BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws

bind-updates-patch-high-severity,-remotely-exploitable-dos-flaws

The Internet Systems Consortium (ISC) this week announced patches for multiple high-severity denial-of-service (DoS) vulnerabilities in the DNS software suite BIND.

The addressed issues could be exploited remotely to cause named – the BIND daemon that acts both as an authoritative name server and as a recursive resolver – to crash, or could lead to the exhaustion of the available memory.

The first of the security defects, tracked as CVE-2022-3094, can be exploited by sending a flood of dynamic DNS updates, which would cause named to allocate large amounts of memory, resulting in a crash due to a lack of free memory.

According to ISC, because allocated memory is only retained for clients for which access credentials are accepted, the scope of the vulnerability is limited to trusted clients that are allowed to make dynamic zone changes.

For BIND 9.11 and earlier branches, the flaw can be exploited to exhaust internal resources, which results in performance issues, but not a crash.

Tracked as CVE-2022-3736, the second issue leads to a crash “when stale cache and stale answers are enabled, option stale-answer-client-timeout is set to a positive integer, and the resolver receives an RRSIG query,” ISC explains. A remote attacker can trigger the bug by sending crafted queries to the resolver.

The third vulnerability, CVE-2022-3924, impacts the implementation of the stale-answer-client-timeout option, when the resolver receives too many queries that require recursion. If the number of clients waiting for recursion to complete is high enough, a race may occur between providing a stale answer to the longest waiting client and sending an early timeout SERVFAIL, causing named to crash.

All three vulnerabilities were resolved with the release of BIND versions 9.16.37, 9.18.11, and 9.19.9. ISC says it is not aware of any of these vulnerabilities being exploited, but encourages all users to update their BIND installations as soon as possible.

ISC also warns of CVE-2022-3488, a bug impacting all supported BIND preview edition versions (a special feature preview branch provided to eligible customers).

The issue can be triggered by sending two responses in quick succession from the same nameserver, both ECS pseudo-options, but with the first response broken, causing the resolver to reject the query response. When processing the second response, named crashes.

BIND preview edition version 9.16.37-S1 resolves all four security defects. Additional information on the addressed vulnerabilities can be found in the BIND 9 security vulnerability matrix.

Related: BIND Updates Patch High-Severity Vulnerabilities

Related: High-Severity Vulnerabilities Patched in BIND Server

Related: High-Severity DoS Vulnerability Patched in BIND DNS Software

The post BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws appeared first on SecurityWeek.

Arm Vulnerability Leads to Code Execution, Root on Pixel 6 Phones

arm-vulnerability-leads-to-code-execution,-root-on-pixel-6-phones

A security researcher has published technical details on an Arm Mali GPU vulnerability leading to arbitrary kernel code execution and root on Pixel 6 phones using a malicious app installed on the targeted device.

Tracked as CVE-2022-38181 (CVSS score of 8.8), the issue is described as a use-after-free bug that impacts Arm Mali GPU driver versions prior to r40p0 (released on October 7, 2022).

The issue, GitHub Security Lab researcher Man Yue Mo explains, is related to a special function for sending ‘job chains’ to the GPU, but which also supports jobs implemented in the kernel, which run on the CPU instead (and which are called software jobs or softjobs).

“Due to the complexity involved in managing memory sharing between user space applications and the GPU, many of the vulnerabilities in the Arm Mali GPU involve the memory management code. The current vulnerability is another example of this, and involves a special type of GPU memory: the JIT memory,” Man Yue Mo notes in a detailed technical description of the vulnerability.

Some of the softjobs instruct the kernel to allocate and free JIT memory, and CVE-2022-38181 is related to these: malicious code can be used to add a JIT memory region to an eviction list, then create memory pressure to trigger a vulnerable eviction function, resulting in the JIT region being freed without freeing the pointer.

What the researcher discovered was that a freed JIT region could be replaced with a fake object, which could be used to potentially free arbitrary pages and then exploit these to gain read and write access to arbitrary memory.

As a final step in exploiting the vulnerability, an attacker would need to “map kernel code to the GPU address space to gain arbitrary kernel code execution, which can then be used to rewrite the credentials of our process to gain root, and to disable SELinux,” the researcher says.

Man Yue Mo reported the vulnerability to the Android security team in July 2022, along with proof-of-concept (PoC) code demonstrating how the issue can be exploited to execute code and gain root access on Pixel 6.

Initially, the Android team marked the flaw ‘high severity’, but it then informed the researcher that no patch will be released and redirected the report to the Arm team.

After Arm’s patch in October 2022, Google included a fix for this vulnerability in the January 2023 security update for Pixel devices, but without mentioning the CVE ID or the original bug IDs, the researcher says.

Related: Over 75 Vulnerabilities Patched in Android With December 2022 Security Updates

Related: Google Migrating Android to Memory-Safe Programming Languages

Related: Vulnerabilities in Popular Keyboard and Mouse Android Apps Expose User Data

The post Arm Vulnerability Leads to Code Execution, Root on Pixel 6 Phones appeared first on SecurityWeek.

Attacks Targeting Realtek SDK Vulnerability Ramping Up

attacks-targeting-realtek-sdk-vulnerability-ramping-up

Palo Alto Networks warns of an increase in cyberattacks targeting CVE-2021-35394, a remote code execution (RCE) vulnerability in the Realtek Jungle SDK.

Disclosed in August 2021, the vulnerability impacts hundreds of device types that rely on Realtek’s RTL8xxx chips, including routers, residential gateways, IP cameras, and Wi-Fi repeaters from 66 different manufacturers, including Asus, Belkin, D-Link, Huawei, LG, Logitech, Netgear, ZTE and Zyxel.

The bug allows unauthenticated attackers to execute code on vulnerable devices, gaining complete control over them.

The first in-the-wild attacks targeting CVE-2021-35394 were observed days after details of the bug were made public, with an estimated one million devices exposed to attacks at the time.

In a new report, Palo Alto Networks warns of an increase in attacks attempting to exploit the security defect.

“As of December 2022, we’ve observed 134 million exploit attempts in total leveraging this vulnerability, and about 97% of these attacks occurred after the start of August 2022. At the time of writing, the attack is still ongoing,” Palo Alto Networks says.

The end goal of many of the observed attacks was malware distribution, as threat groups are targeting the flaw in large-scale attacks aimed at Internet of Things (IoT) devices, which underscores the need for organizations to ensure that these devices are properly protected.

A Shodan search performed by Palo Alto Networks security researchers has revealed the existence of more than 80 different IoT device models from 14 unique vendors that have port 9034 open.

Looking at mid-to-large sized deployments, the researchers discovered that D-Link devices are the most popular devices (31 models), followed by LG (8) and Belkin and Zyxel (6 each).

According to Palo Alto Networks, while the impacted vendors might have released software updates to resolve the issue or mitigation recommendations for their users, many organizations continue to use vulnerable devices.

To date, the researchers observed three types of attacks: a script is used to fetch malware from a remote location, an injected command directly writes the payload to a file and executes it, or an injected command is used to cause a denial-of-service (DoS) condition.

Most of the observed malicious payloads are Mirai, Gafgyt and Mozi malware variants. A Golang-based distributed denial-of-service (DDoS) botnet called RedGoBot has been distributed as well, starting early September 2022.

An analysis of the observed 134 million exploit attempts shows that 30 regions were the source of attacks, with the US leading the fray at 48.3%, followed by Vietnam with 17.8% and Russia at 14.6%.

“The surge of attacks leveraging CVE-2021-35394 shows that threat actors are very interested in supply chain vulnerabilities, which can be difficult for the average user to identify and remediate. These issues can make it difficult for the affected user to identify the specific downstream products that are being exploited,” Palo Alto Networks concludes.

Related: Most Cacti Installations Unpatched Against Exploited Vulnerability

Related: Remote Code Execution Vulnerabilities Found in TP-Link, NetComm Routers

Related: Chinese Hackers Exploited Fortinet VPN Vulnerability as Zero-Day

The post Attacks Targeting Realtek SDK Vulnerability Ramping Up appeared first on SecurityWeek.

Samsung Galaxy Store Flaws Can Lead to Unwanted App Installations, Code Execution

samsung-galaxy-store-flaws-can-lead-to-unwanted-app-installations,-code-execution

Cybersecurity firm NCC Group has shared details on two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

An alternative app marketplace, the Galaxy Store comes pre-installed on Samsung’s Android devices and can be used alongside Google Play to download and install software.

Tracked as CVE-2023-21433, the first of the vulnerabilities that NCC Group has identified could allow rogue applications on a device to download and install additional software from the Galaxy Store, without the user’s knowledge.

The issue is described as an improper access control flaw, where the app store contained an exported activity that failed to safely handle incoming intents. The bug, NCC explains, only impacted devices running Android 12 and older.

The second vulnerability, CVE-2023-21434, is described as an improper input validation issue that could allow a local attacker to execute JavaScript code by launching a web page.

“It was found that a webview within the Galaxy App Store contained a filter which limited which domains that webview could browse to. However, the filter was not properly configured, which would allow the webview to browse to an attacker-controlled domain,” NCC Group explains.

The vulnerability can be exploited by tapping a malicious URL in Chrome or a pre-installed rogue application, which would bypass existing URL filtering.

The cybersecurity firm has published proof-of-concept (PoC) code for both these vulnerabilities.

The security defects were reported to Samsung in November and December 2022. Both issues were addressed in Galaxy Store version 4.5.49.8.

Owners of Samsung devices running Android 12 or below are advised to update to the latest version of Galaxy Store as soon as possible.

Related: VMware Warns of Exploit for Recent NSX-V Vulnerability

Related: CISA Warns of Attacks Exploiting Recent Atlassian Bitbucket Vulnerability

Related: Owl Labs Patches Severe Vulnerability in Video Conferencing Devices

The post Samsung Galaxy Store Flaws Can Lead to Unwanted App Installations, Code Execution appeared first on SecurityWeek.