Squeeze Volume 12 - sudo, Cisco, WhatsApp, and Android Bluetooth bugs & more!

Welcome to Squeeze, a curated selection of interesting infosec articles from the past week that you may have missed.

Squeeze Volume 12 - sudo, Cisco, WhatsApp, and Android Bluetooth bugs & more!

Welcome to the twelfth edition of the Secjuice Squeeze, a selection of interesting infosec articles that you may have missed and curate them for your reading pleasure. This week's volume was compiled by Bhumish Ghajar, Guise Bule, Chad Calease, Manmeet Singh, Olivia Stella and Hozaifa Owaisi.

Sudo Bug Lets You Run Commands as Root

Joe Vennix of Apple security has found a significant vulnerability in the sudo utility that, under a specific configuration, allows low privilege users or programs to execute arbitrary commands with administrative ('root') privileges on Linux or macOS systems. According to Vennix, the flaw can only be exploited when the "pwfeedback" option (a feature that provides an asterisk (*) as visual feedback) is enabled in the sudoers configuration file when a user inputs a password in the terminal.

Link: https://thehackernews.com/2020/02/sudo-linux-vulnerability.html

Sudo Bug Lets Non-Privileged Linux and macOS Users Run Commands as Root
The Hacker News is the most popular, independent and trusted source for the latest news headlines on cybersecurity, hacking, computer security, cybercrime, privacy, vulnerabilities and technology for all businesses, information security professionals and hackers worldwide.

Only 3% Of Airports Pass Security Checks

Only three of the world's top 100 international airports pass necessary security checks, according to a report published last week. The three airports are the only ones that passed a long list of security tests that involved checks of their public websites, official mobile applications, and searches for leaks of sensitive airport or passenger data in places (like cloud services, public code repositories, or the dark web).

Link: https://www.zdnet.com/article/only-three-of-the-top-100-international-airports-pass-basic-security-checks/

Only three of the Top 100 international airports pass basic security checks | ZDNet
Only three of the Top 100 international airports passed the test carried out by a cybersecurity firm.

Critical Security Bug found in Whatsapp

A cybersecurity researcher has disclosed technical details of multiple high severity vulnerabilities he discovered in WhatsApp, which could have allowed remote attackers to compromise the security of users in different ways if exploited. It was revealed that WhatsApp Web was vulnerable to a potentially dangerous open-redirect flaw that led to persistent cross-site scripting attacks, which could have been triggered by sending a specially crafted message to the targeted WhatsApp users.

Link: https://threatpost.com/whatsapp-bug-malicious-code-injection-rce/152578/

WhatsApp Bug Allows Malicious Code-Injection, One-Click RCE

Serious Bugs in Cisco Affect Millions of Devices

A total of five high-rated Cisco vulnerabilities, dubbed collectively as CDPwn, have been confirmed. CDPwn exposes vulnerabilities, four remote code executions, and one denial of service in the Cisco proprietary Layer 2 network discovery protocol that is implemented in switches, routers, cameras, and IP phones. The good thing is that attacks can't be mounted over the internet. As explained above, the CDP protocol works only inside local networks, at the Data Link Layer, and is not exposed on a device's WAN interface -- via which most internet attacks come from.

Link: https://www.forbes.com/sites/daveywinder/2020/02/05/cisco-confirms-5-serious-security-threats-to-tens-of-millions-of-network-devices/

Cisco Confirms 5 Serious Security Threats To ‘Tens Of Millions’ Of Network Devices
With Cisco devices everywhere from the trading floor to the boardroom, this is one security alert you can’t afford to ignore.

Critical Android Bluetooth Bug Fixed

Google has patched this week with a critical security flaw in Android's Bluetooth component. If left unpatched, the vulnerability can be exploited without any user interaction and can even be used to create self-spreading Bluetooth worms. The bug allows an attacker to "silently execute arbitrary code with the privileges of the Bluetooth daemon." No user interaction is required, and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address.

Link: https://www.zdnet.com/article/google-fixes-no-user-interaction-bug-in-androids-bluetooth-component/

Google fixes no-user-interaction bug in Android’s Bluetooth component | ZDNet
Fixes are available via the Android Security Bulletin for February 2020.

The awesome image used in this article is named "Advice from a Caterpillar" and was created by Anna Hurley.