Security Safari

New Threats in the Wild

This section is devoted to threats of particular note that have been seen in the past month. A select few of particular interest will be highlighted in greater detail. NIST NVD data will be used to make these determinations.

HIGHLIGHT

Google Chrome Use After Free

What does it do?

The Google Chrome web browser frequently stores items in memory to reference later. A ‘use after free’ vulnerability means that the application keeps a reference to a block of memory it has already freed and later uses it; because the allocator may have reused that block for something else, the stale use can corrupt data or even lead to arbitrary code execution. More specifically, from the CVE page: “Web Transport in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.”

Potential Impact

Sandbox escapes and Use After Free vulnerabilities are both highly dangerous ways of gaining unintended privileges and can cause significant losses on all portions of the CIA triad.

Remediation

A stable release has been made available by the Chrome development team.

More Information:

https://nvd.nist.gov/vuln/detail/CVE-2021-38002

HIGHLIGHT

Zoom Buffer Overflow

What does it do?

Zoom is an application for virtual meetings and calling over phone or computer. In this vulnerability, many of Zoom’s different clients are affected by a buffer overflow. A buffer overflow occurs when data is written past the bounds of the memory allocated for it, because of a missing length check or an error in how memory is written; the overwritten neighbouring memory can then be used to perform unintended actions. Details on the methodology for this vulnerability were not given, but we have seen several similar issues in Zoom clients dating back to 2017.

Potential Impact

As with all buffer overflows, severity is quite high because the overwritten memory can affect sensitive parts of a system. Buffer overflows also tend to occur in low-level components that run with high privileges (such as system accounts), and an exploit inherits whatever privileges that component has.

Remediation

The manufacturer has released a patch that is currently available and recommended for download.

More Information:

https://nvd.nist.gov/vuln/detail/CVE-2021-34423

HIGHLIGHT

Palo Alto GlobalProtect Arbitrary Execution

What does it do?

Palo Alto GlobalProtect is a VPN application with extra security features for all throughput traffic. From the CVE: “A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit this issue. This issue impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.17. Prisma Access customers are not impacted by this issue.”

Potential Impact

As with any arbitrary execution issue, this can be dangerous to all internal processes and the entirety of the CIA triad. However, due to the fact that the attacker must have access to the GlobalProtect interface, this vulnerability is slightly easier to manage.

Remediation

A patch has been released by the manufacturer.

More Information:

https://nvd.nist.gov/vuln/detail/CVE-2021-3064

Additional Threats

CVE-2021-22049

The vSphere Web Client (FLEX/Flash) contains an SSRF (Server Side Request Forgery) vulnerability in the vSAN Web Client (vSAN UI) plug-in. A malicious actor with network access to port 443 on vCenter Server may exploit this issue by accessing a URL request outside of vCenter Server or accessing an internal service.

More Info

CVE-2021-29114

A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and below allows a remote, unauthenticated attacker to impact the confidentiality, integrity and availability of targeted services via specifically crafted queries.

More Info

CVE-2021-43998

HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.

More Info

CVE-2021-42308

Microsoft Edge (Chromium-based) Spoofing Vulnerability (Author’s Note: Little information on this vulnerability exists; however, it has been included here due to its severity. If using Edge, please keep up-to-date.)

More Info

From The Field

Real World Use Cases in Action

In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.

Customer Use Case

Phishing Context Automation and Response

Summary

Phishing can be one of the greatest attack vectors to a company. Through one email, or a single link, it is very easy for an attacker to strike and do a large amount of damage. By reviewing all of the relevant fields for a suspicious email (metadata, file hash, included links, and sender domain), it’s relatively simple to prevent that email from ever reaching its target. Many modern malware solutions can stop basic attacks and suspicious emails, but verifying the legitimacy of the anti-malware action is another story. In one case, a customer had a series of items downloaded by an employee, many of which were suspicious and flagged by the anti-malware solution. Because there were so many items, digging through them took a lot of man hours only to find no legitimate attacks.

Automated Solution

By using multiple sources to review file hashes and checking sender and link domains against an allowlist, we can quickly pare down the results to those that are truly suspicious. Combining the results from several lookups means that each item can be scored by severity and reviewed in order of priority. Items that appear more severe are escalated for analyst review, while items scored low enough can be automatically closed and commented on within a case. After these decisions are made, tuning can be performed to eliminate the lowest-severity items right at the source.
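The scoring and auto-close logic described above, written out as an added example (this is illustrative code, not LogicHub’s own automation); the reputation sources, the domain allowlist, the weights and the threshold are all constructed stand-ins:

```python
# Added example: severity scoring for anti-malware-flagged email artifacts.
# Reputation sources, allowlist, weights and threshold are constructed for illustration.
from dataclasses import dataclass, field

# Constructed allowlist of domains the organisation trusts.
ALLOWED_DOMAINS = {"example.com", "partner.example.org"}

# Constructed stand-ins for independent hash reputation lookups: each maps a
# SHA-256 to the number of engines that flagged it; a missing hash is "unknown".
REPUTATION_SOURCES = {
    "source_a": {"aa" * 32: 40, "bb" * 32: 0},
    "source_b": {"aa" * 32: 35, "cc" * 32: 2},
}

AUTO_CLOSE_THRESHOLD = 20  # constructed: anything below this is closed with a comment


@dataclass
class Item:
    sha256: str
    sender_domain: str
    link_domains: list = field(default_factory=list)


def score_item(item: Item) -> int:
    """Combine hash reputation, sender domain and link domains into one severity score."""
    score = 0
    verdicts = [src.get(item.sha256) for src in REPUTATION_SOURCES.values()]
    known = [v for v in verdicts if v is not None]
    if known:
        # Take the worst verdict: one clean source does not override another's detections.
        score += min(max(known) * 2, 60)
    else:
        score += 25  # unknown to every source: cannot be cleared automatically
    if item.sender_domain not in ALLOWED_DOMAINS:
        score += 15
    # Each link outside the allowlist adds weight, capped so one mail cannot saturate the score.
    score += min(10 * sum(d not in ALLOWED_DOMAINS for d in item.link_domains), 30)
    return score


def triage(items):
    """Return (auto_closed, escalated); escalated items are sorted highest severity first."""
    closed, escalated = [], []
    for item in items:
        s = score_item(item)
        if s < AUTO_CLOSE_THRESHOLD:
            closed.append((item.sha256[:8], f"auto-closed: score {s} below threshold"))
        else:
            escalated.append((item.sha256[:8], s))
    escalated.sort(key=lambda pair: pair[1], reverse=True)
    return closed, escalated
```

Note that a hash unknown to every source is deliberately kept above the auto-close threshold, so the automation only closes items that at least one lookup has actually seen and cleared.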

Benefits to This Approach

The automation used in this solution may be simple, but it is powerful. The results were staggering in that all items could quickly be sorted and many were removed in the end. With phishing being one of the most common methods for attack, it’s important to keep a sharp eye on emails, and especially on links and attached files.

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.

This mysterious malware could threaten millions of routers and IoT devices

BotenaGo is an Internet of Things malware with over 30 different exploits up its sleeve. Written in Go, it is detected by some antiviruses as a variant of the Mirai botnet malware but is not written in the same language. This malware is currently operating in beta with no command and control server.

Read More

Facebook's Meta pushes back Messenger and Instagram encryption plans until 2023

Encryption activists have a little longer to wait for popular social media apps Messenger and Instagram to hop on the ‘default secure messaging’ bandwagon. Per the ZDNet article: “E2EE should mean that even Facebook employees with physical access to its hardware in data centers can't access the content of messages, preventing the firm and employees from producing some evidence even when ordered by a court to do so.”

Read More

Mediatek eavesdropping bug impacts 30% of all Android smartphones

The Mediatek semiconductor vulnerabilities were found by Check Point, with three patched and one soon-to-be patched vulnerability in out-of-bounds privilege escalations. All users of Mediatek devices are urged to patch promptly.

Read More

Germany to force ISPs to give discounts for slow Internet speeds

In a measure that most consumers could likely get behind, an amendment to the Telecommunications Act of Germany dictates the possibility of discounts to consumers when ISPs don’t deliver on promised speeds. An official speed measurement app provided by the German Federal Network Agency will help in documenting speeds for this purpose. Hopefully, an amendment like this may pave the way for other countries to start enforcing better speeds in a world where modern internet is becoming a necessity.

Read More

Hackers are targeting this Microsoft Windows Installer flaw, say security researchers

An escalation of privilege flaw in the Windows Installer is now being exploited (according to Cisco Talos researchers) and can give attackers admin rights. A proof of concept shows that it still functions even despite Microsoft’s patching attempts, working on the ‘server’ versions of affected Windows as well as regular Windows installs.

Read More

BitMart: Crypto-exchange loses $150m to hackers

The exchange giant may have lost up to $200M according to the first security company that noticed the hack. Losses like this are becoming commonplace - in fact, they have shuttered larger exchanges previously - so it is highly recommended for traders to move their cryptocurrency into cold storage if they are not actively trading with it. BitMart has made little information available on this loss, but assures their customers that they will continue to update where information becomes available.

Read More

You Can Now Get $25 From Zoom Following a Class Action Settlement

Paid subscribers to the service are receiving $25, and normal users between 2016 and 2021 may receive $25. This settlement is due to Zoom allegedly not doing enough to prevent leaks of user information (such as through the zoom-bombing attacks that were seen prior to patching). Zoom also allegedly falsely advertised their application as end-to-end encrypted.

Read More