SANS NewsBites

Devices Using Blackberry QNX Must Be Patched; Fortinet WAF Management Interface is Vulnerable; T-Mobile Breach Exposed PINs of 850,000 Users

August 20, 2021  |  Volume XXIII - Issue #65

Top of the News


2021-08-19

BlackBerry QNX RTOS BadAlloc Vulnerability

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning of a vulnerability affecting BlackBerry’s QNX Real Time Operating System (RTOS). The issue is due to an integer overflow in the C Runtime Library and is one of the vulnerabilities in a group of flaws known as BadAlloc.
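The BadAlloc class is an unchecked multiplication inside an allocator: the byte count is computed as count times element size in size_t arithmetic, wraps on overflow, and the allocation comes back far smaller than the caller believes. The following is an added illustration written for this page, not BlackBerry's or QNX's C runtime code and not the patched routine; the helper names (unchecked_alloc_size, checked_alloc_size, would_overflow, safe_array_alloc) are hypothetical, and the overflowing request is constructed so that it wraps on both 32- and 64-bit targets.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical allocation helpers (not QNX code) showing the BadAlloc
 * pattern: an allocation size computed as count * elem_size in size_t
 * arithmetic, first without and then with an overflow check. */

/* Unchecked: the multiplication wraps modulo SIZE_MAX + 1, so a huge
 * request silently turns into a tiny (or zero-byte) allocation. A caller
 * that then writes `count` elements overruns the heap buffer. */
size_t unchecked_alloc_size(size_t count, size_t elem_size)
{
    return count * elem_size;
}

/* Checked: refuses the request when count * elem_size does not fit in
 * size_t. Returns 1 and stores the byte count in *out on success, 0 on
 * overflow. The division-based test is portable C; on GCC/Clang,
 * __builtin_mul_overflow(count, elem_size, out) does the same in one call. */
int checked_alloc_size(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size) {
        return 0;
    }
    *out = count * elem_size;
    return 1;
}

/* Convenience predicate: 1 if the request would wrap, 0 otherwise. */
int would_overflow(size_t count, size_t elem_size)
{
    size_t unused;
    return !checked_alloc_size(count, elem_size, &unused);
}

/* Hardened array allocator: returns NULL on overflow instead of handing
 * back an undersized buffer. Zero-byte requests also yield NULL so a
 * caller never receives a pointer it cannot legitimately write through. */
void *safe_array_alloc(size_t count, size_t elem_size)
{
    size_t bytes;
    if (!checked_alloc_size(count, elem_size, &bytes) || bytes == 0) {
        return NULL;
    }
    return malloc(bytes);
}

int main(void)
{
    /* Constructed request that overflows on both 32- and 64-bit targets:
     * (SIZE_MAX / 4 + 1) * 4 == SIZE_MAX + 1, which wraps to 0. */
    size_t huge = SIZE_MAX / 4 + 1;
    size_t ok;
    void *p;

    printf("unchecked size for %zu x 4 bytes: %zu (wrapped)\n",
           huge, unchecked_alloc_size(huge, 4));
    printf("checked allocator refuses it: %s\n",
           safe_array_alloc(huge, 4) == NULL ? "yes" : "no");

    checked_alloc_size(1000, 4, &ok);
    printf("checked size for 1000 x 4 bytes: %zu\n", ok);

    p = safe_array_alloc(16, 8);
    printf("normal request succeeded: %s\n", p ? "yes" : "no");
    free(p);
    return 0;
}
```

The detection side follows from the same arithmetic: an allocator that cannot refuse a wrapped size can only be protected by the caller, which is why a fix has to land in the runtime library itself rather than in each product built on it.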

Editor's Note

Assessing the impact of this vulnerability is very difficult. BlackBerry QNX is used in various devices: medical, industrial, automotive and more. The vulnerability is only exploitable if it is exposed via software running on a BlackBerry QNX device. This software is likely not part of BlackBerry QNX but created for a particular device. First try to get a handle on which devices actually use BlackBerry QNX in your environment, or if you use it in any products. The safe option is to patch regardless of exposure. Finally, any devices like this should always be segregated as much as possible.

Johannes Ullrich

The wide variety of embedded systems with QNX means updates are not going to be available at a specific point in time. Make sure only authorized connections are allowed, and apply the updates when available. Monitor for malfeasance or other signs of tampering.

Lee Neely

Read more in

CISA: BadAlloc Vulnerability Affecting BlackBerry QNX RTOS

BlackBerry: QNX-2021-001 Vulnerability in the C Runtime Library Impacts BlackBerry QNX Software Development Platform (SDP), QNX OS for Medical, and QNX OS for Safety

The Register: After reportedly dragging its feet, BlackBerry admits, yes, QNX in cars, equipment suffers from BadAlloc bug

The Register: BadAlloc: Microsoft looked at memory allocation code in tons of devices and found this one common security flaw (April 29, 2021)

SC Magazine: ‘BadAlloc’ flaws in Blackberry QNX RTOS impacts health care, critical infrastructure

ZDNet: CISA releases alert on BadAlloc vulnerability in BlackBerry products

ZDNet: Patch released for Fortinet command injection vulnerability

Health IT Security: CISA Says BlackBerry Vulnerability to Impact Medical Device Security


2021-08-18

Fortinet FortiWeb Web App Firewall Vulnerability

A command injection flaw in the FortiWeb web application firewall could be exploited to gain elevated privileges and take control of vulnerable devices. The vulnerability was detected and disclosed by cybersecurity firm Rapid7. The flaw affects the FortiWeb management interface versions 6.3.11 and older. Fortinet plans to release FortiWeb version 6.4.2 before the end of August.
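Command injection in a management interface means an admin-supplied value reaches a shell as part of a command line. The following is an added example written for this page, not FortiWeb code and not Rapid7's finding; it contrasts a hypothetical diagnostic helper that splices the value into a shell string with one that allowlists the value and passes it as a single argv element so no shell parses it. All function names and the two sample inputs are constructed for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical management-interface helper (not FortiWeb code) that runs a
 * network diagnostic for a host name supplied through the admin UI. The two
 * builders below contrast the injectable pattern with an allowlisted one. */

/* Vulnerable pattern: the untrusted value is spliced into a command line
 * intended for system()/popen(). Shell metacharacters in `host` become part
 * of the command. The string is only built here, never executed. */
int build_shell_command_unsafe(const char *host, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "ping -c 1 %s", host);
    return n >= 0 && (size_t)n < buflen;
}

/* Allowlist check: only the characters a host name can contain, a bounded
 * length, and no leading '-' or '.' so the value cannot be read as an option. */
int is_valid_hostname(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 253 || s[0] == '-' || s[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '-' && c != '.') return 0;
    }
    return 1;
}

/* Hardened pattern: validate, then place the value in an execvp()-style
 * argv as one argument so no shell ever interprets it. Returns the number
 * of argv entries on success, 0 if the host name is rejected. */
int build_argv_safe(const char *host, const char *argv[5])
{
    if (!is_valid_hostname(host)) return 0;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;
    return 4;
}

/* Returns 1 if a built command line contains shell metacharacters, i.e. the
 * unsafe builder would have forwarded an injection to the shell. */
int contains_shell_metachar(const char *cmd)
{
    return strpbrk(cmd, ";|&$`\n<>(){}") != NULL;
}

int main(void)
{
    /* Constructed inputs: one benign host name, one carrying a metacharacter. */
    const char *inputs[] = { "gateway.example.net", "host; echo injected" };

    for (size_t i = 0; i < 2; i++) {
        char cmd[256];
        const char *argv[5];
        build_shell_command_unsafe(inputs[i], cmd, sizeof cmd);
        printf("input \"%s\"\n  unsafe line: %s\n  metacharacters: %d\n  accepted by allowlist: %d\n",
               inputs[i], cmd, contains_shell_metachar(cmd),
               build_argv_safe(inputs[i], argv) != 0);
    }
    return 0;
}
```

Restricting who can reach the interface, as the editor's note below recommends, is the compensating control while the patch is pending; the allowlist plus argv approach is what removes the bug class from the code itself.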

Editor's Note

A patch will hopefully be released soon. But the vulnerable web based admin interface should not be exposed anyway, limiting exploitability.

Johannes Ullrich

2021-08-18

T-Mobile Discloses More Information About Data Breach

T-Mobile has released additional details about a data breach that compromised customer information. The incident affected more than 48 million people. The compromised data include names, dates of birth, Social Security numbers, and driver’s license numbers. The names, phone numbers, and PINs of an additional 850,000 customers were also compromised. T-Mobile has reset PINs on compromised accounts.

Editor's Note

T-Mobile, like other carriers, requires a full credit check across all three credit agencies for any new postpaid account. In supporting these credit checks, carriers are building large targets that are impossible to protect. The cost of this leak will be minimal to T-Mobile and is unlikely to change any behavior. As a consumer: Freeze your credit file, make it painful for companies like T-Mobile to make you a customer and maybe eventually they will realize that some fraud is less costly than storing excessive amounts of information that they do not know how to protect.

Johannes Ullrich

Of the 48M people impacted, almost 40M weren’t even current T-Mobile customers but the data was still stored and left unprotected. The GDPR regulations require data minimization be followed in data collection, defined as “limited to what is necessary in relation to the purposes for which they are processed” but unfortunately the mish-mash of outdated national privacy and fraud regulations in the US does not. The compromise of PIN numbers meant those 850,000 customers were vulnerable to SIM-swapping attacks.

John Pescatore

Retention of data, particularly for past customers, is tricky with privacy laws. The mantra needs to be: keep data for the minimum possible time. Make sure that you have clear retention policies and that they are followed, then update those processes and policies to incorporate relevant privacy laws. If you are archiving old data, monitor access to that archive carefully.

Lee Neely

It appears that this breach could be similar to the OPM breach of 2015. In that breach, one of the biggest issues was that OPM had thousands if not millions of records online that were no longer needed. It appears the same could be true for the T-Mobile breach, with data on almost 40 million people who are no longer T-Mobile customers, or never even were. The first rule of data security is that the best way to secure data is not to collect / store the data.

Lance Spitzner

The Rest of the Week's News


2021-08-17

Kalay P2P SDK Vulnerability

Researchers from Mandiant and the US Cybersecurity and Infrastructure Security Agency (CISA) have disclosed an improper access control vulnerability in ThroughTek’s Kalay P2P Software Development Kit (SDK), which is used in tens of millions of devices. The flaw affects Kalay P2P SDK versions 3.1.5 and earlier. To address the issue, users will need to enable two optional features: the encrypted communication protocol DTLS and the API authentication mechanism AuthKey.

Editor's Note

If there is a theme this week, it is SDK vulnerabilities. Kalay, ThroughTek and in some ways BlackBerry QNX fall into this category. The product itself may only be vulnerable if specific features in the SDK are used by third party software, making it difficult to identify vulnerable devices. The Kalay vulnerability is probably the easiest one to identify as it is linked to the use of the specific P2P protocol.

Johannes Ullrich

This is a “supply chain” issue in which the end user is unlikely to know that he is using affected products.

William Hugh Murray

2021-08-19

Google Project Zero Discloses Windows Privilege Elevation Vulnerability

Google Project Zero disclosed a privilege elevation flaw in Windows just six weeks after notifying Microsoft of the issue. Project Zero normally waits 90 days before disclosing a vulnerability, but on July 18, Microsoft had indicated that it did not intend to issue a patch for the flaw. When a vendor says they do not plan to patch the vulnerability, Project Zero designates it as “WontFix” and treats it as a non-security bug. However, on Wednesday, August 18, Microsoft said it would release a fix.

Editor's Note

So far, no information from Microsoft on why they originally decided this was not a security flaw, even though in July they did issue a patch for a very similar vulnerability in Windows, or why a month later they changed their mind. When a vendor declares they will not patch a proven exploitable flaw, disclosure has to happen in order for vulnerable users to take mitigation steps and for security vendors to add capabilities to detect and block attempts to exploit.

John Pescatore

2021-08-19

Cisco Has No Plans to Patch Critical Flaw in Older SMB Routers

Cisco says it will not release a fix for a vulnerability in the Universal Plug-and-Play (UPnP) service that could be exploited to execute arbitrary code or create denial-of-service conditions. The affected products have reached end-of-life and users are being encouraged to migrate to newer routers. There are no workarounds, but users can disable UPnP on affected devices.

Editor's Note

These routers are no longer supported, and have not been supported by Cisco for a while. You may still mitigate the vulnerability by disabling UPnP. UPnP should be disabled anyway. But in general: Track the EoL status of any equipment in your network. Not all vendors will even announce vulnerabilities once a device is no longer supported. When purchasing equipment: Note the EoL date and do not purchase equipment if a vendor is not willing to commit to a minimum support time frame.

Johannes Ullrich

Lifecycle replacements, particularly for something which “isn’t broken”, are a hard sell, particularly for SMB where margins are already tight. While we can argue the breach is more expensive than the fix, working with management to include these with other capital improvements in the long term budget lessens the blow. Prioritize replacements based on accessibility. Short term, there is no fix; if you have one of these devices (RV110W, RV130, RV130W or RV215W) replace it with a current model now.

Lee Neely

I’d be willing to bet that Cisco isn’t pushing a fix since these orgs simply do not demand it. Small and Medium Businesses often don’t have dedicated IT staff, let alone security staff to identify issues like this. If the router works and the business believes they are “too small to target” (or they don’t know they are vulnerable), there’s no push to fix. SMB is in a tough spot as usual.

Tim Medin

2021-08-19

Commerce OIG: Census Bureau Mishandled Cybersecurity Incident

An audit report from the US Department of Commerce Office of Inspector General examined the US Census Bureau’s response to a January 2020 cybersecurity incident. The report found that “the Bureau missed opportunities to mitigate a critical vulnerability, which resulted in the exploitation of vital servers.” In addition, the Bureau was operating unsupported servers; failed to maintain adequate logs, hindering the investigation; and failed to “discover and report the incident in a timely manner.”

Editor's Note

Lots to unpack here. Patching, lifecycle management, monitoring, and incident reporting are all key cybersecurity activities. With EO14028 pushing for Zero Trust, as well as increased incident response and communication, these basic activities have to be addressed, and not all agencies are prepared. Begin with a discovery activity to make sure you know all your assets and what they do, then move to patching. While you’re touching things, make sure they are sending logs to a centralized repository, and have your SOC monitor and create alerts. DHS/CISA have resources you can leverage to help with this as well as reporting.

Lee Neely

As is usually the case, there are cautions for us all in these public audit reports.

William Hugh Murray

2021-08-17

Protecting Sensitive US Data During Withdrawal from Afghanistan

Some security experts say that the US withdrawal from Afghanistan poses minimal cyber risks. Others are concerned about data shared with Afghanistan’s government, non-governmental organizations (NGOs), and others. The US Department of Defense (DoD) Office of Inspector General has released a management advisory offering guidance for protecting data during the US withdrawal.

Editor's Note

Embassy personnel are actually trained on emergency destruction processes to leave no usable systems or data (digital or paper) behind. With today’s practices, where more and more data is cloud based, when leaving a facility it’s important to make sure that no information is left behind which could be used to access or recover an account to access that data. Sweep your old facility before handing it over to ensure nothing is overlooked.

Lee Neely

Internet Storm Center Tech Corner

When Lightning Strikes: What works and doesn't work

https://isc.sans.edu/forums/diary/When+Lightning+Strikes+What+works+and+doesnt+work/27766/


Laravel Exploit Attempts Targeting Vulnerability in "Ignition"

https://isc.sans.edu/forums/diary/Laravel+v842+exploit+attempts+for+CVE20213129+debug+mode+Remote+code+execution/27758/


5 Things to Consider Before Moving Back to the Office

https://isc.sans.edu/forums/diary/5+Things+to+Consider+Before+Moving+Back+to+the+Office/27762/


SANS.edu Student: Mark Morowcynzski; Decreasing Attacker Dwell Time in Azure Active Directory

https://www.sans.org/white-papers/40390/


Cisco Small Business Router Vulnerabilities

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-sb-rv-overflow-htpymMB5


BlackBerry QNX Products Vulnerability

https://support.blackberry.com/kb/articleDetail?articleNumber=000082334


Adobe Patches

https://helpx.adobe.com/security.html


Several Web Sites Infected with Chinese Spyware

https://imp0rtp3.wordpress.com/2021/08/12/tetris/


Trickbot Tricks Users with 1Password

https://www.ehackingnews.com/2021/08/trickbot-employs-bogus-1password.html


ThroughTek "Kalay" Protocol Vulnerability

https://www.fireeye.com/blog/threat-research/2021/08/mandiant-discloses-critical-vulnerability-affecting-iot-devices.html


Fortinet FortiWeb Vulnerability

https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/