![this-week-in-security:-blast-radius,-gitlab,-and-plormbing-[hackaday]](https://i0.wp.com/upmytech.com/wp-content/uploads/2024/07/194766-this-week-in-security-blast-radius-gitlab-and-plormbing-hackaday.jpg?resize=800%2C445&ssl=1)
This Week in Security: Blast-RADIUS, Gitlab, and Plormbing [Hackaday]
The RADIUS authentication scheme, short for “Remote Authentication Dial-In User Service”, has been widely deployed for user authentication in all sorts of scenarios. It’s a bit odd, in that individual users authenticate to a “RADIUS Client”, sometimes called a Network Access Server (NAS). In response to an authentication request, a NAS packages up the authentication details, and sends it to a central RADIUS server for verification. The server then sends back a judgement on the authentication request, and if successful the user is authenticated to the NAS/client.
The scheme was updated to its current form in 1994, back when MD5 was considered a cryptographically good hash. It’s been demonstrated that MD5 has problems, most notably a chosen-prefix collision attack demonstrated in 2007. The basis of this collision attack is that given two arbitrary messages, it is possible to find a pair of values that, when appended to the end of those messages, result in matching md5 hashes for each combined message. It turns out this is directly applicable to RADIUS.
The attack is a man-in-the-middle, but not against an authenticating user. This attack is a man-in-the-middle between the NAS and the RADIUS server, and a real user isn’t even required. This elevated position does make an attack harder to achieve in some cases, but situations like RADIUS providing authentication for administrative access to a device is squarely in scope. Wrapping the RADIUS backend communications in a TLS layer does protect against the attack.
Gitlab
It’s once again time to go update your Gitlab instances, and this one sounds familiar. It’s another issue where an attacker could run pipeline jobs as an arbitrary user. This comes as one more of a series of problems in Gitlab, with at least one of them being exploited in the wild. It’s not surprising to see a high-visibility vulnerability leading to the discovery of several more similar problems. With this latest issue being so similar to the previous pipeline problem, it’s possible that it’s actually an incomplete patch or additional workaround discovered to exploit the same issue.
Exim
There’s a bug in the Exim email server, that impacts the processing of attachment blocking rules. Specifically, the filename in the email header is broken into multiple parts, with some confusing extra bytes in between. It’s technically compliant with the right RFC, but Exim’s mime handling code gets confused, and misses the right message name.
Exim server can be configured to block certain file types, and this vulnerability allows those blocked attachments through. The original CVSS of 9.1 is a tad insane. The latest update drops that to a 5.4, which seems much more appropriate.
Plormbing Your ORM
Prisma is a “Next Generation ORM (Object Relational Mapper), that takes database schema, and maps it to code objects. In other words, it helps write code that interacts with a database. There’s some potential problems there, like using filters on protected data, to leak information one byte at a time, in a very Hollywood manner.
This brings us to a second approach, a time-based data leak. Here a SQL query will execute slowly or quickly depending on the data in the database. The plormber tool is designed to easily build attempts at time-based leaks. Hence the pun. If you have a leak in your ORM, call a plORMber. sigh
Internet Explorer Rises Again
When Microsoft finally obsoleted Internet Explorer in 2022, I had some hope that it wouldn’t be the cause of any more security issues. And yet here we are, in 2024, talking about an exploitation campaign that used a 0-day in Windows to launch Internet Explorer.
A very odd file extension, .pdf.url, manages to appear as a pdf file with the appropriate icon, and yet opens IE when executed. This finally got classified by Microsoft as a vulnerability and fixed.
Bits and Bytes
There’s another SSH issue, related to regreSSHion. This time a vendor patch makes a call to cleanup_exit() from a signal handler function, calling more async-unsafe code. If that doesn’t make any sense, circle back around to last week’s installment of the column for the details. This time it’s Fedora, Red Hat, and other distros that used the patch.
One of the security barriers that most of us rely on is that traffic originating from the WAN side of the router should stay there. When that paradigm breaks down, we have problems. And that’s exactly what the folks at Claroty are working to defeat. The trick this time is a vulnerability in a router’s Dynamic DNS service. Manage to spoof a DNS lookup or MitM that connection, and suddenly it’s RCE on the router.
And finally, we’ve covered a pair of outstanding stories this week here at Hackaday. You should go read about how Ticketmaster’s app was reverse engineered, followed by a brilliant and completely impractical scheme to get your Internet connection for free while flying.