flaw allows a local attacker to execute arbitrary code on affected models. To exploit it, the attacker must first be able to run low-privileged code on the target device.

The flaw resides in the Web Bridge WebView. The WebView exposes a JavaScript interface that lets an attacker launch arbitrary applications; chained with other vulnerabilities, this can be used to execute arbitrary code in the context of the current user.

The flaw was reported to Samsung in late 2021. With no functional patch available, the researchers who found it announced their intention to disclose it publicly as a zero-day.

Given the nature of the affected component and of the attack, the only recommended mitigation is to restrict interaction with the exposed application.

This Galaxy model is one of Samsung’s most popular smartphones, so the potential scope of successful exploitation is large. No reports of in-the-wild exploitation are known at this time.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

ProxyToken: Critical vulnerabilities in Exchange allow hackers to take control of your business emails
https://www.securitynewspaper.com/2021/08/31/proxytoken-critical-vulnerabilities-in-exchange-allow-hackers-to-taken-control-of-your-business-emails/
Tue, 31 Aug 2021 16:11:40 +0000

Microsoft has fixed a vulnerability in Exchange Server, discovered at the beginning of 2021, whose exploitation allows threat actors to set forwarding rules on affected mailboxes and thereby gain access to incoming email. Known as ProxyToken and tracked as CVE-2021-33766, the flaw received a medium-severity score of 6.5/10 under the Common Vulnerability Scoring System (CVSS).

The flaw was reported by researcher Le Xuan Tuyen in collaboration with the Zero Day Initiative (ZDI). He explains that the vulnerability lies in how requests to services within the ecp web application (the Exchange Control Panel) are authenticated, and that it can be exploited by sending specially crafted requests that bypass the authentication process.

The ZDI report notes that: “Unauthenticated threat actors can perform arbitrary configuration actions on the affected email accounts.” As a result, an attacker can copy every email received by the affected user and redirect it to a location under the attacker’s control.

Experts point out that the flaw exists because of how the two sites Exchange creates in IIS (the front end and the back end) handle a request that carries a cookie named SecurityToken when the Delegated Authentication feature is not enabled: each side assumes the other is responsible for authenticating it.

“When the front-end sees the SecurityToken cookie, it knows that only the back-end is responsible for authenticating this request. Meanwhile, the backend is completely unaware that it needs to authenticate some incoming requests based on the SecurityToken cookie, as DelegatedAuthModule is not loaded on installations that have not been configured to use the special delegated authentication feature,” the ZDI report states.

An attacker with an account on the same Exchange server as the victim can abuse the flaw to create a forwarding rule that grants access to the victim’s inbox. If administrators have also set a global configuration value permitting forwarding rules to arbitrary Internet destinations, the attack requires no authentication on the affected system at all.
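The two-tier decision described above, as an added illustrative model rather than Exchange code: the front end defers any request carrying a SecurityToken cookie, and the back end, on a default installation where DelegatedAuthModule is not loaded, serves it without anyone having authenticated it. The user store, token format, mailbox name and `/ecp/...` path are constructed for the example, and the `fail_closed` flag stands for the corrected behaviour (reject a deferred request that no module authenticated), not for the exact change Microsoft shipped.

```python
"""Reduced model of the ProxyToken (CVE-2021-33766) authentication hand-off.

Added illustrative example, not Exchange source code. The request shape,
module names and decision logic are a simplified model of the behaviour in
the ZDI write-up quoted above; the users, mailbox name, cookie value and
path are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Constructed credential store standing in for the directory.
KNOWN_USERS = {"alice": "correct horse", "bob": "battery staple"}


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    credentials: Optional[tuple] = None  # (user, password) or None


def front_end(req: Request) -> tuple[Optional[str], bool]:
    """Front-end IIS site. Returns (identity, deferred_to_back_end).

    If a SecurityToken cookie is present the front end does not authenticate
    at all: it assumes the back end will.
    """
    if "SecurityToken" in req.cookies:
        return None, True
    if req.credentials is not None:
        user, password = req.credentials
        if KNOWN_USERS.get(user) == password:
            return user, False
    return None, False


def delegated_auth_module(token: str) -> Optional[str]:
    """Stand-in for DelegatedAuthModule. Constructed token format: 'user:secret'."""
    user, _, secret = token.partition(":")
    return user if KNOWN_USERS.get(user) == secret else None


def back_end(req: Request, identity: Optional[str], deferred: bool,
             delegated_auth_configured: bool, fail_closed: bool) -> int:
    """Back-end IIS site. Returns an HTTP status code.

    delegated_auth_configured: whether DelegatedAuthModule is loaded (it is
    not on a default installation). fail_closed: the corrected behaviour,
    where a deferred request that no module authenticated is rejected.
    """
    if deferred:
        if delegated_auth_configured:
            identity = delegated_auth_module(req.cookies["SecurityToken"])
        elif not fail_closed:
            # Vulnerable path: no module looks at the cookie and the back end
            # trusts that the front end already authenticated the caller, so
            # the handler runs against the mailbox named in the path.
            return 200
    if identity is None:
        return 401
    return 200  # handler runs, e.g. creating an inbox forwarding rule


def handle(req: Request, delegated_auth_configured: bool = False,
           fail_closed: bool = False) -> int:
    identity, deferred = front_end(req)
    if identity is None and not deferred:
        return 401  # the front end rejected the request itself
    return back_end(req, identity, deferred, delegated_auth_configured, fail_closed)


def proxytoken_request(target_mailbox: str) -> Request:
    """Constructed attacker request: an arbitrary SecurityToken and no credentials.
    The path is a placeholder for an ECP configuration action."""
    return Request(path=f"/ecp/{target_mailbox}/inbox-rule",
                   cookies={"SecurityToken": "x"})


if __name__ == "__main__":
    victim = "bob@example.com"
    print("default install:", handle(proxytoken_request(victim)))
    print("fail closed:    ", handle(proxytoken_request(victim), fail_closed=True))
```

The model shows the shape of the bug: authentication is split across two tiers with no fail-closed default, so a request that neither tier claims is served as if it had been authenticated. A valid SecurityToken still works when DelegatedAuthModule is configured, which is why the default-install case (module absent) is the one that matters.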

Users of vulnerable deployments are encouraged to upgrade Exchange to a patched version.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Critical vulnerabilities enable code execution in Siemens products; update now
https://www.securitynewspaper.com/2021/01/18/critical-vulnerabilities-enable-code-execution-in-siemens-products-update-now/
Mon, 18 Jan 2021 18:48:54 +0000

A Siemens security advisory revealed that some of its Digital Industries Software products for product development contain more than 20 vulnerabilities that could be exploited for arbitrary code execution by sending malicious files. The flaws were reported through the Zero Day Initiative (ZDI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).


The advisory lists the affected products as Siemens JT2Go, a 3D visualization tool, and Teamcenter Visualization, used to view documents, 2D drawings and 3D models. In a second advisory, the company disclosed six vulnerabilities in Siemens Solid Edge, a suite of 3D design and visualization tools.

The vast majority of these reports concern high-severity flaws that can lead to arbitrary code execution within the process of the vulnerable application. According to CISA, the vulnerabilities stem from improper validation of user-supplied input when parsing particular file formats; to complete an attack, a threat actor must trick the target user into opening a specially crafted file. The affected formats include JT, CG4, CGM, PDF, RGB, TGA, PAR, ASM, PCX, SGI and DFT.

After receiving the reports, Siemens began working on fixes and published workarounds for the flaws not yet corrected. Siemens also issued a separate advisory describing two vulnerabilities in SCALANCE X switches which, rated critical, could enable man-in-the-middle (MitM) attacks and denial-of-service (DoS) conditions.

Similar flaws at Schneider Electric

CISA also reported at least three vulnerabilities in Schneider Electric products: one in the Sepam ACE850 communication interface, and others in the Operator Terminal Expert and Pro-face BLUE HMI software. According to the agency, the latter would allow arbitrary code execution on vulnerable systems when a specially crafted SSD project file is processed.

Foxit PDF Reader & Foxit PhantomPDF, the most dangerous PDF tools. Critical vulnerabilities allow hackers to spy on you
https://www.securitynewspaper.com/2020/04/21/foxit-pdf-reader-foxit-phantompdf-the-most-dangerous-pdf-tools-critical-vulnerabilities-allow-hackers-to-spy-on-you/
Tue, 21 Apr 2020 21:20:22 +0000

PDF readers have become one of the most exploited attack vectors in recent years. According to digital forensics specialists, Foxit Software has released security patches addressing several serious flaws in its Foxit Reader and PhantomPDF viewing and editing software.

The vulnerabilities affect the Windows versions of Foxit Reader and Foxit PhantomPDF and, if exploited, would allow a remote attacker to execute arbitrary code on the target system. Foxit puts the user base of the free Reader alone at more than 500 million.

A report, published by the Zero Day Initiative (ZDI) vulnerability disclosure platform, mentions: “There are multiple flaws that could trigger remote code execution; all these failures must be considered critical.”

The first two flaws in Foxit Reader (CVE-2020-10899 and CVE-2020-10907) allow remote code execution; the attacker must trick the user into visiting a malicious page or opening a malicious file. Both exist because the software fails to validate that an object exists before performing operations on it, as digital forensics specialists note.

Also disclosed was CVE-2020-10906, a flaw in the resetForm method of Foxit Reader. Again, an object is not validated before operations are performed on it, opening a window for remote code execution.

PhantomPDF also received fixes for critical flaws, including CVE-2020-10890 and CVE-2020-10892, which stem from improper handling of the ConvertToPDF and CombineFiles commands. Exploiting them allows arbitrary file writes with attacker-controlled data, digital forensics experts said.

According to Foxit, any of the flaws described here can lead to remote code execution, although the attacker requires user interaction to complete the attack.

For further reports on vulnerabilities, exploits, malware variants and computer security risks you can access the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.

All versions of Microsoft Exchange Server are vulnerable to CVE-2020-0688; exploit now available
https://www.securitynewspaper.com/2020/02/26/all-versions-of-microsoft-exchange-server-are-vulnerable-to-cve-2020-0688-exploit-now-available/
Wed, 26 Feb 2020 18:22:39 +0000

Through the Zero Day Initiative (ZDI) vulnerability disclosure platform, a web application security specialist reported a critical flaw in all currently supported versions of Microsoft Exchange Server. If exploited, the vulnerability allows an authenticated threat actor to run arbitrary code on the Exchange server, and with it to read or forge corporate email at will. The flaw is tracked as CVE-2020-0688.

The report was submitted to ZDI by an anonymous researcher. Technical details and a working exploit have since been published on the Internet, so malicious groups could begin exploiting the flaw in the wild, exposing millions of users. Microsoft has released a security advisory urging users to install the patches released a few days ago.

Patches for this vulnerability were released on February 11 as part of Microsoft’s February 2020 Patch Tuesday. That does not mean every affected organization has installed them: updates are often deferred to avoid downtime or unforeseen side effects, so thousands of deployments could remain exposed.

Although the anonymous researcher noted that exploitation requires an authenticated user, there are many ways to obtain a user’s credentials (phishing, password reuse, password spraying), so this is only a minor obstacle. The report also specifies that organizations exposing Exchange directly to the Internet are most at risk.

The flaw resides in the Exchange Control Panel (ECP) component and exists for a simple reason: instead of generating random keys for each installation, every Exchange Server installation ships with the same validationKey and decryptionKey values in web.config.

These keys protect the ViewState, the server-side state that ASP.NET web applications store in serialized form on the client and that the client returns to the server in the __VIEWSTATE parameter. Because the keys are static and known, an authenticated attacker can craft a malicious ViewState payload that passes the integrity check, tricking the server into deserializing it and executing code with the privileges of the ECP application pool, which runs as SYSTEM.
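To make the static-key point concrete, here is an added example (not Exchange or ASP.NET code) in two parts: a check that parses a web.config fragment and flags a hard-coded machineKey, and a simplified HMAC-SHA1 model of the ViewState MAC showing that a payload signed with a key read from one installation is accepted by every other installation sharing that key, while per-install random keys defeat the same forgery. The web.config fragments, hex key, generator string and payload are constructed; the real ASP.NET MAC construction differs in detail.

```python
"""Why a static machineKey breaks ASP.NET ViewState protection (CVE-2020-0688).

Added example, not Exchange or ASP.NET code. The MAC below (HMAC-SHA1 over
the serialized state and a generator value) is a simplified stand-in for the
real ViewState MAC, and the web.config fragments and hex key are constructed,
not the values shipped with any product.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

# Constructed web.config fragments.
STATIC_WEB_CONFIG = """<configuration><system.web>
  <machineKey validationKey="00112233445566778899AABBCCDDEEFF00112233"
              decryptionKey="FFEEDDCCBBAA99887766554433221100"
              validation="SHA1" decryption="AES"/>
</system.web></configuration>"""

AUTOGEN_WEB_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" validation="SHA1"/>
</system.web></configuration>"""


def machine_key_is_static(web_config_xml: str) -> bool:
    """True if web.config pins validationKey or decryptionKey to a literal value.

    'AutoGenerate' (optionally ',IsolateApps') tells ASP.NET to derive the keys
    per machine and application; a missing element means the same default.
    """
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return False
    return any(not mk.get(attr, "AutoGenerate").startswith("AutoGenerate")
               for attr in ("validationKey", "decryptionKey"))


def sign_viewstate(validation_key: bytes, generator: str, state: bytes) -> bytes:
    """Simplified __VIEWSTATE: serialized state followed by a 20-byte MAC."""
    mac = hmac.new(validation_key, state + generator.encode(), hashlib.sha1).digest()
    return state + mac


def verify_viewstate(validation_key: bytes, generator: str, blob: bytes) -> bytes | None:
    """Return the state if the MAC verifies, else None (server must not deserialize)."""
    state, mac = blob[:-20], blob[-20:]
    expected = hmac.new(validation_key, state + generator.encode(), hashlib.sha1).digest()
    return state if hmac.compare_digest(mac, expected) else None


class Install:
    """One server. A random key per install unless a static key is imposed."""
    GENERATOR = "ecp-default-page"  # constructed stand-in for __VIEWSTATEGENERATOR

    def __init__(self, validation_key: bytes | None = None):
        self.key = validation_key if validation_key is not None else secrets.token_bytes(32)

    def accepts(self, blob: bytes) -> bool:
        return verify_viewstate(self.key, self.GENERATOR, blob) is not None


def forgery_outcomes(payload: bytes) -> dict[str, bool]:
    """Attacker signs a payload with the key from their own install and sends it to a victim's."""
    static_key = bytes.fromhex("00112233445566778899AABBCCDDEEFF00112233")
    attacker_static, victim_static = Install(static_key), Install(static_key)
    attacker_random, victim_random = Install(), Install()
    return {
        # CVE-2020-0688 condition: every install shares the key, so the forgery verifies.
        "static_key_forgery_accepted": victim_static.accepts(
            sign_viewstate(attacker_static.key, Install.GENERATOR, payload)),
        # Per-install keys: the attacker's signature is meaningless on the victim.
        "random_key_forgery_accepted": victim_random.accepts(
            sign_viewstate(attacker_random.key, Install.GENERATOR, payload)),
        # Sanity check: a genuine round trip still verifies.
        "legitimate_roundtrip_accepted": victim_random.accepts(
            sign_viewstate(victim_random.key, Install.GENERATOR, payload)),
    }


if __name__ == "__main__":
    print("static config flagged:", machine_key_is_static(STATIC_WEB_CONFIG))
    print(forgery_outcomes(b"<constructed serialized payload>"))
```

The `machine_key_is_static` check is the part worth running against your own ASP.NET deployments: any application that hard-codes a machineKey in a shipped web.config has the same property the model demonstrates, namely that one leaked or extracted key verifies ViewState for every copy of that application.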

International Institute of Cyber Security (IICS) web application security specialists recommend that administrators of exposed deployments patch their systems as soon as possible.

Why “Just Patch It!” Isn’t as Easy as You Think
https://www.securitynewspaper.com/2017/05/15/just-patch-isnt-easy-think/
Mon, 15 May 2017 17:43:13 +0000

At the Zero Day Initiative (ZDI), we see patches in a way few do. We get the initial report from a researcher, we verify the issue internally, we notify the vendor, and finally we publish some details once a patch is released. Those patches represent the best method for preventing cyber attacks. Recently, an issue patched by Microsoft in March 2017 (MS17-010) was used by malware known as Wanna, WannaCry, or WCry to infect systems globally with ransomware.

How could something fixed more than 60 days earlier wreak so much havoc around the globe? Why can’t people simply patch? Sometimes patching isn’t as easy as it sounds, especially for enterprises.

Step 1: Prepare for the patch 

To establish a complete patching strategy, organizations first need to identify the assets they own. This is usually harder than it sounds. Enterprises can use a mixture of open source software (OSS) and commercial tools to identify and catalog the systems and devices on their network; even when the software is free, implementing it has a cost. Once an enterprise knows what needs to be protected, it must create and document a process to update those devices, not just workstations and servers but also networking equipment such as routers and switches. Decisions need to be made.

Will an automated system be used, or will an administrator need to physically touch each machine? Since security patches often require a reboot or some other workflow disruption, when will the patches be applied? Documenting the patching strategy ensures uniformity and consistency of patching throughout the enterprise.

Step 2: Find the patch 

Now all you need to do is find some patches. Having a robust strategy is somewhat pointless if those in charge are not subscribed to the appropriate mailing lists, RSS feeds, Twitter accounts, and other channels vendors use to announce a new patch. Some vendors communicate more robustly than others. Once you find the patch, you must determine how to install it. Small enterprises may consider doing this manually, but any enterprise with more than a handful of machines should invest in automated tools. As with asset-identification tools, there are many choices at varying costs. Still, the cost of an automated system is far outweighed by the cost of installing patches manually at scale.

Step 3: Test the patch 

There is just one final step an enterprise should consider before deploying any patch: testing. Repairing and restoring systems affected by a faulty patch is both disruptive and costly. To prevent this, there are various forms of testing. If resources exist, the minimum amount of testing should involve applying the patch to a similar system in a non-production environment to make sure business functions continue after the patch is installed.

Step 4: Patch! 

Once you identify your assets, document your processes, find your relevant patches, institute automated patch deployment, and test the patch – congratulations! You may now install that patch!
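One concrete piece of the process above, as an added example that is not part of the original post: reconciling an asset inventory (Step 1) against a vendor advisory (Step 2) to list which hosts still need the patch, how long the fix has been available, and which tier to patch first (test in Step 3 before production in Step 4). The hosts, product names, versions and advisory date are constructed; the date arithmetic reproduces the "more than 60 days" gap of the WannaCry example.

```python
"""Reconciling an asset inventory against a vendor advisory (Steps 1 to 4).

Added example, not from the ZDI post. The hosts, product names, versions and
advisory date are constructed; the point is that "which systems still need
this patch, and for how long have they been exposed" needs a real inventory
and a numeric version comparison, not a string match.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str   # as reported by the inventory agent
    owner: str
    tier: str      # "test" or "prod"


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: str  # first version containing the fix
    released: date


# Constructed inventory. Note the versions that sort wrongly as strings.
INVENTORY = [
    Asset("fs01", "ExampleFileServer", "10.2.1", "infra", "prod"),
    Asset("fs02", "ExampleFileServer", "9.10.4", "infra", "prod"),
    Asset("fs-test", "ExampleFileServer", "9.8", "infra", "test"),
    Asset("fs03", "ExampleFileServer", "10.1.0", "finance", "prod"),
    Asset("sw01", "ExampleSwitchOS", "4.2", "network", "prod"),
]
# Constructed advisory dated to the March 2017 fix the article refers to.
ADVISORY = Advisory("ExampleFileServer", fixed_in="10.1", released=date(2017, 3, 14))


def version_key(v: str) -> tuple[int, ...]:
    """Numeric comparison key: '10.2' > '9.10', and '10.1' == '10.1.0'."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()  # trailing zero components do not change the version
    return tuple(parts)


def is_vulnerable(asset: Asset, adv: Advisory) -> bool:
    """Same product and a version older than the first fixed one."""
    return (asset.product == adv.product
            and version_key(asset.version) < version_key(adv.fixed_in))


def exposure_report(inventory: list[Asset], adv: Advisory, today: date) -> list[dict]:
    """Vulnerable hosts, test tier first (patch there before prod), then by name."""
    rows = [
        {"host": a.hostname, "version": a.version, "owner": a.owner, "tier": a.tier,
         "days_since_fix": (today - adv.released).days}
        for a in inventory if is_vulnerable(a, adv)
    ]
    return sorted(rows, key=lambda r: (r["tier"] != "test", r["host"]))


if __name__ == "__main__":
    for row in exposure_report(INVENTORY, ADVISORY, date(2017, 5, 15)):
        print(row)
```

Two details carry the weight here: comparing versions as integer tuples (a plain string compare would call 9.10.4 newer than 10.1 and hide fs02), and sorting the test tier ahead of production so the report doubles as the rollout order Step 3 asks for.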

Beyond the complexity of patching in the enterprise, there’s also a psychological barrier with patching that many people need to overcome. Simply put, people are afraid of security patches for several reasons.

  • Security patches intended to close holes end up breaking other software, or even leaving the entire system unusable
  • Alternatively, there are times when the patch does not address the root problem
  • Some vendors have chosen to include additional software or features not wanted by users – like changing the default browser with an unrelated instant messenger patch
  • Perhaps the worst-case scenario, there have been security patches that ended up introducing additional security vulnerabilities

While the industry as a whole has improved over the years, problems – including historic fears – remain.

The vulnerability used in WCry was listed in a dump of tools purportedly used by the NSA alongside something called EwokFrenzy. We knew EwokFrenzy in the ZDI program as ZDI-07-011, when it came through 10 years prior. Does that imply the exploit was still effective 10 years after the vendor released a patch? That does seem likely. It’s also the latest data point in more than two decades of urging regular patching and strong backup policies.

It isn’t easy. It isn’t simple. It often isn’t cheap. But the potential cost (both financially and to the organization’s reputation) of leaving vulnerabilities unpatched far outweighs the cost of patching. Recovery after attacks is harder, more complex, and more expensive – it’s time we admit patches matter.

Source:https://blog.trendmicro.com/just-patch-isnt-easy-think/
