Security Safari

New Threats in the Wild

This section is devoted to threats of particular note that have been seen in the past month. A select few of particular interest will be highlighted in greater detail. NIST NVD data will be used to make these determinations.

HIGHLIGHT

Solarwinds Orion Escalated Privileges

What does it do?

The Solarwinds Orion application has already been used in some high profile attacks, including those against multiple Fortune 500 companies and several government agencies. Although this vulnerability came after the above attacks, it is yet another painful zero-day that SolarWinds needs to cope with. This specific vulnerability concerns the SaveUserSetting endpoint: the endpoint is not restricted from unprivileged users, so a Guest can use it to escalate their own privilege to Administrator.

Potential Impact

Such a large privilege escalation means that a completely unauthenticated user (Guest) can make massive changes to the application or to user settings.

Remediation

Upgrade to the Orion Platform 2020.2.4 release.

More Information:

https://www.zerodayinitiative.com/advisories/ZDI-21-192/
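As an added illustration (not SolarWinds code; every name here is hypothetical), this is the shape of the authorization checks a SaveUserSetting-style handler needs so that a Guest cannot write privilege-related settings or touch other accounts:

```python
from dataclasses import dataclass, field

ROLE_RANK = {"Guest": 0, "User": 1, "Administrator": 2}

# Settings that change what an account may do; only an Administrator may write them.
PRIVILEGED_SETTINGS = {"role", "allow_admin", "allow_node_management"}

@dataclass
class Session:
    account_id: str
    role: str
    authenticated: bool

@dataclass
class Account:
    account_id: str
    settings: dict = field(default_factory=dict)

class Forbidden(Exception):
    pass

def save_user_setting(session, accounts, target_id, name, value):
    """Hardened handler (hypothetical). The Orion flaw as described was the
    absence of checks like these, which let a Guest raise its own role."""
    # 1. The caller must be a real, authenticated account, never the Guest role.
    if not session.authenticated or session.role == "Guest":
        raise Forbidden("guest or anonymous sessions may not save settings")
    is_admin = session.role == "Administrator"
    # 2. Ownership: only an administrator may change somebody else's settings.
    if target_id != session.account_id and not is_admin:
        raise Forbidden("only administrators may change other accounts")
    # 3. Privilege-bearing settings are administrator-only, even on your own account.
    if name in PRIVILEGED_SETTINGS and not is_admin:
        raise Forbidden("privilege-related settings require Administrator")
    if name == "role" and value not in ROLE_RANK:
        raise ValueError("unknown role")
    accounts[target_id].settings[name] = value
    return accounts[target_id].settings

def attempt(session, accounts, target_id, name, value) -> bool:
    """Convenience wrapper: True when the write was accepted, False when refused."""
    try:
        save_user_setting(session, accounts, target_id, name, value)
        return True
    except Forbidden:
        return False
```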

HIGHLIGHT

Smart Air Fryer RCE

What does it do?

Another entry for the Internet of Things: In the WiFi setup process for the Cosori Smart Air Fryer, information about the device is pulled via the mobile app. If the request for that information is invalid and the JSON field value is too large, a buffer overflow occurs and remote code execution is possible.

Potential Impact

Though it may be an air fryer, it still has the potential for serious damage. IoT devices with a remote code execution vulnerability can be used in botnets, can be used to find sensitive data on the local network, and can have their operation interfered with (in the case of a smart air fryer, this could be physically dangerous, and the device could also be used to reach information stored on your smartphone).

Remediation

No apparent remediation at this time. For safety and security, disconnect the device from your network until a fix is released.

More Information:

https://talosintelligence.com/vulnerability_reports/TALOS-2020-1216

Additional Threats

CVE-2021-27850

A critical unauthenticated remote code execution vulnerability was found in all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195.

Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class`, which contains an HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`.

Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/`. The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial).

Solution for this vulnerability:

  • For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later.
  • For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.

More Info
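The root cause above is a suffix denylist evaluated before the path is canonicalized. This added example (not Tapestry code; the function names are my own) shows why that ordering fails and how to check the canonical form instead, or better, allowlist only static asset types; the real fix is still the upgrade listed above:

```python
import posixpath
from urllib.parse import unquote

# Suffixes the original CVE-2019-0195 fix blocked, per the advisory text.
BLOCKED_SUFFIXES = (".class", ".properties", ".xml")

# Static asset types a web application actually needs to serve (assumed list).
ASSET_ALLOWED = (".css", ".js", ".png", ".jpg", ".gif", ".svg", ".woff")

def naive_is_blocked(url_path: str) -> bool:
    """The flawed pattern: test the raw request path, before the server
    strips the trailing slash it later strips when resolving the file."""
    return url_path.endswith(BLOCKED_SUFFIXES)

def canonical_asset_path(url_path: str) -> str:
    """Canonicalize the way the asset loader will before deciding:
    percent-decode, collapse '.'/'..' and duplicate slashes, drop trailing
    slashes, and fold case so '.CLASS' is treated like '.class'."""
    decoded = unquote(url_path)
    collapsed = posixpath.normpath(decoded)
    return collapsed.rstrip("/").lower()

def hardened_is_blocked(url_path: str) -> bool:
    """Apply the denylist to the canonical path the server would serve."""
    return canonical_asset_path(url_path).endswith(BLOCKED_SUFFIXES)

def allowlist_permits(url_path: str) -> bool:
    """Stronger: serve only known static asset types; everything else is refused,
    so classpath resources never become reachable regardless of suffix tricks."""
    return canonical_asset_path(url_path).endswith(ASSET_ALLOWED)
```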

CVE-2021-30476

HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Fixed in 2.19.1.

More Info

CVE-2021-29066

The kernel in Amazon Web Services FreeRTOS before 10.4.3 has an integer overflow in queue.c for queue creation.

More Info

CVE-2020-26197

Dell PowerScale OneFS 8.1.0 - 9.1.0 contains a vulnerability in which the LDAP provider is unable to connect over TLSv1.2. It may make it easier for a malicious actor to eavesdrop on and decrypt such traffic. Note: This does not affect clusters which are not relying on an LDAP server for the authentication provider.

More Info

From The Field

Real World Use Cases in Action

In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.

Customer Use Case

Oracle Cloud Infrastructure Detections

Summary

The implementation of Oracle Cloud Infrastructure monitoring is extremely useful in that security incidents are commonly seen through this environment. In one such case, a new user was observed performing actions that affected other users and modified passwords. After some log correlation, the user was confirmed to be a part of an application used for audit logging. This essentially tested the audit logging service and confirmed the functionality of the detection.

Automated Solution

This detection prevented a lot of manual digging by ingesting all logs for this user, correlating all of them within a certain time period, aggregating them, and confirming that the privileges of the user were unusual. Without this automation, the detection likely would have never been made or would have taken hours to find and correlate.

Benefits to This Approach

  • Easy collection of all related data within the time period
  • Confirming audits and tests is far easier than it would be through a manual confirmation process
  • Individual metadata cases by user are easier to correlate to a single event affecting multiple users, and can make cleanup after an event easier.
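The correlation step described above, as an added example that is not LogicHub's or Oracle's code: group account-changing audit events by acting principal and flag a principal that modified several other users' accounts inside one time window. The events are constructed, and the field names are assumptions rather than the exact OCI Audit schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OCI-style audit events (field names assumed, times in UTC).
SAMPLE_EVENTS = [
    {"time": "2021-05-03T09:00:05Z", "principal": "svc-audit-app", "action": "UpdateUser", "target": "alice"},
    {"time": "2021-05-03T09:00:09Z", "principal": "svc-audit-app", "action": "ResetPassword", "target": "alice"},
    {"time": "2021-05-03T09:00:14Z", "principal": "svc-audit-app", "action": "ResetPassword", "target": "bob"},
    {"time": "2021-05-03T09:01:02Z", "principal": "svc-audit-app", "action": "UpdateUser", "target": "carol"},
    {"time": "2021-05-03T11:30:00Z", "principal": "alice", "action": "ResetPassword", "target": "alice"},
    {"time": "2021-05-03T12:00:00Z", "principal": "svc-audit-app", "action": "ListUsers", "target": ""},
]

# Actions that change another account's state or credentials (assumed names).
ACCOUNT_CHANGING = {"UpdateUser", "ResetPassword", "DeleteUser", "AddUserToGroup"}

def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def correlate_account_changes(events, window=timedelta(minutes=10), min_targets=2):
    """Ingest all events, keep account-changing actions aimed at *other* users,
    bucket them by acting principal, then flag any principal that touched at
    least `min_targets` distinct accounts within one sliding window.
    Returns {principal: sorted affected accounts} for flagged principals."""
    by_principal = defaultdict(list)
    for e in events:
        if e["action"] in ACCOUNT_CHANGING and e["target"] and e["target"] != e["principal"]:
            by_principal[e["principal"]].append((parse_time(e["time"]), e["target"]))
    flagged = {}
    for principal, items in by_principal.items():
        items.sort()  # chronological, so each window starts at an event
        for i, (t0, _) in enumerate(items):
            in_window = {tgt for t, tgt in items[i:] if t - t0 <= window}
            if len(in_window) >= min_targets:
                flagged[principal] = sorted(in_window)
                break
    return flagged
```

A flagged principal is then an analyst decision (here the page's case turned out to be the audit-logging application exercising the service), but the hours of manual grouping are gone.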

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.

U.S. Declares State of Emergency After Largest Pipeline Shut Down by Ransomware

The largest pipeline in the U.S., the Colonial Pipeline, has shut down almost entirely as of May 10th and caused a state of emergency in 13 states and the District of Columbia. The attack is attributed to the Darkside ransomware group; the pipeline accounts for 48% of natural gas supply across the southeastern US. The state of emergency is in place until June 10th or until the Colonial Pipeline Company is able to restore some services.

Read More

4 Million Email Addresses Used by Emotet Released, Posted to HaveIBeenPwned

It’s time to check in on HaveIBeenPwned.com and see if you were one of the unlucky ones who had their email used by the Emotet malware campaign. The email addresses were released by the FBI in tandem with a tool that uninstalled the malware from affected computers. These addresses aren’t publicly visible, and require the address owner to check for compromise.

Read More

Office365 Phishing On the Rise

Usual phishing advice doesn’t apply to the new O365 attacks. The link that is clicked by a targeted user directs to an actual O365 login page, but features a pop-up requesting permissions from an application that looks like it comes from Microsoft. This tactic both lends legitimacy and bypasses all two-factor authentication.

Read More

After Solarwinds, White House Pushes for Electrical Grid Security

Coming after the devastating Solarwinds attacks (now attributed to Russian actors), the Biden administration is working to roll out security for electrical grids across the U.S. This plan is based on incentives rather than regulations, providing monitoring software and requesting reporting of attacks.

Read More

Fake Comment Crisis at the FCC

The Federal Communications Commission has confirmed the illegitimacy of millions of fake comments regarding net neutrality. Comments both for and against the neutral treatment of data were added by fabricating names and using fake identities, causing confusion for legislators. Petitions and comments like this greatly influence legislative decisions, and fake comments can mean a direct disruption of the democratic process.

Read More

Deepfake Surge

Deepfaking (the creation of hyper-realistic photos and videos with faces or bodies that aren’t their own) has been rising over the past 10 years, and it’s about to surge again with a massive uptick in deepfake tech crossing the dark web. According to Recorded Future, how-tos and best practices are becoming commonplace fare. Be vigilant, and don’t trust everything that even your own eyes see.

Read More
