image of breaking badness
Breaking Badness
Breaking Badness

124. Patch Me If You Can

Here are a few highlights from each article we discussed:

Cuz I’m The PACMAN

  • MIT researchers discovered Apple’s M1 chips have an “unpatchable” hardware vulnerability that could allow attackers to break through its last line of security defenses
  • The M1 chip is a desktop class ARM processor designed and built by the Apple team to eliminate their reliance on Intel x86 chips
    • It powers the bulk of their desktop / laptop lineup and is finding its way into their iPads as well
    • They are chock full of cores and are quite power efficient
    • And as all chips these days with a lot of cores (think chips on chips on chips) they use these extra cores to leverage “branch prediction” to speed up applications that are running
    • Branch prediction allows them to parallel process multiple pathways of instructions and then “choose” the right branch
  • In their research, the MIT team found the pointer authentication codes (PAC) can be defeated, and there’s no patch to fix it
    • Apple continues to come up with newer and newer designs and came up with this pointer authentication to make sure the stuff that comes out on the other side is the stuff that came in on the front side
    • The folks at MIT came in and said that work may have been for not
  • This attack is called “PACman”
    • It will “guess” a PAC with speculative execution
    • There are only so many values for the PAC, so it’s possible to guess the correct one
  • The researchers also found that this attack works against the kernel
    • “Kernel” being the software core of a device’s operating system
    • This has dire implications future security work
      • Pointer authentication was meant to be the last defense against attackers, but this research shows that it isn’t as robust as previously thought
  • Pointer authentication is used on all of Apple’s custom ARM-based silicon so far (M1, M1 Pro, and M1 Max)
    • Apple is currently working on the M2 chip, which also supports pointer authentication, but MIT has not yet tested the attack on it
  • Apple is appreciative of the research done by MIT, though they currently do not believe this poses an immediate risk to users
    • Current state, Apple could certainly be correct
    • It’s not immediately apparent right now what could happen, but it will be in so many different chips, Apple and Android alike
  • In terms of next steps, there isn’t a whole lot anyone can do at this point
    • Folks are working on detection
    • The tricky part about this is things are happening on this speculative branch (the untraveled branch)
    • It’s difficult to detect, if not impossible at this point

Zero Days of Summer

  • Confluence, an Atlassian product, had another remote code execution vulnerability
    • If you sent the correct malformed packet, under the right circumstances, you could remote execute any arbitrary code you wanted
    • This is also not the first instance of this type of occurrence
      • There was a similar incident in 2021, so this probably isn’t the last time we’ll hear about this type of vulnerability
  • On June 2, Atlassian released a security advisory outlining an active zero-day campaign targeting a critical flaw that is being tracked as CVE-2022-26134
    • This vulnerability impacts all versions of the Confluence Server and Confluence Data Center
  • Atlassian classified this vulnerability as critical
  • Immediate recommendation was to put Confluence behind a web application firewall
    • You do have to be able to talk to the vulnerable server over the network in order to exploit it, so if it’s internet-exposed, you want to limit that access
    • Without a patch available in the first 24 hours, the risk of something happening was too big, so we at DomainTools shut down our Confluence server to be overly cautious
      • A patch was available the next day, to Atlassian’s credit
  • The million dollar question is: who is behind this?
    • Threat actors curious about proprietary technologies (typically, company information lives on these wikis). This is a great opportunity to collect intelligence to hurt a company if publicly released
    • Likely commercial espionage space, but it’s hard to say

Two Truths and a Lie

Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with called two truths and a lie, with a fun twist. Each week, one us with come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.

You’ll have to tune in to find out!

Current Scoreboard

This Week’s Hoodie/Goodie Scale

Cuz I’m The PACMAN

[Taylor]: 4.75/10 Hoodies
[Daniel]: 8/10 Hoodies

Zero Days of Summer

[Taylor]: 6.5/10 Hoodies
[Daniel]: 8/10 Hoodies

That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!