The LogicHub Security Roundup: May 2021 Edition

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.

HIGHLIGHT

SolarWinds Orion Privilege Escalation

WHAT DOES IT DO?

The SolarWinds Orion application has already been used in some high-profile attacks, including those against multiple Fortune 500 companies and several government agencies. Although this vulnerability surfaced after those attacks, it is yet another painful zero-day that SolarWinds needs to cope with. This specific vulnerability concerns the SaveUserSetting endpoint: access to the endpoint is not restricted to privileged users, so an unprivileged user can call it to escalate their own privilege from Guest to Administrator.

POTENTIAL IMPACT

Such a large privilege escalation means that a completely unauthenticated user (Guest) can make massive changes to the application or to user settings.

REMEDIATION

Fixed in the Orion Platform 2020.2.4 release.

MORE INFORMATION:

https://www.zerodayinitiative.com/advisories/ZDI-21-192/

HIGHLIGHT

Smart Air Fryer RCE

WHAT DOES IT DO?

Another entry for the Internet of Things: during the WiFi setup process for the Cosori Smart Air Fryer, information about the device is pulled via the mobile app. If the request for that information is invalid and the JSON field value is too large, a buffer overflow occurs and remote code execution is possible.

POTENTIAL IMPACT

Though it may be an air fryer, it still has the potential for serious damage. IoT devices with a remote code execution vulnerability can be used in botnets, used to find sensitive data on the local network, and made to interfere with device operation (in the case of a smart air fryer, this could be physically dangerous, or could expose information stored on your smartphone).

REMEDIATION

No apparent remediation at this time. For safety and security, disconnect the device from your network until a fix is released.

MORE INFORMATION:

https://talosintelligence.com/vulnerability_reports/TALOS-2020-1216

CUSTOMER USE CASE

Oracle Cloud Infrastructure Detections

SUMMARY

Monitoring Oracle Cloud Infrastructure has proved extremely useful, since security incidents are commonly seen in this environment. In one such case, a new user was observed performing actions that affected other users and modifying their passwords. After some log correlation, the user was confirmed to belong to an application used for audit logging. The event effectively tested the audit logging service and confirmed that the detection works.

AUTOMATED SOLUTION

This detection saved a lot of manual digging by ingesting all logs for this user, correlating them within a set time window, aggregating them, and confirming that the user's privileges were unusual. Without this automation, the detection likely would never have been made, or would have taken hours to find and correlate.
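As an added illustration of the correlation described above (example code, not LogicHub's or Oracle's), the function below groups audit events per actor, limits them to a time window after the actor's account was created, and flags a new user who changes the accounts or passwords of several other users. The event tuples, action names and field layout are constructed for this example and do not reflect the real OCI Audit schema.

```python
"""Flag a newly created user that modifies other users within a time window.
Event format and action names are constructed; they are not OCI's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, actor, action, target user)
EVENTS = [
    ("2021-05-03T09:00:00", "svc-auditlog", "UserCreated", "svc-auditlog"),
    ("2021-05-03T09:05:10", "svc-auditlog", "UpdateUserPassword", "alice"),
    ("2021-05-03T09:05:42", "svc-auditlog", "UpdateUserPassword", "bob"),
    ("2021-05-03T09:06:01", "svc-auditlog", "UpdateUser", "carol"),
    ("2021-05-03T10:00:00", "admin-jane", "UpdateUserPassword", "admin-jane"),
    ("2021-05-03T10:30:00", "admin-jane", "UpdateUser", "dave"),
]

# Actions that change another user's account or credentials (constructed names)
PRIVILEGED_ACTIONS = {"UpdateUserPassword", "UpdateUser", "DeleteUser"}


def flag_new_user_modifying_others(events, window=timedelta(hours=1), min_targets=2):
    """Return {actor: sorted list of other users touched} for every actor whose
    account was created in the log and who, within `window` of that creation,
    ran a privileged action against at least `min_targets` *other* users."""
    created = {}                      # user -> creation time
    by_actor = defaultdict(list)      # actor -> [(time, target), ...]
    for ts, actor, action, target in events:
        t = datetime.fromisoformat(ts)
        if action == "UserCreated":
            created[target] = t
        elif action in PRIVILEGED_ACTIONS and target != actor:
            by_actor[actor].append((t, target))

    findings = {}
    for actor, acts in by_actor.items():
        if actor not in created:
            continue                  # long-lived account: not a "new user" case
        start, end = created[actor], created[actor] + window
        targets = {tgt for t, tgt in acts if start <= t <= end}
        if len(targets) >= min_targets:
            findings[actor] = sorted(targets)
    return findings


if __name__ == "__main__":
    for actor, targets in flag_new_user_modifying_others(EVENTS).items():
        print(f"new user {actor} modified other users: {', '.join(targets)}")
```

In the sample data, only the freshly created svc-auditlog account is flagged; admin-jane is a pre-existing account and is left for other detections.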

BENEFITS TO THIS APPROACH
  • Easy collection of all related data within the time period
  • Confirming audits and tests is far easier than it would be through a manual confirmation process
  • Individual metadata cases by user are easier to correlate to a single event affecting multiple users, and can make cleanup after an event easier.

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.
