Sam Stelfox

Smart Home Cybersecurity Roundup [October 2021]

One month dedicated to cybersecurity awareness isn't enough. In this bonus cybersecurity roundup, we're diving deep into the latest firmware and IoT vulnerabilities to hit the news in October, such as malware, breaches, vulnerability patches, and more. Where possible, we provide additional documentation in the form of discovery reports and share best practices. To stay informed, subscribe to our newsletter at the bottom of the page.


Netgear releases firmware patches for routers suffering vulnerabilities 

CVE-2021-40847 is a high-severity vulnerability that allows remote code execution (RCE) on 11 Netgear routing devices. 10 R-series routers and one RS-series router appear to be affected, and they are most at risk when running outdated firmware. 

As detailed in the discovery report on the GRIMM security blog, the vulnerability resides in circled (pronounced "circle dee"), the daemon behind the Circle parental controls, which is enabled by default even when parental controls have not been configured on the router. The daemon contacts Circle to obtain version information and updates to its filtering database. However, these requests are sent over cleartext HTTP, so an attacker who can intercept them can respond with crafted database files, leading to file overwrite and RCE. 
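The two defensive properties missing from the update path described above are an authenticated transport and integrity verification of the downloaded database before it is parsed or written. The following added example (not Netgear's or Circle's code) shows an update client that enforces both: it refuses any non-HTTPS source and rejects a database blob whose signature does not verify. The manifest layout, key handling and function names are assumptions; HMAC-SHA256 stands in for the asymmetric vendor signature a real device would use, so the example runs with the standard library alone.

```python
"""Defensive illustration of a hardened filtering-database update client.
Added example code; the key, URLs, blob format and function names are
constructed for this illustration and are not from the original report."""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed sample key. A real device would hold a vendor *public* key and
# verify an asymmetric signature (e.g. Ed25519); HMAC-SHA256 is used here only
# so the example is self-contained.
UPDATE_KEY = b"example-vendor-update-key-not-secret"


class UpdateRejected(Exception):
    """Raised whenever the update must not be applied."""


def require_https(url: str) -> str:
    """Reject any update endpoint that is not HTTPS. A plaintext fetch is what
    lets a network attacker answer with a crafted database."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise UpdateRejected(f"refusing non-HTTPS update source: {url}")
    return url


def sign_database(blob: bytes, key: bytes = UPDATE_KEY) -> str:
    """Vendor-side signing step (constructed for the example)."""
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def verify_and_apply(url: str, blob: bytes, signature: str,
                     key: bytes = UPDATE_KEY) -> dict:
    """Client side: check transport and integrity before the untrusted blob is
    parsed or written anywhere. Returns the parsed database on success."""
    require_https(url)
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks no timing information.
    if not hmac.compare_digest(expected, signature):
        raise UpdateRejected("signature mismatch: database blob rejected")
    # Only after verification is the content parsed.
    try:
        db = json.loads(blob.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise UpdateRejected(f"malformed database: {exc}") from exc
    if not isinstance(db, dict) or "version" not in db:
        raise UpdateRejected("database missing required fields")
    return db


# Constructed sample data standing in for a filtering-database update.
GOOD_DB = json.dumps({"version": 42, "blocked": ["example.invalid"]}).encode()
GOOD_SIG = sign_database(GOOD_DB)


def demo() -> dict:
    """Runs the three cases a defender cares about and returns the outcomes:
    a valid signed update, the same update over plaintext HTTP, and a blob
    modified in transit."""
    results = {}
    results["valid"] = verify_and_apply(
        "https://updates.example/db", GOOD_DB, GOOD_SIG)["version"]
    try:
        verify_and_apply("http://updates.example/db", GOOD_DB, GOOD_SIG)
        results["plaintext"] = "accepted"
    except UpdateRejected:
        results["plaintext"] = "rejected"
    tampered = GOOD_DB.replace(b"example.invalid", b"other.invalid")
    try:
        verify_and_apply("https://updates.example/db", tampered, GOOD_SIG)
        results["tampered"] = "accepted"
    except UpdateRejected:
        results["tampered"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the transport check runs first, the signature is verified next, and only then is the blob handed to a parser, so a crafted file never reaches the code that could be confused by it.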

The discovery report explains the impact of this vulnerability in the work-from-home era. It offers one example of an attack chain for a threat actor to achieve device compromise: 

  1. Determine the internet service provider (ISP) a target corporation is using 
  2. Compromise the ISP via phishing, social engineering, etc. 
  3. Use ISP information to target and compromise vulnerable routers 
  4. Utilize router to locate and compromise a connected device 
  5. Achieve corporate network access and data exfiltration 

Netgear offered the following statement to The Hacker News when prompted about the vulnerability: 

"Circle created software fixes to resolve recently publicized security vulnerabilities for a loader on Netgear routers and has worked with Netgear to ensure it is available for Netgear customers. Circle recommends that Netgear users ensure that they are using the latest firmware for their Netgear routers. No other Circle customers are impacted by this vulnerability."

For users whose internet service providers (ISPs) do not automatically update their firmware, it is recommended to update affected routers according to Netgear's security advisory. 

ThroughTek IoT devices vulnerable to interception threaten smart home cybersecurity 

A critical IoT security vulnerability (CVE-2021-28372) with a severity rating of 9.6 was discovered by researchers at FireEye. The vulnerability affects the ThroughTek Kalay platform found in devices such as cameras, baby monitors, and DVR products. Exploiting it lets an attacker intercept remote communication with a device and, using RCE capabilities, achieve full device compromise. It can also be leveraged against devices with microphones and cameras for live eavesdropping and real-time video viewing. There is no list of affected devices, but the ThroughTek Kalay platform at the center of the vulnerability is, according to Mandiant, used in over 83 million devices. 

The attack requires knowledge of Kalay's protocols/API and acquisition of a device's unique identifier (UID) via social engineering or another vulnerability. Once a UID has been collected, the attacker registers the device within their own environment and impersonates the owner. 

The malicious device registration takes precedence over the original device registration, meaning every time the original device owner submits a request to see their video feed (or other IoT requests), the response is sent directly to the attacker. Once user login credentials are acquired, the attacker can compromise the device and execute Remote Procedure Call (RPC) actions as a root user. Researchers provided a video of the exploit in action as proof of concept instead of publishing PoC code. 

Companies who utilize the Kalay platform are advised to enable DTLS and Authkey and upgrade to version 3.1.10. Home users are advised to implement the latest software updates on all IoT devices, use strong passwords, and avoid connecting IoT devices to unprotected WiFi networks. 

Microsoft security updates for October Patch Tuesday 2021 

In its most recent Patch Tuesday, Microsoft released patches for over 80 vulnerabilities. The most notable patches were to critical vulnerabilities in virtualization and server software, Microsoft Word, and the problematic Print Spooler Spoofing vulnerability. Details on these vulnerabilities are as follows:

| Affected Product | CVE | Severity Rating | Description |
|---|---|---|---|
| Windows 11, Windows Server 2022 | CVE-2021-38762 | Critical: 8.0 | Remote code execution (RCE) via Hyper-V platform |
| Windows 10 & 11, Windows Server 2019 & 2022 | CVE-2021-40461 | Critical: 8.0 | RCE via Hyper-V platform |
| Microsoft Word | CVE-2021-40486 | Critical: 7.8 | RCE via Microsoft Word Preview Pane |
| Windows 7-11, Windows Server 2008-2019 | CVE-2021-36970 | Important: 8.8 | Little detailed information, but related to the previously discovered PrintNightmare vulnerability |
| Microsoft Exchange Server 2016-2019 | CVE-2021-26427 | Important: 9.0 | RCE in Microsoft Exchange, but requires adjacent access |

As Krebs on Security covered in its Patch Tuesday recap, many of the patches address some of the prime targets from earlier in the year: the Exchange servers targeted during the HAFNIUM hacks in March, and the print spooler vulnerabilities that have been receiving attention since June. What's more, this isn't the first time Windows Preview Pane functionality has been targeted; the Outlook Preview Pane came under fire last year. 

Highly detailed information about the vulnerabilities has not yet been published. Still, according to Microsoft, CVE-2021-38762 could allow a guest virtual machine (VM) to read kernel memory on its host and lead to VM escape. Microsoft has also disclosed that although CVE-2021-26427 is scored 9.0 on the Common Vulnerability Scoring System (CVSS) for its potential impact, an attacker would need Bluetooth or WiFi access to an on-premises device to trigger the exploit. 

Users of any affected products are advised to implement security patches as soon as possible. 

Google Chrome patches more zero-day vulnerabilities 

Google has published patches for two more Chrome zero-day vulnerabilities within the last month, bringing the total to a whopping 16 zero-day patches this year. Google has acknowledged that these vulnerabilities were used to exploit Chrome users, and it has offered general descriptions in its release notes:

| CVE | Description |
|---|---|
| CVE-2021-38000 | Insufficient validation of untrusted input in Intents |
| CVE-2021-38003 | Inappropriate implementation in V8 JavaScript engine |

This round of patches also covers exploits demonstrated at the Tianfu Cup, such as CVE-2021-38002, a use-after-free vulnerability in Web Transport. Although Google has not officially offered explicit details, CyberSecurityHelp.com has released notes describing how each vulnerability can lead to arbitrary code execution or system compromise via maliciously crafted web pages. Those who have not applied the latest patch are advised to browse unfamiliar pages with great caution. 

For users who have not received an automatic update notification, Bleeping Computer suggests manually checking for an update using the following steps: 

  1. Click the ellipsis (...) to the right of the address bar 
  2. Navigate to Help 
  3. Click About Google Chrome 

It's also best practice to update other browsers built on the Chromium engine, such as Microsoft Edge or Brave. 
