Security Safari

New Threats in the Wild

This section is devoted to threats of particular note that have been seen in the past month. A select few of particular interest will be highlighted in greater detail. NIST NVD data will be used to make these determinations.

HIGHLIGHT

Netgear File Upload Zero Day

What does it do?

With this vulnerability, a class in the Netgear ProSAFE Network Management System fails to validate a user-supplied path, allowing code execution in the product.

Potential Impact

With the ability to execute arbitrary code along a supplied path, attackers may have free rein over the product - from reading data with SYSTEM privileges to altering how the product operates.

Remediation

Netgear has released a security update as of March 26th.

More Information:

https://www.zerodayinitiative.com/advisories/ZDI-21-357/

HIGHLIGHT

Cisco IOS XE Boundary Checks

What does it do?

On some Cisco Catalyst 4500 and 4500-X series switches, a lack of boundary checks on Easy VSS protocol packets allows an attacker to trigger a buffer overflow with crafted packets. Once the overflow is triggered, the attacker may gain administrative access to the underlying Linux operating system or cause a denial of service.

Potential Impact

Complete loss of access through denial of service, possible total breach of confidentiality and data integrity.

Remediation

No workarounds or patches are available, but some mitigations have been suggested, such as disabling Discovery Protocol.

More Information:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-evss-code-exe-8cw5VSvw

HIGHLIGHT

Snapdragon Buffer Overflow

What does it do?

In this vulnerability, the data within an RTT/TTY packet is copied without verifying the size of the destination buffer, causing a possible buffer overflow. This can then be used to perform an out-of-bounds write.

Potential Impact

Out-of-bounds writes can cause crashes, unexpected behavior, or even code execution. This can result in the complete compromise of confidentiality, integrity and availability (the CIA triad).

Remediation

Qualcomm has addressed this and several other vulnerabilities in its March 2021 patch.

More Information:

https://nvd.nist.gov/vuln/detail/CVE-2020-11227

Additional Threats

CVE-2021-21982

VMware Carbon Black Cloud Workload appliance 1.0.0 and 1.01 has an authentication bypass vulnerability that may allow a malicious actor with network access to the administrative interface of the VMware Carbon Black Cloud Workload appliance to obtain a valid authentication token. Successful exploitation of this issue would result in the attacker being able to view and alter administrative configuration settings.

More Info

CVE-2021-29066

Certain NETGEAR devices are affected by authentication bypass. This affects RBK852 before 3.2.17.12, RBK853 before 3.2.17.12, RBK854 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12.

More Info

CVE-2021-1818

A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, watchOS 7.3, tvOS 14.4, iOS 14.4 and iPadOS 14.4. A remote attacker may be able to cause unexpected application termination or arbitrary code execution.

More Info

From The Field

Real World Use Cases in Action

In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.

Customer Use Case

Automatic Rule Pushing

Summary

There is something to be said for being able to make updates on the fly. In the case of irritating IPs and abnormal host activity on a fast-paced network, rules must be pushed to firewalls quickly and effectively to avoid more noise for analysts. This often means making sure that either all analysts, or all analysts in a certain group, have access to every security appliance, then allowing them to add rules manually as needed.

Automated Solution

Instead of adding every firewall rule manually and individually, rules are pushed to the security appliance automatically once certain activity tied to an IP is detected. The push can be triggered when a case is created for a verified network scanner or a verified malicious IP, or an analyst can run the command to feed the case data into a new rule.

Benefits to This Approach

  • Fast rule push for high-throughput environments
  • No need for special permissions to devices - all is done through a single agent
  • Both a preventative and proactive approach to rule-building
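As an added illustration (this is not LogicHub's code, nor any real firewall API), the following Python sketch shows the guard rails an automatic rule push of this kind should carry: only the two triggers named above are eligible, a never-block list stops the automation from cutting off internal hosts or the SOC's own egress, and de-duplication keeps repeat cases from stacking rules. The FirewallAgent class, the never-block ranges and the case fields are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Verdicts allowed to trigger an automatic push: the two triggers from the
# use case, a verified network scanner or a verified malicious IP.
TRIGGER_VERDICTS = {"verified_scanner", "verified_malicious"}

# Constructed never-block list: internal ranges plus the SOC's own egress
# address. Assumption: a real deployment loads this from configuration.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "203.0.113.10/32")]


@dataclass
class FirewallAgent:
    """Stand-in for the single agent that holds the appliance credentials
    (assumption); a real agent would call the vendor's API here."""
    rules: list = field(default_factory=list)

    def has_rule_for(self, ip: str) -> bool:
        return any(r["src"] == ip for r in self.rules)

    def push(self, rule: dict) -> None:
        self.rules.append(rule)


def build_rule(case: dict):
    """Turn a case into a deny rule, or (None, reason) if it must not be pushed."""
    verdict = case.get("verdict")
    if verdict not in TRIGGER_VERDICTS:
        return None, "verdict not eligible for automatic push"
    try:
        ip = ipaddress.ip_address(case["ip"].strip())
    except (KeyError, ValueError):
        return None, "case has no valid IP"
    if any(ip in net for net in NEVER_BLOCK):
        return None, "IP is in a never-block range"
    rule = {"action": "deny", "src": str(ip),
            "case_id": case["id"], "reason": verdict}
    return rule, "ok"


def handle_case(case: dict, agent: FirewallAgent):
    """Push at most one rule per IP; returns (pushed, reason) for the audit trail."""
    rule, reason = build_rule(case)
    if rule is None:
        return False, reason
    if agent.has_rule_for(rule["src"]):
        return False, "rule already present"
    agent.push(rule)
    return True, "pushed"
```

The (pushed, reason) pair is what an analyst would want written back to the case, so a refused push is visible rather than silent.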

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.

A Fake Cybersecurity Firm Built to Target Security Researchers

A North Korean campaign created accounts for a fake security firm, SecuriElite, aiming to bait users into visiting a malicious website. The accounts were initially flagged in January of 2021 and have all since been suspended.

Read More

Gaming mods, cheat engines are spreading Trojan malware and planting backdoors

Remote access trojans are being distributed en masse in the form of gaming cheat engines, say researchers with Cisco Talos. Initially spread through malvertising in the form of YouTube videos or website advertisements, the malware's developers are making greater efforts to avoid detection, even going so far as to check their code against VirusTotal and similar services.

Read More

CISA Releases Tool to Review M365 Post-Compromise Activity

The new tool, nicknamed Aviary, is a Splunk-based dashboard that assists researchers in hunting down activity from the SolarWinds supply-chain attack. It allows the review of PowerShell mailbox sign-ins to verify the legitimacy of activity.

Read More

Facebook Data Leak: No Notifications, Attributed to Web Scraping

The 500m+ users that were affected by the Facebook data leaking incident will not be receiving notification of their involvement, nor will Facebook be attributing this incident to a hack. Instead, Facebook has attributed this incident to web scraping based on user phone numbers connected to accounts, with the company claiming to have insufficient visibility into the exact accounts affected in order to send notifications.

Read More

Ransomware gang urges victims’ customers to demand a ransom payment

In an unusual new method of coercing a ransom from victims, the Clop ransomware gang is emailing the customers, partners, and employees of affected companies in an attempt to pressure them into payment. The emails put special focus on customer information privacy.

Read More