Synology and Python vulnerabilities being exploited, DNS and HTML functions under attack and Microsoft offering bounties...
Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.
Vulnerabilities and Patches
Synology router vulnerabilities let attackers inject arbitrary web script
Synology, a leading provider of network-attached storage and networking solutions, has recently patched multiple vulnerabilities in its Router Manager (SRM) software. These security flaws, classified as moderate in severity, could allow attackers to inject arbitrary web scripts or HTML into affected devices.
The vulnerabilities, identified as CVE-2024-53279 through CVE-2024-53285, affect Synology Router Manager (SRM) versions prior to 1.3.1-9346-10. These flaws stem from improper neutralization of input during web page generation, commonly known as Cross-site Scripting (XSS) vulnerabilities.
The vulnerabilities primarily affect remote authenticated users, with most requiring administrator privileges to exploit. Successful exploitation could allow attackers to inject malicious web scripts or HTML code, potentially leading to:
- Theft of sensitive information
- Manipulation of user sessions
- Defacement of the router’s web interface
- Potential execution of arbitrary commands on the affected device
Synology has addressed these vulnerabilities in the latest release of SRM. Users are strongly advised to upgrade their Synology Router Manager to version 1.3.1-9346-10 or above to mitigate the risk.
This is not the first time Synology routers have faced security challenges. In late 2022, the company patched several critical vulnerabilities, including flaws that were likely exploited at the Pwn2Own hacking contest. These past incidents highlight the ongoing importance of router security and the need for regular updates.
While these vulnerabilities require authentication and, in most cases, administrator privileges, they still pose a significant risk if exploited by malicious actors who gain access to the router’s management interface.
Synology’s swift response in patching these vulnerabilities demonstrates the company’s commitment to user security.
Critical vulnerability in Python affecting macOS and Linux devices leads to memory exhaustion
A high-severity vulnerability (CVE-2024-12254) impacting CPython has been publicly disclosed, affecting Python versions 3.12.0 and later. The flaw, identified in the asyncio module, lies specifically in the _SelectorSocketTransport.writelines() method and can lead to memory exhaustion under certain conditions.
The vulnerability arises from improper handling of memory buffering in the writelines() method used within the asyncio module.
Normally, when the write buffer reaches a “high-water mark,” the system pauses writing and signals the protocol to drain the buffer to avoid excessive memory usage.
However, in Python 3.12.0 and later, this mechanism fails to engage, allowing the write buffer to grow unchecked in specific scenarios.
The failure is specific to asyncio._SelectorSocketTransport.writelines(), which neither pauses writing nor asks the protocol to drain once the high-water mark is reached.
The result can be unbounded memory growth and eventual memory exhaustion, which is why the issue is rated high severity.
This vulnerability affects Python 3.12.0+ on macOS/Linux, where asyncio protocols using .writelines() may not drain the write buffer, risking memory exhaustion due to the new zero-copy-on-write behaviour introduced in Python 3.12.0.
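The flow-control mechanism described above can be checked on the interpreter you actually run. The probe below is an added example written for this digest, not code from the Python project or the original article: it opens a socketpair whose peer never reads, pushes 8 MiB through the transport so most of it has to sit in the user-space write buffer, and reports whether the protocol's pause_writing() was called. It assumes the selector event loop used by asyncio on macOS and Linux; the default 64 KiB high-water mark is set explicitly so the result does not depend on loop defaults.

```python
import asyncio
import socket


class FlowControlProbe(asyncio.Protocol):
    """Records whether the transport asked the protocol to pause writing."""

    def __init__(self) -> None:
        self.paused = False

    def pause_writing(self) -> None:
        self.paused = True


HIGH_WATER = 64 * 1024  # asyncio's default high-water mark, set explicitly


async def _probe(method: str, chunks: list) -> bool:
    # A socketpair whose peer never reads: the kernel send buffer fills almost
    # at once, so most of the data must be queued in the transport's buffer.
    ours, peer = socket.socketpair()
    loop = asyncio.get_running_loop()
    transport, protocol = await loop.create_connection(FlowControlProbe, sock=ours)
    transport.set_write_buffer_limits(high=HIGH_WATER, low=HIGH_WATER // 4)
    try:
        if method == "write":
            transport.write(b"".join(chunks))
        elif method == "writelines":
            transport.writelines(chunks)
        else:
            raise ValueError(f"unknown method {method!r}")
        if transport.get_write_buffer_size() <= HIGH_WATER:
            raise RuntimeError("kernel accepted everything; probe inconclusive")
        # With correct flow control, a buffer above the high-water mark means
        # pause_writing() has already been called on the protocol.
        return protocol.paused
    finally:
        transport.abort()       # discard the queued data instead of flushing it
        await asyncio.sleep(0)  # let connection_lost() run before closing
        peer.close()


def protocol_paused_after(method: str, total_mib: int = 8) -> bool:
    """True if `method` left the protocol paused once the buffer filled up."""
    return asyncio.run(_probe(method, [b"A" * (1024 * 1024)] * total_mib))


if __name__ == "__main__":
    print("write() pauses:", protocol_paused_after("write"))
    print("writelines() pauses (False means affected):", protocol_paused_after("writelines"))
```

write() pauses the protocol on every version, so it serves as the control; writelines() returning False is the behaviour the advisory describes, and upgrading to a fixed CPython release (or using write() with a joined buffer in the meantime) is the remediation.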
Cyber Attacks
Hackers exploiting HTML functions to bypass email security filters
Cybercriminals increasingly leverage sophisticated HTML techniques to circumvent email security filters, putting users and organizations at greater risk of falling victim to phishing attacks.
These attacks, often disguised as legitimate documents such as invoices or HR policies, exploit various HTML functions to deceive both users and security systems alike.
HTML attachments have become a favoured tool for attackers due to their versatility and ability to bypass traditional security measures. These attachments can contain embedded JavaScript, which executes malicious actions when opened, such as redirecting users to phishing sites or harvesting credentials directly from the user’s device.
One of the most prevalent techniques employed by attackers is JavaScript obfuscation. This method involves disguising the malicious code within the HTML attachment, making it extremely difficult for security systems to identify and block.
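A mail-gateway or SOC triage step for HTML attachments can look for exactly the traits described above: script that is encoded and evaluated at runtime, that dwarfs the visible document text, or that redirects the browser. The scorer below is an added example written for this digest (not from the article or any vendor product); both HTML samples are constructed inline, and the indicator list is a non-exhaustive starting point, not a complete detection.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed samples: a plain invoice page and a page that hides its logic in
# an encoded, eval'd string. Neither is a real attachment from the article.
BENIGN_HTML = "<html><body><h1>Invoice 1042</h1><p>Total due: 120.00</p></body></html>"
_BLOB = base64.b64encode(b"constructed sample blob, not a payload " * 4).decode()
SUSPICIOUS_HTML = (
    "<html><body><p>Loading document...</p>"
    f'<script>var p=atob("{_BLOB}");eval(p);</script></body></html>'
)

# Traits of obfuscated attachment scripts (non-exhaustive; tune for your mail flow).
INDICATORS = {
    "decode_call": re.compile(r"\b(atob|unescape|decodeURIComponent)\s*\("),
    "dynamic_eval": re.compile(r"\b(eval|Function)\s*\(|String\.fromCharCode"),
    "redirect": re.compile(r"\blocation\s*(\.\s*(href|replace|assign)|=)"),
    "long_literal": re.compile(r"[\"'][A-Za-z0-9+/=]{64,}[\"']"),
    "doc_write": re.compile(r"document\.write\s*\("),
}


class _ScriptCollector(HTMLParser):
    """Separates <script> bodies from the text a recipient would actually see."""

    def __init__(self):
        super().__init__()
        self.in_script, self.scripts, self.text_len = False, [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)
        else:
            self.text_len += len(data.strip())


def triage_html_attachment(html: str) -> dict:
    c = _ScriptCollector()
    c.feed(html)
    js = "\n".join(c.scripts)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(js))
    script_heavy = len(js) > 4 * max(c.text_len, 1)  # code dwarfs visible text
    score = len(hits) + (1 if script_heavy else 0)
    return {"indicators": hits, "script_heavy": script_heavy, "score": score,
            "verdict": "review" if score >= 2 else "pass"}
```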
Uncovering attackers’ infrastructure and tactics via passive DNS
In the ever-evolving landscape of cybersecurity, understanding how attackers establish and maintain their attack infrastructure is crucial for building robust defences.
A recent study by Juniper Threat Labs sheds light on the sophisticated methods attackers use to set up their operations, focusing on techniques such as IP churn and changing hosting providers, and on how passive DNS can be leveraged to discover malicious infrastructure proactively.
Passive DNS, a collection of DNS logs gathered from distributed network sensors, has emerged as a powerful tool for threat hunters. Unlike traditional DNS logging methods, passive DNS sensors can be strategically placed along various network paths, offering a comprehensive view of DNS traffic without compromising user privacy or incurring high storage costs.
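One way to turn the IP-churn and provider-hopping signals mentioned above into a hunting query over passive-DNS data. This is an added example written for this digest, not code or data from the Juniper study: the resolution records and the prefix-to-provider map are constructed (RFC 5737 documentation addresses and .example names), standing in for a real passive-DNS feed and an ASN lookup.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS observations (qname, rdata, first_seen, last_seen).
# Addresses are RFC 5737 documentation ranges, not real infrastructure.
RECORDS = [
    # a domain that hops address and provider every two days
    ("update-check.example", "192.0.2.10", date(2024, 12, 1), date(2024, 12, 2)),
    ("update-check.example", "198.51.100.20", date(2024, 12, 3), date(2024, 12, 4)),
    ("update-check.example", "203.0.113.30", date(2024, 12, 5), date(2024, 12, 6)),
    ("update-check.example", "192.0.2.11", date(2024, 12, 7), date(2024, 12, 8)),
    ("update-check.example", "198.51.100.21", date(2024, 12, 9), date(2024, 12, 10)),
    # a stable domain parked on one address all year
    ("www.static-corp.example", "203.0.113.5", date(2024, 1, 1), date(2024, 12, 10)),
    # CDN-style rotation: several addresses, but all inside one provider
    ("cdn.media.example", "192.0.2.50", date(2024, 12, 1), date(2024, 12, 10)),
    ("cdn.media.example", "192.0.2.51", date(2024, 12, 1), date(2024, 12, 10)),
    ("cdn.media.example", "192.0.2.52", date(2024, 12, 1), date(2024, 12, 10)),
    ("cdn.media.example", "192.0.2.53", date(2024, 12, 1), date(2024, 12, 10)),
]
# Constructed prefix -> hosting provider map standing in for an ASN lookup.
PROVIDERS = {"192.0.2.": "hoster-A", "198.51.100.": "hoster-B", "203.0.113.": "hoster-C"}


def provider_of(ip: str) -> str:
    return next((p for pre, p in PROVIDERS.items() if ip.startswith(pre)), "unknown")


def churn_profile(records) -> dict:
    """Per domain: distinct IPs, distinct providers and the observed window in days."""
    by_domain = defaultdict(list)
    for qname, rdata, first, last in records:
        by_domain[qname].append((rdata, first, last))
    profile = {}
    for qname, rows in by_domain.items():
        ips = {r[0] for r in rows}
        window = (max(r[2] for r in rows) - min(r[1] for r in rows)).days + 1
        profile[qname] = {"ips": len(ips),
                          "providers": len({provider_of(ip) for ip in ips}),
                          "window_days": window}
    return profile


def flag_churning_domains(profile, min_ips=4, min_providers=2, max_window=30):
    """Domains cycling through many addresses *and* providers in a short window;
    single-provider rotation (CDNs, load balancers) is deliberately not flagged."""
    return sorted(d for d, p in profile.items()
                  if p["ips"] >= min_ips and p["providers"] >= min_providers
                  and p["window_days"] <= max_window)
```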
In Other News...
Microsoft challenges AI hackers to break LLM email service, rewards of up to $10,000
Microsoft has launched an innovative cybersecurity challenge that puts artificial intelligence (AI) to the test. Microsoft is inviting hackers and security researchers to attempt to break its simulated LLM-integrated email client, dubbed the LLMail service, with rewards of up to $10,000 for successful attacks.
The competition, named “LLMail-Inject: Adaptive Prompt Injection Challenge,” aims to evaluate and improve defences against prompt injection attacks in AI-powered systems. Participants are tasked with evading prompt injection defences in the LLMail service, which utilizes a large language model (LLM) to process user requests and perform actions. Competitors take on the role of an attacker, attempting to manipulate the LLM into executing unauthorized commands.
Analysts at Microsoft observed that the primary goal is to craft an email that bypasses the system’s defences and triggers specific actions without the user’s consent.