Security Safari

New Threats in the Wild

This section is devoted to threats of particular note seen in the past month. A select few of particular interest are highlighted in greater detail; NIST NVD data is used to make these selections.

HIGHLIGHT

Juniper Session Smart Router Internal Header Authentication Bypass

What does it do?

The usage of an internal HTTP header created an authentication bypass vulnerability (CWE-287), allowing an attacker to view internal files, change settings, manipulate services and execute arbitrary code. This issue affects all Juniper Networks 128 Technology Session Smart Router versions prior to 4.5.11, and all versions of 5.0 up to and including 5.0.1.
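
The vulnerability class behind this advisory, as an added example (this is not Juniper's code): a service that accepts an "internal" HTTP header as proof of identity, and the same check hardened so the header is honoured only on connections from the internal proxy and stripped everywhere else. The header name X-Internal-Auth-User, the session table and the trusted-proxy address are assumptions chosen for illustration.

```python
"""Authentication that trusts an 'internal' HTTP header (CWE-287), and the fix.

Added example, not Juniper's code. The header name, the session table and the
trusted-proxy address are assumptions used to show the vulnerability class the
advisory describes, not the router's actual design.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

INTERNAL_HEADER = "x-internal-auth-user"            # hypothetical internal header
TRUSTED_PROXY_IPS = {"127.0.0.1"}                   # hypothetical: where internal traffic arrives from
SESSIONS: Dict[str, str] = {"tok-7f3a": "alice"}    # constructed session store


@dataclass
class Request:
    headers: Dict[str, str] = field(default_factory=dict)   # lower-cased header names
    peer_ip: str = "0.0.0.0"                                # taken from the socket, never from a header

    def header(self, name: str) -> Optional[str]:
        return self.headers.get(name.lower())


def authenticate_vulnerable(req: Request) -> Optional[str]:
    """Vulnerable: whoever knows the header name is whoever they claim to be."""
    user = req.header(INTERNAL_HEADER)
    if user:
        return user
    return SESSIONS.get(req.header("x-session") or "")


def authenticate_hardened(req: Request) -> Optional[str]:
    """Hardened: the internal header is honoured only on connections from the
    internal proxy. On every other connection it is discarded before any
    downstream code can see it, and a valid session is required."""
    if req.peer_ip in TRUSTED_PROXY_IPS:
        return req.header(INTERNAL_HEADER)
    req.headers.pop(INTERNAL_HEADER, None)
    return SESSIONS.get(req.header("x-session") or "")


def bypass_possible(auth: Callable[[Request], Optional[str]]) -> bool:
    """Self-check: an external client forging the header must not be authenticated."""
    forged = Request({INTERNAL_HEADER: "admin"}, peer_ip="203.0.113.5")
    return auth(forged) is not None
```

The fix is not only the peer-address check: the proxy that sets the header must itself overwrite or drop any copy of it that arrives from the outside, otherwise the same bypass simply moves one hop upstream.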

Potential Impact

Because the bypass ends in arbitrary code execution on the router, the impact is full compromise of the confidentiality, integrity and availability of the device and of the traffic it carries, with the financial consequences that follow.

Remediation

Juniper has released fixed software; given the affected ranges above, upgrade 4.5 deployments to 4.5.11 or later and 5.0 deployments to a release after 5.0.1, as listed in the advisory.

More Information:

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11256&actp=METADATA

HIGHLIGHT

Cisco Policy Suite Static SSH Keys

What does it do?

A vulnerability in the key-based SSH authentication mechanism of Cisco Policy Suite could allow an unauthenticated, remote attacker to log in to an affected system as the root user. This vulnerability is due to a weakness in the SSH subsystem of an affected system. An attacker could exploit this vulnerability by connecting to an affected device through SSH.
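
A static key is only dangerous because the same key pair is accepted on every installation, which is also what makes it detectable. The following is an added example (not Cisco's code) of a fleet-wide check: it fingerprints every key in each host's root authorized_keys file the way `ssh-keygen -lf` does, flags any key trusted as root on more than one host, and matches against a list of fingerprints known to be static or compromised. The hostnames, the key material (ed25519 public keys built from fixed bytes so the block runs offline) and the known-bad list are all constructed.

```python
"""Detecting a shared (static) SSH key across a fleet.

Added example, not Cisco's code. The hosts, the ed25519 keys (built from fixed
32-byte values) and the known-bad fingerprint list are constructed.
"""
import base64
import hashlib
import struct
from collections import defaultdict
from typing import Dict, List, Set, Tuple


def ssh_string(b: bytes) -> bytes:
    """One SSH wire-format string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an OpenSSH 'ssh-ed25519 <base64 blob> comment' line from raw key bytes."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (SHA256:<base64, no padding>)."""
    fields = pubkey_line.split()
    # authorized_keys lines may carry options first; the key type is the first
    # field that names an algorithm.
    idx = next(i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-")))
    blob = base64.b64decode(fields[idx + 1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed fleet: host -> lines from /root/.ssh/authorized_keys
STATIC_KEY = ed25519_pubkey_line(bytes(range(32)), "vendor-default")
FLEET: Dict[str, List[str]] = {
    "cps-node-1": [STATIC_KEY, ed25519_pubkey_line(b"\x11" * 32, "ops-alice")],
    "cps-node-2": [STATIC_KEY],
    "cps-node-3": [ed25519_pubkey_line(b"\x22" * 32, "ops-bob")],
}
# Hypothetical list of fingerprints published as static or compromised.
KNOWN_BAD: Set[str] = {fingerprint(STATIC_KEY)}


def shared_keys(fleet: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """fingerprint -> sorted hosts, for keys accepted as root on more than one host."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for host, lines in fleet.items():
        for line in lines:
            seen[fingerprint(line)].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


def findings(fleet: Dict[str, List[str]], known_bad: Set[str]) -> List[Tuple[str, str, str]]:
    """(finding, fingerprint, where) for shared keys and for keys on the known-bad list."""
    out: List[Tuple[str, str, str]] = []
    for fp, hosts in shared_keys(fleet).items():
        out.append(("shared-root-key", fp, ",".join(hosts)))
    for host, lines in fleet.items():
        for line in lines:
            fp = fingerprint(line)
            if fp in known_bad:
                out.append(("known-static-key", fp, host))
    return out
```

On a real fleet the authorized_keys lines come from a configuration-management inventory or a periodic `cat` over SSH, and the known-bad set from the vendor's advisory; a shared root key with a vendor-looking comment is worth an alert even before any fingerprint is published.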

Potential Impact

Being able to log in as root means full access to all system operations and stored data, and, depending on the network topology, a foothold from which connected systems can be reached.

Remediation

Cisco has released a patch for this issue.

More Information:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cps-static-key-JmS92hNv

HIGHLIGHT

Ethereum PoS Consensus Reorganization and Stalling Attacks

What does it do?

Ethereum's proof-of-stake (PoS) consensus layer, the Beacon Chain, reaches agreement on the chain through validators' votes. In a paper posted on October 19, 2021 (arXiv:2110.10086), researchers refined two previously presented attacks against PoS Ethereum: one in which short-range reorganizations of the underlying consensus chain are used to increase individual validators' profits and delay consensus decisions, and one in which adversarial network delay is leveraged to stall consensus decisions indefinitely. Combining techniques from both refined attacks yields a third attack, which allows an adversary with a vanishingly small fraction of stake and no control over network message propagation (assuming instead probabilistic message propagation) to cause even long-range consensus chain reorganizations.

Potential Impact

Honest-but-rational or ideologically motivated validators could use this attack to increase their profits or stall the protocol, threatening incentive alignment and security of PoS Ethereum. The attack can also lead to destabilization of consensus from congestion in vote processing.

Remediation

This is a weakness in the consensus protocol rather than in a single product, so there is no vendor patch to apply. The paper's authors propose protocol-level mitigations; validator operators should follow the Ethereum consensus-specification and client releases that adopt them.

More Information:

https://arxiv.org/abs/2110.10086

Additional Threats

CVE-2021-40842

Proofpoint Insider Threat Management Server contains a SQL injection vulnerability in the Web Console. The vulnerability exists because the database name parameter required by certain unauthenticated APIs is not properly validated. A malicious URL visited by anyone with network access to the server could be used to blindly execute arbitrary SQL statements on the backend database. Version 7.12.0 and all versions prior to 7.11.2 are affected.
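
A database name is an identifier, and identifiers cannot be bound as query parameters, which is why this class of bug survives in code that otherwise uses prepared statements. The following added example (not Proofpoint's code, and using a constructed SQLite schema so it runs offline) shows an endpoint that interpolates a database name into a query, what "blindly execute arbitrary SQL" buys an attacker against it, and the hardened version, which checks the name against a strict pattern and against the databases actually attached before quoting it.

```python
"""Blind SQL injection through an unparameterisable identifier, and the fix.

Added example, not Proofpoint's code. The schema, table names and endpoint
shape are constructed to mirror the bug class: a database (schema) name
parameter interpolated into SQL.
"""
import re
import sqlite3
import string
from typing import List


def setup() -> sqlite3.Connection:
    """Constructed schema: a table the endpoint counts, and one it must never expose."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE audit(id INTEGER, msg TEXT);
        INSERT INTO audit VALUES (1, 'login'), (2, 'logout');
        CREATE TABLE users(name TEXT, api_key TEXT);
        INSERT INTO users VALUES ('admin', 'secret-key');
    """)
    return con


def audit_count_vulnerable(con: sqlite3.Connection, db_name: str) -> int:
    """Vulnerable: the schema name is interpolated straight into the statement."""
    return con.execute(f"SELECT count(*) FROM {db_name}.audit").fetchone()[0]


IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def attached_databases(con: sqlite3.Connection) -> List[str]:
    return [row[1] for row in con.execute("PRAGMA database_list")]


def audit_count_hardened(con: sqlite3.Connection, db_name: str) -> int:
    """Identifiers cannot be bound as ? parameters, so the name is checked against
    a strict pattern and against the databases actually attached, then quoted."""
    if not IDENT.match(db_name) or db_name not in attached_databases(con):
        raise ValueError("unknown database")
    quoted = '"' + db_name.replace('"', '""') + '"'
    return con.execute(f"SELECT count(*) FROM {quoted}.audit").fetchone()[0]


def rejects(con: sqlite3.Connection, db_name: str) -> bool:
    """True if the hardened endpoint refuses the name."""
    try:
        audit_count_hardened(con, db_name)
    except ValueError:
        return True
    return False


def blind_extract(con: sqlite3.Connection, max_len: int = 32) -> str:
    """Boolean-blind extraction: the endpoint only returns a row count, but a
    true/false condition on that count leaks the secret one character per request."""
    alphabet = string.ascii_lowercase + string.digits + "-"
    out = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = (f"main.audit WHERE substr((SELECT api_key FROM main.users), "
                       f"{pos}, 1) = '{ch}' --")
            if audit_count_vulnerable(con, payload) > 0:
                out += ch
                break
        else:
            break   # no candidate matched: end of the secret
    return out
```

Note that the pattern check alone is not the fix: the allowlist against `PRAGMA database_list` (or the equivalent catalog query on the real database) is what stops a syntactically valid but unexpected name, and quoting protects against names that are valid identifiers only when quoted.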

CVE-2021-30820

A logic issue was addressed with improved state management. This issue is fixed in iOS 14.8 and iPadOS 14.8. A remote attacker may be able to cause arbitrary code execution.

CVE-2021-38180

SAP Business One version 10.0 allows an attacker to inject formulas when data is exported to Excel (CSV injection), because the data is not properly sanitized during export. An attacker could thereby execute arbitrary commands on the victim's computer, but only if the victim is allowed to execute macros when opening the file and Excel's security settings permit command execution.
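
The export-side fix for this class of bug is small, and the added example below (not SAP's code; the rows are constructed) shows it: cells that a spreadsheet would interpret as a formula are prefixed with a single quote so they are stored as text, while genuine negative numbers are left alone, and an audit helper re-reads the file to confirm nothing evaluable remains. The payload in the sample data is the classic DDE-style string that, as the advisory says, only fires when the viewer's Excel permits external commands.

```python
"""CSV/formula injection on export, and a neutralising writer.

Added example, not SAP's code. The rows are constructed; the dangerous cell is a
DDE-style payload that only fires if the viewer's spreadsheet permits it.
"""
import csv
import io
from typing import Iterable, List, Sequence

# Leading characters spreadsheets treat as the start of a formula (OWASP's
# CSV-injection list); a leading tab or carriage return also triggers it.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def _is_number(s: str) -> bool:
    try:
        float(s)
        return True
    except ValueError:
        return False


def is_formula_like(s: str) -> bool:
    """True for cells a spreadsheet would evaluate; plain negative numbers are exempt."""
    return s.startswith(FORMULA_TRIGGERS) and not _is_number(s)


def neutralize_cell(value) -> str:
    """Prefix a single quote so the cell is stored as text; numbers pass through."""
    if isinstance(value, (int, float)):
        return str(value)
    s = "" if value is None else str(value)
    return "'" + s if is_formula_like(s) else s


def export_csv(rows: Iterable[Sequence], neutralize: bool = True) -> str:
    """Write rows as CSV; with neutralize=False this is the vulnerable export."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) if neutralize else c for c in row])
    return buf.getvalue()


def formula_cells(csv_text: str) -> List[str]:
    """Audit helper: cells in an exported file that a spreadsheet would still evaluate."""
    return [c for row in csv.reader(io.StringIO(csv_text)) for c in row if is_formula_like(c)]


# Constructed export: a customer name carrying a DDE payload, an arithmetic
# prefix that hides another one, and a legitimate negative amount.
ROWS = [
    ["id", "customer", "amount"],
    [1, "Acme GmbH", "100.00"],
    [2, "=cmd|' /C calc'!A0", "250.00"],
    [3, "-1+cmd|' /C calc'!A0", "-12.50"],
]
```

Quoting every field (QUOTE_ALL above) does not defend against this on its own: Excel strips the quotes and then evaluates the cell, which is why the prefix is needed as well.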

From The Field

Real World Use Cases in Action

In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.

Customer Use Case

AWS Route 53 Domain Monitoring

Summary

Developed in the wake of a series of DNS blunders and attacks, our engineering team produced a set of monitoring solutions for AWS Route 53. Route 53 is AWS's highly available, scalable cloud DNS service, and its query logs can be exported and monitored by tools such as LogicHub.

Automated Solution

By pulling in logs from Route 53, we can run three different detections:

  • AWS Route 53: Domain Resolving to Suspicious IP, uses our geoIpLookup() to verify that the IP a domain resolves to is not a TOR node, a VPN endpoint or an anonymous hosting provider
  • AWS Route 53: Suspicious DNS Response, checks for one of the following server response codes: “SERVFAIL”, “NOTIMP”, “REFUSED”, “YXDOMAIN”, “YXRRSET”, “NXRRSET”, “NOTAUTH”
  • AWS Route 53: Domain Name Resolving to New Host Provider, looks back 30 days and compares the whois organization of the resolving host against that history to make sure a service hasn’t changed hosting. A domain that has resolved to AWS addresses for the past 30 days and suddenly resolves to an address registered to an IT services company in Romania would raise an alert.
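
The three detections above, as an added example written for this page rather than LogicHub's own detection code. The records follow the field layout of Route 53 Resolver query logs (query_timestamp, query_name, rcode, answers with Rdata/Type) but are constructed; the anonymizer table is a stand-in for geoIpLookup(), the whois table a stand-in for a live whois client, and the 30-day history is generated in the block.

```python
"""Three Route 53 resolver query-log detections.

Added example, not LogicHub's detection code. Field names follow the Route 53
Resolver query-log JSON layout; all records, the anonymizer table (stand-in for
geoIpLookup()) and the whois table (stand-in for a whois client) are constructed.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Set, Tuple

NOW = datetime(2021, 10, 29, 12, 0, tzinfo=timezone.utc)   # fixed "now" for the example
TS = "%Y-%m-%dT%H:%M:%SZ"

SUSPICIOUS_RCODES = {"SERVFAIL", "NOTIMP", "REFUSED", "YXDOMAIN", "YXRRSET", "NXRRSET", "NOTAUTH"}

# Assumed stand-in for geoIpLookup(): networks flagged as Tor / VPN / anonymous hosting.
ANON_NETWORKS = {
    ipaddress.ip_network("198.51.100.0/24"): "tor-exit",
    ipaddress.ip_network("203.0.113.0/24"): "vpn-provider",
}
# Assumed stand-in for a whois organisation lookup.
WHOIS_ORG = {
    ipaddress.ip_network("52.94.0.0/16"): "Amazon.com, Inc.",
    ipaddress.ip_network("192.0.2.0/24"): "IT Services SRL, Bucharest",
}


def lookup(table: Dict, ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((label for net, label in table.items() if addr in net), None)


def answer_ips(rec: dict) -> List[str]:
    return [a["Rdata"] for a in rec.get("answers", []) if a.get("Type") in ("A", "AAAA")]


def detect_suspicious_ip(rec: dict) -> List[str]:
    """Detection 1: an answer inside anonymizing infrastructure."""
    return [f"{ip} ({lookup(ANON_NETWORKS, ip)})" for ip in answer_ips(rec) if lookup(ANON_NETWORKS, ip)]


def detect_suspicious_rcode(rec: dict) -> Optional[str]:
    """Detection 2: a response code from the suspicious list."""
    return rec["rcode"] if rec.get("rcode") in SUSPICIOUS_RCODES else None


def provider_baseline(history: Iterable[dict], now: datetime, days: int = 30) -> Dict[str, Set[str]]:
    """query_name -> whois organisations its answers resolved to in the look-back window."""
    cutoff = now - timedelta(days=days)
    seen: Dict[str, Set[str]] = defaultdict(set)
    for rec in history:
        ts = datetime.strptime(rec["query_timestamp"], TS).replace(tzinfo=timezone.utc)
        if ts < cutoff:
            continue
        for ip in answer_ips(rec):
            org = lookup(WHOIS_ORG, ip)
            if org:
                seen[rec["query_name"]].add(org)
    return seen


def detect_new_provider(rec: dict, baseline: Dict[str, Set[str]]) -> Optional[str]:
    """Detection 3: today's answer belongs to an organisation not seen in the baseline."""
    known = baseline.get(rec["query_name"])
    if not known:
        return None   # nothing to compare against yet
    for ip in answer_ips(rec):
        org = lookup(WHOIS_ORG, ip)
        if org and org not in known:
            return f"{ip} now {org}; previously {sorted(known)}"
    return None


def run(lines: Iterable[str], history: Iterable[dict], now: datetime = NOW) -> List[Tuple[str, str, str]]:
    """Apply all three detections to JSON log lines; returns (detection, query_name, detail)."""
    baseline = provider_baseline(history, now)
    alerts: List[Tuple[str, str, str]] = []
    for line in lines:
        rec = json.loads(line)
        name = rec["query_name"]
        for hit in detect_suspicious_ip(rec):
            alerts.append(("Domain Resolving to Suspicious IP", name, hit))
        code = detect_suspicious_rcode(rec)
        if code:
            alerts.append(("Suspicious DNS Response", name, code))
        change = detect_new_provider(rec, baseline)
        if change:
            alerts.append(("Domain Name Resolving to New Host Provider", name, change))
    return alerts


# Constructed history: app.example.com resolved to an AWS address every day for 30 days.
HISTORY = [
    {"query_timestamp": (NOW - timedelta(days=d)).strftime(TS), "query_name": "app.example.com.",
     "rcode": "NOERROR", "answers": [{"Rdata": "52.94.1.10", "Type": "A", "Class": "IN"}]}
    for d in range(1, 31)
]
# Constructed records for today, one per detection.
TODAY = [
    json.dumps({"query_timestamp": NOW.strftime(TS), "query_name": "app.example.com.", "query_type": "A",
                "rcode": "NOERROR", "answers": [{"Rdata": "192.0.2.7", "Type": "A", "Class": "IN"}],
                "srcaddr": "10.0.1.5"}),
    json.dumps({"query_timestamp": NOW.strftime(TS), "query_name": "cdn.example.com.", "query_type": "A",
                "rcode": "NOERROR", "answers": [{"Rdata": "198.51.100.9", "Type": "A", "Class": "IN"}],
                "srcaddr": "10.0.1.6"}),
    json.dumps({"query_timestamp": NOW.strftime(TS), "query_name": "update.example.net.", "query_type": "A",
                "rcode": "REFUSED", "answers": [], "srcaddr": "10.0.1.7"}),
]

if __name__ == "__main__":
    for alert in run(TODAY, HISTORY):
        print(*alert, sep=" | ")
```

The new-provider check deliberately stays silent for names with no history, since the first sighting of a domain would otherwise alert on every lookup; in production the baseline is the last 30 days of stored query logs rather than a generated list.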

These detections can substantially improve DNS security monitoring with very little work. They are available to every LogicHub customer subscribed to detection content.

Benefits to This Approach

DNS is a target for DDoS attempts, DNS hijacking, DNS tunneling and cache poisoning. Automated monitoring of your DNS service does not prevent these attacks by itself, but it shortens the time between a malicious change or anomalous response and its detection, which in turn reduces downtime.

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.

Twitter Joins Backlash Against Australian Plan to ID Social Media Users

The Australian government aims to de-anonymize social media users in order to prevent online abuse, but Twitter’s response has been lukewarm. Opponents of the effort believe it’s far more harmful to privacy than Australians may know.

Cloudflare Report Highlights Devastating DDoS Attacks on VoIP Services and Several 'Record-Setting HTTP Attacks'

“Cloudflare researchers said they saw several "record-setting HTTP DDoS attacks, terabit-strong network-layer attacks and one of the largest botnets ever deployed (Meris)," noting the emergence of ransom DDoS attacks on voice over IP (VoIP) service providers. The attack on Bandwidth.com left dozens of companies scrambling to deal with outages.”

Facebook to Delete 1 Billion Faceprints in Face Recognition Shutdown

Following Facebook’s rebranding to ‘Meta’, the company announced early this month that it is shutting down its facial recognition system and deleting the face templates of more than a billion people. Citing growing concerns about the technology’s uses in society, it plans to limit future use of facial recognition to a narrow set of cases.

Google’s Minimum Security Baseline (MVSP)

On October 27, 2021, Google, together with Okta, Salesforce and Slack, released the Minimum Viable Secure Product (MVSP) checklist, a baseline of minimum acceptable security controls intended for use across the industry, for example in vendor security reviews. With data breaches and attacks hitting large swaths of companies, a shared baseline of this kind should raise the floor for how security controls are implemented.

Ignore China’s New Data Privacy Law at Your Peril

Mirroring Europe’s GDPR, China’s new data privacy law, the Personal Information Protection Law (PIPL), in force since November 1, 2021, is intended to protect its citizens’ personal data. There is a catch, however: the government retains full access. Companies transferring data outside of China must also pass a privacy review, which further complicates Chinese citizens’ internet communication with the outside world.

Google’s Content Removal Transparency Report for 2021

Data hosting and search engine companies handle a significant volume of requests from governments and law enforcement in order to comply with local law, and Google is no different. Google publishes an annual transparency report on the requests it receives to remove content, usually under court order or under its own policies. Keeping up with warrant canaries and transparency reports is important for understanding the state of the internet’s interactions with law enforcement.

Missouri Governor Vows to Prosecute St. Louis Post-Dispatch for Reporting Security Vulnerability

Governor Parson claims that the exposure of teachers’ Social Security numbers on the Department of Elementary and Secondary Education website was the result of unauthorized access, even though the data was present in the pages’ HTML source, viewable by anyone with a browser. The governor estimates the incident will cost $50 million to address.
