Liberté, Égalité, Spyware: France okays cops snooping on phones
ALSO: Shell fails to learn from past leaks; hundreds of solar plants found open to Mirai; and this week's crit vulns
Infosec in brief With riots rocking the country, French parliamentarians have passed a bill granting law enforcement the right to snoop on suspects via "the remote activation of an electronic device without the knowledge or consent of its owner."
That's the direct (via machine translation) language used in the French Senate's version of a justice reform bill passed earlier. According to French publication Le Monde, the French General Assembly just passed its version, albeit with a few amendments that will require the Senate to OK the changes before it can become law.
Under the provision, French police will have the right to activate cameras and microphones remotely, as well as gather location data from devices belonging to suspects accused of committing crimes that are punishable by at least five years in jail. Police can gather data in that manner for up to six months, and any connected device – smartphones, laptops and even automobiles – can be used for surveillance.
Per Le Monde, lawmakers from French president Emmanuel Macron's Renaissance party added several amendments to what's been dubbed the "snoopers' charter" – requiring remote spying only be used "when justified by the nature and seriousness of the crime," and even then only for a "strict and proportional" length of time. Professions considered sensitive, including doctors, journalists, lawyers, judges and – of course – MPs can't be targeted under the law as passed by the General Assembly.
"At a time when police violence is only increasing, when political movements are being muzzled by surveillance and massive searches, parliamentarians are about to authorize the transformation of all connected objects into police snitches," French digital rights group La Quadrature du Net said of the bill.
French justice minister Éric Dupond-Moretti said the bill will only apply to a few dozen cases per year and, rather than being a way for France to get government-sponsored spyware onto the devices of anyone accused of a crime, will save lives.
"We're far away from the totalitarianism of 1984," he claimed.
Mastodon't neglect this week's critical vulnerabilities
For much of the world it was just another week, but in the US it was Independence Day on Tuesday, making things a bit quiet. That doesn't mean there weren't some critical vulnerabilities identified, though.
Decentralized social network Mastodon leads the pack with a rather serious issue identified this week. CVE-2023-36460, with its CVSS score of 9.9, exists in Mastodon versions starting with 3.5.0.
The issue could let an attacker with a specially-crafted media file "cause Mastodon's media processing code to create arbitrary files at any location," according to NIST. Any file that Mastodon has access to could be overwritten as well. Mastodon users are advised to patch to version 3.5.9, 4.0.5 or 4.1.3, depending on the fork they're using.
Heard of the brand new Firefox 115? It included several important security fixes, and Mozilla released some others, too:
- Firefox 115 fixes several high-severity vulnerabilities, including memory safety bugs that could be used to run arbitrary code and a use-after-free problem in the creation of WebRTC connections over HTTPS.
- Firefox ESR 102.13 received patches for similar vulnerabilities.
- Thunderbird v. 102.13 fixes a few issues similar to Firefox's, too.
CISA published a single ICS advisory this week, but it's definitely a critical one. Covering PiiGAB M-Bus software for the 900S, the advisory includes nine separate CVEs ranging from a CVSS score of 5.9 all the way to 9.8. Issues include hard-coded credentials, plain text transmission of credentials, and failure to sanitize input, among others.
As for vulnerabilities under active exploit, a single critical case was identified this week in several versions of Arm Mali GPU kernel drivers. If leveraged by an attacker, it could lead to information disclosure or root privilege escalation.
Oil giant Shell clipped by Cl0p for the second time in three years
You would think an international oil company as large as Shell would learn its lesson after Russian cyber crime gang Cl0p abused a vulnerable file-transfer application to steal and ransom employee data in 2021. That's not the case, though, as Shell just admitted Cl0p hit it in the same way again – this time by making use of its hot new exploit in another file transfer app, MOVEit.
"A cyber security incident … has impacted a third-party software from Progress called MOVEit Transfer, which was running on a Shell IT platform," Shell explained in a brief statement about the breach.
Shell said that it was not a ransomware event – in other words, it fell victim to the same SQL injection vulnerability, or maybe one of the other vulnerabilities, reportedly being exploited by Cl0p. Shell revealed the stolen data related to employees of its BG Group subsidiary, adding there was no evidence of impact to other IT systems.
Cl0p last hit Shell two years ago in a similar manner – that time involving file transfer software made by Accellion, which has since rebranded as Kiteworks. Passport and visa scans belonging to employees were stolen in that incident.
To make matters worse, Shell's report of the breach came just a day before Progress, maker of MOVEit, released a service pack to address three additional serious vulnerabilities in its code. Progress said the MOVEit service packs will be a regularly released security measure to combat exploitation of its software, so anyone yet to flee to another service provider should get patching, lest they end up like Shell.
Hundreds of solar power plants at risk for Mirai takeover
There are more than 600 solar power facilities around the world running SolarView monitoring hardware and software that's vulnerable to a flaw under active exploit. It's tied to the Mirai botnet, security researchers from Vulncheck reported this week.
The flaw in question – CVE-2022-29303 – allows remote command injection due to failure to sanitize user inputs, and could lead to takeover by a Mirai-style botnet. If exploited, attackers could pivot to attack additional ICS hardware, as well as cut off monitoring of solar power facilities, affecting productivity and revenue.
Vulncheck said that IoT search engine Shodan reports more than 600 SolarView systems are connected to the internet despite the fact they should be restricted to ICS networks. While patches for the flaw, found in version 6.00 of SolarView software, have been available since last year, fewer than one third of the affected systems have been patched, Vulncheck said.
To make matters worse, several newer CVEs identified by Vulncheck also affect SolarView systems, meaning even the patched third of systems could still be at risk.
The lesson? Keep your ICS network and hardware segmented from the internet, regardless of your stellar patching habits. ®