Security Week 28: vulnerabilities in a powerline extender
Two of the three vulnerabilities belong to the same class: the device's web interface does not validate user-supplied data, which lets an attacker run arbitrary code with the highest privileges. In one case the affected function renames one of the powerline devices on the network; in the other, it adds a Wi-Fi device to the list of trusted ones. There is only one obstacle in the path of a potential attacker: neither method of executing commands with root rights works without authorization. But, as usual, this was not a serious obstacle, thanks to the default password for the web interface: admin.
The third vulnerability requires no authorization at all, but it does not give control over the device. Communication between the network adapters (of which, by the logic of Homeplug connections, there must be two or more) uses port 48912; anyone who connects to it can change the name of the internal network used to exchange data over the electrical wiring. When the network name changes, the data encryption key changes with it; this was done, among other things, to avoid conflicts between two different Homeplug networks, and the interface is apparently used during initial setup. Result: an attacker can force the adapters into a reboot loop and render them completely inoperable.
As usual, analysis of the firmware turned up leftovers of a debugging mode: a complete dump of the firmware can be obtained through the web interface, and the login and password for accessing the device over the "emergency" UART connection are hard-coded. Sadder still, the manufacturer did not respond to the requests of the researchers from IBM's lab. The combination of the default password and the two discovered vulnerabilities allows the device to be attacked remotely: it is enough to lure its owner to a prepared web page.
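As an added illustration (not code from the vendor's firmware or from the IBM writeup), here is how a rename handler could be hardened in Python against the three weaknesses this section describes: unvalidated input reaching a root shell, a still-unchanged default password, and a cross-site request from a prepared web page. The request field names, the session structure and the `plc_rename` helper binary are assumptions.

```python
import re
import hmac

# Constructed example: a hardened "rename powerline device" handler.
# Names are allow-listed and the command is returned as an argv list, so no
# shell ever interprets them; the request must also carry an authenticated
# session whose password is not the factory default and a per-session
# anti-CSRF token, which blocks the "lure the owner to a web page" path.

NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,31}")      # assumed name policy
MAC_RE = re.compile(r"([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")   # colon-separated MAC
RENAME_TOOL = "/usr/sbin/plc_rename"                        # hypothetical helper


class Rejected(Exception):
    """Raised for any request that must not reach the privileged helper."""


def validate_name(name: str) -> str:
    """Return the name unchanged if it matches the allow-list, else reject."""
    if not NAME_RE.fullmatch(name):
        raise Rejected("device name contains disallowed characters")
    return name


def handle_rename(request: dict, sessions: dict) -> list:
    """Return the argv list to execute (never a shell string) or raise Rejected.

    request:  {"session": id, "csrf_token": str, "mac": str, "name": str}
    sessions: {id: {"csrf": str, "default_password": bool}}  (assumed layout)
    """
    sess = sessions.get(request.get("session"))
    if sess is None:
        raise Rejected("not authenticated")
    if sess.get("default_password", True):
        # Privileged actions stay locked until the factory password is changed.
        raise Rejected("default credentials must be changed first")
    # Constant-time comparison so the token check does not leak by timing.
    if not hmac.compare_digest(sess["csrf"], request.get("csrf_token", "")):
        raise Rejected("missing or wrong CSRF token")
    mac = request.get("mac", "")
    if not MAC_RE.fullmatch(mac):
        raise Rejected("malformed MAC address")
    name = validate_name(request.get("name", ""))
    # argv form: ';', '`', '$(' and friends in the name are just bytes here.
    return [RENAME_TOOL, "--mac", mac, "--name", name]
```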
What else happened
A maximum-severity (10-point) vulnerability was discovered and patched in F5's enterprise BIG-IP network products.
Kaspersky Lab experts analyze in detail the reincarnation of the Rovnix bootkit. The source code of this malware was leaked publicly in 2013, and a fresh modification is being distributed under the guise of an "important message from the WHO" about the coronavirus epidemic.
Cisco has patched a vulnerability in its small-business network switches: a brute-force attack could guess a valid session identifier and take control of the devices.
Ars Technica publishes the results of an interesting study on which words, besides the intended ones, activate voice assistants. For example, instead of "Hey Siri" you can say "a city". The reason for this behavior is the developer's wish to increase the chance that the system triggers when it is addressed, at the cost of allowing false activations. The problem is that such false activations cause private conversations to be recorded and transcribed on the vendor's server.
An out-of-band patch for Windows 10 closes a critical vulnerability in the built-in multimedia codec library that could lead to arbitrary code execution.
At the end of June we wrote about vulnerabilities in (at least) 79 Netgear routers. Six months after the vendor was notified, the speed of patching can be assessed: only 28 devices have received an update.