The LogicHub Security Roundup: February 2022 Edition
Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen by our teams, and a series of recommended articles, podcasts, and other useful resources.
IBM Financial Transaction Manager Cross-Site Request Forgery
WHAT DOES IT DO?
IBM Financial Transaction Manager is affected by a cross-site request forgery vulnerability whose disclosure gives little detail about the affected component or the triggering input. Per the MITRE ATT&CK framework listing on cross-site request forgery, the receiving component does not sufficiently validate the input it is handed, which means that an attacker can trick the server into unintentionally providing sensitive information.
This vulnerability is actually a lower severity than we tend to cover, but is notable because of the widespread nature of the application, the flexibility of the technique, and the lack of specifics in the disclosure.
Upgrades are available for this vulnerability.
Polkit pkexec Privilege Escalation
WHAT DOES IT DO?
Polkit, also known as ‘policy kit’, is a component for Unix-like systems that manages system-wide privileges. The pkexec command is the Polkit tool used to run an action with elevated privileges. When exploited, the attacker leverages environment variables to gain arbitrary code execution, which in turn allows privilege escalation.
As with all privilege escalations, this one can enable pivoting and far greater damage across the whole network than many other methods of attack. Because roles tend not to be locked down as heavily as the machines themselves, it is imperative that users keep least privilege in mind when thinking about mitigating privilege escalation.
An update is available immediately, along with a mitigation for those who can’t update right away.
Samba 4 RCE
WHAT DOES IT DO?
Samba is a utility for Macs that allows legacy MacOS/classic devices to use SMB, an inherently Windows-based drive sharing utility. The best description of this vulnerability is the one given in the disclosure: “All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit.
The specific flaw exists within the parsing of EA metadata when opening files in smbd. Access as a user that has write access to a file's extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.
The problem in vfs_fruit exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk or fruit:resource=file. If both options are set to different settings than the default values, the system is not affected by the security issue.”
Arbitrary code execution has near limitless potential for an attacker, and is almost always a high criticality. All portions of the CIA triad are compromised.
Changing the default values in the vfs_fruit configuration can mitigate the issue where that is possible. Otherwise, patches and new releases have been published by the Samba maintainers.
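The advisory quoted above says a share is only unaffected when both fruit:metadata and fruit:resource have been moved off their defaults (netatalk and file respectively). The following is an added example, not code from LogicHub or the Samba project, that audits an smb.conf for shares loading vfs_fruit and flags any that still rely on a default; the smb.conf fragment is constructed for the example.

```python
import configparser

# Constructed smb.conf fragment used as sample input (not a real site's config).
SMB_CONF = """\
[global]
workgroup = WORKGROUP

[timemachine]
path = /srv/tm
vfs objects = catia fruit streams_xattr
fruit:metadata = stream
fruit:resource = xattr

[public]
path = /srv/public
vfs objects = fruit streams_xattr

[plain]
path = /srv/plain
"""

# Default values named in the Samba advisory; both must change to be unaffected.
FRUIT_DEFAULTS = {"fruit:metadata": "netatalk", "fruit:resource": "file"}


def parse_smb_conf(text):
    """smb.conf is INI-like; keep ':' out of the delimiters so 'fruit:metadata' is a key."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    return cp


def audit_vfs_fruit(text):
    """Per share: 'exposed' if vfs_fruit is loaded and either option still has its
    default value, 'mitigated' if both were changed, 'n/a' if fruit is not loaded."""
    cp = parse_smb_conf(text)
    glob = cp["global"] if cp.has_section("global") else {}
    results = {}
    for share in cp.sections():
        if share == "global":
            continue
        sec = cp[share]
        # Share-level options fall back to [global], as Samba itself does.
        opt = lambda name, default="": sec.get(name, glob.get(name, default)).strip().lower()
        if "fruit" not in opt("vfs objects").split():
            results[share] = "n/a"
            continue
        both_changed = all(opt(k, d) != d for k, d in FRUIT_DEFAULTS.items())
        results[share] = "mitigated" if both_changed else "exposed"
    return results


if __name__ == "__main__":
    for share, verdict in audit_vfs_fruit(SMB_CONF).items():
        print(f"{share:12} {verdict}")
```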
Wormable flaws and RCEs in Patch Tuesday
Zibra Platform Zero-Day XSS
Argo CD zero-day
“Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Details of the vulnerabilities are as follows:
A use after free vulnerability exists in WebGL. (CVE-2021-30554)
A use after free vulnerability exists in Sharing. (CVE-2021-30555)
A use after free vulnerability exists in WebAudio. (CVE-2021-30556)
A use after free vulnerability exists in TabGroups. (CVE-2021-30557)
Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.”
CUSTOMER USE CASE
Collecting Rain: Cloudflare WAF Triage and Correlation
Cloudflare WAFs are useful tools, able to pull out interesting pieces of network traffic and present them for easy review. The only problem is that they can get quite noisy, and noisy output is hard to correlate with other sources. On a small to medium-sized network, millions of alerts can still fire every day even with basic tuning.
The MDR sees hundreds of new cases a day, many of them containing Cloudflare traffic, so finding a way to remove the obviously benign items is a large boon to operations.
After the Cloudflare cases are created, automated triage can begin. By pulling the created alerts and checking them against a log management solution, we can correlate traffic logs and confirm whether there was further activity from the address. From there, we can also view the WAF actions and Edge Responses, which give an idea of how the case should be triaged. After pulling the results and confirming them against known good traffic patterns, we either close out the case or mark it for review.
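The correlation step described above, as an added example rather than LogicHub's own playbook: WAF events are grouped by source IP, checked for their WAF action and edge response, and matched against origin traffic logs from a log management query. Both the WAF event records (field names modelled on Cloudflare's Logpush firewall events, treated as an assumption here) and the common-log-format origin lines are constructed sample data.

```python
from collections import defaultdict

# Constructed Cloudflare WAF events; field names are an assumption of this example.
WAF_EVENTS = [
    {"ClientIP": "198.51.100.7", "Action": "block", "RuleID": "sqli-001", "EdgeResponseStatus": 403},
    {"ClientIP": "198.51.100.7", "Action": "block", "RuleID": "sqli-001", "EdgeResponseStatus": 403},
    {"ClientIP": "203.0.113.9", "Action": "log", "RuleID": "xss-014", "EdgeResponseStatus": 200},
    {"ClientIP": "192.0.2.44", "Action": "challenge", "RuleID": "bot-002", "EdgeResponseStatus": 403},
]

# Constructed origin web-server log lines, as a log management query might return them.
TRAFFIC_LOGS = """\
203.0.113.9 - - [14/Feb/2022:10:01:03 +0000] "GET /search?q=%3Cscript%3E HTTP/1.1" 200 512
203.0.113.9 - - [14/Feb/2022:10:01:09 +0000] "GET /admin HTTP/1.1" 401 0
192.0.2.44 - - [14/Feb/2022:10:02:00 +0000] "GET / HTTP/1.1" 200 1024
"""


def origin_hits(traffic_text):
    """Count origin requests per client IP from common-log-format lines."""
    hits = defaultdict(int)
    for line in traffic_text.splitlines():
        if line.strip():
            hits[line.split()[0]] += 1
    return hits


def triage(events, traffic_text):
    """Per source IP: 'close' when every WAF event was blocked at the edge (403) and
    nothing from that IP reached the origin; otherwise 'review' with the evidence."""
    hits = origin_hits(traffic_text)
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ClientIP"]].append(e)
    decisions = {}
    for ip, evs in by_ip.items():
        blocked = all(e["Action"] == "block" and e["EdgeResponseStatus"] == 403 for e in evs)
        reached = hits.get(ip, 0)
        if blocked and reached == 0:
            decisions[ip] = ("close", f"{len(evs)} events blocked at edge, no origin traffic")
        else:
            actions = sorted({e["Action"] for e in evs})
            decisions[ip] = ("review", f"actions={actions}, origin_hits={reached}")
    return decisions


if __name__ == "__main__":
    for ip, (verdict, why) in triage(WAF_EVENTS, TRAFFIC_LOGS).items():
        print(f"{ip:15} {verdict:6} {why}")
```

A case that is closed here can still be reopened by a later correlation pass if the same address shows up in fresh origin traffic.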
BENEFITS TO THIS APPROACH
Cloudflare is an extremely useful tool in the arsenal of a security team. Managing its logs and using it to our advantage means that we can gain the upper hand on potential attackers without lifting a finger, so more time can be spent on remediation, patching, and even further automation. This correlation is just the beginning: from here, we may use further triage or quick escalation to raise issues.
This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.