Insinuator.net – Bold Statements

March 13, 2025 by Dennis Heinze

CVE-2025-20908: Use of insufficiently random values in Samsung’s Auracast implementation

As part of our research into the Auracast feature set in Bluetooth, we also started looking into vendor implementations. At the time we started with our research, there weren’t a lot of products on the market yet. But new products are coming out pretty frequently now.

One of the vendors that had Auracast implemented pretty early was Samsung. At the time the Samsung Galaxy S23 and S24 phones were able to broadcast Audio, while the Galaxy Buds were able to join these broadcasts.

In our previous blog post we analyze the security of Auracast broadcasts. In short, broadcasts can be encrypted by specifying a so-called Broadcast Code (or Passcode). We show that the key derivation used to derive an AES key from the Broadcast Code is not sufficient to properly protect the broadcast. The weak key derivation, combined with the way the encryption works, allows an attacker to perform an efficient offline brute-force attack against captured Auracast packets. However, when the Broadcast Code is chosen properly, this attack can be made very difficult and likely economically unreasonable.

However, we found that the Bluetooth specification is lacking in this regard. Both the specification of the Broadcast Code itself, and the example values given in the specification and other documents are inadequate.

This, in our opinion, inadequate specification and the poorly chosen examples of Broadcast Codes lead us to suspect that vendors may not be aware of the requirements for a secure Broadcast Code.

This is essentially what happened with Samsung’s implementation.

Continue reading “CVE-2025-20908: Use of insufficiently random values in Samsung’s Auracast implementation”

Misc

February 7, 2025 by Florian Bausch

When Your Edge Browser Syncs Private Data to Your Employer

Recently, one of our customers contacted us to investigate the extent of some unwanted and unexpected behavior regarding browsing data of employees.

Employees started contacting IT support because private browser bookmarks, private login credentials etc. showed up on their work machines. All affected employees stated that they never created these bookmarks on work systems. And interestingly, the data seemed to have been collected over quite some time.

Our customer wanted to understand how private data ended up in their environment. Obviously, private employee data in the enterprise landscape could cause some data privacy trouble (GDPR).

Our customer suspected that Microsoft Teams might be related to this because the company’s employees are allowed to join Teams meetings from private devices. Since this option was often used in many companies during COVID-related work-from-home times, we suspect that a larger number of enterprises may be affected by this problem.

Continue reading “When Your Edge Browser Syncs Private Data to Your Employer”

Misc

January 29, 2025 by Justus Hoffmann

Jigsaw RDPuzzle: Piecing Attacker Actions Together

In a recent incident response project, we had the chance to virtually look over the attackers’ shoulder and observe their activities. The attackers used the Remote Desktop Protocol (RDP) for lateral movement within the compromized environment and beyond (MITRE techniques T1570, T1021). As a matter of fact, RDP creates cache files that contain tiles of the transferred screen recording data. While this fact is well-known and there are existing tools, we found it worth reporting because of two different aspects:

On the one hand, we want to raise awareness for this valuable piece of evidence, explain how it works, how tooling works and how it can be used. In this particular case, the analysis of those cache files yielded valuable insights into the attackers’ activity and allowed further measures.
On the other hand, we found it exciting to look over the attacker’s shoulder, see the desktop as they saw it, and the commands they typed. We want to share parts of those insights as far as we are able to show them publicly.

Continue reading “Jigsaw RDPuzzle: Piecing Attacker Actions Together”

Breaking, Misc

January 27, 2025 by Dennis Heinze

Part I: Bluetooth Auracast from a Security Researcher’s Perspective

Auracast, the new Bluetooth LE Broadcast Audio feature has gained some publicity in the past months. The Bluetooth SIG has introduced the LE Audio feature-set to the Bluetooth 5.2 Specification in 2019 and vendors are only now starting to implement it. Auracast facilitates broadcasting audio over Bluetooth LE to a potentially unlimited number of devices. It does not require pairing or interaction between the sender and the receivers.

We also presented this topic at 38c3. This blog post will contain similar contents albeit with some more details.

Continue reading “Part I: Bluetooth Auracast from a Security Researcher’s Perspective”

Breaking

November 27, 2024 by Marius Walter

Vulnerability Disclosure: Command Injection in Kemp LoadMaster Load Balancer (CVE-2024-7591)

While conducting security research, I identified a critical vulnerability in Kemp’s LoadMaster Load Balancer. This vulnerability is a Command Injection and allows full system compromise. It requires no authentication and can be exploited remotely by having access to the Web User Interface (WUI). Kemp found that all LoadMaster versions up to and including version 7.2.60.0 and also the multi-tenant hypervisors up to and including version 7.1.35.11 are affected.

Kemp LoadMaster is a widely used Load Balancing Application that can commonly be seen in customer engagements. Therefore, we decided to take a closer look as part of our regular research projects.

As promised in the Announcement: Progress / Kemp LoadMaster CVE-2024-7591, I will go into detail about how I identified the vulnerability, where the vulnerable part of the code is, how the vulnerability can be exploited, and finally, how the vendor fixed this vulnerability.

Continue reading “Vulnerability Disclosure: Command Injection in Kemp LoadMaster Load Balancer (CVE-2024-7591)”

Breaking

November 22, 2024 by Nils Emmerich

Vulnerability Disclosure: Authentication Bypass in Vaultwarden versions < 1.32.5 - CVE-2024-55225

During a penetration test for a customer, we briefly assessed Vaultwarden, an open-source online password safe. In June 2024, the German Federal Office for Information Security (BSI) published results¹ of a static and dynamic test of the Vaultwarden server component. Therefore, only a partial source code audit was performed during our assessment. However, a quick look was needed to find some glaring issues with the authentication.
Continue reading “Vulnerability Disclosure: Authentication Bypass in Vaultwarden versions < 1.32.5 - CVE-2024-55225"

Misc

September 9, 2024 by Florian Grunow

Announcement: Progress / Kemp LoadMaster CVE-2024-7591

Hey everybody,

during a recent Red Teaming engagement Marius Walter from ERNW found a command injection issue in Progress (Kemp) LoadMaster. It was registered as CVE-2024-7591 and scores a CVSS of 10.0.

The vendor already has patches out, make sure to apply them as this is a high severe issue. You can find the official announcement and the patch references on the official support page.

Marius will follow up with a technical blog post on this issue once we think everybody had a realistic chance of applying the patches.

Breaking

September 3, 2024 by Florian Kiersch

Disclosure: Potential Limitations of Apple ADE in Corporate Usage Scenarios

Apple Automated Device Enrollment (ADE) is presented as a way to automate and simplify the enrollment process of Apple devices within Mobile Device Management (MDE) solutions. This blog post is aimed at organizations currently planning or even already using this feature and making you, the reader, aware of potential limitations of this process that might otherwise not be clearly addressed in your companies’ device management process.

Continue reading “Disclosure: Potential Limitations of Apple ADE in Corporate Usage Scenarios”

Misc

August 20, 2024 by Baptiste David

CrowdStrike: What is the worldwide BSOD all about?

This article is about the massive BSOD triggered by CrowdStrike worldwide on July 19. Analysis and information from CrowdStrike or other sources are regularly published, completing what is expressed here. Updates may also be provided in the future.

Continue reading “CrowdStrike: What is the worldwide BSOD all about?”

Breaking

August 9, 2024 by Jan Ruge

Disclosure: Apple ADE – Network Based Provisioning Bypass

Mobile Device Management (MDM) solutions are used to centrally manage mobile devices in corporate environments. This includes the monitoring of the device, automatic installation/removal of apps or certificates and restrict the functionality. Even though MDM solutions exist for multiple vendors, we will look specifically on Apple devices enrolled via Intune. When an Apple device is registered for Automated Device Enrollment (ADE), it will automatically download and apply these policies during the initial setup and prior to the first boot.

During a customer project, we identified a network-based provisioning bypass which prevents the iPad to fetch and apply the provisioning profiles. Continue reading “Disclosure: Apple ADE – Network Based Provisioning Bypass”