Researchers Debut Fresh RCE Vector for Common Google API Tool
The finding exposes the danger of older, unpatched bugs, which plague at least 4.5 million devices.
A new vector to exploit a vulnerable version of Google SLO Generator has been uncovered, which facilitates remote code execution (RCE). It allows an attacker to gain access to the system and deploy malicious code as if it were coming from a trusted source inside the network.
Google SLO Generator is a widely used Python library for engineers who want to track their Web API performance. The tool is used by thousands of Google services, but prior to a September 2021 patch, it housed unsafe and exploitable functions, potentially exposing user input data.
Michael Assraf, co-founder and CEO of Vicarius, explains that this path to exploitation was previously unknown and created a new way to exploit outdated versions for worse outcomes than simple information disclosure.
It is unknown how many of the more than 167,000 applications using this library are running vulnerable versions, according to Vicarius, which published a report detailing the attack path. Users who updated the code won’t be exposed to this attack, but that said, unpatched vulnerabilities are still the most common way that companies are successfully attacked.
Assraf also raises the issue of potentially problematic workarounds as security researchers uncover new vectors to exploit vulnerable software instances. Developers will often use workarounds to protect against known exploits rather than deploying a systematic update/patch.
“Developers who fall into that category will be vulnerable to this new exploit — along with anyone else who has yet to deploy the patch,” he says.
Millions of Unpatched Devices Remain a Problem
Externally accessible vulnerabilities are expected to remain a favorite attack vector for cybercriminals in the future. A report published this week from Rezilion found vulnerabilities as old as a decade remain unpatched in software and Internet-connected devices.
The study identified more than 4.5 million Internet-facing devices that remain open to vulnerabilities discovered between 2010 and 2020. The report also identified active scanning and exploitation attempts against most of these vulnerabilities.
Yotam Perkal, director of vulnerability research at Rezilion, says there are multiple reasons why unpatched vulnerabilities are so common.
“First, many organizations with less mature security programs do not even have visibility into the vulnerabilities they have in their environment,” he says. “Without the proper tooling and vulnerability management processes in place, they are basically blind to the risk and can’t patch what they do not know about.”
Second, even for organizations with mature vulnerability management processes in place, patching presents a challenge — it requires time and a considerable amount of effort and can often lead to unforeseen patch compatibility issues.
“With the constant rise in the number of new vulnerabilities discovered each year, organizations simply struggle to keep up,” he explains.
Unpatched Vulnerabilities a Top Security Issue
Assraf calls unpatched vulnerabilities one of the most significant, prevalent, yet fixable security problems across the board — and for a multitude of reasons.
“This issue transcends industry and company size, although large enterprises are typically more susceptible due to sheer volume of systems and users in place,” he adds.
He points out there are also new vulnerabilities cropping up daily, so managing to “zero vulnerabilities” is a bit of a pipe dream.
In addition, large-scale updates also occasionally break things and create unforeseen consequences and compatibility issues, leaving many to take a stance of “If it ain’t broke, don’t fix it.”
“The problem is, it is broken, you just don’t see the chink in the armor until you’ve been breached,” Assraf warns. “Other common issues are around visibility, shadow IT, and distributed teams that lead to ownership complications.”
From his perspective, visibility is the first step in getting vulnerabilities and patching under control, as you can’t fix what you don’t know is broken.
“Having an accurate and continuously updated asset inventory of all assets and devices in your environment is a critical first step,” he explains.
Next is knowing how to prioritize the updates available to those systems and assets, a common point at which enterprises fall short, as the sheer volume of available updates turns into noise.
Perkal says he thinks the key point to having a more proactive posture towards risks from unpatched vulnerabilities is awareness.
“Once you are aware of the risk, make sure you have the right processes and tools in place that will allow you to effectively take action,” he says. “At the end of the day, applying an existing patch to a known vulnerability that is known to be exploited in the wild should be the easy aspect of proper security hygiene.”
A July report from Palo Alto Networks’ Unit 42 also suggested attackers play favorites when looking at which software vulnerabilities to target.
Solving the Patching Problem With Business Context
Assraf says it’s common to prioritize based on criticality from the major frameworks like CVSS, which assign severity ratings to known vulnerabilities — several security vendors also assign their own black-box scoring systems.
“What’s important to account for, and where this step — and vendors — often fall short, is a failure to take business context into account,” he says.
It’s important therefore to focus on the potential threats that will have the largest impact on your unique digital environment, not necessarily a third-party rating assigned without context.
“The most mature organizations will then automate the patching process based on said context, updating the most critical systems while minimizing downtime and impact through strategic scheduling of deployment,” Assraf says.
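The prioritization the two researchers describe, CVSS as a starting point that is then weighted by business context and by whether the bug is known to be exploited in the wild, can be expressed as a small ranking routine. The code below is an added illustration and is not code from Vicarius, Rezilion or Unit 42; the weighting factors, the patch-window policy and the CVE identifiers (all placeholders) are assumptions chosen for the example, and the findings are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """One vulnerability on one asset, as a vulnerability scanner might report it."""
    cve: str                    # placeholder identifiers below, not real CVE numbers
    asset: str
    cvss: float                 # CVSS base score, 0.0 to 10.0 (the context-free rating)
    exploited_in_wild: bool     # e.g. listed in a known-exploited-vulnerabilities feed
    internet_facing: bool       # externally reachable, the attack surface Rezilion measured
    business_criticality: int   # 1 (low) to 5 (crown jewels), set by the asset owner

def priority_score(f: Finding) -> float:
    """Assumed weighting: CVSS scaled by the business context of the affected asset.

    criticality 1..5 maps to a 1.0x..2.0x multiplier, Internet exposure adds 1.5x,
    and known in-the-wild exploitation doubles the result, so a mid-severity bug
    on a critical exposed system outranks a critical bug on an isolated lab box.
    """
    score = f.cvss
    score *= 1.0 + 0.25 * (f.business_criticality - 1)
    if f.internet_facing:
        score *= 1.5
    if f.exploited_in_wild:
        score *= 2.0
    return score

def prioritize(findings):
    """Context-aware ordering: highest priority first."""
    return sorted(findings, key=priority_score, reverse=True)

def by_cvss_only(findings):
    """The context-free ordering the article says vendors often stop at."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

def patch_window_days(f: Finding) -> int:
    """Assumed scheduling policy: turn the score into a remediation deadline."""
    score = priority_score(f)
    if score >= 30.0:
        return 3       # emergency change, out of the regular maintenance cycle
    if score >= 15.0:
        return 14      # next scheduled maintenance window
    return 90          # routine patch cycle

# Constructed sample findings (placeholder CVE ids, fictitious assets).
SAMPLE = [
    Finding("CVE-PLACEHOLDER-1", "payments-api", 7.5, True, True, 5),
    Finding("CVE-PLACEHOLDER-2", "dev-wiki", 9.8, False, False, 1),
    Finding("CVE-PLACEHOLDER-3", "hr-portal", 6.1, True, True, 3),
    Finding("CVE-PLACEHOLDER-4", "build-server", 9.1, False, True, 3),
]

if __name__ == "__main__":
    print("CVSS-only order:    ", [f.asset for f in by_cvss_only(SAMPLE)])
    print("Context-aware order:", [f.asset for f in prioritize(SAMPLE)])
    for f in prioritize(SAMPLE):
        print(f"{f.cve} on {f.asset}: score={priority_score(f):.2f} "
              f"patch within {patch_window_days(f)} days")
```

Run as a script, the CVSS-only ordering puts the isolated dev wiki first, while the context-aware ordering moves the exploited bug on the exposed payments API to the top and assigns it the shortest patch window; swapping in an organization's own asset inventory and criticality ratings is the "business context" step the article argues vendors leave out.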
Perkal points out that most of the code running in an organization comes from various third parties, whether open source or commercial.
“While this allows organizations to focus on their core business logic and release code faster, this also introduces a security risk in the form of software vulnerabilities,” he says. “Patching everything simply isn’t feasible.”
To cope effectively with that risk, he says, organizations can turn to attack surface management platforms that intelligently prioritize the vulnerabilities that matter most and help automate parts of the mitigation and remediation work.
“The most concerning aspect I drew from the research is these old, known, exploitable vulnerabilities are still so pervasive,” he adds. “It’s especially concerning since it is likely the same analysis we did is also being conducted by attackers, and by leaving this huge attack surface vulnerable, we are making their lives easy.”