The latest cybersecurity trends, best practices, security vulnerabilities, and more
The Bug Report – March 2023 Edition
By Trellix · April 05, 2023
This story was also written by Kasimir Schulz.
Why am I here?
Welcome back to the Bug Report, Ides of March edition! Last month was highlighted by glimpses into the past, with a historic attack technique and a vanquished bug returning to stab you in the back once more. As if that wasn’t bad enough, Google Pixel and Windows 11 users were subjected to an Acropalypse. If you’ve managed to survive all that, we suggest you sit back, relax, and enjoy some laughs as we reflect on the vulnerabilities that plagued our March news feeds—you’ve earned it.
- CVE-2023-24033: Samsung Baseband
- CVE-2023-21036: Google Pixel and Windows Snipping Tool
- CVE-2023-23397: Microsoft Outlook
- CVE-2023-24880: Windows SmartScreen
CVE-2023-24033: If you liked it, you shouldn’t have put a ring on it
What is it?
Baseband phone hacking was quiet for a while, but it seems like the signal is back and stronger than ever. Once a tool for those seeking liberation from carrier-locked SIM cards for iPhones around the world, but now, after taking a bite from the Apple, the technique left countless devices with no option but to turn off their Wi-Fi calling and Voice over LTE (VoLTE) for several days. This March, Google's Project Zero reported that they found eighteen 0-day vulnerabilities in Samsung Semiconductor's Exynos Modems. Four of these vulnerabilities allowed attackers to remotely execute code on a victim's device simply by knowing their phone number—talk about your number being up, huh?
The vulnerabilities occurred because the Session Description Protocol (SDP) module's format types are improperly checked by the Exynos Modem's baseband modem chipsets. In the case of CVE-2023-24033 and the other three critical vulnerabilities, this allowed communications coming from the internet and going to baseband to take advantage of the improper checks to perform remote code execution.
While "the edge" is a term that is often thrown around in networking, most people try to avoid living on it. For all of you who agree that living on the edge (in regard to security) has all the risk with almost none of the fun, you might care about this vulnerability. Those that own a Google Pixel 6 or 7, or a Samsung or Vivo mobile are most likely to be affected by these vulnerabilities, since those devices contain the vulnerable Samsung Semiconductor chips. However, all those iPhone users who have been laughing thus far should keep reading, as the affected chips are not limited to being inside small mobile devices. If you are driving around in a large mobile device—better known as a car—that uses the Exynos Auto T5123 chipset, you are also vulnerable.
While at this time there are no reports of these vulnerabilities being exploited in the wild, Project Zero purposefully left the details of the four critical vulnerabilities hidden due to "a very rare combination of level of access these vulnerabilities provide and the speed with which we [Project Zero] believe a reliable operational exploit could be crafted."
What can I do?
As always, the best way to protect yourself from vulnerabilities is to download the patch(es) that fixes them. As their own devices were in the spotlight this time, Google was quick to make sure that the Pixel 6 and 7 were patched quickly. By the end of March, most devices had been updated to protect against the vulnerabilities and these patches can be downloaded through the usual software update process. For those whose devices do not have an update available yet, you should turn off Wi-Fi calling and VoLTE, which will prevent your device from being targeted by the critical vulnerabilities.
CVE-2023-21036: The Acropalypse
What is it?
It's not often that a vulnerability comes in with a nickname that's good enough to use as our witty subtitle as-is. Comparing a vulnerability to the apocalypse may seem extreme, but what else can you call a vulnerability that may affect a significant number of photos on the internet? While this vulnerability has existed in the Google Pixel screenshot editing functionality for five years, it is also cropping up in other places, such as the Windows 11 snipping tool. The likely prevalence of this vulnerability throughout multiple editing tools is due to the simplicity of the cause of the issue. In an effort that rivaled the valiant reverse engineers who recently participated in our CTF, David Buchanan did a root cause analysis of the vulnerability. Buchanan discovered that the API call being used to write the file was not truncating by default, resulting in cropped files having some of the original file left behind.
In step with this month's theme of trusted components stabbing you in the back, this vulnerability is a good warning for all the developers in the audience. If you or a loved one is plagued by being an open-source developer for any image cropping tools, please direct your attention to the "What can I do?" section.
If you are lucky enough to not have to maintain any open-source code but have ever used the products mentioned above to crop an image, you probably still care. While the vulnerability can cause emotional damage by bringing back that ex you cropped out of your favorite photos, it can also be used to recover sensitive information that you've cropped out. This could range from you being slightly embarrassed (depending on your browsing history) to your credit card information being leaked.
Unlike the previous vulnerability, this one has multiple PoC scripts available on GitHub, as well as Buchanan's blog post which fully explains the vulnerability and how to exploit it. A group of researchers also created a website that anyone can use to recover cropped out data from Pixel screenshots for those of you that want to see how much trouble you are in.
What can I do?
Despite the Acropalypse being upon us, all hope is not lost. Instead of having to delete every photo on your favorite social media, you can use one of the many Acropalypse detection and sanitization tools to clean your photos. At that point, you could reupload the photos and hope that your parents were wrong all those years ago when they said that anything posted on the internet is there forever.
For all those open-source developers that were sent to this section by concerned loved ones, rejoice, you are about to feel a weight lift off your shoulders. To solve this problem in your own codebase, you just need to get rid of all that extra baggage. While getting rid of emotional baggage might be hard, getting rid of extra bytes is as simple as truncating your files when you overwrite them.
CVE-2023-23397: A grim Outlook
What is it?
Don't you just hate receiving meeting invites? Well, after hearing about CVE-2023-23397, you'll have an all-new reason to wince when you get one. Although we've already done a deep dive into this vulnerability, we'll give a quick summary here to save you some time—unlike all those pesky meetings. Prior to March's Patch Tuesday, it seems Microsoft inadvertently let hackers add their own boss music when hacking by simply setting an Outlook invite's custom reminder sound to a UNC path pointing to an attacker-controlled server. When the victim's Outlook client attempted to retrieve the reminder sound, it would perform NTLM authentication with the malicious server, thereby leaking the victim's NTLMv2 hash. These hashes could then be used in an NTLM relay attack to gain access to other hosts or services, potentially leading to a full domain compromise.
Although this Outlook vulnerability is typically exploited by sending a malicious calendar invite to a victim, it can potentially be exploited using any Outlook entity that uses the .msg format and supports reminders.
Chances are, if you are reading this, you do. If you or anyone at your org uses Outlook, you should be on the look-Out for CVE-2023-23397. Not only is there a PoC out for this vulnerability, but it has also been allegedly getting exploited in the wild for almost a year. While we love to joke here on the Bug Report, the impact of this vulnerability is sadly no joke. Due to CVE-2023-23397 requiring no user interaction, it's much more dangerous than most Office vulnerabilities, and even the best anti-phishing training won't protect your systems from this one.
What can I do?
Don't despair though, while the Outlook may be grim, there is light on the horizon. In a stroke of luck resulting in me getting to write a really short section, and you getting to have a secure system, Microsoft has already patched the vulnerability. They have also released a detailed guide on how to patch your systems, as well as automatically detect if any users have been targeted.
Trellix customers also have reason to rejoice, as they are covered for this vulnerability across numerous products, including Trellix Endpoint Detection and Response (EDR), Endpoint Security (ENS), Intrusion Prevention System (IPS), and Helix.
CVE-2023-24880: Outsmarting the SmartScreen patch for… error?!?
What is it?
I know you might think that we traveled back in time to 2022 with this vulnerability, and while that would have been better than a return to 2020, that is luckily not the case this time. CVE-2023-24880 is a workaround for Microsoft's patch for CVE-2022-44698, which allowed malicious files to be downloaded without a security warning being displayed. Normally, when you download a file, Windows adds a zone identifier known as Mark of the Web (MOTW) to the file. When the file is run, Windows SmartScreen then checks this zone identifier to determine if the file was downloaded from the internet. If so, SmartScreen then attempts to do a reputation check.
The original exploit worked by creating an invalid Authenticode signature that caused SmartScreen to return an error that bypassed the security warning dialog displayed to users. The patch that was put in place checked to see if a valid signature was being passed, returning a dialog if an invalid one was found. In what should have been an alarming display of tenacity, malicious actors were able to forge signature files that passed the check but raised an entirely different error, resulting in the warning dialog still not being displayed.
Maybe you are an avid meme collector like our Bug Report authors, maybe you are just a regular internet user who likes downloading files. If you are someone who downloads files and trusts in the software meant to defend you working as expected, then you should be careful and check out the next section about what you can do to wall up your SmartScreen.
Like the original vulnerability, this bypass is also being actively exploited in the wild, primarily in Magniber ransomware campaigns. Google TAG released a blog stating that they have observed over 100,000 downloads of the malicious MSI files used to spread the Magniber ransomware since January 2023.
What can I do?
If you are smart, then you should update to the latest patch that screens your computer against this vulnerability that outsmarted the old patch. Even after updating, it would still be smart to always double check files that you download from the internet if they are from untrusted sources.
We also encourage you to consult our KB article on Magniber ransomware disguised as Windows MSI files, which provides IOCs and suggested countermeasures. For Trellix customers, we provide coverage for the Magniber ransomware delivery mechanism utilized in the aforementioned campaign across multiple products, including Trellix Network Security, Detection as a Service, and Email Security.
Dec 7, 2023
Trellix Named 2023 Global Endpoint Security Company of the Year by Frost & Sullivan
Dec 4, 2023
Trellix Extends Virtual Intrusion Prevention System with AWS Gateway Load Balancer
Nov 28, 2023
Board Support Remains Critical as Majority of CISOs Experience Repeat Cyber Attacks
Nov 27, 2023
Trellix Announces Cybersecurity Generative AI Innovations Powered by Amazon Bedrock
Nov 22, 2023
Trellix Hosts Zero Trust Strategy Virtual Forum
The latest from our newsroom
By Harold Rivas · November 28, 2023
Uncover insights from global CISOs on post-cyberattacks strategies in Mind of the CISO: Behind the Breach. Learn proactive defense tactics and the role of XDR.
Is your organization’s data protected from an Alien Symbiont attack? In this episode we’ll dive into how the National Superhero Keeper Agency developed a unique use case to defend against an Insider Threat.
New ransomware attacks occur daily, including Rhysida ransomware. This blog aims to improve defenders' security with insights and detection rules.
Get the latest
We’re no strangers to cybersecurity. But we are a new company.
Stay up to date as we evolve.
Zero spam. Unsubscribe at any time.