Is Elon Musk a Security Expert? - ThreatWire
Summary
TLDR: This week's episode of ThreatWire covers a range of cybersecurity topics. It discusses the comparison between Signal and Telegram, highlighting Signal's open-source encryption and Telegram's need for enabling Secret Chat to get end-to-end encryption. The episode also addresses two high-severity vulnerabilities found in the Next.js libraries, urging users to update to version 14.11 to resolve them. Additionally, it covers a network technique that bypasses VPN encapsulation using DHCP features, which was discovered not to be novel but still poses a threat. The discussion of passwordless (FIDO2) authentication's vulnerability to man-in-the-middle attacks is also included, with recommendations for improving security. The episode concludes with a reminder that all stories featured are real and sourced, and an invitation to engage with the host on social media and Twitch.
Takeaways
- 🔒 **High Severity Vulnerabilities**: Two new vulnerabilities, CVE-2024-34350 and CVE-2024-34351, were found in Next.js libraries with a high severity score of 7.5.
- 📄 **Response Queue Poisoning**: The first vulnerability (CVE-2024-34350) is a response queue poisoning vulnerability, a request smuggling variant that causes front-end servers to map backend responses to the wrong requests.
- ⛓ **Server-Side Request Forgery**: The second vulnerability (CVE-2024-34351) is a server-side request forgery, allowing attackers to access unauthorized resources.
- 🛠️ **Solution for Next.js Issues**: Updating to Next.js version 14.11 or later is recommended to resolve both vulnerabilities.
- 🕵️♂️ **VPN Bypass Technique**: A network technique that bypasses VPN encapsulation using DHCP features was discovered, allowing attackers to snoop on user traffic.
- 📡 **DHCP Option 121**: The decloaking attack relies on DHCP option 121, which can add static routes to a client's routing table, potentially redirecting traffic outside of a VPN tunnel.
- 🔍 **Rediscovery of Known Issues**: The VPN bypass technique was not new, having been discussed as early as 2015, highlighting the importance of historical research to prevent rediscovery of known vulnerabilities.
- 🔑 **FIDO2 Authentication Flaw**: A critical flaw in FIDO2 standard was found, potentially allowing man-in-the-middle attacks by manipulating authentication communications.
- 📈 **Token Binding Recommendation**: Implementing token binding to prevent token theft and man-in-the-middle attacks is suggested.
- 📱 **Telegram vs Signal**: A debate arose regarding the security of Telegram and Signal, with Signal being open-source and having fewer CVEs compared to Telegram.
- ⚖️ **Legal Exploitation of Signal**: There were claims that Signal messages were exploited in US courts, but Signal maintains its end-to-end encryption and open-source nature.
- 💬 **Community Response**: The security community has responded to the debate, defending the encryption and security measures implemented by Signal.
Q & A
What are the two new vulnerabilities found in the Next.js libraries?
-The two new vulnerabilities are CVE-2024-34350, which is a response queue poisoning vulnerability, and CVE-2024-34351, which is a server-side request forgery vulnerability.
What is the severity score assigned to these vulnerabilities?
-The vulnerabilities have been assigned a high severity score of 7.5.
How does the response queue poisoning vulnerability (CVE-2024-34350) work?
-This vulnerability is a form of request smuggling attack that causes a front-end server to map responses from backends to the wrong requests, so users of the same front-end/backend connection are served responses intended for others.
What is the server-side request forgery vulnerability (CVE-2024-34351) about?
-This vulnerability allows attackers to abuse requests to access or update resources they don't have permissions to.
What is the recommended solution to resolve both CVE-2024-34350 and CVE-2024-34351?
-The recommended solution is to update to Next.js version 14.11 or later to resolve both vulnerabilities.
What is the decloaking network technique that bypasses VPN encapsulation?
-The decloaking technique uses DHCP features to force a user's traffic off the VPN tunnel, allowing attackers to snoop on the target's traffic by tricking the VPN into thinking the attacker's server is the DHCP server.
What is the significance of the research on the decloaking attack?
-The research aimed to test the technique against modern VPN providers to determine their vulnerability and to notify the public of the issue, highlighting the importance of not losing historical context in cybersecurity.
What is the critical flaw discovered in the FIDO2 standard that allows man-in-the-middle attacks?
-Researchers found that attackers can intercept and manipulate authentication communications between the user and the relying party, allowing them to gain access to the user's private information and perform malicious activities such as removing registered FIDO2 devices.
How can token binding help prevent man-in-the-middle attacks in FIDO2?
-Token binding binds security tokens to the TLS layer, preventing token theft and man-in-the-middle attacks; the researchers additionally advise that session tokens be used only once and that the authentication process be thoroughly validated.
What is the controversy between Signal and Telegram regarding their encryption and security?
-Telegram's founder claimed that Signal's messages can be compromised and that big tech companies use the same encryption as Signal. However, Signal's president and the security community refuted these claims, emphasizing Signal's end-to-end encryption and open-source nature.
What does the security community recommend regarding the Signal and Telegram debate?
-Experts recommend that Signal's end-to-end encryption is more secure as it uses an open-source protocol that is widely adopted and verified, while Telegram requires enabling secret chat for encryption and has a higher number of known CVEs.
What was the AI-written story in the last week's episode of Threatwire?
-The AI-written story was about the GitLab vulnerability that was leading to account takeovers.
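To make the token-binding recommendation in the FIDO2 answers above concrete, here is an added example written for this page (not code from Silverfort or the FIDO Alliance) of a relying party that ties each session token to the TLS channel it was issued on and hands out single-use challenges. The channel identifier stands in for the TLS exported keying material (RFC 5705) that a real token-binding implementation would obtain from the TLS stack; the "EKM" values and session ids below are constructed.

```python
"""Simplified model of the token-binding and single-use-token advice for a FIDO2
relying party. Added example for this page, not code from Silverfort or the FIDO
Alliance. The channel identifier stands in for TLS exported keying material
(RFC 5705), which a real token-binding implementation obtains from the TLS stack;
the values used below are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Set


class RelyingParty:
    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key or secrets.token_bytes(32)   # server-side MAC key
        self._live_challenges: Set[str] = set()

    # ---- single-use challenges -------------------------------------------
    def new_challenge(self) -> str:
        """Mint a fresh random challenge for the authenticator to sign."""
        challenge = secrets.token_hex(16)
        self._live_challenges.add(challenge)
        return challenge

    def consume_challenge(self, challenge: str) -> bool:
        """Accept a challenge exactly once; replays and unknown values are refused."""
        if challenge in self._live_challenges:
            self._live_challenges.discard(challenge)
            return True
        return False

    # ---- channel-bound session tokens -------------------------------------
    def _tag(self, session_id: str, channel_id: bytes) -> str:
        msg = session_id.encode() + b"|" + channel_id
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue_token(self, session_id: str, channel_id: bytes) -> str:
        """Bind the session to the TLS channel it was established on."""
        return f"{session_id}.{self._tag(session_id, channel_id)}"

    def verify_token(self, token: str, channel_id: bytes) -> Optional[str]:
        """Return the session id if the token was bound to this channel, else None."""
        session_id, sep, tag = token.rpartition(".")
        if not sep:
            return None
        if hmac.compare_digest(tag, self._tag(session_id, channel_id)):
            return session_id
        return None


def relayed_token_rejected(rp: RelyingParty) -> bool:
    """Scenario from the story: a token captured from the victim's connection is
    presented over a different TLS channel. True when the relying party still
    honours the token on the original channel but refuses it on the other."""
    victim_channel = hashlib.sha256(b"constructed victim EKM").digest()
    other_channel = hashlib.sha256(b"constructed attacker EKM").digest()
    token = rp.issue_token("sess-42", victim_channel)
    return (rp.verify_token(token, victim_channel) == "sess-42"
            and rp.verify_token(token, other_channel) is None)


if __name__ == "__main__":
    rp = RelyingParty()
    c = rp.new_challenge()
    print("first use accepted:", rp.consume_challenge(c))
    print("replay accepted:   ", rp.consume_challenge(c))
    print("relayed token rejected:", relayed_token_rejected(rp))
```

The MAC over the session id and channel identifier is what makes a stolen token useless on any other connection; a relying party that instead stored bare session ids would accept the same token from wherever it was presented.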
Outlines
🔒 JavaScript Vulnerabilities in Next.js Libraries
This week's episode of ThreatWire discusses two high-severity vulnerabilities found in Next.js libraries, CVE-2024-34350 and CVE-2024-34351, both assigned a severity score of 7.5. The first vulnerability, CVE-2024-34350, is a response queue poisoning vulnerability that can lead to front-end servers mapping responses from backends to the wrong requests. This can result in users receiving responses intended for others. The second vulnerability, CVE-2024-34351, is a server-side request forgery, allowing attackers to access or update unauthorized resources. The solution is to update to at least Next.js version 14.11. Additionally, a network technique that bypasses VPN encapsulation by exploiting DHCP features is detailed, highlighting the need for a focus on historical research to prevent re-discovery of known issues.
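As an added illustration of the DHCP option 121 mechanism behind the VPN bypass summarised above (this is example code written for this page, not Leviathan Security Group's tooling): a decoder for the RFC 3442 classless static route option, followed by a check a defender can run over the routes a DHCP server pushed to see which of them would win longest-prefix match against a VPN's tunnel routes. The option payload and the VPN routes are constructed samples; the VPN route pair 0.0.0.0/1 and 128.0.0.0/1 assumes the split-default-route style some VPN clients install, and a tie in prefix length is treated as staying on the tunnel, which is the optimistic case since on a real host the metric decides.

```python
"""Decode DHCP option 121 (RFC 3442 classless static routes) and report which
pushed routes would take traffic away from a VPN tunnel.

Added example for this page; the option payload and VPN routes are constructed.
"""
import ipaddress
from typing import List, Tuple

# (destination network, next-hop router as a dotted quad)
Route = Tuple[ipaddress.IPv4Network, str]


def decode_option_121(payload: bytes) -> List[Route]:
    """Parse the option value: repeated <prefix-len><significant dest octets><router>.

    RFC 3442 sends only ceil(prefix_len / 8) octets of the destination, so a /0
    route carries no destination bytes at all and a /20 carries three.
    """
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i - 1}")
        sig = (plen + 7) // 8
        if i + sig + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = payload[i:i + sig] + bytes(4 - sig)   # zero-pad to a full address
        router = payload[i + sig:i + sig + 4]
        i += sig + 4
        # strict=False: a sloppy or hostile server may set bits beyond the prefix
        net = ipaddress.IPv4Network((dest, plen), strict=False)
        routes.append((net, str(ipaddress.IPv4Address(router))))
    return routes


def overriding_routes(dhcp_routes: List[Route],
                      vpn_routes: List[ipaddress.IPv4Network]) -> List[Route]:
    """Return the DHCP routes that are more specific than every VPN route covering them.

    Such a route wins longest-prefix match, so traffic to it leaves through the
    physical interface regardless of what the VPN client installed.
    """
    leaked: List[Route] = []
    for net, router in dhcp_routes:
        covering = [v for v in vpn_routes if net.subnet_of(v)]
        if not covering:
            continue                      # the VPN never carried this destination
        if net.prefixlen > max(v.prefixlen for v in covering):
            leaked.append((net, router))
    return leaked


def next_hop(dst: str, dhcp_routes: List[Route],
             vpn_routes: List[ipaddress.IPv4Network]) -> str:
    """Longest-prefix lookup across both route sets.

    VPN routes are considered first so an equal-length prefix stays on the
    tunnel; a real kernel breaks that tie on the route metric.
    """
    addr = ipaddress.IPv4Address(dst)
    best_len, best_hop = -1, "unreachable"
    for v in vpn_routes:
        if addr in v and v.prefixlen > best_len:
            best_len, best_hop = v.prefixlen, "vpn-tunnel"
    for net, router in dhcp_routes:
        if addr in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, router
    return best_hop


# Constructed option 121 value, as a hostile DHCP server on the LAN might send it.
SAMPLE_OPTION_121 = bytes.fromhex(
    "00" "c0a80101"             # 0.0.0.0/0        via 192.168.1.1   (normal default route)
    "14" "0a1400" "c0a801fe"    # 10.20.0.0/20     via 192.168.1.254 (3 significant octets)
    "18" "c63364" "c0a801fe"    # 198.51.100.0/24  via 192.168.1.254
    "20" "cb007105" "c0a801fe"  # 203.0.113.5/32   via 192.168.1.254
)

# Constructed VPN routes: the two /1 routes some clients install to beat the default route.
VPN_ROUTES = [ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")]

if __name__ == "__main__":
    routes = decode_option_121(SAMPLE_OPTION_121)
    for net, router in routes:
        print(f"pushed  {net!s:18} via {router}")
    for net, router in overriding_routes(routes, VPN_ROUTES):
        print(f"LEAK    {net!s:18} leaves the tunnel via {router}")
    print("198.51.100.7 ->", next_hop("198.51.100.7", routes, VPN_ROUTES))
    print("192.0.2.1    ->", next_hop("192.0.2.1", routes, VPN_ROUTES))
```

A host-side monitor could feed the option 121 bytes from the lease it actually received into decode_option_121 and alarm when overriding_routes returns anything. The transcript's point that nothing but packet size limits how many routes one offer can carry is why the decoder keeps going until the payload is exhausted rather than stopping after a fixed count.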
📱 Security Concerns: Telegram vs Signal
The script addresses the ongoing debate between Telegram and Signal over which is the most secure messaging app. It mentions a post by Telegram's founder, Pavel Durov, questioning Signal's security and suggesting that Signal's encryption can be compromised. This has sparked a response from the security community, defending Signal's open-source encryption and its use by various tech companies. Signal's typical response to such claims is to emphasize its open-source nature, allowing anyone to verify its security. In contrast, Telegram requires users to enable 'Secret Chat' for end-to-end encryption. The discussion also touches on the number of known CVEs for each platform, with Signal having 14 and Telegram 36. Elon Musk's comment about unaddressed Signal vulnerabilities, which lacks evidence, is also highlighted, emphasizing the importance of accurate information in security discussions.
📢 Threatwire Show and Community Engagement
The video script concludes with a reminder that every story included in Threatwire is real and sourced, dispelling doubts about the authenticity of the content. The host mentions their presence on various online platforms, including Twitch and Instagram, where they engage with the community and share additional content. The host also encourages viewers to support the show on Patreon and to join them on their social media channels for more cybersecurity discussions, challenges, and a mix of technical and light-hearted content.
Keywords
💡Signal
💡Telegram
💡CVE
💡Response Splitting
💡Server-Side Request Forgery (SSRF)
💡DHCP
💡VPN
💡FIDO2
💡Token Binding
💡Threatwire
💡AI-generated content
Highlights
A high severity vulnerability (CVE-2024-34350) with a score of 7.5 has been found in Next.js libraries, leading to response queue poisoning attacks.
The response queue poisoning vulnerability can cause front-end servers to map responses from backends to the wrong requests.
A second vulnerability (CVE 2024-34351) is a server-side request forgery, allowing attackers to access or update unauthorized resources.
To resolve these vulnerabilities, users are advised to update their Next.js versions to at least 14.11.
Researchers at Leviathan Security Group have identified a network technique that bypasses VPN encapsulation using DHCP features.
The decloaking attack exploits DHCP option 121 to force a user's traffic off the VPN tunnel, allowing attackers to snoop on the target's traffic.
The decloaking attack was given a CVE and over 50 vendors were alerted prior to public disclosure.
Recent research has uncovered a critical flaw in the FIDO2 standard, allowing man-in-the-middle attacks and bypassing FIDO2 authentication.
Researchers recommend implementing token binding to prevent token theft and man-in-the-middle attacks.
Telegram and Signal are in a dispute over which is the most secure messaging app; Signal's encryption has been scrutinized.
Telegram's founder, Pavel Durov, has criticized Signal's encryption, claiming it can be compromised.
Signal's response to allegations of compromise is that it is open source and its security can be independently verified.
Experts in the security community have refuted Telegram's claims, supporting Signal's encryption and security practices.
Elon Musk has commented on known vulnerabilities in Signal that are allegedly not being addressed, though no evidence is provided.
AI has written a story in this week's episode of ThreatWire, which is a real news story about a GitLab vulnerability leading to account takeovers.
ThreatWire is written live each week on the host's Twitch channel, providing an interactive experience for viewers.
The host is an MIT-educated software engineer who does cybersecurity as a hobby and in her free time.
The host will be attending Defcon and invites viewers to join the conversation on social media platforms.
Transcripts
Which is better, Signal or Telegram? This story and more in this week's episode of ThreatWire.

For the JavaScript viewers: two new vulnerabilities were found in the Next.js libraries. CVE-2024-34350 and CVE-2024-34351 have been assigned a high severity score of 7.5. The first vulnerability, CVE-2024-34350, is a response queue poisoning vulnerability. According to PortSwigger, response queue poisoning is a powerful form of request smuggling attack that causes a front-end server to start mapping responses from the backends to the wrong requests. In practice this means that all users of the same front-end/backend connection are persistently served responses that were intended for someone else, which, to be very clear, is not good. The other vulnerability, CVE-2024-34351, is a server-side request forgery vulnerability, meaning that attackers can abuse requests to access or update resources they don't have permissions to. According to an application security engineer at Vercel, CVE-2024-34350 comes about under the following: inconsistent interpretation of a crafted HTTP request meant that requests were being treated as both a single request and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions. The security engineer disclosed the other CVE, and that it was also found by the team at Assetnote. The SSRF vulnerability is able to happen when running a self-hosted Next.js server older than version 14.11, the server uses server actions, and the server action performs a redirect to a relative path that starts with a slash. The solution for resolving both issues is to update your Next.js versions to 14.11 at the minimum to resolve both CVEs.

Researchers at the Leviathan Security Group identified a network technique that bypasses VPN encapsulation. They say it uses decloaking, the ability to force a user's traffic off the VPN tunnel, in this case specifically using DHCP features; they're able to snoop targets' traffic. The attack relies on DHCP option 121. In 2002, RFC 3442 introduced option 121, classless static routes, and obsoleted option 33, which still should be supported, depending on who you ask. Option 121 also allows administrators to add static routes to a client's routing table, but with classless ranges instead. There's no limit besides packet size to how many different routes can be installed at once. To work, targets and attackers must be on the same network. Essentially, the attacker will trick the target's VPN into thinking that they are their DHCP server. Attackers can snoop on traffic using forwarding rules on the malicious DHCP server to pass it through to a real gateway. Using option 121 to arbitrarily set the route, they're able to set a higher priority than those of the routes used by a VPN. This also leads to all of the target's network traffic being sent outside of the VPN's encrypted tunnel. This decloaking attack was given a CVE, and with the help of the EFF and CISA they were able to alert over 50 vendors prior to public disclosure. Now here's where the story gets a little bit interesting: after publishing, it's come out that this isn't necessarily novel. They even acknowledge that this isn't novel by crossing out the word that they used in the first paragraph of the publication. In an update included, they came to learn that this research isn't new and has been published across the web as early as 2015, in a blog post about hardening OpenVPN for Defcon. They do the update and say the purpose of this research was to test this technique against modern VPN providers to determine their vulnerability and to notify the wider public of this issue. This is not a story to shame researchers in any way; instead it's a story about how we are losing history, and that we need to get more focus on the stories of the past in order to make sure we don't keep rediscovering the discovered. If anything, I recommend reading the article, as it was a great summary about networking, VPN, DHCP and more.

Passwordless authentication has been considered highly secure against phishing, session hijacking and man-in-the-middle attacks. The FIDO2 standard, developed by the FIDO Alliance, uses public key cryptography and security keys for authentication. However, recent research has uncovered a critical flaw that allows attackers to perform man-in-the-middle attacks and bypass FIDO2 authentication. Researchers from Silverfort discovered that attackers can intercept and manipulate authentication communications between the user and the relying party. This flaw allows attackers to gain access to the user's private info and perform malicious activities such as removing registered FIDO2 devices. FIDO2 involves generating a public and private key pair, with the public key sent to the relying party for verification. During authentication, the browser communicates with the FIDO security key; if approved, the security key generates a signature using the private key, verified by the relying party. Researchers recommend implementing token binding, which binds security tokens to the TLS layer, preventing token theft and man-in-the-middle attacks. Application managers should enforce token binding on the FIDO2 authentication. Developers should also ensure session tokens are only used once and thoroughly validate the authentication process.

Telegram is going up against Signal as the most secure messaging app. Recently, the Telegram founder Pavel Durov posted in his personal channel putting the team behind and the product of Signal on blast, an attempt to encourage FUD, or fear, uncertainty and doubt. It started off with the claim that Signal messages can actually be compromised: "The US government spent $3 million to build Signal's encryption, and today the exact same encryption is implemented in WhatsApp, Facebook Messenger, Google Messages and even Skype. It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference. An alarming number of important people I've spoken to remarked that their private Signal messages had been exploited against them in US court or media. But whenever somebody raises doubt about their encryption, Signal's typical response is 'we are open source, so anyone can verify that everything is all right.' That, however, is a trick." These claims have not been verifiable yet. In response, the Signal president has come out expressing that Telegram's messages are compromised and that it routinely cooperates with governments. The security community has also stepped up and very loudly proclaimed how wrong the Telegram statements are, expressing that Signal has expressed inability to give chat logs once subpoenaed. Experts like Matthew Green, a literal professor of cryptography, quickly spoke out on the topic and the security and encryption of Signal and the weird decisions of the Telegram project. Signal inherently is end-to-end encrypted, while with Telegram you literally have to enable the Secret Chat option, which uses a home-rolled encryption scheme created by another founder of Telegram. Signal uses its eponymous protocol, which, as explained earlier, is used by many companies as their encryption protocol of choice, and uses open-source, verified hashes, agreement protocols and so on. While Signal has 14 known CVEs, Telegram has 36 known CVEs. But how did this all start? In a tweeted response to a Signal smear article, Elon Musk chimed in saying "there are known vulnerabilities with Signal that are not being addressed, seems odd." This has been appended with a community note explaining that there is literally no evidence for this statement and that the lack of evidence is very easy to verify. This tweet has over 3,000 likes with a view count of 1.2 million, but at this rate we can't tell if this is accurate, just like Elon's statement. And for context, I personally say don't; some of you are right, but many of you were wrong.

As a reminder, every story that is included in ThreatWire is a real story; there are real sources. Many of you said that the CISA/FBI developer warning was a fake story and written by AI. Sorry to let you know that that is a real story, and it was written by me. The AI story written in last week's episode was actually the story about the GitLab vulnerability that was leading to account takeovers. Once again, there is an AI-written story in this week's episode; comment down below which story you think it was. As a reminder, it is a real story, it is real news, it was just written by AI. Also, I do see the feedback that many of you enjoyed the off-the-cuff insert for ThreatWire last week. I do have a lot of research, and there are a lot of specific numbers and definitions and quotes that need to be included to make each ThreatWire story comprehensive; it just wouldn't be feasible to do each story off the cuff. But I do write ThreatWire each week live on my Twitch channel, twitch.tv/ ending with alley. If you enjoyed the other kind of vibe, feel free to head over there and hang out. I'm on there on a regular basis, and this month is actually mod month, so I have a lot of challenges to do that my mods made for me, and I would love to see you there. P.S. I booked my tickets for Defcon; who's going to be there? Also, it's so sweet that some of y'all are talking about that I look very pretty, but I just want to remind y'all that I am an MIT-educated software engineer who does cybersecurity as a hobby and in her free time. But if you do want to pop over to my Instagram, I'm going to be starting to post more photos over there, including memes about tech and maybe some reels too, but I know y'all hate it, so hopefully they'll be funny. Thank you so much for watching ThreatWire for the week of May 13th, 2024. Don't forget to head over to patreon.com/threatwire and support us over there. Thank you for helping keep this show ad-free. If you want to find me online, I'm @ ending with alley everywhere. Good luck, have fun, and don't get caught.