The LogicHub Security Roundup: November 2021 Edition

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, as well as a series of recommended articles, podcasts, and other useful resources.

HIGHLIGHT

Juniper Header Arbitrary Code Execution

WHAT DOES IT DO?

The use of an internal HTTP header created an authentication bypass vulnerability (CWE-287), allowing an attacker to view internal files, change settings, manipulate services and execute arbitrary code. This issue affects all Juniper Networks 128 Technology Session Smart Router versions prior to 4.5.11, and all 5.0 versions up to and including 5.0.1.

POTENTIAL IMPACT

As with any arbitrary code execution vulnerability, the impact can include full compromise of the CIA triad (confidentiality, integrity and availability) and severe monetary consequences.

REMEDIATION

A patch has been released by the vendor.

MORE INFORMATION:

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11256&actp=METADATA

HIGHLIGHT

Cisco Policy Suite Static SSH Keys

WHAT DOES IT DO?

A vulnerability in the key-based SSH authentication mechanism of Cisco Policy Suite could allow an unauthenticated, remote attacker to log in to an affected system as the root user. This vulnerability is due to a weakness in the SSH subsystem of an affected system. An attacker could exploit this vulnerability by connecting to an affected device through SSH.

POTENTIAL IMPACT

Being able to log in as the root user means full access to all system operations and stored data, as well as possible access to all connected devices, depending on the topology.

REMEDIATION

Cisco has released a patch for this issue.

MORE INFORMATION:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cps-static-key-JmS92hNv

HIGHLIGHT

Ethereum PoS DDoS

WHAT DOES IT DO?

The Ethereum cryptocurrency operates using a ‘proof of stake’ consensus system, which confirms transactions across the blockchain. On October 19, 2021, two attacks were presented against Proof-of-Stake (PoS) Ethereum: one where short-range reorganizations of the underlying consensus chain are used to increase individual validators' profits and delay consensus decisions, and one where adversarial network delay is leveraged to stall consensus decisions indefinitely. Combining techniques from both refined attacks creates a third attack, which allows an adversary with a vanishingly small fraction of stake and no control over network message propagation (assuming instead probabilistic message propagation) to cause even long-range consensus chain reorganizations.

POTENTIAL IMPACT

Honest-but-rational or ideologically motivated validators could use this attack to increase their profits or stall the protocol, threatening incentive alignment and security of PoS Ethereum. The attack can also lead to destabilization of consensus from congestion in vote processing.

REMEDIATION

This issue has been completely patched and is no longer a concern.

MORE INFORMATION:

https://arxiv.org/abs/2110.10086


CUSTOMER USE CASE

AWS Route 53 Domain Monitoring

SUMMARY

Developed in the wake of a series of DNS blunders and attacks, our engineering team has produced some excellent monitoring solutions for AWS Route 53. Route 53 is a highly available, scalable cloud DNS service whose logs make it easy to monitor, for example through LogicHub.

AUTOMATED SOLUTION

By pulling in logs from Route 53, we can run three different detections:

  • AWS Route 53: Domain Resolving to Suspicious IP uses our geoIpLookup() to verify that the resolving IP is not a TOR node, VPN or anonymous hosting provider.
  • AWS Route 53: Suspicious DNS Response checks for one of the following server responses: “SERVFAIL”, “NOTIMP”, “REFUSED”, “YXDOMAIN”, “XRRSET”, “NOTAUTH”.
  • AWS Route 53: Domain Name Resolving to New Host Provider looks back 30 days and compares the whois organization of the resolving host to make sure a service hasn’t changed hosting. A domain that has been resolving to AWS but suddenly resolves to an IT services provider in Romania would raise an alert.

These detections can vastly improve your DNS security with very little work. Any LogicHub customer paying for detections has access to them.
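As an added illustration (not LogicHub's own code), the following shows how the three detections above can be run together over Route 53 Resolver query-log lines. The IP-to-organisation table stands in for the geoIpLookup()/whois enrichment, and both it and the sample log lines are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed stand-in for the geoIpLookup()/whois enrichment the text mentions
IP_INTEL = {
    "192.0.2.10": {"org": "Amazon.com, Inc.", "anonymous": False},
    "198.51.100.7": {"org": "IT Services SRL", "anonymous": False},
    "203.0.113.5": {"org": "Example Relay Ltd", "anonymous": True},  # Tor/VPN style
}
# Server response codes the "Suspicious DNS Response" detection looks for
SUSPICIOUS_RCODES = {"SERVFAIL", "NOTIMP", "REFUSED", "YXDOMAIN", "XRRSET", "NOTAUTH"}

def lookup_ip(ip):
    return IP_INTEL.get(ip, {"org": "unknown", "anonymous": False})

def run_detections(log_lines, baseline_days=30):
    """Run the three detections over Route 53 Resolver query-log JSON lines;
    returns (rule, query_name, detail) tuples in timestamp order."""
    events = sorted((json.loads(l) for l in log_lines if l.strip()),
                    key=lambda e: e["query_timestamp"])
    history = {}  # query_name -> [(timestamp, hosting org)] from successful answers
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["query_timestamp"].replace("Z", "+00:00"))
        name = e["query_name"]
        if e["rcode"] in SUSPICIOUS_RCODES:
            alerts.append(("Suspicious DNS Response", name, e["rcode"]))
            continue
        for ans in e.get("answers", []):
            if ans["Type"] not in ("A", "AAAA"):
                continue
            intel = lookup_ip(ans["Rdata"])
            if intel["anonymous"]:
                alerts.append(("Domain Resolving to Suspicious IP", name, ans["Rdata"]))
            # Hosting orgs this name resolved to inside the look-back window
            recent = [org for t, org in history.get(name, [])
                      if ts - t <= timedelta(days=baseline_days)]
            if recent and intel["org"] not in recent:
                alerts.append(("Domain Name Resolving to New Host Provider", name,
                               f"{recent[-1]} -> {intel['org']}"))
            history.setdefault(name, []).append((ts, intel["org"]))
    return alerts

# Constructed sample log lines, trimmed to the fields the detections use
SAMPLE_LOGS = [
    '{"query_timestamp":"2021-11-01T08:00:00Z","query_name":"app.example.com.","rcode":"NOERROR","answers":[{"Rdata":"192.0.2.10","Type":"A","Class":"IN"}]}',
    '{"query_timestamp":"2021-11-05T09:30:00Z","query_name":"app.example.com.","rcode":"SERVFAIL","answers":[]}',
    '{"query_timestamp":"2021-11-20T10:00:00Z","query_name":"app.example.com.","rcode":"NOERROR","answers":[{"Rdata":"198.51.100.7","Type":"A","Class":"IN"}]}',
    '{"query_timestamp":"2021-11-21T11:00:00Z","query_name":"login.example.net.","rcode":"NOERROR","answers":[{"Rdata":"203.0.113.5","Type":"A","Class":"IN"}]}',
]
```

Running `run_detections(SAMPLE_LOGS)` yields one alert per rule: the SERVFAIL response, the hosting change from Amazon to the IT services organisation within the 30-day window, and the name resolving to an anonymising relay.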

BENEFITS TO THIS APPROACH

While DNS is exposed to DDoS attempts, DNS hijacking, DNS tunneling, and DNS poisoning, automating security monitoring of your DNS service goes a long way towards mitigating these attacks. This in turn reduces downtime.

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.
