
Weekly Security Roundup: AirBorne, Malicious EvilNotify, and Unauthorized RDP Revocation

Newsworthy Disclosure: Oligo Reveals AirBorne Vulnerabilities in Apple's AirPlay, Posing a Threat to macOS Devices

Apple's AirPlay functionality, encompassing both the protocol and the SDK, has been shown by Oligo to harbor the AirBorne series of vulnerabilities. These flaws are significant, primarily impacting macOS desktops and laptops, and pose a serious threat.


Apple's AirPlay protocol and its associated SDK have been plagued by a troubling set of vulnerabilities, collectively dubbed "AirBorne." This series of 16 CVEs impacts a broad range of devices, particularly macOS desktops and laptops, iOS and iPadOS mobile devices, and IoT devices built on the AirPlay SDK.

The ramifications of these vulnerabilities range from authentication bypass to local file reading, culminating in Remote Code Execution (RCE). AirPlay, a Wi-Fi-based peer-to-peer protocol, uses a custom scheme that combines aspects of HTTP and RTSP and carries its data as property lists ("plists"). Serialization and data-parsing interfaces of this kind are a frequent hunting ground for software weaknesses, because the parser must handle whatever type the peer chooses to send.

One demonstration of the vulnerabilities involves a plist that was expected to carry a dictionary object but was instead constructed from a simple string. Deserializing this plist yields an object that is not the dictionary the receiver assumes it to be, and accessing it as a dictionary crashes the process.
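The defensive lesson in that demonstration is that a deserializer's output must be type-checked before it is used. The example below is added here and is not code from the article or from Oligo's research; it uses Python's standard `plistlib` with constructed sample payloads (the key names `deviceID` and `name` are assumptions chosen for illustration, not AirPlay's real schema). It contrasts a receiver that indexes straight into the parsed object with one that validates the root type and the expected key types first.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Constructed sample payloads (not taken from AirPlay or from the article).
# A well-formed request whose root object is a dictionary ...
GOOD_PLIST = plistlib.dumps({"deviceID": "AA:BB:CC:DD:EE:FF", "name": "Speaker"})
# ... one whose root is a bare string where a dictionary was expected ...
STRING_ROOT_PLIST = plistlib.dumps("not-a-dictionary")
# ... one with the right root type but a wrong value type ...
WRONG_TYPE_PLIST = plistlib.dumps({"deviceID": "AA:BB:CC:DD:EE:FF", "name": 42})
# ... and bytes that are not a plist at all.
GARBAGE = b"\x00\x01\x02"

# Hypothetical schema for the request body: key -> required Python type.
REQUEST_SCHEMA = {"deviceID": str, "name": str}


def naive_parse(data: bytes) -> str:
    """Deserialize and index into the result, assuming it is a dictionary.

    This mirrors the failure mode described in the text: when the root
    object is a string, obj["name"] raises TypeError, and an unhandled
    exception of that kind would bring down the receiving process.
    """
    obj = plistlib.loads(data)
    return obj["name"]


class PlistSchemaError(ValueError):
    """Raised when a plist does not match the expected shape."""


def safe_parse(data: bytes, schema: dict) -> dict:
    """Deserialize, then verify the root type and each required key's type.

    Only after every check passes is the object handed back to the caller,
    so downstream code can rely on the shape the schema promises.
    """
    try:
        obj = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        raise PlistSchemaError(f"unparseable plist: {exc}") from exc
    if not isinstance(obj, dict):
        raise PlistSchemaError(f"expected dict root, got {type(obj).__name__}")
    for key, expected in schema.items():
        if key not in obj:
            raise PlistSchemaError(f"missing required key {key!r}")
        value = obj[key]
        # bool is a subclass of int, so reject it explicitly when int is expected.
        if (expected is int and isinstance(value, bool)) or not isinstance(value, expected):
            raise PlistSchemaError(
                f"key {key!r}: expected {expected.__name__}, got {type(value).__name__}"
            )
    return obj


def handle_request(data: bytes) -> tuple:
    """Request boundary: returns (accepted, name-or-reason) instead of crashing."""
    try:
        obj = safe_parse(data, REQUEST_SCHEMA)
    except PlistSchemaError as exc:
        return (False, str(exc))
    return (True, obj["name"])


def naive_parse_crashes(data: bytes) -> bool:
    """Report whether the naive receiver would raise on this payload."""
    try:
        naive_parse(data)
    except Exception:
        return True
    return False


if __name__ == "__main__":
    for label, payload in [("good", GOOD_PLIST), ("string-root", STRING_ROOT_PLIST),
                           ("wrong-type", WRONG_TYPE_PLIST), ("garbage", GARBAGE)]:
        print(label, "naive crashes:", naive_parse_crashes(payload),
              "validated:", handle_request(payload))
```

The validating receiver turns every malformed input into a rejected request with a reason string, which is also the event a detection pipeline would want logged: a burst of schema rejections from one peer is a far more useful signal than a process restart.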

Another demonstration uses AirPlay to achieve an arbitrary memory write on macOS devices. This capability can be used for zero-click exploitation, although the demo targets the Music app and requires user interaction. Prior to the patch, any macOS device with AirPlay enabled and its receiver set to either "Anyone on the same network" or "Everyone" was affected. Given the zero-click potential, it could have been turned into a wormable exploit.

Apple has released updates addressing the CVEs across its product lines. However, updating the numerous IoT devices built on the vulnerable SDK may take a considerable amount of time, and many of them may never receive an update at all, which further complicates remediation.

A separate exploit targeting Apple systems, called EvilNotify, has been discovered by researcher Guilherme Rambo. It abuses gaps in the Darwin Notification API, which is part of the shared codebase used by all Apple operating systems. The primary cause is that the API neither authenticates callers nor restricts who may send or receive a given notification.

A notable consequence is the ability to trigger the "restore in progress" notification, which locks the device and leaves reboot as the only option. A more nefarious variant places the code that triggers this warning inside an app's widget extension, which can produce a persistent boot loop on iOS devices. Apple has remedied the issue by adding an authorization mechanism for sensitive notification endpoints.

In the realm of Continuous Integration (CI), security researcher John Stawinski of Praetorian has uncovered an exploit chain against the Node.js repository on GitHub in which an outside pull request culminates in code execution on the Jenkins host machines. Stawinski's discovery hinges on spoofing the timestamp on a pull request, which allows the Node.js CI to execute the attacker-supplied code.

Google has published a report detailing the 75 zero-day vulnerabilities that were exploited throughout 2024. While the count decreased slightly compared to 2023 (98), the report's authors expect zero-day exploitation to keep trending upward. The report highlights enterprise targets, with security appliances and other network devices accounting for over 60% of the tracked vulnerabilities.

Microsoft has declared that Windows machines continuing to accept revoked credentials for Remote Desktop Protocol (RDP) logins is not a bug. Security researcher Daniel Wade discovered the behavior and reported it to Microsoft, which initially deemed it not a security issue. Wade subsequently shared the report with Ars Technica, detailing how Windows machines cache RDP login credentials indefinitely without checking whether they have since been revoked.

  1. The vulnerabilities found in Apple's AirPlay protocol, known as "AirBorne," are not just limited to cybersecurity issues; they also pose threats in the realm of data-and-cloud-computing, considering their potential for Remote Code Execution (RCE) and exploitation of the Darwin Notification API.
  2. The ongoing issue of outdated IoT devices, built on vulnerable AirPlay SDK, and the lack of patching due to various factors, elevates the significance of technology updates in enhancing cybersecurity practices, especially in the face of an expected upward trend in zero-day exploitation.
