The LogicHub Security Roundup: February 2022 Edition

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen by our teams, and a series of recommended articles, podcasts, and other useful resources.

HIGHLIGHT

IBM Financial Transaction Manager Cross-Site Request Forgery

WHAT DOES IT DO?

The IBM Financial Transaction Manager has been affected by a vulnerability whose disclosure gives little information on the affected component or the triggering input. Per the MITRE ATT&CK framework listing on cross-site request forgery, the receiving server does not sufficiently verify that a request was intentionally sent by the client, which means that an attacker can trick the server into unintentionally providing sensitive information.
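To make the mechanism concrete, here is an added example (not code from the original roundup or from IBM) of a request handler written two ways: one that trusts the session cookie alone, and one that also requires a per-session synchronizer token and checks the Origin header. The session store, origin name and request shape are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store for this example; a real application
# would keep this server-side, keyed by the session cookie.
SESSIONS = {"sess-abc123": {"user": "alice", "csrf_token": secrets.token_urlsafe(32)}}
SITE_ORIGIN = "https://bank.example"  # hypothetical site origin


def vulnerable_transfer(request):
    """Authenticates by session cookie only. A cross-site form post made by the
    victim's browser carries that cookie automatically, so it is accepted."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return "401 not logged in"
    return f"200 moved {request['form']['amount']} from {session['user']}"


def hardened_transfer(request):
    """Synchronizer token plus Origin check. The token lives in session state and
    must be echoed back in the form body; a cross-site page cannot read it, and
    the constant-time comparison avoids leaking it through timing."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return "401 not logged in"
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "403 cross-origin request rejected"
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return "403 missing or invalid CSRF token"
    return f"200 moved {request['form']['amount']} from {session['user']}"


def build_requests():
    """Constructed sample traffic: one legitimate same-site post and one forged
    post launched from an attacker-controlled page in the victim's browser."""
    legit = {
        "cookies": {"session": "sess-abc123"},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"amount": "50", "csrf_token": SESSIONS["sess-abc123"]["csrf_token"]},
    }
    forged = {
        "cookies": {"session": "sess-abc123"},  # the browser attaches it automatically
        "headers": {"Origin": "https://evil.example"},
        "form": {"amount": "5000"},  # the forging page cannot read the victim's token
    }
    return legit, forged


if __name__ == "__main__":
    legit, forged = build_requests()
    print("vulnerable/forged:", vulnerable_transfer(forged))
    print("hardened/forged:  ", hardened_transfer(forged))
    print("hardened/legit:   ", hardened_transfer(legit))
```

The Origin check alone is not sufficient (older clients may omit the header), which is why the token check still runs when no Origin is present.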

POTENTIAL IMPACT

This vulnerability is rated lower in severity than the issues we usually cover, but it is notable because of how widely the application is deployed, the flexibility of the technique, and the lack of specifics in the disclosure.

REMEDIATION

Upgrades are available for this vulnerability.

MORE INFORMATION:

https://vuldb.com/?id.192115

HIGHLIGHT

Polkit pkexec Privilege Escalation

WHAT DOES IT DO?

Polkit, also known as PolicyKit, is a component for Unix-like systems that manages system-wide privileges. The pkexec command allows Polkit to run an action with elevated privileges. When exploited, the attacker leverages environment variables to achieve arbitrary code execution, which in turn allows privilege escalation.

POTENTIAL IMPACT

As with all privilege escalations, this one can allow for pivoting and far greater damage to the whole network than many other methods of attack. Because roles tend not to be as heavily locked down as the machines themselves, it is imperative that users keep least privilege firmly in mind when thinking about mitigating privilege escalation.

REMEDIATION

There is an immediate update available and a mitigation for those who can’t immediately update.

MORE INFORMATION:

https://access.redhat.com/security/cve/CVE-2021-4034

HIGHLIGHT

Samba 4 RCE

WHAT DOES IT DO?

Samba is a utility for Macs that allows legacy MacOS/classic devices to use SMB, an inherently Windows-based drive sharing utility. The best description of this vulnerability is the one given in the disclosure: “All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit.

The specific flaw exists within the parsing of EA metadata when opening files in smbd. Access as a user that has write access to a file's extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.

The problem in vfs_fruit exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk or fruit:resource=file. If both options are set to different settings than the default values, the system is not affected by the security issue.”

POTENTIAL IMPACT

Arbitrary code execution has near limitless potential for an attacker, and is almost always a high criticality. All portions of the CIA triad are compromised.

REMEDIATION

Changing the default values in the vfs_fruit configuration can help mitigate the issue where that is possible. Otherwise, patches and new releases have been published by the Samba maintainers.
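As an added example (not code from the roundup or from the Samba project), the following audit reads an smb.conf, resolves each share's effective settings against [global], and flags any share that loads the fruit module while either fruit:metadata or fruit:resource is still at the default named in the advisory quoted above. The sample configuration is constructed and does not describe any real deployment.

```python
import re

# vfs_fruit defaults as named in the Samba advisory quoted above. A share is
# affected when it loads the fruit module and either option is at its default.
VULNERABLE_DEFAULTS = {"fruit:metadata": "netatalk", "fruit:resource": "file"}


def parse_smb_conf(text):
    """Minimal smb.conf parser: returns {section: {key: value}} with keys
    lower-cased and whitespace normalised. Comment lines (# or ;) are ignored.
    Splitting on '=' only, since fruit option names contain ':'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def audit_vfs_fruit(text):
    """Return {share: reason} for each share affected by the vfs_fruit issue.
    Share-level settings override [global]; unset options take the default."""
    conf = parse_smb_conf(text)
    global_conf = conf.get("global", {})
    findings = {}
    for name, share in conf.items():
        if name == "global":
            continue
        effective = {**global_conf, **share}
        modules = effective.get("vfs objects", "").split()
        if "fruit" not in modules:
            continue
        at_default = [
            opt for opt, default in VULNERABLE_DEFAULTS.items()
            if effective.get(opt, default).lower() == default
        ]
        if at_default:
            findings[name] = "vfs_fruit loaded with default " + ", ".join(at_default)
    return findings


# Constructed sample configuration (not taken from any real system).
SAMPLE_SMB_CONF = """
[global]
    workgroup = WORKGROUP
    vfs objects = fruit streams_xattr

[timemachine]
    path = /srv/tm
    ; inherits the module list and both defaults from [global]: affected

[hardened]
    path = /srv/hardened
    fruit:metadata = stream
    fruit:resource = xattr
    # both options moved off their defaults: not affected

[plain]
    path = /srv/plain
    vfs objects = streams_xattr
    # fruit module not loaded at all: not affected
"""

if __name__ == "__main__":
    for share, reason in audit_vfs_fruit(SAMPLE_SMB_CONF).items():
        print(f"{share}: {reason}")
```

The configuration change is a workaround, not a fix: the advisory's wording is that only a setup with both options away from their defaults is unaffected, so the audit reports a share as soon as either one is still at its default.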

MORE INFORMATION:

https://www.samba.org/samba/security/CVE-2021-44142.html

Additional Threats

CUSTOMER USE CASE

Collecting Rain: Cloudflare WAF Triage and Correlation

SUMMARY

Cloudflare WAFs are useful tools, able to pull out interesting pieces of network traffic and present them for easy review. The only problem: they can get quite noisy, and noisy data is hard to connect to other sources. On a small-to-medium-sized network, millions of alerts can still fire every day even with basic tuning.

Our MDR team sees hundreds of new cases a day with a large share of Cloudflare traffic among them, so finding a way to remove the obviously benign items is a large boon to operations.

AUTOMATED SOLUTION

After Cloudflare cases are created, automated triage can begin. By pulling the created alerts and checking them against a log management solution, we can correlate traffic logs and confirm whether there was further activity from the address. From there, we can also view the WAF actions and Edge Responses, which inform how the case should be triaged. After pulling the results and confirming them against known-good traffic patterns, we either close out the case or mark it for review.
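Here is the triage flow as an added example, not LogicHub's own playbook code: it groups WAF alerts by case, checks the source against a known-good allow-list, correlates the alerting addresses against origin log lines returned by a log management query, and closes or flags each case. The alert fields, allow-list network and log lines are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Hypothetical allow-list of known-good sources (e.g. an approved external scanner).
KNOWN_GOOD_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed Cloudflare-style WAF alerts, one dict per event, carrying the
# fields the summary above relies on: the WAF action and the edge response status.
WAF_ALERTS = [
    {"case": "C-1", "client_ip": "198.51.100.7", "action": "block", "edge_status": 403, "rule": "sqli"},
    {"case": "C-2", "client_ip": "203.0.113.9", "action": "block", "edge_status": 403, "rule": "xss"},
    {"case": "C-3", "client_ip": "203.0.113.50", "action": "log", "edge_status": 200, "rule": "lfi"},
    {"case": "C-3", "client_ip": "203.0.113.50", "action": "challenge", "edge_status": 403, "rule": "rce"},
]

# Constructed origin/application log lines, standing in for what a log
# management query returns for the alerting addresses.
ORIGIN_LOG_LINES = [
    '203.0.113.50 - - "GET /wp-admin/ HTTP/1.1" 200',
    '203.0.113.50 - - "POST /xmlrpc.php HTTP/1.1" 200',
    '192.0.2.3 - - "GET / HTTP/1.1" 200',
]


def is_known_good(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_GOOD_NETWORKS)


def origin_hits(log_lines):
    """Index origin log lines by source IP (the first whitespace-separated field)."""
    hits = defaultdict(list)
    for line in log_lines:
        hits[line.split(None, 1)[0]].append(line)
    return hits


def triage(alerts, log_lines):
    """Return {case_id: (disposition, reason)}. A case is closed when every
    source is known-good, or when the edge blocked every event and the origin
    logs show no follow-on activity; anything else is marked for review."""
    hits = origin_hits(log_lines)
    by_case = defaultdict(list)
    for alert in alerts:
        by_case[alert["case"]].append(alert)
    result = {}
    for case, events in by_case.items():
        ips = {e["client_ip"] for e in events}
        if all(is_known_good(ip) for ip in ips):
            result[case] = ("close", "source matches a known-good traffic pattern")
            continue
        fully_blocked = all(
            e["action"] in ("block", "challenge") and e["edge_status"] >= 400 for e in events
        )
        follow_on = [line for ip in sorted(ips) for line in hits.get(ip, [])]
        if fully_blocked and not follow_on:
            result[case] = ("close", "blocked at the edge, no follow-on activity at origin")
        else:
            actions = sorted({e["action"] for e in events})
            result[case] = ("review", f"{len(follow_on)} origin hit(s); actions={actions}")
    return result


if __name__ == "__main__":
    for case, (disposition, reason) in triage(WAF_ALERTS, ORIGIN_LOG_LINES).items():
        print(f"{case}: {disposition} ({reason})")
```

The "close" decision is deliberately conservative: a single event the edge only logged or allowed, or a single origin hit from the address, is enough to route the case to an analyst.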

BENEFITS TO THIS APPROACH

Cloudflare is an extremely useful tool in the arsenal of a security team. Managing its logs and using it to our advantage means that we can gain the upper hand on potential attackers without lifting a finger, so more time can be spent on remediation, patching, and even further automation. This correlation is just the beginning: from here, we may use further triage or quick escalation to raise issues.

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.