FOXTROT/ALFA: TikTok Vulnerability, Spotify Radio, House of Commons Meeting via Zoom

Welcome to issue 105 of FOXTROT/ALFA for Tuesday, 21 April 2020. The madness out there won’t stop and so I won’t either. Here’s what’s been happening.

IBM Botches Data Risk Manager Vulnerability Disclosure

There are a number of vulnerabilities in IBM’s Data Risk Manager that can be combined to achieve unauthenticated remote code execution as root.

IBM has acknowledged that it mishandled a bug report that identified four vulnerabilities in its enterprise security software, and plans to issue an advisory. IBM Data Risk Manager offers security-focused vulnerability scanning and analytics, to help businesses identify weaknesses in their infrastructure. At least some versions of the Linux-powered suite included four exploitable holes, identified and, at first, privately disclosed by security researcher Pedro Ribeiro at no charge. Three are considered to be critical, and one is high risk.

Prior to going public, Ribeiro had tried to get CERT/CC to privately coordinate responsible disclosure with IBM, but Big Blue refused to accept the bug report. He said the mainframe giant replied thus: “We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for ‘enhanced’ support paid for by our customers.”

“This is an unbelievable response by IBM, a multi-billion dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide,” said Ribeiro in his disclosure.

The vulnerabilities consist of authentication bypass, command injection, insecure default password, and arbitrary file download. Using the first three, an unauthenticated remote user can run arbitrary code, and there’s now a Metasploit module to do so. Vulnerabilities one and four allow an unauthenticated attacker to download arbitrary files from the system. There’s also a Metasploit module for that attack chain.

The flaws don’t yet have CVE designations, and as far as we can tell, no patches nor updates to address the holes are available right now. The first three have been confirmed to affect IBM Data Risk Manager 2.0.1 to 2.0.3. Ribeiro believes versions 2.0.4 to 2.0.6, the latest release, are also vulnerable but that has not been confirmed. The fourth affects IDRM 2.0.2 and 2.0.3, and possibly 2.0.4 to 2.0.6. The Register asked IBM whether 2.0.6 is affected but IBM’s spokesperson did not respond.

Since there isn’t a patch yet and IBM hasn’t even issued an advisory, users of this software are currently out in the cold.

TikTok Vulnerability

It turns out TikTok doesn’t encrypt videos served from its CDN, which means anyone on the network path can run a man-in-the-middle attack on users and serve them fake videos from what look to them like trustworthy sources.

Mysk created videos that shared false COVID-19 information on several popular and verified accounts on the platform. This includes the World Health Organization, the British and American Red Cross, and even the official TikTok account.

This could be used by state actors like intelligence services to attack a large number of users by spreading propaganda. Such an attack would be especially feasible in a country where these actors can gain access to integral parts of the country’s network infrastructure.

Deserialisation Vulnerabilities in .Net Games

Many games written in .Net – which includes games that use the popular Unity engine – are susceptible to well-known deserialisation vulnerabilities. They can be attacked by crafting malicious third-party content that gets loaded into the games – like save games, mods and scenarios. A group of Swiss security researchers looked at a typical Steam library with about 400 games and found around 30 vulnerable titles. They managed to write exploits for 14 of them, including Tabletop Simulator and Totally Accurate Battle Simulator. Both of these games have since been fixed.

In its default configuration BinaryFormatter in .Net is insecure. Several well-known gadget chains exist that can be easily used to gain arbitrary code execution.

BinaryFormatter does however allow the definition of a Binder class which handles the resolution of types used in the Serialization and Deserialization processes. Using such a Binder, whitelisting of expected types can be facilitated with relative ease, providing resilience against deserialization gadgets. This method was used to fix all of the vulnerabilities mentioned above.
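An added example of the fix described above (not the researchers’ code or any game’s own): a SerializationBinder that resolves only the types a save file is expected to contain, shown next to the default unrestricted load. It assumes a .NET Framework or Mono runtime (as used by Unity) where BinaryFormatter is still enabled; the SaveGame and Inventory types are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Constructed example types: the only objects a save file is expected to contain.
[Serializable] public sealed class Inventory { public int Slots; public int Gold; }
[Serializable] public sealed class SaveGame { public string Player; public int Level; public Inventory Bag; }

// Binder that resolves only allowlisted types. Any other type name found in the
// stream, gadget-chain types included, is rejected before it can be instantiated.
public sealed class SaveGameBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        [typeof(SaveGame).FullName] = typeof(SaveGame),
        [typeof(Inventory).FullName] = typeof(Inventory),
    };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out Type type))
            return type;
        // Throw rather than return null: a null result makes BinaryFormatter fall
        // back to its own unrestricted type lookup, which would bypass the allowlist.
        throw new SerializationException($"Type '{typeName}' is not allowed in save data.");
    }
}

public static class SaveLoader
{
    // Insecure default: every type name the untrusted stream carries gets resolved.
    public static SaveGame LoadUnrestricted(byte[] data)
    {
        using (var ms = new MemoryStream(data))
            return (SaveGame)new BinaryFormatter().Deserialize(ms);
    }

    // Hardened: the same call with the allowlisting binder attached.
    public static SaveGame LoadRestricted(byte[] data)
    {
        var formatter = new BinaryFormatter { Binder = new SaveGameBinder() };
        using (var ms = new MemoryStream(data))
            return (SaveGame)formatter.Deserialize(ms);
    }
}
```

Writing the save file is the ordinary `new BinaryFormatter().Serialize(stream, saveGame)` call; only the load path needs the binder, since that is where untrusted bytes are turned into objects.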

Steam aggravates this vulnerability because games that use Steam Workshop can be attacked and made to share more malicious content from the attacked user’s Steam account. This could create a worm-like scenario with malicious content rapidly spreading through Steam Workshop.

Sonos Launches a Radio Service

Sonos is launching its own radio service.

Sonos Radio is a new, free-to-use streaming service that’s being introduced as part of a software update rolling out today worldwide. Moving forward, it’ll come preloaded in the Sonos app. CEO Patrick Spence says it’s “only the beginning” as Sonos works on other services “that provide our customers a better experience, and provide our music streaming service partners an opportunity to highlight their best content.”

Sonos says radio playback accounts for “nearly half” of all the time that customers spend listening to its products. “The new service introduces a holistic and cohesive way to explore radio, bringing together more than 60,000 stations from multiple streaming partners alongside original programming from Sonos,” the company said in its press release. Those partners include TuneIn and iHeartRadio, two obvious go-to picks for this category. Sonos says more partners, including Radio.com in the US and Global in the UK, are coming soon.

They are even launching their own stations.

But the second, more interesting pillar of Sonos Radio is original programming – found under the Sonos Presents section – and this is headlined by an ad-free station called Sonos Sound System. Think of it like Apple’s Beats 1. The company converted the basement of its (currently closed) flagship retail store in Soho into a recording and production facility.

There will also be artist-curated stations that offer “a regularly updated stream of hundreds of songs from artists inspired by their own influences and obsessions.” The first of those is going live today from Radiohead’s Thom Yorke. Like Sonos Sound System, you can listen to these artist stations without any ad interruptions.

Sonos Stations are the third and last piece of Sonos Radio. These are genre-based stations that do have ads – Sonos is partnering with TargetSpot to sell ad inventory and says only “general location data (ZIP code) and music genre information” is shared with advertising partners.

UK House of Commons Now Meeting via Zoom

For some reason, I feel like all the privacy edicts and laws that have been established over the last couple of years since Snowden aren’t worth the paper they were written on anymore. It’s suddenly all out the window. Remember when Boris got chided for doing a cabinet meeting via Zoom because of the obvious confidentiality problems? Nah, who cares. That was three weeks ago. Times have changed. It’s OK now!

The House of Commons today approved so-called “hybrid sessions” – MPs participating in Parliament in person and via video conferencing – marking arguably the biggest change in British parliamentary procedure in centuries. The changes, which are designed to allow a continuity of parliamentary business during the coronavirus pandemic, enter into effect tomorrow.

Under the new system, Parliament will meet three times a week (on Monday, Tuesday and Wednesday) for a two-hour session. This can be extended, although at the sole discretion of the Speaker. These meetings will consist of questions to ministers, urgent questions (defined as relating “to a matter of public importance”) and ministerial statements.

Crucially, it will allow parliamentarians to participate electronically, with only 50 members present in the chamber. MPs speaking remotely will be displayed on a number of flat-screen displays dotted around the room. Due to the technical limitations of the Zoom platform chosen, the number of remote participants will be capped at 120 members, and balanced based on proportional party strength.

In his speech, Rees-Mogg affirmed this change would be temporary, and would not represent a fundamental reworking of Parliamentary protocol. The new rules will remain in place until May 12, unless an extension is deemed necessary. “In 1349 when the Black Death affected this country, Parliament couldn’t sit. And didn’t. The session was cancelled. Thanks to modern technology, even I have moved past 1349,” added Rees-Mogg, who is famed for his staunch traditionalism and Victorian mannerisms that border on parody.

Gotta love these guys cracking jokes at such a time. And apparently I was wrong, confidentiality isn’t an issue at all.

Confidentiality isn’t a pressing concern, here. Parliament sessions are (as they should be) a matter of public record, and are broadcast live on TV and YouTube. The real concern is the potential incursion of unwelcome participants – a phenomenon known as Zoombombing.

Well, alright, chaps. In that case, I’m completely reassured. What could possibly go wrong?

Last week, a meeting of the US House Oversight Committee was disrupted three times by uninvited guests. And if the House of Commons fails to use the proper security measures, there’s a possibility the same could happen here.

Oh. Right.

Also Noteworthy

Some other stories I’ve been reading today:


This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.