Over the course of the last 2 years we performed vulnerability research on several Endpoint Management & Monitoring Solutions. The results were already partially presented in security advisories which were published on this blog during the last two years. The advisories can be found here:Continue reading
Updated on 20.06.22 with CVEs and link to Broadcom Security Notice.
In April 2021 we reported seven vulnerabilities in Broadcom Automic Automation (UC4) 12.3.5+hf.3. CVE IDs were assigned on 16.06.22, the corresponding Broadcom Security Notice can be found here.
The vulnerabilities have been found in the course of a research project, in which we analyzed the security of multiple Endpoint Management solutions. Similar vulnerabilities have been found in other solutions as we pointed out in previous posts about the Ivanti DSM Suite, Nagios XI, and Solarwinds N-Central. The outcome of the research project will be published as a whitepaper and a conference talk at Troopers 2022.
In this blog post we will provide a short description of the vulnerabilities outlining the impact. More technical details will be published in the whitepaper and conference talk. All vulnerabilities were found in Broadcom Automic Automation (UC4) version 12.3.5+hf.3.Continue reading
Missing server-side validation consistently scores a place in the OWASP Top 10. Browsers nowadays offer a lot of ways to easily implement client-side controls, increasing the usability by a lot. They automatically detect missing fields or invalid characters in your input fields and may even validate user input against a regular expressions.
However, these controls should only be considered as usability features. When sending data to a back-end system the application must always ensure data integrity by implementing encodings, validations and filters. Even for small applications this is a painful and tedious process. For each possible input, developers together with security experts have to carefully identify the context of each field, how the input is going to be used and what data requirements are present.
Furthermore, the application must always be aware of the current data encoding and apply the correct decoding before validating or filtering anything.
In this post we are going to present a new groundbreaking solution to combat missing server-side validation once and for all.Continue reading
This is a guest post from Thomas Smits.
A long time ago in a galaxy far, far away….
In my ordinary life, I teach computer science at the University of Applied Sciences in Mannheim but for some months, I was an intern at ERNW learning a lot about IT security and penetration testing. One of these learnings is that old protocols can be fun and breaking them even more. But let’s start at the beginning of the story…
Back in the year 1986: Top Gun, Platoon, and Crocodile Dundee were the top-grossing films in the cinema and IBM sold the very first laptop computer, called IBM PC Convertible (model 5140). The Internet Engineering Task Force (IETF) was just founded and Boris Becker won the Wimbledon Championships for the second time. A group of engineers of the Organisation for Data Exchange by Tele Transmission in Europe (ODETTE) met and specified OFTP, a protocol to transfer files over … no, there was no Internet commercially available at that time … X.25 networks. X.25 itself dates back to 1976 and is a packet-switched protocol for WANs. The OFTP protocol tried to “address the electronic data interchange (EDI) requirements of the European automotive industry” RFC2204, page 3. With the rise of the Internet, OFTP was extended in 1997 to support TCP/IP in addition to X.25 as the transport protocol (RFC2204) and in 2007 again to include encryption and authentication (RFC5024). With RFC5024 we have the most recent specification of the protocol which is called “OFTP2”. They somehow skipped their 10-year cycle (86, 97, 07) and did not release a current specification in the last 14 years.Continue reading
Using a static passkey for Bluetooth Low Energy pairing is insecure. Recent versions of the Bluetooth specification contain an explicit warning about this. However, in practice, we often see static passkeys being used. Moreover, there are no public implementations of proofs-of-concept that can practically show why using a static passkey is an issue. This is why we implemented one.Continue reading
I recently stumbled upon a strange behavior in my Firefox: I visited an HTTPS-enabled website that I had visited before and saw that my Firefox connected insecurely via HTTP. I found that strange because nowadays, most websites set the HSTS header, which is supposed to force the browser to connect via HTTPS. I checked whether this website set the HSTS header – and it did. This means my Firefox was ignoring/forgetting about the HSTS header right after my visit. Continue reading “Analysis of HSTS Caches of Different Browsers”Continue reading
In this post, we are discussing a bug we came across in Mesas llvmpipe Gallium3D graphics driver. This bug was accessible through Chromium’s WebGL implementation and can provide control of the program counter (pc) within Chromium’s GPU process if llvmpipe is used. Llvmpipe is a software rasterizer that is used on Linux if no hardware acceleration (graphics card) is available. This is a pretty rare edge case as llvmpipe has no widespread use. An estimate by Google is that approx 0.06% of the Chromium users are affected by this. However, as this is a simple but valid Chromium bug, we want to give you a quick walkthrough. The issue is tracked as CVE-2021-21153 and was fixed in February 2020.Continue reading
BloodHound data collection, aka Sharphound, is quite a complex beast.
When giving BloodHound workshops, the part where I get the most questions is always data collection.
How is the BloodHound data collected? What methods do what? Who am I talking to? How do I fly under the radar? Continue reading “DogWhisperer’s SharpHound Cheat Sheet”
Wir freuen uns, dass das Bundesamt für Sicherheit in der Informationstechnik (BSI) im Rahmen des gemeinsam mit ERNW durchgeführten SiSyPHuS Win10-Projekts (Studie zu Systemintegrität, Protokollierung, Härtung und Sicherheitsfunktionen in Windows 10) heute (ca. 10 Uhr) die nächsten drei Arbeitspakete veröffentlicht:
- Empfehlung zur Härtung von Windows 10 mit Bordmitteln
- Empfehlung zur Konfiguration der Protokollierung in Windows 10
- Gruppenrichtlinien zu den Konfigurationsempfehlungen für Härtung und Protokollierung für Windows 10
In den Dokumenten finden sich unterschiedliche Empfehlungen für Domänenmitglieder (mit normalem und mit hohem Schutzbedarf) und Einzelplatzrechner. Die Dokumente bauen auf den Empfehlungen von Microsofts Security Baseline und dem CIS Benchmark für Windows 10 auf und ergänzen diese in von Microsoft und CIS nicht betrachteten Bereichen oder modifizieren sie dort, wo es aus Erfahrung von ERNW im Hardening von Windows-Systemen sinnvoll ist.
Sie finden die Dokumente hier.
Wir hoffen, damit zur Sicherheit von Windows-Umgebungen beitragen zu können, und wünschen Ihnen viel Spaß bei der Lektüre!
German Federal Office for Information Security (BSI) Publishes Hardening Guideline, Logging Guideline And Related GPOs for Windows 10
We are happy to announce that today the BSI publishes several documents that ERNW created as part of the long-term SiSyPHuS Win10-Project (ger: “Studie zu Systemintegrität, Protokollierung, Härtung und Sicherheitsfunktionen in Windows 10”, en: “Study on System Integrity, Logging, Hardening and Security relevant Functionality in Windows 10”):
- Hardening Guideline
- Logging Guideline
- GPOs for the Guidelines
The guidelines are built on recommendations from Microsoft´s Security Baseline, CIS Benchmarks and ERNW´s expertise.
You can find the documents and GPOs here.
Let’s make the Windows world a safer place, and have fun reading!
Last year, the CISO of a customer sent me a laptop for analysis. The reason was that he feared the company could have been victim of industrial espionage. Starting in spring 2020, the IT help desk got several employee laptops with full hard drives, caused by a huge amount of audio recordings. The audio files contained recordings even of highly sensitive telephone conferences. An automated scan on all employee computers for such audio recordings showed that about 300 devices were affected. Continue reading “Of Corona, Buggy Audio Drivers and Industrial Espionage”Continue reading