The LogicHub Security Roundup: March 2021 Edition

Hello, and welcome to the first edition of the LogicHub Monthly Update! Each month we’ll cover a broad view of the past month’s threats, a selection of informative use cases seen this month by our teams, and a list of recommended articles, podcasts, and other useful resources.

HIGHLIGHT

Active Exploits on Chrome Zero-Day

WHAT DOES IT DO?

‘Jailbreaking’ a phone of any kind is the process of gaining root access in a way that is not authorized or intended by the manufacturer, whether with malicious intent or as a way for the user to access more phone features. In this case, a kernel object called a ‘mach voucher’ (which controls the referencing of resources) can be iterated in such a way that functions don’t need to be called together, breaking a cycle and causing a kernel panic. This kernel panic allows for full exploration of the underlying system.

POTENTIAL IMPACT

Jailbreaking is dangerous, especially for corporate devices. Though the ability to access unintended features may be exciting, it also opens up devices to attack and makes them more difficult to secure. The attack surface is significantly increased, with almost no way to secure it.

REMEDIATION

Apple has released iOS 14.4, which is not vulnerable to this issue. Device administrators should force upgrades immediately.

MORE INFORMATION:

https://www.synacktiv.com/en/publications/analysis-and-exploitation-of-the-ios-kernel-vulnerability-cve-2021-1782.html

HIGHLIGHT

vSphere Client RCE

WHAT DOES IT DO?

This remote code execution allows any attacker with access to port 443 on the affected device to exploit and gain full privileges on the underlying vSphere client. From here, virtual machines may be tampered with, created, or deleted.

POTENTIAL IMPACT

Possible widespread outages, data loss, or lack of data integrity may occur from this vulnerability.

REMEDIATION

Updates have been made available by the vendor to patch out this vulnerability.

MORE INFORMATION:

https://www.vmware.com/security/advisories/VMSA-2021-0002.html

HIGHLIGHT

Privilege Escalation in Cisco Application Services Engine (CASE)

WHAT DOES IT DO?

This vulnerability is due to insufficient access controls for a service running in the Data Network. An attacker could exploit this vulnerability by sending crafted TCP requests to a specific service. A successful exploit could allow the attacker to have privileged access to run containers or invoke host-level operations.

POTENTIAL IMPACT

If successful, this attack would affect every level of the CIA triad: an attacker would be able to make modifications, view sensitive information, and, if they chose, cause a loss of availability.

REMEDIATION

This vulnerability has been patched in an update made available by Cisco, which should be immediately downloaded by affected parties.

MORE INFORMATION:

https://nvd.nist.gov/vuln/detail/CVE-2021-1393

Additional Threats

CUSTOMER USE CASE

Distance-Based Detections

SUMMARY

For some users, logging in from different locations is normal and expected. In some industries, however, logins from abnormal locations can spell disaster and mean possible unauthorized users. To prevent this, login locations can be checked and the ability of the user to travel the given distance between logins can be measured.

AUTOMATED SOLUTION

In the LogicHub solution, a flow is created that looks into all available logons and their locations, which are then tied to their respective users. If two logins from different locations are found, their distance and time between them are measured using average possible travel times by normal transportation methods. If the average is far beyond possibility (for instance: logging in from Germany and then the U.S. over the course of one hour), the type of IP is checked (if it’s a hosted IP, the score of the detection is greatly reduced) and a case is created based on its severity.

BENEFITS TO THIS APPROACH
  • Hands-off monitoring of user logons
  • Baseline is built over time; no information needs to be pre-supplied
  • Location-based detections can be an early warning of larger problems such as account takeover or pivoting.
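The flow described above, as an added worked example (this is illustrative code, not LogicHub's own flow): logins are grouped per user and sorted by time, the great-circle distance and elapsed time between consecutive logins give a required travel speed, and any pair faster than a commercial flight is flagged. If either address sits in a hosting range the severity is reduced, as the use case describes. The speed ceiling, the hosting range, and the sample logins are constructed values for the example.

```python
"""Impossible-travel detection over login events (added example, not LogicHub code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

EARTH_RADIUS_KM = 6371.0
# Assumed ceiling: faster than a commercial flight means one person could not
# have produced both logins.
MAX_PLAUSIBLE_SPEED_KMH = 900.0
# Constructed hosting range (RFC 5737 documentation space); a real deployment
# would load a hosting/VPN provider feed here.
HOSTED_RANGES = [ip_network("203.0.113.0/24")]


@dataclass
class Login:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two lat/lon points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def is_hosted(ip: str) -> bool:
    """True when the address falls inside a known hosting/VPN range."""
    addr = ip_address(ip)
    return any(addr in net for net in HOSTED_RANGES)


def score_pair(a: Login, b: Login) -> dict:
    """Score one consecutive login pair: 0 plausible, 20 impossible but via a
    hosted IP (likely VPN/proxy), 70 impossible between two non-hosted IPs."""
    hours = (b.ts - a.ts).total_seconds() / 3600.0
    dist_km = haversine_km(a.lat, a.lon, b.lat, b.lon)
    if hours <= 0:
        # Simultaneous logins from distinct places are impossible; same place is fine.
        speed_kmh = float("inf") if dist_km > 0 else 0.0
    else:
        speed_kmh = dist_km / hours
    severity = 0
    if speed_kmh > MAX_PLAUSIBLE_SPEED_KMH:
        severity = 20 if (is_hosted(a.ip) or is_hosted(b.ip)) else 70
    return {
        "user": a.user,
        "from_ip": a.ip,
        "to_ip": b.ip,
        "distance_km": round(dist_km, 1),
        "hours": round(hours, 2),
        "required_speed_kmh": round(speed_kmh, 1),
        "severity": severity,
    }


def detect(logins: List[Login]) -> List[dict]:
    """Return one finding per impossible-travel pair, ordered by user then time."""
    by_user: Dict[str, List[Login]] = defaultdict(list)
    for login in logins:
        by_user[login.user].append(login)
    findings = []
    for user in sorted(by_user):
        events = sorted(by_user[user], key=lambda e: e.ts)
        for prev, cur in zip(events, events[1:]):
            result = score_pair(prev, cur)
            if result["severity"] > 0:
                findings.append(result)
    return findings


def _t(hour: int) -> datetime:
    return datetime(2021, 3, 15, hour, 0, tzinfo=timezone.utc)


# Constructed sample logons (RFC 5737 addresses, public city coordinates).
SAMPLE_LOGINS = [
    Login("alice", _t(9), "198.51.100.7", 50.1109, 8.6821),    # Frankfurt
    Login("alice", _t(10), "192.0.2.10", 40.7128, -74.0060),   # New York, one hour later
    Login("bob", _t(9), "192.0.2.20", 40.7128, -74.0060),      # New York
    Login("bob", _t(10), "203.0.113.5", 50.1109, 8.6821),      # Frankfurt via hosted IP
    Login("carol", _t(9), "198.51.100.9", 51.5074, -0.1278),   # London
    Login("carol", _t(12), "198.51.100.9", 48.8566, 2.3522),   # Paris, three hours later
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGINS):
        print(finding)
```

Running the block flags alice (Frankfurt to New York in an hour, two ordinary addresses, severity 70) and bob (the same hop, but through the hosted range, severity 20), while carol's London-to-Paris trip over three hours needs roughly 115 km/h and produces nothing. The score reduction for hosted addresses keeps VPN and cloud egress points from flooding the queue without discarding the signal entirely.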

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.