This Week in Security: Scamming the FBI, In the Wild, and AI Security

If you are part of a government three-letter agency, particularly if you run an information-sharing program to combat cybercrime, be sure to properly verify the identity of new members before admitting them. Oh, and make sure the API is rate-limited, so a malicious member can't scrape the entire user database and sell it on a dark web forum.

Snark aside, that's exactly what happened to the FBI's InfraGard program. An enterprising user applied to the program using a real CEO's name and phone number, along with a plausible email address. The program administrators did little due diligence and approved the application. Annoying.

PingBSD

To start, the good folks at FreeBSD have released some errata on the ping issue we covered last week. First, note that although ping gains root privileges via setuid, those privileges are dropped before any data is processed. Second, the FreeBSD ping runs inside a Capsicum sandbox, a huge barrier to turning a bug in ping into a compromise of the system. And finally, closer examination of the bug in a real-world context casts doubt on whether Remote Code Execution (RCE) is actually possible, given the stack layout.

If someone is wrong somewhere, see if you were wrong in the same or similar way elsewhere.

Wise advice from [Florian Obser], OpenBSD developer. So, having seen the ping problem in FreeBSD, he set out to check the OpenBSD ping implementation for the same or similar issues. The vulnerable code is not shared between the two BSDs, so he opted for afl++, a fuzzing tool with an impressive list of finds. Point afl++ at the function in ping that handles incoming packets and see what shakes out. The conclusion? No crashes were found in this particular effort, but several deadlocks were identified and fixed. And that's a win.

Citrix in the wild

A vulnerability in Citrix ADC (Application Delivery Controller), a load balancer for complex web applications, is being actively exploited. This prompted the NSA to publish a PDF advisory, laying the attacks at the feet of APT5, thought to be an Iranian actor.

The actual vulnerability is old, apparently quietly patched a few years ago. It was only recently recognized as a serious issue: a vulnerable device configured to perform SAML authentication can be remotely compromised. Patches are now available for several vulnerable versions, and Indicators of Compromise (IoCs) have been released.

SPNEGO NEGOEX

This section header has strong Sneakers vibes, and my eyes keep trying to rearrange those letters into "Too Many Secrets", but it just doesn't fit. "NEGOEX" refers to Extended NEGOtiation. "SPNEGO" is an acronym for "Simple and Protected GSSAPI Negotiation Mechanism". And of course, GSSAPI is the "Generic Security Service Application Program Interface". All of this alphabet soup ultimately boils down to a method for negotiating which authentication protocol to use. The important thing is that, by design, this negotiation runs before any authentication, and it's reachable through a bunch of different services: SMB, RDP, SMTP, and even HTTP can expose SPNEGO negotiation. And of course there was a critical security flaw in Microsoft's implementation.
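To make the "runs before any authentication" point concrete, here is an added example (not code from the column) that decodes the first thing a client sends in a SPNEGO exchange, the NegTokenInit, and lists the mechanisms it offers, flagging NEGOEX. The OIDs are the public ones from RFC 4178 and MS-SPNG; the sample token bytes are constructed by hand for this example.

```python
# Added example, not code from the column: parse a SPNEGO NegTokenInit
# (RFC 4178) and list the GSS-API mechanism OIDs a client offers, unauthenticated.
SPNEGO_OID = "1.3.6.1.5.5.2"
NEGOEX_OID = "1.3.6.1.4.1.311.2.2.30"

def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Base-128 OID body -> dotted string (first octet packs two arcs)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def offered_mechs(token):
    """[APPLICATION 0] { OID spnego, [0] { SEQUENCE { [0] { SEQUENCE OF OID }}}}"""
    tag, body, _ = read_tlv(token)
    oid_tag, oid, pos = read_tlv(body)
    if tag != 0x60 or oid_tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not a SPNEGO initial context token")
    inner = read_tlv(body, pos)[1]          # [0] NegTokenInit
    for expected in (0x30, 0xA0, 0x30):     # SEQUENCE, [0] mechTypes, SEQUENCE OF
        tag, inner, _ = read_tlv(inner)
        if tag != expected:
            raise ValueError("unexpected tag 0x%02x" % tag)
    mechs, pos = [], 0
    while pos < len(inner):
        _, oid, pos = read_tlv(inner, pos)
        mechs.append(decode_oid(oid))
    return mechs

def offers_negoex(token):
    return NEGOEX_OID in offered_mechs(token)

SAMPLE_TOKEN = bytes.fromhex(            # constructed by hand, 53 bytes
    "6033" "06062b0601050502"            # [APPLICATION 0] + SPNEGO OID
    "a029" "3027" "a025" "3023"          # NegTokenInit / SEQUENCE / [0] mechTypes / SEQUENCE OF
    "060a2b06010401823702021e"           # 1.3.6.1.4.1.311.2.2.30 NEGOEX
    "06092a864886f712010202"             # 1.2.840.113554.1.2.2 Kerberos V5
    "060a2b06010401823702020a")          # 1.3.6.1.4.1.311.2.2.10 NTLMSSP
```

Everything this parser sees arrives before any credential is checked, which is why a bug in the code that handles it is reachable from any service fronting SPNEGO.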

The vulnerability, CVE-2022-37958, was patched in September and classified as high severity. Just a few days ago, [Valentina Palmiotti] demonstrated that the vulnerability could be used for remote code execution, and its rating was raised to critical. Full details will be released in 2023, giving everyone plenty of time to get this one patched. From what has been released so far, this one is going to be big. The race is now on to see whether any malicious groups work out the details before then.

Demonstration of CVE-2022-37958 RCE vuln. Accessible through any Windows application protocol that authenticates. Yes, that means RDP, SMB, and many more. Thanks for patching this one, it's serious!
