If you haven't shored up that Citrix hole, you were probably hacked over the weekend: Exploit code now available
Plus: TikTok clocked, Honey in a sticky situation, Arm's PAN mechanisms sidestepped
Roundup Welcome to another Register security roundup. Here are a few stories that caught our eye.
Citrix vulnerability hit by working exploit
Late last month Citrix disclosed a critical security hole (CVE-2019-19781) in its Application Delivery Controller and Unified Gateway offerings (VPN products formerly known as NetScaler ADC and NetScaler Gateway). Up to 80,000 systems were thought to be at risk, with some 25,000 instances found online over the weekend.
Those admins who haven't put mitigations in place by now will want to make sure they address their situation immediately, as infosec researchers have now publicly shared working exploit code for the remote takeover bug. The proof-of-concept code can be used to trivially achieve arbitrary code execution with no account credentials – hijack systems, in other words – via a directory traversal.
Honeypots are being actively attacked, so if you haven't put the mitigations in place and you have vulnerable systems facing the internet, you were probably hacked over the weekend by miscreants mass-scanning the 'net for machines to compromise. A thread tracking technical aspects of the vulnerability is here.
A full patch for the hole is not due to be released by Citrix until January 20.
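As an added example (not code from the article, Citrix, or the exploit authors), here is a small Python log triage that flags directory-traversal requests in a web access log, the kind of check an admin would run to answer "was I hit over the weekend?". It decodes percent-encoding repeatedly so double-encoded attempts are not missed, and separates requests the server answered with a 2xx status, which deserve the first look. The log lines, addresses and paths are constructed, and common log format is assumed.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (not from any real Citrix box or the article).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2020:03:14:02 +0000] "GET /portal/index.html HTTP/1.1" 200 1532
203.0.113.9 - - [11/Jan/2020:03:14:05 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 0
198.51.100.4 - - [11/Jan/2020:03:15:11 +0000] "POST /app/..%2f..%2fconfig HTTP/1.1" 403 0
198.51.100.4 - - [11/Jan/2020:03:15:12 +0000] "GET /app/%252e%252e/%252e%252e/secret HTTP/1.1" 200 88
203.0.113.7 - - [11/Jan/2020:03:16:00 +0000] "GET /logon/index.html HTTP/1.1" 200 9911
"""

# Common log format: client, ident, user, [timestamp], "METHOD path proto", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_path(path: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %252e%252e -> %2e%2e -> .. is caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path: str) -> bool:
    """True if the fully decoded path contains a parent-directory step."""
    decoded = decode_path(path).replace("\\", "/")  # treat backslashes as separators too
    return "/../" in decoded or decoded.endswith("/..")


def find_traversal_attempts(log_text: str) -> List[Dict]:
    """Return one record per request whose path traverses upward."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m["path"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"],
                         "status": int(m["status"])})
    return hits


def likely_successful(hits: List[Dict]) -> List[Dict]:
    """Traversal requests the server answered 2xx: investigate these first."""
    return [h for h in hits if 200 <= h["status"] < 300]


if __name__ == "__main__":
    for h in likely_successful(find_traversal_attempts(SAMPLE_LOG)):
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["path"]}')
```

A 4xx on a traversal request means the scanner knocked; a 2xx means the box answered, and that host's timeline should be reconstructed from there.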
Teen micro-vid app TikTok is no stranger to controversy, particularly when it comes to data security and privacy. Software vulnerabilities, however, have traditionally been less of a concern.
A report from Check Point looks to change that. Its hackers dug into the TikTok app and found a handful of security bugs, including the ability to remotely access and manipulate accounts (including adding and removing followers), delete and upload videos without authorization, switch private videos to public viewing, and reveal hidden personal information from user accounts.
TikTok was informed of all of the issues, and a simple app update will make sure users are patched against these bugs. The findings, however, raise the question of just how many other serious security holes are present in the app.
'LiquorBot' malware surfaces. Ricky, Julian, and Bubbles wanted for questioning
Because hackers are nothing if not serious and dignified, a new Mirai botnet derivative has surfaced under the moniker 'LiquorBot'.
Unlike the good times implied in its name, LiquorBot can really mess up your night if it gets hold of your IoT devices and adds them to a botnet. Still, the team at Bitdefender says the malware is interesting from a research perspective.
"Interestingly, LiquorBot is written in Go (also known as Golang), which offers some programming advantages over traditional C-style code, such as memory safety, garbage collection, structural typing, and even CSP-style concurrency," notes Bitdefender's Liviu Arsene.
"LiquorBot appears to use the same command and control server as a Mirai-related variant, and they have even featured together in dropper scripts, meaning attackers used both LiquorBot and the Mirai variant in various campaigns."
Arm security mitigations get PAN fried
While it's not of the severity of something like Spectre, this flaw in Arm chips, found by Swiss researcher Siguza, affects the Privileged Access Never (PAN) memory protections and, if targeted, could allow kernel code to view userland memory when it's not supposed to.
Project Zero posts iOS hacking deep dive
It's not much of a security risk (the flaw was patched months ago), but those interested in learning how mobile phones are hacked will want to check out this three-part series from Google's Project Zero.
The team shows how researchers go from discovering a security flaw to verifying it and developing a proof of concept to demonstrate remote code execution. The flaw itself was fixed in iOS 12.4.1, back in August.
Honey in a sticky situation with Amazon
This article in Wired reports that the Honey shopping plug-in was recently flagged by Amazon as a potential security risk. Amazon's contention is that the browser add-on collected a large amount of personal information on its users, while Honey disputes the claim. The flag comes barely a month after PayPal paid $4bn for the shopping app.
Avast updates its policies
After being pulled by some browser devs last year, Avast has updated its privacy policies to more clearly explain just what information its plug-ins collect and where they send it. Wladimir Palant, a researcher who has been following this saga throughout, offers a mixed review.
"The changes are far more extensive and far more convincing than I would have expected," he said. "While Chrome and Opera versions appear identical however, there are some additional changes in the Firefox version. That's presumably to comply with stricter privacy requirements of the Mozilla Add-ons site."
Florida clinic hit with ransomware
Hackers have managed to infiltrate the network of a Florida medical clinic.
The Center for Facial Restoration says that hackers have not only held its servers ransom, but have also obtained contact information for individual patients and sent them demands for payment with the threat of having their medical records released.
The clinic says it is working with the FBI to resolve the issue. ®