The LogicHub Security Roundup: January 2021 Edition

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we provide a sampling of the past month’s significant threats, informative use cases seen by our SOC and research teams, and a series of recommended articles, podcasts, and other useful resources.

HIGHLIGHT

NGINX Absolute Paths

WHAT DOES IT DO?

The NGINX Controller is a management system that allows multiple instances of NGINX Plus and cloud applications to be controlled from a central point. When calling on system resources, the NGINX Controller does not use absolute paths, so the location of a resource is not fixed within the application, and an attacker can create a malicious version of the resource that is used in its place.
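
As an added illustration of the untrusted-path issue described above (not code from the NGINX Controller, whose internals the advisory does not describe), the weak lookup below accepts the first match along a search order, while the strict form pins the resource to an absolute path under a trusted root and checks it. The directory layout, the `helper` resource name and the permission check are assumptions made for the demonstration.

```python
import stat
import tempfile
from pathlib import Path

# Weak lookup: the first directory in the search order holding a file of the
# right name wins, so whoever can write to an earlier directory controls the result.
def locate_resource_weak(name, search_dirs):
    for d in search_dirs:
        candidate = Path(d) / name
        if candidate.is_file():
            return candidate
    return None

# Strict lookup: the resource is addressed by a fixed absolute path under a trusted
# root, symlinks are resolved, and the result must stay under that root and be owner-writable only.
def locate_resource_strict(name, trusted_root):
    root = Path(trusted_root).resolve()
    candidate = (root / name).resolve()
    if root not in candidate.parents:
        raise ValueError(f"{name!r} escapes trusted root {root}")
    if not candidate.is_file():
        raise FileNotFoundError(candidate)
    mode = candidate.stat().st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{candidate} is group/world writable")
    return candidate

# Constructed scenario (assumed layout): a writable scratch directory is searched
# before the trusted one and holds a planted file named like the real helper.
def demo():
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp) / "opt" / "controller" / "bin"
        scratch = Path(tmp) / "tmp"
        trusted.mkdir(parents=True)
        scratch.mkdir()
        (trusted / "helper").write_text("real helper\n")
        (trusted / "helper").chmod(0o755)
        (scratch / "helper").write_text("planted helper\n")
        (scratch / "helper").chmod(0o777)
        weak = locate_resource_weak("helper", [scratch, trusted])
        strict = locate_resource_strict("helper", trusted)
        try:
            locate_resource_strict("../../../tmp/helper", trusted)
            escaped = False
        except ValueError:
            escaped = True
        # (weak picked the planted file, strict picked the trusted file, traversal rejected)
        return (weak.read_text().startswith("planted"),
                strict.read_text().startswith("real"), escaped)
```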

POTENTIAL IMPACT

Because this application is a management controller, it has elevated access to the NGINX cloud applications it manages. If a malicious resource is inserted, it can execute arbitrary code and gain access to the items managed by the controller.

REMEDIATION

Upgrades have been released for affected versions.

MORE INFORMATION:

https://support.f5.com/csp/article/K43530108

HIGHLIGHT

SolarWinds Authentication Bypass

WHAT DOES IT DO?

The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands which may result in a compromise of the SolarWinds instance. API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request, which could allow an attacker to execute unauthenticated API commands.

POTENTIAL IMPACT

The ability to bypass API authentication means that an attacker can change critical, sometimes highly sensitive, information, compromising every part of the CIA triad.

REMEDIATION

SolarWinds Orion updates are available to remediate this issue.

MORE INFORMATION:

https://kb.cert.org/vuls/id/843464

HIGHLIGHT

Jabber Arbitrary Execution

WHAT DOES IT DO?

The Cisco Jabber IM and video communication platform uses the Extensible Messaging and Presence Protocol (XMPP) to allow for the transmission of text-based messages. Due to improper validation methods, an attacker can craft a special XMPP message to execute arbitrary programs on a system running Cisco Jabber.

POTENTIAL IMPACT

This issue can lead to a chain of exploits that allow modification of the Jabber application configuration, access to sensitive information within the application, or execution of commands on the system with the permissions of the user account running Cisco Jabber.

REMEDIATION

Cisco has released software updates to combat these vulnerabilities.

MORE INFORMATION:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-ZktzjpgO

CUSTOMER USE CASE

Daily Metrics for Ease of Data Management

SUMMARY

Automation can require a lot of upfront effort, particularly in a dynamic environment. Data changes constantly, new detections are needed, and the way cases are handled may change. All of these growing pains carry significant cost, but a look into the data allows prioritization at a glance. How does one decide what to automate first?

AUTOMATED SOLUTION

Daily Metrics are an automated report that provides well-formatted raw information on problem areas in your instance with little effort. Instead of assigning automation tasks as they come to immediate attention, tasks can be prioritized and streamlined. These metrics can also be used over the long term to identify busy periods that call for increased staffing, alerting errors that might generate excessive cases, and other issues that produce significant erroneous data.

BENEFITS TO THIS APPROACH
  • Information at-a-glance
  • Quick prioritization of cases and automation development
  • Resource reduction
  • Higher visibility into underlying issues in an environment

Recommended Reading

Here is a compilation of our detection and response teams' interesting reading related to the state of infosec today. Each article has a short summary that explains the basic idea of the news and links to more information.
