CyberScotland Bulletin

Technical Bulletin December 2023


The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.

Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.

Microsoft Patch Tuesday

For the final round of monthly updates of the year, Microsoft released its December 2023 Patch Tuesday update, addressing a total of 35 security issues, including one previously unpatched vulnerability in AMD CPUs. Eight of these are remote code execution (RCE) bugs, and four flaws are rated critical: a spoofing vulnerability in Power Platform, two RCEs in Internet Connection Sharing, and one RCE in the Windows MSHTML Platform.

A notable fix in this update is for the AMD zero-day vulnerability CVE-2023-20588, a division-by-zero error in certain AMD processors that can return speculative data and so leak sensitive information. The flaw was disclosed back in August but had remained unpatched in Windows until now. Full details of all the December updates are in Microsoft's Security Update Guide.

Apple Security Update

Apple has recently rolled out a series of security updates for its various operating systems, including iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser, to fix a range of security vulnerabilities. Additionally, the company has extended patches for two recently revealed zero-day exploits to older devices.

The updates address 12 security issues in iOS and iPadOS, affecting components such as AVEVideoEncoder, ExtensionKit, Find My, ImageIO, Kernel, Safari Private Browsing, and WebKit. macOS Sonoma 14.2 resolves 39 vulnerabilities, including six bugs in the ncurses library.

A critical flaw, CVE-2023-45866, in Bluetooth stands out among these vulnerabilities: an attacker in a privileged network position could spoof a keyboard and inject keystrokes into the target device. Apple has also released Safari 17.2, fixing two significant WebKit vulnerabilities, CVE-2023-42890 and CVE-2023-42883, which could lead to arbitrary code execution and a denial-of-service (DoS) condition respectively. The Safari update is available for macOS Monterey and macOS Ventura users.

As a precautionary measure, users are advised to update their devices to the latest versions to ensure enhanced security and protection against these vulnerabilities.

Bluetooth BLUFFS Vulnerability

Recent research has revealed a series of new attacks that break the forward and future secrecy guarantees of Bluetooth Classic. These attacks put an adversary in a position to intercept and manipulate communications between two connected devices. Named BLUFFS, the vulnerabilities affect Bluetooth Core Specification versions 4.2 to 5.4 and are tracked as CVE-2023-24023 with a CVSS score of 6.8. The issue was responsibly reported in October 2022.

The essence of these attacks is the ability to impersonate devices and intercept data across multiple sessions by compromising just one session key. This is achievable due to two newly discovered flaws in the session key derivation mechanism of the Bluetooth standard, which allow the same key to be derived across different sessions. Forward secrecy in cryptographic protocols is meant to secure past communications from being exposed if future keys are compromised. Conversely, future secrecy (also known as backward secrecy) is designed to protect future communications if past keys are compromised.

These attacks exploit four architectural vulnerabilities in the Bluetooth session establishment process, which together lead to the derivation of a weak session key that can be brute-forced and then used to impersonate victims. An adversary posing as a paired device can initiate a connection and negotiate encryption using the legacy key-derivation method rather than Secure Connections. The Bluetooth Special Interest Group (SIG) highlighted that an attacker within range can thereby force the use of the same encryption key for every session and select the weakest permitted key length.

The impact of these vulnerabilities can be partly mitigated by denying access to host resources from a downgraded session, or by ensuring sufficient key entropy so that reusing a session key is of limited use to an attacker. Because the weakened key can be brute-forced in real time, the attack also enables live manipulation of traffic between affected devices. However, its success relies on the attacker being within wireless range of the vulnerable devices and being able to capture and manipulate Bluetooth packets.

In response, SIG advises Bluetooth implementations to reject connections on encrypted links with key strengths below 7 octets. Devices should operate in “Secure Connections Only Mode” for better key strength and pair using “Secure Connections” mode instead of the legacy mode.
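To make the key-weakening condition concrete, the following toy model is an added example, not material from the bulletin and not the actual Bluetooth E3 or Secure Connections key-derivation functions, which it replaces with HMAC-SHA-256 and truncation. It shows the two effects described above: a session key that depends only on the pairing key and attacker-fixed inputs comes out identical in every session, and a key negotiated down to one octet is recovered from a single captured packet by trying all 256 candidates. The LINK_KEY value, diversifier layout, packet header and stream cipher are all constructed for the example; accept_key_size models the SIG's 7-octet minimum.

```python
import hashlib
import hmac
import itertools
import os
from typing import Dict, Optional

# Constructed example: a simplified model of the weakness BLUFFS exploits.
# It is NOT the real Bluetooth key derivation; HMAC-SHA-256 plus truncation
# stand in for it so that the entropy and key-reuse effects are visible.

LINK_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed pairing key


def derive_session_key(link_key: bytes, diversifiers: bytes, key_size: int) -> bytes:
    """Model session key: depends only on the pairing key and the diversifiers
    exchanged at session setup, truncated to the negotiated size in octets.
    Whoever controls the diversifiers and key size controls the key."""
    if not 1 <= key_size <= 16:
        raise ValueError("key size must be 1..16 octets")
    full = hmac.new(link_key, diversifiers, hashlib.sha256).digest()
    return full[:key_size]


def keystream(session_key: bytes, length: int) -> bytes:
    """Model stream cipher: expand the session key into a keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(session_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(session_key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(session_key, len(plaintext))))


def honest_diversifiers() -> bytes:
    """Both peers contribute fresh randomness, so each session gets a new key."""
    return os.urandom(16) + os.urandom(16)


def attacker_diversifiers() -> bytes:
    """BLUFFS condition: the impersonating peer fixes the values that feed
    key derivation, so the same session key is derived every time."""
    return b"\x00" * 32


def brute_force_session_key(ciphertext: bytes, known_plaintext: bytes, key_size: int) -> Optional[bytes]:
    """Recover the session key by exhausting all 256**key_size candidates,
    checking each against a known plaintext prefix (e.g. a fixed header)."""
    n = len(known_plaintext)
    for candidate in itertools.product(range(256), repeat=key_size):
        key = bytes(candidate)
        if encrypt(key, known_plaintext) == ciphertext[:n]:
            return key
    return None


def candidate_count(key_size: int) -> int:
    """Size of the brute-force space for a key of key_size octets."""
    return 256 ** key_size


def accept_key_size(key_size: int, minimum_octets: int = 7) -> bool:
    """SIG mitigation: reject encrypted links negotiated below 7 octets."""
    return key_size >= minimum_octets


def demo() -> Dict[str, object]:
    # 1. Key reuse: attacker-fixed diversifiers yield the same 1-octet key twice.
    k1 = derive_session_key(LINK_KEY, attacker_diversifiers(), 1)
    k2 = derive_session_key(LINK_KEY, attacker_diversifiers(), 1)
    # Honest sessions with fresh randomness on both sides differ.
    h1 = derive_session_key(LINK_KEY, honest_diversifiers(), 16)
    h2 = derive_session_key(LINK_KEY, honest_diversifiers(), 16)
    # 2. Brute force the 1-octet key from one captured packet with a known header.
    header = b"HDR_0001"  # constructed fixed header the attacker knows
    packet = encrypt(k1, header + b"secret payload")
    recovered = brute_force_session_key(packet, header, 1)
    return {
        "reused": k1 == k2,
        "honest_distinct": h1 != h2,
        "recovered": recovered == k1,
        "candidates_1_octet": candidate_count(1),
        "candidates_7_octets": candidate_count(7),
        "accept_1": accept_key_size(1),
        "accept_7": accept_key_size(7),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The figure to take away is the candidate count: 256 at one octet against 2**56 at the SIG minimum of seven, which is why rejecting short keys matters, and why pairing in Secure Connections mode, where both sides contribute fresh input to the key, prevents the same key being derived session after session.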

CiSP – The Cyber Security Information Sharing Partnership

The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK […]


Scottish Information Sharing Network (SciNET Group)

SciNET is a community for Scottish businesses to engage on CiSP. The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and […]
