The LogicHub Security Roundup: November 2021 Edition
Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we cover a broad view of the past month’s threats, a selection of informative use cases seen by our teams, and a series of recommended articles, podcasts, and other useful resources.
SECURITY SAFARI
New Threats in the Wild
This section is devoted to threats of particular note that have been seen in the past month. A select few of particular interest will be highlighted in greater detail. NIST NVD data will be used to make these determinations.
HIGHLIGHT
Juniper Header Arbitrary Code Execution
WHAT DOES IT DO?
Use of an internal HTTP header created an authentication bypass vulnerability (CWE-287), allowing an attacker to view internal files, change settings, manipulate services and execute arbitrary code. This issue affects all Juniper Networks 128 Technology Session Smart Router versions prior to 4.5.11, and all versions of 5.0 up to and including 5.0.1.
POTENTIAL IMPACT
As with any arbitrary code execution, impact can include full compromise of confidentiality, integrity and availability (the CIA triad) and severe monetary consequences.
REMEDIATION
A patch has been released by the vendor.
MORE INFORMATION:
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11256&actp=METADATA
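The header-trust pattern behind a CWE-287 bypass like the one above, shown as an added illustration (this is not Juniper's code; the header name x-internal-auth, the request model and the handler are assumptions). The vulnerable check accepts a client-supplied "internal" header as proof of identity; the fix strips internal-only headers at the trust boundary and derives identity from the verified session instead:

```python
# Added illustration of the CWE-287 header-trust pattern. Not Juniper's code:
# the header name and the request model are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

INTERNAL_HEADER = "x-internal-auth"   # hypothetical header meant only for internal hops


@dataclass
class Request:
    headers: Dict[str, str] = field(default_factory=dict)  # names stored lowercase
    session_user: Optional[str] = None  # set only after a real credential check
    from_external: bool = True          # True when the request crossed the trust boundary


def is_authenticated_vulnerable(req: Request) -> bool:
    """Vulnerable: a client-controlled header is accepted as proof of identity."""
    if req.headers.get(INTERNAL_HEADER) == "true":
        return True
    return req.session_user is not None


def strip_internal_headers(req: Request) -> Request:
    """Trust-boundary fix: drop internal-only headers on anything arriving from outside."""
    if not req.from_external:
        return req
    cleaned = {k: v for k, v in req.headers.items() if not k.startswith("x-internal-")}
    return Request(headers=cleaned, session_user=req.session_user, from_external=True)


def is_authenticated_fixed(req: Request) -> bool:
    """Hardened: identity comes from the verified session, never from a header."""
    return req.session_user is not None


def handle(req: Request, authenticator: Callable[[Request], bool], strip_at_edge: bool) -> int:
    """Tiny dispatcher for a protected resource; returns an HTTP status code."""
    if strip_at_edge:
        req = strip_internal_headers(req)
    return 200 if authenticator(req) else 401


if __name__ == "__main__":
    forged = Request(headers={INTERNAL_HEADER: "true"})
    print("vulnerable, no edge stripping:", handle(forged, is_authenticated_vulnerable, False))
    print("vulnerable, edge stripping:   ", handle(forged, is_authenticated_vulnerable, True))
    print("fixed:                        ", handle(forged, is_authenticated_fixed, False))
```

Stripping at the edge closes the hole even for legacy handlers that still read the header, while internal hops (from_external=False) keep it; the durable fix is the second function, which never consults the header at all.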
HIGHLIGHT
Cisco Policy Suite Static SSH Keys
WHAT DOES IT DO?
A vulnerability in the key-based SSH authentication mechanism of Cisco Policy Suite could allow an unauthenticated, remote attacker to log in to an affected system as the root user. This vulnerability is due to a weakness in the SSH subsystem of an affected system. An attacker could exploit this vulnerability by connecting to an affected device through SSH.
POTENTIAL IMPACT
Being able to log in as the root user means full access to all system operations and stored data, as well as possible access to all connected devices, depending on topology.
REMEDIATION
Cisco has released a patch for this issue.
MORE INFORMATION:
HIGHLIGHT
Ethereum PoS DDoS
WHAT DOES IT DO?
The Ethereum cryptocurrency operates using a ‘proof of stake’ consensus system, which confirms transactions across the blockchain. By October 19, 2021, two attacks had been presented against Proof-of-Stake (PoS) Ethereum: one in which short-range reorganizations of the underlying consensus chain are used to increase individual validators’ profits and delay consensus decisions, and one in which adversarial network delay is leveraged to stall consensus decisions indefinitely. Combining techniques from refined versions of both attacks yields a third attack, which allows an adversary with a vanishingly small fraction of stake and no control over network message propagation (assuming instead probabilistic message propagation) to cause even long-range consensus chain reorganizations.
POTENTIAL IMPACT
Honest-but-rational or ideologically motivated validators could use this attack to increase their profits or stall the protocol, threatening the incentive alignment and security of PoS Ethereum. The attack can also destabilize consensus through congestion in vote processing.
REMEDIATION
This issue has been completely patched and is no longer a concern.
MORE INFORMATION:
Additional Threats
CVE-2021-40842: Proofpoint Insider Threat Management Server contains a SQL injection vulnerability in the Web Console. The vulnerability exists due to improper input validation on the database name parameter required in certain unauthenticated APIs. A malicious URL visited by anyone with network access to the server could be used to blindly execute arbitrary SQL statements on the backend database. Version 7.12.0 and all versions prior to 7.11.2 are affected.
CVE-2021-30820: A logic issue was addressed with improved state management. This issue is fixed in iOS 14.8 and iPadOS 14.8. A remote attacker may be able to cause arbitrary code execution.
CVE-2021-38180: SAP Business One version 10.0 allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitization during the data export. An attacker could thereby execute arbitrary commands on the victim's computer, but only if the victim is allowed to execute macros while opening the file and the security settings of Excel allow for command execution.
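The CSV injection class behind CVE-2021-38180 comes from writing user-supplied strings into a spreadsheet export unchanged. As an added example (not SAP's code; the sample rows are constructed), the block below shows the unsafe export beside a hardened one that neutralizes cells a spreadsheet could interpret as formulas:

```python
# Added example of neutralizing CSV/formula injection on export. Not SAP's
# code; the sample rows are constructed.
import csv
import io
from typing import Any, List

# Leading characters that spreadsheet applications may interpret as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed rows: the second data row carries an attacker-style formula.
SAMPLE_ROWS = [
    ["customer", "comment"],
    ["Alice", "Great service"],
    ["Bob", '=HYPERLINK("http://example.invalid","click")'],
    ["Carol", "-5 refund requested"],
]


def neutralize_cell(value: Any) -> Any:
    """Prefix a string cell with a single quote so the spreadsheet treats it as text.

    Non-string values are returned unchanged; export real numbers as numbers so a
    legitimate negative value such as -5 is not turned into text.
    """
    if not isinstance(value, str):
        return value
    # Check after stripping leading whitespace (conservative: also neutralizes "  =1+1").
    if value.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_rows_unsafe(rows: List[List[Any]]) -> str:
    """The 'before' behaviour: cells are written exactly as supplied."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_NONNUMERIC, lineterminator="\n")
    writer.writerows(rows)
    return buf.getvalue()


def export_rows(rows: List[List[Any]]) -> str:
    """Hardened export: every string cell is neutralized, non-numeric cells are quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_NONNUMERIC, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    print(export_rows_unsafe(SAMPLE_ROWS))
    print(export_rows(SAMPLE_ROWS))
```

Quoting alone is not enough, because the spreadsheet strips the CSV quotes before deciding whether a cell is a formula; the leading apostrophe is what forces text interpretation, and it should be applied at the export boundary rather than when data is stored.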
FROM THE FIELD
Real World Use Cases in Action
In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.
CUSTOMER USE CASE
AWS Route 53 Domain Monitoring
SUMMARY
In the wake of a series of DNS blunders and attacks, our engineering team produced some excellent monitoring solutions for AWS Route 53. This AWS service is a highly available, scalable cloud DNS service that is easy to monitor, for example through LogicHub.
AUTOMATED SOLUTION
By pulling in logs from Route 53, we can run three different detections:
- AWS Route 53: Domain Resolving to Suspicious IP, uses our geoIpLookup() to verify that the resolving IP is not a Tor node, VPN or anonymous hosting provider
- AWS Route 53: Suspicious DNS Response, checks for one of the following server responses: “SERVFAIL”, “NOTIMP”, “REFUSED”, “YXDOMAIN”, “XRRSET”, “NOTAUTH”
- AWS Route 53: Domain Name Resolving to New Host Provider, looks 30 days back and compares the whois organization of the resolving host to make sure a service hasn’t changed hosting. For example, a domain that normally resolves to AWS but suddenly resolves to an IT services provider in Romania would raise an alert.
These detections can vastly improve your DNS security with very little effort. Any LogicHub customer subscribed to detections has access to them.
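The three detections above, as an added example run over constructed Route 53 resolver query log records (this is not LogicHub's code; geoIpLookup() and the whois lookup are replaced by small constructed tables, and the log records are loosely shaped like Route 53 Resolver query log entries, so the block runs offline):

```python
# Added example of the three Route 53 detections described above, run over
# constructed resolver query log records. Not LogicHub's code: geoIpLookup()
# and the whois lookup are replaced by constructed tables.
import ipaddress
import json
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

SUSPICIOUS_RCODES = {"SERVFAIL", "NOTIMP", "REFUSED", "YXDOMAIN", "XRRSET", "NOTAUTH"}

# Stand-in for geoIpLookup(): RFC 5737 documentation ranges labelled as risky (constructed).
RISKY_NETWORKS = {
    ipaddress.ip_network("192.0.2.0/24"): "tor",
    ipaddress.ip_network("198.51.100.0/24"): "vpn",
    ipaddress.ip_network("203.0.113.0/24"): "anonymous_hosting",
}

# Stand-in for whois: resolved IP -> hosting organisation (constructed).
IP_TO_ORG = {
    "10.0.0.10": "Amazon.com, Inc.",
    "10.9.9.9": "Example IT Services SRL",
}

NOW = datetime(2021, 11, 15, tzinfo=timezone.utc)

# Constructed baseline of (observed_at, domain, org) from earlier resolutions.
HISTORY = [
    (NOW - timedelta(days=5), "app.example.com", "Amazon.com, Inc."),
    (NOW - timedelta(days=20), "app.example.com", "Amazon.com, Inc."),
    (NOW - timedelta(days=45), "app.example.com", "Old Hosting Ltd"),  # outside the 30-day window
]

# Constructed records, loosely shaped like Route 53 Resolver query log entries.
LOG_LINES = """\
{"query_name":"app.example.com.","query_type":"A","rcode":"NOERROR","answers":[{"Rdata":"10.0.0.10","Type":"A","Class":"IN"}],"srcaddr":"10.1.2.3"}
{"query_name":"app.example.com.","query_type":"A","rcode":"NOERROR","answers":[{"Rdata":"10.9.9.9","Type":"A","Class":"IN"}],"srcaddr":"10.1.2.3"}
{"query_name":"cdn.example.net.","query_type":"A","rcode":"NOERROR","answers":[{"Rdata":"192.0.2.5","Type":"A","Class":"IN"}],"srcaddr":"10.1.2.4"}
{"query_name":"bad.example.org.","query_type":"A","rcode":"REFUSED","answers":[],"srcaddr":"10.1.2.5"}
"""


def ip_category(ip_str: str) -> Optional[str]:
    """Return the risk category of an IP, or None when it is in no risky range."""
    ip = ipaddress.ip_address(ip_str)
    for net, category in RISKY_NETWORKS.items():
        if ip in net:
            return category
    return None


def whois_org(ip_str: str) -> str:
    return IP_TO_ORG.get(ip_str, "unknown")


def baseline_orgs(history, domain: str, now: datetime, days: int = 30) -> Set[str]:
    """Organisations the domain resolved to within the look-back window."""
    cutoff = now - timedelta(days=days)
    return {org for observed_at, d, org in history if d == domain and observed_at >= cutoff}


def detect(records: List[dict], history, now: datetime) -> List[dict]:
    alerts = []
    for rec in records:
        domain = rec["query_name"].rstrip(".")
        # Detection 2: suspicious DNS response code.
        if rec.get("rcode") in SUSPICIOUS_RCODES:
            alerts.append({"rule": "suspicious_response", "domain": domain, "rcode": rec["rcode"]})
        for answer in rec.get("answers", []):
            if answer.get("Type") not in ("A", "AAAA"):
                continue
            ip = answer["Rdata"]
            # Detection 1: resolving IP inside a Tor/VPN/anonymous hosting range.
            category = ip_category(ip)
            if category:
                alerts.append({"rule": "suspicious_ip", "domain": domain, "ip": ip, "category": category})
            # Detection 3: hosting organisation differs from the 30-day baseline.
            known = baseline_orgs(history, domain, now)
            org = whois_org(ip)
            if known and org not in known:
                alerts.append({"rule": "new_host_provider", "domain": domain, "ip": ip,
                               "org": org, "previous": sorted(known)})
    return alerts


def run_example() -> List[dict]:
    records = [json.loads(line) for line in LOG_LINES.splitlines() if line.strip()]
    return detect(records, HISTORY, NOW)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the constructed input this yields one alert per rule: the second record moves app.example.com off its Amazon baseline, the third resolves into the "tor" range, and the fourth is a REFUSED response. Note that the hosting-change rule stays silent when a domain has no history inside the window, which is the intended behaviour for newly seen names.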
BENEFITS TO THIS APPROACH
While DNS can be exposed to DDoS attempts, DNS hijacking, DNS tunneling, and DNS poisoning, automated security monitoring of your DNS service can mitigate these attacks with little effort. This in turn reduces downtime.
Recommended Reading
This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.
Twitter Joins Backlash Against Australian Plan to ID Social Media Users
The Australian government aims to de-anonymize social media users in order to prevent online abuse, but Twitter’s response has been lukewarm. Opponents of the effort believe it’s far more harmful to privacy than Australians may know.
Cloudflare Report Highlights Devastating DDoS Attacks on VoIP Services and Several 'Record-Setting HTTP Attacks'
“Cloudflare researchers said they saw several ‘record-setting HTTP DDoS attacks, terabit-strong network-layer attacks and one of the largest botnets ever deployed (Meris),’ noting the emergence of ransom DDoS attacks on voice over IP (VoIP) service providers. The attack on Bandwidth.com left dozens of companies scrambling to deal with outages.”
Facebook to Delete 1 Billion Faceprints in Face Recognition Shutdown
After Facebook’s rebranding to ‘Meta’ early this month, the social media giant is scrapping its facial recognition program as a whole. Citing growing concerns about facial recognition technology’s dubious uses in society, it has chosen to narrow its application to a few specific use cases.
Google’s Minimum Security Baseline (MVSP)
On October 27, 2021, Google released their new Minimum Viable Secure Product (MVSP) baseline as a guideline for organizations’ minimum acceptable security across the industry. With large swaths of companies experiencing data breaches and attacks, this baseline should improve the way that security solutions are implemented.
Ignore China’s New Data Privacy Law at Your Peril
Mirroring Europe’s GDPR, China has implemented a new data privacy law intended to help protect the personal lives of its citizens. However, there is a catch: the government has full access. Companies sharing data outside of China must also go through a privacy review, further complicating Chinese citizens’ internet communication with the outside world.
Google’s Content Removal Transparency Report for 2021
Data hosting and search engine companies have to handle a significant amount of interaction with local governments and law enforcement to maintain legal standards, and Google is no different. Google releases an annual transparency report on the requests that they receive to remove content, usually under court orders or by their own policy. Keeping up on warrant canary and transparency reports is important to understand the state of the internet’s interactions with law enforcement.
Missouri Governor Vows to Prosecute St. Louis Post-Dispatch for Reporting Security Vulnerability
Governor Parson claims that SSN data leaked from the Department of Elementary and Secondary Education website was due to unauthorized access, despite the data being openly available in the site’s HTML source code. The governor claims that the breach will cost $50 million to fix.