The LogicHub Security Roundup: February 2022 Edition
Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen by our teams, and a series of recommended articles, podcasts, and other useful resources.
SECURITY SAFARI
New Threats in the Wild
This section is devoted to threats of particular note that we encountered in the past month. A select few are highlighted in greater detail; NIST NVD data is used to make that selection.
HIGHLIGHT
IBM Financial Transaction Manager Cross-Site Request Forgery
WHAT DOES IT DO?
IBM has disclosed a cross-site request forgery (CSRF) vulnerability in Financial Transaction Manager, and the advisory gives little information about the affected component or the input that triggers it. CSRF is catalogued by MITRE as CWE-352 (it is a weakness class, not an ATT&CK technique): the web application does not sufficiently verify that a well-formed, valid request was intentionally submitted by the user whose session it arrives in. An attacker who can get an authenticated user to load a crafted page or link can therefore make the application carry out actions with that user's privileges, for example changing data or settings the attacker could not reach directly.
POTENTIAL IMPACT
This vulnerability is lower severity than the issues we usually cover, but it is notable because of how widely the application is deployed, the flexibility of the CSRF technique, and the lack of specifics in the disclosure.
REMEDIATION
IBM has released fixed versions; upgrade to the version named in the vendor advisory.
MORE INFORMATION:
HIGHLIGHT
Polkit pkexec Privilege Escalation
WHAT DOES IT DO?
Polkit (formerly PolicyKit) is the component on Unix-like systems that decides whether an unprivileged process may perform a privileged action. Its pkexec command is a setuid-root binary that runs a program as another user, normally root, once Polkit has authorized it. In this vulnerability (CVE-2021-4034, known as PwnKit) pkexec mishandles an empty argument list: with argc equal to 0 it reads and then writes past the end of argv, into the environment, which lets a local attacker reintroduce an environment variable that pkexec would otherwise have scrubbed. That variable points the loader at an attacker-controlled shared library, giving arbitrary code execution as root on any default installation.
POTENTIAL IMPACT
Local privilege escalation turns any foothold, such as a phished user account or a compromised web application, into root on the host, from which an attacker can harvest credentials and pivot across the network with far greater effect than most other attack methods. Because the rights granted to accounts and roles are rarely locked down as tightly as the machines themselves, least privilege is the principle to keep a close eye on when thinking about mitigating privilege escalation.
REMEDIATION
Distributions have shipped patched polkit packages; apply them immediately. Where a host cannot be updated right away, removing the setuid bit from the pkexec binary (chmod 0755 /usr/bin/pkexec) blocks the exploit, at the cost of pkexec no longer working for legitimate use until the patched package is installed.
MORE INFORMATION:
HIGHLIGHT
Samba 4 RCE
WHAT DOES IT DO?
Samba is the open-source implementation of the SMB file- and print-sharing protocol for Unix-like systems. Its vfs_fruit module adds compatibility with Apple macOS clients by storing Finder metadata and resource forks the way the Netatalk AFP server does, which is the code this vulnerability (CVE-2021-44142) lives in. The best description of the issue is the one given in the disclosure: “All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit.
The specific flaw exists within the parsing of EA metadata when opening files in smbd. Access as a user that has write access to a file's extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.
The problem in vfs_fruit exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk or fruit:resource=file. If both options are set to different settings than the default values, the system is not affected by the security issue.”
POTENTIAL IMPACT
Arbitrary code execution as root is as bad as it gets: the attacker gains full control of the file server, so the confidentiality, integrity and availability of everything stored on it are compromised, and the host becomes a pivot point into the rest of the network. This is almost always rated critical.
REMEDIATION
The proper fix is to upgrade: the Samba Team has released 4.13.17, 4.14.12 and 4.15.5 with the patch. Where that cannot happen immediately, the affected code path is removed by setting both fruit:metadata and fruit:resource to their non-default values (fruit:metadata = stream and fruit:resource = xattr) or by dropping fruit from the share's vfs objects list. Note that either change makes metadata already stored in the old format invisible to macOS clients, so it is a stopgap, not a replacement for the patch.
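To make the configuration check concrete, here is an added example (written for this roundup, not Samba project code) that parses an smb.conf, resolves each share's effective vfs_fruit settings including values inherited from [global], and lists the shares still on the affected defaults. The smb.conf text, share names and paths are constructed for the example; the parser is deliberately minimal and does not follow include directives.

```python
import re
from typing import Dict, List

# Constructed smb.conf: [public] inherits the affected defaults from [global],
# [timemachine] overrides both options, [plain] does not load vfs_fruit at all.
SAMPLE_SMB_CONF = """
[global]
   workgroup = CORP
   vfs objects = fruit streams_xattr
   fruit:metadata = netatalk
   fruit:resource = file

[timemachine]
   path = /srv/tm
   vfs objects = fruit streams_xattr
   fruit:metadata = stream
   fruit:resource = xattr

[public]
   path = /srv/public
   guest ok = yes

[plain]
   path = /srv/plain
   vfs objects = streams_xattr
"""

# Samba's documented defaults for the two options named in the advisory.
FRUIT_DEFAULTS = {"fruit:metadata": "netatalk", "fruit:resource": "file"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: {section: {key: value}}.

    Section names and keys are lower-cased because Samba treats both as
    case-insensitive. Comments (# or ;) and blank lines are skipped.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def effective(sections: Dict[str, Dict[str, str]], share: str, key: str, default: str) -> str:
    """Share-level value, falling back to [global], then to the Samba default."""
    for scope in (share, "global"):
        value = sections.get(scope, {}).get(key)
        if value is not None:
            return value.lower()
    return default


def affected_shares(sections: Dict[str, Dict[str, str]]) -> List[Dict[str, object]]:
    """Shares that load vfs_fruit with fruit:metadata=netatalk or fruit:resource=file.

    Per the advisory a share is only safe when BOTH options are non-default,
    so a single default value is enough to flag it. guest_ok is reported
    because guest-writable shares are the worst case (unauthenticated RCE).
    """
    findings = []
    for share in sections:
        if share == "global":
            continue
        modules = effective(sections, share, "vfs objects", "").split()
        if "fruit" not in modules:
            continue
        metadata = effective(sections, share, "fruit:metadata", FRUIT_DEFAULTS["fruit:metadata"])
        resource = effective(sections, share, "fruit:resource", FRUIT_DEFAULTS["fruit:resource"])
        if metadata == "netatalk" or resource == "file":
            findings.append({
                "share": share,
                "metadata": metadata,
                "resource": resource,
                "guest_ok": effective(sections, share, "guest ok", "no") in ("yes", "true", "1"),
            })
    return findings


if __name__ == "__main__":
    for finding in affected_shares(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```

Run against a real file with `affected_shares(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; a share in the output needs the patch, or both fruit options moved to stream/xattr, and any share reported with guest_ok set should be dealt with first.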
MORE INFORMATION:
Additional Threats
CVE-2021-30554 (Google Chrome; the quoted advisory also covers CVE-2021-30555, CVE-2021-30556 and CVE-2021-30557)
Description:
“Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Details of the vulnerabilities are as follows:
A use after free vulnerability exists in WebGL. (CVE-2021-30554)
A use after free vulnerability exists in Sharing. (CVE-2021-30555)
A use after free vulnerability exists in WebAudio. (CVE-2021-30556)
A use after free vulnerability exists in TabGroups. (CVE-2021-30557)
Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.”
FROM THE FIELD
Real World Use Cases in Action
In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.
CUSTOMER USE CASE
Collecting Rain: Cloudflare WAF Triage and Correlation
SUMMARY
Cloudflare's WAF is a useful tool: it pulls interesting pieces of web traffic out of the stream and presents them for review. The problem is volume. A WAF is noisy, and a noisy source is hard to correlate with anything else; even with basic tuning, a small-to-medium network can still generate millions of events a day.
Our MDR team sees hundreds of new cases a day, many of them full of Cloudflare traffic, so automatically removing the obviously benign items is a large boon to operations.
AUTOMATED SOLUTION
Once a Cloudflare case is created, automated triage begins. The playbook pulls the alerts behind the case and queries the log management solution for the same client address, which both correlates the WAF event with the origin traffic logs and confirms whether the address went on to do anything else. It also reads the WAF action and the edge response status, which show whether Cloudflare already blocked or challenged the request and therefore how much further triage is warranted. After comparing the results against known-good traffic patterns, the playbook either closes the case or marks it for analyst review.
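The decision logic described above, as an added example rather than the LogicHub playbook itself: a handful of constructed Cloudflare firewall events behind one case are grouped by client address, correlated with constructed origin access-log records standing in for the log management query, checked against a hypothetical allow-listed scanner range, and given a close-or-review verdict. The event field names follow Cloudflare's firewall events dataset; the addresses, rule IDs and paths are made up.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed Cloudflare firewall events attached to one case.
WAF_EVENTS = [
    {"datetime": "2022-02-03T10:01:12Z", "clientIP": "203.0.113.10", "source": "waf",
     "ruleId": "100005", "action": "block", "clientRequestPath": "/wp-login.php",
     "edgeResponseStatus": 403},
    {"datetime": "2022-02-03T10:02:40Z", "clientIP": "203.0.113.10", "source": "waf",
     "ruleId": "100010", "action": "block", "clientRequestPath": "/.env",
     "edgeResponseStatus": 403},
    {"datetime": "2022-02-03T10:05:03Z", "clientIP": "198.51.100.7", "source": "waf",
     "ruleId": "100030", "action": "log", "clientRequestPath": "/api/v1/users?id=1%20OR%201%3D1",
     "edgeResponseStatus": 200},
    {"datetime": "2022-02-03T10:06:30Z", "clientIP": "192.0.2.50", "source": "waf",
     "ruleId": "100005", "action": "block", "clientRequestPath": "/wp-login.php",
     "edgeResponseStatus": 403},
]

# Constructed origin access-log records, standing in for what the log
# management query returns for the same client addresses and time window.
ORIGIN_LOGS = [
    {"datetime": "2022-02-03T10:05:03Z", "clientIP": "198.51.100.7", "path": "/api/v1/users", "status": 200},
    {"datetime": "2022-02-03T10:05:09Z", "clientIP": "198.51.100.7", "path": "/api/v1/users/export", "status": 200},
    {"datetime": "2022-02-03T10:05:15Z", "clientIP": "198.51.100.7", "path": "/admin", "status": 302},
    {"datetime": "2022-02-03T10:06:31Z", "clientIP": "192.0.2.50", "path": "/wp-login.php", "status": 403},
]

# Hypothetical known-good source: the customer's own vulnerability scanner range.
KNOWN_GOOD_NETWORKS = [ip_network("192.0.2.0/24")]

# Only an outright block is conclusive. A challenge can be solved by a human,
# so challenged traffic still needs the origin logs to confirm the outcome.
CONCLUSIVE_ACTIONS = {"block"}


def triage(events: List[dict], origin_logs: List[dict],
           known_good: List) -> Dict[str, Tuple[str, str]]:
    """Return {clientIP: (verdict, reason)} with verdict 'close' or 'review'."""
    events_by_ip = defaultdict(list)
    for event in events:
        events_by_ip[event["clientIP"]].append(event)
    logs_by_ip = defaultdict(list)
    for record in origin_logs:
        logs_by_ip[record["clientIP"]].append(record)

    decisions: Dict[str, Tuple[str, str]] = {}
    for ip, ip_events in events_by_ip.items():
        if any(ip_address(ip) in net for net in known_good):
            decisions[ip] = ("close", "source matches an allow-listed network")
            continue
        all_blocked = all(e["action"] in CONCLUSIVE_ACTIONS for e in ip_events)
        # Origin records with a non-error status mean the address got through.
        reached_origin = [r for r in logs_by_ip[ip] if r["status"] < 400]
        if reached_origin:
            decisions[ip] = ("review", f"{len(reached_origin)} successful origin request(s) around the WAF hit")
        elif all_blocked:
            decisions[ip] = ("close", "blocked at the edge and no successful origin traffic")
        else:
            decisions[ip] = ("review", "WAF hit was not blocked and origin logs do not rule it out")
    return decisions


def case_decision(decisions: Dict[str, Tuple[str, str]]) -> str:
    """A case closes only when every address behind it closes."""
    return "close" if all(v == "close" for v, _ in decisions.values()) else "review"


if __name__ == "__main__":
    result = triage(WAF_EVENTS, ORIGIN_LOGS, KNOWN_GOOD_NETWORKS)
    for ip, (verdict, reason) in result.items():
        print(f"{ip:15} {verdict:7} {reason}")
    print("case:", case_decision(result))
```

The address that only ever hit blocked rules and never reached the origin closes on its own; the one whose WAF hit was merely logged and which then pulled a user export from the origin is what an analyst should actually look at. In a real playbook the origin query would be bounded to a window around the event timestamps, and the allow list would come from the customer's asset inventory rather than a constant.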
BENEFITS TO THIS APPROACH
Cloudflare is an extremely useful tool in a security team's arsenal. Managing its logs and putting them to work means the team gains the upper hand on potential attackers without lifting a finger, so more time can be spent on remediation, patching, and further automation. This correlation is only the beginning: from here, additional triage steps or quick escalation can be used to raise issues that do warrant attention.
Recommended Reading
This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.