Multiple flaws in privacy-enhancing hardware patched
A raft of security vulnerabilities found in the Winston Privacy API could allow unauthenticated attackers to seize control of devices and gain remote access to users’ local networks.
Security researchers were able to achieve remote code execution (RCE) by chaining a critical command injection bug with cross-site request forgery (CSRF) and insecure cross-origin resource sharing (CORS) vulnerabilities, according to a security advisory published yesterday (October 27).
Chris Davis and Justin Paglierani, security consultant and researcher respectively at offensive security outfit Bishop Fox, said Winston was “highly responsive” in fixing all nine security flaws, with firmware updates applied automatically.
Winston Privacy’s subscription-based service and hardware offer a virtual private network (VPN), traffic monitoring, ad and tracker blocking, a privacy mesh network, and a privacy-preserving web extension.
Richard Stokes, CEO of Winston Privacy, didn’t specify the size of the install base, only telling The Daily Swig that it is “quite significant”.
The /api/advanced_settings endpoint allowed “device settings to be altered, including the proxy address”.
Researchers sent an unauthenticated API request with a command injection payload in the proxy address field, triggering a connect-back shell.
Winston then refreshed the iptables rules using the /etc/winston/confiptable.sh script, which sourced the config.toml file containing the malicious input, executing the command substitution and therefore the payload. This returned a reverse Netcat shell, giving any malicious LAN host full device compromise.
If an unsuspecting victim navigated to a phishing page containing the CSRF exploit, the command injection API request would then trigger RCE.
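The root cause described above is a configuration value that reaches the shell unescaped when config.toml is sourced. The following is an added example, not Winston's or Bishop Fox's code, of the input-side defence: allow-list validation of the proxy address before it is written to the config file (the TOML key name `proxy_address` and the host:port format are assumptions).

```python
import re

# Added example, not Winston's or Bishop Fox's code: allow-list validation
# of a proxy address before it is persisted to a config file that a shell
# script will later source. Only [A-Za-z0-9.-] hosts and numeric ports pass,
# so no "$(...)" or backtick substitution can ever reach the shell.
# (The durable fix is to stop sourcing config through the shell at all;
# this is the defence on the input side.)

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_PORT = re.compile(r"^[0-9]{1,5}$")


def is_valid_hostname(host: str) -> bool:
    """RFC 1123-style hostname; a dotted-quad IPv4 address also fits this shape."""
    if not host or len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in host.rstrip(".").split("."))


def parse_proxy_address(value: str):
    """Return (host, port) for a well-formed host:port, else None."""
    host, sep, port_str = value.rpartition(":")
    if not sep or not _PORT.match(port_str):
        return None
    port = int(port_str)
    if not 1 <= port <= 65535 or not is_valid_hostname(host):
        return None
    return host, port


def toml_proxy_line(value: str) -> str:
    """Render a validated address as a TOML line; the key name is an assumption."""
    parsed = parse_proxy_address(value)
    if parsed is None:
        raise ValueError(f"rejected proxy address: {value!r}")
    host, port = parsed
    return f'proxy_address = "{host}:{port}"'


if __name__ == "__main__":
    # Constructed inputs: one well-formed, two carrying shell metacharacters.
    for candidate in ("proxy.example.net:3128", "10.0.0.5:8080$(id)", "$(id):8080"):
        print(candidate, "->", parse_proxy_address(candidate))
```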
Improper access controls
A pair of improper access control bugs also facilitated root-level access upon compromise, while the micro USB console – analyzed after researchers prised the device open – granted local root access.
Researchers also identified insufficient authorization controls in the device management API, while the Monit web application, in which privacy features can be disabled, was configured with default administrative credentials.
Finally, researchers discovered an undocumented SSH service, which Winston told Bishop Fox was “disclosed to users when they report critical bugs which need remote assistance”.
Bishop Fox researchers discovered the flaws on July 21. On July 29, they notified the vendor, which applied a patch to the v1.5.5 firmware for the most critical flaw, the command injection bug, the very same day.
Richard Stokes said Winston then “decided that despite the considerable work involved, our users would be best served by a complete kernel update, which would also benefit from security improvements from the mainline Linux source”.
This was rolled out in v1.5.6 along with several further patches, with additional fixes applied to v1.5.7, released on September 28. On October 22, v1.5.8 landed with all flaws remediated.
Stokes said Winston issues firmware updates roughly once a month, releases policy updates daily, hot fixes when necessary, and issues “both defensive and anticipatory security features in each release”.
“The cost of ensuring security for our users is not trivial, especially for a startup of our size,” he added. “There is no reason [larger] vendors shouldn’t be able to be at least as responsive, especially given their resources.”