Security news

Zoom for Mac patches get-root bug – update now!

Sophos security - 3 hours 33 minutes
There's many a slip 'twixt the cup and the lip. Or at least between the TOC and the TOU...
Categories: Security news

VU#309662: Signed third-party UEFI bootloaders are vulnerable to Secure Boot bypass - Thu, 08/11/2022 - 21:04

A security feature bypass vulnerability exists in signed third-party UEFI bootloaders that allows bypass of the UEFI Secure Boot feature. An attacker who successfully exploits this vulnerability can bypass the UEFI Secure Boot feature and execute unsigned code during the boot process.


UEFI firmware is software written by vendors in the UEFI ecosystem to provide capabilities in the early start up phases of a computer. Secure Boot is a UEFI standard that can be enabled and used to verify firmware and to protect a system against malicious code being loaded and executed early in the boot process, prior to the loading of the operating system.

Security researchers at Eclypsium have found three specific UEFI bootloaders that are signed and authenticated by Microsoft to be vulnerable to a security feature bypass vulnerability allowing an attacker to bypass Secure Boot when it is enabled. The vulnerable bootloaders can be tricked into bypassing Secure Boot via a custom installer (CVE-2022-34302) or an EFI shell (CVE-2022-34301 and CVE-2022-34303). As a vulnerable bootloader executes unsigned code prior to initialization of the Operating System's (OS) boot process, it cannot be easily monitored by the OS or common Endpoint Detection and Response (EDR) tools.

The following vendor-specific bootloaders were found vulnerable:

  • Inherently vulnerable bootloader to bypass Secure Boot
    • New Horizon Datasys Inc (CVE-2022-34302)
  • UEFI Shell execution to bypass Secure Boot
    • CryptoPro Secure Disk (CVE-2022-34301)
    • Eurosoft (UK) Ltd (CVE-2022-34303)

An attacker can bypass a system's Secure Boot feature at startup and execute arbitrary code before the operating system (OS) loads. Code executed in these early boot phases can provide persistence to an attacker, potentially loading arbitrary kernel extensions that survive both reboot and re-installation of an OS. It may also evade common OS-based and EDR security defenses.

Solution: Apply a patch

Apply your vendor-provided security updates that address these vulnerabilities to block vulnerable firmware from bypassing Secure Boot. Microsoft has provided details in its KB5012170 article, released on August 9th, 2022. Note that these updates can be delivered by your OEM vendor or the OS vendor to install an updated Secure Boot Forbidden Signature Database (DBX).

Enterprise and Product Developers

As DBX file changes can cause a system to become unstable, vendors are urged to verify that the DBX updates do not render the machine unusable. Enterprises and cloud providers that manage large numbers of computers are also urged to apply the required security updates and ensure DBX files are deployed reliably, without any risk of boot failure.


Thanks to Mickey Shkatov and Jesse Michael of Eclypsium who researched and reported these vulnerabilities.

This document was written by Brad Runyon & Vijay Sarvepalli.

Categories: Security news

S3 Ep95: Slack leak, Github onslaught, and post-quantum crypto [Audio + Text]

Sophos security - Thu, 08/11/2022 - 16:34
Latest episode - listen now! (Or read the transcript if you prefer.)
Categories: Security news

APIC/EPIC! Intel chips leak secrets even the kernel shouldn’t see…

Sophos security - Wed, 08/10/2022 - 18:59
If you've ever written code that left stuff lying around in memory when you didn't need it any more... we bet you've regretted it!
Categories: Security news

Slack admits to leaking hashed passwords for five years

Sophos security - Mon, 08/08/2022 - 17:14
"When those invitations went out... somehow, your password hash went out with them."
Categories: Security news

Traffic Light Protocol for cybersecurity responders gets a revamp

Sophos security - Fri, 08/05/2022 - 18:57
Traffic lights make a handy global metaphor for denoting the sensitivity of cybersecurity threat data - three colours that everyone knows.
Categories: Security news

VU#495801: muhttpd versions 1.1.5 and earlier are vulnerable to path traversal - Thu, 08/04/2022 - 20:22

Versions 1.1.5 and earlier of the mu HTTP daemon (muhttpd) are vulnerable to path traversal via a crafted HTTP request from an unauthenticated user. This vulnerability can allow unauthenticated users to download arbitrary files and collect private information from the target device.


muhttpd, hosted at SourceForge as an open-source project, is a lightweight web server. This software is commonly used in customer premises equipment (CPE), such as home routers and small office routers, to provide device management capability through a web interface. muhttpd supports the use of CGI scripts that enable remote management of CPE devices.

A path traversal vulnerability in muhttpd (version 1.1.5 and earlier) could allow an unauthenticated attacker to read arbitrary content on the target device, including usernames and passwords, wireless SSID configurations, ISP connection information, and private keys. If remote management is enabled on a device running a vulnerable version of muhttpd, this attack is possible from a remote network. Even in cases with restricted local area network access, a vulnerable version of muhttpd can be reached using other attack methods such as DNS rebinding.


An unauthenticated attacker can use a crafted HTTP request to download arbitrary files or gather sensitive information from a vulnerable target device. In cases where remote management is enabled on a vulnerable device, a remote unauthenticated attacker can perform these attacks.

Solution: Apply updates

Update to the latest version of the firmware/software provided by your vendor; see the Vendor Information section for details. Downstream developers of embedded systems should update the muhttpd software (to version 1.1.7 or later) from the SourceForge git repository.

Disable remote management

Disabling remote management access, which limits access strictly to the local area network, can minimize the exposure introduced by the vulnerable software. If remote management is required from specific IP network locations, use access control to limit it to those locations. Additional mitigations are described in the security researcher's advisory.


Thanks to Derek Abdine for reporting this vulnerability.

This document was written by Brad Runyon, Vijay Sarvepalli, and Eric Hatleback.

Categories: Security news

S3 Ep94: This sort of crypto (graphy), and the other sort of crypto (currency!) [Audio + Text]

Sophos security - Thu, 08/04/2022 - 18:52
Latest episode - listen now! (Or read if that's what you prefer.)
Categories: Security news

GitHub blighted by “researcher” who created thousands of malicious projects

Sophos security - Thu, 08/04/2022 - 01:06
If you spew projects laced with hidden malware into an open source repository, don't waste your time telling us "no harm done" afterwards.
Categories: Security news

Post-quantum cryptography – new algorithm “gone in 60 minutes”

Sophos security - Wed, 08/03/2022 - 18:55
And THIS is why you don't knit your own home-made encryption algorithms and hope no one looks at them.
Categories: Security news

Cryptocoin “token swapper” Nomad loses $200 million in coding blunder

Sophos security - Tue, 08/02/2022 - 18:12
Transactions were only approved, it seems, if they were initiated by... errrrr, by anyone.
Categories: Security news

GnuTLS patches memory mismanagement bug – update now!

Sophos security - Mon, 08/01/2022 - 18:55
GnuTLS may well be the most widespread cryptographic toolkit you've never heard of. Learn more...
Categories: Security news

How to celebrate SysAdmin Day!

Sophos security - Fri, 07/29/2022 - 17:37
I've just popped in to wish you all/The best SysAdmin Day!
Categories: Security news

Critical Samba bug could let anyone become Domain Admin – patch now!

Sophos security - Wed, 07/27/2022 - 23:15
It's a serious bug... but there's a fix for it, so you know exactly what to do!
Categories: Security news

Mild monthly security update from Firefox – but update anyway

Sophos security - Wed, 07/27/2022 - 02:41
You're probably thinking we're going to say, "Don't delay/Do it today"... and that's exactly what we are saying!
Categories: Security news

T-Mobile to cough up $500 million over 2021 data breach

Sophos security - Mon, 07/25/2022 - 18:20
Technically, it's not a fine, and the lawyers will get a big chunk of it. But it still adds up to a half-billion-dollar data breach.
Categories: Security news

Office macro security: on-again-off-again feature now BACK ON AGAIN!

Sophos security - Sat, 07/23/2022 - 03:10
20 years to turn it on, then 20 weeks to turn it off, then just 2 weeks to turn it back on again. That's progress!
Categories: Security news

S3 Ep92: Log4Shell4Ever, travel tips, and scamminess [Audio + Text]

Sophos security - Thu, 07/21/2022 - 18:25
Latest episode - listen, read or both!
Categories: Security news

Apple patches “0-day” browser bug fixed 2 weeks ago in Chrome, Edge

Sophos security - Thu, 07/21/2022 - 14:38
One vendor's zero-day is another vendor's routine patch...
Categories: Security news


Subscribe to the feed reader - Security news channel