Technical Advisory: containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257)

Vendor: containerd Project Vendor URL: https://containerd.io/ Versions affected: 1.3.x, 1.2.x, 1.4.x, others likely Systems Affected: Linux Author: Jeff Dileo CVE Identifier: CVE-2020-15257 Advisory URL: https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4 Risk: High (full root container escape for a common container configuration) Summary containerd is a container runtime underpinning Docker and common Kubernetes configurations. It handles abstractions related to containerization and … Continue reading Technical Advisory: containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257) →

Conference Talks – December 2020

This month, members of NCC Group will be presenting their work at the following conferences: Jon Szymaniak, "Guiding Engineering Teams Toward a More Secure Usage of U-Boot," to be presented at the Open Source Firmware Conference (Virtual - December 1-3 2020)Ivan Reedman, "Secure by Design, still a USP in a competitive environment," to be presented … Continue reading Conference Talks – December 2020 →

TA505: A Brief History Of Their Time

Threat Intel Analyst: Antonis Terefos (@Tera0017)Data Scientist: Anne Postma (@A_Postma) 1. Introduction TA505 is a sophisticated and innovative threat actor, with plenty of cybercrime experience, that engages in targeted attacks across multiple sectors and geographies for financial gain. Over time, TA505 evolved from a lesser partner to a mature, self-subsisting and versatile crime operation with … Continue reading TA505: A Brief History Of Their Time →

Decrypting OpenSSH sessions for fun and profit

Author: Jelle Vergeer Introduction A while ago we had a forensics case in which a Linux server was compromised and a modified OpenSSH binary was loaded into the memory of a webserver. The modified OpenSSH binary was used as a backdoor to the system for the attackers. The customer had pcaps and a hypervisor snapshot … Continue reading Decrypting OpenSSH sessions for fun and profit →

Past, Present and Future of Effective C

Dennis Ritchie and Ken Thompson invented the C Programming Language at Bell Telephone Laboratories in 1972 [Ritchie 1993]. The C Language is a highly successful system programming language that can work with a wide range of computing hardware and architectures. Nearly 50 years later, C remains as vital and popular as ever. System languages are … Continue reading Past, Present and Future of Effective C →

Technical Advisory: SQL Injection and Reflected Cross-Site Scripting (XSS) Vulnerabilities in Oracle Communications Diameter Signaling Router (CVE-2020-14787, CVE-2020-14788)

Vendor: Oracle Vendor URL: https://www.oracle.com/ Versions affected: 8.0.0.0-8.4.0.5 Systems Affected: Oracle Communications Diameter Signaling Router CVE Identifier: CVE-2020-14787 (XSS), CVE-2020-14788 (SQL Injection) Advisory URL: https://www.oracle.com/security-alerts/cpuoct2020.html Risk: Medium – 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (SQL injection) Risk: Medium - 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) (Reflected Cross-Site Scripting) Authors: Viktor Gazdag - viktor.gazdag[at]nccgroup[dot]com Ioannis Charalambous - ioannis.charalambous[at]nccgroup[dot]com Summary Based on the Oracle product … Continue reading Technical Advisory: SQL Injection and Reflected Cross-Site Scripting (XSS) Vulnerabilities in Oracle Communications Diameter Signaling Router (CVE-2020-14787, CVE-2020-14788) →

Technical Advisory: Pulse Connect Secure – Arbitrary File Read via Logon Message (CVE-2020-8255)

Vendor: Pulse Secure Vendor URL: https://www.pulsesecure.net/ Versions affected: Pulse Connect Secure (PCS) 9.1Rx or below Systems Affected: Pulse Connect Secure (PCS) Appliances CVE Identifier: CVE-2020-8255 Advisory URL: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601 Risk: 4.9 Medium CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Authors: Richard Warren - richard.warren[at]nccgroup[dot]com David Cash – david.cash[at]nccgroup[dot]com Summary Pulse Connect Secure suffers from an arbitrary file read vulnerability in the pre/post … Continue reading Technical Advisory: Pulse Connect Secure – Arbitrary File Read via Logon Message (CVE-2020-8255) →

Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Gzip Extraction (CVE-2020-8260)

Vendor: Pulse SecureVendor URL: https://www.pulsesecure.net/Versions affected: Pulse Connect Secure (PCS) 9.1Rx or belowSystems Affected: Pulse Connect Secure (PCS) AppliancesCVE Identifier: CVE-2020-8260Advisory URL: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601Risk: 7.2 High CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HAuthors:Richard Warren - richard.warren[at]nccgroup[dot]comDavid Cash – david.cash[at]nccgroup[dot]com Summary The Pulse Connect Secure appliance suffers from an uncontrolled gzip extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in … Continue reading Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Gzip Extraction (CVE-2020-8260) →

Technical Advisory – Jitsi Meet Electron – Arbitrary Client Remote Code Execution (CVE-2020-27162)

Current Vendor: Jitsi Vendor URL: https://jitsi.org Versions affected: 1.x.x Systems Affected: Jitsi Meet Electron Authors: Robert Wessen robert[dot]wessen[at]nccgroup[dot]com CVE Identifier: CVE-2020-27162 Risk: 8.3 (High) – AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Summary Jitsi is an open source online communication suite. It includes a variety of audio, video, text and screen sharing capabilities. Both server, client, and libraries for third party … Continue reading Technical Advisory – Jitsi Meet Electron – Arbitrary Client Remote Code Execution (CVE-2020-27162) →