The Hacker News — Cyber Security, Hacking, Technology News

Chinese security researchers have discovered more than a dozen vulnerabilities in the onboard compute units of BMW cars, some of which can be exploited remotely to compromise a vehicle.

The security flaws have been discovered during a year-long security audit conducted by researchers from Keen Security Lab, a cybersecurity research unit of Chinese firm Tencent, between January 2017 and February 2018.

In March 2018, the team responsibly disclosed 14 different vulnerabilities directly to the BMW Group, which affects its vehicles since at least 2012.

These are the same group of researchers who have previously found multiple vulnerabilities in various in-car modules used by Tesla, that could have been exploited to achieve remote controls on a target car.

Now that BMW started rolling out patches for the vulnerabilities to car owners, the researchers have gone public with a 26-page technical report [PDF] describing their findings, though they avoided publishing some important technical details to prevent abuse.

The researchers said a full copy of their research is expected to appear sometime in early 2019, by which the BMW group entirely mitigates against the vulnerabilities.

The team of Chinese infosec researchers focused on three critical vehicular components—Infotainment System (or Head Unit), Telematics Control Unit (TCU or T-Box), and Central Gateway Module in several BMW models.
Here's the list of flaws uncovered by the researchers:

• 8 flaws impact the internet-connected Infotainment System that plays music and media
• 4 flaws affect the Telematics Control Unit (TCU) that provides telephony services, accident assistance services, and ability to lock/unlock the car doors remotely.
• 2 flaws affect the Central Gateway Module that has been designed to receive diagnostic messages from the TCU and the infotainment unit and then transfer them to other Electronic Control Units (ECUs) on different CAN buses.

Exploiting these vulnerabilities could allow attackers to send arbitrary diagnostic messages to the target vehicle's engine control unit (ECU), which control electrical functions of the car, and to the CAN bus, which is the spinal cord of the vehicle.

This would eventually allow miscreants to take complete control over the operation of the affected vehicle to some extent.
Four flaws require a physical USB access or access to the ODB (On-board diagnostics) port, which means attackers need to be inside your vehicle to exploit them by plugging a malware-laden gadget into the USB port.

Another four vulnerabilities require physical or "indirect" physical access to the car.

However, six vulnerabilities can be exploited remotely to compromise vehicle functions, including one conducted over a short range via Bluetooth or over long range via cellular networks, even when the vehicle is being driven.

The team confirmed that the vulnerabilities existed in Head Unit would affect several BMW models, including BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, BMW 7 Series.

However, researchers said the vulnerabilities uncovered in Telematics Control Unit (TCB) would affect "BMW models which equipped with this module produced from the year 2012."

BMW has confirmed the findings and already started rolling out over-the-air updates to fix some bugs in the TCU, but other flaws will need patches through the dealers, which is why the researchers have scheduled their full technical report to March 2019.

BMW also rewarded Keen Security Lab researchers with the first winner of the BMW Group Digitalization and IT Research Award, describing their research "by far the most comprehensive and complex testing ever conducted on BMW Group vehicles by a third party."

For the second time in less than a week, users of the popular end-to-end encrypted Signal messaging app have to update their desktop applications once again to patch another severe code injection vulnerability.

Discovered Monday by the same team of security researchers, the newly discovered vulnerability poses the same threat as the previous one, allowing remote attackers to inject malicious code on the recipients' Signal desktop app just by sending them a message—without requiring any user interaction.

To understand more about the first code injection vulnerability (CVE-2018-10994), you can read our previous article covering how researchers find the Signal flaw and how it works.

The only difference between the two is that the previous flaw resides in the function that handles links shared in the chat, whereas the new vulnerability (CVE-2018-11101) exists in a different function that handles the validation of quoted messages, i.e., quoting a previous message in a reply.
In other words, to exploit the newly patched bug on vulnerable versions of Signal desktop app, all an attacker needs to do is send a malicious HTML/javascript code as a message to the victim, and then quote/reply to that same message with any random text.

If the victim receives this quoted message containing the malicious payload on its vulnerable Signal desktop app, it will automatically execute the payload, without requiring any user interaction.

Exploiting Signal Code Injection to Steal Plaintext Chats

Until now the proof-of-concept payloads used to demonstrate code injection vulnerabilities in Signal were limited to embedding an HTML iFrame, or image/video/audio tags onto the victim's desktop app.

However, researchers have now managed to craft a new PoC exploit that could allow remote attackers to successfully steal all Signal conversations of the victims in the plaintext just by sending them a message.

This hack literally defeats the purpose of an end-to-end encrypted messaging app, allowing remote attackers to easily get the hold on users' plain-text conversations without breaking the encryption.

Attackers Could Possibly Steal Windows Password As Well

What's worse?

In their blog post, the researchers also indicated that an attacker could even include files from a remote SMB share using an HTML iFrame, which can be abused to steal NTLMv2 hashed password for Windows users.

"In the Windows operative system, the CSP fails to prevent remote inclusion of resources via the SMB protocol. In this case, remote execution of JavaScript can be achieved by referencing the script in an SMB share as the source of an iframe tag, for example: <iframe src=\\DESKTOP-XXXXX\Temp\test.html> and then replying to it," the researchers explain.

Though they haven't claimed anything about this form of attack, I speculate that if an attacker can exploit code injection to force Windows OS to initiate an automatic authentication with the attacker-controlled SMB server using single sign-on, it would eventually hand over victim's username, and NTLMv2 hashed password to the attackers, potentially allowing them to gain access to the victim's system.

We have seen how the same attack technique was recently exploited using a vulnerability in Microsoft Outlook, disclosed last month.

I can not verify this claim at this moment, but we are in contact with few security researchers to confirm this.

Researchers—Iván Ariel Barrera Oro, Alfredo Ortega, Juliano Rizzo, and Matt Bryant—responsibly reported the vulnerability to Signal, and its developers have patched the vulnerability with the release of Signal desktop version 1.11.0 for Windows, macOS, and Linux users.

However, The Hacker News has learned that Signal developers had already identified this issue as part of a comprehensive fix to the first vulnerability before the researchers found it and reported them.

Signal app has an auto-update mechanism, so most users must have the update already installed. You can read this guide to ensure if you are running updated version of Signal.

And if you don’t, you should immediately update your Signal for desktop as soon as possible, since now the vulnerability poses a severe risk of getting your secret conversations exposed in plaintext to attackers and further severe consequences.

A Google security researcher has discovered a critical remote command injection vulnerability in the DHCP client implementation of Red Hat Linux and its derivatives like Fedora operating system.

The vulnerability, tracked as CVE-2018-1111, could allow attackers to execute arbitrary commands with root privileges on targeted systems.

Whenever your system joins a network, it’s the DHCP client application which allows your system to automatically receive network configuration parameters, such as an IP address and DNS servers, from the DHCP (Dynamic Host Control Protocol) server.

The vulnerability resides in the NetworkManager integration script included in the DHCP client packages which is configured to obtain network configuration using the DHCP protocol.

Felix Wilhelm from the Google security team found that attackers with a malicious DHCP server, or connected to the same network as the victim, can exploit this flaw by spoofing DHCP responses, eventually allowing them to run arbitrary commands with root privileges on the victim's system running vulnerable DHCP client.

Although full details of the vulnerability have not been released, Wilhelm claims his PoC exploit code is so short in length that it even can fit in a tweet.

Meanwhile, Barkın Kılıç, a security researcher from Turkey, has released a tweetable proof-of-concept exploit code for the Red Hat Linux DHCP client vulnerability on Twitter.
In its security advisory, Red Hat has confirmed that the vulnerability impacts Red Hat Enterprise Linux 6 and 7, and that all of its customers running affection versions of the dhclient package should update their packages to the newer versions as soon as they are available.

"Users have the option to remove or disable the vulnerable script, but this will prevent certain configuration parameters provided by the DHCP server from being configured on a local system, such as addresses of the local NTP or NIS servers," Red Hat warns.

Fedora has also released new versions of DHCP packages containing fixes for Fedora 26, 27, and 28.

Other popular Linux distributions like OpenSUSE and Ubuntu do not appear to be impacted by the vulnerability, as their DHCP client implementation doesn't have NetworkManager integration script by default.

Adobe has just released new versions of its Acrobat DC, Reader and Photoshop CC for Windows and macOS users that patch 48 vulnerabilities in its software.

A total of 47 vulnerabilities affect Adobe Acrobat and Reader applications, and one critical remote code execution flaw has been patched in Adobe Photoshop CC.

Out of 47, Adobe Acrobat and Reader affect with 24 critical vulnerabilities—categorized as Double Free, Heap Overflow, Use-after-free, Out-of-bounds write, Type Confusion, and Untrusted pointer dereference—which if exploited, could allow arbitrary code execution in the context of the targeted user.

Rest of the 23 flaws, including Security Bypass, Out-of-bounds read, Memory Corruption, NTLM SSO hash theft, and HTTP POST newline injection via XFA submission, are marked as important and can lead to information disclosure or security bypass.
The above-listed vulnerabilities impact the Windows and macOS versions of Acrobat DC (Consumer and Classic 2015), Acrobat Reader DC (Consumer and Classic 2015), Acrobat 2017, and Acrobat Reader 2017.

The latest Adobe Acrobat and Reader patches have been given a priority rating of "1," which means the flaws are either being exploited in the wild or more likely to be exploited in the wild. So, users are highly recommended to update their software as soon as possible.

The flaws have been addressed in Acrobat DC and Acrobat Reader DC version 2018.011.20040, Acrobat 2017 and Acrobat Reader DC 2017 version 2017.011.30080, as well as Acrobat Reader DC (Classic 2015) and Acrobat DC (Classic 2015) version 2015.006.30418.

Security Patch for Adobe Photoshop CC

Adobe has also released security patches for the Windows and macOS versions of Photoshop CC to address a critical vulnerability, categorized as "out-of-bounds write" issue, which can be exploited to execute arbitrary code in the context of the current user.

The vulnerability (CVE-2018-4946) impacts Photoshop CC 2018 version 19.1.3 and earlier 19.x versions, as well as Photoshop CC 2017 version 18.1.3 and earlier 18.x versions.

The company credited researcher Giwan Go of Trend Micro's Zero Day Initiative for reporting the flaw, which has been addressed with the release of Photoshop CC 2018 version 19.1.4 and Photoshop CC 2017 version 18.1.4.

This update has been given a priority rating of "3," which means the attackers have not targeted the vulnerability.

Adobe recommends end users and administrators to install the latest security updates as soon as possible.

A critical remote code execution vulnerability has been discovered in the popular Electron web application framework that could allow attackers to execute malicious code on victims' computers.

Electron is an open source app development framework that powers thousands of widely-used desktop applications including WhatsApp, Skype, Signal, Wordpress, Slack, GitHub Desktop, Atom, Visual Studio Code, and Discord.

Besides its own modules, Electron framework also allows developers to create hybrid desktop applications by integrating Chromium and Node.js framework through APIs.

Since Node.js is a robust framework for server-side applications, having access to its APIs indirectly gives Electron-based apps more control over the operating system installed on the server.

To prevent unauthorised or unnecessary access to Node.js APIs, Electron framework by default sets the value of "webviewTag" to false in its "webPreferences" configuration file, which then sets "nodeIngration" to false.

This configuration file with the hardcoded values of some parameters was introduced in the framework to prevent real-time modifications by malicious functions, i.e., by exploiting a security vulnerability like cross-site scripting (XSS).

Moreover, if an app developer skips or forgets to declare "webviewTag: false" in the configuration file, even then the framework by default considers the value of "nodeIntegration" as false, to take a preventive measure.
However, Trustwave researcher Brendan Scarvell has released proof-of-concept (PoC) code that attackers can inject into targeted applications running without "webviewTag" declared, by exploiting a cross-site scripting flaw, to achieve remote code execution.

The exploit re-enables "nodeIntegration" in runtime, allowing attackers to gain unauthorised control over the application server and execute arbitrary system commands.

It should be noted that the exploit would not work if the developer has also opted for one of the following options:

• nativeWindowOption option enabled in its webPreferences.
• Intercepting new-window events and overriding event.newGuest without using the supplied options tag.

The vulnerability, tracked as CVE-2018-1000136, was reported to the Electron team by Scarvell earlier this year and affected all versions of Electron at the time of discovery.

Electron developers patched the vulnerability in March 2018 with the release of versions 1.7.13, 1.8.4, and 2.0.0-beta.4.

So, app developers should ensure their applications are patched, or at least not vulnerable to this issue.

For more technical details on the Electron vulnerability and PoC exploit code, you can head on to the Trustwave's blog post.

It should also be noted that the Electron bug has nothing to do with the recently discovered flaw in Signal app, which has also recently patched a critical cross-site scripting vulnerability that leads to remote code execution, whose full technical details are scheduled to be published exclusively on The Hacker News this evening. Stay Tuned!