Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

YAPC - Yet Another PaperCut Vulnerability

The PaperCut enterprise management system has been a high priority for threat actors for the last few months, as a series of vulnerabilities have allowed its exploitation by groups like Cl0p and LockBit, who have used it for information exfiltration prior to extortion demands.

Now researchers at Horizon3.ai have disclosed a new critical vulnerability, CVE-2023-39143. This is a directory traversal vulnerability which allows unauthenticated attackers to read, delete and upload arbitrary files to a vulnerable PaperCut MF/NG server, with the possibility of remote code execution if iinstalled on Windows with the external device integration setting enabled - which it is, by default, on some PaperCut versions such as PaperCut NG Commercial or PaperCut MF.

A simple command can check whether a PaperCut server is not patched and is running on Windows:

curl -w "%{http_code}" -k --path-as-is "https://<IP>:<port>/custom-report-example/..\..\..\deployment\sharp\icons\home-app.png"

Horizon3.ai notified PaperCut, and customers are advised to upgrade to the latest PaperCut version, that is, version 22.1.3 or later. If an upgrade cannot be installed, the most appropriate mitigation is to configure an allowlist of IP addresses which can access the PaperCut server.

What's the old saw? "If you see one rat, you probably have a lot more" - and the same applies to vulnerabilities.

Sunkavally, Naveen, CVE-2023-39143: PaperCut Path Traversal/File Upload RCE Vulnerability, blog post, 4 August 2023. Available online at https://www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/.

Deep Learning Acoustic Attack Learns Keyboard Text With 95% Accuracy

That clacking sound your keyboard makes as you type? It could be leaking passwords to a nearby smartphone, or even via a Zoom or Skype session with others. In fact, it could even work with a smartwatch.

In a paper presented at the 2023 European Symposium on Security and Privacy Workshops, three UK researchers detailed an acoustic side channel attack which uses a deep learning model to classify laptop keystrokes. When trained on keystrokes recorded by a nearby smartphone, the classifier achieved an accuracy of 95%, the highest accuracy seen without the use of a language model (which would use the redundancy of human language to achieve near-100% accuracy). When trained on keystrokes recorded over Zoom, the attack still managed an accuracy of 93%.

The researchers performed initial training by pressing each alphanumeric key on a 16-inch Macbook Pro 25 times, recording the sound each made. From this, they extracted the waveform of the isolated keystrokes and produced spectrograms - which chart the intensity of each frequency - and used these to train the CoAtNet image classifier, tweaking the parameters until they had optimized the classification accuracy. Since all recent Macbooks use the same keyboard and presumably sound similar, the attack could work against other users' machines.

The researchers' results provide further evidence that passwords are an increasingly weak form of authentication. While they suggest some mitigations, including varying typing techniques, making use of the Ctrl and Shift keys, backspacing and, obviously, using randomized passphrases. I would add that the use of a password safe to paste a random password into an on-screen form would provide a particularly strong defence. Nevertheless, it is increasingly obvious that we need to move to cryptographic authentication techniques such as security keys and passkeys.

Harrison, Joshua, Ehsan Toreini and Maryam Mehnezhad, A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards, workshop presentation paper, 3 August 2023. Available online at https://arxiv.org/abs/2308.01074.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.