The LogicHub Security Roundup: December 2021 Edition
Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.
Google Chrome Use After Free
WHAT DOES IT DO?
The Google Chrome web browser frequently stores items in memory to reference later. A ‘use after free’ vulnerability means that an area of memory is referenced after the application has already freed it; that dangling reference can corrupt data or even lead to arbitrary code execution. More specifically, from the CVE page: “Web Transport in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.”
Sandbox escapes and use-after-free vulnerabilities are both highly dangerous ways of gaining unintended privileges, and can cause significant losses across all portions of the CIA triad.
A stable release has been made available by the Chrome development team.
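To make the use-after-free pattern concrete from a defender's side, here is an added example (not Chrome code and not from the original roundup) of a small heap-allocated object with a release routine written two ways. The object name, field names and the "example.invalid" peer string are constructed for illustration. The unsafe release leaves every caller holding a dangling pointer, which is exactly the condition a use-after-free exploits; the hardened release scrubs the object, frees it and nulls the owner's pointer, so a later use is caught by a null check instead of reading freed memory. The dangling pointer is deliberately never dereferenced here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example object, similar in spirit to the items a browser
 * keeps in memory to reference later. Not Chrome's data structure. */
struct conn {
    char peer[32];
    int  open;
};

struct conn *conn_new(const char *peer) {
    struct conn *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    strncpy(c->peer, peer, sizeof c->peer - 1);
    c->open = 1;
    return c;
}

/* Vulnerable pattern: frees the object but leaves every caller holding a
 * dangling pointer. Any later conn_peer_len() on that pointer would be a
 * use-after-free (undefined behaviour); it is never exercised here. */
void conn_release_unsafe(struct conn *c) {
    free(c);
}

/* Hardened pattern: take the owner's pointer by address, scrub and free
 * the object, then null the owner's pointer so stale uses are detectable. */
void conn_release_safe(struct conn **pc) {
    if (!pc || !*pc) return;
    memset(*pc, 0, sizeof **pc);   /* stale contents cannot be reused */
    free(*pc);
    *pc = NULL;
}

/* Returns the peer name length, or -1 if the handle is no longer valid.
 * With the safe release, the null check turns a UAF into a clean error. */
int conn_peer_len(const struct conn *c) {
    if (!c || !c->open) return -1;
    return (int)strlen(c->peer);
}

/* Worked scenario: returns 1 if the hardened lifecycle behaved as expected. */
int demo_lifecycle(void) {
    struct conn *c = conn_new("example.invalid");   /* 15-character constructed name */
    if (!c) return 0;
    int before = conn_peer_len(c);       /* 15 */
    conn_release_safe(&c);               /* c is now NULL */
    int after = conn_peer_len(c);        /* -1 instead of a dangling read */
    return before == 15 && c == NULL && after == -1;
}
```

Nulling the owner's pointer only protects the pointer you were handed; any other copies of the pointer elsewhere in the program remain dangling, which is why real fixes in large code bases usually also involve ownership rules or reference counting rather than this single check alone.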
Zoom Buffer Overflow
WHAT DOES IT DO?
Zoom is an application for virtual meetings and calling over phone or computer. In this vulnerability, many of Zoom’s different clients are affected by a buffer overflow. Buffer overflows take advantage of missing memory bounds checks, or of errors in the way memory is written, to perform unintended actions: an application or script can write data in a way that bypasses the checks meant to prevent access to forbidden areas of memory. Details on the methodology for this vulnerability were not given, but we have seen several similar issues in Zoom clients dating back to 2017.
As with all buffer overflows, severity is quite high because of the ability to impact sensitive parts of a system. Buffer overflows tend to hit at a low level of the system and take advantage of the high privileges granted at that level (such as system roles).
The manufacturer has released a patch that is currently available and recommended for download.
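The missing-bounds-check idea above is easiest to see in code, so here is an added example (constructed for this roundup, not Zoom's code) of a fixed-size name field written two ways. The struct, field names, the 16-byte limit and the 40-byte input are all constructed values. The unsafe copy trusts the caller's length and would spill past the array into the neighbouring field; the hardened copy checks the length first and refuses input that does not fit, leaving the adjacent field untouched. The unsafe function is shown for contrast only and is never called with over-long input.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* constructed fixed-size field, not a Zoom value */

struct participant {
    char name[NAME_MAX];
    int  is_host;      /* sits right after name: the field a spill would clobber */
};

/* Vulnerable pattern: copies whatever length the caller sends. A name
 * longer than NAME_MAX-1 writes past the array into is_host and beyond.
 * Shown only for contrast; never called with over-long input here. */
void set_name_unsafe(struct participant *p, const char *src) {
    strcpy(p->name, src);
}

/* Hardened pattern: check the length before writing and refuse (rather
 * than silently truncate) anything that does not fit. Returns 0 on
 * success, -1 when the input would overflow or arguments are invalid. */
int set_name_safe(struct participant *p, const char *src, size_t src_len) {
    if (!p || !src) return -1;
    if (src_len >= NAME_MAX) return -1;   /* leave room for the terminator */
    memcpy(p->name, src, src_len);
    p->name[src_len] = '\0';
    return 0;
}

/* Worked scenario: a 40-byte name against a 16-byte field. Returns 1 if
 * the hardened function rejected it and left the neighbouring field intact. */
int demo_overflow_rejected(void) {
    struct participant p = { "guest", 0 };
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed: 40 x 'A' */
    int rc = set_name_safe(&p, oversized, strlen(oversized));
    return rc == -1 && p.is_host == 0 && strcmp(p.name, "guest") == 0;
}
```

Rejecting rather than truncating is a deliberate choice: silent truncation keeps the program running but can itself change meaning (a name or path cut short), so an explicit error that the caller must handle is usually the safer default.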
Palo Alto GlobalProtect Arbitrary Execution
WHAT DOES IT DO?
Palo Alto GlobalProtect is a VPN application with extra security features for all throughput traffic. From the CVE: “A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit this issue. This issue impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.17. Prisma Access customers are not impacted by this issue.”
As with any arbitrary execution issue, this can be dangerous to all internal processes and the entirety of the CIA triad. However, because the attacker must have network access to the GlobalProtect interface, this vulnerability is slightly easier to manage.
A patch has been released by the manufacturer.
The vSphere Web Client (FLEX/Flash) contains an SSRF (Server Side Request Forgery) vulnerability in the vSAN Web Client (vSAN UI) plug-in. A malicious actor with network access to port 443 on vCenter Server may exploit this issue by accessing a URL request outside of vCenter Server or accessing an internal service.
A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and below allows a remote, unauthenticated attacker to impact the confidentiality, integrity and availability of targeted services via specifically crafted queries.
HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.
Microsoft Edge (Chromium-based) Spoofing Vulnerability (Author’s Note: Little information on this vulnerability exists; however, it has been included here due to its severity. If using Edge, please keep up-to-date.)
CUSTOMER USE CASE
Phishing Context Automation and Response
Phishing can be one of the most significant attack vectors against a company. Through one email, or a single link, it is very easy for an attacker to strike and do a large amount of damage. By reviewing all of the relevant fields of a suspicious email (metadata, file hash, included links, and sender domain), it is relatively simple to prevent that email from ever reaching its target. Many modern anti-malware solutions can stop basic attacks and suspicious emails, but verifying that the anti-malware action was legitimate is another story. In one case, a customer had a series of items downloaded by an employee, many of which were suspicious and flagged by the anti-malware solution. Because there were so many items, digging through them took many hours of analyst time, only to find no legitimate attacks.
By using multiple sources to review hashes, together with checks against allowed domains, we can quickly pare down the results to those that are truly suspicious. Combining the results from several lookups means that items can be scored by severity and reviewed quickly. Items that appear more severe are reviewed, while items scored low enough can be automatically closed and commented on within a case. After these decisions are made, tuning can be performed to eliminate the lowest-severity items right at the source.
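As an added illustration of the scoring and auto-close step described above (constructed for this write-up, not LogicHub's playbook code or data model), the following example combines the outcome of several hash lookups, a link-reputation count and a sender-domain allowlist into one severity score, then decides whether an item is closed with a comment or sent to an analyst. The struct fields, the two allowlisted domains, the weights and the auto-close threshold are all assumed values chosen for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed triage record for one suspicious email; field names are
 * assumptions, not LogicHub's data model. */
struct email_indicators {
    const char *sender_domain;
    int  hash_hits;        /* how many hash lookups flagged the attachment */
    int  hash_sources;     /* how many hash lookups were performed */
    int  bad_links;        /* links whose domain is on a blocklist */
    int  total_links;
};

/* Constructed allowlist of sender domains. */
static const char *const ALLOWED_DOMAINS[] = { "example.com", "partner.example" };

int domain_allowed(const char *domain) {
    for (size_t i = 0; i < sizeof ALLOWED_DOMAINS / sizeof ALLOWED_DOMAINS[0]; i++)
        if (strcmp(domain, ALLOWED_DOMAINS[i]) == 0) return 1;
    return 0;
}

/* Combine the lookups into a single 0..100 severity score.
 * Weights are arbitrary constructed values: consensus of hash sources
 * counts most, link reputation next, an unknown sender adds a little. */
int severity_score(const struct email_indicators *e) {
    int score = 0;
    if (e->hash_sources > 0)
        score += 60 * e->hash_hits / e->hash_sources;
    if (e->total_links > 0)
        score += 30 * e->bad_links / e->total_links;
    if (!domain_allowed(e->sender_domain))
        score += 10;
    return score > 100 ? 100 : score;
}

enum triage_action { AUTO_CLOSE, ANALYST_REVIEW };

#define AUTO_CLOSE_THRESHOLD 10   /* constructed tuning value */

/* Items scoring at or below the threshold are closed with a comment
 * recording why; everything else goes to an analyst. */
enum triage_action triage(const struct email_indicators *e, char *comment, size_t comment_len) {
    int s = severity_score(e);
    if (s <= AUTO_CLOSE_THRESHOLD) {
        snprintf(comment, comment_len, "auto-closed: severity %d (hash %d/%d, links %d/%d)",
                 s, e->hash_hits, e->hash_sources, e->bad_links, e->total_links);
        return AUTO_CLOSE;
    }
    snprintf(comment, comment_len, "analyst review: severity %d", s);
    return ANALYST_REVIEW;
}
```

The comment written on auto-close is what makes later tuning possible: it records the lookup counts behind the decision, so the lowest-severity patterns can be identified and removed at the source once enough cases have been closed.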
BENEFITS TO THIS APPROACH
The automation used in this solution may be simple, but it is powerful. The results were staggering: all items could be sorted quickly, and many were removed in the end. With phishing being one of the most common methods of attack, it’s important to keep a sharp eye on emails, and especially on links and attached files.
This section contains some interesting reading related to the state of infosec today. Each article has a short summary that explains the basic idea of the news, with a link to more information.
This mysterious malware could threaten millions of routers and IoT devices
BotenaGo is an Internet of Things malware with over 30 different exploits up its sleeve. Written in Go, it is detected by some antivirus products as a variant of the Mirai botnet malware, though it is not written in the same language. This malware is currently operating in beta with no command and control server.
Facebook's Meta pushes back Messenger and Instagram encryption plans until 2023
Encryption activists have a little longer to wait for popular social media apps Messenger and Instagram to hop on the ‘default secure messaging’ bandwagon. Per the ZDNet article: “E2EE should mean that even Facebook employees with physical access to its hardware in data centers can't access the content of messages, preventing the firm and employees from producing some evidence even when ordered by a court to do so.”
Mediatek eavesdropping bug impacts 30% of all Android smartphones
The Mediatek semiconductor vulnerabilities were found by Check Point: three have been patched and one is soon to be patched. They are out-of-bounds memory bugs that allow privilege escalation. All users of Mediatek devices are urged to patch promptly.
Germany to force ISPs to give discounts for slow Internet speeds
In a measure that most consumers could likely get behind, an amendment to the Telecommunications Act of Germany dictates the possibility of discounts to consumers when ISPs don’t deliver on promised speeds. An official speed measurement app provided by the German Federal Network Agency will help in documenting speeds for this purpose. Hopefully, an amendment like this may pave the way for other countries to start enforcing better speeds in a world where modern internet is becoming a necessity.
Hackers are targeting this Microsoft Windows Installer flaw, say security researchers
An escalation of privilege flaw in the Windows Installer is now being exploited (according to Cisco Talos researchers) and can give attackers admin rights. A proof of concept shows that it still functions even despite Microsoft’s patching attempts, working on the ‘server’ versions of affected Windows as well as regular Windows installs.
BitMart: Crypto-exchange loses $150m to hackers
The exchange giant may have lost up to $200M according to the first security company that noticed the hack. Losses like this are becoming commonplace - in fact, they have shuttered larger exchanges previously - so it is highly recommended for traders to move their cryptocurrency into cold storage if they are not actively trading with it. BitMart has made little information available on this loss, but assures their customers that they will continue to update where information becomes available.
You Can Now Get $25 From Zoom Following a Class Action Settlement
Paid subscribers to the service are receiving $25, and normal users between 2016 and 2021 may receive $25. This settlement is due to Zoom allegedly not doing enough to prevent leaks of user information (such as through the zoom-bombing attacks that were seen prior to patching). Zoom also allegedly falsely advertised their application as end-to-end encrypted.