The LogicHub Security Roundup: September 2021 Edition

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.

HIGHLIGHT

VMware Workspace ONE Access Unauthorized Network Access

WHAT DOES IT DO?

VMware Workspace ONE Access (formerly VMware Identity Manager) is the identity and access management component of the Workspace ONE platform; vRealize Automation bundles the same Identity Manager component, which is why it is also listed in the advisory. The product exposes a ‘/cfg’ web application for configuration and diagnostics that is intended to be reachable only on port 8443. A request sent to the public port 443 carrying a crafted Host header is routed to /cfg anyway, so an attacker who can reach port 443 may be able to invoke configuration functions that should never have been exposed to them.

POTENTIAL IMPACT

Configuration changes made by an unauthorized user can be hard to detect and hard to reverse, and they can then be used to access data, change permissions, and open further security holes in the identity layer that every other application trusts.

REMEDIATION

VMware has released patches for Workspace ONE Access and Identity Manager; at the time of writing the fix for vRealize Automation was still pending, so check the advisory's response matrix for the current status of each product and version.

MORE INFORMATION:

https://www.vmware.com/security/advisories/VMSA-2021-0016.html

HIGHLIGHT

Confluence OGNL Injection

WHAT DOES IT DO?

Confluence Server and Data Center is Atlassian's enterprise documentation and project collaboration platform. Object Graph Navigation Language (OGNL) is an open-source expression language for reading and manipulating Java objects, used by frameworks such as Apache Struts and by Confluence itself. OGNL injection occurs when user-supplied input is evaluated as an OGNL expression without validation: the attacker can then walk the application's object graph, read sensitive data from it, call arbitrary Java methods and ultimately run commands on the server. This vulnerability (tracked as CONFSERVER-67940) is being actively exploited in the wild.
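Because exploitation is ongoing, the first question for most teams is whether OGNL-shaped input has already hit their Confluence front end. The following is an added example, not code from LogicHub or Atlassian: it flags OGNL expression syntax in request parameters, undoing layered URL encoding and Java-style \uXXXX escapes first, since both are used to slip past naive filters. The request lines are constructed for the example and the pattern list is an assumption you would tune to your own traffic.

```python
"""Flag OGNL expression syntax in request parameters (constructed sample requests)."""
import re
from urllib.parse import parse_qsl, unquote

# Syntax that has no business in a user-supplied parameter of a Java web app:
OGNL_PATTERNS = [
    re.compile(r"[#$%]\{"),                   # ${...} / #{...} / %{...} expression delimiters
    re.compile(r"@[\w.]+@\w+"),               # @java.lang.Runtime@getRuntime static access
    re.compile(r"\.(?:getClass|forName|getRuntime|exec)\s*\(", re.I),  # common pivots
]

def decode_param(value, rounds=3):
    """Undo layered URL encoding and \\uXXXX escapes that exploits use to dodge naive filters."""
    prev = None
    for _ in range(rounds):
        if value == prev:
            break
        prev, value = value, unquote(value)
    # Java-style unicode escapes (\u0027 for a quote, etc.) are another common obfuscation.
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)

def find_ognl(query_string):
    """Return (parameter name, matching pattern) for every parameter that looks like OGNL."""
    hits = []
    for name, raw in parse_qsl(query_string, keep_blank_values=True):
        decoded = decode_param(raw)
        for pat in OGNL_PATTERNS:
            if pat.search(decoded):
                hits.append((name, pat.pattern))
                break
    return hits

# Constructed request lines, as they might appear in an access log; not real traffic.
SAMPLE_REQUESTS = [
    "/pages/viewpage.action?pageId=12345&title=Weekly+report",
    "/profile?user=bob@example.com&note=Price+is+%245+%7Bapprox%7D",  # benign $ and @
    # quote escape plus #{...} map syntax, a classic OGNL probe shape
    "/search?queryString=%5Cu0027%2B%23%7B1%2B1%7D%2B%5Cu0027",
    # ${@class@method()} static call, single URL encoding
    "/x?q=%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%27id%27%29%7D",
    # same expression shape, double URL encoded
    "/y?p=%2524%257B1%252B1%257D",
]

def scan(request_lines):
    """Return (path, parameter) for every request parameter that looks like OGNL."""
    results = []
    for line in request_lines:
        path, _, qs = line.partition("?")
        for name, _pat in find_ognl(qs):
            results.append((path, name))
    return results

if __name__ == "__main__":
    for path, param in scan(SAMPLE_REQUESTS):
        print(f"OGNL-like expression in {path} parameter {param!r}")
```

Run this over access logs or WAF exports for the period before the patch went in; a hit on an unpatched instance is a reason to review the host for compromise, not only to patch it. The benign second request shows why the patterns look for `${`, `#{` and `@class@method` rather than bare `$` or `@`: email addresses and prices must not page anyone.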

POTENTIAL IMPACT

Vulnerabilities of this type have been used for data exfiltration before: the 2017 Equifax breach began with an OGNL injection in Apache Struts. The data exfiltrated could contain passwords or other material that is then used to gain further footholds on the target network, and because the injection yields code execution, the server itself is usually the first foothold.

REMEDIATION

Atlassian has released fixed versions of Confluence Server and Data Center; Confluence Cloud is not affected. Given that exploitation is ongoing, internet-facing instances that were unpatched should also be reviewed for signs of compromise rather than only updated.

MORE INFORMATION:

https://jira.atlassian.com/browse/CONFSERVER-67940

HIGHLIGHT

Node.js Input Validation Issues

WHAT DOES IT DO?

Input validation is frequently missing not only in web forms but in data an application receives from sources it wrongly treats as trusted, such as DNS. In this case Node.js's dns module did not validate host names contained in DNS responses, so a malicious or spoofed resolver could hand back a "host name" containing characters no valid name may contain. An application that passes such a value on, to a log line, a shell command or a web page, can then be manipulated into exfiltrating data or performing unintended functions.

POTENTIAL IMPACT

Missing input validation of host names returned by Domain Name Servers in node's DNS library can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library (leading to Remote Code Execution, XSS, Applications crashes, etc.).
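The defect is the absence of a strict check on resolver-supplied names, so the useful thing to show is that check. The following is an added example, not Node.js's own fix: an RFC 1123 host-name validator applied to a set of constructed resolver answers, each of which exercises one of the outcomes listed above (header and log injection via CRLF, shell metacharacters, markup that becomes XSS when echoed, and plain malformed names). The answers are made up for the example.

```python
"""Strict host-name validation for names handed back by a DNS resolver (constructed data)."""
import re

# One RFC 1123 label: 1-63 letters, digits or hyphens, with no leading or trailing hyphen.
# Used with fullmatch() rather than a trailing "$": in Python, "$" also matches just
# before a final newline, so "com\n" would otherwise slip through.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def is_valid_hostname(name):
    """Return True only for a well-formed host name; everything else is rejected."""
    if not isinstance(name, str):
        return False
    if name.endswith("."):           # fully-qualified form with the root dot is fine
        name = name[:-1]
    if not name or len(name) > 253:  # overall length limit
        return False
    return all(LABEL_RE.fullmatch(label) for label in name.split("."))

# Constructed resolver answers (not real DNS data). A malicious resolver controls every
# one of these strings, so each must be validated before it reaches a log, command or page.
SAMPLE_ANSWERS = [
    "mail.example.com",
    "host-1.example.net.",
    "evil.example.com\r\nX-Injected: 1",   # CRLF: log or header injection
    "$(id).example.com",                   # shell metacharacters
    "<script>alert(1)</script>.example",   # markup: XSS if echoed into HTML
    "safe.example.com\n",                  # trailing newline, the "$" pitfall
    "a" * 64 + ".example.com",             # label longer than 63 octets
    "-bad.example.com",                    # leading hyphen
    "",                                    # empty answer
]

def check_answers(names):
    """Map each answer to whether it is safe to use as a host name."""
    return {n: is_valid_hostname(n) for n in names}

if __name__ == "__main__":
    for name, ok in check_answers(SAMPLE_ANSWERS).items():
        print("ACCEPT" if ok else "REJECT", repr(name))
```

The same rule applies to any name an application obtains from a reverse lookup or CNAME chain: validate it on the way in, and treat a rejection as a signal worth logging, since a well-behaved resolver never produces one.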

REMEDIATION

The issue has been fixed in Node.js security releases; check the Node.js security release notes for the patched versions of each supported release line. The disclosure timeline is published in full on HackerOne.

MORE INFORMATION:

https://hackerone.com/reports/1178337


CUSTOMER USE CASE

Okta Administration and Authorization

SUMMARY

The Okta platform is an excellent way to manage users and logins, and because every authentication and administrative action passes through it, it makes a fantastic monitoring point. When users start performing administrative activity, or policy changes appear with no obvious reason, an automated solution can help separate the malicious from the normal.

AUTOMATED SOLUTION

To look for malicious activity in admin- and policy-based changes, we must first know who the legitimate administrators are. In this detection we used a whitelist of known administrators whose routine actions could be filtered out. When one of these users performs an action such as a password reset or new-user provisioning and all of their other activity looks normal, we treat the action as legitimate; the same action by anyone outside the list is surfaced for review. Routine password-policy events are filtered in the same way.

For every user login we keep a baseline built from that user's prior logins: their most usual country, operating system, user agent, and IP addresses. This information serves two purposes: direct detections, where a login deviates from the baseline, and identification guesses. An identification guess compares an event's attributes against every user's baseline and returns the most likely user, which helps narrow an investigation when Okta cannot attribute an attempted action to a user.
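The two mechanisms above, the admin whitelist and the per-user login baseline with its identification guess, fit in a short script. What follows is an added example and not LogicHub's playbook: it runs over a handful of constructed Okta System Log events (flattened to the actor, eventType, outcome and client fields the detection needs). The whitelist, the set of event types treated as administrative, and the scoring weights in the identification guess are all assumptions to be tuned for a real tenant.

```python
"""Okta admin-activity and login-baseline detection over constructed System Log events."""
from collections import Counter, defaultdict

# Assumed whitelist of known administrators (not from the original post).
ADMIN_ALLOWLIST = {"alice@example.com"}

# Okta eventType values treated as admin or policy changes (assumed set; extend as needed).
ADMIN_EVENT_TYPES = {
    "user.lifecycle.create",
    "user.account.reset_password",
    "policy.lifecycle.update",
    "policy.rule.update",
}
LOGIN_EVENT = "user.session.start"

def _ev(actor, etype, country, os, ip, outcome="SUCCESS"):
    """Build a simplified System Log event (real events nest these under client/outcome)."""
    return {"actor": actor, "eventType": etype, "outcome": outcome,
            "client": {"country": country, "os": os, "ipAddress": ip}}

def _client(ev):
    c = ev["client"]
    return {"country": c["country"], "os": c["os"], "ip": c["ipAddress"]}

def build_baselines(events):
    """Per-user counters of country, OS and IP over prior successful logins."""
    base = defaultdict(lambda: {"country": Counter(), "os": Counter(), "ip": Counter()})
    for ev in events:
        if ev["eventType"] == LOGIN_EVENT and ev["outcome"] == "SUCCESS":
            for key, val in _client(ev).items():
                base[ev["actor"]][key][val] += 1
    return base

def detect(events, baselines):
    """Direct detections: unexpected admin actors and logins outside a user's baseline."""
    findings = []
    for ev in events:
        actor, etype = ev["actor"], ev["eventType"]
        if etype in ADMIN_EVENT_TYPES and actor not in ADMIN_ALLOWLIST:
            findings.append((actor, etype, "admin/policy change by non-allowlisted user"))
        if etype == LOGIN_EVENT and actor in baselines:
            seen, now = baselines[actor], _client(ev)
            for key in ("country", "ip"):
                if now[key] not in seen[key]:
                    findings.append((actor, etype, f"login from unseen {key}: {now[key]}"))
    return findings

def guess_user(client, baselines):
    """Identification guess: the baselined user whose history best matches this client.

    An IP match weighs most, then OS, then country; at least an IP match or OS+country
    together is required, so a lone country match never attributes an event to anyone."""
    best, best_score = None, 0
    for user, seen in baselines.items():
        score = (3 * (client["ip"] in seen["ip"]) + 2 * (client["os"] in seen["os"])
                 + (client["country"] in seen["country"]))
        if score > best_score:
            best, best_score = user, score
    return best if best_score >= 3 else None

# Constructed history and "today" events; the IPs are from documentation ranges.
HISTORY = ([_ev("alice@example.com", LOGIN_EVENT, "US", "Mac OS X", "203.0.113.10")] * 3
           + [_ev("bob@example.com", LOGIN_EVENT, "DE", "Windows", "198.51.100.7")] * 3)

TODAY = [
    _ev("alice@example.com", "user.account.reset_password", "US", "Mac OS X", "203.0.113.10"),
    _ev("bob@example.com", "user.lifecycle.create", "DE", "Windows", "198.51.100.7"),
    _ev("bob@example.com", LOGIN_EVENT, "RU", "Windows", "192.0.2.44"),
    # Okta could not attribute this failed login; the client fields still carry a fingerprint.
    _ev("unknown", LOGIN_EVENT, "US", "Mac OS X", "203.0.113.10", outcome="FAILURE"),
]

def run(history=HISTORY, today=TODAY):
    """Return today's findings plus the identification guess for the unattributed login."""
    baselines = build_baselines(history)
    return detect(today, baselines), guess_user(_client(today[-1]), baselines)

if __name__ == "__main__":
    findings, guess = run()
    for f in findings:
        print(*f, sep=" | ")
    print("unattributed login most likely belongs to:", guess)
```

Alice's password reset produces nothing because she is whitelisted and her login history is unchanged, while Bob's user creation and his login from a new country and IP each surface as separate findings; the failed login Okta could not attribute is matched back to Alice's fingerprint for the analyst. In production the baseline would be rebuilt from a rolling window of System Log exports, and the `TODAY` list replaced by the current polling interval.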

BENEFITS TO THIS APPROACH

This type of detection provides a great deal of context before an investigation even begins. From the likely identity of the user to their prior activity and admin status, a profile of the user can be assembled and consulted. Malicious activity can be identified quickly because it is judged against the user's actual prior behaviour, and deviations from that behaviour are outlined in the generated profile. Whereas manual review of Okta activity would mean hours upon hours of work, this automated method condenses all detections into a single page per user or per day.

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.
