Cisco stories, ICS and Apple features

Apple recently released its new OS Bg Sur and immediately started fixing vulnerabilities. Also, undocumented features were found in new platform. Cisco is fixing vulnerabilities in its products strangely. Pair of funny tools and a couple of interesting stories in news section.

  • Vulnerabilities: Cisco story, “bugs” in messagers and ICS;
  • Tools: Bloodhound continues to be updated, the tool in the Microsoft store and others;
  • News: Apple features, ZOOM “hack” and Trump;
  • Research: Regular personal observations of the author with the most useful research.

Really short feedback -> here


Vulnerabilities

Cisco released fixes for three vulnerabilities CVE-2020-3441, CVE-2020-3471, and CVE-2020-3419 in the Webex conferencing application. The vulnerabilities allowed outsiders to join the conference and stay in the chat, even after they were kicked.

The vulnerabilities were discovered by IBM researchers when they audited tools that were used by the company during the coronavirus pandemic. The researchers say that the vulnerabilities allowed an attacker to join someone else’s conference as a ghost user that other chat participants would not see. In doing so, a hacker could gain access to audio and video content, chat itself, and other Webex features.

https://vulners.com/threatpost/THREATPOST:8A5B77A578DFAA9ED756B8B13294B030

What about Cisco Security Manager (CSM)?
Several pre-auth vulnerabilities were submitted to Cisco on 2020-07-13 and (according to Cisco) patched in version 4.22 on 2020-11-10. Release notes didn’t state anything about the vulnerabilities, security advisories were not published. All payload are processed in the context of NT AUTHORITY\SYSTEM.:

“A day after proof-of-concept (PoC) exploit code was published for a critical flaw in Cisco Security Manager, Cisco has hurried out a patch.”

https://vulners.com/threatpost/THREATPOST:F499FA7121782ED3385983D16DC7D743

CVE-2020-27125, CVE-2020-27130, CVE-2020-27131: Pre-Authentication Vulnerabilities in Cisco Security Manager Disclosed. Full time-line in the next research with all details about this situation:
https://www.tenable.com/blog/cve-2020-27125-cve-2020-27130-cve-2020-27131-vulnerabilities-in-cisco-security-manager

Trustwave researchers found a vulnerability in GO SMS Pro application installed more than 100 000 000 times. Due to the bug, the multimedia files exchanged by users were available to anyone. The potential attacker is able to view these files without even knowing the URLs themselves and without any authentication.

The guys from Trustwave notified the developers of the problem on August 20, 2020, but they still did not receive answers to their three letters. As a result, the experts disclosed the vulnerability data publicly. Bleeping Computer notes that their attempts to contact the developers also failed, and the company’s website is generally unavailable: instead, visitors see a message about the successful installation of the Tengine web server.

https://vulners.com/threatpost/THREATPOST:A9437435DAA03AED786FCFF49E8C8E15

Facebook fixed a critical vulnerability in the Facebook Messenger app for Android. Its operations allowed callers, without permission, to listen to the surroundings of other users before the caller on the other end answered the call.

The vulnerability was discovered in the Android version of Facebook Messenger 284.0.0.16.119 last month.

https://vulners.com/threatpost/THREATPOST:5121F056A99F51D23A4BB71AF117FA3C

Researchers at Claroty discovered a vulnerability in the implementation of the ENIP Real Time Automation 499ES stack, which is one of the most common in ICS. Exploitation of the vulnerability allows an attacker to carry out a denial of service attack and remotely execute malicious code, that is, in fact, take control of the attacked device. In this regard, the vulnerability was rated at 9.8 out of 10 on the severity scale.

Vulnerability affected versions of ENIP before 2.28, and RTA, after it was notified about bug, found out that it was really fixed in 2012 update.

The researchers found 11 ICS components from 6 vendors that were vulnerable and some of them can be accessed from the network. The manufacturers were urgently contacted by RTA, but whether the owners of the production will be able to quickly update their devices is unknown.

https://vulners.com/ics/ICSA-20-324-03

https://vulners.com/threatpost/THREATPOST:10A61064425D5FB56709F9F97FD8E209


Tools

BloodHound 4.0
The Azure Update has released! This release supports enumeration of accounts on Azure AD.

https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350

Wanna learn how to hack Bluetooth devices?
Try BLE HackMe, a free tool for Windows 10 that simulates various BLE devices without the need for any dedicated hardware and offers various hands-on hacking challenges for practice.

http://smartlockpicking.com/ble_hackme

Teler
It is an real-time intrusion detection and threat alert based on web log that runs in a terminal with resources that we collect and provide by the community.

https://vulners.com/kitploit/KITPLOIT:366565016451105274

Doctrack
Tool to manipulate and insert tracking pixels into Office Open XML documents.

https://vulners.com/kitploit/KITPLOIT:5572469956845416435


News

Apple Big Sur has a new feature that allows its own applications and processes to bypass firewalls and VPN, which not only can lead to the potential use of this loophole by hackers, but also significantly undermines the privacy of users.

ProtonVPNs reported that they checked and confirm that their VPN client for macOS does not allow dedicated Apple applications to bypass it. The only limitation is that it works with the Kill Switch function enabled.

https://vulners.com/threatpost/THREATPOST:DD8706D395FF6FDA26BB819FB28DD1B1

Dutch journalist Daniel Verlaan from RTL Nieuws accidentally joined a secret conference of EU ministers. He got access to a confidential video conference of EU defense ministers thanks to a confidential photo posted on the Dutch Defense Minister’s Twitter account.

The secret videoconference was attended by EU ministers. The main topic was the discussion of the document, which had been prepared for a long time by all EU intelligence services. It is dedicated to potential threats to European countries.

The journalist was immediately informed that his appearance at a secret conference would lead to a criminal offense – and they demanded to immediately disconnect. He didn’t have to ask twice.
P.S. But why again ZOOM ???

Video and source: https://www.dailymail.co.uk/news/article-8973021/Dutch-journalist-smiles-waves-gatecrashes-secret-EU-Zoom-meeting.html

On November 18, US President Donald Trump fired the head of the Cybersecurity and Infrastructure Security Agency (CISA), a structure formed by his administration specifically to protect American computer networks from hackers.

The reason for Christopher Krebs’s dismissal was the signing of an official report last week, which described the 2020 US presidential election as “the safest in American history.”

https://vulners.com/threatpost/THREATPOST:6480801743E59B5727479BAEB4CB4B6A


Research

Dumping Memory with AV – Avast Home Security: https://www.archcloudlabs.com/projects/dumping-memory-with-av

Purgalicious VBA: Macro Obfuscation With VBA Purging: https://vulners.com/fireeye/FIREEYE:8D779B306613055FC0293190F461093D

“Hypervisor Vulnerability Research: State of the Art” (with a deep focus on Hyper-V & ESXi) https://alisa.sh/slides/HypervisorVulnerabilityResearch2020.pdf

IT threat evolution Q3 2020 report:
https://vulners.com/securelist/SECURELIST:73735B62C781261398E44FFF82262BCD


Really short feedback -> here

Leave a Reply