Showing posts from 2021

Old dog, same tricks

Introduction Old dog, old tricks When enterprise software gets old, should we consider it tried-and-true, or decrepit and a threat, like the superglue holding the soles of my running shoes together? Old software that’s been humming around in the background hasn’t necessarily broken, but that doesn’t mean that you can necessarily trust it; in fact there should be a healthy skepticism when it comes to the security of old software, as not only do new vulnerabilities get discovered, but the capability of attackers grows as the bar rises higher in the game of cat-and-mouse. This should drive us to periodically review software that maybe we’ve been trusting, and today’s example is some software that has been around for a long time but has a landmine of a vulnerability. Beagle Software’s ClockWatch product line includes a number of solutions for setting clocks on machines and synchronizing them with high-accuracy time sources such as Global Positioning System (GPS), including an enterprise

The walls have ears

Introduction Modern business often relies heavily on the Internet and software resources such as Zoom or Skype to support daily operations. Use of such systems often requires additional hardware resources like microphones and cameras. Advances in computing has provided a pathway for these very ordinary hardware commodities to develop into resources that enrich user experience through vast offerings of specialized features or the integration of many discrete devices into a single product. With this progress comes additional risk in product use, because what were once mechanical or analog devices are now increasingly being redesigned with embedded processors. This change in direction implies that what seem like ordinary commodity devices are, in fact, reasonably capable computing machines with attack surfaces very similar to traditional PCs. GRIMM researchers recently selected one such device, the STEM Audio Table conference room speaker. This blog post

Pulse Secure April Attack

Pulse Connect Secure vulnerability CVE-2021-22893 and other old vulnerabilities are being actively exploited. While GRIMM engineers were not able to obtain a device or the firmware for a full analysis, the device in question looks like a Linux-based rack-mounted server that sits inside the firewall and mediates all kinds of access for clients accessing it via a web interface. Based on the available information, it appears weaknesses in the web application within the device have been the root of multiple problems, including the most recent vulnerability. Takeaway This was not a supply chain attack, this was a sophisticated actor becoming intimately familiar with a target and exploiting it persistently, continuing to find new vulnerabilities and tailoring their malware to blend in with the software. The signs are subtle but detectable: changes in hashes on the device, strange authentication behavior appearing in logs, small changes in network traffic such as new HTTP verbs and extr

Time for an upgrade

Introduction Cleaning your domain clock Sometimes we grow to like the old software we’ve become familiar with over the years, but because as users we only see the facade of an interface and functionality, we don’t know what risks may exist in something as simple as a clock. The bar is high for enterprise software: we have to expect that our software accomplishes all of its tasks in a manner that doesn’t put us at risk. Today we dive into a venerable piece of software that appears to carry out its underappreciated task, because despite the engineering behind its functionality, it contained a classic software flaw. Domain Time II from Greyware Automation Products, Inc. is enterprise-grade time synchronization software, including client and server software as well as testing, administration, and auditing capabilities. Everyone has probably had a moment when they realized that the clocks on two different devices were off by a few minutes (or more), but some businesses are particularly s


      GRIMM is pleased to announce the launch of their new Private Vulnerability Disclosure (PVD) program. This offering allows defenders to get ahead of the attack curve, instead of reacting to unknown threats, by providing previously unknown vulnerabilities.  Subscribers will have access to a stream of high-impact vulnerabilities from GRIMM's internal research team. Release timing will be at least two weeks before the vulnerabilities are publicly known, allowing partners to defend themselves before most attackers are aware of the vulnerability/vulnerabilities.  Each PVD release will include: Full technical details of the vulnerabilities and affected systems Proof-of-concept exploit, which provides: Verification that specific configurations are (or are not) vulnerable Assessment of defenses to determine true effectiveness Documentation illustrating how the attack works, enabling Blue teams to write robust mitigations and detections Red teams to improve skills on the art of exploit

New Old Bugs in the Linux Kernel

  Introduction Dusting off a few new (old) vulns Have you ever been casually perusing the source code of the Linux kernel and thought to yourself "Wait a minute, that can’t be right"? That’s the position we found ourselves in when we found three bugs in a forgotten corner of the mainline Linux kernel that turned out to be about 15 years old. Unlike most things that we find gathering dust, these bugs turned out to still be good, and one turned out to be useable as a Local Privilege Escalation (LPE) in multiple Linux environments. Who you calling SCSI? The particular subsystem in question is the SCSI (Small Computer System Interface) data transport, which is a standard for transferring data made for connecting computers with peripheral devices, originally via a physical cable, like hard drives. SCSI is a venerable standard originally published in 1986 and was the go-to for server setups, and iSCSI is basically SCSI over TCP. SCSI is still in use today, especially