The LogicHub Security Roundup: April 2021 Edition

Hello, and welcome to the first edition of the LogicHub Monthly Update! Each month we cover a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.

HIGHLIGHT

Netgear File Upload Zero Day

WHAT DOES IT DO?

With this vulnerability, a class in the Netgear ProSAFE Network Management System fails to validate a user-supplied path before using it, allowing code execution on the product.

POTENTIAL IMPACT

With the ability to execute arbitrary code along a supplied path, attackers may have free rein over the product - from accessing data as SYSTEM to modifying its operation.

REMEDIATION

Netgear have released a security update as of March 26th.

MORE INFORMATION:

https://www.zerodayinitiative.com/advisories/ZDI-21-357/

HIGHLIGHT

Cisco IOS XE Boundary Checks

WHAT DOES IT DO?

On some Cisco Catalyst 4500 and 4500-X Series Switches, a lack of boundary checks on Easy VSS protocol packets lets an attacker trigger a buffer overflow with crafted packets. Once the overflow is triggered, the attacker may gain admin access to the underlying Linux operating system or cause a denial of service.

POTENTIAL IMPACT

Complete loss of access through denial of service, possible total breach of confidentiality and data integrity.

REMEDIATION

No workarounds or patches are available, but some mitigations have been suggested, such as disabling Discovery Protocol.

MORE INFORMATION:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-evss-code-exe-8cw5VSvw

HIGHLIGHT

Snapdragon Buffer Overflow

WHAT DOES IT DO?

The affected code copies the data within an RTT/TTY packet without verifying the size of the destination buffer, which can cause a buffer overflow and, in turn, an out-of-bounds write.

POTENTIAL IMPACT

Out-of-bounds writes can cause crashes, unexpected behavior, or even code execution. This can result in a complete loss of confidentiality, integrity and availability.

REMEDIATION

Qualcomm has addressed this and several other vulnerabilities in their March 2021 patch.

MORE INFORMATION:

https://nvd.nist.gov/vuln/detail/CVE-2020-11227

CUSTOMER USE CASE

Automatic Rule Pushing

SUMMARY

There is something to be said for being able to make updates on the fly. In the case of irritating IPs and abnormal host activity on a fast-paced network, rules must be pushed to firewalls quickly and effectively to avoid more noise for analysts. This often involves making sure that either all analysts, or all analysts in a certain group, have access to every security appliance, and then allowing them to add rules manually as needed.

AUTOMATED SOLUTION

Instead of each firewall rule being added manually and individually, rules are pushed to the security appliance automatically after certain activity is detected in connection with an IP. The push may be triggered when a case is created for an IP that has been verified as a network scanner or as malicious, or an analyst can run the command to populate a new rule with the case data.

BENEFITS TO THIS APPROACH
  • Fast rule push for high-throughput environments
  • No need for special permissions to devices - all is done through a single agent
  • Both a preventative and proactive approach to rule-building
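As an added illustration of the rule-push step described above (example code written for this roundup, not LogicHub's own playbook), the following Python sketch validates a verified case before a deny rule is pushed and keeps an audit trail of every decision. The case field names, verdict labels, protected ranges and sample cases are all assumptions; the firewall is a dict standing in for the appliance agent.

```python
import ipaddress

# Constructed: ranges that must never be auto-blocked (RFC 1918, loopback and
# link-local space) plus a documentation address that stands in for the SOC's
# own egress IP. Assumption: a real playbook loads this list from configuration.
PROTECTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "198.51.100.7/32")]

# Hypothetical verdict labels, assumed to be set by the earlier triage step.
VERIFIED = {"verified_scanner", "verified_malicious"}

def build_rule(case):
    """Return (rule, "ok"), or (None, reason) when the case must not push a rule.

    `case` is a dict with case_id, ip and verdict (field names are assumptions)."""
    if case["verdict"] not in VERIFIED:
        return None, "verdict not verified"
    try:
        addr = ipaddress.ip_address(case["ip"].strip())
    except ValueError:
        return None, "not a single valid IP address"
    if any(addr in net for net in PROTECTED):
        return None, "protected address"
    return {"action": "deny", "src": str(addr),
            "comment": f"case {case['case_id']}: {case['verdict']}"}, "ok"

def push_rules(cases, firewall):
    """Push one deny rule per eligible source IP into `firewall` (a dict standing
    in for the appliance agent) and return an audit trail of every decision."""
    audit = []
    for case in cases:
        rule, reason = build_rule(case)
        if rule is not None:
            # Idempotent: a second case for the same IP does not duplicate the rule.
            firewall.setdefault(rule["src"], rule)
        audit.append((case["case_id"], reason))
    return audit

# Constructed sample cases: a verified scanner, a second case for the same IP,
# an unverified case, one that would block the SOC's own egress, and a malformed value.
SAMPLE_CASES = [
    {"case_id": "C-1001", "ip": "203.0.113.55", "verdict": "verified_scanner"},
    {"case_id": "C-1002", "ip": "203.0.113.55 ", "verdict": "verified_malicious"},
    {"case_id": "C-1003", "ip": "203.0.113.9", "verdict": "suspicious"},
    {"case_id": "C-1004", "ip": "198.51.100.7", "verdict": "verified_malicious"},
    {"case_id": "C-1005", "ip": "203.0.113.0/24", "verdict": "verified_scanner"},
]
```

Running `push_rules(SAMPLE_CASES, {})` pushes a single rule for 203.0.113.55 and records why the other four cases were skipped, which is the record an analyst needs when an automated block is questioned later.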

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.