Dec 9, 2021

AWS Among 12 Cloud Services Affected by Flaws in Eltima SDK

The flaws, which could enable attackers to disable security and gain kernel-level privileges, affect Amazon WorkSpaces and other cloud services that use USB over Ethernet.
Researchers have found a number of high-severity vulnerabilities in a library created by network virtualization firm Eltima that leave about a dozen cloud services, used by millions of people worldwide, open to privilege-escalation attacks.
That includes Amazon WorkSpaces, Accops and NoMachine, among others: all apps that provide remote desktop access and use the Eltima software development kit (SDK) behind the company’s “USB Over Ethernet” product. USB Over Ethernet shares multiple USB devices over a network, so that users can connect to devices such as webcams on remote machines anywhere in the world as if the devices were physically plugged into their own computers.
The flaws are in the USB Over Ethernet function of the Eltima SDK, not in the cloud services themselves, but because the server side and the end-user apps share code, they affect both clients – such as laptops and desktops running Amazon WorkSpaces software – and cloud-based machine instances that rely on services such as Amazon Nimble Studio AMI running in the Amazon cloud.
The flaws allow attackers to escalate privileges so that they can launch a slew of malicious actions, including to kick the knees off the very security products that users depend on for protection. Specifically, the vulnerabilities can be used to “disable security products, overwrite system components, corrupt the operating system or perform malicious operations unimpeded,” SentinelOne senior security researcher Kasif Dekel said in a report published on Tuesday.

SentinelOne traced the vulnerabilities to two drivers responsible for USB redirection – “wspvuhub.sys” and “wspusbfilter.sys” – in which a buffer overflow lets an attacker elevate privileges and execute arbitrary code in the kernel.
[Figure: Buffer overflow scenario. Source: SentinelOne.]
“An attacker with access to an organization’s network may also gain access to execute code on unpatched systems and use this vulnerability to gain local elevation of privilege,” SentinelOne noted. “Attackers can then leverage other techniques to pivot to the broader network, like lateral movement.”
The cybersecurity firm hasn’t detected in-the-wild use of the vulnerabilities, of which there are dozens.
The firm reported the flaws last quarter to the appropriate vendors, and they’ve since been fixed. The full list of affected products includes Amazon Nimble Studio AMI, Amazon NICE DCV, Amazon WorkSpaces, Amazon AppStream, NoMachine, Accops HyWorks, Accops HyWorks DVM Tools, Eltima USB Network Gate, Amzetta zPortal Windows zClient, Amzetta zPortal DVM Tools, FlexiHub and Donglify.
Some of the updates are automatically applied, while others require customers to take action. The vendors’ responses:
SentinelOne’s post also includes instructions on a manual update that’s necessary on AWS for users that have either maintenance turned off or AlwaysOn WorkSpaces with OS updates turned off.
SentinelOne also recommends “revoking any privileged credentials deployed to the platform before the cloud platforms have been patched and checking access logs for irregularities.”
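Because the patched builds ship through different channels (some automatic, some manual), an administrator will want to confirm what is actually installed on each Windows client or WorkSpaces instance. The following PowerShell inventory is an added example, not code from SentinelOne or any of the vendors; it assumes the two driver file names quoted above are what the product installs under System32\drivers, and it leaves version comparison to the reader, since the fixed build numbers are in the vendor advisories rather than on this page.

```powershell
# Added example: report the installed version, signer, load state and hash of the
# two USB-redirection drivers named in the SentinelOne report, so the values can be
# compared with the vendor's patched build numbers (placeholder: see vendor advisory).
$driverNames = @('wspvuhub.sys', 'wspusbfilter.sys')   # file names quoted in the article
$driverDir   = Join-Path $env:SystemRoot 'System32\drivers'

# Win32_SystemDriver tells us whether the driver service is currently loaded
$loadedDrivers = Get-CimInstance -ClassName Win32_SystemDriver

foreach ($name in $driverNames) {
    $path = Join-Path $driverDir $name
    if (-not (Test-Path -Path $path)) {
        Write-Output "$name : not present in $driverDir"
        continue
    }
    $item = Get-Item -Path $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $svc  = $loadedDrivers | Where-Object { $_.PathName -like "*\$name" }

    [pscustomobject]@{
        Driver      = $name
        FileVersion = $item.VersionInfo.FileVersion   # compare against the vendor's fixed version
        Signer      = $sig.SignerCertificate.Subject
        SigStatus   = $sig.Status                     # expect 'Valid' for a vendor-signed driver
        State       = if ($svc) { $svc.State } else { 'not registered' }
        SHA256      = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    }
}
```

Proprietary variants of the SDK (noted later in the article) may install the drivers under other names, so a host that reports "not present" for both files is not necessarily clean; check the vendor's product-specific guidance as well.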
Other cloud services using the same libraries are probably affected as well, according to SentinelOne’s advisory: “While we have confirmed these vulnerabilities for AWS, NoMachine and Accops, our testing was limited in scope to these vendors, and we believe it is highly likely other cloud providers using the same libraries would be vulnerable,” the firm said.
Moreover, since SentinelOne did not test both the client-side and server-side components of every product it examined, there could be yet more vulnerabilities in the analyzed vendors’ products.
The security holes, which are also found in Eltima SDK-derived products and proprietary variants, have been “unwittingly inherited by cloud customers,” Dekel wrote.
SentinelOne pointed out that vulnerabilities in third-party code such as the ones found in Eltima’s SDK could spread far and wide, potentially endangering “huge” numbers of products, systems and, ultimately, users: everything and everybody downstream in the cloud supply chain.
Recent instances of code supply-chain vulnerabilities have included four Microsoft zero-days in the Azure cloud platform’s Open Management Infrastructure (OMI) – software that many don’t even realize is embedded in a host of services – that showed up in September. Dubbed “OMIGOD,” both for the infrastructure’s name and because that’s how researchers reacted when they discovered them, the weaknesses demonstrated a massive security blind spot.
Another example showed up in June, when cryptominer code bombs appeared in the Python Package Index (PyPI), the package repository for the Python programming language.
SentinelOne pointed to the pandemic-fueled need to adopt new work models to support work-from-home (WFH) staff as adding an edge to these kinds of disclosures: “This required organizations to make use of various solutions that allow WFH employees to securely access their organization’s assets and resources.”
The result has been a booming market for WFH products, but security “has not necessarily evolved accordingly,” the advisory said.
Image courtesy of Blue Coat Photos. Licensing details.