Last Week’s Security news: Cisco ASA, BIG-IQ, vSphere, Solaris, Dlink, iPhone %s, DarkRadiation, Google schema, John McAfee. Hello, today I want to experiment with a new format. I will be reading last week’s news from my @avleonovnews channel, which I found the most interesting. I do this mostly for myself, but if you like it too, then that would be great. Please subscribe to my YouTube channel and my Telegram @avleonovcom.
Let’s start with some new public exploits.
- Researchers at Positive Technologies have dropped a proof-of-concept (PoC) exploit on Twitter for a known cross-site scripting (XSS) vulnerability in the Cisco Adaptive Security Appliance (ASA) CVE-2020-3580. This flaw was patched in October. There are reports of researchers pursuing bug bounties using this exploit. Maybe you should do this too. Well, or at least ask your IT administrators if they have updated the ASA.
- F5 BIG-IQ VE Post-auth Remote Root RCE. BIG-IQ provides a single point of management for all your BIG-IP devices — whether they are on premises or in a public or private cloud. It was possible to execute commands with root privileges as an authenticated privileged user via command injection in easy-setup-test-connection. A good reason to check if you have this in the infrastructure. But of course the fact that this is Post-auth makes it less interesting.
- VMware vCenter 6.5 / 6.7 / 7.0 Remote Code Execution. From the description of the vulnerability that was published in February 2021. “The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.” Therefore, if your IT colleagues have not patched vCenter since February, you can try to demonstrate how this vulnerability is exploited in practice.
- Solaris SunSSH 11.0 Remote Root. “CVE-2020-14871 is a critical pre-authentication (via SSH) stack-based buffer overflow vulnerability in the Pluggable Authentication Module (PAM) in Oracle Solaris. PAM is a dynamic authentication component that was integrated into Solaris back in 1997 as part of Solaris 2.6”. If you are still using Solaris in your infrastructure, this is a great opportunity to try this exploit.
- Dlink DSL2750U – ‘Reboot’ Command Injection. There, in the exploit code, there is a link to the full study that shows how the researcher, Mohammed Hadi, gains admin access to the router. This is interesting considering that this router model is quite popular and you can still buy such a router.
- It’s 2021 and a printf format string in a wireless network’s name can break iPhone Wi-Fi. On Friday, Carl Schou, a security researcher in Denmark, reported that his iPhone lost its Wi-Fi capability after attempting to connect to a Wi-Fi network named “%p%s%s%s%s%n”. Fortunately, the damage appears not to be permanent. Apple iOS devices that lose Wi-Fi capability after being bitten by this bug can be restored via the General -> Reset -> Reset Network Settings menu option, which reverts network settings to their factory default. Not a very interesting vulnerability in terms of practical exploitation, but fun. Don’t connect to unfamiliar Wi-Fi networks.
Now let’s see some interesting new vulnerabilities.
- Critical Palo Alto Cyber-Defense Bug Allows Remote ‘War Room’ Access. “A critical security bug in Palo Alto Networks’ Cortex XSOAR could allow remote attackers to run commands and automations in the Cortex XSOAR War Room and to take other actions on the platform, without having to log in. Found internally by Palo Alto, the bug (CVE-2021-3044) is an improper-authorization vulnerability that “enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API,” according to the security vendor’s Tuesday advisory.
- Cisco HyperFlex HX Auth Handling Remote Command Execution. Cisco HyperFlex HX Data Platform is a high-performance, extensible distributed file system that supports multiple hypervisors with a wide range of enterprise-grade data management and optimization services. If you have this in use, pay attention.
- “VMware has rolled out security updates to resolve a critical flaw affecting Carbon Black App Control that could be exploited to bypass authentication and take control of vulnerable systems.” Carbon Black Protection (Cb App Control), formerly Bit9, is an application control product that allows departments to monitor and control application execution on systems.
- NVIDIA Jetson Chipsets Found Vulnerable to High-severity Flaws. The NVIDIA Jetson line consists of embedded Linux AI and computer vision compute modules and developer kits that primarily caters to AI-based computer vision applications and autonomous systems such as mobile robots and drones.
- On June 22, SonicWall published an advisory (SNWLID-2021-0006) to address an incomplete fix for a vulnerability in its operating system, SonicOS, used in a variety of SonicWall network security devices, including their SSL VPNs.
Malware:
- Cybersecurity researchers are sounding the alarm bell over a new ransomware strain called “DarkRadiation” that’s implemented entirely in Bash and targets Linux and Docker cloud containers, while banking on messaging service Telegram for command-and-control (C2) communications. “The ransomware is written in Bash script and targets Red Hat/CentOS and Debian Linux distributions,” researchers from Trend Micro said in a report published last week. “The malware uses OpenSSL’s AES algorithm with CBC mode to encrypt files in various directories. It also uses Telegram’s API to send an infection status to the threat actor(s).”
Some statistics for your presentations:
- Time to patch increases significantly during pandemic. “Among some of the headline findings in the data was a sharp decrease in the frequency with which disclosed vulnerabilities are patched in under 24 hours – which dropped from 20% last year to 9.9% today – despite new vulnerabilities or zero-days being quickly exploited by malicious actors, as has been seen in many cases, even before disclosure. The survey also found that about 60% of organisations take more than 72 hours to patch, and more than 20% take over 30 days, giving malicious actors a wide-open window to take advantage of the disclosed vulnerabilities to get inside target networks, establish persistence, steal data, and drop malware or ransomware.”
- ‘Set it and forget it’ attitude to open-source software has become a major security problem, says Veracode. 92 per cent of the flaws discovered in third-party libraries could be fixed by simply updating to the latest version, with two-thirds of fixes being “minor and non-disruptive to the functionality of even the most complex software applications.” The report also highlighted that a slim majority, 52 per cent, of developers claimed to have a formal process for the selection of third-party libraries, with a quarter saying they are either unsure or unaware of the existence of such a process, and that “security” is the third biggest concern when selecting a library – with “functionality” and “licensing” topping the leader board.
Promising topic:
- Google on Thursday introduced a unified vulnerability schema for open source projects, continuing its current campaign to shore up the security of open source software. A schema defines the structure of a database. It’s a blueprint for the objects within the database and it informs how data can be queried and exchanged. As Google describes it, existing naming systems like the CPE Product Dictionary don’t provide an easy way to automatically map a CVE vulnerability listing to a package name and a set of versions in a package manager. “With this schema we hope to define a format that all vulnerability databases can export.” Well, let’s keep an eye on this.
Well, it would probably be worth ending with the words about John McAfee.
Anti-virus Pioneer John McAfee Found Dead in Spanish Prison Cell. I do not presume to say anything about the crimes of which he was accused. In any case, he was an information security legend and his whole life was cooler than any Hollywood blockbuster. I recommend watching videos on his YouTube channel about attack attribution and the current state of infrastructure security. He said some pretty unpopular things. And some of them are very interesting. The way it ended is of course very sad and tragic. RIP.
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.