Security Safari

New Threats in the Wild

This section is devoted to threats of particular note that have been seen in the past month. A select few of particular interest will be highlighted in greater detail. NIST NVD data will be used to make these determinations.

HIGHLIGHT

Active Exploits on Chrome Zero-Day

What does it do?

‘Jailbreaking’ a phone of any kind is the process of gaining root access in a way that is not authorized or intended by the manufacturer, whether with malicious intent or as a way for the user to access more phone features. In this case, a kernel object called a ‘mach voucher’ (which controls the referencing of resources) can be iterated in such a way that functions don’t need to be called together, breaking a cycle and causing a kernel panic. This kernel panic allows for full exploration of the underlying system.

Potential Impact

Jailbreaking is dangerous, especially for corporate devices. Though the ability to access unintended features may be exciting, it also opens the device up to attack and makes it more difficult to secure. The attack surface is significantly increased, with almost no way to secure it.

Remediation

Apple has released iOS 14.4, which is not vulnerable to this issue. Device administrators should force upgrades immediately.

More Information:

https://www.synacktiv.com/en/publications/analysis-and-exploitation-of-the-ios-kernel-vulnerability-cve-2021-1782.html

HIGHLIGHT

vSphere Client RCE

What does it do?

This remote code execution vulnerability allows any attacker with network access to port 443 on an affected device to gain full privileges on the underlying vSphere Client. From there, virtual machines may be tampered with, created, or deleted.

Potential Impact

Widespread outages, data loss, or loss of data integrity may result from this vulnerability.

Remediation

The vendor has made updates available that patch this vulnerability.

More Information:

https://www.vmware.com/security/advisories/VMSA-2021-0002.html

HIGHLIGHT

Privilege Escalation in Cisco Application Services Engine (CASE)

What does it do?

This vulnerability is due to insufficient access controls for a service running in the Data Network. An attacker could exploit this vulnerability by sending crafted TCP requests to a specific service. A successful exploit could allow the attacker to have privileged access to run containers or invoke host-level operations.

Potential Impact

If successful, this attack would affect every leg of the CIA triad: an attacker could make modifications, view sensitive information, and cause a loss of availability if they so chose.

Remediation

Cisco has released an update that patches this vulnerability; affected parties should download and apply it immediately.

More Information:

https://nvd.nist.gov/vuln/detail/CVE-2021-1393

Additional Threats

CVE-2021-1388

A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine could allow an unauthenticated, remote attacker to bypass authentication on an affected device. The vulnerability is due to improper token validation on a specific API endpoint. An attacker could exploit this vulnerability by sending a crafted request to the affected API. A successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices.

More Info

CVE-2020-2501

A stack-based buffer overflow vulnerability has been reported to affect QNAP NAS devices running Surveillance Station. If exploited, this vulnerability allows attackers to execute arbitrary code. QNAP has already fixed this vulnerability in the following versions:

  • Surveillance Station 5.1.5.4.3 (and later) for ARM CPU NAS (64-bit OS) and x86 CPU NAS (64-bit OS)
  • Surveillance Station 5.1.5.3.3 (and later) for ARM CPU NAS (32-bit OS) and x86 CPU NAS (32-bit OS)

More Info

CVE-2021-28041

ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.

More Info

From The Field

Real World Use Cases in Action

In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.

Customer Use Case

Distance-Based Detections

Summary

For some users, logging in from different locations is normal and expected. In some industries, however, logins from abnormal locations can spell disaster and indicate possible unauthorized users. To catch this, login locations can be checked and whether the user could have travelled the distance between two logins in the time elapsed can be measured.

Automated Solution

In the LogicHub solution, a flow is created that looks at all available logons and their locations, which are then tied to their respective users. If two logins from different locations are found, the distance and time between them are measured against average travel times by normal transportation methods. If the implied travel is far beyond possibility (for instance, logging in from Germany and then the U.S. within one hour), the type of IP is checked (if it is a hosted IP, the score of the detection is greatly reduced) and a case is created based on the resulting severity.

Benefits to This Approach

  • Hands-off monitoring of user logons
  • Baseline is built over time - no information needs to be pre-supplied
  • Location-based detections can be an important early-warning detection for larger problems such as account takeover or pivoting.
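The detection logic described above, as an added illustration that is not LogicHub's own flow code: logons are grouped per user, the great-circle distance between consecutive logins is computed, the speed implied by the time gap is compared with a plausible travel ceiling, hosted IPs scale the score down, and a severity is assigned. The coordinates, IP addresses, thresholds and the hosted-IP factor are constructed assumptions for the example.

```python
# Added illustration (not LogicHub's own flow code): an impossible-travel
# check over constructed logon records. Locations, IPs and thresholds below
# are assumptions for the example.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumed ceiling: roughly airliner speed
HOSTED_IP_FACTOR = 0.25      # assumed: hosting-provider IPs cut the score
MIN_DISTANCE_KM = 50.0       # assumed: ignore GeoIP jitter within a metro area


@dataclass
class Logon:
    user: str
    ts: datetime
    lat: float
    lon: float
    ip: str
    hosted_ip: bool = False  # in production this comes from an IP-intel lookup


@dataclass
class Alert:
    user: str
    src_ip: str
    dst_ip: str
    distance_km: float
    hours: float
    speed_kmh: float
    score: float
    severity: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def severity_for(score):
    """Map a 0..1 score onto a case severity."""
    if score >= 0.8:
        return "high"
    if score >= 0.4:
        return "medium"
    return "low"


def detect_impossible_travel(logons):
    """Return one Alert per consecutive login pair whose implied speed is implausible."""
    by_user = {}
    for ev in logons:
        by_user.setdefault(ev.user, []).append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)
        for prev, cur in zip(events, events[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < MIN_DISTANCE_KM:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Two distant logins with no time gap: treat as infinitely fast.
            speed = dist / hours if hours > 0 else float("inf")
            if speed <= MAX_PLAUSIBLE_KMH:
                continue
            # Score grows with how far past the ceiling the implied speed is,
            # saturating at 1.0 (four times the ceiling or more).
            score = min(1.0, speed / (4 * MAX_PLAUSIBLE_KMH))
            if prev.hosted_ip or cur.hosted_ip:
                score *= HOSTED_IP_FACTOR
            alerts.append(Alert(user, prev.ip, cur.ip, round(dist, 1), round(hours, 2),
                                round(speed, 1), round(score, 2), severity_for(score)))
    return alerts


# Constructed sample logons (coordinates approximate, IPs from documentation ranges).
SAMPLE_LOGONS = [
    # alice: Berlin, then New York one hour later -> impossible
    Logon("alice", datetime(2021, 3, 1, 9, 0), 52.52, 13.405, "198.51.100.10"),
    Logon("alice", datetime(2021, 3, 1, 10, 0), 40.7128, -74.006, "203.0.113.7"),
    # bob: Frankfurt, then a hosting-provider IP geolocated to Virginia -> down-weighted
    Logon("bob", datetime(2021, 3, 1, 12, 0), 50.1109, 8.6821, "198.51.100.20"),
    Logon("bob", datetime(2021, 3, 1, 13, 0), 39.0438, -77.4874, "203.0.113.40", hosted_ip=True),
    # carol: London, then Paris three hours later -> plausible by train, no alert
    Logon("carol", datetime(2021, 3, 1, 8, 0), 51.5074, -0.1278, "198.51.100.30"),
    Logon("carol", datetime(2021, 3, 1, 11, 0), 48.8566, 2.3522, "198.51.100.31"),
]

if __name__ == "__main__":
    for a in detect_impossible_travel(SAMPLE_LOGONS):
        print(f"{a.user}: {a.distance_km} km in {a.hours} h "
              f"({a.speed_kmh} km/h) score={a.score} severity={a.severity}")
```

Run as-is, the script raises a high-severity alert for alice (roughly 6,400 km in one hour), a low-severity one for bob because the second login came from a hosted IP, and nothing for carol. The minimum-distance guard matters in practice: GeoIP databases place the same home connection tens of kilometres apart from one lookup to the next, and without it the detector produces noise for users who never moved.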

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.

Supply Chain Hack on Open Source Dev Tools Affecting Apple, Microsoft

Security researcher Alex Birsan has devised a tool that targets common open source development tools adopted by large players like Apple and Microsoft. The tool abuses the privileges granted to these open source projects to escalate privileges within the target network, with astonishing success.

Read More

Nvidia’s Anti-Cryptomining Chip May Not Discourage Attacks

Anyone in the gaming world knows: GPUs are hard to come by thanks to the increased popularity of cryptomining. Nvidia’s response has been to develop an anti-cryptomining chip that throttles mining of Ethereum, but it might not be as effective as estimated: the throttling appears to be based on detecting memory usage patterns that look like Ethereum mining, which in itself can lead to a variety of problems.

Read More

Microsoft Exchange Updates Can Install Without Repairing Zero-Days

Time to validate those build numbers: recent critical Microsoft Exchange patches can install without actually fixing the problem they are meant to repair. Users and administrators installing these packages are encouraged to double-check the permissions under which the installer runs (make sure it is run as an administrator) to confirm that all necessary files are updated. Keep a close eye on this one: Exchange attacks are arriving en masse right now.

Read More

Critical RCEs Patched in Android Releases

In a series of high- and critical-rated vulnerability patches, Google has provided fixes for 37 separate vulnerabilities in Android 8.1, 9, 10, and 11. The vulnerabilities span Qualcomm components, the kernel, and the System component, with the most severe being a vulnerability in the System component that would let an attacker use a specially crafted transmission to achieve arbitrary code execution.

Read More

Microsoft SolarWinds Attacks: Exchange and Azure Code Downloads

In an incident somewhat related to the recent Exchange attacks, attackers were able to download Microsoft Azure and Exchange code repositories as part of recent incidents leveraging the SolarWinds supply-chain attack. That attack used the SolarWinds Orion management platform to push backdoors out to over 18,000 organizations.

Read More