The LogicHub Security Roundup: September 2021 Edition
Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.
VMware Workspace One Open Network Access
WHAT DOES IT DO?
VMware Workspace is an application and desktop virtualization solution. It features a ‘/cfg’ application for changing settings and configurations, served on port 8443 and reachable via port 443. A custom host header is typically used to access the /cfg application, but when an attacker crafts a custom packet, an unauthorized user may be able to perform unintended functions within the application.
System configuration by an unauthorized user can lead to configurations that are difficult to detect and reverse, which are then used to maliciously access data, change permissions, and create further security holes.
Most of the products affected have been patched with the exception of vRealize Automation.
Confluence OGNL Injection
WHAT DOES IT DO?
The Confluence platform is a documentation and project management utility for enterprises. An OGNL injection uses Object Graph Navigation Language (OGNL), an open-source Java object manipulation language, as a vehicle for delivering malicious code to Apache Struts instances. User-supplied code is accepted as input without validation and can then draw critical data from an object model. This vulnerability is being actively exploited in the wild.
Vulnerabilities of this type have been used for data exfiltration previously (the Equifax data breach of 2017 was an OGNL injection). The data exfiltrated could contain passwords or other data that can then be used to gain footholds on the target network.
A patch for affected Confluence servers has been released.
Node.js Input Validation Issues
WHAT DOES IT DO?
Input validation is a feature that is frequently lacking in input forms on websites and applications. A lack of input validation means that any malicious code can easily be injected through a form without issue, possibly exfiltrating data or causing unintended system functions in the process.
Missing input validation of host names returned by Domain Name Servers in Node's DNS library can lead to output of wrong hostnames (leading to domain hijacking) and injection vulnerabilities in applications using the library (leading to remote code execution, XSS, application crashes, etc.).
The Node.js input validation vulnerability has been patched; the timeline for the vulnerability is posted in full on HackerOne.
A remote buffer overflow vulnerability was discovered in Aruba SD-WAN Software and Gateways; Aruba Operating System Software version(s): Prior to 184.108.40.206-220.127.116.11; Prior to 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52. Aruba has released patches for Aruba SD-WAN Software and Gateways and ArubaOS that address this security vulnerability.
Multiple vulnerabilities in the web UI and API endpoints of Cisco Application Policy Infrastructure Controller (APIC) or Cisco Cloud APIC could allow a remote attacker to perform a command injection or file upload attack on an affected system.
A vulnerability in an API endpoint of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC) could allow an unauthenticated, remote attacker to read or write arbitrary files on an affected system. This vulnerability is due to improper access control. An attacker could exploit this vulnerability by using a specific API endpoint to upload a file to an affected device. A successful exploit could allow the attacker to read or write arbitrary files on an affected device.
In order to decrypt SM2-encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker-chosen data to overflow the buffer by up to a maximum of 62 bytes, altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).
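A quick way to find hosts inside the affected range stated above (1.1.1 through 1.1.1k) is to compare version banners, including the letter suffix. This is an added example, not code from OpenSSL or from the original roundup; the function names, host names and inventory lines are constructed for illustration.

```python
import re

# Range exactly as stated above: affected 1.1.1 through 1.1.1k, fixed in 1.1.1l.
FIRST_AFFECTED = (1, 1, 1, "")
FIRST_FIXED = (1, 1, 1, "l")
_VERSION = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)\b")

def parse_version(banner):
    """Turn 'OpenSSL 1.1.1k  25 Mar 2021' or '1.1.1k' into a sortable tuple."""
    m = _VERSION.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    # Letter releases sort after the bare version: '' < 'a' < ... < 'k' < 'l'.
    return (int(major), int(minor), int(fix), letter)

def in_affected_range(banner):
    """True/False for a readable banner, None when no version can be parsed."""
    version = parse_version(banner)
    if version is None:
        return None
    return FIRST_AFFECTED <= version < FIRST_FIXED

def hosts_to_update(inventory):
    """Split 'host<TAB>banner' lines into (affected hosts, unreadable hosts)."""
    flagged, unknown = [], []
    for line in inventory.strip().splitlines():
        host, _, banner = line.partition("\t")
        verdict = in_affected_range(banner)
        if verdict is None:
            unknown.append(host)      # needs a manual look, not a silent pass
        elif verdict:
            flagged.append(host)
    return flagged, unknown

# Constructed inventory, e.g. gathered by running `openssl version` on each host.
INVENTORY = """\
web-01\tOpenSSL 1.1.1k  25 Mar 2021
web-02\tOpenSSL 1.1.1l  24 Aug 2021
db-01\tOpenSSL 1.1.1  11 Sep 2018
legacy-01\tOpenSSL 1.0.2u  20 Dec 2019
appliance-01\tunknown build
"""
```

Distribution packages often backport security fixes without changing the upstream version string, so treat a match as a prompt to check the package changelog rather than as proof of exposure.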
CUSTOMER USE CASE
Okta Administration and Authorization
The Okta platform is an excellent method for managing users and logins, and it can make for a fantastic ingress/egress monitoring point. When users start performing administrative activity or policy changes occur without rhyme or reason, an automated solution can help sift out the malicious from the normal.
To look for malicious activity in admin- and policy-based changes, we must know who the administrators on the network are. In this detection, we made use of a whitelist of normal administrators whom we knew we could exclude from certain activities. When we see any of these users performing actions like password changes or new user provisions with all other activity being normal, we know this action is legitimate. Normal password policy is also filtered.
For every user login, we have a baseline of prior logons for that user. From here, we know what their most usual country, operating system, user agent, and IPs are. This information can be used for two purposes: direct detections and identification guesses. Identification guesses make a baseline from the previously gathered information above and return a possible user from that logon, which can be helpful in narrowing down investigations should Okta not be able to assign a user to an attempted action.
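The sketch below shows the approach described above: per-user baselines built from prior logons, an administrator allowlist, direct detections, and an identification guess for events with no assigned user. It is an added example, not LogicHub's detection or Okta's log schema; the flat event layout, action names, users and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

FIELDS = ("country", "os", "user_agent", "ip")
ADMIN_ALLOWLIST = {"alice.admin"}                     # constructed allowlist
ADMIN_ACTIONS = {"password_change", "user_create", "policy_change"}

def ev(user, action, country, os, ua, ip):
    """Build one flat event (constructed layout, not Okta's log schema)."""
    return {"user": user, "action": action, "country": country,
            "os": os, "user_agent": ua, "ip": ip}

# Constructed history of prior logons; IPs are documentation addresses.
HISTORY = ([ev("alice.admin", "login", "US", "macOS", "Chrome/93", "198.51.100.10")] * 3
           + [ev("bob", "login", "DE", "Windows", "Firefox/92", "203.0.113.7")] * 3)

def build_baselines(events):
    """Per user, count each value seen per field across prior logons."""
    base = defaultdict(lambda: {f: Counter() for f in FIELDS})
    for e in events:
        if e["action"] == "login" and e["user"]:
            for f in FIELDS:
                base[e["user"]][f][e[f]] += 1
    return dict(base)

def deviations(event, base):
    """Direct detection: fields whose value this user has never shown before."""
    prof = base.get(event["user"])
    return list(FIELDS) if prof is None else [f for f in FIELDS if event[f] not in prof[f]]

def guess_user(event, base):
    """Identification guess: the user whose history best matches the event."""
    def score(prof):
        return sum(prof[f][event[f]] / sum(prof[f].values()) for f in FIELDS)
    ranked = sorted(((score(p), u) for u, p in base.items()), reverse=True)
    return ranked[0][1] if ranked and ranked[0][0] > 0 else None

def triage(event, base):
    """Return (verdict, user) for one event."""
    if event["user"] is None:                         # no user assigned to the event
        return ("unattributed", guess_user(event, base))
    odd = deviations(event, base)
    if event["action"] in ADMIN_ACTIONS:
        # An allowlisted admin acting from their usual context is filtered out.
        known = event["user"] in ADMIN_ALLOWLIST and not odd
        return ("ok" if known else "alert", event["user"])
    return ("alert" if len(odd) >= 2 else "ok", event["user"])

BASE = build_baselines(HISTORY)
```

The two-deviation threshold for ordinary logins is an arbitrary choice for the sample data; a real deployment would tune it against its own false-positive rate.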
BENEFITS TO THIS APPROACH
This type of detection is massively helpful in providing information before an investigation even begins. From information on a possible user to prior information and admin status, a profile on the user can be formulated and drawn from. Malicious activity can be quickly identified based on actual prior user activity, and regular malicious actions are outlined in the created user profile. Whereas manual review of Okta activity would take hours upon hours, this automated method allows for a single page of all detections per user or per day.
This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.
Actively Exploited Windows Zero-Day Gets a Patch
A part of Microsoft’s Patch Tuesday, this exploit has been seen in the wild and has finally gotten its comeuppance. Taking advantage of the new Windows Update Medic Windows 10 service, this is a remote code execution vulnerability that requires no user interaction.
Cyberattackers Embrace CAPTCHAs to Hide Phishing, Malware
The infamous ‘human detector’ is getting a little more complex. ‘CAPTCHA’-like services traditionally geared towards weeding out bots are being used by malicious actors to hide their malware. The CAPTCHA service is meant to hide the website from malware detection scanners.
Chase bank accidentally leaked customer info to other customers
The bug, speculated to have been active between May 24th and July 14th, showed customers the data of other customers with similar identifying information. Limited information on affected parties is available from Chase at this time. Affected customers are receiving free credit monitoring.
Cybercrime Group Asking Insiders for Help in Planting Ransomware
It may seem lazy, but it’s definitely effective: Black Kingdom ransomware operators are looking for industry insiders to spread ransomware on their employer’s systems. Contacting users through an Outlook email and a Telegram user, the actor is requesting users deploy the ransomware and then delete it from the recycling bin.
T-Mobile data breach just got worse — now at 54 million customers
The stolen database contains information from customers going as far back as 2004. Including IMEI registration information, it contains a trove of personally identifiable information. The prior estimate by T-Mobile for this breach was 48.6 million.
Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate Devices
The disclosure came after the leaked passwords were posted on a Russian hacking forum. The leak, which contains ‘raw access to the top companies spanning across 74 countries, including India, Taiwan, Italy, France, and Israel’, came from a prior path traversal exploit.