Welcome to Security Sunday – Week 47. our weekly summary from the world of cybersecurity (20. 11. – 26. 11. 2023).

We’re collecting notable incident and vulnerability reports from the past week.

Windows Hello can be bypassed without entering a password

Microsoft’s Offensive Research and Security Engineering (MORSE) division asked Blackwing Intelligence to evaluate the security of three fingerprint scanners embedded in laptops.

The company looked at the Dell Inspiron 15 laptop, the Lenovo ThinkPad T14 and the Microsoft Surface Pro X, specifically fingerprint scanners from ELAN, Synaptics and Goodix.

The Blackwing team reverse engineered the software and hardware, finding bugs in the implementation of the custom TLS protocol.

All of the fingerprint sensors tested were Match-on-Chip (MoC) sensors, which have their own microprocessor and memory, enabling secure on-chip fingerprint matching.

Despite this, security researchers successfully bypassed Windows Hello authentication on all three laptops with man-in-the-middle attacks using their own Raspberry Pi 4 device.

On the Dell and Lenovo laptops, the authentication bypass was achieved by enumerating valid IDs and registering the attacker’s fingerprint with the ID of a legitimate Windows user.

On the Surface device, whose ELAN fingerprint scanner used clear text communication and had no authentication, the researchers spoofed the fingerprint scanner and sent a valid string to log in.

Microsoft said that three years ago, the number of users logging in to Windows 10 devices using Windows Hello instead of a password was 84.7%.


Netflix bug that allowed attacks on smart TVs detailed after four years

A bug in Netflix that targeted smart TVs and the DIAL protocol was recently reported.

The vulnerability was discovered by Turkish security researcher Yunus Çadirci (Yunus Çadirci) and was dubbed “DIALStranger”. The vulnerability affects the DIAL (Discovery and Launch) protocol, which was jointly developed by Netflix and YouTube.

The DIAL protocol makes it easy to stream video between devices connected to the same local network. The protocol allows pairing without authentication and simplifies the video sharing process.

Most TV manufacturers have not implemented the protocol correctly, allowing hackers to play any video on TVs. The Shodan scan found more than one million devices with this vulnerability.

At the Black Hat Middle East and Africa conference, Çadirci demonstrated how DIALStranger could be used to play video on an LG Smart TV. He also said he had successfully exploited the vulnerability to attack Xbox One consoles and Philips smart TVs in 2019. The vulnerability was reported to Netflix in January 2020 and patched in August that year.

Çadirci noted that even after four years, “we’re not completely safe.” Many older devices will probably never be updated.


New malware uses zero-day to infect NVRs and routers

New malware based on the Mirai botnet, called “InfectedSlurs”, exploits two zero-day remote code execution (RCE) vulnerabilities to infect routers and network video recorders (NVRs). The malware hijacks these devices and connects them to its botnet.

Akamai’s Security Intelligence Response Team first discovered the botnet in October 2023, when they noticed unusual activity on a rarely used TCP port on their honeypots.

The botnet was exploiting an undocumented RCE vulnerability to gain unauthorised access.

Upon further investigation, Akamai found that the botnet was also targeting routers popular with home users and hotels. These routers suffer from another zero-day RCE vulnerability that the malware exploits.

Like Mirai, InfectedSlurs does not include a persistence mechanism.

As this is an unpatched vulnerability, Akamai has chosen not to disclose details of the affected hardware. An unnamed router manufacturer has promised to release a security update addressing the issue in December 2023.


Critical vulnerability in ownCloud exposes administrator password

Open-source file-sharing software ownCloud has been warned of three critical vulnerabilities, including one that could expose administrator passwords and mail server credentials.

The first vulnerability is tracked as CVE-2023-49103 and has received a maximum CVSS v3 score of 10. The bug can be exploited to steal credentials and configuration information in containerised deployments.

The problem, which affects graphapi 0.2.0 through 0.3.0, is due to the application’s dependency on a third-party library. The recommended workaround is to remove the GetPhpInfo.php file and disable the ‘phpinfo’ function in Docker containers. It is also recommended to change the ownCloud administrator password, mail server access credentials, database and object store/S3 access keys.

The second issue, with a CVSS v3 score of 9.8, affects ownCloud core library versions 10.6.0 to 10.13.0 and is an authentication bypass issue. The vulnerability allows attackers to access, modify or delete any file without authentication if they know the username and the user has not configured a signature key, which is the default setting.

The third bug (CVSS v3 score: 9) is a subdomain validation bypass issue that affects all versions of the oauth2 library below 0.6.1.

Security vulnerabilities in file-sharing platforms are under constant attack, with ransomware groups exploiting them to steal data from thousands of businesses around the world.


Critical vulnerability in popular VPN application strongSwan

The strongSwan software has been found to contain a critical vulnerability that could allow remote attackers to execute arbitrary code on affected systems. The vulnerability, tracked as CVE-2023-41913, affects all versions of the strongSwan software since version 5.3.0 and is related to a flaw in the charon-tkm component.

Fortunately, not all configurations using strongSwan software are vulnerable. Those that don’t use charon-tkm as an IKE daemon are safe.

StrongSwan 5.9.12 has been released for affected users, and patches for older versions are also available.


Interested in cyber security? Check out the next episodes of our weekly magazine Security Sunday.