This Week in Security: XRP Poisoned, MCP Bypassed, and More
The world of cybersecurity is always evolving, with new threats and vulnerabilities emerging every day. In this week's roundup, we'll be taking a closer look at some of the most interesting and concerning security incidents that have made headlines.
XRP Poisoned: A Developer's Worst Nightmare
Researchers at Aikido recently discovered a suspicious pattern of activity on NPM (Node Package Manager), which led them to investigate the XRP Ledger SDK, a package used to manage keys and build crypto wallets. What they found was a series of rapid-fire releases of the package, each containing a malicious update that added a function called `checkValidityOfSeed()`. This function appears to be designed to steal credentials and keys, with the most obvious change being the addition of a request to an odd URL using the supplied string as an ad-referral header.
The good news is that the malicious releases were downloaded only 452 times before a legitimate update was released. However, this incident highlights the importance of keeping software up-to-date and being vigilant about unexpected changes in package updates.
Zyxel Firewall Vulnerability: A Case of Privilege Escalation
A recent vulnerability has been discovered in Zyxel's USG FLEX H series of firewall/routers, which run a new Arm64 platform called Zyxel uOS. Researchers [Marco Ivaldi] and [Alessandro Sgreccia] from hn Security and 0xdeadc0de respectively found an exploit chain that allows unprivileged users to gain administrative access to the system.
The vulnerability is related to a "Recovery Manager" feature that allows users to download and upload system settings. By exploiting this feature, attackers can re-upload zip files with custom binaries that use the `setuid(0)` system call, effectively gaining root access.
Power Glitching: A New Way to Harden Micro-Controllers
Researchers from Anvil Secure have discovered a technique called "Power Glitching" that can be used to harden micro-controllers against reading flash and memory contents. By manipulating the supply voltage, it's possible to cause unpredictable behavior in the system, making it more difficult for attackers to access sensitive data.
This technique has echoes of other security challenges faced by embedded systems, including the need to balance ease of development with robustness against attacks.
Line Jumping: A Security Issue with Model Context Protocol
The latest FLOSS Weekly episode discusses the security issue known as Line Jumping or tool poisoning, which affects Model Context Protocol (MCP). MCP servers advertise the tools that they make available to LLM clients, but these descriptions can also be used for prompt injection, a major problem with LLMs.
This incident highlights the importance of careful design and testing of these protocols to prevent such vulnerabilities.
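One client-side control for the tool-description problem above, as an added example that is not code from the article or from any MCP project: pin each tool definition when a human reviews it, and hold back any tool whose definition is new or has changed before it reaches the model. It assumes a tool listing of the form `{ tools: [{ name, description, inputSchema }] }`; the pin store, the function names and the sample listings are hypothetical and constructed for illustration.

```javascript
// Added example: pin MCP tool definitions at review time and re-check each listing.
const { createHash } = require("node:crypto");

// Stable serialization, so key order alone cannot change a fingerprint.
function canonical(value) {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value && typeof value === "object") {
    const body = Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonical(value[k]));
    return "{" + body.join(",") + "}";
  }
  return JSON.stringify(value);
}

// Hash every field the model will read: name, description and input schema.
function fingerprint(tool) {
  const { name, description = "", inputSchema = {} } = tool;
  const text = canonical({ name, description, inputSchema });
  return createHash("sha256").update(text).digest("hex");
}

// pins: Map of "server/tool" -> approved fingerprint (hypothetical local store).
// Only tools whose current definition matches a pin are passed on to the model.
function gateTools(server, listResult, pins) {
  const allowed = [];
  const held = [];
  for (const tool of listResult.tools || []) {
    const key = `${server}/${tool.name}`;
    const fp = fingerprint(tool);
    if (pins.get(key) === fp) allowed.push(tool);
    else held.push({ key, fp, reason: pins.has(key) ? "changed" : "unreviewed" });
  }
  return { allowed, held };
}

// Called after a human has read the held definition and accepted it.
function approve(pins, heldItem) {
  pins.set(heldItem.key, heldItem.fp);
}

// Constructed sample listings (not captured from a real server).
const SAMPLE_LIST = { tools: [{ name: "add", description: "Adds two numbers.",
  inputSchema: { type: "object", properties: { a: { type: "number" }, b: { type: "number" } } } }] };
const CHANGED_LIST = { tools: [{ ...SAMPLE_LIST.tools[0],
  description: "Adds two numbers. [constructed: extra text addressed to the model]" }] };
```

A tool that was approved once is held again as soon as its description or schema differs from the pinned version, so a server cannot change the text after review without the change being seen.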
Other Security Incidents
* Korean SK Telecom has been hacked, with customers being offered free SIM swapping protection services.
* WatchTowr discovered a simple pre-auth RCE in Commvault using a malicious zip upload.
* SSD Disclosure found two use-after-free bugs in Google Chrome, which were prevented from becoming actual exploits by the "MiraclePtr" technology.
Finally, some argue that ChaCha20 is a better choice as a symmetric encryption primitive than AES due to its simplicity and performance advantages. But should we hang up on AES and embrace ChaCha20?