The LogicHub Security Roundup: June 2021 Edition

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.

HIGHLIGHT

Pulse Secure VPN RCE

WHAT DOES IT DO?

In an unfortunate and ironic turn of events, the workaround XML file released for a new RCE deactivates the protection that an earlier RCE workaround provided. The released patch, according to the Threatpost article, “...may allow for an unauthenticated, remote attacker to execute code as a user with root privileges”. From the CERT Coordination Center report and Threatpost:

“When specifying a long server name for some SMB operations, the smbclt application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified,” CERT/CC noted. PCS 9.1R11.4 systems are vulnerable: CERT/CC said that it’s managed to trigger the vulnerability by targeting the CGI script /dana/fb/smb/wnf.cgi, although “Other CGI endpoints may also trigger the vulnerable code.”

POTENTIAL IMPACT

Either of these vulnerabilities can cause significant damage to vulnerable machines. As both can cause buffer overflows followed by remote code execution, data may be modified, leaked, or destroyed. The attacker may retain access to the machine, and that access would carry root privileges.

REMEDIATION

There are two fixes available at the moment, and each one comes with its own caveats. Applying the most recent workaround (2105) will deactivate 2104, but requires that the system be on a new version or it will reactivate the old RCE. It also blocks use of the Windows File Share Browser. If the second fix (setting a Windows initial file browsing policy of deny for SMB connections) is performed, none of the connections that trigger the vulnerability will be allowed, but no legitimate SMB connections will be allowed either.

MORE INFORMATION:

https://threatpost.com/pulse-secure-vpns-critical-rce/166437/

HIGHLIGHT

Hyper-V Kernel Trickery

WHAT DOES IT DO?

This vulnerability allows a guest virtual machine to create the conditions for a denial of service on the Hyper-V host kernel by forcing an invalid kernel read address. Though the full potential of this vulnerability is not yet known, hardware-specific side effects related to devices attached to the Hyper-V host could cause abnormalities and possibly further vulnerabilities.

POTENTIAL IMPACT

This vulnerability causes, at a minimum, a denial of service on the host machine, but could also cause a release of information through unintended effects on hardware devices.

REMEDIATION

Updates have been made available by the vendor to patch out this vulnerability.

MORE INFORMATION:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28476

HIGHLIGHT

Solarwinds Validation Failure

WHAT DOES IT DO?

Solarwinds vulnerability exploitation is on the rise, and this CVE is an interesting example. No authentication is necessary to exploit this vulnerability. Due to a lack of proper validation of user-supplied data, untrusted input may be deserialized, and arbitrary code execution could then take place.
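The defect class here, deserializing user-supplied data that is allowed to name arbitrary types, is not specific to the affected product. The following is an added example (not code from the page, from Solarwinds, or from the advisory) showing the defender-side control in Python's pickle, which has the same property: an unrestricted load resolves whatever module global the input names, while a restricted unpickler validates every referenced global against an allow-list before it is resolved. The allow-list contents and the sample payloads are constructed for this example.

```python
import builtins
import io
import json
import pickle

# Constructed allow-list: the only builtins deserialized data may reference.
# Everything else (any module-level function or class) is refused.
SAFE_BUILTINS = frozenset({"range", "slice", "set", "frozenset", "complex"})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that validates every global reference before resolving it."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        # Refusing here happens before any object is constructed or called.
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Deserialize with the allow-list enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return (ok, value_or_reason) so a caller can log and alert on rejects."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed inputs: plain data, and a payload referencing a module global.
BENIGN = pickle.dumps({"user": "alice", "roles": ["viewer"]})
CALLABLE_REF = pickle.dumps(json.dumps)  # serialized as a reference to json.dumps


if __name__ == "__main__":
    print("benign   :", try_load(BENIGN))
    print("global   :", try_load(CALLABLE_REF))
    # The unrestricted loader happily resolves the same reference:
    print("unchecked:", pickle.loads(CALLABLE_REF) is json.dumps)
```

The point of `find_class` is that validation happens at the reference-resolution step, before any constructor or callable named by the input can run; validating the data only after `pickle.loads` has returned is too late.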

POTENTIAL IMPACT

As with all cases of arbitrary code execution, this one can cause complete compromise of the CIA triad, leaking or tampering with sensitive data.

REMEDIATION

This vulnerability has been patched in an update made available by Solarwinds. Solarwinds also recommends ensuring proper segmentation on networks with SQL Server instances, strict access control on a least-privilege basis, and separating Orion servers from the rest of customer infrastructure using VLANs and jump boxes.

MORE INFORMATION:

https://documentation.solarwinds.com/en/success_center/sam/content/release_notes/sam_2020-2-5_release_notes.htm#Fixed

CUSTOMER USE CASE

Detecting Binary Masquerading

SUMMARY

On a large network, especially one with a heavy Windows deployment, a great many Windows programs are constantly being installed, launched, and run. It is understandable, then, that finding malware masquerading as a Windows binary can be difficult and time consuming. In one case this month, a malware install alert was triggered on a binary that otherwise appeared normal. Using the automated solution below, an impressive near-exact clone of Microsoft Office was found, with binaries that were simply in different paths than usual. Combined with a unique conversation from the machine in question to an IP with a bad reputation, the machine was marked for quarantine, a sweep for similar incidents was performed, and the affected machine was cleaned.

AUTOMATED SOLUTION

In the LogicHub solution against binary masquerading, we first search for indicators of normality: in the case above, that meant ensuring that binary paths were normal in every detection and searching for unique firewall conversations. After the initial process of correlating logs and sources, each alarm on a Windows binary is checked against known binary paths. IPs involved in potentially unusual activity or excessive conversations are automatically checked in batches against a series of reputation websites. All of this data is correlated and scored according to the likelihood of compromise, and a case is opened if that score crosses a client-specified threshold.
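The pipeline described above, reduced to its logic as an added example (this is not LogicHub's code and makes no claim about how their platform is implemented): each alarm carries the image path of the binary and the destination IPs it talked to; the binary name is checked against an allow-list of directories it legitimately lives in, the IPs are looked up in a batch against a reputation source, the two signals are scored, and a case is opened when the score crosses a threshold. The allow-list, the reputation feed, the weights, the threshold and the sample alarms are all constructed for the example.

```python
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed allow-list: directories where each binary name legitimately lives.
KNOWN_BINARY_DIRS = {
    "winword.exe": {r"C:\Program Files\Microsoft Office\root\Office16"},
    "excel.exe":   {r"C:\Program Files\Microsoft Office\root\Office16"},
    "svchost.exe": {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
}

# Constructed reputation feed standing in for the batched website lookups.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
REPUTATION_FEED = {"203.0.113.45": "malicious", "198.51.100.7": "clean"}

CASE_THRESHOLD = 50     # client-specified in the real pipeline; assumed here
MASQUERADE_WEIGHT = 40  # known binary name running from an unexpected directory
BAD_IP_WEIGHT = 40      # conversation with at least one bad-reputation IP


@dataclass
class Alarm:
    host: str
    image_path: str
    dest_ips: list[str] = field(default_factory=list)


@dataclass
class Finding:
    host: str
    score: int
    reasons: list[str]
    open_case: bool


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return str(PureWindowsPath(path)).lower()


def masquerade_check(image_path: str):
    """Return (is_known_name, in_known_dir) for the binary at image_path."""
    p = PureWindowsPath(image_path)
    dirs = KNOWN_BINARY_DIRS.get(p.name.lower())
    if dirs is None:
        return False, False  # not a name we track, so not a masquerade of one
    return True, _norm(str(p.parent)) in {_norm(d) for d in dirs}


def check_reputation_batch(ips, feed=REPUTATION_FEED):
    """Look up a batch of IPs at once; unknown IPs are reported as 'unknown'."""
    return {ip: feed.get(ip, "unknown") for ip in set(ips)}


def triage(alarm: Alarm, threshold: int = CASE_THRESHOLD) -> Finding:
    """Correlate path and reputation signals, score them, decide on a case."""
    score, reasons = 0, []
    known_name, known_dir = masquerade_check(alarm.image_path)
    if known_name and not known_dir:
        score += MASQUERADE_WEIGHT
        reasons.append(f"{PureWindowsPath(alarm.image_path).name} "
                       f"running from unexpected directory")
    verdicts = check_reputation_batch(alarm.dest_ips)
    bad = sorted(ip for ip, v in verdicts.items() if v == "malicious")
    if bad:
        score += BAD_IP_WEIGHT
        reasons.append("conversation with bad-reputation IP(s): " + ", ".join(bad))
    return Finding(alarm.host, score, reasons, score >= threshold)


def triage_many(alarms):
    return [triage(a) for a in alarms]


# Constructed sample alarms: a clone in a user-writable path that also talked
# to a bad IP, a legitimate Office install, and a misplaced svchost.exe alone.
SAMPLE_ALARMS = [
    Alarm("WS-0142", r"C:\Users\Public\Office\WINWORD.EXE", ["203.0.113.45"]),
    Alarm("WS-0077", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          ["198.51.100.7"]),
    Alarm("WS-0311", r"C:\Windows\Temp\svchost.exe"),
]

if __name__ == "__main__":
    for f in triage_many(SAMPLE_ALARMS):
        print(f"{f.host}: score={f.score} case={f.open_case} {f.reasons}")
```

With these weights neither signal alone reaches the threshold: a misplaced binary with no suspicious traffic, or a bad-reputation conversation from a binary in its normal location, is recorded but does not open a case on its own, while the combination seen in the incident above does.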

BENEFITS TO THIS APPROACH
  • Quick review of large amounts of information - activity from binaries is common in Windows machines, so removing the noise is important
  • Finds covert malware that otherwise looks completely normal to the user
  • All information leading to a detection or associated with a machine is assigned to a single case and is easy to correlate

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.