Security Safari

New Threats in the Wild

This section is devoted to threats of particular note that have been seen in the past month. A select few of particular interest will be highlighted in greater detail. NIST NVD data will be used to make these determinations.

HIGHLIGHT

VMWare Workspace One Open Network Access

What does it do?

VMWare Workspace is an application and desktop virtualization solution. It features a ‘/cfg’ application for changing settings and configuration, served on port 8443 but also reachable via port 443. Access to the /cfg application over port 443 depends on a custom host header, so an attacker who crafts a request with such a header may, as an unauthorized user, be able to perform unintended functions within the application.

Potential Impact

System configuration by an unauthorized user can lead to configurations that are difficult to detect and reverse, which are then used to maliciously access data, change permissions, and create further security holes.

Remediation

Most of the products affected have been patched with the exception of vRealize Automation.

More Information:

https://www.vmware.com/security/advisories/VMSA-2021-0016.html

HIGHLIGHT

Confluence OGNL Injection

What does it do?

The Confluence platform is a documentation and project management utility for enterprises. An OGNL injection uses Object Graph Navigation Language (OGNL), an open-source Java object manipulation language, as a vehicle for malicious code to Apache Struts instances. User input is left unvalidated and evaluated as an OGNL expression, which can then draw critical data from the object model. This vulnerability is being actively exploited in the wild.

Potential Impact

Vulnerabilities of this type have been used for data exfiltration previously (the Equifax data breach of 2017 was an OGNL injection). The data exfiltrated could contain passwords or other data that can then be used to gain footholds on the target network.

Remediation

A patch for affected Confluence servers has been released.

More Information:

https://jira.atlassian.com/browse/CONFSERVER-67940

HIGHLIGHT

Node.JS Input Validation Issues

What does it do?

Input validation is a feature that is frequently lacking in input forms on websites and applications. A lack of input validation means that any malicious code can easily be injected through a form without issue, possibly exfiltrating data or causing unintended system functions in the process.

Potential Impact

Missing input validation of host names returned by Domain Name Servers in Node's DNS library can lead to output of wrong hostnames (leading to domain hijacking) and injection vulnerabilities in applications using the library (leading to remote code execution, XSS, application crashes, etc.).

Remediation

The Node.JS input validation vulnerability has been patched - the timeline for the vulnerability is posted in full on HackerOne.

More Information:

https://hackerone.com/reports/1178337

Additional Threats

CVE-2021-37716

A remote buffer overflow vulnerability was discovered in Aruba SD-WAN Software and Gateways; Aruba Operating System Software version(s): Prior to 8.6.0.4-2.2.0.4; Prior to 8.7.1.2, 8.6.0.8, 8.5.0.12, 8.3.0.15. Aruba has released patches for Aruba SD-WAN Software and Gateways and ArubaOS that address this security vulnerability.

More Info

CVE-2021-1581

Multiple vulnerabilities in the web UI and API endpoints of Cisco Application Policy Infrastructure Controller (APIC) or Cisco Cloud APIC could allow a remote attacker to perform a command injection or file upload attack on an affected system. For more information about these vulnerabilities, see the Details section of this advisory.

More Info

CVE-2021-1577

A vulnerability in an API endpoint of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC) could allow an unauthenticated, remote attacker to read or write arbitrary files on an affected system. This vulnerability is due to improper access control. An attacker could exploit this vulnerability by using a specific API endpoint to upload a file to an affected device. A successful exploit could allow the attacker to read or write arbitrary files on an affected device.

More Info

CVE-2021-3711

In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker-chosen data to overflow the buffer by up to a maximum of 62 bytes, altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).

More Info

From The Field

Real World Use Cases in Action

In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.

Customer Use Case

Okta Administration and Authorization

Summary

The Okta platform is an excellent method for managing users and logins, and it can make for a fantastic ingress/egress monitoring point. When users start performing administrative activity or policy changes occur without rhyme or reason, an automated solution can help sift out the malicious from the normal.

Automated Solution

To look for malicious activity in admin- and policy-based changes, we must first know who the administrators on the network are. In this detection, we made use of a whitelist of known administrators whose routine actions could be excluded from certain alerts. When we see any of these users performing actions like password changes or new user provisions while all other activity is normal, we know the action is legitimate. Normal password policy changes are also filtered.

For every user login, we have a baseline of prior logons for that user. From here, we know what their most usual country, operating system, user agent, and IPs are. This information can be used for two purposes: direct detections and identification guesses. Identification guesses make a baseline from the previously gathered information above and return a possible user from that logon, which can be helpful in narrowing down investigations should Okta not be able to assign a user to an attempted action.
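The allowlist check, per-user logon baseline and identification guess described above, as an added example that is not LogicHub's automation code. The event fields (actor, eventType, client.country/os/userAgent/ip) are a simplified, assumed version of Okta System Log fields, and the sample events are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample of prior Okta logon events (not real data). The field
# names are a simplified, assumed version of Okta System Log fields.
HISTORY = [
    {"actor": "alice@example.com", "eventType": "user.session.start",
     "client": {"country": "US", "os": "Windows 10", "userAgent": "Chrome", "ip": "203.0.113.10"}},
    {"actor": "alice@example.com", "eventType": "user.session.start",
     "client": {"country": "US", "os": "Windows 10", "userAgent": "Chrome", "ip": "203.0.113.11"}},
    {"actor": "bob@example.com", "eventType": "user.session.start",
     "client": {"country": "DE", "os": "macOS", "userAgent": "Safari", "ip": "198.51.100.7"}},
    {"actor": "bob@example.com", "eventType": "user.session.start",
     "client": {"country": "DE", "os": "macOS", "userAgent": "Safari", "ip": "198.51.100.7"}},
]
ADMIN_ALLOWLIST = {"alice@example.com"}              # known administrators (assumed)
ADMIN_EVENTS = {"user.account.reset_password", "user.lifecycle.create",
                "policy.lifecycle.update"}            # admin/policy actions of interest
ATTRS = ("country", "os", "userAgent", "ip")

def build_baselines(events):
    """Per-user counts of each client attribute seen on prior successful logons."""
    base = defaultdict(lambda: {a: Counter() for a in ATTRS})
    for e in events:
        if e["eventType"] == "user.session.start":
            for a in ATTRS:
                base[e["actor"]][a][e["client"][a]] += 1
    return base

def logon_anomalies(base, event):
    """Attributes of this logon the user has never been seen with before (direct detection)."""
    seen = base.get(event["actor"])
    if seen is None:
        return list(ATTRS)            # no history at all: every attribute is new
    return [a for a in ATTRS if event["client"][a] not in seen[a]]

def admin_action_alert(event):
    """Admin/policy actions by actors outside the allowlist are alerted; allowlisted ones are filtered."""
    return event["eventType"] in ADMIN_EVENTS and event["actor"] not in ADMIN_ALLOWLIST

def guess_user(base, client):
    """Identification guess: the known user whose baseline matches the most client attributes."""
    scores = {u: sum(client[a] in seen[a] for a in ATTRS) for u, seen in base.items()}
    best = max(scores, key=scores.get) if scores else None
    return (best, scores[best]) if best and scores[best] > 0 else (None, 0)
```

`guess_user` is only meant to narrow an investigation when Okta cannot attribute an action; a score of 4 out of 4 is still a guess, not proof of identity.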

Benefits to This Approach

This type of detection is massively helpful in providing information before an investigation even begins. From a guess at the likely user to their prior activity and admin status, a profile of the user can be formulated and drawn from. Malicious activity can be quickly identified based on actual prior user activity, and regular malicious actions are outlined in the created user profile. Whereas manual review of Okta activity would mean hours upon hours of work, this automated method allows for a single page of all detections per user or per day.

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.

Actively Exploited Windows Zero-Day Gets a Patch

As part of Microsoft’s Patch Tuesday, this exploit, which has been seen in the wild, has finally gotten its comeuppance. Taking advantage of the new Windows Update Medic service in Windows 10, this is a remote code execution vulnerability that requires no user interaction.

Read More

Cyberattackers Embrace CAPTCHAs to Hide Phishing, Malware

The infamous ‘human detector’ is getting a little more complex. ‘CAPTCHA’-like services traditionally geared towards weeding out bots are being used by malicious actors to hide their malware. The CAPTCHA service is meant to hide the website from malware detection scanners.

Read More

Chase bank accidentally leaked customer info to other customers

The bug, speculated to have been active between May 24th and July 14th, showed customers the data of other customers with similar identifying information. Limited information on affected parties is available from Chase at this time. Affected customers are receiving free credit monitoring.

Read More

Cybercrime Group Asking Insiders for Help in Planting Ransomware

It may seem lazy, but it’s definitely effective: Black Kingdom ransomware operators are looking for industry insiders to spread ransomware on their employer’s systems. Contacting users through an Outlook email and a Telegram user, the actor is requesting users deploy the ransomware and then delete it from the recycling bin.

Read More

T-Mobile data breach just got worse — now at 54 million customers

The stolen database contains information from customers going as far back as 2004. Including IMEI registration information, it contains a trove of personally identifiable information. The prior estimate by T-Mobile for this breach was 48.6 million.

Read More

Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate Devices

The disclosure came after the leaked passwords were posted on a Russian hacking forum. Containing ‘raw access to the top companies spanning across 74 countries, including India, Taiwan, Italy, France, and Israel’, the leak came from a prior path traversal exploit.

Read More
