Select Page
Dozens of Severe Flaws Found in 4 Popular Open Source VNC Software

Dozens of Severe Flaws Found in 4 Popular Open Source VNC Software

Four popular open-source VNC remote desktop applications have been found vulnerable to a total of 37 security vulnerabilities, many of which went unnoticed for the last 20 years and most severe could allow remote attackers to compromise a targeted system.

VNC (virtual network computing) is an open source graphical desktop sharing protocol based on RFB (Remote FrameBuffer) that allows users to remotely control another computer, similar to Microsoft’s RDP service.

The implementation of the VNC system includes a “server component,” which runs on the computer sharing its desktop, and a “client component,” which runs on the computer that will access the shared desktop.

In other words, VNC allows you to use your mouse and keyboard to work on a remote computer as if you are sitting in front of it.

There are numerous VNC applications, both free and commercial, compatible with widely used operating systems like Linux, macOS, Windows, and Android.

Considering that there are currently over 600,000 VNC servers accessible remotely over the Internet and nearly 32% of which are connected to industrial automation systems, cybersecurity researchers at Kaspersky audited four widely used open source implementation of VNC, including:

  • LibVNC
  • UltraVNC
  • TightVNC 1.x
  • TurboVNC

After analyzing these VNC software, researchers found a total of 37 new memory corruption vulnerabilities in client and server software: 22 of which were found in UltraVNC, 10 in LibVNC, 4 in TightVNC, just 1 in TurboVNC.

“All of the bugs are linked to incorrect memory usage. Exploiting them leads only to malfunctions and denial of service — a relatively favorable outcome,” Kaspersky says. “In more serious cases, attackers can gain unauthorized access to information on the device or release malware into the victim’s system.

Some of the discovered security vulnerabilities can also lead to remote code execution (RCE) attacks, meaning an attacker could exploit these flaws to run arbitrary code on the targeted system and gain control over it.

Since the client-side app receives more data and contains data decoding components where developers often make errors while programming, most of the vulnerabilities affect the client-side version of these software.

images from Hacker News

OnePlus Suffers New Data Breach Impacting Its Online Store Customers

OnePlus Suffers New Data Breach Impacting Its Online Store Customers

Chinese smartphone maker OnePlus has suffered a new data breach exposing personal and order information of an undisclosed number of its customers, likely, as a result of a vulnerability in its online store website.

The breach came to light after OnePlus started informing affected customers via email and published a brief FAQ page to disclose information about the security incident.

According to OnePlus, the company discovered the breach just last week after an unauthorized party accessed order information of its customers, including their names, contact numbers, emails, and shipping addresses.

“Last week while monitoring our systems, our security team discovered that some of our users’ order information was accessed by an unauthorized party,” the company said.

OnePlus also assured that not all customers were affected and that the attackers were not able to access any payment information, passwords, and associated accounts.

“Impacted users may receive spam and phishing emails as a result of this incident.”

images from Hacker News

New ZombieLoad v2 Attack Affects Intel’s Latest Cascade Lake CPUs

New ZombieLoad v2 Attack Affects Intel’s Latest Cascade Lake CPUs

Zombieload is back.

This time a new variant (v2) of the data-leaking side-channel vulnerability also affects the most recent Intel CPUs, including the latest Cascade Lake, which are otherwise resistant against attacks like MeltdownForeshadow and other MDS variants (RIDL and Fallout).

Initially discovered in May this year, ZombieLoad is one of the three novel types of microarchitectural data sampling (MDS) speculative execution vulnerabilities that affect Intel processor generations released from 2011 onwards.

The first variant of ZombieLoad is a Meltdown-type attack that targets the fill-buffer logic allowing attackers to steal sensitive data not only from other applications and the operating system but also from virtual machines running in the cloud with common hardware.

ZombieLoad v2 Affects Latest Intel CPUs

Now, the same group of researchers has disclosed details of a second variant of the vulnerability, dubbed ZombieLoad v2 and tracked as CVE-2019-11135, that resides in Intel’s Transactional Synchronization Extensions (TSX).

Intel TSX provides transactional memory support in hardware, aiming to improve the performance of the CPU by speeding up the execution of multi-threaded software and aborting a transaction when a conflict memory access was found.

images from Hacker News

First Cyber Attack ‘Mass Exploiting’ BlueKeep RDP Flaw Spotted in the Wild

First Cyber Attack ‘Mass Exploiting’ BlueKeep RDP Flaw Spotted in the Wild

Cybersecurity researchers have spotted a new cyberattack that is believed to be the very first but an amateur attempt to weaponize the infamous BlueKeep RDP vulnerability in the wild to mass compromise vulnerable systems for cryptocurrency mining.

In May this year, Microsoft released a patch for a highly-critical remote code execution flaw, dubbed BlueKeep, in its Windows Remote Desktop Services that could be exploited remotely to take full control over vulnerable systems just by sending specially crafted requests over RDP.

BlueKeep, tracked as CVE-2019-0708, is a wormable vulnerability because it can be weaponized by potential malware to propagate itself from one vulnerable computer to another automatically without requiring victims’ interaction.

BlueKeep has been considered to be such a serious threat that since its discovery, Microsoft and even government agencies [NSA and GCHQ] had continuously been encouraging Windows users and admins to apply security patches before hackers gain hold onto their systems.

Even many security firms and individual cybersecurity researchers who successfully developed a fully working exploit for BlueKeep pledged not to release it to the public for a greater good—especially because nearly 1 million systems were found vulnerable even a month after patches were released.

This is why amateur hackers took almost six months to come up with a BlueKeep exploit that is still unreliable and doesn’t even have a wormable component.

BlueKeep Exploit Spreads Cryptocurrency Malware

The BlueKeep exploitation in the wild was first speculated by Kevin Beaumont on Saturday when his multiple EternalPot RDP honeypot systems got crashed and rebooted suddenly.​

images from Hacker News

Watch Out IT Admins! Two Unpatched Critical RCE Flaws Disclosed in rConfig

Watch Out IT Admins! Two Unpatched Critical RCE Flaws Disclosed in rConfig

If you’re using the popular rConfig network configuration management utility to protect and manage your network devices, here we have an important and urgent warning for you.

A cybersecurity researcher has recently published details and proof-of-concept exploits for two unpatched, critical remote code execution vulnerabilities in the rConfig utility, at least one of which could allow unauthenticated remote attackers to compromise targeted servers, and connected network devices.

Written in native PHP, rConfig is a free, open source network device configuration management utility that allows network engineers to configure and take frequent configuration snapshots of their network devices.

According to the project website, rConfig is being used to manage more than 3.3 million network devices, including switches, routers, firewalls, load-balancer, WAN optimizers.

What’s more worrisome? Both vulnerabilities affect all versions of rConfig, including the latest rConfig version 3.9.2, with no security patch available at the time of writing.

Discovered by Mohammad Askar, each flaw resides in a separate file of rConfig—one, tracked as CVE-2019-16662, can be exploited remotely without requiring pre-authentication, while the other, tracked as CVE-2019-16663, requires authentication before its exploitation.

  • Unauthenticated RCE (CVE-2019-16662) in ajaxServerSettingsChk.php
  • Authenticated RCE (CVE-2019-16663) in search.crud.php

In both cases, to exploit the flaw, all an attacker needs to do is access the vulnerable files with a malformed GET parameter designed to execute malicious OS commands on the targeted server.

images from Hacker News