Why am I here?
Seems as if some of us should have stayed at our tropical vacation getaway. Nothing like coming back to the cyber world screeching about intelligence leaks, critical vulnerabilities, and breaches. It’s as if we should be asking “who has not been breached these days?” 3CX made the news early in April via a supply chain attack, Uber’s driver data was stolen via the breach on Genova Burns LLC and now MSI has been compromised. Fear not! It’s not all doom and gloom, as the Trellix Advanced Research Center helped take down one of the largest online markets for illegal activities and content.
Organizations looking to avoid having their names wind up in similar headlines have come to the right place, as the Bug Report promises to the answer the questions, “What is it?” “Who cares?” and “What can I do?” for the top vulnerabilities each month. As promised, let’s say hello to this month’s list of faulty bugs!
- CVE-2023-28205: macOS, iOS, iPadOS, and Safari
- CVE-2023-29389: 2021 Toyota RAV4
- CVE-2023-28252: Windows Common Log File System (CLFS)
- CVE-2023-2033: Google Chrome and Chromium
CVE-2023-28205: One bite of the Apple
What is it?
Looks like Google’s Clément Lecigne is on a roll with Apple-related CVEs, this being his third major find in just two years. This vulnerability is a use-after-free in Webkit, a browser engine used in Safari, iOS, iPadOS, and macOS to render online content. The vuln can be triggered via a malicious HTML page embedded with a JavaScript payload, leading to arbitrary code execution with elevated privileges.
Who cares?
A wide range of devices running iOS, iPadOS, Safari, and macOS are vulnerable, placing the majority of Apple’s customers firmly in the “I care” column. You may be surprised to learn that the iPod Touch was among the vulnerable products that have been patched. Frankly, I had to research if iPods are still even a thing–I must be getting old.
It should also be noted that the researchers who reported this bug to Apple apparently discovered it being used in the wild, although neither they nor Apple have released any details regarding the nature of this exploitation as of yet.
What can I do?
Thankfully, Apple has already patched this vulnerability with the release of versions 15.7.5 and 16.4.1 for iOS, iPadOS, and Safari and the release of macOS Ventura 13.3.1. If you’ve somehow survived this long without knowing how to update your Apple devices, Apple provides support pages on how to accomplish this for both mobile and desktop.
CVE-2023-29389: 2021 Toyota RAV4, now with keyless entry
What is it?
At the risk of sounding entitled, would it be possible for Toyota to ensure their vehicles don’t automatically trust messages from other ECUs via the CAN bus? Unfortunately, I don’t think the folks at Toyota can hear my request, since it’s still possible to use this type of attack on any 2021 Toyota RAV4 (and potentially other vehicles–see below). Simply access the headlight connector behind the bumper and send a “Key is validated” message via CAN injection, and now you can control the vehicle.
Ken Tindell, CTO of Canis Automotive Labs, and his friend Ian Tabor discovered this vulnerability after Ian’s RAV4 was stolen off the street back in July of last year after a couple of failed attempts in April, meaning criminals have been using this vulnerability for at least a year. In his blog, Ken notes that although the CVE description explicitly names the 2021 Toyota RAV4 as the vulnerable product, “this is not something specific to Toyota: Ian investigated the RAV4 because his stolen car was a RAV4, and other manufacturers have car models that can be stolen in a similar way.” In fact, the theft device they reverse-engineered to discover the vulnerability claims to support “Lexus models including the ES, LC, LS, NX, RX and Toyota models including the GR Supra, Prius, Highlander, Land Cruiser – and RAV4.”
Who cares?
In 2021, Toyota sold 407,739 RAV4’s in the U.S alone. While it may not be assumed that all of those were 2021 models given how car release cycles are implemented, it is still a significant number of vehicles that may be vulnerable to CAN injection hijacking. If Ken Tindell’s claim that this vulnerability affects various other Lexus and Toyota models is to be believed, it’s possible this number could be in the millions. A threat actor compromising a vehicle via this method could endanger the public or the driver’s life–or, more likely, use it to unlock and steal the car right off the street in minutes.
What can I do?
Currently there is no patch available from Toyota. So… secure your vehicle? Have it insured? Forgo electronic vehicles entirely? Jokes aside, without a patch from Toyota, your best bet is probably to avoid leaving your RAV4 on the street at night and park in the garage for the time being. If you need to park on the street, utilize a steering wheel lock to make your vehicle a less attractive target for carjackers.
CVE-2023-28252: Gang Gang CLFS
What is it?
Nothing like jumping into another zero-day found in the Windows driver for its Common Log File System (CLFS), which seems to be a common target for vulnerabilities as of late. For those that don’t know, CLFS is a subsystem utilized by both the kernel and user space applications to, among other things, log transactions to the disk in the form of a Base Log File.
CVE-2023-28252 can be exploited by malforming the Base Log File’s fields enough to cause an out-of-bounds write when the driver processes it. Once the vulnerability is triggered, the attacker may use the exposed kernel structures to execute malicious code with system privileges.
Who cares?
Do you run Windows in enterprise environments? Maybe even just at home? If you own one of the billions of devices worldwide that run Windows, congratulations, you are vulnerable!
To be fair, the CLFS data structures are old and have had several vulnerabilities attributed to them since 2018. The pressing matter with this CVE is that it has been exploited in the wild by cybercriminals to deploy Nokoyawa ransomware.
What can I do?
Given the fact that this vulnerability is being exploited in the wild to deliver ransomware, it is recommended to patch your systems as soon as possible. You can find the patch details here.
CVE-2023-2033: V8 fragged out
What is it?
It looks like Google’s Clément Lecigne isn’t content with finding bug after bug in Apple’s Webkit and has also set his sights on Google’s own V8 Javascript engine, used in Google Chrome and other Chromium-based browsers like Edge and Opera. CVE-2023-2033 is yet another type confusion bug in V8, this one affecting all versions of Chrome prior to 112.0.5616.121. Wow, that was a mouth full; maybe we can get a bit more streamlined with version numbers instead of APT naming conventions.
Who cares?
Google stated that it is aware this CVE has been exploited in the wild. Thus, I think most of us care at this point, whether we like it or not. I tried not to, but I somehow found myself using Google Chrome again. In fact, I now have 128 GB of RAM to safely use a window with a single tab in Chrome. Don’t act like Firefox is any better; I had so many plugins that I had to migrate it to one of those enterprise servers with a terabyte of RAM.
What can I do?
Given that this vulnerability has been observed being exploited in the wild, the best course of action is to patch ASAP. You can start by consulting Google’s Chrome Releases for more details. According to the Chromium Security page, these releases also apply to the Chromium project and, by extension, Chromium-based browsers that aren’t Chrome.
The document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers.