Cisco Systems has released a new patch for a remotely exploitable privilege escalation vulnerability after security researchers found that its previous fix was incomplete.
The company first patched the vulnerability, known as WebExec or CVE-2018-15442, Oct. 24. The flaw was located in WebExService, a service installed on Windows machines by the Webex client apps.
The initial bug, identified by researchers from Counter Hack, allowed unprivileged users to start the service and issue an update command with a malicious file. The service executed the supplied file with SYSTEM privileges, allowing a local attacker to take full control of the computer. Even worse, the vulnerability could be exploited remotely over the local network in Active Directory environments.
After Cisco released its patch in October, researchers from another company called SecureAuth found a different way to exploit the vulnerability that relies on a technique known as DLL hijacking.
“The vulnerability can be exploited by copying to a local attacker controlled folder, the ptUpdate.exe binary,” the researchers said in an advisory. “Also, a malicious dll must be placed in the same folder, named wbxtrace.dll. To gain privileges, the attacker must start the service with the command line: sc start webexservice install software-update 1 “attacker-controlled-path” (if the parameter 1 doesn’t work, then 2 should be used).”
Cisco updated its CVE-2018-15442 advisory to warn users that the original patch was insufficient and that it released new patches to close the newly identified attack vector. Users should update the Cisco Webex Meetings Desktop App to version 33.6.4 or later and the Cisco Webex Productivity Tools to version 33.0.6 and later.
NPM Package Backdoored to Steal Cryptocurrency Wallets
The attack was performed through a package called event-stream and happened after its creator transferred ownership to another user. The new maintainer then added a component to the package called flatmap-stream and put his malicious code inside.
The rogue code was highly obfuscated and deployed its AES-encrypted payload only under certain conditions. People who analyzed it found that it targeted libraries associated with a Bitcoin wallet called Copay and its goal was to steal the wallet files and send them to a remote server.
“He emailed me and said he wanted to maintain the module, so I gave it to him,” event-stream’s original author said in a discussion on GitHub. “I don’t get anything from maintaining this module, and I don’t even use it anymore, and haven’t for years.”
This is not the first time when hackers have tricked the authors of popular software components to give them up. There are documented cases where attackers set up companies and paid significant amounts of money to buy WordPress plug-ins or Google Chrome extensions from their original developers. After acquiring them, they modified their code to inject spam into websites or users’ browsing sessions.
The problem for end users is that changes in software ownership are rarely announced publicly and are difficult to detect, especially in complex development ecosystems made up of thousands of third-party packages. As this incident shows, a package that has been trusted for years can fall in the hands of malicious users and can become a security risk overnight.
“These supply-chain attacks are only going to become more and more prevalent with time,” Thomas Hunter II, a researcher with security firm Intrinsic, said in a blog post about the event-stream attack. “Targeted attacks, like how this package specifically targets the Copay application, will also become more prevalent.”