The researcher Ralf-Phillip Weinmann , managing director at security firm Comsecuris , has disclosed Vulnerability-related.DiscoverVulnerability a zero-day baseband vulnerability affecting Vulnerability-related.DiscoverVulnerability Huawei smartphones , laptop WWAN modules , and IoT components . Baseband is firmware used on smartphones to connect to cellular networks , to make voice calls , and transmit data . An attacker can exploit baseband flaws to eavesdrop Attack.Databreach mobile communications , take over the device making calls and sending SMS messages to premium numbers or to exfiltrate Attack.Databreach data . The expert revealed Vulnerability-related.DiscoverVulnerability the flaw this week at the Infiltrate Conference , the vulnerability could be exploited Vulnerability-related.DiscoverVulnerability by attackers to execute a memory-corruption attack against affected devices over the air . Fortunately , the attack is quite difficult to conduct . The baseband vulnerability resides in Vulnerability-related.DiscoverVulnerability the HiSilicon Balong integrated 4G LTE modems . The Balong application processor is called Kirin , it is produced by the Hisilicon Technologies , a subsidiary of Huawei Technologies . The affected firmware is present in several Huawei Honor smartphones , including the P10 , Huawei Mate 9 , Honor 9 , 7 , 5c and 6 . Weinmann believes that millions of Honor smartphones could be exposed to the to attack . Weinmann presented Vulnerability-related.DiscoverVulnerability multiple baseband vulnerabilities found in Vulnerability-related.DiscoverVulnerability the Kirin application processor . The expert also revealed that many laptops produced by IT vendors leverage the HiSilicon Balong integrated modem , such as a number IoT devices . “ This baseband is much easier to exploit than other basebands . Why ? I ’ m not sure if this was intentional , but the vendor actually published the source code for the baseband which is unusual , ” Weinmann said . “ Also , the malleability of this baseband implantation doesn ’ t just make it good for device experimenting , but also network testing. ” Weinmann speculates HiSilicon may have wrong released the Kirin source code as part of a developer tar archive associated with the Huawei H60 Linux kernel data . Weinmann demonstrated several attack scenarios against mobile phones . A first attack scenario presented by the researcher involves setting up a bogus base station using open-source software called OpenLTE that is used by an attacker to simulate a network operator . The attacker can send specially crafted packets over the air that trigger a stack buffer overflow in the LTE stack causing the phone crashing . Once the phone rebooted an attacker can gain persistence installing a rootkit . In a second attack scenario , the attacker with a physical access to the phone and private key pair data would install malicious tools on the firmware . “ It requires key material that is stored both by the carrier and on the SIM card in order to pass the mutual authentication between the phone and the network . Without this key material , a base station can not pose as a legit network towards the device. ” Weinmann used for its test his own VxWorks build environment using an evaluation version of VxWorks 7.0 that shipped with Intel Galileo several years ago . The expert explained that the existence of a Lua scripting interpreter running in the baseband gives him further offensive options . Weinmann did not disclose the technical details to avoid threat actors in the wild will abuse his technology . “ I have chosen to only disclose lower-severity findings for now . Higher severity findings are in the pipeline. ” Weinmann said .

The bugs let hackers crash IoT devices , leak Attack.Databreach their information , and completely take them over . Researchers have found Vulnerability-related.DiscoverVulnerability that a popular Internet of Things real-time operating system – FreeRTOS – is riddled with serious vulnerabilities . The bugs could allow hackers to crash connected devices in smart homes or critical infrastructure systems , leak Attack.Databreach information from the devices ’ memory , and take them over . And while patches have been issued Vulnerability-related.PatchVulnerability , researchers warn that it still may take time for smaller vendors to update Vulnerability-related.PatchVulnerability . Researcher Ori Karliner , with Zimperium ’ s zLabs team , recently analyzed some of the leading operating systems in the IoT market – including FreeRTOS , an open-source OS specifically designed for the microcontrollers that are within IoT devices . Within several versions of FreeRTOS , Karliner found Vulnerability-related.DiscoverVulnerability 13 vulnerabilities enabling an array of attacks , including remote code execution , information leak and denial-of-service bugs . “ During our research , we discovered Vulnerability-related.DiscoverVulnerability multiple vulnerabilities within FreeRTOS ’ s TCP/IP stack and in the AWS secure connectivity modules . The same vulnerabilities are present in Vulnerability-related.DiscoverVulnerability WHIS Connect TCP/IP component for OpenRTOS\SafeRTOS , ” according to a Thursday post by zLabs . The vulnerabilities specifically exist in Vulnerability-related.DiscoverVulnerability FreeRTOS ’ s TCP/IP stack and in the AWS secure connectivity modules ( in as well as in the WHIS Connect TCP/IP component for OpenRTOS\SafeRTOS ) . These vulnerabilities include four remote code execution bugs ( CVE-2018-16522 , CVE-2018-16525 , CVE-2018-16526 , and CVE-2018-16528 ) ; seven information leak vulnerabilities ( CVE-2018-16524 , CVE-2018-16527 , CVE-2018-16599 , CVE-2018-16600 , CVE-2018-16601 , CVE-2018-16602 , CVE-2018-16603 ) one denial of service flaw ( CVE-2018-16523 ) and a final ( CVE-2018-16598 ) that was unspecified . zLabs said Vulnerability-related.DiscoverVulnerability it has disclosed Vulnerability-related.DiscoverVulnerability the security issues to Amazon and collaborated with them to patch Vulnerability-related.PatchVulnerability the vulnerabilities . Those fixes were deployed Vulnerability-related.PatchVulnerability for AWS FreeRTOS versions 1.3.2 and onwards . The vulnerabilities in RTOS WHIS were also patched Vulnerability-related.PatchVulnerability . Amazon did not respond to a request for comment from Threatpost . Due to the amount of vendors impacted Vulnerability-related.DiscoverVulnerability by the bugs , the researchers said Vulnerability-related.DiscoverVulnerability that they would hold off on publishing Vulnerability-related.DiscoverVulnerability further details until all holes have been sealed Vulnerability-related.PatchVulnerability .

Git has disclosed Vulnerability-related.DiscoverVulnerability a security vulnerability that allows for arbitrary code execution in malicious repositories , Microsoft reports . The vulnerability , CVE-2018-11235 , was addressed Vulnerability-related.PatchVulnerability and fixed Vulnerability-related.PatchVulnerability in Git 2.17.1 and Git for Windows 2.17.1 ( 2 ) , which were both released Vulnerability-related.PatchVulnerability today . In addition , the Visual Studio Team Services ( VSTS ) team has blocked malicious repositories from being pushed to VSTS to ensure that Visual Studio can not be used as a vector for transmitting malicious repositories to clients who have not yet patched Vulnerability-related.PatchVulnerability their clients . The vulnerability is caused when repositories are cloned . When cloning a repository , Git checks out the parent repository into the working directory as it prepares to clone the submodule . Then , Git realizes that it does not need to perform the clone of submodule because the submodule ’ s repository already exists on the disk from when it was checked in to the parent , and then was written to the working directory when the parent repository was checked out . According to Microsoft , the problem lies in the fact that when Git repositories are cloned , there are important configuration details not obtained from the server , such as hooks , which are scripts that can be run at certain points in the Git workflow . The configuration is not cloned from a remote server because that would lead to a vulnerability where remote servers could provide code that would be executed on the end user ’ s computer . Unfortunately , with the new vulnerability , that is exactly what happens , Microsoft explained . Because the submodule ’ s repository is checked in to a parent repository , it is not actually cloned . Therefore , the submodule repository can already have a hook configured . Additionally , if a user recursively cloned a malicious parent repository , it first checks out the parent , reads the submodule ’ s checked-in repository and prepares to write that submodule to the working directory , then it executes post-checkout hooks , Microsoft explained . In order to eliminate this vulnerability , submodule ’ s folder names are examined more closely by Git clients . Now , submodule folder names can no longer contain “ .. ” as a path segment and they can not be symbolic links . As a result , they now will have to be within the .git repository folder instead of in the actual repository ’ s working directory . According to Microsoft , Git now refuses to work with repositories that do not follow this newly specified configuration . Visual Studio Team Services and other hosting providers will also reject users from pushing repositories that do not adhere to this submodule configuration to protect clients that have not been patched Vulnerability-related.PatchVulnerability yet .

The Git community has disclosed Vulnerability-related.DiscoverVulnerability a security vulnerability affecting Vulnerability-related.DiscoverVulnerability the clone and submodule commands that could enable remote code execution when vulnerable machines access malicious repositories . The vulnerability , which has been assigned Vulnerability-related.DiscoverVulnerability CVE–2018–17456 by Mitre , has been fixed Vulnerability-related.PatchVulnerability in Git 2.19.1 . To trigger the vulnerability , a malicious repository could forge a .gitmodules containing an URL starting with a dash . This would affect Vulnerability-related.DiscoverVulnerability both git clone -- recurse-submodules and git submodule update -- recursive in that they would recursively pass the URL starting with a dash to a git clone or git submodule subprocess that would interpret the URL as a command option . This could lead to executing an arbitrary command on the local machine . This vulnerability is similar to CVE–2017–1000117 , which also enabled an option-injection attack by forging ssh URLs starting with a dash that would be interpreted as an option by the ssh subprocess executed by git . No exploits are known at the moment . We were also able to use the time to scan all repositories on GitHub for evidence of the attack being used in the wild . As shown in the PR fixing Vulnerability-related.PatchVulnerability the vulnerability , submitted by @ joernchen , the fix is quite trivial in itself . Yet , this discovery provided the opportunity for an overall audit of .gitmodules , which led to implementing stricter checks on both paths and URLs found inside of it . As mentioned , the fix for this vulnerability is included in Git 2.19.1 . Additionally , it has been backported Vulnerability-related.PatchVulnerability to versions 2.14.5 , 2.15.3 , 2.16.5 , 2.17.2 , and 2.18.1 . Since git is integrated in GitHub projects such as GitHub Desktop and Atom , those have been patched Vulnerability-related.PatchVulnerability as well , so you will be better off upgrading Vulnerability-related.PatchVulnerability them as soon as possible .