Security Intelligence FeedWe’ve got your back, even when you don’t know it.

Researchers discovered five vulnerabilities in a component of firmware update packages, DBUtil BIOS, used in Dell’s devices running Windows. 

Details

• The component – the dbutil_2_3.sys module – is installed and loaded on-demand by initiating the firmware update process and then unloaded after a system reboot.
• The cause of the flaws, collectively tracked as CVE-2021-21551 and assigned a score of 8.8, is an insufficient access control which could enable a threat actor to escalate privileges to kernel mode, trigger denial of service or information disclosure.
• Dell issued an advisory with technical details and remediation steps to patch the flaws.

Recommendations

• We recommend removing and/or remediating the vulnerable driver before June 1, when a proof-of-concept for these vulnerabilities is scheduled for release.
• Follow the remediation steps in Dell’s advisory to patch the flaws and run a remediated firmware update utility package.
• Since Dell’s driver accepts system calls from non-privileged users, malicious actors could exploit unpatched devices as part of an attack chain to gain persistence.

References: Dell

On 3 May 2021, Apple released fixes for two actively-exploited vulnerabilities in the Webkit engine that can be used to attack iPhones, iPads, iPods, macOS, and Apple Watch devices. We recommend applying the latest updates as soon as possible.

Details

• Apple addressed the flaws in the iOS 14.5.1, iOS 12.5.3, macOS Big Sur 11.3.1, and the watchOS 7.4.1 updates.
• One flaw, tracked as CVE-2021-30665, is a memory corruption issue. Another flaw, CVE-2021-30663, is an integer overflow which is now addressed with improved input validation.
• Both vulnerabilities could allow arbitrary remote code execution (RCE) on vulnerable devices if a victim visits a maliciously-crafted web page.

Recommendations

• We recommend applying the latest updates as soon as possible as actively-exploited flaws present high risk to unpatched devices.
• If you don’t have automatic updates enabled, on iOS and iPadOS, go to the Settings -> General -> Software Update.
• The flaw requires user interacation to exploit it, and this is a good reminder for users not to click on any links from unknown sources.

References: Apple

On 29 April 2021, Microsoft released a report on 25 critical memory allocation flaws in internet-of-things (IoT) and operational technology (OT) devices that are commonly connected to industrial, medical, and enterprise networks. 

Details

• Separately, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory with a list of affected devices and recommendations on applying the security patches.
• The flaws, collectively dubbed “BadAlloc”, exist in standard functions used in real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations.
• The memory allocation implementations in the affected devices are missing proper input validations. This could allow threat actors to perform a heap overflow, execute malicious code or cause a denial-of-service (DoS) condition.
• The most severe of the flaws has been assigned a CVSS v3 score of 9.8.

Why it’s important

• The listed devices serve as an easy entry to a network, if left unpatched and/or poorly implemented.
• We recommend applying the vendor patches and reviewing CISA mitigations.
• The fixes are currently in progress by the affected vendors, including Amazon, ARM, Cesanta, Google Cloud, Samsung, Texas Instruments and Tencent.
• Check CISA advisory for a complete list of vulnerable products, as well as the patches currently available.

References: CISA

On 26 April 2021, Apple released security updates for macOS Big Sur, Catalina, and Mojave. The Big Sur update fixes 60 security vulnerabilities, including one with reports of active exploitation prior to being patched. We recommend updating the affected devices as soon as possible.

Details

• A logic flaw in macOS’ policy subsystems, tracked as CVE-2021-30657, causes misclassification of quarantined items, such as malicious applications. As a result, these apps, even if unsigned (and unnotarized), could be allowed to run with no warnings from macOS.
• The flaw allows a bypass of macOS’ core security mechanisms – file quarantine, Gatekeeper, and notarization requirements.
• The researchers who discovered the vulnerability suggest that it was likely introduced in macOS 10.15.
• One known malware, Shlayer, has been employing this flaw since January 2021 by distributing an exploit via compromised websites or poisoned search engine results.

Why it’s important

• We recommend updating your devices as soon as possible as actively-exploited flaws present high risk to unpatched devices.
• If you don’t have automatic updates enabled, go to the Settings-> General->Software Update.
• The flaw requires user interaction to exploit it, and this is a good reminder for users not to click on any links from unknown sources.

References: Apple

On 26 March 2021, Apple released security updates in multiple products to address a vulnerability that may have been “actively exploited” prior to being patched.

Details

• The flaw, tracked as CVE-2021-1879, is a cross-site scripting vulnerability in the WebKit browser engine used by the Safari browser on Apple devices.
• Updates are available for iPhone, iPad, iPod, and Apple Watch devices.
• Malicious actors could launch universal cross-site scripting attacks after tricking targets into opening maliciously-crafted web content on their devices.
• An attacker could then either serve malware or steal victim’s credentials using a malicious page.

Why it’s important

• Update your device as soon as possible as actively exploited flaws present high risk to unpatched devices.
• If you don’t have automatic updates enabled, on iOS and iPadOS, go to the Settings-> General->Software Update.

References: Apple