Your mid-week infosec news bonanza: Cisco bugs, VMware-Nvidia guest escapes, KDE hijacking, and more

Roundup Before letting the IT staff clock out early for summer, make sure they read up on the following security notices out this week.

Cisco warns of four flaws in small biz switch line

Organizations using Cisco Small Business 220 Series switches should make sure the firmware on the device is up-to-date with today's update from the networking box maker. Switchzilla says the SMB switches are host to the following three serious flaws that could allow an attacker to remotely upload files to, execute code on, and inject commands into a vulnerable switch.

CVE-2019-1013 is a root-level remote-code execution vulnerability stemming from a buffer overflow. To exploit the flaw, an unauthenticated attacker must send a specially-crafted packet through the web management interface via HTTP or HTTPS. Credit for discovery was given to "bashis" via the VDOO Disclosure Program.

CVE-2019-1012 is an authentication bypass flaw that would result in the intruder being able to upload arbitrary files to the device. That bug can also be exploited via HTTP or HTTPS packets sent through the web interface. In this case, the flaw is due to incomplete authorization checks. Credit for reporting the bug was again given to "bashis" via the VDOO Disclosure Program.

CVE-2019-1014 is a command injection flaw in the 220 Series switches that acts more like an elevation of privilege. To exploit the bug, an attacker must have a valid web management interface login with level 15 privileges. If those requirements are met, a malicious request could be sent to kick off arbitrary shell commands run with root privileges. The flaw was found and reported by – you guessed it – "bashis" from the VDOO Disclosure Program.

Also patched was CVE-2019-1941, a cross-site scripting flaw in the web management interface for Cisco Identity Services Engine. An attacker that convinced a target to click on a malicious link would be able to perform actions or extract information in the context of the logged-in victim's browser session with the device's web-based management system. This bug was discovered internally during testing.

Nvidia flaw makes VMware Workstation bug even worse

A vulnerability in VMware Workstation 15 can be amplified by flaws in Nvidia's GPU software to allow malicious code within a virtual machine to take over the host system.

Cisco Talos senior research engineer Piotr Bania found and reported CVE-2019-5521, CVE-2019-5684, and CVE-2019-5685 in VMware and Nvidia's software. The first flaw, CVE-2019-5521, is an out-of-bounds read error in VMware Workstation 15 that is triggered by a malformed pixel shader. When the flaw is exploited, it causes Workstation 15 to crash for most systems. However, when coupled with programming errors in Nvidia's Windows GPU display driver, it potentially transforms into a potent guest escape.

On certain Windows machines fitted with particular Nvidia graphics processors, therefore, a malicious or malformed shader running within a Workstation 15 guest can potentially take CVE-2019-5521 one step further, and exploit CVE-2019-5684, a pointer-dereference bug in Nvidia's Windows GPU driver, to gain arbitrary code execution on the host. That means software within a guest can escape to the host, and cause havoc, via a dodgy shader, Workstation 15, and Nvidia's GPU drivers on Windows.

Similarly, CVE-2019-5685, again involving either an out-of-bounds write or unsafe pointer dereference in Nvidia's GPU driver, can be exploited by a shader within a Workstation 15 guest on Windows to escape to the host.

These flaws could, for example, be used by malware to break out of attempts to quarantine the code within a virtual machine, and infect the underlying host. If you have an Nvidia card and/or run VMware software, it is worth taking the time to update your installations: see the above advisories for affected products and version numbers, and where to get suitable fixes.

KDE bug allows command injection without even opening a malicious file

Those running the KDE desktop environment on their Linux boxes will want to keep a close eye on their downloads following the disclosure of a particularly nasty bug for which no patch is currently available.

Researcher Dominik Penner revealed that a .desktop or .directory file can be crafted so that if it is simply parsed by KDE, commands within the file are automatically executed. This means if you download a malicious .desktop file, or one is included in a .ZIP archive that is unpacked, KDE will immediately parse its contents and automatically start running commands within the files.

You don't have to explicitly open the booby-trapped files to trigger execution: KDE 4 and 5 will do that for you. This means KDE users can be tricked into downloading archives containing dot files that, when unpacked, cause further malware to be automatically downloaded and run, for instance.

"Using a specially crafted .desktop file a remote user could be compromised by simply downloading and viewing the file in their file manager, or by drag and dropping a link of it into their documents or desktop," Penner explained. "Theoretically, if we can control config entries and trigger their reading, we can achieve command injection / RCE."

A fix is in the works. It is understood KDE was not warned of the vulnerability ahead of its public disclosure. "For the moment avoid downloading .desktop or .directory files and extracting archives from untrusted sources," a spokesperson for KDE tweeted. "Also, if you discover a similar vulnerability, it is best to send an email security@kde.org before making it public. This will give us time to patch it and keep users safe before the bad guys try to exploit it."

Microsoft launches Azure Security Lab, gives Fancy Bear update

Microsoft wants more hackers to take a crack at breaking Azure security. The Redmond giant has opened up a new Security Lab for its cloud platform that will let researchers hammer away at isolated test servers. Anyone who can demonstrate a functioning guest escape exploit will be able to claim a bounty of up to $300,000.

"As well as offering a secure testing space, the lab program will enable participating researchers to engage directly with Microsoft Azure security experts," Microsoft said.

"Accepted applicants will have access to quarterly campaigns for targeted scenarios with added incentives, as well as regular recognition and exclusive swag."

Elsewhere in Redmond security happenings, Microsoft's team has posted an update on the long-running Russian Fancy Bear operation. The Windows giant said the Kremlin-backed hacking crew are now targeting corporate Internet-of-Things devices. Microsoft says its team found signatures of the Fancy Bear, aka Strontium, gang in three network intrusions. In each case, it was an IoT device (a VoIP handset, a printer, and a video decoder, respectively) that functioned as the point of entry.

This infiltration did not, however, involve particularly sophisticated exploits. Rather, just bad opsec by the victims.

"The investigation uncovered that an actor had used these devices to gain initial access to corporate networks," said Microsoft. "In two of the cases, the passwords for the devices were deployed without changing the default manufacturer’s passwords and in the third instance the latest security update had not been applied to the device."

Google continues Advanced Protection rollout with Chrome option

Those who have opted into Google's fancy Advanced Protection Program now have an additional layer of security: the Chocolate Factory has built extra filtering into Chrome that block exploit code in webpages, as well as drive-by downloads, for those enrolled in the program.

"Advanced Protection users already benefit from malware protections beyond Gmail's standard, industry-leading safeguards," Google said. "As a result, attackers are shifting their strategies to threaten Advanced Protection users outside of email with linked malware and 'drive-by downloads' where users unknowingly download harmful software onto their devices."

This rollout comes just a week after Google also announced it would allow enterprise accounts to enroll in the Advanced Protection service via a beta test.

TMI from Timi – health upstart leaves data sitting out

Timi Health, a US-based healthcare startup building what it calls, sigh, a "blockchain powered ecosystem that allows for health data ownership," has admitted it accidentally revealed some of its users' health records to the public internet via a poorly secured web server.

After infosec journalist Zack Whittaker pointed out the privacy blunder, the biz admitted it had fumbled the medical records of "14" people – allegedly friends and family of its founding employees – who participated in a test program earlier this year:

Today 14 people who were part of the Timi test system and loaded data had that data exposed through a malicious hack. We have resolved the issue & are notifying the 14 individuals that uploaded data. If you have any concerns or questions, 512-994-1721. Support@timihealth.com

— Timi Health (@TimiHealth) August 6, 2019

Timi Health cofounder Will Lowe told El Reg his outfit was tipped off about the data leak by a pseudonymous bug-hunter about an hour before word of the cockup emerged on Twitter. Lowe says his developer team eventually traced the exposed web directory to a URL used by the Timi Health Android app during a test run. Regardless, the data was up on the internet, and now it is off the internet. ®