Cybersafe Solutions Security Advisory Bulletin Jan. 5, 2024

Written by Cybersafe Solutions | Jan 5, 2024 2:59:33 PM

In this week's Security Advisory:

  • Microsoft Disables MSIX App Installer Protocol
  • Terrapin Attacks Downgrade Security of SSH Protocol
  • Security Updates Released by Qualcomm

Microsoft Disables MSIX App Installer Protocol

Microsoft has disabled the ms-appinstaller protocol handler by default after threat actors abused it to deliver malware. The handler exists so that a user can install an application directly from a web link without first downloading the entire MSIX package to disk. Threat actors have been abusing it by tricking users into installing signed malicious MSIX application packages, delivered through Microsoft Teams messages or malicious advertisements.

The handler is attractive to attackers because an installation launched through it bypasses safeguards such as Microsoft Defender SmartScreen, which warns users before they run a file downloaded from an untrusted or unknown source. It is recommended to update App Installer to the latest version provided by Microsoft (1.21.3421.0 or later), in which the protocol handler is disabled by default; organizations that cannot update immediately can disable the handler themselves through the EnableMSAppInstallerProtocol Group Policy.

Terrapin Attacks Downgrade Security of SSH Protocol

Terrapin is a vulnerability in the Secure Shell (SSH) protocol itself that could allow an attacker to downgrade the security of a connection. It is tracked as CVE-2023-48795 and, because the flaw is in the protocol's design rather than in one code base, every SSH client and server implementation that negotiates one of the affected cipher modes is exposed. The flaw is in the integrity protection of the SSH transport layer: the handshake runs before encryption starts, and an attacker who injects packets at that stage can manipulate the sequence numbers both peers keep and then delete messages sent by the client or server at the start of the secure channel (a prefix truncation attack). Successful exploitation lets the attacker downgrade the security of the connection, for example by stripping the SSH_MSG_EXT_INFO message so that protections negotiated through it are silently lost. It does not by itself decrypt traffic, but the weakened session may expose data, or the hosts behind it, to further attack.

To exploit the vulnerability, the attacker must hold an adversary-in-the-middle (AitM) position on the network path so that they can intercept and modify the connection's traffic. The attack works against any connection that uses ChaCha20-Poly1305 or a CBC cipher with Encrypt-then-MAC; connections using AES-GCM are not affected. The protocol-level fix ("strict key exchange", introduced in OpenSSH 9.6) only takes effect when both the client and the server support it, so patching one side of a connection is not enough.
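
The check a practitioner wants here is whether a given client/server pair would actually negotiate one of the two affected modes, and whether both sides advertise the strict key exchange countermeasure. The following is an added example written for this bulletin, not code from Cybersafe, OpenSSH or the Terrapin researchers. It parses the two SSH_MSG_KEXINIT payloads (RFC 4253 section 7.1), negotiates algorithms the way RFC 4253 prescribes (first entry in the client's list that the server also lists), flags the ChaCha20-Poly1305 and CBC-with-Encrypt-then-MAC modes, and reports the result per direction. The algorithm names are the real SSH identifiers; the KEXINIT payloads are constructed samples, not captured traffic.

```python
"""Terrapin (CVE-2023-48795) exposure check on an SSH KEXINIT exchange.

Added example, not code from Cybersafe, OpenSSH or the Terrapin authors.
The strict kex names (kex-strict-c-v00@openssh.com on the client side,
kex-strict-s-v00@openssh.com on the server side) are the identifiers
OpenSSH 9.6 introduced; the attack is only closed when both peers send them.
All KEXINIT payloads below are constructed samples, not captured traffic.
"""
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
KEXINIT_FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def build_kexinit(kex, enc, mac, hostkey=("ssh-ed25519",), comp=("none",)):
    """Serialise a KEXINIT payload (used here only to construct sample inputs).
    The same enc/mac lists are advertised for both directions, as most peers do."""
    def name_list(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)            # 16-byte cookie, zeros in the sample
    for lst in (kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()):
        payload += name_list(lst)
    payload += b"\x00" + struct.pack(">I", 0)                 # first_kex_packet_follows, reserved
    return payload


def parse_kexinit(payload):
    """Decode a KEXINIT payload into a dict of name-lists (RFC 4253 section 7.1)."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, out = 1 + 16, {}                                   # skip message id and cookie
    for field in KEXINIT_FIELDS:
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        raw = payload[offset:offset + length].decode("ascii")
        offset += length
        out[field] = raw.split(",") if raw else []
    out["first_kex_packet_follows"] = bool(payload[offset])
    return out


def negotiate(client_list, server_list):
    """First algorithm in the client's preference list that the server also lists."""
    return next((alg for alg in client_list if alg in server_list), None)


def terrapin_affected(cipher, mac):
    """The two modes Terrapin can attack: ChaCha20-Poly1305, or any CBC cipher with EtM."""
    if cipher == "chacha20-poly1305@openssh.com":
        return True                                            # AEAD: the MAC list is irrelevant
    return (bool(cipher) and cipher.endswith("-cbc")
            and bool(mac) and mac.endswith("-etm@openssh.com"))


def assess(client_kexinit, server_kexinit):
    """Negotiate like the peers would and report Terrapin exposure per direction."""
    c, s = parse_kexinit(client_kexinit), parse_kexinit(server_kexinit)
    report = {"strict_kex": STRICT_KEX_CLIENT in c["kex"] and STRICT_KEX_SERVER in s["kex"]}
    for direction in ("c2s", "s2c"):
        cipher = negotiate(c["enc_" + direction], s["enc_" + direction])
        mac = negotiate(c["mac_" + direction], s["mac_" + direction])
        report["cipher_" + direction] = cipher
        report["mac_" + direction] = mac
        report["affected_" + direction] = terrapin_affected(cipher, mac)
    # Strict kex on both ends defeats the prefix truncation even in an affected mode.
    report["vulnerable"] = ((report["affected_c2s"] or report["affected_s2c"])
                            and not report["strict_kex"])
    return report


# Constructed samples: a client patched for strict kex talking to four different servers.
CLIENT = build_kexinit(
    kex=("curve25519-sha256", STRICT_KEX_CLIENT),
    enc=("chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr", "aes256-cbc"),
    mac=("hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"))
SERVER_UNPATCHED = build_kexinit(                              # pre-9.6 defaults
    kex=("curve25519-sha256",),
    enc=("chacha20-poly1305@openssh.com", "aes256-ctr"),
    mac=("hmac-sha2-256-etm@openssh.com",))
SERVER_STRICT_KEX = build_kexinit(                             # same ciphers, but patched
    kex=("curve25519-sha256", STRICT_KEX_SERVER),
    enc=("chacha20-poly1305@openssh.com", "aes256-ctr"),
    mac=("hmac-sha2-256-etm@openssh.com",))
SERVER_CBC_ETM = build_kexinit(                                # legacy box: CBC plus EtM only
    kex=("curve25519-sha256",),
    enc=("aes256-cbc",),
    mac=("hmac-sha2-256-etm@openssh.com",))
SERVER_HARDENED = build_kexinit(                               # unpatched, affected modes removed
    kex=("curve25519-sha256",),
    enc=("aes256-gcm@openssh.com", "aes256-ctr"),
    mac=("hmac-sha2-256-etm@openssh.com",))

if __name__ == "__main__":
    for name, server in (("unpatched", SERVER_UNPATCHED), ("strict-kex", SERVER_STRICT_KEX),
                         ("cbc-etm", SERVER_CBC_ETM), ("hardened", SERVER_HARDENED)):
        r = assess(CLIENT, server)
        print(f"{name:11s} cipher={r['cipher_c2s']:32s} mac={r['mac_c2s']:32s} "
              f"strict_kex={r['strict_kex']} vulnerable={r['vulnerable']}")
```

Two of the four servers end up vulnerable: the unpatched one (ChaCha20-Poly1305 negotiated, no strict kex) and the legacy one (aes256-cbc with an -etm@openssh.com MAC). The patched server is safe only because the client also advertised kex-strict-c-v00@openssh.com; the same server talking to an old client would fall back to the plain handshake. The "hardened" server shows the interim mitigation for hosts that cannot be upgraded yet: remove chacha20-poly1305@openssh.com and every *-cbc cipher from the server's Ciphers list so that AES-GCM or CTR is negotiated instead. To use this on real traffic, feed it the two KEXINIT payloads extracted from a packet capture of the handshake, which are sent in the clear before encryption starts. The result is an exposure check, not a proof of exploitability; the attacker still needs the AitM position described above.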

Security Updates Released by Qualcomm

Qualcomm released patches for twenty-six (26) vulnerabilities, four (4) of which are rated critical. The most severe is tracked as CVE-2023-33025 and could lead to remote code execution over a Voice-over-LTE (VoLTE) call. CVE-2023-33025 is a classic buffer overflow in the modem's handling of the Session Description Protocol (SDP): a non-standard SDP body received during a VoLTE call can corrupt memory, so an attacker only needs to reach the device over the cellular network, with no user interaction. It received a CVSS score of 9.8 out of a possible 10. Because Qualcomm ships its fixes to device makers rather than to end users, users should apply the updates from their original equipment manufacturers (OEMs) as soon as they are available.

Recommendations

Please review your environment to ensure the issues above are patched in a timely manner. It is security best practice to regularly update and patch software to the latest versions. The vulnerabilities above also show the benefit of limiting deployed software to vendor-supported versions only, which dramatically increases the likelihood that a patch is issued when a new vulnerability is found. Likewise, Cybersafe strongly encourages maintaining an inventory of the software currently deployed in your environment, since that inventory is what informs a patch and vulnerability management program and lets you confirm that fixes have actually landed.