❌

Normal view

There are new articles available, click to refresh the page.
Yesterday β€” 31 May 2024Main stream

Multiple Vulnerabilities Reported in LenelS2 NetBox Entry Tracking and Event Monitoring Tool

βœ‡Cybersecurity News and Magazine
By: Alan J
31 May 2024 at 14:59

LenelS2 NetBox Carrier Multiple Vulnerabilities

Carrier has issued a serious product security advisory confirming the existence of several vulnerabilities in its LenelS2 NetBox access control and event monitoring platform. These vulnerabilities expose the monitoring system to potential compromise, such as remote code execution. The reported vulnerabilities are significant, as NetBox is often used to guard entries at critical facilities such as government-controlled sites and major corporations.

Multiple Vulnerabilities in Carrier's LenelS2 NetBox

Three vulnerabilities were identified in Carrier's product security advisory for NetBox. The most critical (CVE-2024-2420) of these vulnerabilities could potentially enable an attacker to circumvent authentication requirements and obtain elevated permissions, presenting a serious risk to enterprises which deploy the tool. [caption id="attachment_73894" align="alignnone" width="1478"]Carrier LenelS2 NetBox Multiple Vulnerabilities Source: Carrier Product Security Advisory[/caption] Successful compromise could allow an attacker to install programs, view, edit, modify data, delete data from the platform or create new user accounts with full privileges. However, this depends on the access level of accounts that had been compromised in the event of an attack. The impact of a potential attack could be lower on systems configured with low level of user access. The vulnerabilities affect all LenelS2 NetBox versions prior to 5.6.2. The identified vulnerabilities are as follows:
  • CVE-2024-2420 (CVSS v3.1 Base Score 9.8, Critical): A vulnerability involving a hard-coded password in the system that could permit an attacker to bypass authentication requirements.
  • CVE-2024-2421 (CVSS v3.1 Base Score 9.1, Critical): An unauthenticated remote code execution vulnerability that could permit an attacker with elevated permissions to run malicious commands
  • CVE-2024-2422 (CVSS v3.1 Base Score 8.8, High): An authenticated remote code execution vulnerability that could permit an attacker to execute malicious commands.
The Center of Internet Security stated that these vulnerabilities pose higher risks to large and medium government or business entities, while posing lower risks to small businesses and individual home owners. [caption id="attachment_73896" align="alignnone" width="1128"]LenelS2 NetBox Multiple Vulnerabilities Carrier Source: cisecurity.org[/caption]

Vulnerability Remediation

Carrier has attempted to address these vulnerabilities in its latest release of NetBox version 5.6.2. Carrier has advised customers to immediately upgrade to the latest release version by reaching out to their authorized NetBox installer. As mitigation, Carrier also advised customers to follow the recommended deployment guidelines, which are detailed in its NetBox hardening guide accessible through NetBox's built-in help menu. The Center of Internet Security has advised customers to take additional measures such as applying appropriate updates to NetBox systems, applying the principle of least privilege to user accounts, rigorous scanning of vulnerabilities and isolating critical systems, functions, or resources. The lack of basic security safeguards along with poor code practices such as the presence of hard-coded authentication tokens and improper input sanitization raises concerns about the usage of NetBox to guard physical access to important business and government areas or critical infrastructure. While there are no confirmed reports of the NetBox vulnerabilities being exploited in the wild, the severity of these vulnerabilities mark them as an important security consideration as countless organizations could be at risk of devastating attacks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Before yesterdayMain stream

Chinese Threat Actors Employ Operational Relay Box (ORB) Networks to Evade IOCs

βœ‡Cybersecurity News and Magazine
By: Alan J
23 May 2024 at 09:15

ORB Networks China

Cybersecurity defenders have widely relied on blocking attacker IP addresses through identified IOCs in response to threat actor campaigns. However, Chinese threat actors are rapidly rendering this usual strategy obsolete through the widespread adoption of ORB Networks. ORBs are complex, multi-layered networks, typically managed by private companies or entities within the Chinese government. They offer access to a constantly shifting pool of IP addresses, allowing multiple threat actors to mask their activities behind seemingly innocuous traffic.

Use of ORB Networks by Threat Actors Present Additional Challenges to Defenders

Researchers from Mandiant stated that the sheer size and scope of these networks, often hundreds of thousands of nodes deep, provide a great deal of cover and make it difficult for defenders to attribute and learn more about attackers. Additionally, the geographic spread of ORBs allows hackers in China to circumvent geographic restrictions or appear less suspicious by connecting to targets from within their own region. Most importantly, ORB nodes are short-lived, with new devices typically cycled in and out every month or few months, making it difficult for defenders to tie IPs to their users for any good amounts of time. These operational relay box networks (ORBs) are maintained by private companies or elements within the Chinese government and are made up of five layers: Chinese servers, virtual private servers (VPS), traversal nodes, exit nodes, and victim servers. ORBs can be classified into two groups: provisioned, which use commercially rented VPS's, and nonprovisioned, built on compromised and end-of-life routers and Internet of Things (IoT) devices. These networks are akin to botnets and ORB network administrators can easily grow the size of their network with little effort and create a constantly evolving mesh network that can be used to conceal espionage operations. The researchers cited two prominent examples to illustrate the sophistication of these networks:
  • ORB3/SPACEHOP: A provisioned network linked to APT5 and APT15, targeting entities in North America, Europe, and the Middle East. Known for exploiting vulnerabilities like CVE-2022-27518.
  • ORB2/FLORAHOX: A hybrid network employing compromised Cisco, ASUS, and DrayTek routers, alongside TOR network relays and VPS servers. Linked to APT31 and Zirconium, demonstrating a multi-layered approach to traffic obfuscation.

Adapting to the Threat of ORB Networks

Researchers have advised that instead of simply blocking adversary infrastructure, defenders must now consider temporality, multiplicity of adversaries, and ephemerality. They recommend approaching these ORB networks as distinct entities with distinct tactics, techniques, and procedures (TTPs) rather than the use of inert indicators of compromise. By analyzing their evolving characteristics - including infrastructure patterns, behaviors, and TTPs - defenders can gain valuable insights into the adversary's tactics and develop more effective defenses. While leveraging proxy networks for attack obfuscation isn't new, the rise of the ORB network industry in China points to long-term investments in equipping cyber operators with more sophisticated tactics and tools. The evolution of these ORBs networks also highlight that a static defense may be a losing defense. To counter this growing threat and level the playing field, enterprises must embrace a mindset of continuous adaptation, while investing in advanced threat intelligence, behavioral analysis tools, and skilled personnel. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Here’s what’s really going on inside an LLM’s neural network

βœ‡Ars Technica
By: Kyle Orland
22 May 2024 at 14:31
Here’s what’s really going on inside an LLM’s neural network

Enlarge (credit: Aurich Lawson | Getty Images)

With most computer programsβ€”even complex onesβ€”you can meticulously trace through the code and memory usage to figure out why that program generates any specific behavior or output. That's generally not true in the field of generative AI, where the non-interpretable neural networks underlying these models make it hard for even experts to figure out precisely why they often confabulate information, for instance.

Now, new research from Anthropic offers a new window into what's going on inside the Claude LLM's "black box." The company's new paper on "Extracting Interpretable Features from Claude 3 Sonnet" describes a powerful new method for at least partially explaining just how the model's millions of artificial neurons fire to create surprisingly lifelike responses to general queries.

Opening the hood

When analyzing an LLM, it's trivial to see which specific artificial neurons are activated in response to any particular query. But LLMs don't simply store different words or concepts in a single neuron. Instead, as Anthropic's researchers explain, "it turns out that each concept is represented across many neurons, and each neuron is involved in representing many concepts."

Read 12 remaining paragraphs | Comments

Patch now! VMWare escape flaws are so serious even end-of-life software gets a fix

βœ‡Malwarebytes Labs
8 March 2024 at 09:16

VMWare has issued secuity fixes for its VMware ESXi, Workstation, Fusion, and Cloud Foundation products. It has even taken the unusual step of issuing updates for versions of the affected software that have reached thier end-of-life, meaning they would normally no longer be supported.

This flaws affect customers who have deployed VMware Workstation, VMware Fusion, and/or VMware ESXi by itself or as part of VMware vSphere or VMware Cloud Foundation.

A virtual machine (VM) isΒ a computer program that emulates a physical computer. A physical β€œhost” computer can run multiple separate β€œguest” VMs that are isolated from each other, and from the host. The physical resources of the host are allocated to the VMs by a software layer called the hypervisor, which acts an intermediary between the host and the VM (the guest system).

VMWare’s decision to offer fixes for end-of-life software is because the vulnerabilities patched in these updates are escape flaws that allow a computer program to breack of the confines of a VM and affect the host operating system. Specifically, an attacker with privileged access, such as root or administrator, on a guest VM can access the hypervisor on the host.

Besides instructions about how to update the affected products, the advisory lists possible workarounds that would block an attacker from exploiting the vulnerabilities. Since three of the vulnerabilities affect the USB controller, applying the workarounds will effectively block the use of virtual or emulated USB devices. For guest operating systems that do not support using a PS/2 mouse and keyboard, such as macOS, this means they will effectively be unable to use a mouse and keyboard.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

CVE-2024-22252 and CVE-2024-22253 are use-after-free vulnerabilities in the XHCI and UHCI USB controllers of VMware ESXi, Workstation, and Fusion. A malicious actor with local administrative privileges on a virtual machine can exploit the issues to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation of either is contained within the VMX sandbox, but on Workstation and Fusion this may lead to code execution on the machine where Workstation or Fusion is installed.

The VMX process is a process that runs in the kernel of the VM and is responsible for handling input/output (I/O) to devices that are not critical to performance. The VMX is also responsible for communicating with user interfaces, snapshot managers, and remote consoles.

Use-after-free vulnerabilities are the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

CVE-2024-22254 is an out-of-bounds write vulnerability in VMWare ESXi. A malicious actor with privileges within the VMX process can trigger an out-of-bounds write leading to an escape of the sandbox.

A sandbox environment is another name for an isolated VM in which potentially unsafe software code can execute without affecting network resources or local applications.

An out-of-bounds write can occur when a program writes outside the bounds of an allocated area of memory, potentially leading to a crash or arbitrary code execution. This can happen when the size of the data being written to memory is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data to be written

CVE-2024-22255 is an information disclosure vulnerability in the UHCI USB controller of VMware ESXi, Workstation, and Fusion. A malicious actor with administrative access to a VM may be able to exploit this issue to leak memory from the VMX process.

We don’t just report on vulnerabilitiesβ€”we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by usingΒ ThreatDown Vulnerability and Patch Management.

❌
❌