The LogicHub Security RoundUp: May 2022 Edition

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.

HIGHLIGHT

Cisco Enterprise NFV Infrastructure VM Escape

WHAT DOES IT DO?

A vulnerability in the Next Generation Input/Output (NGIO) feature of Cisco Enterprise NFVIS could allow an authenticated, remote attacker to escape from the guest VM to gain unauthorized root-level access on the NFVIS host.

POTENTIAL IMPACT

This vulnerability is due to insufficient guest restrictions. An attacker could exploit this vulnerability by sending an API call from a VM that will execute with root-level privileges on the NFVIS host. A successful exploit could allow the attacker to compromise the NFVIS host completely.

REMEDIATION

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

MORE INFORMATION:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-NFVIS-MUL-7DySRX9

HIGHLIGHT

F5 BIG-IP RCE

WHAT DOES IT DO?

This vulnerability is one that has an extremely simple PoC (proof of concept). By sending a POST request for a bash shell to a vulnerable host (one with REST access), the user can gain full shell access to a machine. This is notable due to how easy this process is, and how easy it is to confirm: one crafted request is enough.

POTENTIAL IMPACT

This is a critical severity vulnerability that allows full access to the host with no bounds, and requires no credentials to use.

REMEDIATION

Patches have been made available for many versions of BIG-IP products, listed in the article below. Patch immediately.

MORE INFORMATION:

https://thehackernews.com/2022/05/researchers-develop-rce-exploit-for.html
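A defender-side check for the request pattern described above, written as an added example for this newsletter (not code from F5 or the linked article): it scans web-access log lines for POST requests to the management REST shell utility from sources outside a management allowlist. The endpoint path, the allowlisted network and the log lines are all assumptions or constructed samples; confirm the exact path against the vendor advisory for your BIG-IP version.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed iControl REST path that runs shell commands (not named on the page);
# verify it against the vendor advisory before relying on this rule.
SHELL_UTIL_PATH = "/mgmt/tm/util/bash"

# Constructed example: management-network ranges allowed to use the REST API.
ALLOWED_MGMT_NETS = [ip_network("10.0.0.0/8")]

# Combined-log-format style line; the constructed samples below use this shape.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(rec):
    """POST to the shell utility path from a source outside the management allowlist."""
    if rec["method"] != "POST":
        return False
    if rec["path"].split("?")[0] != SHELL_UTIL_PATH:
        return False
    src = ip_address(rec["src"])
    return not any(src in net for net in ALLOWED_MGMT_NETS)


def find_suspicious(lines):
    """Return (source, timestamp, status) for every line that matches the rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append((rec["src"], rec["ts"], rec["status"]))
    return hits


# Constructed sample log lines (not taken from any real device).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/May/2022:10:01:02 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 512',
    '10.1.2.3 - - [05/May/2022:10:02:00 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 300',
    '203.0.113.7 - - [05/May/2022:10:03:00 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 401 90',
    '198.51.100.9 - - [05/May/2022:10:04:00 +0000] "POST /mgmt/tm/util/bash?x=1 HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for src, ts, status in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {ts} {src} -> {SHELL_UTIL_PATH} (HTTP {status})")
```

A 401 on the flagged path still deserves attention, since the rule is about who is reaching the endpoint at all, not whether the request succeeded.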

HIGHLIGHT

Azure Insufficient Tenant Separation

WHAT DOES IT DO?

This vulnerability allows a user to access Synapse tenants that should be inaccessible to them via the Integration Runtime infrastructure or Redshift in Azure, gaining full remote code execution (RCE) capability. The issue was not limited to a single tenant: almost any adjacent tenant using the Open Database Connectivity driver to access Redshift and Integration Runtime was vulnerable.

POTENTIAL IMPACT

As with any remote code execution, this could give an attacker with intended or public access to one Synapse tenant the ability to pivot into other tenants they were never meant to reach. As with all RCEs, the impact could be devastating.

REMEDIATION

Though a fix has been released, the original reporting group (Orca) recommends being cautious with use of the infrastructure.

MORE INFORMATION:

https://orca.security/resources/blog/azure-synapse-analytics-security-advisory/

Additional Threats


CUSTOMER USE CASE

Automating with Flashpoint

SUMMARY

This month, the LogicHub team assembled an integration for Flashpoint intelligence services. Intelligence services aim to drag a figurative ‘net’ through the trove of data available online and pull out compromised credentials, stolen data, general intelligence/OSINT reports, payment data, and other notable items from across the internet and dark web. Pulling this data manually would require constant review of an ever-changing set of sources, including pastebins, forums, card seller sites, marketplaces, and more general postings.

AUTOMATED SOLUTION

Through the new integration, users can easily query the Flashpoint API and quickly get back the ingested data. The API returns a readout of the intelligence that can then be combined with other sources or reshaped into a user-friendly data printout.

BENEFITS TO THIS APPROACH

Adversary use of open source intelligence is a big concern for larger organizations. It can clue attackers in to convenient avenues of intrusion, or let them use your resources with no effort at all. By correlating data from intelligence services and using this ingested information to patch or more generally improve security posture, businesses directly cripple the abilities of their potential adversaries.

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.