Reducing your attack surface is more effective than playing patch-a-mole

Categories: News | Tags: CISA, BOD 23-02, Internet exposed, management interfaces, vulnerabilities, CVE-2023-27992, CVE-2023-20887

There is a lot to be said for the strategy of shielding management interfaces from public internet access


The post Reducing your attack surface is more effective than playing patch-a-mole appeared first on Malwarebytes Labs.


On June 13, 2023 the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-02. BOD 23-02 is titled Mitigating the Risk from Internet-Exposed Management Interfaces, and requires federal civilian agencies to remove specific networked management interfaces from the public-facing internet, or implement Zero Trust Architecture capabilities that enforce access control to the interface within 14 days of discovery.

Harsh as that may sound, there is a lot to be said for the strategy of shielding management interfaces from public internet access, or if that’s not an option, to apply every possible access control to make sure that only authorized people have access to the management part of the application.

As we have experienced a few times, applying timely patches is absolutely no guarantee you’ll be safe. Take for example the recent MOVEit vulnerability that was used against hundreds of victims before anyone even became aware of the fact that the vulnerability existed.

And new vulnerabilities are disclosed at a worrying rate. To demonstrate that point, here’s a quick roundup of the ones I looked at just yesterday.

  • Researchers discovered two dangerous vulnerabilities with Azure Bastion and Azure Container Registry that could allow attackers to achieve cross-site scripting (XSS), injecting malicious scripts into trusted websites. Exploitation of the vulnerabilities could have potentially allowed hackers to gain access to a target’s session within the compromised Azure service.
  • Zyxel warned users of its NAS (Network Attached Storage) devices to update their firmware to fix a critical severity command injection vulnerability. The newly discovered vulnerability, CVE-2023-27992, is a pre-authentication command injection problem that could allow an unauthenticated attacker to execute operating system commands by sending specially crafted HTTP requests.
  • VMWare published a security advisory about multiple vulnerabilities in Aria Operations for Networks. Of these vulnerabilities, CVE-2023-20887 was confirmed to be exploited in the wild. Successful exploitation would allow a malicious actor with network access to VMware Aria Operations for Networks to perform a command injection attack resulting in remote code execution.
  • We reported about ASUS fixing nine security flaws in several router models. Among them were two critical vulnerabilities that could lead to memory corruption, and one vulnerability that could allow a remote unauthenticated attacker to achieve arbitrary code execution.

These are applications and services that we find in many organizations’ networks. Finding the vulnerable instances and applying the patches could be more than a day’s work in some cases.

But a workaround that would have worked for many of the above is disabling or minimizing internet-facing access.

This supports the warning from CISA director Jen Easterly, who said:

“Too often, threat actors are able to use network devices to gain unrestricted access to organizational networks, in turn leading to full-scale compromise. Requiring appropriate controls and mitigations outlined in this Directive is an important step in reducing risk to the federal civilian enterprise. While this Directive only applies to federal civilian agencies, as the threat extends to every sector, we urge all organizations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play.”

Recommendations

In a nutshell, the recommendations from CISA to minimize your attack surface are:

  • Remove management interfaces from the internet by making them only accessible from an internal enterprise network. CISA recommends network segmentation to create an isolated management network.
  • Deploy capabilities that enforce access control to the interface through a policy enforcement point separate from the interface itself. In other words, don’t rely on the access control of the instance itself: once the instance is vulnerable, its own access control could be easy to circumvent.
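Both recommendations start with the same question: which management interfaces are actually reachable from outside, and when does the 14-day clock from the directive run out for each one? The script below is an added example, not code from Malwarebytes or CISA. It takes a small inventory of listening services (constructed sample data, not a real scan), treats a listener as internet-exposed when it is bound to the wildcard address or to any address outside an assumed set of internal ranges (RFC 1918, loopback, ULA), and reports only the management protocols, together with the remediation deadline computed from the discovery date. The port-to-protocol table and the CSV inventory format are assumptions for the example.

```python
"""Flag internet-exposed management interfaces and their BOD 23-02 deadlines.

Added example: inventory format, port list and internal ranges are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta

# Ports treated as management interfaces (assumed mapping for this example;
# the directive names protocols such as SSH, SNMP and HTTPS admin, not ports).
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp", 443: "https",
                    3389: "rdp", 5900: "vnc", 8443: "https-alt"}

# Ranges considered "internal": anything else is treated as internet-facing.
# Assumed for the example; an organisation would list its own management VLANs.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "fc00::/7", "::1/128")]

REMEDIATION_WINDOW = timedelta(days=14)  # BOD 23-02: within 14 days of discovery

# Constructed sample inventory: host, bound address, port, discovery date.
SAMPLE_INVENTORY = """
# host, address, port, discovered   (constructed sample data)
fw-edge-01, 203.0.113.10, 443, 2023-06-01   # admin UI on the WAN address
fw-edge-01, 10.20.0.1,    443, 2023-06-01   # same UI on the management VLAN
nas-01,     0.0.0.0,      22,  2023-06-10   # sshd bound to every interface
nas-01,     0.0.0.0,      445, 2023-06-10   # SMB: not a management protocol here
vpn-01,     198.51.100.5, 8443, 2023-06-12
"""


@dataclass(frozen=True)
class Listener:
    host: str
    address: str
    port: int
    discovered: date


@dataclass(frozen=True)
class Finding:
    host: str
    address: str
    port: int
    service: str
    deadline: date
    overdue: bool


def parse_inventory(text: str) -> list[Listener]:
    """Parse 'host, address, port, YYYY-MM-DD' lines; '#' starts a comment."""
    listeners = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, addr, port, found = (f.strip() for f in line.split(","))
        listeners.append(Listener(host, addr, int(port), date.fromisoformat(found)))
    return listeners


def is_internet_exposed(address: str) -> bool:
    """True for the wildcard address or any address outside INTERNAL_RANGES."""
    ip = ipaddress.ip_address(address)
    if ip.is_unspecified:  # 0.0.0.0 or :: means "listen on every interface"
        return True
    return not any(ip in net for net in INTERNAL_RANGES)


def audit(listeners: list[Listener], today: date) -> list[Finding]:
    """Return one Finding per exposed management listener, oldest first."""
    findings = []
    for item in listeners:
        service = MANAGEMENT_PORTS.get(item.port)
        if service is None or not is_internet_exposed(item.address):
            continue
        deadline = item.discovered + REMEDIATION_WINDOW
        findings.append(Finding(item.host, item.address, item.port, service,
                                deadline, today > deadline))
    return sorted(findings, key=lambda f: f.deadline)


def report(findings: list[Finding]) -> list[str]:
    """One human-readable line per finding."""
    return [f"{f.host} {f.address}:{f.port} ({f.service}) deadline {f.deadline}"
            + (" OVERDUE" if f.overdue else "") for f in findings]


if __name__ == "__main__":
    for line in report(audit(parse_inventory(SAMPLE_INVENTORY), date(2023, 6, 20))):
        print(line)
```

The point of the `is_internet_exposed` check is that a service bound to `0.0.0.0` counts as exposed even if the device happens to sit behind a NAT today: the binding, not the current topology, is what you want to fix, either by binding the interface to the management VLAN only or by putting a separate policy enforcement point in front of it, as the second recommendation says.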

For more information, we encourage you to read the directive. While the primary audience for this document is FCEB agencies, other organizations may find the content useful.


Related news

CVE-2023-5593: Security Advisories | Zyxel Networks

The out-of-bounds write vulnerability in the Windows-based SecuExtender SSL VPN Client software version 4.0.4.0 could allow an authenticated local user to gain a privilege escalation by sending a crafted CREATE message.

Critical Vulnerability Alert: VMware Aria Operations Networks at Risk from Remote Attacks

VMware has released software updates to correct two security vulnerabilities in Aria Operations for Networks that could be potentially exploited to bypass authentication and gain remote code execution. The most severe of the flaws is CVE-2023-34039 (CVSS score: 9.8), which relates to a case of authentication bypass arising as a result of a lack of unique cryptographic key generation. "A

VMWare Aria Operations For Networks Remote Command Execution

VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. A malicious actor can get remote code execution in the context of root on the appliance. VMWare 6.x version are vulnerable. This Metasploit module exploits the vulnerability to upload and execute payloads gaining root privileges. Successfully tested against version 6.8.0.

Go Beyond the Headlines for Deeper Dives into the Cybercriminal Underground

Discover stories about threat actors’ latest tactics, techniques, and procedures from Cybersixgill’s threat experts each month. Each story brings you details on emerging underground threats, the threat actors involved, and how you can take action to mitigate risks. Learn about the top vulnerabilities and review the latest ransomware and malware trends from the deep and dark web. Stolen ChatGPT

U.S. Cybersecurity Agency Adds 6 Flaws to Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency has added a batch of six flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This comprises three vulnerabilities that Apple patched this week (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), two flaws in VMware (CVE-2023-20867 and CVE-2023-20887), and one shortcoming impacting Zyxel

SMB Edge Devices Walloped With Asus, Zyxel Patch Warnings

A slew of critical advisories this week showcase an exploding edge device attack surface for SMBs, which have limited cybersecurity protection, visibility, and maintenance available.

Alert! Hackers Exploiting Critical Vulnerability in VMware's Aria Operations Networks

VMware has flagged that a recently patched critical command injection vulnerability in Aria Operations for Networks (formerly vRealize Network Insight) has come under active exploitation in the wild. The flaw, tracked as CVE-2023-20887, could allow a malicious actor with network access to the product to perform a command injection attack, resulting in remote code execution. It impacts VMware

Zyxel Releases Urgent Security Updates for Critical Vulnerability in NAS Devices

Zyxel has rolled out security updates to address a critical security flaw in its network-attached storage (NAS) devices that could result in the execution of arbitrary commands on affected systems. Tracked as CVE-2023-27992 (CVSS score: 9.8), the issue has been described as a pre-authentication command injection vulnerability. "The pre-authentication command injection vulnerability in some Zyxel

CVE-2023-27992

The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request.

Chinese Hackers Exploit VMware Zero-Day to Backdoor Windows and Linux Systems

The Chinese state-sponsored group known as UNC3886 has been found to exploit a zero-day flaw in VMware ESXi hosts to backdoor Windows and Linux systems. The VMware Tools authentication bypass vulnerability, tracked as CVE-2023-20867 (CVSS score: 3.9), "enabled the execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials

VMware patches critical vulnerabilities in Aria Operations for Networks

Categories: Exploits and vulnerabilities, News | Tags: cve-2023-20887, cve-2023-20888, cve-2023-20889, vmware, Aria Operations for Networks, RCE, information disclosure, deserialization, command injection

VMware has released security updates to fix a trio of flaws in Aria Operations for Networks that could result in information disclosure and remote code execution. The post VMware patches critical vulnerabilities in Aria Operations for Networks appeared first on Malwarebytes Labs.

Urgent Security Updates: Cisco and VMware Address Critical Vulnerabilities

VMware has released security updates to fix a trio of flaws in Aria Operations for Networks that could result in information disclosure and remote code execution. The most critical of the three vulnerabilities is a command injection vulnerability tracked as CVE-2023-20887 (CVSS score: 9.8) that could allow a malicious actor with network access to achieve remote code execution. Also patched by

CVE-2023-20889: VMSA-2023-0012

Aria Operations for Networks contains an information disclosure vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in information disclosure.