Aggregator
Drupal security advisory (AV24-473)
From Pwn2Own Automotive: Taking Over the Autel Maxicharger
This blog covers two vulnerabilities in the Autel Maxicharger firmware that researchers from Synacktiv demonstrated at Pwn2Own Automotive 2024, and how Autel responded and patched them in its latest firmware release.
At the event, the Synacktiv researchers demonstrated two distinct remote attacks against the Autel Maxicharger running firmware v1.32, each achieving remote code execution (RCE). Autel was informed of the issues and released firmware v1.35 before ZDI published the research. The first vulnerability discussed in this blog is documented in ZDI-24-851, and the second is covered by ZDI-24-852. Below we describe the reverse engineering process used to locate the vulnerabilities in the original firmware and how ZDI confirmed the corrected code in the new firmware.
The first vulnerability is in the Bluetooth handler for charging control. In v1.32, this function copied the client's Bluetooth Low Energy (BLE) message into a fixed-size receive buffer without checking the message length. A message longer than the buffer overflows it and overwrites adjacent memory, which the researchers used to redirect execution and take control of the device over BLE.
We extracted both the v1.32 and v1.35 firmware images from the Autel charger and reversed both binaries with Ghidra. Using Ghidra's version tracking feature, we compared the AppChargingControl function across the two versions. In the screenshot below, the left panel (v1.32) copies a client message of any length straight into memory. In the right panel (v1.35), Autel added a length check that limits the client message to the size of the receive buffer (0x3D bytes).
Figure 1 - A comparison of the v1.32 and v1.35 firmware versions
With this length check in place, a remote attacker can no longer overflow the receive buffer through this function.
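The following is an added example, not code from the Autel firmware or from ZDI's writeup. It models the pattern described above in C: an unchecked memcpy of an attacker-supplied BLE message into a 0x3D-byte receive buffer, beside the patched handler that enforces the bound. The only figure taken from the post is the 0x3D buffer size; the struct layout, the field that sits after the buffer, and the function names are assumptions made so the overwrite stays inside one object and can be observed without crashing the process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the receive buffer that the v1.35 check enforces (0x3D bytes). */
#define CLIENT_MSG_MAX 0x3D

/* Hypothetical layout of the handler's working memory: the receive buffer is
 * followed by state the firmware relies on. The field names are assumptions;
 * only the 0x3D-byte buffer size comes from the writeup. */
struct charging_ctx {
    uint8_t  client_msg[CLIENT_MSG_MAX];
    uint32_t session_state;          /* stands in for whatever follows the buffer */
};

#define STATE_OK 0xCAFEBABEu

/* v1.32-style handler: copies the client's BLE payload with no length check.
 * The copy goes through the struct's byte representation so the overflow into
 * session_state stays inside the object (defined behaviour for this demo; on
 * the real device the copy runs off into adjacent memory). */
static void app_charging_control_v132(struct charging_ctx *ctx,
                                      const uint8_t *msg, size_t len)
{
    unsigned char *dst = (unsigned char *)ctx + offsetof(struct charging_ctx, client_msg);
    memcpy(dst, msg, len);               /* len is attacker-controlled */
}

/* v1.35-style handler: the added bound rejects messages longer than the buffer.
 * Returns 0 on success, -1 when the message is rejected. */
static int app_charging_control_v135(struct charging_ctx *ctx,
                                     const uint8_t *msg, size_t len)
{
    if (len > CLIENT_MSG_MAX)
        return -1;
    memcpy(ctx->client_msg, msg, len);
    return 0;
}

/* Constructed BLE payload: long enough to reach the end of the context, filled
 * with 'A' so the clobbered state reads 0x41414141 regardless of endianness. */
static size_t build_oversized_msg(uint8_t *out, size_t cap)
{
    size_t len = sizeof(struct charging_ctx);   /* exceeds CLIENT_MSG_MAX */
    if (len > cap)
        len = cap;
    memset(out, 'A', len);
    return len;
}

/* Feed the oversized payload to the v1.32 handler and return session_state:
 * 0xCAFEBABE means intact, 0x41414141 means the overflow reached it. */
uint32_t state_after_v132(void)
{
    struct charging_ctx ctx = { {0}, STATE_OK };
    uint8_t msg[sizeof(struct charging_ctx)];
    size_t len = build_oversized_msg(msg, sizeof msg);
    app_charging_control_v132(&ctx, msg, len);
    return ctx.session_state;
}

/* Same payload against the v1.35 handler: 1 if rejected with state intact. */
int v135_rejects_oversized(void)
{
    struct charging_ctx ctx = { {0}, STATE_OK };
    uint8_t msg[sizeof(struct charging_ctx)];
    size_t len = build_oversized_msg(msg, sizeof msg);
    int rc = app_charging_control_v135(&ctx, msg, len);
    return rc == -1 && ctx.session_state == STATE_OK;
}

/* A message that exactly fills the buffer is still accepted by v1.35: 1 if copied. */
int v135_accepts_max_len(void)
{
    struct charging_ctx ctx = { {0}, STATE_OK };
    uint8_t msg[CLIENT_MSG_MAX];
    memset(msg, 'B', sizeof msg);
    if (app_charging_control_v135(&ctx, msg, sizeof msg) != 0)
        return 0;
    return ctx.client_msg[CLIENT_MSG_MAX - 1] == 'B' && ctx.session_state == STATE_OK;
}

int main(void)
{
    printf("v1.32 session_state after oversized BLE message: 0x%08x\n",
           (unsigned)state_after_v132());
    printf("v1.35 rejects oversized message: %d\n", v135_rejects_oversized());
    printf("v1.35 accepts %d-byte message: %d\n", CLIENT_MSG_MAX, v135_accepts_max_len());
    return 0;
}
```

The vulnerable copy is routed through the struct's base pointer deliberately: a fortified libc would abort a direct memcpy into `client_msg`, which hides the very overwrite the example is meant to show. On hardware without such checks the same unchecked length lets the message overwrite whatever follows the buffer, which is the behaviour the researchers turned into code execution.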
The second issue was located with the same reversing workflow in Ghidra: both firmware versions were extracted and compared side by side in the version tracking tool to identify the vulnerability and its patch. The vulnerable function authenticates Wi-Fi credentials but contains a back door that accepts a hard-coded set of credentials. The screenshot below again shows v1.32 in the left panel and v1.35 in the right panel; the highlighted code is the back door, which is absent from the newer version.
Figure 2 - Comparing v1.32 to v1.35 to show the removal of the back door
In v1.35 the back door has been removed entirely. In theory, access should now require the device's legitimate Wi-Fi credentials rather than a hard-coded pair.
Conclusion
It is good to see these bugs patched by the vendor, as they were particularly easy to exploit given the lack of mitigations in the system. EV chargers are being deployed rapidly in homes around the world and pose safety risks when not secured. We look forward to Pwn2Own Automotive again in January 2025 and will see whether EV charger vendors have improved their product security. Look out for our upcoming rules, targets, and contest announcements soon, and we hope to see you there.
Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.
The countdown to NIS2 is on: Understand its scope and requirements
The Network and Information Systems Directive 2 (NIS2) takes effect in October 2024, leaving European Union (EU) member states only a few months to transpose it into national law and publish their compliance requirements.
The post The countdown to NIS2 is on: Understand its scope and requirements appeared first on Security Boulevard.
Cisco security advisory (AV24-472)
The return of "Doctor Frankenstein": He Jiankui takes up gene editing again
SolarWinds fixed a hardcoded credential issue in Web Help Desk
Microsoft: August updates cause Windows Server boot issues, freezes
INE Security Launches Initiatives to Invest in the Education of Aspiring Cybersecurity Professionals
Cary, North Carolina, 22nd August 2024, CyberNewsWire
The post INE Security Launches Initiatives to Invest in the Education of Aspiring Cybersecurity Professionals appeared first on Security Boulevard.
New NGate Android malware uses NFC chip to steal credit card data
Randall Munroe’s XKCD ‘Storage Tanks’
via the comic & dry wit of Randall Munroe, creator of XKCD
The post Randall Munroe’s XKCD ‘Storage Tanks’ appeared first on Security Boulevard.
CVE-2024-42771 | Kashipara Hotel Management System 1.0 edit_room_controller.php room_name cross site scripting
Hardware Backdoor Discovered in RFID Cards Used in Hotels and Offices Worldwide
Hardcoded Credential Vulnerability Found in SolarWinds Web Help Desk
Introducing TAXII 2.1 and a fond farewell to the TAXII 2.0 Server
Microsoft confirms August updates break Linux boot in dual-boot systems
TLS Certificates Renewal with AppViewX AVX ONE CLM and Puppet
One of the major challenges organizations face in certificate lifecycle management is the timely renewal of certificates. Application owners often fail to renew certificates promptly despite receiving multiple advance expiry alerts. This oversight leads to application outages, business downtime, and security risks. The AppViewX AVX ONE Certificate Lifecycle Management (CLM) solution effectively addresses the issue […]
The post TLS Certificates Renewal with AppViewX AVX ONE CLM and Puppet appeared first on Security Boulevard.
5 million websites at risk of compromise because of LiteSpeed Cache
OSINT Methods for Image Investigations
‘Netfetcher’ package drops illicit ‘node’ binary on Windows
Recently identified PyPI packages called "netfetcher" and "pyfetcher" impersonate open source libraries and target Windows users with malicious executables that have a zero detection rate among leading antivirus engines. Furthermore, some of these executables are called "node.exe" and even bear the NodeJS icon and metadata, making them evasive and easily mistaken for legitimate libraries.
The post ‘Netfetcher’ package drops illicit ‘node’ binary on Windows appeared first on Security Boulevard.