Researchers Detail Kubernetes Vulnerability That Enables Windows Node Takeover
https://www.indiavpn.org/2024/03/14/researchers-detail-kubernetes-vulnerability-that-enables-windows-node-takeover/ (Thu, 14 Mar 2024 12:56:52 +0000)

Mar 14, 2024 | Newsroom | Container Security / Vulnerability

Details have been made public about a now-patched high-severity flaw in Kubernetes that could allow a malicious attacker to achieve remote code execution with elevated privileges under specific circumstances.

“The vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster,” Akamai security researcher Tomer Peled said. “To exploit this vulnerability, the attacker needs to apply malicious YAML files on the cluster.”

Tracked as CVE-2023-5528 (CVSS score: 7.2), the shortcoming impacts all versions of kubelet, including and after version 1.8.0. It was addressed as part of updates released on November 14, 2023, in the following versions –

  • kubelet v1.28.4
  • kubelet v1.27.8
  • kubelet v1.26.11, and
  • kubelet v1.25.16

“A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes,” Kubernetes maintainers said in an advisory released at the time. “Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.”

Successful exploitation of the flaw could result in a complete takeover of all Windows nodes in a cluster. It’s worth noting that another set of similar flaws was previously disclosed by the web infrastructure company in September 2023.

The issue stems from the use of an “insecure function call and lack of user input sanitization,” and relates to a feature called Kubernetes volumes, specifically a volume type known as local volumes, which allows users to mount a disk partition in a pod by specifying or creating a PersistentVolume.

“While creating a pod that includes a local volume, the kubelet service will (eventually) reach the function ‘MountSensitive()’,” Peled explained. “Inside it, there’s a cmd line call to ‘exec.command’, which makes a symlink between the location of the volume on the node and the location inside the pod.”

This provides a loophole that an attacker can exploit by creating a PersistentVolume with a specially crafted path parameter in the YAML file, which triggers command injection and execution by using the “&&” command separator.

“In an effort to remove the opportunity for injection, the Kubernetes team chose to delete the cmd call, and replace it with a native GO function that will perform the same operation, ‘os.Symlink()’,” Peled said of the patch put in place.
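To make the vulnerable pattern and the fix concrete, the following is an added Go example written for this page, not kubelet's own code: it flags local-volume paths that carry shell operators (the pattern the old cmd call exposed), enforces a hypothetical allowed-root policy, and then creates the link with os.Symlink as the patch does. The function names, the allowed-root policy and the metacharacter set beyond “&&” are assumptions; the sample paths are constructed and use Unix separators.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Characters a shell-built "mklink" command line would treat as operators.
// The page names "&&"; the wider set is an assumption for a general check.
const shellMeta = "&|;<>`$\"'\n\r"

// PathLooksInjected flags the pattern that made the old cmd call exploitable.
func PathLooksInjected(p string) bool {
	return strings.ContainsAny(p, shellMeta)
}

// ValidateLocalPath rejects injected, relative, or root-escaping paths
// (a hypothetical admission-style policy, not kubelet's own code).
func ValidateLocalPath(p, allowedRoot string) error {
	if PathLooksInjected(p) {
		return errors.New("path contains shell metacharacters")
	}
	if !filepath.IsAbs(p) {
		return errors.New("path must be absolute")
	}
	rel, err := filepath.Rel(allowedRoot, filepath.Clean(p))
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return fmt.Errorf("path %q escapes %q", p, allowedRoot)
	}
	return nil
}

// LinkVolume follows the patched approach the page describes: os.Symlink
// creates the link, so the path never becomes part of a command line.
func LinkVolume(hostPath, podPath, allowedRoot string) error {
	if err := ValidateLocalPath(hostPath, allowedRoot); err != nil {
		return err
	}
	return os.Symlink(hostPath, podPath)
}

func main() {
	root, _ := os.MkdirTemp("", "vol")
	defer os.RemoveAll(root)
	// Constructed sample of the crafted-path shape the page describes.
	fmt.Println(ValidateLocalPath(root+"/data && echo injected", root)) // error
	fmt.Println(LinkVolume(root+"/data", root+"/pod", root))            // <nil>
}
```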

The disclosure comes as a critical security flaw discovered in the end-of-life (EoL) Zhejiang Uniview ISC camera model 2500-S (CVE-2024-0778, CVSS score: 9.8) is being exploited by threat actors to drop a Mirai botnet variant called NetKiller that shares infrastructure overlaps with a different botnet named Condi.

“The Condi botnet source code was released publicly on Github between August 17 and October 12, 2023,” Akamai said. “Considering the Condi source code has been available for months now, it is likely that other threat actors […] are using it.”

Researchers Detail Apple’s Recent Zero-Click Shortcuts Vulnerability
https://www.indiavpn.org/2024/02/23/researchers-detail-apples-recent-zero-click-shortcuts-vulnerability/ (Fri, 23 Feb 2024 06:49:51 +0000)

Feb 23, 2024 | Newsroom | Data Privacy / iOS Security

Details have emerged about a now-patched high-severity security flaw in Apple’s Shortcuts app that could permit a shortcut to access sensitive information on the device without users’ consent.

The vulnerability, tracked as CVE-2024-23204 (CVSS score: 7.5), was addressed by Apple on January 22, 2024, with the release of iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and watchOS 10.3.

“A shortcut may be able to use sensitive data with certain actions without prompting the user,” the iPhone maker said in an advisory, stating it was fixed with “additional permissions checks.”

Apple Shortcuts is a scripting application that allows users to create personalized workflows (aka macros) for executing specific tasks on their devices. It comes installed by default on iOS, iPadOS, macOS, and watchOS operating systems.

Bitdefender security researcher Jubaer Alnazi Jabin, who discovered and reported the Shortcuts bug, said it could be weaponized to create a malicious shortcut that bypasses Transparency, Consent, and Control (TCC) policies.

TCC is an Apple security framework designed to prevent apps from accessing user data without first requesting the appropriate permissions.

Specifically, the flaw is rooted in a shortcut action called “Expand URL,” which is capable of expanding and cleaning up URLs that have been shortened using a URL shortening service like t.co or bit.ly, while also removing UTM tracking parameters.

“By leveraging this functionality, it became possible to transmit the Base64-encoded data of a photo to a malicious website,” Alnazi Jabin explained.

“The method involves selecting any sensitive data (Photos, Contacts, Files, and clipboard data) within Shortcuts, importing it, converting it using the base64 encode option, and ultimately forwarding it to the malicious server.”

The exfiltrated data is then captured and saved as an image on the attacker’s end using a Flask application, paving the way for follow-on exploitation.

“Shortcuts can be exported and shared among users, a common practice in the Shortcuts community,” the researcher said. “This sharing mechanism extends the potential reach of the vulnerability, as users unknowingly import shortcuts that might exploit CVE-2024-23204.”

Experts Detail New Flaws in Azure HDInsight Spark, Kafka, and Hadoop Services
https://www.indiavpn.org/2024/02/06/experts-detail-new-flaws-in-azure-hdinsight-spark-kafka-and-hadoop-services/ (Tue, 06 Feb 2024 17:41:32 +0000)

Feb 06, 2024 | Newsroom | Vulnerability / Cloud Security

Three new security vulnerabilities have been discovered in Azure HDInsight’s Apache Hadoop, Kafka, and Spark services that could be exploited to achieve privilege escalation and a regular expression denial-of-service (ReDoS) condition.

“The new vulnerabilities affect any authenticated user of Azure HDInsight services such as Apache Ambari and Apache Oozie,” Orca security researcher Lidor Ben Shitrit said in a technical report shared with The Hacker News.

The list of flaws is as follows –

  • CVE-2023-36419 (CVSS score: 8.8) – Azure HDInsight Apache Oozie Workflow Scheduler XML External Entity (XXE) Injection Elevation of Privilege Vulnerability
  • CVE-2023-38156 (CVSS score: 7.2) – Azure HDInsight Apache Ambari Java Database Connectivity (JDBC) Injection Elevation of Privilege Vulnerability
  • Azure HDInsight Apache Oozie Regular Expression Denial-of-Service (ReDoS) Vulnerability (no CVE)

The two privilege escalation flaws could be exploited by an authenticated attacker with access to the target HDI cluster to send a specially crafted network request and gain cluster administrator privileges.

The XXE flaw is the result of a lack of user input validation that allows for root-level file reading and privilege escalation, while the JDBC injection flaw could be weaponized to obtain a reverse shell as root.

“The ReDoS vulnerability on Apache Oozie was caused by a lack of proper input validation and constraint enforcement, and allowed an attacker to request a large range of action IDs and cause an intensive loop operation, leading to a denial-of-service (DoS),” Ben Shitrit explained.

Successful exploitation of the ReDoS vulnerability could result in a disruption of the system’s operations, cause performance degradation, and negatively impact both the availability and reliability of the service.

Following responsible disclosure, Microsoft has rolled out fixes as part of updates released on October 26, 2023.

The development arrives nearly five months after Orca detailed a collection of eight flaws in the open-source analytics service that could be exploited for data access, session hijacking, and delivering malicious payloads.

In December 2023, Orca also highlighted a “potential abuse risk” impacting Google Cloud Dataproc clusters, in which the lack of security controls in Apache Hadoop’s web interfaces and the default settings applied when creating resources could be abused to access any data on the Apache Hadoop Distributed File System (HDFS) without any authentication.

Experts Detail Multi-Million Dollar Licensing Model of Predator Spyware
https://www.indiavpn.org/2023/12/23/experts-detail-multi-million-dollar-licensing-model-of-predator-spyware/ (Sat, 23 Dec 2023 21:18:27 +0000)

Dec 21, 2023 | Newsroom | Zero-Day / Mobile Security

A new analysis of the sophisticated commercial spyware called Predator has revealed that its ability to persist between reboots is offered as an “add-on feature” and that it depends on the licensing options chosen by the customer.

“In 2021, Predator spyware couldn’t survive a reboot on the infected Android system (it had it on iOS),” Cisco Talos researchers Mike Gentile, Asheer Malhotra, and Vitor Ventura said in a report shared with The Hacker News. “However, by April 2022, that capability was being offered to their customers.”

Predator is the product of a consortium called the Intellexa Alliance, which includes Cytrox (subsequently acquired by WiSpear), Nexa Technologies, and Senpai Technologies. Both Cytrox and Intellexa were added to the Entity List by the U.S. in July 2023 for “trafficking in cyber exploits used to gain access to information systems.”

The latest findings come more than six months after the cybersecurity vendor detailed the inner workings of Predator and its close relationship with a loader component called Alien.

“Alien is crucial to Predator’s successful functioning, including the additional components loaded by Predator on demand,” Malhotra told The Hacker News at the time. “The relationship between Alien and Predator is extremely symbiotic, requiring them to continuously work in tandem to spy on victims.”

Predator, which can target both Android and iOS, has been described as a “remote mobile extraction system” that’s sold on a licensing model running into millions of dollars, depending on the exploit used for initial access and the number of concurrent infections, putting it out of reach of script kiddies and novice criminals.

Spyware such as Predator and Pegasus, the latter developed by NSO Group, often relies on zero-day exploit chains in Android, iOS, and web browsers as covert intrusion vectors. But as Apple and Google continue to plug the security gaps, these exploit chains may be rendered ineffective, forcing the vendors to go back to the drawing board.

However, it’s worth noting that the companies behind mercenary surveillance tools can also procure either full or partial exploit chains from exploit brokers and fashion them into an operational exploit that can be employed to effectively breach target devices.

Another key aspect of Intellexa’s business model is that it offloads the work of setting up the attack infrastructure to the customers themselves, leaving it room for plausible deniability should the campaigns come to light (as they inevitably do).

“The delivery of Intellexa’s supporting hardware is done at a terminal or airport,” the researchers said.

“This delivery method is known as Cost Insurance and Freight (CIF), which is part of the shipping industry’s jargon (‘Incoterms’). This mechanism allows Intellexa to claim that they have no visibility of where the systems are deployed and eventually located.”

On top of that, Intellexa possesses “first-hand knowledge” of whether their customers are performing surveillance operations outside their own borders owing to the fact that the operations are intrinsically connected to the license, which, by default, is restricted to a single phone country code prefix.

This geographic limitation, nonetheless, can be loosened for an additional fee.

Cisco Talos noted that while public exposure of private-sector offensive actors and their campaigns has aided attribution efforts, it has had little impact on their ability to conduct and grow their business across the world, even if it may affect their customers, such as governments.

“It may increase the costs by making them buy or create new exploit chains but these vendors appear to have seamlessly acquired new exploit chains, enabling them to remain in business by jumping from one set of exploits to another as a means of initial access,” the researchers said.

“What is needed is the public disclosure of technical analyses of the mobile spyware and tangible samples enabling public scrutiny of the malware. Such public disclosures will not only enable greater analyses and drive detection efforts but also impose development costs on vendors to constantly evolve their implants.”
