Links

https://thehackernews.com/2023/11/warning-3-critical-vulnerabilities.html

• https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/
• https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/
• https://owncloud.com/security-advisories/subdomain-validation-bypass/

https://www.securityweek.com/windows-hello-fingerprint-authentication-bypassed-on-popular-laptops/

https://securityaffairs.com/154743/security/app-used-by-hundreds-of-schools-leaking-childrens-data.html

https://www.theregister.com/2023/11/23/blackcat_ransomware_fnf/

3 Critical ownCloud Vulnerabilities

• ownCloud
  • open-source file-sharing software
• graphapi App
  • CVSS score: 10/10
  • versions from 0.2.0 to 0.3.0.
  • uses third-party library that provides a URL.
    • URL is accessed, it reveals the configuration details of the PHP environment (phpinfo) (environment variables of the web server)
  • Containerized Deployment
    • environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key.
  • Fix
    • delete the “owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php” file.
    • disable the ‘phpinfo’ function.
    • change secrets.
      • ownCloud admin password
      • mail server and database credentials
      • Object-Store/S3 access keys.
    • WebDAV Api
      • CVSS score: 9.8/10
      • Versions: core 10.6.0 – 10.13.0
      • Access, Modify or delete any files.
        • Username of victim is known.
        • No signing key configured.
          • Default config
        • oauth2 app
          • CVSS score: 9/10
          • Versions: oauth2 < 0.6.1
          • improper access control
          • A malicious actor can pass in a specially crafted redirect-url to the system.
            • bypasses the validation code.
            • redirect callbacks to a TLD maliciously controlled.
          • PoC for Other Vulnerability
            • CrushFTP
            • CVE-2023-43177
              • No CVSS yet
            • unauthenticated attacker to access files, run arbitrary programs on the host, and acquire plain-text passwords.
            • version 10.5.2
              • Released on August 10, 2023.

Indian App used by Schools leaks Data

• Cybernews
  • recent investigation
• AppsCook
  • Application Developer
  • Apps used in 600 Schools.
    • India and Sri Lanka
    • Education management
  • 96 school-specific apps
    • support online classes.
    • enable direct communication between parents and schools.
      • regarding their child’s academic performance and daily activities
    • AppsCook DigitalOcean
      • Misconfigured
      • Open without authentication
      • Leaking Data
        • Students’ names
        • Names of parents
        • Pictures of students attending pre-primary, primary, and secondary schools
        • Names of the schools’ children attend.
        • Birth certificates
        • Fee receipts
        • Student report cards/exam results
        • Home addresses
        • Phone numbers
      • Attacks
        • exploit the vulnerability of children by attempting to extort their parents.
        • revealing their daily whereabouts
          • and what they look like
        • Social Engineering
          • impersonate school officials.
          • manipulate children and parents.

Windows Hello Fingerprint Issues

• Microsoft’s Offensive Research and Security Engineering
  • And Blackwing Intelligence
  • Bypass fingerprint authentication
• Tested
  • Dell Inspiron 15 with a Goodix fingerprint sensor
  • Lenovo ThinkPad T14s with the Synaptics sensor
  • Microsoft Surface Pro X, which has an ELAN sensor.
• Match-on-Chip
  • Fingerprint Sensor
  • chip has a microprocessor and memory.
  • fingerprint data never leaves the sensor.
• Attack
  • physical access to the targeted device
  • connecting a hacking device to each laptop, via USB
  • connecting the fingerprint sensor to a specially crafted rig.
  • Dell and Lenovo
    • enumerating valid IDs associated with user fingerprints.
    • enrolling the attacker’s fingerprint by spoofing a legitimate user’s ID
  • Surface
    • unplug the Type Cover
      • keyboard
        • includes fingerprint sensor.
      • connect a USB device.
        • spoofs the fingerprint sensor.
        • instructs the system that an authorized user is logging in.

BlackCat claims the Fidelity National Finance Attack

• Fidelity National Financial (FNF)
  • Fortune 500
  • $11 billion in total revenue in 2022
  • title insurance and settlement services
    • real estate and mortgage industries.
  • 8-K filing with the Securities and Exchange Commission (SEC)
    • shut down several systems, disrupting various areas of the business.
    • Material impact
  • What is known?
    • SEC Filing dated November 19
      • Made public 2 days later.
        • Within the 4-day reporting window
      • ALPHV/BlackCat
        • November 22
        • Posted to their leak blog.
        • Poked fun at incident response company
          • Mandiant
            • Reputation
            • lack of action regarding the attack
          • giving them more time before the leak
            • “Before disclosing whether or whether we have [not] collected any data, we will allow FNF further time to get in touch,” it said. “Wouldn’t want to disclose every card at this early stage.”
          • Impact
            • companies and home buyers
              • unable to close purchases
            • wait for the closing system to come back online.
          • Speculation
            • “CitrixBleed.”
            • Kevin Beaumont
              • Security Researcher
              • Shodan scan of Netscaler boxes
                • Patched 2 weeks after it came out.
              • CitrixBleed
                • CVE-2023-4966
                • unauthenticated attacker sends a specially crafted request to NetScaler ADC or Gateway instance.
                • obtain valid session tokens.
                • bypass authentication