Security Bits — 27 June 2021

Feedback & Followups

  • 🇺🇸 Two years ago First American Financial made the news for leaking sensitive financial data on more than 800 million documents for people who bought or sold a house in the preceding 16 years. They’ve just settled with the SEC for a mere $500K — krebsonsecurity.com/… (for context, the company processes almost a quarter of all mortgage applications in the US, and the linked report from Krebs outlines a shockingly poor attitude to security within the company)
  • 🎦 A nice video from Rene Ritchie explaining Apple’s Private Relay, which we talked about in detail last time: Apple iCloud+ Private Relay — Explained! — www.imore.com/…

Deep Dive 1 — A Cautionary Tale for us All (those remote-wiped Western Digital drives)

This week I did something I rarely do: I tweeted that it was time to set your proverbial hair on fire! Security sites were reporting that owners of some models of Western Digital NAS drives were having them remotely wiped by attackers, and the advice from Western Digital was to disconnect them from the internet immediately.

The issue affects Western Digital My Book drives, and if you have one, and it’s connected to the internet, your immediate action should be to disconnect it before you lose all your data. But you have a much, much bigger problem than the short term!

Those of you who don’t have one of these drives probably tuned out once you knew it didn’t affect you, but, all of us should pay very close attention to this story because it should serve as a warning to us all — never trust your data to an un-supported internet-connected device!

What wasn’t clear from the initial reporting is that these are not modern drives, and the security vulnerability being exploited is not new!

These drives were released in 2012, discontinued in 2014, and got their last firmware update in 2015. The security vulnerability now being used to remote-wipe the device is a root-level remote code execution bug disclosed in 2018, along with sample proof-of-concept code. At the time Western Digital said it would not be patching the bug because the devices were out of support, and it advised users continuing to use the devices to block internet access to them on their routers.

What surprises me is not that these devices are being attacked now, but that these devices were not being attacked until now! What took the bad guys so long? If you know the IP address of one of these devices you can run any command you like on them as root!

Everyone who lost data here lost it because they trusted something important to an internet-connected device that is out of support. I wonder how many of us don’t end up doing that accidentally? Are we sure we’re not still using something that’s been working just fine for years but we’ve never thought to make sure it’s still getting patches from the vendor, and, that they’re actually being applied?

If you run your own NAS, it’s your responsibility to keep it safe. You need to understand how it gets security updates, and, you need to make sure all updates published by the vendor actually get applied. What’s more, if you find the product is out of support, you need to replace it! Running your own internet-connected infrastructure comes with responsibilities!

I got fed up with having to worry about this kind of thing last year, that’s why I now pay for cloud services to host my data and my backups. If I’m not prepared to take responsibility for keeping the infrastructure I rely on secured, I need to out-source that responsibility to someone else. If no one is responsible for keeping the stuff that keeps your data safe up-to-date, then it’s just a matter of time till something horrible like this happens again!

Deep Dive 2 — The Schou iOS Wifi Bug

A very strange bug has been found in iOS’s networking stack — if you connect to a wireless network with a name (SSID) that contains %p%s%s%s%s%n, wireless networking will break until you restore network settings and start over.

The good news is that the bug is more of an inconvenience than a threat, and the security researcher who found it is pretty confident that it can’t be used to cause any real damage because the rules on SSIDs are so strict that attackers can’t place any kind of meaningful payload into one.

Apple have not yet patched the bug, so for now, don’t connect your iOS devices to networks with funny percent signs in the name!

Since we’re nerds, we can use this as an opportunity to learn a little more about a common kind of programming bug — an input sanitisation failure.

The security researcher who found the bug explained that it happens because logging code in the iOS network stack uses the network name as part of a format string without sanitising it first. That means the SSID will be interpreted as a C-style format string, and formatting markers will get processed.

The delimiter in C-style format strings is the % symbol, so any input under the control of users should either have all % symbols removed before being used in a format string, or have all % symbols replaced with %% so they get treated as an actual percentage sign. Apple forgot!

The way these format strings get used is in functions like C’s printf(). The format string gets passed as the first argument, and then the actual values for each placeholder are passed as the second, third, fourth, etc. arguments.

As a very simplistic example, %s specifies a string and %d an integer number, so the following command will print Bart's favourite number is 42:

char name[] = "Bart";
int fav_num = 42;
printf("%s's favourite number is %d", name, fav_num);

Notice my format string has two placeholders, and I passed two variables as the second and third arguments.

When it comes to this bug, the SSID is being included in a string that gets processed by something like printf(), and when your SSID contains formatting characters there will be more placeholders than expected, so some of the placeholders will get replaced with null data, which seems to cause a crash of some kind. In this case, %p means a pointer, and the four %s markers are strings. The interesting one here is the %n: this formatting character causes printf() to write the number of characters written to the output string so far into the matching variable. If there is no matching variable because extra placeholders have been injected, you have a null pointer exception and a crash!
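The sanitisation step described above, as an added C example (not code from the original post, the researcher, or Apple). The function names and the "Joined network" log text are made up for illustration, and the second fix, keeping the format string constant and passing the SSID as a plain argument, is an assumption that goes beyond the %% escaping the text describes.

```c
#include <stdio.h>
#include <string.h>

/* Count the conversion markers printf() would act on if `s` were used as a
 * format string; "%%" is a literal percent sign and is not counted. */
int count_conversions(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') s++;   /* skip the second half of an escaped "%%" */
        else n++;
    }
    return n;
}

/* Fix 1 from the text: replace every % with %% before the name goes anywhere
 * near a format string. Returns 0 on success, -1 if `out` is too small. */
int escape_percent(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    if (outlen == 0) return -1;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (o + need >= outlen) { out[o] = '\0'; return -1; }  /* room for NUL */
        if (*in == '%') out[o++] = '%';
        out[o++] = *in;
    }
    out[o] = '\0';
    return 0;
}

/* Fix 2 (assumed here, not stated on the page): keep the format string
 * constant and pass the SSID as an argument, so it is only ever data.
 * The bug pattern would be: snprintf(buf, len, ssid); */
int log_ssid(char *buf, size_t len, const char *ssid) {
    return snprintf(buf, len, "Joined network: %s", ssid);
}

int main(void) {
    const char *ssid = "%p%s%s%s%s%n";   /* the SSID from the bug report */
    char esc[64], line[128];
    printf("markers in raw SSID: %d\n", count_conversions(ssid));
    if (escape_percent(ssid, esc, sizeof esc) == 0)
        printf("markers after escaping: %d (%s)\n", count_conversions(esc), esc);
    log_ssid(line, sizeof line, ssid);
    puts(line);
    return 0;
}
```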

❗ Action Alerts

  • Apple have released iOS 12.5.4 with security fixes for older devices (iPhone 5S & 6*, iPad Air, iPad Mini 2 & 3, and 6th gen iPod Touch), and one of the vulnerabilities fixed is being actively exploited in the wild, so don’t delay! — www.imore.com/…

Worthy Warnings

  • Security researchers at Website Planet found a publicly accessible database of CVS customer records online. The data has now been taken down, and it did not contain payment card details, but it did contain contact information and details of customers’ interactions with CVS. The biggest danger appears to be very convincing automated phishing attacks — www.websiteplanet.com/…
  • Security researchers at Website Planet also found a publicly accessible database containing 3 years’ worth of logs (814M records) for DreamHost’s DreamPress hosted WordPress service including admin login URLs, admin usernames, email addresses, and other account information. By far the biggest danger here is very convincing automated phishing attacks attempting to get the passwords to go along with those usernames and login URLs — www.websiteplanet.com/…

Notable News

Interesting Insights

Palate Cleansers

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

1 thought on “Security Bits — 27 June 2021”

  1. Philip From Australia - June 30, 2021

    A Google VPN? What could go wrong?
