Aggregator
CVE-2024-57844 | Linux Kernel up to 6.12.8 xe drm_dev_enter memory corruption
Cl0p Ransomware Releases a List of Companies Related to the Cleo Exploit
CVE-2024-39282 | Linux Kernel up to 6.1.123/6.6.69/6.12.8 mtk_t7xx fsm_main_thread.c fsm_main_thread reference count
CVE-2024-57795 | Linux Kernel up to 6.12.8 rxe use after free
CVE-2024-53681 | Linux Kernel up to 6.12.8 nvmet nvmet_root_discovery_nqn_store allocation of resources
Sweet Security Introduces Patent-Pending LLM-Powered Detection Engine, Reducing Cloud Detection Noise to 0.04%
Sweet Security, a leader in cloud runtime detection and response, today announced the launch of its groundbreaking patent-pending Large Language Model (LLM)-powered cloud detection engine. This innovation enhances Sweet’s unified detection and response solution, enabling it to reduce cloud detection noise to an unprecedented 0.04%. Sweet uses advanced AI to help security teams navigate complex […]
The post Sweet Security Introduces Patent-Pending LLM-Powered Detection Engine, Reducing Cloud Detection Noise to 0.04% appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
ShadowSyndicate Hackers Added RansomHub Ransomware to their Arsenal
ShadowSyndicate is a prolific threat actor that has been active since July 2022, collaborated with various ransomware groups, and leverages a diverse toolkit, including Cobalt Strike, Sliver, IcedID, and Matanbuchus malware. A distinctive feature of their operations is the consistent use of a specific SSH fingerprint (1ca4cbac895fc3bd12417b77fc6ed31d) across numerous servers, with at least 52 linked […]
The post ShadowSyndicate Hackers Added RansomHub Ransomware to their Arsenal appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Internet outages hit millions: trunk line break in Tatarstan
Reviewing the Attack Surface of the Autel MaxiCharger: Part One
For the upcoming Pwn2Own Automotive contest a total of 7 electric vehicle chargers have been selected. One of these is the Autel MaxiCharger AC Wallbox Commercial (MAXI US AC W12-L-4G) which also made an appearance at the inaugural Pwn2Own Automotive last January.
We previously posted internal photos of the MaxiCharger in 2023, so the goal of this blog post is to present up-to-date internal photos of the main boards and provide additional information.
Internals
Opening the MaxiCharger is easy and involves removing a few Torx T10 screws and then prying open the edges of the housing.
The metrology board is mounted on the back part of the housing and is responsible for power monitoring, handling the input mains power and providing power to the charging cable. Most of the components mounted on the lower-voltage part of the board (towards the top) are covered in conformal coating.
Figure 1: Power board
Towards the top right of the power board is the STM32F407ZGT6, a general-purpose ARM Cortex-M4 microcontroller. Many of the pins surrounding the STM32 are broken out and are not covered in conformal coating, allowing for easy probing.
UART output can be viewed using the broken-out pins above the STM32 at a baud rate of 921600 bps. SWD pins are also broken out, which allows full access to the STM32, including dumping the internal flash. A cursory glance at the flash dump shows references to FreeRTOS.
The power board connects to the main board, which is mounted on the top part of the housing. The main board is responsible for most of the heavy lifting, including handling Bluetooth, Wi-Fi, Ethernet and more. This board isn't covered in conformal coating, but quite a few of the components are under metal shielding that was removed for the following photos.
Figure 2: Main board (top)
The main board contains many labelled test points that make for easy probing.
In the top left is the Barrot BR8041A01 Bluetooth module. There isn't much publicly available information about this module. The test points nearby suggest that this module is operated over UART (BT_RX, BT_TX); however, sniffing these points doesn't show much other than very basic initialization, even when attempting to pair a new device.
Towards the center of the board is an IS65WV10248EBLL (PDF) SRAM chip.
Flipping the main board over reveals the main processor and an ESP32. Again, there are many labelled test points.
Figure 3: Main board (underside)
The MCU is the GD32F407ZGT6 (PDF) ARM Cortex-M4. Interestingly, it has been noted that Autel occasionally swaps out the GD32F407ZGT6 for the STM32F407ZGT6 for unknown reasons, presumably due to supply. To the left of the battery are the broken-out SWD pins for the MCU. Connecting to these pins shows that the MCU has been configured with readout protection level 1 (or "Security Protection Code low", to use GigaDevice's terminology).
Figure 4: Secured GD32 device detected
This prevents tools such as ST-Link and J-Link from dumping the internal flash; however, Jonathan Andersson and Thanos Kaliyanakis' Black Hat EU talk details a few very interesting bypasses that circumvent this readout protection! One such method doesn't require glitching.
To the right of the MCU is a Winbond W25Q128JV (PDF) serial flash chip. Below it is an RJ45 jack for Ethernet communications. This is one of the ways the charger can connect to the internet; the other methods are Wi-Fi and a mobile network.
There is a mysterious USB-C port to the left of the MCU which doesn't have a documented use. This isn't the only USB port on the Autel with an unknown use, but it is the only one that can be accessed without dismantling the charger.
The ESP32 module in the top left is the ESP32-WROOM-32D (PDF), which has Bluetooth and Wi-Fi capabilities. Internally the module uses the ESP32-D0WD dual-core Xtensa MCU and a 4 MB SPI flash chip.
Directly above the USB-C port, one of the GD32 UARTs is broken out. Connecting at a baud rate of 921600 bps shows a lot of debugging information. Interestingly, during initialization the string "UART_WIFI_BT" is printed alongside AT commands that are sent from the GD32 to the ESP32. When pairing a new device, many of these messages are logged.
Combined with the very little traffic sniffed to/from the Barrot module over the test points, this hints that the Barrot Bluetooth module is redundant and that the ESP32 is what actually handles Bluetooth operations.
To the right of the ESP32 are more broken-out pins, this time for one of the ESP32 UARTs and the IO0 pin, which is used for ESP32 boot mode selection. Connecting to the UART header at 115200 baud shows the usual ESP32 boot log.
Stacked underneath the main board is the 4G board that has a SIM card tray and a mobile communications module.
Figure 5: 4G mobile communications board
The 4G module is the Quectel EC25AFXDGA (PDF) that internally uses the Qualcomm MDM9207 LTE modem which itself contains an ARM Cortex-A7 core. The SIM card tray sits to the left of the 4G module. Connecting the Autel to a mobile network is optional.
The top right of the 4G board has a micro USB port with no known use. The charger must be disassembled to access this port. Presumably this is for some kind of debugging of the 4G module.
A few pins are broken out from the 4G module along the left side of the board. Connecting to RXD and TXD at 115200 baud prints a Linux boot log which ultimately drops to a login prompt for the Quectel module.
Above the UART connection is a header labelled "BOOT". Shorting these unpopulated pins together and then booting the charger changes the behavior of the 4G module. Notably, the UART connection no longer prints the Linux boot log. This behavior may be linked to the aforementioned USB port, but this wasn't investigated further.
Interestingly, under the 4G board is yet another unused micro USB port. It is attached to the back of the LCD board and is likely used for debugging LCD-related functionality. The silkscreen also shows SWD-related text.
Figure 6: Unused USB port
The final board of interest is the NFC and LED board, which is connected to the main board. There is an unused 4-pin connector on the back of the board which is likely for debugging purposes.
Figure 7: NFC and LED board (top)
Flipping the board over reveals the NFC chip.
Figure 8: Multi-protocol contactless transceiver
The NFC chip is a Fudan Microelectronics FM17660 multi-protocol contactless transceiver IC.
Summary
Overall, all the main components are the same as in the MaxiCharger we tore down last year, which is good news for any contestants who previously bought one.
Hopefully this blog post provides enough information to kickstart vulnerability research against the Autel MaxiCharger. Keep an eye out for future posts that will cover the threat landscape of the MaxiCharger.
We are looking forward to Pwn2Own Automotive again in Tokyo in January 2025 at Automotive World, and we will see if IVI vendors have improved their product security. Don’t wait until the last minute to ask questions and register! We hope to see you there.
You can find me on Twitter at @ByteInsight, and follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.
CVE-2024-36476 | Linux Kernel up to 5.10.232/5.15.175/6.1.123/6.6.69/6.12.8 rtrs null pointer dereference
5,000 WordPress Sites Hacked in New WP3.XYZ Malware Attack
Widespread malware campaigns detected by site crawlers exploit vulnerabilities on multiple websites; the intrusion method remains under investigation, with no common entry point identified. A malicious script creates unauthorized administrator accounts with the username ‘wpx_admin’ and a hardcoded password. Subsequently, it downloads and activates a malicious WordPress plugin, compromising the website and enabling the […]
The post 5,000 WordPress Sites Hacked in New WP3.XYZ Malware Attack appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Recognized by MIIT! 360 named an "Outstanding Technical Support Unit" of the Vehicle Networking Product Security Vulnerability Professional Database
CVE-2024-57802 | Linux Kernel up to 6.12.8 netrom allocation of resources
Rsync vulnerabilities allow remote code execution on servers, patch quickly!
Six vulnerabilities have been fixed in the newest versions of Rsync (v3.4.0), two of which could be exploited by a malicious client to achieve arbitrary code execution on a machine with a running Rsync server. “The client requires only anonymous read-access to the server, such as public mirrors. Additionally, attackers can take control of a malicious server and read/write arbitrary files of any connected client. Sensitive data, such as SSH keys, can be extracted, and … More →
The post Rsync vulnerabilities allow remote code execution on servers, patch quickly! appeared first on Help Net Security.
Malicious npm packages target developer tools with a hidden kill switch
Research on the hidden security risks to China from the influx of "TikTok refugees" into Xiaohongshu
How artificial intelligence is reshaping the US intelligence community
CVE-2024-57895 | Linux Kernel up to 6.6.69/6.12.8 fs/attr.c stack-based overflow
Aembit Announces Speaker Lineup for the Inaugural NHIcon
Silver Spring, United States / Maryland, 15th January 2025, CyberNewsWire
The post Aembit Announces Speaker Lineup for the Inaugural NHIcon appeared first on Security Boulevard.