The LogicHub Security Roundup: August 2021 Edition

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we cover a broad view of the past month’s threats, a series of informative use cases seen in the past month by our internal teams, and a series of recommended articles, podcasts, and other useful resources.

HIGHLIGHT

Windows Hyper-V RCE

WHAT DOES IT DO?

This vulnerability requires an authenticated attacker on a guest VM to send specially crafted file operation requests from the VM to hardware resources, which could result in remote code execution on the host server.

POTENTIAL IMPACT

An RCE on the host server could result in full compromise of the CIA triad (confidentiality, integrity and availability). Though this vulnerability requires specially crafted requests from an authenticated attacker, obtaining a default or weakly authenticated guest account for this purpose is simple enough.

REMEDIATION

Microsoft has released an official patch for this vulnerability.

MORE INFORMATION:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34450

HIGHLIGHT

Windows Kernel RCE

WHAT DOES IT DO?

This issue allows a single root input/output virtualization (SR-IOV) device which is assigned to a guest to potentially interfere with its Peripheral Component Interconnect Express (PCIe) siblings which are attached to other guests or to the root. Virtual machines and devices that utilize SR-IOV are particularly at risk, and its use increases the likelihood of an RCE being executed.

POTENTIAL IMPACT

As with all RCEs, this can cause severe interference or complete disruption to the CIA triad.

REMEDIATION

An official patch is available from the vendor.

MORE INFORMATION:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34458

HIGHLIGHT

Google Chrome DevTools Sandbox Vulnerability

WHAT DOES IT DO?

Insufficient policy enforcement in DevTools in Google Chrome prior to 92.0.4515.107 allowed an attacker who had convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted HTML page. The remainder of the details on this CVE have been made private by Google.

POTENTIAL IMPACT

This sandbox escape lets the attacker execute code outside the intended sandbox, which means that potentially damaging and data-exfiltrating commands can be run. Massive privacy and monetary implications are expected for this sort of vulnerability.

REMEDIATION

The vendor has released a patch for this issue.

MORE INFORMATION:

https://vuldb.com/?id.179980

CUSTOMER USE CASE

Suspicious Production Account Activity Triage

SUMMARY

Production accounts are simultaneously the most important and least expected place to see malicious activity on a network. While it’s uncommon to see a compromise situation get this far, it’s extremely important that controls be put in place to monitor and lock down access to production accounts and enforce the principle of least privilege. Ideally, a production account alarm should look for a specific kind of unusual account operation or login and report it with a heightened alarm severity.

AUTOMATED SOLUTION

Current automation logic starts with a lot of very careful, specific whitelisting. Every machine that a production account is expected to touch is enumerated, then cross-checked against the account’s normal actions. If everything matches, no alarm triggers. If there is a single mismatch, a case is created with heightened severity and an alert goes to the analysts in charge of the instance.
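The allowlist cross-check described above, as an added Python example that is not LogicHub’s own playbook code; the account names, host names, audit-log format and allowlist contents are constructed assumptions:

```python
import re

# Assumed allowlist (constructed): per production account, the permitted hosts and actions.
ALLOWLIST = {
    "svc_prod_db": {"hosts": {"db-prod-01", "db-prod-02"},
                    "actions": {"login", "backup", "query"}},
    "svc_prod_deploy": {"hosts": {"app-prod-01"}, "actions": {"login", "deploy"}},
}

# Constructed key=value audit lines; the format itself is an assumption.
SAMPLE_LOG = """\
ts=2021-08-03T02:10:11Z account=svc_prod_db host=db-prod-01 action=backup
ts=2021-08-03T02:14:52Z account=svc_prod_db host=jumpbox-07 action=login
ts=2021-08-03T02:15:30Z account=svc_prod_deploy host=app-prod-01 action=deploy
ts=2021-08-03T02:16:04Z account=svc_prod_deploy host=app-prod-01 action=query
ts=2021-08-03T02:17:40Z account=svc_prod_etl host=db-prod-02 action=login
garbage line that the parser must not silently swallow
"""

LINE_RE = re.compile(r"ts=(\S+) account=(\S+) host=(\S+) action=(\S+)$")


def triage_event(ts, account, host, action, allowlist=ALLOWLIST):
    """Return a high-severity case on any allowlist mismatch, else None."""
    policy = allowlist.get(account)
    if policy is None:  # a production account nobody wrote a policy for
        reason = "no allowlist entry for this production account"
    elif host not in policy["hosts"]:  # host checked first: an unexpected
        reason = f"host {host} not permitted for {account}"  # machine wins
    elif action not in policy["actions"]:
        reason = f"action {action} not permitted for {account}"
    else:
        return None  # host and action both match: no case, no noise
    return {"severity": "high", "ts": ts, "account": account,
            "host": host, "action": action, "reason": reason}


def triage_log(text, allowlist=ALLOWLIST):
    """Parse audit lines; return (cases to open, count of unparsable lines)."""
    cases, malformed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            malformed += 1  # surface parser failures instead of dropping them
            continue
        case = triage_event(*m.groups(), allowlist=allowlist)
        if case:
            cases.append(case)
    return cases, malformed
```

Running triage_log(SAMPLE_LOG) opens three high-severity cases (unexpected host, unexpected action, account with no policy) and reports one unparsable line, so a broken log feed is visible rather than silently producing zero alarms.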

BENEFITS TO THIS APPROACH

This may seem like overkill, but it is actually a very straightforward and effective approach for such a sensitive set of accounts. Unlike regular or less privileged user accounts, production accounts cannot tolerate much alarm experimentation or tuning, so their detections should be very simple in nature while automating away as many false positives as possible.

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.