Skip links

Infosec bods: After more than a year, Sky gets round to squashing hijacking bug in 6m home broadband routers

In brief Sky has fixed a flaw in six million of its home broadband routers, and it only took the British broadcaster’n’telecoms giant a year to do so, infosec researchers have said.

We’re told that the vulnerability could be exploited by tricking a subscriber into viewing a malicious webpage. If an attack was successful, their router would fall under the attacker’s control, allowing the crook to open up ports to access other devices on the local network, change the LAN’s default DNS settings to redirect browsers to malicious sites, reconfigure the gateway, and cause other general mischief and irritation.

This exploitation is non-trivial: it involves luring people to a webpage that uses JavaScript to cause the browser to first use an attacker-controlled DNS server to lookup the IP address for a subdomain to connect to an outside server, then the browser is encouraged to reconnect to the server, the IP address is looked up again, and this time, the subdomain resolves to the local IP address of the router rather than the outside server.

Now the browser starts talking to the router as if it’s the remote server, and the JavaScript on the page can access the router’s web configuration panel. The browser thinks it’s still talking to the remote server and doesn’t get in the way.

This will work reliably if the subscriber hasn’t changed their router username and password from the default of admin and sky; if the credentials have been changed, they’ll have to be brute-forced. It’s not too easy to pull off, but not impossible. Pen Test Partners (PTP), which said it found and disclosed this DNS rebinding vulnerability to Sky, made this video demonstrating the hole:

Youtube Video

The security firm said last week it told Sky about the issue in May 2020, and developed a proof-of-concept exploit. Sky, according to PTP, said it would fix the issue in a November software update that year for its routers, but this got pushed back to December and then “early 2021.” It was only when the vulnerability researchers started to talk to the press that Sky got a wriggle on and issued the patch, PTP said.

“Sky’s communications were particularly poor and had to be chased multiple times for responses,” PTP’s Rafael Fini said.

Police are investigating the ongoing and near-month-long IT breakdown at Simplify, which operates Premier Property Lawyers and other brands.

It’s understood the UK conveyancing giant was hit by some kind of potentially criminal cyber-security drama, the end result of the tech outage being home buyers and sellers were, or still are, unable to complete transactions and move.

In a note on its website on Monday this week, Premier Property Lawyers noted: “We are pleased to report that by the end of today, the majority of our conveyancing colleagues will be back up and running on core systems, and actively working on cases.

“Our team, supported by external experts, has been working non-stop for the past two weeks to get our systems safely back up and running and to ensure we prioritise the most urgent cases, enabling clients to move.”

Microsoft squashes Azure privilege-escalation bug

Microsoft has fixed a flaw in Azure that, according to the infosec firm that found and privately reported the issue, could be exploited by a rogue user within an Azure Active Directory instance “to escalate up to a Contributor role.”

“If access to the Azure Contributor role is achieved, the user would be able to create, manage, and delete all types of resources in the affected Azure subscription,” NetSPI said of the vulnerability, labeled CVE-2021-42306.

Essentially, an employee at a company using Azure Active Directory, for instance, could end up exploiting this bug to ruin an IT department or CISO’s month. Microsoft said last week it fixed the problem within Azure:

“The discovery of this vulnerability,” said NetSPI’s Karl Fosaaen, who found the security hole, “highlights the importance of the shared responsibility model among cloud providers and customers. It’s vital for the security community to put the world’s most prominent technologies to the test.”

Oh look, it’s a new way to poison Linux-powered DNS caches

It appears boffins have found a way to bypass some DNS cache poisoning defenses, and, in the right circumstances, trick a DNS cache into accepting the wrong IP address as the answer to a domain-name lookup query. Subsequent queries for this domain-name from the cache by clients will return the wrong IP address. This could be exploited to, for instance, redirect netizens to malicious websites that masquerade as legit sites to harvest login credentials.

It’s said that 38 per cent of public-facing open resolvers are vulnerable to this latest attack. Whether or not a DNS cache is vulnerable depends on the version of the Linux kernel it is running on, and the software involved, be it BIND, Unbound, or dnsmasq. See table 1 in this academic paper [PDF] on the attack to work out whether your service is at risk of poisoning.

You can also use the ID CVE-2021-20322 to track kernel-level patches to thwart the attacks: here’s Debian and Red Hat‘s pages for the flaw, for instance.

The poisoning technique builds upon last year’s SADDNS approach. First, understand that DNS cache poisoning, as pointed out by the late Dan Kaminsky, was possible by waiting for a DNS cache to query another server for a domain-name lookup, and replying to that query from another machine before the server. If you managed to guess, or brute force, the correct transaction ID in the reply in time, your answer would be accepted over the server, allowing you to poison the cache with a bad IP address.

To counter this, a randomized UDP port would be used for the query, meaning the attacker would have to brute-force guess the 16-bit transaction ID and the correct UDP port, making poisoning infeasible. Last year, SADDNS showed it was possible to figure out the UDP port, reducing the attack complexity and prompting various patches.

This latest technique, devised by Keyu Man, Xin’an Zhou, and Zhiyun Qian at the University of California Riverside, is a side-channel attack: it involves spraying the cache with ICMP errors to determine the UDP port to use. The trio wrote the aforementioned paper, which was presented at the ACM Conference on Computer and Communications Security this month.

“This paper presents novel side channels during the process of handling ICMP errors, a previously overlooked attack surface,” they wrote.

“We find that side channels can be exploited to perform high-speed off-path UDP ephemeral port scans. By leveraging this, the attacker could effectively poison the cache of a DNS server in minutes. We show that side channels affect many open resolvers and thus have serious impacts.”

FBI warns of FatPipe zero-day exploit

In a flash notice [PDF] the FBI has warned that criminals have been able to hijack FatPipe VPN devices using a zero-day bug since May.

The Feds said they had conducted forensic analysis into an attack and found the exploited vulnerability in all FatPipe WARP, MPVPN, and IPVPN device firmware prior to the latest versions, 10.1.2r60p93 and 10.2.2r44p1. An attacker could use the security hole to upload a web shell on the equipment that would provide root access to the device. The FBI said this was used to commandeer VPN boxes and route malicious traffic to target parts of the US infrastructure.

Finding out if you’re one of the victims could be tricky, however, since the attackers frequently used cleanup scripts to hide evidence of their activities. If you do find any evidence of an attack, please preserve it as the FBI would like to hear from you.

The US government wants you! If you do security

As part of its ongoing efforts to modernize and skill up in cybersecurity, the US Department of Homeland Security has unveiled new methods for finding and keeping talent.

Dubbed the Cybersecurity Talent Management System (CTMS), the framework may make it easier for Uncle Sam to recruit infosec types by allowing recruiters to hire people based on “demonstrated competencies” rather than holding industry certificates, streamlining the hiring process so candidates aren’t waiting months, and enabling pay rates more in line with private-sector positions.

“The DHS Cybersecurity Talent Management System fundamentally re-imagines how the Department hires, develops, and retains top-tier and diverse cybersecurity talent,” said Secretary of Homeland Security Alejandro Mayorkas. “As our Nation continues to face an evolving threat landscape, we cannot rely only on traditional hiring tools to fill mission-critical vacancies.”

For once, WordPress users not hit with ransomware

Over the past week or so, hundreds of WordPress users were greeted with a sight every webmaster dreads: their websites replaced with a message demanding 0.1 Bitcoin to decrypt and restore the sites’ data.

Sucuri was called into one such case and had some good news. It’s not actually ransomware.

The site content isn’t actually encrypted: it’s just hidden. A rogue plugin called directorist was generating the messages and hiding the posts. See here for more info on which plugin to remove, and how to restore the vanished content with an SQL database command. ®