The LogicHub Security Roundup: October 2021 Edition

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of the past month’s threats, informative use cases seen this month by our teams, and recommended articles, podcasts, and other useful resources.

HIGHLIGHT

WordPress Publications ZIP RCE

WHAT DOES IT DO?

The WordPress wp-publications plugin allows users to create bibliographies for publications and other similar lists. A file bundled with the plugin, bibtexbrowser.php, lets an attacker use the included ‘Q_FILE’ as a way to access local files. Attackers can then use .ZIP files to turn that file access into remote code execution.

POTENTIAL IMPACT

This vulnerability, at the least, allows an attacker to access unauthorized files. At the worst, an attacker can upload malicious code and gain a large foothold in the network, possibly resulting in a widespread compromise.

REMEDIATION

As this plugin has been removed from download and is not patched, the recommendation is to uninstall it immediately.

MORE INFORMATION:

https://nvd.nist.gov/vuln/detail/CVE-2021-38360

HIGHLIGHT

SAP Netweaver Proxy Attacks

WHAT DOES IT DO?

SAP Netweaver is a software development, provisioning, and management environment. In several versions, someone with access to the server can send crafted queries to perform proxy attacks (a type of man-in-the-middle attack). Sensitive data is leaked to the attacker through the installed proxy, with the victim unaware that their data is being accessed. Notably, if the server is exposed to the open internet, the severity of this vulnerability is much greater.

POTENTIAL IMPACT

A proxy attack of this type can fully undermine the CIA triad, resulting in complete compromise if certain information (such as passwords) is seen by the attacker.

REMEDIATION

There is currently a hotfix available; if the hotfix cannot be applied, the affected functionality can be deactivated instead.

MORE INFORMATION:

https://nvd.nist.gov/vuln/detail/CVE-2021-33690

HIGHLIGHT

Zoom Client Validation Failure

WHAT DOES IT DO?

Zoom is a video meeting application. During updates, the .msi files used in the update process are not properly validated, so improperly signed update files are accepted. This lack of validation means that a fake .msi update file can be used for remote code execution.

POTENTIAL IMPACT

As is the nature of remote code execution, this is essentially an open avenue for an attacker to run malicious code that can do almost anything on the system. This can mean complete compromise of the CIA triad.

REMEDIATION

Update past version 5.3.0. All prior versions were affected.

MORE INFORMATION:

https://explore.zoom.us/en/trust/security/security-bulletin/

CUSTOMER USE CASE

Network Connection Triage with Talos

SUMMARY

When a new external IP hits a network, a few things should be known about it. Activity should be logged thoroughly enough to understand what the IP is doing on the network and why, to the point where its activity can be traced through every action on the network from the point of entry. IPs should also be vetted by reputation using a trusted IP reputation platform. In this use case, we take IP reputation and apply it to traffic on the network using Cisco Talos.

AUTOMATED SOLUTION

Manually reviewing reputation can take a while. Using a command takes much less time, but fully automating the reputation lookup is quick and painless. After scraping a case for IPs, they are sent en masse to Cisco Talos and the lookup results are returned to the case. From there, the case can be closed if no suspicious reputations are seen, sent to an analyst if the combined scoring of the activity and the reputation is high enough, or have its priority lowered and be reviewed later if the scoring is lower.
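As an added example (this is not LogicHub's playbook code, and it does not call Cisco Talos), here is a small Python sketch of the triage flow described above: scrape a case's notes for external IPv4 addresses, look each one up against a reputation source, and then close, escalate, or down-prioritise the case. The reputation source is a pluggable callable; a constructed in-memory table stands in for Talos so the example runs offline, and the verdict labels, scores and thresholds are all assumptions chosen for illustration.

```python
"""Automated IP-reputation triage for a SOAR case.

Added example, not LogicHub's code. Assumptions not taken from the post:
- case notes are free text and only IPv4 addresses are scraped;
- the reputation source is a pluggable callable, so Cisco Talos (or any other
  provider) can be wired in; a constructed in-memory table stands in for it;
- Talos-style verdict strings are mapped to numeric scores, and the worst one
  is combined with an activity score produced by earlier playbook steps.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Optional

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Internal ranges that never get a reputation lookup. Listed explicitly rather
# than via ipaddress.is_global, because the RFC 5737 documentation ranges used
# as sample external addresses below would otherwise be filtered out too.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Verdict -> score (assumed labels). "Unknown" is treated as mildly suspicious so
# an IP nobody has seen before is not silently closed out.
REPUTATION_SCORE: Dict[str, int] = {
    "Good": 0, "Neutral": 10, "Unknown": 30, "Questionable": 50, "Poor": 60,
}
SUSPICIOUS_THRESHOLD = 30   # verdict score at or above this counts as suspicious
ESCALATE_THRESHOLD = 80     # combined activity + reputation score that pages an analyst

# Constructed stand-in for a Talos lookup (addresses are RFC 5737 test ranges).
FAKE_TALOS: Dict[str, str] = {
    "203.0.113.42": "Poor",
    "198.51.100.7": "Neutral",
    "192.0.2.10": "Good",
}


def extract_external_ips(case_text: str) -> List[str]:
    """Scrape IPv4 addresses from case text, dropping malformed and internal ones."""
    found: List[str] = []
    for candidate in IPV4_RE.findall(case_text):
        try:
            ip = ipaddress.IPv4Address(candidate)
        except ValueError:          # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if any(ip in net for net in INTERNAL_NETS):
            continue
        if candidate not in found:  # keep first-seen order, no duplicates
            found.append(candidate)
    return found


def triage_case(case_text: str, activity_score: int,
                lookup: Callable[[str], Optional[str]] = FAKE_TALOS.get) -> Dict[str, object]:
    """Look up every external IP in the case and decide what to do with the case."""
    verdicts = {ip: (lookup(ip) or "Unknown") for ip in extract_external_ips(case_text)}
    worst = max((REPUTATION_SCORE[v] for v in verdicts.values()), default=0)
    combined = activity_score + worst
    if worst < SUSPICIOUS_THRESHOLD:
        action = "close"                 # nothing suspicious, no human needed
    elif combined >= ESCALATE_THRESHOLD:
        action = "escalate_to_analyst"
    else:
        action = "lower_priority"        # park it for later review
    return {"ips": verdicts, "worst_reputation": worst, "combined": combined, "action": action}


if __name__ == "__main__":
    # Constructed case notes.
    notes = ("Outbound from 10.0.0.5 to 203.0.113.42 and 192.0.2.10; "
             "also saw 999.1.1.1 and 127.0.0.1 in the alert.")
    print(triage_case(notes, activity_score=20))
```

To wire in a real provider, pass a `lookup` callable that returns the provider's verdict string (or `None` when the address is unknown); the thresholds are the knobs an analyst tunes once the playbook has run against real case volume.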

BENEFITS TO THIS APPROACH

Besides the obvious savings of time and money from this form of automation, it’s also a method of triaging cases without human intervention. Depending on traffic, hundreds of cases could come in and be triaged without being touched. Other automation could look at the priority of the servers and hosts being hit by the IP and adjust the case accordingly.

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.