SSD’s Security Disclosure weekly news recap — April 1, 2021

Imriah
SSD Secure Disclosure
5 min read, Apr 1, 2021

In this edition, we cover new updates on the Google Project Zero findings, hackers trying to add a backdoor RCE through PHP’s Git, a security researcher being sued over a bug disclosure, and our CVE of the week: a bug in netmask endangering more than 200 thousand projects.

Updates on Google Project Zero

First, let’s catch up on some updates to the Project Zero findings we talked about last week.

Two weeks ago, researchers from Project Zero revealed they discovered 11 unique vulnerabilities, used in highly sophisticated cyber attacks that were launched last year. It was later discovered that some details were omitted from the report and that these attacks were not launched by unknown hackers but by a US ally.

Even though security companies regularly shut down exploits that are being used by friendly governments, such actions are rarely made public. Some Google employees argued that counter-terrorism operations should not be exposed, while others argued that the findings should be published to protect users, and a debate emerged among researchers and developers at Google.

Other criticism focused on the fact that Google omitted many details from the report, such as which government was behind the attacks. Concerns were also raised that Google might have notified government officials before publishing the report, and about Google’s ability to disrupt governments’ cybersecurity operations.

Hackers Tried to Insert a Backdoor RCE Through PHP’s Git

PHP is a popular programming language used for building websites, with over 79% of websites running on PHP. PHP’s Git server is the platform where developers upload new source code to be added to PHP and find source code updates and improvements submitted by others.

Until recently this platform was used legitimately, but attackers pushed two malicious commits into the PHP codebase while posing as PHP’s core developers. The commits were disguised as simple typo fixes but actually contained a backdoor enabling RCE.

The researcher who first spotted the anomaly, Jake Birchall, said that the code could allow remote code execution on every website running the backdoored version.

PHP’s maintainers said in a post that they are investigating the details of the attack and that, from now on, changes to PHP will be submitted on GitHub rather than on PHP’s own Git server.

Security Researcher is Being Sued for Bug Disclosure

A security researcher is being sued over a bug disclosure and is now looking for funding to fight back.

Rob Dyke is a security researcher who found a vulnerability in two repositories belonging to the UK healthcare foundation Apperta. These repositories contained sensitive data and were vulnerable to RCE attacks and SQL injection.

Dyke reported these flaws to the repositories’ creator, who acknowledged them and promised a fix, but when Dyke checked the repositories later he found they were still vulnerable.

He disclosed the issues once more, but this time he was hit with a court notice accusing him of committing offences under the Computer Misuse Act of 1990 and the Investigatory Powers Act of 2016. Apperta accused him of hacking their systems and breaching a private portal to access financial information.

To deal with these accusations, Dyke opened a GoFundMe campaign with the goal of raising 10 thousand euros, and at the time of writing this recap he had almost reached his goal.

Apperta defended itself, saying it has a responsibility to protect confidential information, including data and intellectual property, and that it had acted accordingly and on lawful grounds.

CVE-2021-28918 — Possible SSRF in netmask

Our CVE of the week is a bug in netmask affecting more than 200 thousand running projects.

Netmask is an npm library used to parse IP addresses and subnets and to determine which hosts a network contains. Netmask has a large reach, with over 3 million weekly downloads and about 238 million downloads overall.

On Saturday, five researchers (Victor Viale, Sick Codes, Nick Sahler, Kelly Kaoudis, and John Jackson) disclosed a vulnerability in the way netmask handles mixed-format IP addresses. It is triggered when a decimal IPv4 address contains a leading zero.

This vulnerability is critical because it could allow an attacker to influence how the IP address input is parsed by the application, which could lead to a variety of exploitation paths such as an SSRF filter bypass or remote file inclusion.

The combination of several possible exploitation paths and the library’s very wide install base means real-world harm is likely, and puts this CVE at high risk.

Luckily, after the vulnerability was disclosed, netmask developer Olivier Poitrey published a series of fixes for the bug on GitHub; updating to a patched version protects your project.
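To make the leading-zero problem concrete, here is an added example (not the netmask library’s code) that parses the same IPv4 string two ways: as a decimal-only parser like the vulnerable netmask does, and as an inet_aton-style parser does (the libc convention, where a leading "0" means octal and "0x" means hex). It also shows a strict canonical check a defender can apply before any allow/deny decision; the function names are our own.

```javascript
// Added example, not the netmask library's code: shows the two readings of an
// IPv4 string behind CVE-2021-28918. A decimal-only parser reads "0177" as 177,
// while inet_aton-style parsers (the libc convention) read a leading "0" as
// octal and a leading "0x" as hex, so "0177.0.0.1" is 127.0.0.1 to the socket
// layer. The strict check below refuses any form the two readings could disagree on.

// Octet as inet_aton reads it: "0x.." hex, leading "0" octal, otherwise decimal.
function inetAtonOctet(s) {
  if (/^0[xX][0-9a-fA-F]+$/.test(s)) return parseInt(s, 16);
  if (/^0[0-7]*$/.test(s)) return parseInt(s, 8); // a lone "0" is still 0
  if (/^[1-9][0-9]*$/.test(s)) return parseInt(s, 10);
  return NaN; // e.g. "08" is not valid octal
}

// Octet as a decimal-only parser reads it (the vulnerable netmask behaviour).
function decimalOctet(s) {
  return /^[0-9]+$/.test(s) ? parseInt(s, 10) : NaN;
}

// Normalise four octets into canonical dotted-decimal, or null if any is invalid.
function toIPv4(parts, octetFn) {
  if (parts.length !== 4) return null;
  const octets = parts.map(octetFn);
  if (octets.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) return null;
  return octets.join('.');
}

// Both readings of the same input string. A mismatch means an allow/deny list
// checked with the decimal reading would be evaluated against the wrong host.
function interpretations(ip) {
  const parts = ip.split('.');
  return { decimal: toIPv4(parts, decimalOctet), inetAton: toIPv4(parts, inetAtonOctet) };
}

// Canonical form only: four decimal octets 0-255, no leading zeros, no hex.
function isCanonicalIPv4(ip) {
  const parts = ip.split('.');
  return parts.length === 4 &&
    parts.every((p) => /^(0|[1-9][0-9]{0,2})$/.test(p) && Number(p) <= 255);
}

// Accept an address for a policy decision only when it is canonical and both
// readings agree; everything else is rejected before any network access.
function isUnambiguous(ip) {
  const { decimal, inetAton } = interpretations(ip);
  return isCanonicalIPv4(ip) && decimal !== null && decimal === inetAton;
}
```

Rejecting non-canonical input up front is simpler and safer than trying to second-guess which parser the downstream socket layer will use.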

Want to Be Part of the News?

At SSD, we help security researchers turn their skill in uncovering security vulnerabilities into a career. Designed by researchers, for researchers, SSD provides the fast response and support needed to get zero-day vulnerabilities and disclosures reported to vendors and to get researchers the compensation they deserve. We help researchers get to the bottom of vulnerabilities affecting major operating systems, software, and devices.

We constantly publish our findings with the aim of educating the global security research community. You can find more vulnerabilities on our Advisories page. If you have findings of your own, you can send them to us using our report template.
