Headline
SMB Edge Devices Walloped With Asus, Zyxel Patch Warnings
A slew of critical advisories this week showcase an exploding edge device attack surface for SMBs, which have limited cybersecurity protection, visibility, and maintenance available.
Small and midsized businesses (SMBs) have some security work ahead as two major edge device vendors (Asus and Zyxel) announce critical security vulnerabilities to patch — and another (Western Digital) cuts off unpatched devices from the cloud.
Asus released new firmware on June 19 to fix nine separate vulnerabilities in several of the company’s router models, one of which could let a cyberattacker gain code execution ability. Two of the most serious flaws are a critical memory corruption weakness in the Asus router firmware, tracked under CVE-2022-26376, and the second could allow a threat actor to “achieve arbitrary code execution,” according to NIST, and dates back to 2018, tracked under CVE-2018-1160.
The same day, Western Digital announced it has blocked devices running unpatched firmware from its cloud as of June 15.
A severe vulnerability impacting Western Digital’s MyCloud Home and other cloud storage devices could lead to remote code execution, according to NIST. Despite the fact that the bug, tracked under CVE-2022-36327, received a CVSS vulnerability-severity score of 9.8 out of 10, the flaw was known to the public for a full month before affected devices were blocked from accessing the Western Digital cloud.
Also this week, Zyxel released patches against code-injection vulnerabilities in three versions of its network-attached storage devices. The firmware command injection vulnerability is tracked under CVE-2023-27992 and could let an unauthenticated user execute operating system commands.
**SMB Edge Cyberattack Surface Explodes **
This glut of edge-device patch warnings this week showcases the fact that SMBs are increasingly at risk thanks to the exploding number of edge devices being connected to their networks. For an idea of the scale of the endpoint attack surface, experts put the number of active Internet of things (IoT) and edge devices around the world at more than 12 billion. That number is expected to hit 27 billion by 2025.
At the same time, many of these organizations are largely woefully lacking in basic cybersecurity hygiene and monitoring. At first, edge devices can seem like an economic choice for building out an SMB infrastructure, but they are much tougher to secure, explains Melissa Bischoping, director, endpoint security research at Tanium.
“For small businesses, using small-office-home-office (SOHO) routers and devices is often a cost-effective solution,” she says, “but the lack of monitoring and centralized management in many of these devices can result in vulnerabilities and insecure configurations that provide easy access to an adversary.”
Meanwhile, never ones to miss an opportunity, threat actors are making the most of this sweet spot.
“Edge infrastructure is an incredibly attractive target for attackers because it generally lacks the depth of monitoring and visibility that endpoints have, and is always public facing by design, removing an initial hurdle for access,” Bischoping explains.
Making these devices an even softer mark, many are built with open source components, says John Gallagher, vice president of Viakoo Labs.
“Edge devices like routers, NAS drives, IP cameras, and other IoT/OT systems are the fastest growing part of an organization’s attack surface due to their use of open source software components and often being unmanaged and unmonitored,” Gallagher explains. “Traditional IT security solutions that are agent-based don’t work for IoT/OT devices which require agentless solutions."
How SMBs Can Secure the Edge
Securing the SMB edge starts with knowing what there is to protect, according to Gallagher.
“First, make sure you have a complete inventory of devices by using an agentless asset discovery solution,” Gallagher says.
Once cybersecurity teams have visibility into what there is to defend, that information can be used to direct resources effectively, Bischoping adds.
“Prioritize visibility of the edge assets and leverage that information to address patching, credential management, and configuration hardening as part of your ongoing security hygiene and controls,” she says. “Other quick wins include ensuring you’ve rotated default login credentials on these devices, employed secure authentication mechanisms, and enforced least-privilege access for any accounts that may log in to those devices.”
And, to handle with firmware and password updates at the scale required for IoT and edge devices, Gallagher recommends an automated approach.
Commenting on how SMBs can manage the edge more effectively, organizations should also consider whether devices need to be connected to the Internet, or would be better suited for a more secure internal network connection, advises Matthew Morin, senior director of product management with NetRise.
“In the case of many vulnerabilities announced by Asus, Zyxel, and Western Digital, ensuring the affected devices were only accessible via internal networks would have dramatically reduced the impact of the vulnerabilities,” Morin recommends. “SMBs must understand what is publicly disclosed from their networks and regularly review if what is exposed needs to be there.”
Teams should also look for devices with no particular owner or purpose and pull the plug. “Lastly, ensure that devices have clear ownership and tracking of their lifecycle management, so that devices that go end of life or end of support can be replaced before they get exploited.” Gallagher adds.
Once those processes are in place, Morin says the next step for more mature organizations is incorporating software bills of materials (SBOMs) for added visibility.
“For more mature organizations, a good next step is ensuring that they have component-level visibility, such as an SBOM for network-connected devices,” Morin adds. “In this case, with an SBOM, an organization could have been aware of this risk well before the vendor decided to patch the issue.”
Related news
The out-of-bounds write vulnerability in the Windows-based SecuExtender SSL VPN Client software version 4.0.4.0 could allow an authenticated local user to gain a privilege escalation by sending a crafted CREATE message.
Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance.
The U.S. Cybersecurity and Infrastructure Security Agency has added a batch of six flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This comprises three vulnerabilities that Apple patched this week (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), two flaws in VMware (CVE-2023-20867 and CVE-2023-20887), and one shortcoming impacting Zyxel
Categories: News Tags: CISA Tags: BOD 23-02 Tags: Internet exposed Tags: management interfaces Tags: vulnerabilities Tags: CVE-2023-27992 Tags: CVE-2023-20887 There is a lot to be said for the strategy of shielding management interfaces from public internet access (Read more...) The post Reducing your attack surface is more effective than playing patch-a-mole appeared first on Malwarebytes Labs.
Zyxel has rolled out security updates to address a critical security flaw in its network-attached storage (NAS) devices that could result in the execution of arbitrary commands on affected systems. Tracked as CVE-2023-27992 (CVSS score: 9.8), the issue has been described as a pre-authentication command injection vulnerability. "The pre-authentication command injection vulnerability in some Zyxel
Taiwanese company ASUS on Monday released firmware updates to address, among other issues, nine security bugs impacting a wide range of router models. Of the nine security flaws, two are rated Critical and six are rated High in severity. One vulnerability is currently awaiting analysis. The list of impacted products are GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000,
Taiwanese company ASUS on Monday released firmware updates to address, among other issues, nine security bugs impacting a wide range of router models. Of the nine security flaws, two are rated Critical and six are rated High in severity. One vulnerability is currently awaiting analysis. The list of impacted products are GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000,
Categories: Exploits and vulnerabilities Categories: News Tags: ASUS Tags: router Tags: models Tags: CVE-2022-26376 Tags: CVE-2018-1160 Tags: Netatalk Tags: disable WAN ASUS has released firmware updates for several router models fixing two critical and several other security issues. (Read more...) The post Update now! ASUS fixes nine security flaws appeared first on Malwarebytes Labs.
Categories: Exploits and vulnerabilities Categories: News Tags: ASUS Tags: router Tags: models Tags: CVE-2022-26376 Tags: CVE-2018-1160 Tags: Netatalk Tags: disable WAN ASUS has released firmware updates for several router models fixing two critical and several other security issues. (Read more...) The post Update now! ASUS fixes nine security flaws appeared first on Malwarebytes Labs.
The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request.
ASUS Router RT-AX3000 Firmware versions prior to 3.0.0.4.388.23403 uses sensitive cookies without 'Secure' attribute. When an attacker is in a position to be able to mount a man-in-the-middle attack, and a user is tricked to log into the affected device through an unencrypted ('http') connection, the user's session may be hijacked.
ASUS Router RT-AX3000 Firmware versions prior to 3.0.0.4.388.23403 uses sensitive cookies without 'Secure' attribute. When an attacker is in a position to be able to mount a man-in-the-middle attack, and a user is tricked to log into the affected device through an unencrypted ('http') connection, the user's session may be hijacked.
Server-Side Request Forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL to point back to the loopback adapter was addressed in Western Digital My Cloud OS 5 devices. This could allow the URL to exploit other vulnerabilities on the local server.This issue affects My Cloud OS 5 devices before 5.26.202.
A buffer overflow vulnerability was discovered on firmware version validation that could lead to an unauthenticated remote code execution in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi devices. An attacker would require exploitation of another vulnerability to raise their privileges in order to exploit this buffer overflow vulnerability. This issue affects My Cloud Home and My Cloud Home Duo: through 9.4.0-191; ibi: through 9.4.0-191.
A memory corruption vulnerability exists in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7.. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.
By Francesco Benvenuto. Recently, I was performing some research on a wireless router and noticed the following piece of code: This unescape function will revert the URL encoded bytes to its original form. But something specifically caught my attention: There was no size check for the performed operations and the function assumes that after a ‘%’ there are always two bytes. So, what would happen if after ‘%’, only one character existed? The answer is that the s+3, in the strcpy, will access after the end of the string. So, it could lead to memory corruption. Then, I tried to exploit this bug on the router in question. But based on how the URL string was managed in that device, it was not possible. But it had the potential to crash other web servers that used this piece of code. That function belonged to the freshtomato library. So, I searched for the source code and noticed that at the beginning of the file containing that function, there was the following comment: It was code fr...
Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.