This Week in Cyber: January 31st – February 4th

At the beginning of this week, it was reported that yet another application has been targeted by a customised exploit for the Log4j vulnerability. Researchers at Morphisec announced that Ubiquiti’s UniFi Network applications are vulnerable to the exploit, with the first successful exploitation being tracked back to 20th January 2022. 

Article type: Blog
author Lara

UniFi Network is an application that can help devices running macOS, Linux and Windows operating systems to set up and manage UniFi Network devices, while also providing an overview of the network and controlling it. 

In the UniFi Network Application, the vulnerability is tracked as CVE-2021-44228, which has a CVSS score of 10, but so far it has only been identified in versions prior to UniFi Network Application 6.5.54. This critical vulnerability is dangerous as it enables malicious actors to complete remote code execution, but what is most worrying is that the command-and-control server in the attack is correlated to a previous SolarWinds attack, reported by CrowdStrike.

Discussing the discovery of this vulnerability, and covered by the entire InfoRiskToday UK, and the entire ISMG estate, John Goodacre, director of the UKRI’s Digital Security by Design challenge and Professor of Computer Architectures at Manchester University, said

“The continued use of known vulnerabilities shows the complexity on both system administrators and software suppliers to keep up with the need to patch. Given the historic investment and likely hood developers will continue to create vulnerable code, it’s important everyone understands how future hardware can help protect software from exploitation by design, and that developers are provided additional tools and capabilities that bring down the costs of delivering products secured by default. The UKRI Digital Security by Design (DSbD) programme is supporting industry to deliver new underpinning technologies with the recently announce DSbD Technology Access programme offering developers the opportunity to understand and evaluate the resulting benefits to their business.”

John Goodacre, director of the UKRI’s Digital Security by Design challenge and Professor of Computer Architectures at Manchester University

Another piece of research that caught our eye was the discovery of a memory corruption vulnerability, tracked as CVE-2021-4034, also known as Pwnkit. Researchers at Qualys discovered the vulnerability in polkit’s pkexec, a SUID-root program installed on all Linux distributions by default, which when exploited allows unprivileged users full root privileges on a vulnerable host. This vulnerability is especially worrying because pkexec, which is a part of Polkit, provides the foundation for critical software running on servers, phones and the Linux kernel. 

“privilege escalation vulnerabilities such as this are a major weapon in the cyber attacker’s arsenal. Although this bug is independently described as a local privilege escalation, they also permit an attacker to extend the harm initiated via another vulnerability in a specific application and its data, to all data in the machine, and potentially the network.

John Goodacre, director of the UKRI’s Digital Security by Design challenge and Professor of Computer Architectures at Manchester University

For decades computers have provided just a few levels of privilege, with software finding it too slow and expensive to use these mechanisms to create more secured solutions. The UKRI Digital Security by Design (DSbD) programme recently announced its Technology Access Programme to offer technology businesses the opportunity to investigate the benefits of the DSbD technology. These technologies are able to provide an arbitrary number of privilege and hardware protected compartments while also providing protection against the exploitation of vulnerabilities.

You can find out more about the Industrial Strategy Challenge Fund here

Sign up to the newsletter

Sign up to the Digital Security by Design newsletter to stay up to date with our events, news, insights and opportunities. Be the first to know about our work and ways to get involved.

UKRI DSbD Councils
Website delivered by Digital Catapult as part of the Technology Access Programme, funded by UKRI through the Digital Security by Design Programme