The LogicHub Security Roundup: August 2021 Edition
Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we cover a broad view of the past month’s threats, a series of informative use cases seen in the past month by our internal teams, and a series of recommended articles, podcasts, and other useful resources.
Windows Hyper-V RCE
WHAT DOES IT DO?
This vulnerability would require an authenticated attacker on a guest VM to send specially crafted file operation requests on the VM to hardware resources which could result in remote code execution on the host server.
An RCE on the host server could result in full compromise of confidentiality, integrity and availability (the CIA triad). Though this vulnerability requires specially crafted requests from an authenticated attacker, obtaining a default or poorly secured guest account for this purpose is simple enough.
Microsoft has released an official patch for this vulnerability.
Windows Kernel RCE
WHAT DOES IT DO?
This issue allows a Single Root I/O Virtualization (SR-IOV) device assigned to a guest to potentially interfere with its Peripheral Component Interconnect Express (PCIe) siblings that are attached to other guests or to the root. Virtual machines and devices that utilize SR-IOV are particularly at risk and increase the likelihood of an RCE being executed.
As with all RCEs, this can cause severe interference or complete disruption to the CIA triad.
An official patch is available from the vendor.
Google Chrome DevTools Sandbox Vulnerability
WHAT DOES IT DO?
Insufficient policy enforcement in DevTools in Google Chrome prior to 92.0.4515.107 allowed an attacker who had convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted HTML page. The remainder of the details on this CVE have been made private by Google.
This sandbox escape allows the attacker to execute code outside of the intended sandbox, which means potentially damaging and data-retrieving commands can be run. Massive privacy and monetary implications are expected for this sort of vulnerability.
The vendor has released a patch for this issue.
Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.
Overwolf Client 0.169.0.22 allows XSS, with resultant Remote Code Execution, via an overwolfstore:// URL.
The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks.
In FreeRDP before 2.4.0 on Windows, wf_cliprdr_server_file_contents_request in client/Windows/wf_cliprdr.c has missing input checks for a FILECONTENTS_SIZE File Contents Request PDU.
Dell EMC Networking S4100 and S5200 Series Switches manufactured prior to February 2020 contain a hardcoded credential vulnerability. A remote unauthenticated malicious user could exploit this vulnerability and gain administrative privileges.
CUSTOMER USE CASE
Suspicious Production Account Activity Triage
Production accounts are simultaneously the most important and least expected place to see malicious activity on a network. While it’s uncommon to see a compromise situation get this far, it’s extremely important that controls be put in place to monitor and lock down access to production accounts according to the principle of least privilege. Ideally, a production account alarm should look for a certain kind of unusual account operation or login and report on it with a heightened alarm severity.
Current automation logic starts with a lot of very careful, specific whitelisting. Every normal machine that a production account should touch is considered, then cross-checked against that account’s normal actions. If everything matches, no alarm triggers. But if there is a single mismatch, a case is created with heightened severity and an alert goes to the analysts in charge of the instance.
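The whitelist-then-mismatch logic described above, as an added illustration that is not LogicHub’s own automation: a per-account map of expected hosts and the actions expected on each host, a parser for constructed key=value log lines, and a triage step that opens a high-severity case on the first deviation. All account, host and action names are hypothetical.

```python
"""Allowlist-driven triage of production-account activity (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed allowlist: production account -> expected host -> expected actions on it.
# Account and host names are hypothetical.
ALLOWLIST: Dict[str, Dict[str, set]] = {
    "svc_deploy": {"build01": {"logon", "file_write", "service_restart"},
                   "build02": {"logon", "file_write"}},
    "svc_backup": {"db01": {"logon", "file_read"}, "db02": {"logon", "file_read"}},
}

@dataclass(frozen=True)
class Event:
    account: str
    host: str
    action: str

def parse_event(line: str) -> Event:
    """Parse a constructed key=value log line into an Event."""
    fields = dict(part.split("=", 1) for part in line.split())
    return Event(fields["account"], fields["host"], fields["action"])

def triage(event: Event) -> Optional[dict]:
    """Open a high-severity case on the first deviation from the allowlist; None if clean."""
    hosts = ALLOWLIST.get(event.account)
    if hosts is None:
        return None  # not a production account: left to ordinary detections
    allowed = hosts.get(event.host)
    if allowed is None:
        reason = f"unexpected host {event.host}"
    elif event.action not in allowed:
        reason = f"unexpected action {event.action} on {event.host}"
    else:
        return None  # host and action both match: no alarm
    return {"account": event.account, "severity": "high", "reason": reason}

def run(lines: List[str]) -> List[dict]:
    """Triage each log line and return the cases that would be opened."""
    return [c for c in (triage(parse_event(l)) for l in lines) if c is not None]

# Constructed sample log: two clean events, two deviations, one non-production account.
SAMPLE_LOG = [
    "account=svc_deploy host=build01 action=service_restart",
    "account=svc_backup host=db02 action=file_read",
    "account=svc_backup host=ws-finance07 action=logon",
    "account=svc_deploy host=build02 action=service_restart",
    "account=jdoe host=ws-finance07 action=logon",
]
```

Running `run(SAMPLE_LOG)` yields exactly two cases: the backup account touching a workstation it should never reach, and the deploy account performing an action that is normal on one build host but not on the other.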
BENEFITS TO THIS APPROACH
This may seem like overkill, but it is actually a very straightforward and effective approach to such a sensitive set of accounts. Unlike regular or less privileged user accounts, production accounts can’t tolerate a lot of alarm testing or possible issues, so their detections should be very simple in nature while automating away as many false positives as possible.
This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.
PrintNightmare Breakdown: Analysis and Remediation
After a devastating 0-day hit Windows machines last month, administrators rushed to turn off the culprit: the print spooler. Caused by a patch meant to fix a previous vulnerability, this breakdown explains how the infection spreads, how to contain it, and some common markers of infection.
Microsoft Rushes Fix for ‘PetitPotam’ Attack PoC
Microsoft is recommending that system administrators stop using NT LAN Manager following an interesting proof-of-concept in which the attacker uses Microsoft SMB to force an authentication and capture the authentication details. From there, the captured password hashes can be easily cracked. A Microsoft workaround has been released.
Google Play Protect fails Android security tests once more
Based on an AV-TEST real-world lab test, the Google Play Protect mobile antivirus ranked last out of 15 applications tested. "Finishing in last place, Google Play Protect only detected 68.8 percent in the real-time test and 76.6 percent in the test with the reference set." It also picked out 70 apps as false positive detections.
Amazon gets $888 million GDPR fine for behavioral advertising
Using browser tracking and by building massive profiles filled with user data, Amazon has been caught red-handed utilizing data protected by the GDPR, and this data collection was done entirely without user consent. This is the largest fine issued by the European Union in enforcement of the GDPR. Amazon intends to appeal against the decision.
NSA Warns Public Networks are Hacker Hotbeds
Those of you who are regular DEFCON attendees need not be told: public WiFi is not safe. The NSA has released a public announcement confirming that Bluetooth, open WiFi, and NFC are all massive targets painted on the backs of corporate tech users. It offers much of the same guidance we’ve heard since 2015: turn off NFC and Bluetooth when not in use, use a VPN, and think critically about how you connect.
Ransomware Gangs and the Name Game Distraction
Ransomware gangs change names with the seasons, it seems, typically in an effort to throw off investigators or rebrand themselves in a different direction. The linked KrebsOnSecurity article shows just how often these name changes take place and why it’s so important to keep up as a security researcher.
Apple plans to scan US iPhones for child sexual abuse images
In a big move for the privacy world, Apple will now scan photos stored locally on iPhones for images of child sexual abuse. neuralMatch scans images before upload to iCloud, searching for known flagged imagery and notifying the National Center for Missing and Exploited Children if instances are found. This move, though morally clear, holds strong and concerning implications for the world of personal privacy,