The LogicHub Security Roundup: March 2021 Edition
Hello, and welcome to the first edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.
Active Exploits on Chrome Zero-Day
WHAT DOES IT DO?
‘Jailbreaking’ a phone of any kind is the process of gaining root access in a way that is not authorized or intended by the manufacturer - whether with malicious intent or as a way of accessing more phone features by the user. In this case, a kernel object called a ‘mach voucher’ (which can control the referencing of resources) can be iterated in such a way that functions don’t need to be called together, breaking a cycle and causing a kernel panic. This kernel panic allows for full exploration of the underlying system.
Jailbreaking is dangerous, especially for corporate devices. Though the ability to access unintended features may be exciting, it also opens up devices to attack and makes the device more difficult to secure. The attack surface will be significantly increased with almost no way to secure.
Apple has released iOS 14.4, which is not vulnerable to this issue. Device administrators should force upgrades immediately.
vSphere Client RCE
WHAT DOES IT DO?
This remote code execution allows any attacker with access to port 443 on the affected device to exploit and gain full privileges on the underlying vSphere client. From here, virtual machines may be tampered with, created, or deleted.
Possible widespread outages, data loss, or lack of data integrity may occur from this vulnerability.
Updates have been made available by the vendor to patch out this vulnerability.
Privileged Escalation in Cisco Application Services Engine (CASE)
WHAT DOES IT DO?
This vulnerability is due to insufficient access controls for a service running in the Data Network. An attacker could exploit this vulnerability by sending crafted TCP requests to a specific service. A successful exploit could allow the attacker to have privileged access to run containers or invoke host-level operations.
This attack would have an effect on every level of the CIA triad if successful, as an attacker would be able to make modifications, view sensitive information, and cause a lack of availability if so chosen by the attacker.
This vulnerability has been patched in an update made available by Cisco, which should be immediately downloaded by affected parties.
A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine could allow an unauthenticated, remote attacker to bypass authentication on an affected device. The vulnerability is due to improper token validation on a specific API endpoint. An attacker could exploit this vulnerability by sending a crafted request to the affected API. A successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices.
A stack-based buffer overflow vulnerability has been reported to affect QNAP NAS devices running Surveillance Station. If exploited, this vulnerability allows attackers to execute arbitrary code. QNAP have already fixed this vulnerability in the following versions: Surveillance Station 18.104.22.168.3 (and later) for ARM CPU NAS (64bit OS) and x86 CPU NAS (64bit OS) Surveillance Station 22.214.171.124.3 (and later) for ARM CPU NAS (32bit OS) and x86 CPU NAS (32bit OS)
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CUSTOMER USE CASE
For some users, logging in from different locations is normal and expected. In some industries, however, logins from abnormal locations can spell disaster and mean possible unauthorized users. To prevent this, login locations can be checked and the ability of the user to travel the given distance between logins can be measured.
In the LogicHub solution, a flow is created that looks into all available logons and their locations, which are then tied to their respective users. If two logins from different locations are found, their distance and time between them are measured using average possible travel times by normal transportation methods. If the average is far beyond possibility (for instance: logging in from Germany and then the U.S. over the course of one hour), the type of IP is checked (if it’s a hosted IP, the score of the detection is greatly reduced) and a case is created based on its severity.
BENEFITS TO THIS APPROACH
- Hands-off monitoring of user logons
- Baseline is built over time - no information needs to be pre-supplied
- Location-based detections can be a huge precursor detection to larger problems like account takeover or pivoting.
This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.
Supply Chain Hack on Open Source Dev Tools Affecting Apple, Microsoft
Security researcher Alex Birsan has devised a tool to be used on common open source development programs adopted by large players like Apple and Microsoft. The tool uses the privileges given to these open source projects to escalate privileges within the target network with astonishing success.
Nvidia’s Anti-Cryptomining Chip May Not Discourage Attacks
All of those in the gaming world know: GPUs are hard to come by thanks to the increased popularity of cryptomining. Nvidia’s response has been to develop an anti-cryptomining chip that throttles mining of Etherum coins, but it might not be as effective as estimated: this throttling appears to be based on detecting memory usage that looks like Etherum activity, which in itself can host a variety of problems.
Microsoft Exchange Updates Can Install Without Repairing Zero-Days
Time to validate those build numbers: recent critical Microsoft Exchange patches are able to install without actually fixing the problem that they’re meant to repair. Users and administrators installing these packages are encouraged to double-check the permissions status of their install (make sure it’s being installed as an administrator) to confirm that all necessary files are updated. Keep a close eye on this one: Exchange attacks are coming en-masse right now.
Critical RCEs Patched in Android Releases
In a series of high and critical-rated vulnerability patches, Google has provided resolutions for 37 separate vulnerabilities in Android 8.1, 9, 10, and 11. These vulnerabilities ranged in their targets, from Qualcomm components, kernel, and system, with the most severe of them being a vulnerability in the System component. This vulnerability would utilize a specially crafted transmission from an attacker to allow for arbitrary code execution.
Microsoft Solarwinds Attacks: Exchange and Azure Code Downloads
In an incident somewhat related to the recent Exchange attacks, attackers were able to download Microsoft Azure and Exchange code repositories as part of recent incidents leveraging the SolarWinds supply-chain attacks. This attack used the SolarWinds Orion management platform to push backdoors out to over 18,000 different organizations.