In this week's Security Advisory:
- Microsoft Disables MSIX App Installer Protocol
- Terrapin Attacks Downgrade Security of SSH Protocol
- Security Updates Released by Qualcomm
Microsoft Disables MSIX App Installer Protocol
Microsoft disabled the ms-appinstaller protocol handler by default as threat actors have abused it to deliver malware. The purpose of the ms-appinstaller protocol handler is to allow users to install applications without downloading the entire MSIX package. Threat actors are abusing this service to deliver malware by tricking users into downloading signed malicious MSIX application packages via Microsoft Teams or malicious advertisements.
The App Installer service is a popular vector for attackers since it could allow them to bypass security mechanisms like Microsoft Defender SmartScreen, which is responsible for displaying warnings when a file is downloaded from an untrusted or unknown source. It is recommended to apply the latest patch provided by Microsoft to remove this vector.
More Reading/Information:
- https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/
- https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/
- https://www.scmagazine.com/news/microsoft-hardens-app-installer-security-as-malware-abuse-continues
Terrapin Attacks Downgrade Security of SSH Protocol
There is a vulnerability in the Secure Shell (SSH) protocol, called Terrapin, that could allow an attacker to downgrade a connection's security and intercept data. The vulnerability is tracked as CVE-2023-48795 and affects all SSH client and server implementations. CVE-2023-48795 is a flaw in SSH channel integrity that could allow an attacker to manipulate sequence numbers during the handshake and subsequently remove initial messages sent by the client or server. Successful exploitation could lead to an attacker downgrading the security of the connection, intercepting data, and potentially compromising the network. To exploit this vulnerability, an attacker must be in an adversary-in-the-middle (AitM) position at the network layer to intercept and modify the connection's traffic. The attack can be performed against any connection secured with ChaCha20-Poly1305 or with a CBC cipher in Encrypt-then-MAC mode.
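As an added example (not from this advisory or any of the linked sources), the Python below parses an SSH_MSG_KEXINIT payload in the RFC 4253 wire format and reports whether a peer offers the Terrapin-affected modes named above (ChaCha20-Poly1305, or a CBC cipher alongside an Encrypt-then-MAC MAC) and whether it advertises OpenSSH's strict key exchange countermeasure (kex-strict-s-v00@openssh.com for servers, kex-strict-c-v00@openssh.com for clients). The sample KEXINIT is constructed inline, so the script runs offline.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists in the order they appear in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Parse a KEXINIT payload (message id byte onward) into its name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 17, {}  # skip the 1-byte message id and the 16-byte cookie
    for name in FIELDS:
        (length,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + length].decode("ascii")
        off += length
        lists[name] = [alg for alg in raw.split(",") if alg]
    return lists

def build_kexinit(lists: dict, cookie: bytes = b"\x00" * 16) -> bytes:
    """Serialise name-lists into a KEXINIT payload; used here only to build sample input."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in FIELDS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

# 'side' is the role of the peer that sent the KEXINIT; OpenSSH marks strict-kex support
# with kex-strict-s-v00@openssh.com (server) or kex-strict-c-v00@openssh.com (client).
def terrapin_exposure(lists: dict, side: str = "server") -> dict:
    """Report which Terrapin-affected modes are offered and whether strict kex is advertised."""
    encs = set(lists["enc_c2s"]) | set(lists["enc_s2c"])
    macs = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
    chacha = "chacha20-poly1305@openssh.com" in encs
    cbc_etm = (any(e.endswith("-cbc") for e in encs)
               and any(m.endswith("-etm@openssh.com") for m in macs))
    tag = "s" if side == "server" else "c"
    strict = f"kex-strict-{tag}-v00@openssh.com" in lists["kex"]
    return {"chacha20_poly1305": chacha, "cbc_etm": cbc_etm,
            "affected_modes_offered": chacha or cbc_etm, "strict_kex": strict}

# Constructed sample: a server that still offers both affected modes and no strict-kex marker.
AFFECTED = ["chacha20-poly1305@openssh.com", "aes128-cbc", "aes256-gcm@openssh.com"]
ETM = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]
SAMPLE_SERVER_KEXINIT = build_kexinit({
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"], "host_key": ["ssh-ed25519"],
    "enc_c2s": AFFECTED, "enc_s2c": AFFECTED, "mac_c2s": ETM, "mac_s2c": ETM,
    "comp_c2s": ["none"], "comp_s2c": ["none"]})
# terrapin_exposure(parse_kexinit(SAMPLE_SERVER_KEXINIT)) -> chacha20_poly1305, cbc_etm and
# affected_modes_offered all True, strict_kex False
```

Strict kex only protects a session when both peers advertise it, so inventory clients as well as servers. On a live host the payload would be taken from the first binary packet each side sends after the version-string exchange.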
More Reading/Information:
- https://www.bleepingcomputer.com/news/security/nearly-11-million-ssh-servers-vulnerable-to-new-terrapin-attacks/?utm_source=dlvr.it&utm_medium=linkedin
- https://securityaffairs.com/156784/hacking/terrapin-attack-ssh-protocol.html
- https://www.theregister.com/2023/12/20/terrapin_attack_ssh/
- https://nvd.nist.gov/vuln/detail/CVE-2023-48795
Security Updates Released by Qualcomm
Qualcomm released patches for twenty-six (26) vulnerabilities, four (4) of which were deemed critical. The most severe is tracked as CVE-2023-33025 and could lead to remote code execution via Voice-over-LTE (VoLTE) calls. CVE-2023-33025 is a buffer overflow weakness that can cause memory corruption when a non-standard Session Description Protocol (SDP) body is used during a VoLTE call. CVE-2023-33025 received a CVSS score of 9.8 out of a possible 10. It is recommended that users apply the updates from original equipment manufacturers (OEMs) as soon as possible.
More Reading/Information:
- https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2024-bulletin.html
- https://www.scmagazine.com/news/qualcomm-chip-vulnerability-enables-remote-attack-by-voice-call
- https://nvd.nist.gov/vuln/detail/CVE-2023-33025
Recommendations
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only, which dramatically increases the likelihood that a patch is issued for new vulnerabilities. Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps inform and support your patch and vulnerability management program.