Is Elon Musk a Security Expert? - ThreatWire

Threat Wire - Security, Privacy, and Internet Freedom News!
15 May 2024 · 10:27

Summary

TL;DR: This week's episode of Threat Wire covers a range of cybersecurity topics. It compares Signal and Telegram, noting that Signal's encryption protocol is open source while Telegram only provides end-to-end encryption once a secret chat is enabled. It also addresses two high-severity vulnerabilities in Next.js, urging users to update to version 14.1.1 to resolve them. It covers a network technique that bypasses VPN encapsulation using a DHCP feature, which turned out not to be novel but still poses a threat. The discussion of passwordless (FIDO2) authentication's exposure to man-in-the-middle attacks is also included, with recommendations for improving security. The episode concludes with a reminder that all stories featured are real and sourced, and an invitation to engage with the host on social media and Twitch.

Takeaways

  • 🔒 **High Severity Vulnerabilities**: Two new vulnerabilities, CVE-2024-34350 and CVE-2024-34351, were found in Next.js, both with a CVSS score of 7.5 (high).
  • 📄 **Response Queue Poisoning**: The first vulnerability (CVE-2024-34350) is a response queue poisoning flaw reached through HTTP request smuggling; it causes a front-end server to map backend responses to the wrong requests.
  • ⛓ **Server-Side Request Forgery**: The second vulnerability (CVE-2024-34351) is a server-side request forgery that lets attackers reach resources they are not authorized to access.
  • 🛠️ **Solution for Next.js Issues**: Updating to Next.js version 14.1.1 or later resolves both vulnerabilities.
  • 🕵️‍♂️ **VPN Bypass Technique**: A network technique that bypasses VPN encapsulation using a DHCP feature was published, allowing an attacker on the same local network to snoop on a user's traffic.
  • 📡 **DHCP Option 121**: The decloaking attack relies on DHCP option 121 (classless static routes), which installs routes in the client's routing table; routes more specific than the VPN's default route pull traffic outside the tunnel.
  • 🔍 **Rediscovery of Known Issues**: The VPN bypass technique was not new, having been discussed as early as 2015, which highlights the importance of historical research so that known weaknesses are not rediscovered as novel.
  • 🔑 **FIDO2 Authentication Flaw**: A critical flaw involving the FIDO2 standard was reported: an attacker positioned between the user and the relying party can intercept and manipulate the authentication exchange and take over the resulting session.
  • 📈 **Token Binding Recommendation**: Implementing token binding, which ties a session token to the TLS connection it was issued over, is suggested to prevent token theft and man-in-the-middle attacks.
  • 📱 **Telegram vs Signal**: A debate arose regarding the security of Telegram and Signal, with Signal being open-source and having fewer CVEs compared to Telegram.
  • ⚖️ **Legal Exploitation of Signal**: There were claims that Signal messages had been exploited against their senders in US courts, but Signal points to its end-to-end encryption and open-source code.
  • 💬 **Community Response**: The security community has responded to the debate, defending the encryption and security measures implemented by Signal.
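The option 121 takeaways above describe the mechanism only in words. The following is an added example written for this summary (not code from the episode or from the researchers who published the attack): it encodes and decodes the RFC 3442 classless static route format carried in DHCP option 121, then applies longest-prefix matching to a constructed routing table to show why routes pushed by a rogue DHCP server on the LAN beat a VPN's 0.0.0.0/0 route. All addresses and the route payload are constructed for illustration.

```python
"""RFC 3442 DHCP option 121 encode/decode plus a longest-prefix-match check.

Added example for this summary; not code from the episode or the researchers.
Every address below is constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def route(cidr: str, via: str) -> Route:
    return ipaddress.IPv4Network(cidr), ipaddress.IPv4Address(via)


def encode_option_121(routes: List[Route]) -> bytes:
    """Option 121 value (without the option tag/length byte). Per route:
    1 byte prefix length, the significant destination octets (ceil(len/8)
    of them), then the 4-byte router address."""
    out = bytearray()
    for net, router in routes:
        sig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += router.packed
    return bytes(out)


def decode_option_121(value: bytes) -> List[Route]:
    """Inverse of encode_option_121; rejects malformed payloads instead of
    guessing, which is what a DHCP client should do too."""
    routes: List[Route] = []
    i = 0
    while i < len(value):
        plen = value[i]
        if plen > 32:
            raise ValueError(f"prefix length {plen} > 32 at offset {i}")
        sig = (plen + 7) // 8
        i += 1
        if i + sig + 4 > len(value):
            raise ValueError("truncated option 121 value")
        dest = value[i:i + sig] + bytes(4 - sig)      # pad omitted octets with zeros
        router = value[i + sig:i + sig + 4]
        i += sig + 4
        net = ipaddress.IPv4Network((ipaddress.IPv4Address(dest), plen))
        routes.append((net, ipaddress.IPv4Address(router)))
    return routes


def next_hop(dst: str, table: List[Route]) -> Optional[ipaddress.IPv4Address]:
    """Longest-prefix match, the rule every host routing table applies."""
    best: Optional[Route] = None
    for net, router in table:
        if ipaddress.IPv4Address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, router)
    return best[1] if best else None


def leaked_destinations(table: List[Route], option_121: bytes,
                        vpn_gateway: str, probes: List[str]) -> List[str]:
    """Destinations whose next hop is no longer the VPN gateway once the
    option 121 routes are installed: the check a client-side detector wants."""
    merged = table + decode_option_121(option_121)
    return [d for d in probes if next_hop(d, merged) != ipaddress.IPv4Address(vpn_gateway)]


# Constructed host state: a full-tunnel VPN owns the default route.
VPN_GATEWAY = "10.8.0.1"
LAN_GATEWAY = "192.168.1.1"          # attacker-controlled next hop on the LAN
HOST_TABLE = [route("0.0.0.0/0", VPN_GATEWAY)]

# Constructed rogue payload: the two /1 routes cover all of IPv4 and are more
# specific than /0, so everything leaves via the LAN; the /24 shows a targeted
# variant that only diverts traffic to one network.
ROGUE_ROUTES = [
    route("0.0.0.0/1", LAN_GATEWAY),
    route("128.0.0.0/1", LAN_GATEWAY),
    route("203.0.113.0/24", LAN_GATEWAY),
]

if __name__ == "__main__":
    payload = encode_option_121(ROGUE_ROUTES)
    print("option 121 hex:", payload.hex())
    print("leaked:", leaked_destinations(HOST_TABLE, payload, VPN_GATEWAY, ["8.8.8.8", "203.0.113.7"]))
```

The detector never inspects the VPN at all, which is the point of the takeaway: the tunnel is intact, the host simply routes around it. Clients that do not honour option 121 (Android is the well-known case) are unaffected, and on Linux running the VPN in its own network namespace keeps LAN-supplied routes out of the tunnel's table.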

Q & A

  • What are the two new vulnerabilities found in the Next.js libraries?

    -The two new vulnerabilities are CVE-2024-34350, a response queue poisoning vulnerability, and CVE-2024-34351, a server-side request forgery vulnerability.

  • What is the severity score assigned to these vulnerabilities?

    -Both vulnerabilities carry a CVSS score of 7.5, rated high.

  • How does the response cache poisoning vulnerability (CVE-2024-34350) work?

    -The flaw is reached through an HTTP request smuggling attack: a crafted request is treated as one request by one component and as two by another, so the front-end server maps responses from the backend to the wrong requests and users are served responses intended for others.

  • What is the server-side request forgery vulnerability (CVE-2024-34351) about?

    -This vulnerability allows attackers to abuse requests to access or update resources they don't have permissions to.

  • What is the recommended solution to resolve both CVE-2024-34350 and CVE-2024-34351?

    -The recommended solution is to update to Next.js version 14.1.1 or later, which resolves both vulnerabilities.

  • What is the decloaking network technique that bypasses VPN encapsulation?

    -The decloaking technique abuses a standard DHCP feature to force a user's traffic off the VPN tunnel: an attacker on the same local network runs a rogue DHCP server (or controls the real one) and pushes static routes to the client, so the client's own routing table sends traffic to the attacker's gateway instead of into the tunnel, where the attacker can read it.

  • What is the significance of the research on the decloaking attack?

    -The research aimed to test the technique against modern VPN providers to determine their vulnerability and to notify the public of the issue, highlighting the importance of not losing historical context in cybersecurity.

  • What is the critical flaw reported in the FIDO2 standard that allows man-in-the-middle attacks?

    -Researchers found that an attacker who can intercept and manipulate the authentication communications between the user and the relying party can take over the authenticated session, gaining access to the user's private information and performing actions as the user.

  • How can token binding help prevent man-in-the-middle attacks with FIDO2?

    -Token binding ties a security token to the TLS connection over which it was issued, so a token stolen or relayed through a man-in-the-middle cannot be replayed over a different TLS connection; the relying party validates the binding every time the token is presented.

  • What is the controversy between Signal and Telegram regarding their encryption and security?

    -Telegram's founder claimed that Signal's messages can be compromised and that big tech companies use the same encryption as Signal. However, Signal's president and the security community refuted these claims, emphasizing Signal's end-to-end encryption and open-source nature.

  • What does the security community recommend regarding the Signal and Telegram debate?

    -Experts consider Signal's end-to-end encryption more secure, since it uses an open-source protocol that is widely adopted and verified, while Telegram requires enabling secret chat for end-to-end encryption and has a higher number of known CVEs.

  • What was the AI-written story in the last week's episode of Threatwire?

    -The AI-written story was about the GitLab vulnerability that was leading to account takeovers.
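The response queue poisoning answer above describes the mechanism in words. The following is an added simulation written for this summary (not Next.js code and not from the episode): a front-end that frames request bodies by Content-Length sits in front of a backend that honours Transfer-Encoding: chunked, and their shared connection is modelled as a FIFO of responses. One constructed request that the front-end sees as a single request is parsed by the backend as two, and from then on every client receives the response meant for the previous one. The hardened front-end rejects requests that carry both framing headers. All requests, paths and responses are constructed.

```python
"""Simulation of HTTP request smuggling turning into response queue poisoning.

Added illustration for this summary; not code from Next.js or the episode.
"""
from __future__ import annotations

from typing import Optional

CRLF = b"\r\n"


def _headers(head: bytes) -> dict[str, str]:
    """Lower-cased header map from a request head (request line excluded)."""
    out: dict[str, str] = {}
    for line in head.split(CRLF)[1:]:
        if line:
            name, _, value = line.decode("latin-1").partition(":")
            out[name.strip().lower()] = value.strip()
    return out


def frame_request(buf: bytes, honour_chunked: bool) -> Optional[tuple[bytes, str]]:
    """Return (bytes of one complete request at the start of buf, path), or None
    if more data is needed. honour_chunked selects which framing rule wins."""
    end = buf.find(CRLF + CRLF)
    if end < 0:
        return None
    head, body_start = buf[:end], end + 4
    path = head.split(b" ", 2)[1].decode("latin-1")
    hdrs = _headers(head)
    if honour_chunked and hdrs.get("transfer-encoding", "").lower() == "chunked":
        pos = body_start
        while True:
            nl = buf.find(CRLF, pos)
            if nl < 0:
                return None
            size = int(buf[pos:nl], 16)
            pos = nl + 2
            if size == 0:                       # last chunk, then an empty trailer line
                return (buf[:pos + 2], path) if len(buf) >= pos + 2 else None
            if len(buf) < pos + size + 2:
                return None
            pos += size + 2
    length = int(hdrs.get("content-length", "0"))
    if len(buf) < body_start + length:
        return None
    return buf[:body_start + length], path


class Backend:
    """Origin server: honours chunked framing and answers strictly in order."""

    def __init__(self) -> None:
        self.buf = b""
        self.queue: list[str] = []               # responses the front-end has not read yet

    def feed(self, data: bytes) -> None:
        self.buf += data
        while (framed := frame_request(self.buf, honour_chunked=True)) is not None:
            consumed, path = framed
            self.buf = self.buf[len(consumed):]
            self.queue.append(f"200 OK resource={path}")


class FrontEnd:
    """Reverse proxy: frames by Content-Length only, forwards exactly the bytes it
    framed as one request, then hands the client the next queued backend response."""

    def __init__(self, backend: Backend, reject_ambiguous: bool = False) -> None:
        self.backend = backend
        self.reject_ambiguous = reject_ambiguous   # the fix: refuse CL + TE together

    def handle(self, client_bytes: bytes) -> str:
        framed = frame_request(client_bytes, honour_chunked=False)
        if framed is None:
            return "400 Bad Request"
        consumed, _ = framed
        hdrs = _headers(consumed.split(CRLF + CRLF, 1)[0])
        if self.reject_ambiguous and "transfer-encoding" in hdrs and "content-length" in hdrs:
            return "400 Bad Request (ambiguous framing)"
        self.backend.feed(consumed)
        return self.backend.queue.pop(0) if self.backend.queue else "502 Bad Gateway"


def smuggling_request(smuggled_path: str = "/admin") -> bytes:
    """Constructed CL.TE request: the body is a terminating chunk followed by a
    second, hidden request that only the backend will see as a request."""
    hidden = f"GET {smuggled_path} HTTP/1.1\r\nHost: app\r\n\r\n".encode()
    body = b"0\r\n\r\n" + hidden
    return (b"POST / HTTP/1.1\r\nHost: app\r\n"
            + f"Content-Length: {len(body)}\r\n".encode()
            + b"Transfer-Encoding: chunked\r\n\r\n" + body)


VICTIM_REQUEST = b"GET /profile HTTP/1.1\r\nHost: app\r\n\r\n"
PROBE_REQUEST = b"GET /probe HTTP/1.1\r\nHost: app\r\n\r\n"


def run_scenario(reject_ambiguous: bool) -> dict[str, str]:
    """Attacker smuggles, victim requests /profile, attacker probes again."""
    fe = FrontEnd(Backend(), reject_ambiguous)
    return {
        "attacker_first": fe.handle(smuggling_request()),
        "victim": fe.handle(VICTIM_REQUEST),
        "attacker_second": fe.handle(PROBE_REQUEST),
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(reject_ambiguous=False))
    print("hardened:  ", run_scenario(reject_ambiguous=True))
```

In the vulnerable run the victim is handed the /admin response and the attacker's follow-up request collects the victim's /profile response, which is exactly the "responses intended for others" outcome the answer describes. Rejecting requests that carry both Content-Length and Transfer-Encoding removes the disagreement between the two parsers; making both sides apply the same framing rule is the other standard fix.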


Related Tags: Cybersecurity, Vulnerabilities, Nextjs, DHCP, VPN, Signal, Telegram, Encryption, Man-in-the-Middle, Authentication, FUD, Software Engineering, Cryptography