Connect with us

Technology

Hackers are actively exploiting BIG-IP vulnerability with a 9.8 severity rating

Published

on

Researchers are marveling at the scope and magnitude of a vulnerability that hackers are actively exploiting to take full control of network devices that run on some of the world’s biggest and most sensitive networks.

The vulnerability, which carries a 9.8 severity rating out of a possible 10, affects F5’s BIG-IP, a line of appliances that organizations use as load balancers, firewalls, and for inspection and encryption of data passing into and out of networks. There are more than 16,000 instances of the gear discoverable online, and F5 says it’s used by 48 of the Fortune 50. Given BIG-IP’s proximity to network edges and their functions as devices that manage traffic for web servers, they often are in a position to see decrypted contents of HTTPS-protected traffic.

Last week, F5 disclosed and patched a BIG-IP vulnerability that hackers can exploit to execute commands that run with root system privileges. The threat stems from a faulty authentication implementation of the iControl REST, a set of web-based programming interfaces for configuring and managing BIG-IP devices.

“This issue allows attackers with access to the management interface to basically pretend to be an administrator due to a flaw in how the authentication is implemented,” Aaron Portnoy, the director of research and development at security firm Randori, said in a direct message. “Once you are an admin, you can interact with all the endpoints the application provides, including execute code.”

Images floating around Twitter in the past 24 hours show how hackers can use the exploit to access an F5 application endpoint named bash. Its function is to provide an interface for running user-supplied input as a bash command with root privileges.

While many images show exploit code supplying a password to make commands run, exploits also work when no password is supplied. The image quickly drew the attention of researchers who marveled at the power of an exploit that allows the execution of root commands without a password. Only half-joking, some asked how functionality this powerful could have been so poorly locked down.

Elsewhere on Twitter, researchers shared exploit code and reported seeing in-the-wild exploits that dropped backdoor webshells that threat actors could use to maintain control over hacked BIG-IP devices even after they’re patched. One such attack showed threat actors from the addresses 216.162.206.213 and 209.127.252.207 dropping a payload to the file path /tmp/f5.sh to install PHP-based webshell in /usr/local/www/xui/common/css/. From then on, the device is backdoored.

The severity of CVE-2022-1388 was rated at 9.8 last week before many details were available. Now that the ease, power, and wide availability of exploits are better understood, the risks take on increased urgency. Organizations that use BIG-IP gear should prioritize the investigation of this vulnerability and the patching or mitigating of any risk that arises. Randori provided a detailed analysis of the vulnerability and a one-line bash script here that BIG-IP users can use to check exploitability. F5 has additional advice and guidance here.

This Article was first live here.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published.

Technology

Apple’s Next Trick: Letting You Borrow Cables From Android Friends

Published

on

A photo of a USB-C cable

Photo: Sam Rutherford / Gizmodo

It might not seem like the needle-moving announcement that Apple would make. But thanks to a news bit from a trusted analyst, there’s hope on the horizon that someday soon, Apple iPhones and Android smartphones will stop being separated—by charging cables, at least. (Don’t expect any parity on messaging any time soon!)

This week on Gadgettes, we dive into the most recent Apple leaks. With WWDC 2022 fast approaching, we figured it’d be an appropriate time to round up some of what we’ve heard in the rumor mill.

In addition to the USB-C tidbit, there’s chatter about everything from what the Apple Watch Series 8 will be capable of to whether iOS 16 will see much of a significant bump. We’ll also get into some of the patents revealed over the past few weeks, including a Surface Pro-like keyboard for the iPad and a foldable iPhone with a color E Ink display.

Then, Sony does it again, grooving into our hearts with its new WH-1000XM5 headphones. The model name doesn’t quite roll off the tongue, but you won’t care once you realize these are some of the best headphones money can buy. We’ll talk about why these headphones are worth their $400 price point. We’ll also get into the caveats of headphones like these and why the WH-1000XM5’s new folding mechanism might make you go for the last-generation model.

Finally, we’ll defend printers. We’ll explain why you might consider springing for an all-in-one printer for your at-home print shop. The compact HP Deskjet 6700 is an all-in-one that comes in a few colors and pairs rather nicely with the Amazon Basics laminator if you need to make reusable worksheets! HP also offers Instant Ink, which ships you ink cartridges so that you don’t have to worry about securing more when they run out.

Listen to this week’s episode of Gadgettes on Apple Podcasts, Spotify, or wherever you get your podcasts.

This Article was first live here.

Continue Reading

Technology

Chromebook 101: how to change your Chrome OS channels and get unreleased features

Published

on

You might not know it from glancing at a Chromebook, but Google’s Chrome OS is in a constant state of evolution.

The operating system receives minor updates every two to three weeks and major releases every six weeks. And, at any given moment, Google’s staff is working on features and software enhancements that most people won’t see for a matter of weeks — or months.

Here’s a little secret, though: if you’re feeling adventurous, you can gain access to those unreleased enhancements. All it takes is the flip of a virtual switch in your Chromebook’s settings, and you’ll have all sorts of interesting new options at your fingertips.

First, it’s important to understand exactly what’s involved so you can make an educated decision about which setup makes the most sense for you.

Understanding the Chrome OS channels

Chrome OS actually exists in four separate development channels. The software you see on your Chromebook varies considerably depending on which channel you choose:

  • The Stable channel is the polished and ready for prime time version of the software that all devices use by default.
  • The Beta channel is updated weekly and receives new features about a month ahead of its Stable sibling.
  • The Developer channel is updated as frequently as twice a week and sees stuff that’s actively being worked on and has undergone only a small amount of testing.
  • Finally, the Canary channel is what Google describes as the “bleeding edge” Chrome OS path — a channel that receives daily updates prior to any widespread testing and can be accessed only by a Chromebook that’s switched into a special developer mode (which, somewhat confusingly, has nothing to do with the Developer channel).

The Stable channel is the safest option and what the vast majority of people should use — particularly those who need to know their computers will always work flawlessly without any hiccups or unexpected glitches.

If you’re feeling adventurous and don’t mind a bit of a risk, the Beta channel is a good way to get a peek at unreleased features without too much instability. The odds of running into something funky are certainly higher than with Stable, but, by and large, elements in Beta are fairly well-developed and just in the final phases of testing.

Most day-to-day users would be well advised to stay away from the Developer channel since it receives updates as they’re built and is quite likely to contain bugs. And, as for the Canary channel, if you’re not sure whether you ought to be using it, the answer is probably no.

Changing your Chrome OS channel

Once you’ve decided which channel you want to try, here’s how to make the switch:

  • Open your Chromebook’s settings.
  • Click About Chrome OS in the menu on the left, then click Additional details.

Click About Chrome OS in the menu on the left, then click Additional details.

  • Look for the category Channel and click the Change channel button. That’ll cause a pop-up to appear that lets you select the Stable, Beta, or Developer channel. (Canary, remember, is available only if your device is in Developer mode — a level of access that opens the door to more advanced forms of OS modification but also disables some of the software’s standard layers of protection. It requires several extra steps to enable and, again, isn’t advisable for most Chromebook users.)

Change channel menu

Choose the Stable, Beta, or Developer channel.

  • Click the channel you want, then click the blue Change channel confirmation button that appears.
  • Click the left-facing arrow at the top of the screen to get back to the About Chrome OS page. When you see the Restart button appear near the top of the page (it may take a minute or two), click it.

About Chrome OS page with Restart button

Hit the Restart button to complete the change.

And that’s it: as soon as your Chromebook finishes restarting, you’ll be on your new channel with all your accounts, files, and preferences in place just like you left them.

If you ever decide you want to move back to the Stable channel, repeat that same process and select Stable.

Change channel box with “Change channel and Powerwash” button.

If you change back to Stable, you’ll have to Powerwash your system.

Just note that moving in that direction — from a higher channel to a less experimental one — generally requires you to Powerwash your Chromebook. Powerwash means all of your information and data will be erased, and you’ll have to sign in anew and start over.

About ChromeOS box

Hit the Restart and reset button to finish the process of restoring the Stable channel.

The one exception: if your Chromebook is connected to a work- or school-based G Suite account, your data won’t be deleted and the change won’t take place immediately. Instead, you’ll have to wait until the lower channel catches up to the higher one in version number, which could take anywhere from a few weeks to a few months.

Update May 20th, 2022, 9:30AM ET: This article was originally published on October 15th, 2019, and has been updated to account for changes in the OS.

This Article was first live here.

Continue Reading

Technology

Qualcomm updates its AR Smart Viewer reference design with a higher-powered chipset, a wireless tethering system with Wi-Fi 6 / 6E and Bluetooth, and more (Adi Robertson/The Verge)

Published

on


Adi Robertson / The Verge:

Qualcomm updates its AR Smart Viewer reference design with a higher-powered chipset, a wireless tethering system with Wi-Fi 6 / 6E and Bluetooth, and more  —  But don’t expect much battery life  —  Qualcomm is introducing a wireless version of its augmented reality Smart Viewer …

This Article was first live here.

Continue Reading

Trending