The LogicHub Security Roundup: June 2021 Edition
Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.
Pulse Secure VPN RCE
WHAT DOES IT DO?
In an unfortunate and ironic turn of events, the workaround XML file released for one RCE deactivates the protection provided by an earlier RCE workaround. The released patch, according to the Threatpost article, “...may allow for an unauthenticated, remote attacker to execute code as a user with root privileges”. From the CERT Coordination Center report and Threatpost:
“When specifying a long server name for some SMB operations, the smbclt application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified,” CERT/CC noted. PCS 9.1R11.4 systems are vulnerable: CERT/CC said that it’s managed to trigger the vulnerability by targeting the CGI script /dana/fb/smb/wnf.cgi, although “Other CGI endpoints may also trigger the vulnerable code.”
Either of these vulnerabilities can cause significant damage to vulnerable machines. Because both can lead to buffer overflows followed by remote code execution, data may be modified, leaked, or destroyed. An attacker may also retain access to the machine, and that access would carry root privileges.
There are two fixes available at the moment, and each one comes with its own caveats. Applying the most recent workaround (2105) will deactivate 2104, but it requires that the system be on a new version, or it will reactivate the old RCE. It also blocks use of the Windows File Share Browser. If the second fix (setting a Windows initial file-browsing policy of deny for SMB connections) is applied, none of the connections that trigger the vulnerability will be allowed, but no legitimate SMB connections will be allowed either.
Hyper-V Kernel Trickery
WHAT DOES IT DO?
This vulnerability allows a guest virtual machine to create the conditions for a denial of service on the Hyper-V host kernel by forcing an invalid kernel read address. Though the full potential of this vulnerability is not yet known, hardware-specific side effects related to devices attached to the Hyper-V host could cause abnormalities and possibly further vulnerabilities.
This vulnerability causes, at a minimum, a denial of service on the host machine, but it could also lead to information disclosure through unintended effects on hardware devices.
Updates have been made available by the vendor to patch out this vulnerability.
Solarwinds Validation Failure
WHAT DOES IT DO?
Solarwinds vulnerability exploitation is on the rise, and this CVE is an interesting example. No authentication is necessary to exploit this vulnerability. Because user-supplied data is not properly validated, it may be deserialized, and arbitrary code execution could then take place.
As with all cases of arbitrary code execution, this one can cause complete compromise of the CIA triad, leaking or tampering with sensitive data.
This vulnerability has been patched in an update made available by Solarwinds. Solarwinds also recommends ensuring proper segmentation on networks with SQL Server instances, strict access control on a least-privilege basis, and separating Orion servers from the rest of customer infrastructure using VLANs and jump boxes.
IBM Cognos Analytics 11.0 and 11.1 DQM API allows submitting of all control requests in unauthenticated sessions. This allows a remote attacker who can access a valid CA endpoint to read and write files to the Cognos Analytics system. IBM X-Force ID: 183903.
A missing authorization vulnerability in Citrix ShareFile Storage Zones Controller before 5.7.3, 5.8.3, 5.9.3, 5.10.1 and 5.11.18 may allow unauthenticated remote compromise of the Storage Zones Controller.
Certain NETGEAR devices are affected by command injection by an unauthenticated attacker via the vulnerable /sqfs/lib/libsal.so.0.0 library used by a CGI application, as demonstrated by setup.cgi?token=';$HTTP_USER_AGENT;' with an OS command in the User-Agent field.
The unprivileged user portal part of CentOS Web Panel is affected by a Command Injection vulnerability leading to root Remote Code Execution.
On versions 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and all versions of 16.0.x and 11.6.x, BIG-IP APM AD (Active Directory) authentication can be bypassed via a spoofed AS-REP (Kerberos Authentication Service Response) response sent over a hijacked KDC (Kerberos Key Distribution Center) connection or from an AD server compromised by an attacker. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Windows Kernel Information Disclosure Vulnerability: The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.
CUSTOMER USE CASE
Detecting Binary Masquerading
On a large network, especially one focused mainly on Windows deployments, a great many Windows programs are constantly being launched, installed, and run. It is understandable, then, that finding malware masquerading as a Windows binary can be difficult and time consuming. In one case this month, a malware install alert was triggered on a binary that otherwise appeared normal. Using the automated solution below, an impressively near-exact clone of Microsoft Office was found, with binaries that were simply located in different paths than usual. Combined with a unique conversation from the machine in question to an IP with a bad reputation, this led to the machine being marked for quarantine, a sweep for similar incidents being performed, and the affected machine being cleaned.
In the LogicHub solution against binary masquerading, we first search for indicators of normality: in the case above, that meant ensuring that binary paths were normal in every detection and searching for unique firewall conversations. After the initial process of correlating logs and sources, each alarm on a Windows binary is checked against known binary paths. IPs involved in potentially unusual activity or excessive conversations are automatically checked in batches against a series of reputation websites. All of this data is correlated and scored according to the likelihood of compromise, and a case is opened if that score crosses a client-specified threshold.
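The path check, reputation lookup, scoring and threshold steps described above, written out as an added Python example (not LogicHub's code). The allow-list of binary paths, the IP reputation table, the score weights and the sample alerts are all constructed for illustration.

```python
# Added example (not LogicHub's code). All paths, IPs and alerts are constructed;
# KNOWN_PATHS and IP_REPUTATION stand in for the allow-list and reputation lookups.
from __future__ import annotations
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
# Constructed allow-list: directories where each binary is expected to live.
KNOWN_PATHS = {
    "winword.exe": {r"c:\program files\microsoft office\root\office16"},
    "excel.exe": {r"c:\program files\microsoft office\root\office16"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
# Constructed stand-in for batched reputation results: risk score per IP.
IP_REPUTATION = {"203.0.113.7": 80, "198.51.100.2": 0}

@dataclass
class Alert:
    host: str
    image_path: str
    dest_ip: str | None = None
    score: int = 0
    reasons: list[str] = field(default_factory=list)

def unexpected_path(image_path: str) -> bool:
    """True when a known binary name runs from a directory not on its allow-list."""
    p = PureWindowsPath(image_path.lower())
    expected = KNOWN_PATHS.get(p.name)
    return expected is not None and str(p.parent) not in expected

def score_alert(alert: Alert) -> Alert:
    # Recompute from scratch so repeated runs do not accumulate score.
    alert.score, alert.reasons = 0, []
    if unexpected_path(alert.image_path):
        alert.score += 60
        alert.reasons.append(f"known binary in unusual path: {alert.image_path}")
    rep = IP_REPUTATION.get(alert.dest_ip or "", 0)
    if rep >= 50:
        alert.score += rep
        alert.reasons.append(f"conversation with bad-reputation IP {alert.dest_ip}")
    return alert

def triage(alerts: list[Alert], threshold: int = 100) -> list[Alert]:
    """Return the alerts whose score crosses the client-specified threshold."""
    return [a for a in map(score_alert, alerts) if a.score >= threshold]

# Constructed sample alerts: Office clone in the wrong path talking to a bad IP,
# a legitimate Office binary, and an odd path with no suspicious traffic.
SAMPLE_ALERTS = [
    Alert("ws-042", r"C:\Users\Public\Office16\WINWORD.EXE", "203.0.113.7"),
    Alert("ws-017", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "198.51.100.2"),
    Alert("ws-023", r"C:\Users\Public\Office16\EXCEL.EXE"),
]
```

Only the first sample alert crosses the threshold and would open a case; the third is flagged for its odd path but, lacking a bad-reputation conversation, stays below it.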
BENEFITS TO THIS APPROACH
- Quick review of large amounts of information - activity from binaries is common in Windows machines, so removing the noise is important
- Finds covert malware that otherwise looks completely normal to the user
- All information leading to a detection or associated with a machine is assigned to a single case and is easy to correlate
This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.
U.S. Declares State of Emergency After Largest Pipeline Shut Down by Ransomware
The largest pipeline in the U.S., the Colonial Pipeline, has shut down almost entirely as of May 10th, causing a state of emergency in 13 states and the District of Columbia. The attack came from the Darkside ransomware group, and the pipeline accounts for 48% of natural gas supply across the southeastern US. The state of emergency is in place until June 10th or until the Colonial Pipeline Company is able to restore some services.
4 Million Email Addresses Used by Emotet Released, Posted to HaveIBeenPwned
It’s time to check in on HaveIBeenPwned.com and see if you were one of the unlucky ones who had their email used by the Emotet malware campaign. The email addresses were released by the FBI in tandem with a tool that uninstalled the malware from affected computers. These addresses aren’t publicly visible, and require the address owner to check for compromise.
Office365 Phishing On the Rise
Usual phishing advice doesn’t apply to the new O365 attacks. The link that is clicked by a targeted user directs to an actual O365 login page, but features a pop-up requesting permissions from an application that looks like it comes from Microsoft. This tactic both lends legitimacy and bypasses all two-factor authentication.
After Solarwinds, White House Pushes for Electrical Grid Security
Coming after the devastating Solarwinds attacks (now attributed to Russian actors), the Biden administration is working to roll out security for electrical grids across the U.S. This plan is based on incentives rather than regulations, providing monitoring software and requesting reporting of attacks.
Fake Comment Crisis at the FCC
The Federal Communications Commission has confirmed the illegitimacy of millions of fake comments regarding net neutrality. Comments both for and against the neutral treatment of data were submitted using fabricated names and fake identities, causing confusion for legislators. Petitions and comments like these greatly influence legislative decisions, and fake comments can mean a direct disruption of the democratic process.
Deepfaking (the creation of hyper-realistic photos and videos in which faces or bodies are swapped for someone else’s) has been rising over the past 10 years, and it’s about to surge again with a massive uptick in deepfake tech crossing the dark web. As reported by Recorded Future, how-tos and best practices are becoming commonplace fare. Be vigilant, and don’t trust everything that even your own eyes see.