This Week in Cyber 10th May 2024

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

9th May, 2024


Analyst Insight

The breach at the UK Ministry of Defence highlights the risks of outsourcing the management of critical infrastructure. Breaches originating at third parties are unfortunately not uncommon: external contractors are often compromised and their privileges exploited. Closer oversight and monitoring of these communications could potentially have mitigated the breach. The Pathfinder attack shows that high-performance CPUs remain exposed to Spectre-style exploits, while the vulnerabilities in F5 Next Central Manager and Aruba Networking products show how threat actors could achieve complete system compromise. Together these events underscore the need for robust cybersecurity measures: proactive vulnerability management, timely patching, and comprehensive threat monitoring.

 


UK MoD Cyberattack: Armed Forces’ Data Exposed

The Ministry of Defence (MoD) in the United Kingdom is currently dealing with the repercussions of a sophisticated cyberattack. The attack targeted the MoD's payroll system and resulted in the unauthorised disclosure of classified personal information belonging to both serving and retired members of the armed forces. The breach was enabled via an external contractor responsible for managing the system, highlighting how exposed vital infrastructure is to threats introduced through third parties. As the MoD investigates the full implications of the breach, a public statement is expected from Defence Secretary Grant Shapps, who is due to give an account of the incident and set out the steps being taken to reinforce the nation's cyber defences.



Pathfinder: A Spectre-Style Attack Targeting Intel CPUs


A collaborative research effort has uncovered a new threat to data security in the form of the Pathfinder attack, which targets high-performance Intel CPUs. By exploiting weaknesses in the branch predictor, the attack lets a threat actor manipulate the Path History Register (PHR) to induce branch mispredictions and gain unauthorised access to sensitive data, including encryption keys and images processed by libraries such as libjpeg. Some will recognise this as similar to a Spectre vulnerability, in which the CPU is tricked into speculatively accessing other locations in memory. Despite previously deployed mitigations, Intel CPUs remain vulnerable to this Spectre-style exploit.

 


Critical Vulnerabilities in F5 Central Manager Pose Serious Security Risk

Security researchers have uncovered two critical vulnerabilities in F5 Next Central Manager that could enable threat actors to take full control of devices and create hidden rogue administrator accounts. The remotely exploitable flaws, tracked as CVE-2024-21793 and CVE-2024-26026, affect Next Central Manager versions 20.0.1 through 20.1.0. Exploitation could give an attacker complete administrative control, including the ability to create accounts on any managed BIG-IP Next asset. Because of a concealed SSRF vulnerability, that access may persist even after the admin password is reset and the system is patched.

 



Aruba's Critical Vulnerabilities

Aruba Networking, a subsidiary of Hewlett Packard Enterprise (HPE), has disclosed ten vulnerabilities in its ArubaOS operating system. Four of them are critical unauthenticated buffer overflow bugs that could lead to remote code execution (RCE). The vulnerabilities affect Aruba's network controller and gateway products, including Mobility Conductor, Mobility Controllers, WLAN Gateways, and SD-WAN Gateways managed through Aruba Central. Successful exploitation could allow threat actors to execute arbitrary code with elevated privileges on affected systems.


Since the disclosure, HPE Aruba Networking has released patches for ArubaOS that address these vulnerabilities. Fixes are available to affected customers in ArubaOS versions 10.6.0.0, 10.5.1.1, 10.4.1.1, 8.11.2.2, and 8.10.0.11. As of May 3, 2024, Censys observed 180+ hosts running ArubaOS, detected through an exposed SNMP service; nearly half of them were running an End of Life (EOL) version. It is crucial that organisations apply these patches immediately. At the time of disclosure, Aruba Networking was not aware of any public proof-of-concept or active exploitation.
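The practical job behind the paragraph above is working out which of your own ArubaOS hosts are below the fixed release for their train, and which are on a train that has no fix listed at all (the EOL population Censys saw). The following is an added example for that triage, not code from HPE Aruba, Censys or Nucleus. The fixed versions are the five listed in the post; everything else is an assumption: that a release train is identified by the first two version components (10.6, 8.10, and so on), that any version on a listed train numerically below its fixed release is unpatched, and that the inventory arrives as a simple `host,version` CSV (the hostnames and versions in `SAMPLE_INVENTORY` are constructed for the example).

```python
"""Inventory triage for the ArubaOS fixed releases listed above.

Added example (not HPE Aruba, Censys or Nucleus code). It classifies observed
ArubaOS versions against the fixed releases the post lists. Assumptions not
stated on the page: a release train is identified by the first two version
components (e.g. 10.6, 8.10), and any version on a listed train that is
numerically below the fixed release is unpatched.
"""
from __future__ import annotations

from collections import defaultdict

# Fixed releases as listed in the post, one per release train.
FIXED_VERSIONS = ["10.6.0.0", "10.5.1.1", "10.4.1.1", "8.11.2.2", "8.10.0.11"]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '8.10.0.11' into (8, 10, 0, 11) so comparisons are numeric.

    A plain string comparison ranks '8.10.0.9' above '8.10.0.11', which is
    exactly the mistake that leaves a vulnerable host marked as patched.
    """
    parts = text.strip().split(".")
    if not parts or not all(part.isdigit() for part in parts):
        raise ValueError(f"unparseable ArubaOS version: {text!r}")
    return tuple(int(part) for part in parts)


def release_train(version: tuple[int, ...]) -> tuple[int, ...]:
    """Assumption: the first two components identify the release train."""
    return version[:2]


FIXED_BY_TRAIN = {
    release_train(parse_version(v)): parse_version(v) for v in FIXED_VERSIONS
}


def classify(observed: str) -> str:
    """Classify one observed version string.

    Returns one of:
      'patched'        on a listed train, at or above the fixed release
      'unpatched'      on a listed train, below the fixed release
      'no-fix-listed'  train not in the advisory list (possibly EOL, or newer
                       than the advisory); needs a manual check
      'invalid'        could not be parsed
    """
    try:
        version = parse_version(observed)
    except ValueError:
        return "invalid"
    fixed = FIXED_BY_TRAIN.get(release_train(version))
    if fixed is None:
        return "no-fix-listed"
    return "patched" if version >= fixed else "unpatched"


def triage(inventory_csv: str) -> dict[str, list[str]]:
    """Group hosts from a 'host,version' CSV by classification.

    Blank lines and '#' comments are skipped; hosts are sorted within a group.
    """
    groups: dict[str, list[str]] = defaultdict(list)
    for line in inventory_csv.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        groups[classify(version)].append(host.strip())
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = """\
# host,observed_version
gw-01.example.internal,10.6.0.0
gw-02.example.internal,10.5.0.3
cond-01.example.internal,8.11.2.2
cond-02.example.internal,8.10.0.9
ctrl-legacy.example.internal,8.6.0.4
ctrl-broken.example.internal,8.x
"""


if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:14s} {', '.join(hosts)}")
```

Hosts that land in `no-fix-listed` are the ones to look at first: under the assumptions above they are either on an EOL train with no fix to apply, or on a train newer than the advisory, and only a manual check against the vendor advisory can tell which.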
