
Security Roundup: Roundcube Vulnerability, Unified Threat Identification, and Artificial Intelligence Chat Records

Vulnerability alert: update Roundcube Webmail installations older than 1.5.10 (1.5 branch) or 1.6.11 (1.6 branch) immediately. An authenticated Remote Code Execution (RCE) vulnerability has been confirmed in the webmail client; any user who can log in to the mailbox can reach it.

Get ready for some juicy tech news. First up: if you're running a Roundcube Webmail setup older than version 1.5.10 or 1.6.11, update now. There's an authenticated Remote Code Execution (RCE) vulnerability lurking in Roundcube. Authenticated means the attacker needs a valid mailbox login first, so this isn't the drop-everything chaos of an unauthenticated RCE, but it's not a message you want to ignore either: on a shared or hosted mail server, a single user account, including a phished one, is foothold enough.

The culprit? Roundcube's user session code, specifically its custom session deserialization routine. The unserialize function has an odd special case: a session key that starts with an exclamation mark has that character skipped, and the parser assumes the key carries no value. If a value does follow, the parser keeps reading and treats that value's text as further key/value pairs. Combine that with the file upload action, where a request parameter shapes the session key and the uploaded file's name lands in the value, and you have a recipe for disaster: the filename becomes the payload delivery mechanism, letting an attacker write arbitrary key/value pairs into their own session, including a serialized PHP object. The object of choice is a GPG class from the PEAR library, and deserializing a crafted instance of it ends in command execution on the server.
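To make the bug class concrete, here is an added toy model of a PHP-style "name|value" session store with the exclamation-mark special case described above. This is illustration code written for this roundup, not Roundcube's own implementation: it only handles string values, and the key name, the file name and the `is_admin` flag are constructed inputs. In the real bug the injected value is a serialized object rather than a string, but the parser walk is the same.

```python
import re

# Toy model of the PHP "name|value" session encoding read back by a
# hand-rolled unserialize().  Added illustration, NOT Roundcube's code;
# only string values (s:N:"...";) are supported.


def php_serialize_str(value: str) -> str:
    """PHP serialize() form of an ASCII string: s:<len>:"<text>";"""
    return f's:{len(value)}:"{value}";'


def serialize_session(entries: dict) -> str:
    """Write each entry as name|<serialized value>.  Like the original
    format, nothing escapes '|' or ';' inside names or values."""
    return "".join(f"{name}|{php_serialize_str(v)}" for name, v in entries.items())


def unserialize_session(data: str) -> dict:
    """Read name|value pairs.  A name starting with '!' has that character
    dropped and is recorded WITHOUT a value; parsing resumes right after the
    '|', so whatever was stored as its value is re-read as new name|value
    pairs.  That is the quirk an attacker-shaped key abuses."""
    out, p, n = {}, 0, len(data)
    while p < n:
        q = data.find("|", p)
        if q == -1:
            break                      # trailing garbage is ignored
        has_value = True
        if data[p] == "!":
            p += 1
            has_value = False
        name = data[p:q]
        q += 1                         # step over '|'
        if not has_value:
            out[name] = None
            p = q
            continue
        if not data.startswith("s:", q):
            raise ValueError(f"unsupported value at offset {q}")
        colon = data.index(":", q + 2)
        length = int(data[q + 2:colon])
        start = colon + 2              # skip ':"'
        out[name] = data[start:start + length]
        p = start + length + 2         # skip '";'
    return out


def is_safe_key(name: str) -> bool:
    """Mitigation used in this model: refuse any request-derived key that is
    not a plain identifier, so '!' and '|' never reach the store."""
    return re.fullmatch(r"[A-Za-z0-9_-]+", name) is not None


def demo_injection() -> dict:
    """Constructed attack: the server builds the key from a request parameter
    (attacker prepends '!') and stores the upload's file name as the value.
    The file name carries the delimiters plus a second, attacker-chosen pair."""
    filename = 'x|s:1:"1";is_admin|s:1:"1";'
    store = serialize_session({"username": "alice",
                               "!identity_uploads": filename})
    return unserialize_session(store)


if __name__ == "__main__":
    print(demo_injection())
    # {'username': 'alice', 'identity_uploads': None, 's:27:"x': '1', 'is_admin': '1'}
    print(is_safe_key("!identity_uploads"))   # False
```

Walking the injected store by hand: after `!identity_uploads|` the parser records the key with no value and resumes at `s:27:"x|...`, which it reads as a junk key named `s:27:"x` followed by the attacker's `s:1:"1";` value, and then `is_admin|s:1:"1";` as a fresh pair. Anything that rejects a request-derived key containing `!` or `|` before it is written (the `is_safe_key` check above) closes the door; escaping the delimiters in values, or dropping the hand-rolled format for a real serializer, closes it more thoroughly.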

Next, Rhino Security Labs took on NetMRI, a network automation suite from Infoblox. Their headline finding: the URL-encoded form of the ampersand (%26) could be used to execute unauthorized code on the platform. That is the usual shape of a command injection, where a character that a check did not catch in its encoded form turns into a shell metacharacter once the input is decoded, and it is a mess you don't want on a box that manages your network.
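As an added, generic reconstruction of that shape (not NetMRI's code: the page only says that the encoded ampersand led to code execution, so the handler layout, the parameter and the `echo` command standing in for the real binary are all assumptions), the following shows a handler that checks the raw query value, decodes it afterwards and splices it into a shell string, next to a version that decodes first, allowlists the result and never invokes a shell.

```python
import re
import subprocess
from urllib.parse import unquote

# Added illustration of "check, then decode, then shell".  Not NetMRI code;
# the handler shape, the parameter and the command are assumptions, and
# `echo` stands in for whatever binary the real platform ran.

SHELL_META = set("&|;`$()<>\n")


def vulnerable_command(raw_value: str) -> str:
    """Blocklist check on the RAW query value, decode AFTER the check, then
    splice into a shell string.  '%26' passes the check and becomes '&'
    only inside unquote()."""
    if SHELL_META & set(raw_value):
        raise ValueError("metacharacter rejected")
    host = unquote(raw_value)
    return f"echo host={host}"


def hardened_command(raw_value: str) -> list:
    """Decode first, allowlist the DECODED value, and build an argv list so
    no shell ever parses the input."""
    host = unquote(raw_value)
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9.-]{0,253}", host):
        raise ValueError("hostname rejected")
    return ["echo", f"host={host}"]


def run_vulnerable(raw_value: str) -> str:
    """Execute the shell string the way the vulnerable handler would."""
    return subprocess.run(vulnerable_command(raw_value), shell=True,
                          capture_output=True, text=True).stdout


def run_hardened(raw_value: str) -> str:
    """Execute the argv list directly; no shell involved."""
    return subprocess.run(hardened_command(raw_value),
                          capture_output=True, text=True).stdout


def is_rejected(builder, raw_value: str) -> bool:
    """True when the builder refuses the input with ValueError."""
    try:
        builder(raw_value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "x%26echo%20INJECTED"      # constructed: '&' encoded as %26
    print(run_vulnerable(payload))       # both 'host=x' and 'INJECTED' appear
    print(is_rejected(vulnerable_command, "x&echo INJECTED"))  # True: literal '&' is caught
    print(is_rejected(hardened_command, payload))              # True: decoded '&' is caught
```

The practitioner's check is the ordering: any validation that runs before the last decoding step (URL decoding, HTML entity decoding, base64) is validating a different string than the one the command sees. Decode fully, allowlist what remains, and pass it as an argv element rather than a shell string.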

They also turned up a couple of hard-coded credentials in the released image, along with a SQL injection in a URL GET parameter. The most interesting issue was an arbitrary file read available to any authenticated user: a Java servlet normally used to generate reports could be manipulated into returning arbitrary files, and it fetches them with root permissions. A reporting servlet that runs as root is not the kind of root access you want to be handing out.

Speaking of access, let's talk about the Worldline Yomani XR credit card terminal. The hardware has extensive anti-tampering protections; the software leaves a lot to be desired. Stefan Gloor, a Siemens employee, took the device apart, tripped some of the tamper triggers, and ended up pulling the flash chip to dump the firmware. It turned out to be Linux 3.6 built with a 2010 release of Buildroot, yet with a 2023 build date. A fresh 2023 build of a kernel line that went end-of-life in 2012 is scary stuff in a device that handles card data.

Now, buckle up, because the hacking never ends, and neither does the naming. CrowdStrike and Microsoft have partnered to align their threat actor naming schemes. They're not merging them: each vendor keeps its own names, but they've agreed to maintain a shared mapping so that CrowdStrike's animal-themed name and Microsoft's weather-themed name for the same group are published as aliases of each other. Think of it as two friends agreeing on who they're both talking about, even though each still uses their own nickname.

To wrap up, there's a new security tool called Tnok, a port knocker built on the Time-based One Time Password (TOTP) algorithm that lets non-root users send secure port-knocking requests. One potential issue: the TOTP token space is small (a typical six-digit code has only a million values), so brute forcing is feasible unless failed knocks are throttled, and Tnok's answer is a built-in temporary IP block. The flip side is that if an attacker can spoof a victim's source IP, they can get the victim's address blocked, which turns the protection into a Denial of Service vector. How practical that is depends on the transport: a knock that counts on a single forged packet (a UDP datagram, or a TCP SYN) is easy to spoof, while a token carried inside an established TCP connection is not without an off-path attack.
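The trade-off and the spoofing problem are easier to reason about with a model in hand. The following is an added example written for this roundup, not Tnok's code: only the TOTP math (RFC 6238 over RFC 4226 HOTP) is standard, while the per-source lockout, the failure threshold, the block duration, the one-step tolerance window and the addresses are assumptions. The secret is the RFC 4226 reference test secret so the tokens can be checked against the published vectors.

```python
import hashlib
import hmac
import struct

# Added model of a TOTP port knocker with per-source lockout.  Not Tnok's
# code: transport, failure threshold, block duration and window are assumed.

SECRET = b"12345678901234567890"   # RFC 4226/6238 reference test secret
STEP = 30                          # seconds per TOTP step
DIGITS = 6                         # 10**6 possible tokens


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic
    truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, now // step, digits)


class KnockDaemon:
    """Opens for a source whose token matches the current step or one of its
    neighbours; a source that fails max_failures times is blocked for a
    while.  The lockout is keyed on the claimed source address, which is
    exactly what a spoofing attacker gets to choose."""

    def __init__(self, secret: bytes, max_failures: int = 3,
                 block_seconds: int = 600, window: int = 1):
        self.secret, self.max_failures = secret, max_failures
        self.block_seconds, self.window = block_seconds, window
        self.failures = {}        # src_ip -> consecutive failures
        self.blocked_until = {}   # src_ip -> unix time the block ends
        self.opened = set()       # sources granted access

    def knock(self, src_ip: str, token: str, now: int) -> str:
        if self.blocked_until.get(src_ip, 0) > now:
            return "blocked"
        base = now // STEP
        for counter in range(base - self.window, base + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, counter), token):
                self.opened.add(src_ip)
                self.failures.pop(src_ip, None)
                return "opened"
        self.failures[src_ip] = self.failures.get(src_ip, 0) + 1
        if self.failures[src_ip] >= self.max_failures:
            self.blocked_until[src_ip] = now + self.block_seconds
            self.failures.pop(src_ip, None)
            return "blocked"
        return "rejected"


def spoof_dos_demo() -> dict:
    """Constructed scenario: the attacker forges the victim's source address
    on three bad knocks, and the lockout then lands on the victim's real,
    correct knock a second later."""
    victim = "203.0.113.7"
    daemon = KnockDaemon(SECRET)
    now = 59
    attacker = [daemon.knock(victim, bad, now)
                for bad in ("000000", "111111", "222222")]
    victim_result = daemon.knock(victim, totp(SECRET, now + 1), now + 1)
    return {"attacker": attacker, "victim": victim_result}


if __name__ == "__main__":
    print(totp(SECRET, 59))      # 287082, the RFC 6238 SHA-1 vector at T=59
    print(spoof_dos_demo())      # attacker: rejected, rejected, blocked; victim: blocked
```

With a one-step tolerance window three tokens out of a million are valid at any moment, so without a lockout an attacker firing knocks continuously would expect to hit in the order of a few hundred thousand tries; the lockout is what makes that impractical. The cost is visible in `spoof_dos_demo`: because the counter is keyed on the claimed source address, anyone who can forge that address can spend the victim's failure budget for them. Options that keep the brute-force protection without that hole are to count failures globally per time step rather than per source, to cap the rate of all knocks, or to only count a failure once a handshake has proven the source address.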

Lastly, legal systems and technology can sometimes be, well, out of sync. A court has ordered OpenAI to preserve all ChatGPT output logs as evidence in a copyright case. The problem? OpenAI argues that an indefinite hold on user conversations, including ones users asked to have deleted, conflicts with its privacy commitments and with privacy law in places like California and the European Union. OpenAI is in a tough spot, users are rightfully concerned, and the company is fighting the order through the courts. This one's definitely worth keeping an eye on.

Stay safe, and remember: knowledge is power!

  1. In the world of open source technology, a security issue has been discovered in Roundcube Webmail prior to version 1.5.10 or 1.6.11: an authenticated Remote Code Execution (RCE) vulnerability in the Roundcube user session code, specifically its session deserialization routine.
  2. Rhino Security Labs have found a code execution issue in NetMRI, a network automation suite from Infoblox, where the URL-encoded form of the ampersand can be used to execute unauthorized code, alongside hard-coded credentials, a SQL injection, and an arbitrary file read that runs as root.
  3. A cybersecurity concern has emerged regarding the Worldline Yomani XR credit card terminal: while it has strong anti-tampering protections, its software runs on Linux 3.6 built with a 2010 release of Buildroot, yet carries a 2023 build date. This raises questions about the device's security and potential vulnerabilities.
