The LogicHub Security Roundup: May 2021 Edition
Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.
SolarWinds Orion Privilege Escalation
WHAT DOES IT DO?
The SolarWinds Orion platform has already featured in several high-profile attacks, including those against multiple Fortune 500 companies and several government agencies. Although this vulnerability was disclosed after those attacks, it is yet another painful zero-day that SolarWinds needs to cope with. It concerns the SaveUserSetting endpoint: access to the endpoint is not restricted for unprivileged users, so such a user can call it to escalate their own privilege from Guest to Administrator.
Such a large privilege escalation means that a completely unauthenticated user (Guest) can make sweeping changes to the application or to user settings.
Remediation: upgrade to the Orion Platform 2020.2.4 release.
Smart Air Fryer RCE
WHAT DOES IT DO?
Another entry for the Internet of Things: during the Wi-Fi setup process for the Cosori Smart Air Fryer, the mobile app pulls information about the device. If that request is malformed and a JSON field value is too large, a buffer overflow occurs and remote code execution is possible.
Though it is only an air fryer, it still has the potential for serious damage. IoT devices with a remote code execution vulnerability can be enrolled in botnets, used to look for sensitive data on the local network, and have their normal operation interfered with. In the case of a smart air fryer, that interference could be physically dangerous, and the device could also be used to reach information stored on your smartphone.
No apparent remediation at this time. For safety and security, disconnect the device from your network until a fix is released.
A critical unauthenticated remote code execution vulnerability was found in all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195.
Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class`, which contains an HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`.
Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/`. The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial).
Solution for this vulnerability:
- For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later.
- For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.
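As an added illustration (not code from the Tapestry project or from the advisory), the following Python contrasts the check-then-normalise ordering the advisory describes with a normalise-then-check version, and runs the hardened check over a few constructed access-log lines as a detection. The function names and sample log lines are ours; the hardened version also percent-decodes and lowercases the path, a generalisation beyond the trailing-slash case in the advisory.

```python
import re
from urllib.parse import unquote

# Suffixes the CVE-2019-0195 fix refused to serve from the classpath (from the advisory).
BLOCKED_SUFFIXES = (".class", ".properties", ".xml")


def blocked_then_normalized(path: str) -> bool:
    """Vulnerable ordering modelled on the advisory: the suffix check runs on the
    raw path and the trailing slash is stripped only afterwards."""
    refused = path.endswith(BLOCKED_SUFFIXES)  # "AppModule.class/" passes here
    path = path.rstrip("/")                     # too late: the decision is already made
    return refused


def normalized_then_blocked(path: str) -> bool:
    """Hardened ordering: canonicalise first, then check the form that will be
    used for the lookup. Decoding and lowercasing are a generalisation (assumption)
    beyond the trailing-slash bypass in the advisory."""
    canonical = unquote(path)
    canonical = re.sub(r"/+$", "", canonical)   # drop any number of trailing slashes
    return canonical.lower().endswith(BLOCKED_SUFFIXES)


# Request line of a common-log-format entry for the /assets/ path used in the advisory.
ASSET_REQUEST = re.compile(r'"(?:GET|HEAD) (/assets/\S*) HTTP/')


def suspicious_asset_requests(log_lines):
    """Detection: return asset paths that, once normalised, target a blocked file.
    Catches both the original bug and the trailing-slash bypass."""
    hits = []
    for line in log_lines:
        m = ASSET_REQUEST.search(line)
        if m and normalized_then_blocked(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/May/2021:12:00:01 +0000] "GET /assets/meta/abc/css/app.css HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/May/2021:12:00:02 +0000] "GET /assets/something/services/AppModule.class HTTP/1.1" 403 0',
    '10.0.0.9 - - [01/May/2021:12:00:03 +0000] "GET /assets/something/services/AppModule.class/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in suspicious_asset_requests(SAMPLE_LOG):
        print("blocked-resource request:", hit)
```

Note that the third sample line was served with a 200 by the vulnerable ordering, which is exactly the case the normalised check still flags.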
HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Fixed in 2.19.1.
The kernel in Amazon Web Services FreeRTOS before 10.4.3 has an integer overflow in queue.c for queue creation.
Dell PowerScale OneFS 8.1.0 - 9.1.0 contains a vulnerability in which the LDAP provider is unable to connect over TLSv1.2, which may make it easier for a malicious actor to eavesdrop on and decrypt such traffic. Note: this does not affect clusters that do not rely on an LDAP server as the authentication provider.
CUSTOMER USE CASE
Oracle Cloud Infrastructure Detections
Monitoring Oracle Cloud Infrastructure is extremely useful because security incidents are commonly seen in this environment. In one such case, a new user was observed performing actions that affected other users and modified their passwords. After some log correlation, the user was confirmed to belong to an application used for audit logging; the activity was in effect a test of the audit logging service, and it confirmed that the detection works.
The detection saved a lot of manual digging by ingesting all logs for this user, correlating them within a set time period, aggregating them, and confirming that the user's privileges were unusual. Without this automation, the detection likely would never have been made, or would have taken hours to find and correlate.
BENEFITS TO THIS APPROACH
- Easy collection of all related data within the time period
- Confirming audits and tests is far easier than it would be through a manual confirmation process
- Individual per-user metadata cases are easier to correlate to a single event affecting multiple users, which can make cleanup after an event easier.
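The correlation described in this use case, as an added example that is not LogicHub's own playbook: group credential-changing actions by actor inside a time window, count the distinct other users affected, and tag known test principals (such as the audit-logging application) as expected. The event names, field layout and sample records are constructed for illustration, not a statement of the OCI Audit schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
# Actions that change another user's credentials or account; the names are illustrative
# (assumption), not a statement of the OCI Audit schema.
SENSITIVE = {"CreateOrResetUIPassword", "UpdateUser"}


def parse_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def correlate(events, threshold=2, known_test_principals=frozenset()):
    """Group credential-changing actions by actor and report any actor who touched
    at least `threshold` distinct *other* users inside one WINDOW. Actors on the
    allow-list are still reported, but tagged expected=True so the analyst can
    close them quickly (the audit-logging application in the use case above)."""
    by_actor = defaultdict(list)
    for e in events:
        if e["eventName"] in SENSITIVE and e["target"] != e["principal"]:
            by_actor[e["principal"]].append((parse_time(e["eventTime"]), e["target"]))
    findings = []
    for actor, acts in by_actor.items():
        acts.sort()
        best, best_start = set(), None
        for i, (t0, _) in enumerate(acts):          # each event opens a candidate window
            in_window = {tgt for t, tgt in acts[i:] if t - t0 <= WINDOW}
            if len(in_window) > len(best):
                best, best_start = in_window, t0
        if len(best) >= threshold:
            findings.append({"actor": actor, "targets": sorted(best),
                             "window_start": best_start.isoformat(),
                             "expected": actor in known_test_principals})
    return findings


# Constructed sample events (simplified shape, not real OCI Audit records).
SAMPLE_EVENTS = [
    {"eventTime": "2021-05-03T09:00:05Z", "principal": "svc-auditcheck", "eventName": "CreateOrResetUIPassword", "target": "alice"},
    {"eventTime": "2021-05-03T09:01:10Z", "principal": "svc-auditcheck", "eventName": "CreateOrResetUIPassword", "target": "bob"},
    {"eventTime": "2021-05-03T09:02:40Z", "principal": "svc-auditcheck", "eventName": "UpdateUser", "target": "carol"},
    {"eventTime": "2021-05-03T09:03:00Z", "principal": "alice", "eventName": "UpdateUser", "target": "alice"},
    {"eventTime": "2021-05-03T09:05:00Z", "principal": "dave", "eventName": "CreateOrResetUIPassword", "target": "bob"},
    {"eventTime": "2021-05-03T11:30:00Z", "principal": "dave", "eventName": "CreateOrResetUIPassword", "target": "carol"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS, known_test_principals={"svc-auditcheck"}):
        print(finding)
```

Self-service changes and isolated resets hours apart (dave in the sample) fall below the threshold, which keeps the finding focused on one actor touching several accounts at once.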
This section contains some interesting reading on the state of infosec today. Each article has a short summary explaining the basic idea of the news, with links to more information.
U.S. Declares State of Emergency After Largest Pipeline Shut Down by Ransomware
The largest pipeline in the U.S., the Colonial Pipeline, has been almost entirely shut down as of May 10th, prompting a state of emergency in 13 states and the District of Columbia. Attacked by the DarkSide ransomware group, the pipeline accounts for 48% of natural gas supply across the southeastern US. The state of emergency remains in place until June 10th or until the Colonial Pipeline Company is able to restore some services.
4 Million Email Addresses Used by Emotet Released, Posted to HaveIBeenPwned
It’s time to check in on HaveIBeenPwned.com and see if you were one of the unlucky ones who had their email used by the Emotet malware campaign. The email addresses were released by the FBI in tandem with a tool that uninstalled the malware from affected computers. These addresses aren’t publicly visible, and require the address owner to check for compromise.
Office365 Phishing On the Rise
The usual phishing advice doesn't apply to the new O365 attacks. The link clicked by a targeted user leads to a genuine O365 login page, but then shows a pop-up requesting permissions for an application that appears to come from Microsoft. This tactic both lends legitimacy and bypasses two-factor authentication, because the user genuinely signs in and then grants the application access.
After Solarwinds, White House Pushes for Electrical Grid Security
Coming after the devastating SolarWinds attacks (now attributed to Russian actors), the Biden administration is working to roll out security improvements for electrical grids across the U.S. The plan is based on incentives rather than regulation, providing monitoring software and asking operators to report attacks.
Fake Comment Crisis at the FCC
The Federal Communications Commission has confirmed that millions of comments regarding net neutrality were fake. Comments both for and against the neutral treatment of data were submitted under fabricated names and fake identities, causing confusion for legislators. Petitions and comments like these greatly influence legislative decisions, and fake comments amount to a direct disruption of the democratic process.
Deepfaking (creating hyper-realistic photos and videos in which faces or bodies are swapped for someone else's) has been on the rise for the past 10 years, and it is about to surge again with a massive uptick in deepfake tooling circulating on the dark web. As reported by Recorded Future, how-tos and best practices are becoming commonplace fare. Be vigilant, and don't trust everything that even your own eyes see.