This Week in Security: VMWare, Microsoft Teams, Python Fuzzing, and More

There’s a VMWare problem that’s being exploited in the wild, according to the NSA (PDF). The vulnerability is a command injection on an administrative console. The web host backing this console is apparently running as root, as the vulnerability allows executing “commands with unrestricted privileges on the underlying operating system.”

The wrinkle that makes this interesting is that VMWare learned about this vuln from the NSA, which seems to indicate that it was a zero-day being used by a foreign state. The compromise chain they list is also oddly specific, making me suspect that it is a sanitized account of observed attacks.

Microsoft Teams, And the Non-CVE

[Oskars Vegeris] found a pair of interesting problems in the Microsoft Teams client, which together allows an interactionless, wormable RCE. The first vuln is an XSS problem, where a message containing a “mention” can be modified in transit to include arbitrary Javascript. To get that JS past the XSS protection filter, a unicode NULL byte is included in the payload. The second vuln is using the built-in file download code in the Teams app to download and auto-run a binary. Put together, anyone who simply loads the message in their Teams app runs the code.

Vegeris points out that since so many users have a presence in multiple rooms, it would be trivial to use this exploit to build a worm that could infect the majority of Teams users worldwide. The bug was reported privately to Microsoft and fixed back in October. A wormable RCE in a widely used tool seems like a big deal, and should net a high CVE score, right? Microsoft gave two ratings for this attack chain, for the two versions of Teams that it can affect. For the Office365 client, it’s “Important, Spoofing”, which is about as unimportant as a bug can be. The desktop app, at least, was rated “critical” for an RCE. The reason for that seems to be that the sandbox escape only works on the standalone desktop app.

But no CVE was issued for the exploit chain. In the security community, collecting CVEs is an important proof of work for your resume. Microsoft replied that they don’t issue CVEs for products that get updated automatically without user interaction. Kerfuffle ensued.

Fuzzing with Atheris

Google released Atheris, a new open-source fuzzing tool, specifically written for Python programs. Fuzzing is the process of running a program or library with generated input, usually input that would be considered malformed, and tracking what happens. Many vulnerabilities have been found and fixed this way in recent years. Atheris is a coverage-guided fuzzer, meaning it keeps track of which lines of code are executed in each iteration, and tries to maximize the lines covered.

The announcement post points out a fascinating use case for Atheris — testing two implementations of a library for bug-for-bug compatibility. An example might be a JSON parser written in Python, compared to a browser’s version. You would set up a test run that started with valid JSON, and then transforms that input slightly for each iteration. Run the same input through both implementations, and then compare the outputs.

Not to be outdone, Intel also just announced a bug-finding tool, ControlFlag. This tool operates on a very different principle, using machine learning to find anomalies in written source code. I wish I could tell you the source is available to go play with, but it appears that this tool has been announced only, and not released for public use.

SSL Root Cert Abuse

Kazakhstan seems to be engaging in some strange security practices, likely intended to enable snooping on internet traffic. ISPs in the capital city are blocking access to Google, Twitter, and the like, until a government issued root certificate is installed and trusted in the connecting browser. The government is calling this a “training exercise”, but as the certificate is valid for 20 years, it seems like a blatant attempt to enable HTTPS MitM attacks against the public. Stories like this are a reminder of how important things like OCSP stapling and DNS Certification Authority Authorization are. Both of those protocol extensions are intended to protect users from fraudulent certificates that are issued by a trusted root certificate.

Trickbot Evolves and Gains a New Skill

The Trickbot malware platform is an all-in-one tool for stealing credentials, controlling bots, and installing ransomware. It seems a new trick is being added to the already-overflowing bag — firmware modification. The core library from RWEverything has been found in recent samples of Trickbot, and the malware has been observed doing recon against machine firmware. So far, no one has observed a malicious firmware write by Trickbot, but the capability is now there, and that’s worrying enough.