Security Week 50: Man-in-the-middle attacks in Confluence and Linux

Several news items this week describe man-in-the-middle attacks, as well as means to combat them. Let's start with the more curious one: a zero-day vulnerability discovered by chance by the Twitter user SwiftOnSecurity, an anonymous account that specializes mostly in security-adjacent humor.

The vulnerability affects the Atlassian Companion App, an optional component of the cloud-based Confluence collaboration service that lets users work with files on their own computer: it downloads a copy from the cloud, hands it to office software, and then sends the modified file back. Part of the application is a local web server, and it is reached through a public domain with the telling name atlassian-domain-for-localhost-connections-only.com.

The domain resolves to the loopback address 127.0.0.1; the design exists so that traffic to the local server can be encrypted over SSL with a certificate issued for a public domain. The problem is that the scheme is easy to abuse by an attacker who can alter DNS records: the same certificate is shipped to every user of the application, so nothing prevents redirecting the local traffic to the attacker's server and gaining access to private data. According to The Register, Atlassian is working on a fix.

Researchers from Breakpointing Bad and the University of New Mexico (news, technical description) found a much more cunning vulnerability in a number of Linux distributions (as well as Android). It allows an attacker to determine whether the victim is connected to a VPN and which sites they visit through it. It works in the "café access point" scenario: the user connects to public Wi-Fi that is controlled by the attacker. Beyond monitoring user activity, in some cases the vulnerability allows arbitrary data to be injected into the TCP stream, hijacking the connection.

The vulnerability can be partially closed through network settings, namely by enabling the Reverse Path Filtering option. A change to the default for this option in the systemd release of November 28, 2018 made the most serious attack scenario possible, which is why only recent releases of Ubuntu (19.10), Debian (10.2) and others appear in the list of affected distributions. However, systemd is not the main culprit: everything depends on the OS settings and the behaviour of the network stack, so the list also includes distributions without systemd. Of the tunnelling protocols, OpenVPN, WireGuard and IKEv2/IPsec are affected, while Tor most likely is not.
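As an added illustration (not code from the digest or the researchers' write-up), a small POSIX shell audit of the reverse path filtering setting discussed above; it assumes the kernel's documented `rp_filter` semantics, and the /proc root is a parameter so the check can be run against a constructed directory tree:

```shell
#!/bin/sh
# Added audit helper (not from the digest): reports whether Linux reverse path
# filtering is in strict mode, the setting named above as a partial mitigation.
# Kernel semantics for net.ipv4.conf.<if>.rp_filter:
#   0 = off, 1 = strict (drop packets whose source is not routed back via the
#   receiving interface), 2 = loose (accept if the source is routed via any
#   interface). The kernel applies max(conf/all, conf/<if>) to each interface,
#   so a loose "all" value overrides a strict per-interface value.

# Map a numeric rp_filter value to a label; exit status 0 only for strict mode.
rp_filter_status() {
  case "$1" in
    1) echo "strict"; return 0 ;;
    2) echo "loose"; return 1 ;;
    0) echo "off"; return 1 ;;
    *) echo "unknown"; return 1 ;;
  esac
}

# Effective value for one interface. $2 overrides the /proc root (used for
# testing against a constructed directory tree instead of the live kernel).
effective_rp_filter() {
  root="${2:-/proc/sys/net/ipv4/conf}"
  all=$(cat "$root/all/rp_filter" 2>/dev/null || echo 0)
  dev=$(cat "$root/$1/rp_filter" 2>/dev/null || echo 0)
  if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

# Walk every real interface and list those not in strict mode.
# Returns 0 when all are strict, 1 otherwise.
audit_rp_filter() {
  root="${1:-/proc/sys/net/ipv4/conf}"
  rc=0
  for p in "$root"/*/rp_filter; do
    [ -f "$p" ] || continue
    ifname=$(basename "$(dirname "$p")")
    case "$ifname" in all|default) continue ;; esac
    v=$(effective_rp_filter "$ifname" "$root")
    label=$(rp_filter_status "$v") || {
      echo "$ifname: rp_filter=$v ($label), not strict"
      rc=1
    }
  done
  return $rc
}

# Persistent hardening, as a sysctl.d drop-in (strict mode on all interfaces):
#   net.ipv4.conf.all.rp_filter = 1
#   net.ipv4.conf.default.rp_filter = 1
```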

What else happened:

Kaspersky Lab summed up 2019 with its traditional review of threats and events (analytical part, statistics). Among other things, the researchers attempted a rough estimate of how much electricity users of the company's security solutions saved through the blocking of malicious crypto miners (on infected web pages or as locally installed software). The estimate came to between 240 and 1670 megawatt-hours, or between 900 thousand and 6.3 million rubles.

More man-in-the-middle. Check Point Software reported (news, more) on a targeted attack against an Israeli startup and a Chinese venture investment firm. The attackers were able to intercept the correspondence between the two victims. At the crucial moment the bank transfer details were forged, and as a result a million dollars went to the attackers instead of the startup.

The December patch set for Android closed several serious vulnerabilities, including one that could cause a permanent denial of service. Two other vulnerabilities, in the Media Framework, allow arbitrary code execution.

To counter MITM attacks on Android phones, Google encourages app developers to encrypt data in transit, and the company has reported progress on this front: according to a recent report, 80% of applications on Google Play use encryption.

A ransomware (file-encrypting) Trojan hit the major hosting provider CyrusOne (45 data centers in the US and Europe). The attackers managed to take down one data center in New York, affecting six customers.
