Google’s Project Zero team has posted a blog post that paints a pretty scary picture for Pixel and Samsung owners:
In late 2022 and early 2023, Project Zero reported eighteen 0-day vulnerabilities in Exynos Modems produced by Samsung Semiconductor. The four most severe of these eighteen vulnerabilities (CVE-2023-24033 and three other vulnerabilities that have yet to be assigned CVE-IDs) allowed for Internet-to-baseband remote code execution. Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.
The fourteen other related vulnerabilities (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076 and nine other vulnerabilities that are yet to be assigned CVE-IDs) were not as severe, as they require either a malicious mobile network operator or an attacker with local access to the device.
The following devices are known to be affected by these exploits:
- Samsung phones including the Galaxy S22 series, the Galaxy M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04
- Vivo phones including the S16, S15, S6, X70, X60 and X30
- Google Pixel 6 and 7 series
- Wearables using the Exynos W920 chipset
- Vehicles that use the Exynos Auto T5123 chipset
That’s a very big list. And I have to wonder what cars use Exynos based modems. I guess we will find out shortly. In any case, the mitigation until updates come out is to turn off Wi-Fi calling and Voice-over-LTE (VoLTE). You should be able to find both of these in the Settings menu under Network & internet > SIMs, though the exact location may vary from device to device. If you have a vehicle that uses this chipset, I have no mitigation for you. And I have no way for you to check your vehicle to see if you have this Exynos chipset.
Expect patches for phones and wearables to come out soon, if they haven’t already. As for vehicles, your guess is as good as mine.
UPDATE:
David Maynor, Senior Director of Threat Intelligence at Cybrary had this to say:
“The flaw in the baseband component is important for enterprise customers to be aware of but not for the reasons it seems. The baseband component is the radio that communicates with cellular infrastructure. The software is a binary blob that’s encrypted, and there are not good ways to inspect the baseband state. So, you have a place you can’t monitor with software you can’t inspect that creates a perfect place for bad guys to do nefarious things.”
Ted Miracco, CEO of Approov followed up with this:
“The discovery of 18 vulnerabilities in Samsung’s Exynos chipsets is deeply unsettling, especially given that four of them enable remote code execution without any user interaction or indication. Overall, the discovery of these vulnerabilities highlights the importance of ongoing security research and the need for vendors to prioritize mobile security in their products. While, It also serves as a reminder for users to remain vigilant and take steps to protect themselves from potential attacks, the fact that an attacker only needs the victim’s phone number to carry out these attacks further highlights the severity of these vulnerabilities.”
FDIC #Fails Audit Regarding Active Directory Controls Within Their Organization
Posted in Commentary with tags Security on March 17, 2023 by itnerdThe FDIC is reporting disappointing results after the Office of Inspector General performed an audit of its controls for securing and managing its Microsoft Windows Active Directory which it uses for central management of all IT system user credentials.
According to auditors, privileged system users didn’t practice simple password hygiene such as:
In addition, the probe found that, in over 900 cases, the accounts of users were not removed after prolonged inactivity. They also found three FDIC IT accounts with privileged access that remained privileged for almost a year after the access was no longer required for their positions.
Since the audit findings, the FDIC IG has made 15 recommendations to the agency for improving security controls such as providing password training and the removal of unnecessary privileges. This brings into question what training may have been up until now for password and credential controls, and other widely-used cybersecurity issues such as phishing, for example.
Details of the cybersecurity concerns come as the financial regulator headlines the SVB failure, and following another report published earlier this year also by the OIG, which found that the FDIC is not doing enough to monitor cyber risks within the institutions it regulates.
Oh boy.
I have there comments on this rather shambolic audit. The first is from
Naveen Sunkavalley, Chief Architect at Horizon3.ai had this comment:
“The issues highlighted in the audit – password re-use, excessive account privileges, and the failure to deactivate stale accounts – are very serious and commonly exploited by threat actors. These issues make it easier for an attacker to compromise an account and then use that single account to take over many other accounts and elevate privileges, ultimately leading to full compromise of AD and all AD-managed assets.
“The FDIC is not alone though. We see the same problems in many of the organizations we work with. And the problems can easily recur after being fixed once, as users join or leave an organization, or users change passwords. We recommend regular security assessments of Active Directory environments to identify issues and address them as soon as possible.
Baber Amin, COO at Veridium had this to say:
This report highlights two fundamental problems.
Action: Don’t put a training band aid, eliminate the problem, eliminate passwords.
Action: Limit access grants, use privileged access management tools to monitor privileged activity, use smart entitlements to limit overarching access, use smart monitoring to identify probes, and anomalies.
Morten Gammelgaard, EMEA, co-founder of BullWall had this to say:
“The fact that privileged users were found to be reusing passwords and sharing them across accounts, as well as failing to change passwords for extended periods, indicates a lack of awareness about the importance of good password hygiene practices.
“Moreover, the incorrect account configurations, and the discovery that user accounts were not removed after prolonged inactivity, reveals a lack of oversight in managing user accounts. These are common weaknesses that leave agencies vulnerable to cyber attacks, particularly ransomware attacks, which have only increased year over year.
“For all their potential resources, government agencies clearly need to prioritize cybersecurity best practices and implement robust security controls. This includes providing password training to users, regularly reviewing user accounts and privileges, and removing unnecessary elevated domain privileges.”
It’s bad enough that smaller businesses suffer from these sorts of issues. But for the FDIC to have these sorts of issues is insane. Hopefully this is the wake up call that they need to move them into a much better place. And everybody else should read this report and ensure that they don’t have any of these issues as well.
Leave a comment »