More stories

  • SaltStack revises partial patch for command injection, privilege escalation vulnerability

    The Salt Project has issued a secondary fix for a command injection vulnerability after the first attempt to patch the issue partially failed.

    The vulnerability, tracked as CVE-2020-28243, impacts SaltStack Salt before 3002.5. SaltStack Salt is automation and infrastructure software made available to the open source community. “The minion’s restartcheck is vulnerable to command injection via a crafted process name,” the bug’s description reads. “This allows for a local privilege escalation (LPE) by any user able to create files on the minion in a non-blacklisted directory.”

    The vulnerability was discovered by Immersive Labs’ security researcher Matthew Rollings in November 2020. If exploited, the command injection bug could allow attackers to craft process names and elevate their privileges on a local level. Container escapes were also possible, and as long as particular conditions were met, remote users may be able to tamper with process names — although this would be a difficult attack to pull off.

    CVE-2020-28243 was resolved on February 4 as part of a wider security release. At least, in part. According to Rollings, the fix for the LPE security flaw did prevent command injection, but did not go far enough and still allowed argument injections. While not as severe as the original issue, failing to patch this problem could have led to denial-of-service and software crashes.

    The first fix issued by the Salt Project added shlex, a command shell sanitizing library, to prevent command injections. “The developer that added this fix made an error,” Rollings explained. “Their usage of shlex does not provide any additional protection. The shlex.split function takes an input string and splits it into the command and its arguments using spaces as the delimiter. We control the package variable, which means we can inject additional arguments into the command.” According to the researcher, argument injections can still occur even if sanitization is in place, under the same conditions.

    SaltStack’s fix was issued without coordinated disclosure with Immersive Labs, a factor that the cybersecurity firm says prevented the patch from being adequately tested. “If they had communicated on the solution, the issue would have been spotted and a secondary fix wouldn’t have been necessary,” the company says. However, once the error in the patch was noticed and reported, SaltStack then privately shared the second attempt prior to publication.

    The second fix, issued on March 23, now builds arrays to stop package names from being tampered with. “Thankfully, the second time around SaltStack shared the fix for approval before publication,” Rollings says. “This is a step in the right direction and shows more of a proactive than reactive approach to security, which is always better in the long run.” ZDNet has reached out to the Salt Project and we will update when we hear back.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0
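    The difference between the two fixes described above, as an added illustration that is not Salt's own code: shlex.split tokenises a string on whitespace, so a value the caller controls simply becomes more argv entries, whereas building argv as a list keeps the value as exactly one argument. The command shape (a package query), the constructed sample input and the Debian-style name pattern are assumptions for the demonstration.

```python
import re
import shlex
import subprocess

# Constructed sample input: a "package" value carrying an extra token, in the
# spirit of the crafted names the article discusses (not a real Salt field).
CRAFTED_PACKAGE = "libexample --version"


def argv_via_shlex(package: str) -> list:
    """Shape of the flawed first fix: the command is assembled as one string and
    then tokenised, so whitespace inside `package` yields extra arguments.
    Hypothetical command; not Salt's actual code."""
    return shlex.split("dpkg-query -W " + package)


def argv_via_list(package: str) -> list:
    """Shape of the array-based second fix: argv is a list, so `package` stays a
    single argument whatever it contains. `--` ends option parsing so a value
    starting with '-' cannot be read as a flag either."""
    return ["dpkg-query", "-W", "--", package]


# Assumed allowlist for package names (Debian-style characters only).
PACKAGE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9+.\-]*$")


def validate_package_name(package: str) -> bool:
    """Second layer: refuse anything that does not look like a package name
    before it goes anywhere near a subprocess."""
    return bool(PACKAGE_NAME.match(package))


def safe_query_argv(package: str) -> list:
    """Validate, then build argv as a list. Raises ValueError on bad input."""
    if not validate_package_name(package):
        raise ValueError(f"refusing suspicious package name: {package!r}")
    return argv_via_list(package)


def is_rejected(package: str) -> bool:
    """True when safe_query_argv refuses the value (used by the checks below)."""
    try:
        safe_query_argv(package)
    except ValueError:
        return True
    return False


def run_query(package: str) -> int:
    """Execute the validated argv without a shell; returns the exit status.
    Left out of the checks below because it needs dpkg-query on the host."""
    return subprocess.run(safe_query_argv(package), shell=False, check=False).returncode


if __name__ == "__main__":
    print("shlex.split :", argv_via_shlex(CRAFTED_PACKAGE))   # extra '--version' argv entry
    print("list argv   :", argv_via_list(CRAFTED_PACKAGE))    # one argument, kept intact
    print("validated   :", is_rejected(CRAFTED_PACKAGE))      # True: never reaches a process
```

    The takeaway matches the article's point: shlex.split is a tokeniser, not a sanitiser, and even shell quoting (shlex.quote) would only stop command injection, not argument injection, because a value beginning with "-" is still interpreted by the called program as an option. A list-built argv plus "--", with input validation in front of it, closes both gaps.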

  • Purple Fox malware evolves to propagate across Windows machines

    An upgraded variant of Purple Fox malware with worm capabilities is being deployed in an attack campaign that is rapidly expanding. 

    Purple Fox, first discovered in 2018, is malware that used to rely on exploit kits and phishing emails to spread. However, a new campaign taking place over the past several weeks — and which is ongoing — has revealed a new propagation method leading to high infection numbers.

    In a blog post on Tuesday, Guardicore Labs said that Purple Fox is now being spread through “indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes.” Based on Guardicore Global Sensors Network (GGSN) telemetry, Purple Fox activity began to climb in May 2020. While there was a lull between November 2020 and January 2021, the researchers say overall infection numbers have risen by roughly 600% and total attacks currently stand at 90,000.

    The malware targets Microsoft Windows machines and repurposes compromised systems to host malicious payloads. Guardicore Labs says a “hodge-podge of vulnerable and exploited servers” is hosting the initial malware payload, many of which are running older versions of Windows Server with Internet Information Services (IIS) version 7.5 and Microsoft FTP. Infection chains may begin through internet-facing services containing vulnerabilities, such as SMB, browser exploits sent via phishing, brute-force attacks, or deployment via rootkits including RIG. As of now, close to 2,000 servers have been hijacked by Purple Fox botnet operators.

    Guardicore Labs researchers say that once code execution has been achieved on a target machine, persistence is managed through the creation of a new service that loops commands and pulls Purple Fox payloads from malicious URLs. The malware’s MSI installer disguises itself as a Windows Update package with different hashes, a feature the team calls a “cheap and simple” way to avoid the malware’s installers being connected to one another during investigations.

    In total, three payloads are then extracted and decrypted. One tampers with Windows firewall capabilities, and filters are created to block a number of ports — potentially in a bid to stop the vulnerable server from being reinfected with other malware. An IPv6 interface is also installed for port scanning purposes and to “maximize the efficiency of the spread over (usually unmonitored) IPv6 subnets,” the team notes, before a rootkit is loaded and the target machine is restarted. Purple Fox is loaded into a system DLL for execution on boot.

    Purple Fox will then generate IP ranges and begin scans on port 445 to spread. “As the machine responds to the SMB probe that’s being sent on port 445, it will try to authenticate to SMB by brute-forcing usernames and passwords or by trying to establish a null session,” the researchers say. The Trojan/rootkit installer has adopted steganography to hide local privilege escalation (LPE) binaries in past attacks. Indicators of Compromise (IoCs) have been shared on GitHub.


  • Microsoft: 92% of vulnerable Exchange servers are now patched, mitigated

    Microsoft says that 92% of Exchange servers vulnerable to a set of critical vulnerabilities have now been patched or mitigations have been applied. The Redmond giant’s Security Response team said there is “strong momentum” in patches or mitigation tools being applied to internet-facing, on-prem servers, and the latest data shows a 43% improvement worldwide in comparison to last week. Microsoft cited telemetry from RiskIQ, which is working with the tech giant to manage the fallout of the security incident, in a tweet posted on Monday.

    Microsoft released emergency patches for Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 on March 2. At the time, the company said that four zero-day vulnerabilities which could lead to data theft and overall server hijacking were being actively exploited in “limited, targeted attacks.” However, it was not long before multiple advanced persistent threat (APT) groups began to join in Exchange Server-based campaigns, and it is estimated that thousands of systems belonging to organizations worldwide have been compromised.

    Alongside the emergency patches, Microsoft has also published a mitigation guide and created a one-click mitigation tool including a URL rewrite for one of the vulnerabilities to stop an attack chain from forming. In addition, Microsoft Defender Antivirus has been upgraded to include automatic mitigation capabilities for the zero-day vulnerabilities.

    The issue with these vulnerabilities, however, is that applying a patch or mitigations will not remove existing infections. F-Secure says “tens of thousands” of servers have already been breached and others “[are] being hacked faster than we can count.” While patches and mitigations are being applied at a fast rate, IT administrators must check their systems for indicators of compromise (IoCs) and perform security audits to see if their servers have been exploited prior to security updates being applied.

  • Apple has a problem with ProtonVPN wanting to challenge governments

     
    The founder of ProtonVPN, Andy Yen, has jumped onto a soapbox to lambaste Apple over a decision to block an update of the app over its description. “Whether it is challenging governments, educating the public, or training journalists, we have a long history of helping bring online freedom to more people around the world,” stated the text an Apple app reviewer had an issue with. The reviewer suggested the text be modified to not “encourage users to bypass geo-restrictions or content limitations”.

    Yen used the rejection to claim Apple was stymieing rights in Myanmar, which is in the midst of a brutal crackdown following a coup last month. The founder said the company had used the description for months already. “Actions have consequences, and Apple’s actions are actively hampering the defense of human rights in Myanmar at a time when hundreds of people are dying,” Yen said.

    Never mind that Apple challenges governments when it suits it — unless it is Beijing calling the shots.

    It’s a far cry from its famous 1997 ad when the company said the following words over the top of a montage of government resisters: “Here’s to the crazy ones. The misfits. The rebels. The troublemakers. The round pegs in the square holes. The ones who see things differently. They’re not fond of rules. And they have no respect for the status quo.”

    Last week, Wired reported that Apple had agreed to begin showing Russian users a phone setup screen where they could install a set of Moscow-approved apps. “Apple’s priority is to preserve access to markets and maintain its profits, so it almost never challenges the policies of dictators or authoritarian regimes,” Yen said. “By giving in to tyrants, Apple is ignoring internationally recognised human rights and preventing organisations such as Proton from defending those in need. What is also troubling is that Apple requested the removal of this language in ALL countries where our app is available.

    “By doing so, Apple is helping spread authoritarian laws globally, even in countries where freedom of speech is protected.”

    Apple said in a submission to the Australian Competition and Consumer Commission recently that it was surprised developers took issue with its app review process. “The main purpose of the App Review process is to protect consumers from fraudulent, nonfunctioning, malicious, or scam apps,” Apple said. “Central to the App Review process is the protection of our consumers’ privacy and security.”

  • Firefox 87 launch packed with private browsing 'SmartBlock'

    An example of SmartBlock (right) in action. Image: Mozilla

    Mozilla has launched Firefox 87, with the latest version of the browser boasting “SmartBlock”, a new privacy feature touted as intelligently fixing web pages that are broken by tracking protections, without compromising user privacy.

    SmartBlock aims to bolster Firefox’s built-in content blocking feature — available across both private browsing and strict tracking protection modes for the past six years — which blocks third-party scripts, images, and other content from being loaded from cross-site tracking companies reported by Disconnect. As Mozilla explained in a blog post, by blocking these tracking components, Firefox’s private browsing windows prevented these companies from watching users as they browse the internet. Doing so, however, risked blocking components that were essential for some websites to function properly. “This can result in images not appearing, features not working, poor performance, or even the entire page not loading at all,” Mozilla explained. “To reduce this breakage, Firefox 87 is now introducing a new privacy feature we are calling SmartBlock.”

    SmartBlock does this by providing local stand-ins for blocked third-party tracking scripts. “These stand-in scripts behave just enough like the original ones to make sure that the website works properly. They allow broken sites relying on the original scripts to load with their functionality intact,” the blog said. “We believe the SmartBlock approach provides the best of both worlds: strong protection of your privacy with a great browsing experience as well.”

    Over on Chrome, from version 90, the browser’s address bar will use “https://” by default, unless otherwise specified. “Users often type ‘example.com’ instead of ‘https://example.com’ in the address bar. In this case, if it was a user’s first visit to a website, Chrome would previously choose http:// as the default protocol. This was a practical default in the past, when much of the web did not support HTTPS,” the Chromium blog explained. The post touted that the move would improve the initial loading speed of sites supporting HTTPS, in addition to being a privacy improvement. This change will roll out initially on Chrome Desktop and Chrome for Android in version 90, with a release for Chrome on iOS to follow soon after.

  • AEC confident in its security posture with external audits not welcome

    The Australian Electoral Commissioner Tom Rogers has dismissed the proposal to allow a non-government researcher to conduct a security audit on its systems. The prospect of security researcher Vanessa Teague, who has experience in finding holes in electoral systems, was raised by One Nation Senator Malcolm Roberts during Senate Estimates on Tuesday night.

    Rogers said “frankly” that Teague would not be welcome to perform an audit on the AEC systems. “We work with a range of partners, including the Australian Signals Directorate, the Australian Cyber Security Centre, we’ve had our internal code audited and checked,” he said. “And not being rude, I’m sure that Dr. Teague is a wonderful person, but we’ve had sufficient checks in place to assure ourselves that that system is running smoothly.”

    Roberts subsequently pushed for the commissioner to give a “resounding guarantee of the cyber integrity” of the system, which Rogers refused. “No one would sit in this chair and give an unequivocal guarantee about that issue,” he said. “I would be cheapening the guarantee by giving it.”

    Rogers repeated that the AEC and government cyber agencies were satisfied with the systems’ security and that they followed the prescribed Commonwealth guidelines, but since cybersecurity involves unknown factors, a guarantee could not be made. “But I am very, very, very confident that we’ve got an incredibly robust system in place that’s worked well and continues to work and we continue to assess it, we continue to work with our partner agencies, we comply with all Commonwealth guidelines, cybersecurity guidelines, and I think it’s a fantastically secure system,” he said. “I don’t think anyone would give an unequivocal guarantee about anything, there are factors that I’m not aware of.”

    The AEC chief also told Estimates that it would be rolling out more electronic certified lists as a way to mark off voters at polling stations, and would push the “vanishingly small” number of people voting multiple times even lower. During the 2019 Australian election, Rogers put the number of apparent multiple voters in the entire country at around 2,000 people, or 0.01% of the voting population.

  • Nearly 12-month-old COVIDSafe legislation cited as cause of Privacy Act review delays

    The Attorney-General’s Department (AGD) has said the reason for the delay in moving forward with a rework of the Australian Privacy Act 1988 was that staff needed to work on the COVIDSafe legislation, which entered Parliament in May last year.

    During Senate Estimates on Tuesday night, senators raised concerns regarding declarations made by Attorney-General Christian Porter, who is currently on leave, back in March 2019 that tougher penalties for misuse of Australians’ personal information were on their way, as no such protections have been put in place. “The team that works on the legislation and the Privacy Act review, has also dealt with other priorities. For example, the COVIDSafe legislation … that took quite a significant effort to deal with some of those issues,” deputy secretary for the Integrity and International Group in the AGD, Sarah Chidgey, said in response.

    The department is currently in the midst of reviewing the Privacy Act. Since October, it has been calling for all interested parties to provide their two cents. Chidgey said an exposure draft was on its way. “We have been working on an exposure draft inside the Privacy Act review and expect that that would be released shortly, alongside the further discussion paper in the review of the Privacy Act,” she said, noting there has been “a lot of work on it”. “We’ve used submissions we’ve received through the Privacy Act review to better inform the development of that exposure draft legislation.”

    Australian Information and Privacy Commissioner Angelene Falk said she welcomed any additions to her regulatory toolkit that would come with an updated Privacy Act. Her submission to the review included recommendations such as considering international developments, such as Europe’s General Data Protection Regulation, as well as adapting global schemes to suit Australia.

    “I think the digital platforms inquiry that was conducted by the ACCC (Australian Competition and Consumer Commission) certainly brought to public attention the extent of data handling practices … and a number of recommendations were made by that inquiry, some of which accorded with my own submissions to that inquiry, that there ought to be some amendments to the Privacy Act to ensure that it’s able to regulate data handling practices over the next decade,” she said. “I welcome any changes and improvements to the regulatory toolkit that I currently have. And I’m looking forward to both the legislation that goes to these matters and also the progress of the review that’s more broadly going to be conducted or is being conducted by the department at present.”

    PRIVACY IMPACT ASSESSMENTS UNDER REVIEW

    Falk was asked about the requirement for all Australian government agencies to keep a register of privacy impact assessments that are conducted. Greens co-deputy leader Senator Nick McKim pointed specifically to a project the Department of Home Affairs has underway regarding its travel exemption portal that is used to grant people permission to enter or leave Australia. While Falk isn’t aware of the project, McKim said individuals are currently being encouraged by Home Affairs to provide information such as banking details, financial assets, social media information, personal communications between them and their partners, private health and medical information, personal photographs to prove relationships, and medical reports to support any medical claims they have been making, including mental health reports.

    “I think there’s some difficulty in me commenting on a specific [project] … but the principle is that where a department is handling personal information in changed ways, or a new project that involves handling personal information in a way that could be considered to be high risk, then they ought to conduct a privacy impact assessment,” she said. “Many departments also conduct a preliminary assessment to decide whether or not that threshold is in fact, met. And I understand that that is usually the way in which many of the big departments and I think the Department of Home Affairs, does, in fact, undertake those preliminary assessments to decide whether or not to conduct a full privacy impact assessment.”

    Falk has powers under the Privacy Act to direct an agency to conduct a privacy impact assessment, but that power has not been exercised. She said her office is currently looking into how many agencies do have privacy impact assessment registers in place. “Notwithstanding that, we do think that we would expect Australian government agencies to have noted on their website a place where those documents could be found,” she added.

  • Protecting women in the cloud: eSafety hopes the Online Safety Act will do just that

    Australian eSafety Commissioner Julie Inman Grant is hopeful the country’s new Online Safety Act will go some way to protecting women and girls in the online world as people grapple with how to do exactly that in the offline world.

    “You wouldn’t be surprised that 70% of the reports of all forms of abuse that come into our office are from women and girls,” Inman Grant told senators on Tuesday night. “That even applies to child sexual abuse where 90% of the perpetrators are men and 84% of the victims are girls. That applies to image-based abuse, that applies to youth-based cyberbullying, and certainly to adult cyber abuse.”

    There are a handful of programs Inman Grant said that “cover the continuum of women and the spectrum of harms”. One receiving a lot of attention from her office is a program aiming to help women experiencing domestic and family violence. “One, of course, where women are particularly vulnerable, are women that are experiencing domestic and family violence, where technology-facilitated abuse is present as an extension of that coercion control and surveillance in 99.3% of these cases, and they deserve special protections,” she said.

    The commissioner is also concerned about women in the public sphere, pointing to the experience recently recounted by Liberal MP Nicole Flint as one example. “We know that women are three times more likely to receive online abuse, but the tenor and tone of the abuse is very different too, it tends to be sexualised, violent, will target things like your fertility or appearance,” Inman Grant said.

    “It’s rooted in misogyny, and it’s meant to silence women’s voices. We know from women that they self-censor, or they will get off social media altogether. Social media did promise to be a great leveller. In terms of promoting women’s voices, we need to do a better job at protecting those voices online.”

    Senators pointed to the work underway by Sex Discrimination Commissioner Kate Jenkins, asking Inman Grant if the contents of the Online Safety Act would help protect women. “I think they will immeasurably, and in the end, as I say, particularly with the serious adult cyber abuse scheme, we’ll continue with our prevention programs … and the proactive and systemic change work that we do, including the work we’re doing around technology, challenges, and trends,” she said. “Of course, we know that a lot of trolls will use the veil of anonymity to try and abuse women with impunity. So all of these things I think, will come together and give us some important potent new tools to help us — a lot of this abuse that we see is rooted in misogyny, in racism, in hate that is surfaced by social media.

    “And this abuse online, targeting women, reinforces the gender inequality that already exists in our societies and our institutions. So we really need to protect women in the cloud as well.”

    Banter won’t qualify for intervention

    With the new proposed law extending the cyber takedown function to adults, eSafety will have the power to issue takedown notices directly to the services hosting the content and end users responsible for the abusive content. Inman Grant clarified that the takedown directive — which is slashed from 48 to 24 hours under the new legislation — would only apply in serious situations.

    “The adult cyber abuse scheme is set at a very high threshold because adults are more resilient,” she said, noting it’s on par with the Criminal Code, which uses the terminology “to use a carriage service provider to menace, harass, or cause offence”. She also said the term “offensive” is sometimes taken out of context. “This is a very, very high threshold, where we have to make out intent to cause serious harm directed to a specific Australian individual. The second part of the test is an objective test that would ask those questions,” she added. “I do think we need to set expectations so that people — when they come to us, that it’s not just going to be banter or opinions or mean statements, that there’s a very, very high bar that has to be met before we can before we would recommend removal of that content.”

    The commissioner also addressed concerns of the overreaching powers that eSafety is set to receive with the legislation. “I can’t speculate about future safety commissioners and how they might use the power. All I would say is that, in my 30 years in working in technology, I’ve learned that you can’t anticipate the creative and myriad ways that people will misuse technology. And it requires us to have a broad toolkit,” she said. “I think the lines were carefully drawn on to make sure that there wasn’t suppression of free speech, and that there are a number of transparency and accountability provisions available.”

    She said beyond the AAT review, there’s also potentially judicial review and involvement from the Commonwealth Ombudsman, in addition to amendments currently being drafted around an internal review process. “And I’d say also that there was a pretty rigorous merit-based process that was involved for me landing this role. I fully anticipate that the government would be looking at people who have experience at the intersection of technology, policy, and social justice and would assess any concerning ideological events that might influence their decision making,” Inman Grant said. “I’m influenced by how do I minimise the risk to online citizens and I would expect the future eSafety Commissioner would hold those same values.”

    IF YOU OR ANYONE YOU KNOW IN AUSTRALIA NEEDS HELP CONTACT ONE OF THESE SERVICES:
      • Suicide Call Back Service on 1300 659 467
      • Lifeline on 13 11 14
      • Kids Helpline on 1800 551 800
      • MensLine Australia on 1300 789 978
      • Beyond Blue on 1300 22 46 36
      • Headspace on 1800 650 890
      • QLife on 1800 184 527