Deserialized web security roundup – Fortinet, Citrix bugs; another Uber breach; hacking NFTs at Black Hat

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

PortSwigger

John Leyden 16 December 2022 at 17:43 UTC


Our second web security roundup begins with news that a brace of network security flaws in products from Fortinet and Citrix have each come under active attack.

These attacks were enabled, respectively, by memory corruption vulnerabilities in the FortiOS SSL-VPN and by a critical arbitrary code execution flaw in Citrix ADC and Citrix Gateway (CVE-2022-27518). It’s unclear whether these assaults are linked, but their occurrence still underlines the importance of patching SSL VPN devices, which have previously served as vectors for pushing ransomware onto enterprise networks, among other attacks.

Uber this week suffered a data breach as a result of a cybersecurity incident at a third-party vendor, resulting in the exposure of employees’ personal information. The incident represents only the latest security breach to impact the ride-hailing app firm, which was previously faulted for the delayed disclosure of a 2016 breach that exposed the account records of customers and drivers. More recently, back in September, Uber’s internal IT systems were breached by a social engineering attack.

Over at Black Hat Europe, security researcher Nitesh Dhanjani discussed the impact of floor prices of non-fungible token (NFT) collections and how attacks focused on business dynamics have the potential to wreak havoc on marketplaces. Dhanjani also spoke about off-chain and on-chain sync algorithms, and how the disparities between the two blockchain-related environments can be abused.

I also attended the event for The Daily Swig, reporting on a keynote in which security researcher Daniel Cuthbert said the industry’s fixation on zero-day vulnerabilities was only a partial solution to making the internet fundamentally secure. We also covered some of the top hacking tools from the event.

Among other stories on The Daily Swig in recent days were an Akamai WAF bypass via Spring Boot, SQL injection payloads being smuggled past WAFs, and a crypto maintainer rejecting a bogus cryptocurrency ‘vulnerability’ submitted with the help of ChatGPT.

Here are some other web security stories and other cybersecurity news that caught our attention in the last fortnight:

Web vulnerabilities

  • Apache CXF / Critical / SSRF (server-side request forgery) vulnerability in parsing the href attribute of XOP / Disclosed with patch, December 13
  • Grails Spring Security Core plugin / CVE-2022-41923 / Critical / “Vulnerability allows an attacker access to one endpoint (i.e. the targeted endpoint) using the authorization requirements of a different endpoint” / Disclosed with patch, November 22
  • Microsoft .NET / CVE-2022-41089 / Critical / “Malicious actor could cause a user to run arbitrary code as a result of parsing maliciously crafted xps files” / Disclosed with a patch, December 13
  • Ping / CVE-2022-23093 / A memory-handling vulnerability in FreeBSD’s implementation of the networking utility prompted its developers to test their own software, which unearthed a flaw in OpenBSD’s implementation of Ping dating back to software changes introduced 24 years ago
  • Planet eStream / Critical / Vulnerabilities in video platform geared towards online learning enable attackers to take over user accounts with administrative privileges and execute arbitrary JavaScript code, among other attacks / Vendor has released software updates

Research and attack techniques

  • A researcher documented how it’s possible to exploit misconfigurations in cross-origin resource sharing (CORS) – a mechanism to control access to restricted website resources from external domains – to run various attacks. CORS misconfiguration issues have historically been downplayed but can seemingly be exploited to bypass CSRF protections or run cross-site tracking (XST) attacks.
  • Lightspin uncovered a serious flaw in an AWS-hosted service that allows software developers to find and share public container images. Attackers could potentially delete all images in the AWS Elastic Container Registry (ECR) Public Gallery or update image contents to inject malicious code, prompting AWS to resolve the problem within a day of its disclosure.
  • A series of flaws in three popular applications that allow an Android device to be used as a remote keyboard and mouse were exposed by Synopsys Cybersecurity Research Center (CyRC). The authentication, authorization, and insecure communication flaws potentially opened up attacks including keystroke sniffing.
  • Supposedly ‘air-gapped’ networks without direct access to the internet often require DNS services in order to resolve a company’s internal DNS records – a weakness potential hackers might be able to exploit, as a blog post by Pentera explains.
  • SALT Labs used a LEGO-run site as a testbed to illustrate the general risk posed by API security issues. Researchers uncovered a variety of API-related security issues in LEGO’s BrickLink, including a potential vector to internal production data and systems, and a way of manipulating users into surrendering control of their accounts.

LEGO reportedly fixed a number of API security issues found by SALT Labs
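The CORS item above describes misconfigurations that reflect an arbitrary Origin, or allow the “null” origin, while also enabling credentials; that combination lets a third-party page read authenticated responses, including pages that carry CSRF tokens. The following is an added example, not code from the original roundup or from the researcher it cites: a small Python checker that classifies the CORS headers a server returned for a given request Origin, alongside the sloppy suffix-match origin check that typically causes the problem and the strict allowlist that fixes it. The allowlist entries and the `evilexample.com` origin are constructed for the illustration.

```python
"""Added example (not from the original roundup): classify CORS responses and
contrast a sloppy origin check with a strict allowlist."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed allowlist for a hypothetical application; real values come from config.
TRUSTED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


@dataclass(frozen=True)
class CorsFinding:
    severity: str  # "high", "medium" or "low"
    reason: str


def assess_cors_response(request_origin: str, response_headers: dict) -> list:
    """Judge the CORS headers a server sent back for a request carrying request_origin.

    Returns findings explaining why the policy is risky; an empty list means the
    response grants nothing beyond the trusted allowlist.
    """
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    credentials = headers.get("access-control-allow-credentials", "").lower() == "true"
    findings = []

    if acao is None:
        return findings  # no cross-origin read is granted at all

    if acao == "*":
        # Browsers refuse to pair "*" with credentials, so only the uncredentialed
        # case exposes data; the credentialed case still signals a broken policy.
        sev = "medium" if credentials else "low"
        findings.append(CorsFinding(sev, "wildcard origin: any site can read uncredentialed responses"))
        return findings

    if acao == "null":
        # Sandboxed iframes and local files send Origin: null, so any page can obtain it.
        sev = "high" if credentials else "medium"
        findings.append(CorsFinding(sev, "'null' origin allowed; a sandboxed iframe can present it"))
    elif acao == request_origin and request_origin not in TRUSTED_ORIGINS:
        # The server echoed an origin it should not trust.
        sev = "high" if credentials else "medium"
        detail = " with credentials" if credentials else ""
        findings.append(CorsFinding(sev, f"untrusted origin {request_origin} reflected{detail}"))

    return findings


def weak_origin_allowed(origin: str) -> bool:
    """The common mistake: a suffix match on the raw Origin string.
    It accepts https://evilexample.com because that string also ends in example.com."""
    return origin.endswith("example.com")


def strict_origin_allowed(origin: str) -> bool:
    """Exact match of scheme and host against the allowlist."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query:
        return False
    return f"{parts.scheme}://{parts.netloc.lower()}" in TRUSTED_ORIGINS


def cors_headers_for(origin: str) -> dict:
    """Server-side helper: emit credentialed CORS headers only for an allowlisted
    origin. Echoing the origin is safe here because it passed strict_origin_allowed,
    and Vary: Origin stops caches from serving one origin's grant to another."""
    if not strict_origin_allowed(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    attacker = "https://evilexample.com"  # constructed untrusted origin
    reflected = {"Access-Control-Allow-Origin": attacker, "Access-Control-Allow-Credentials": "true"}
    for finding in assess_cors_response(attacker, reflected):
        print(finding.severity, finding.reason)
    print("weak check accepts:", weak_origin_allowed(attacker))
    print("strict check accepts:", strict_origin_allowed(attacker))
    print("headers issued:", cors_headers_for(attacker))
```

Run it with a captured response header set and the Origin you sent; a “high” finding means the server is reflecting an untrusted origin with credentials enabled, which is the configuration the research item describes as exploitable.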

Bug bounty / vulnerability disclosure

  • HackerOne revealed that cloud-based vulnerabilities account for a growing proportion of vulnerabilities reported by bug bounty hunters, now totalling 65,000 in 2022, a year-on-year rise of 21%.
  • A security researcher who discovered a means to achieve unauthorized access to resumes stored on LinkedIn may have been left underwhelmed by the $5,000 bounty he received for his find, given the potential impact of the issue on users of the Microsoft-owned business-focused social network. An Insecure Direct Object Reference (IDOR) security vulnerability, inadvertently introduced in October 2022, could have allowed recruiters and perhaps more unsavoury parties to download resumes without permission.
  • Swedish video surveillance giant Axis Communications has launched a private bug bounty program with Bugcrowd.

New open source infosec/hacking tools

  • Node Security Shield – a defensive tool that takes an allow-listing approach to zero-day protection for NodeJS applications. The tool was inspired by the infamous Log4Shell vulnerability, a zero-day vulnerability in Log4j, a popular Java logging framework.
  • Invoke-DNSteal – allows pen testers to perform file transfers using the DNS protocol as a covert communications channel.
  • Kubeshark – API Traffic Viewer for Kubernetes, providing “deep visibility and monitoring of all API traffic and payloads going in, out and across containers and pods inside a Kubernetes cluster”
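Two items on this page point at the same channel from opposite sides: the Pentera post on ‘air-gapped’ networks that still resolve DNS, and Invoke-DNSteal, which moves files over DNS queries. Whatever the tool, the traffic it produces shares a shape: many unique subdomains under one zone, long leftmost labels, and label text that looks like encoded data rather than hostnames. The following is an added example, not code from the original roundup or from either project: a Python detector that groups a query log per client and registered domain and flags groups matching that shape. The log format, the sample lines, and the thresholds are constructed for the illustration, and the zone is assumed to be the last two labels because no public-suffix list is used.

```python
"""Added example (not from the original roundup): flag DNS query patterns that
look like tunnelling or exfiltration in a constructed resolver log."""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch> <client_ip> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
1671100000 10.0.0.5 intranet.corp.example A
1671100001 10.0.0.5 mail.corp.example A
1671100002 10.0.0.5 intranet.corp.example A
1671100003 10.0.0.9 intranet.corp.example A
1671100004 10.0.0.9 3b7e9a1c5d2f8e4a6b0c9d1e2f3a4b5c.s1.tunnel.example TXT
1671100005 10.0.0.9 9f1d3c5b7a9e2d4f6b8a0c1e3d5f7b9a.s2.tunnel.example TXT
1671100006 10.0.0.9 0a2c4e6b8d1f3a5c7e9b2d4f6a8c0e1d.s3.tunnel.example TXT
1671100007 10.0.0.9 5e7a9c1b3d5f7a9c2e4b6d8f0a2c4e6b.s4.tunnel.example TXT
"""


def shannon_entropy(text: str) -> float:
    """Bits per character: encoded payloads score near the alphabet maximum,
    ordinary hostnames score low."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text: str):
    """Yield (client, qname, qtype) from the constructed log format above."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        _ts, client, qname, qtype = fields
        yield client, qname.lower().rstrip("."), qtype


def registered_domain(qname: str) -> str:
    """Assumption for this example: the zone is the last two labels."""
    return ".".join(qname.split(".")[-2:])


def detect_dns_tunnelling(log_text: str, min_unique: int = 3,
                          max_label_len: int = 30, entropy_threshold: float = 3.5) -> list:
    """Group queries per (client, registered domain) and flag groups whose
    subdomains look like encoded data: at least min_unique distinct subdomains
    plus either a very long leftmost label or high mean label entropy."""
    groups = defaultdict(lambda: {"subdomains": set(), "labels": []})
    for client, qname, _qtype in parse_dns_log(log_text):
        domain = registered_domain(qname)
        prefix = qname[: -len(domain)].rstrip(".")
        if not prefix:
            continue  # a query for the bare zone carries no payload
        group = groups[(client, domain)]
        group["subdomains"].add(prefix)
        group["labels"].append(prefix.split(".")[0])

    findings = []
    for (client, domain), group in sorted(groups.items()):
        unique = len(group["subdomains"])
        longest = max(len(label) for label in group["labels"])
        mean_entropy = sum(shannon_entropy(l) for l in group["labels"]) / len(group["labels"])
        if unique >= min_unique and (longest >= max_label_len or mean_entropy >= entropy_threshold):
            findings.append({"client": client, "domain": domain, "unique_subdomains": unique,
                             "max_label_len": longest, "mean_entropy": round(mean_entropy, 2)})
    return findings


if __name__ == "__main__":
    for finding in detect_dns_tunnelling(SAMPLE_DNS_LOG):
        print(finding)
```

The per-client grouping matters: a resolver serving a whole site will see many subdomains under popular zones, but a single internal host generating dozens of long, random-looking labels under one zone is the pattern worth paging on. Tune the thresholds against a baseline of your own resolver logs before alerting on them.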

For devs

  • Google has announced a free-of-charge scanner that allows open source developers to check their software projects for vulnerable dependencies. The tool – called OSV-Scanner – builds on Google’s work in developing an open source vulnerability database.
  • OWASP, best known for its ‘Top 10 Web Application Security Risks’ framework, is backing the creation of a similar scheme to index classes of security risks in the world of AppSec and DevSecOps. The Top 10 CI/CD Security Risks taxonomy aims to catalogue risks in the CI/CD pipeline. “Insufficient Flow Control Mechanisms” topped the nascent list.
  • The SHA-1 cryptographic algorithm, in use since 1995, has reached the end of its useful life, announced the National Institute of Standards and Technology (NIST), which says the federal government should phase out its use by 2030.
  • Research from Endor Labs found that the vast majority (95%) of all vulnerabilities are “found in transitive dependencies – open source code packages that are not selected by developers, but indirectly pulled into projects”.

For fun

ChatGPT – the artificial intelligence chat tool from OpenAI – is the hottest thing in infosec-focused social media circles just now. Rather than asking it to suggest possible vulnerabilities in code, we wondered what ChatGPT could conjure when asked to write lyrics for a song about SQL injection in the style of the late David Bowie.

The results were more than satisfactory:

In the realm of computers, where data flows like a stream
There are those that seek to exploit and cause us all to scream
They are the hackers, the codebreakers, the malicious ones
And among their favorite trick is the art of SQL injection

Chorus:

SQL injection, SQL injection
A dangerous game, a digital infection
SQL injection, SQL injection
Beware of the hackers and their devious invention

To paraphrase the great man himself, I still don’t know what I was waiting for… but it definitely wasn’t this.


Related news

From Ransomware to Cyber Espionage: 55 Zero-Day Vulnerabilities Weaponized in 2022

As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple. While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage. The

Thousands of Citrix Servers Still Unpatched for Critical Vulnerabilities

Thousands of Citrix Application Delivery Controller (ADC) and Gateway endpoints remain vulnerable to two critical security flaws disclosed by the company over the last few months. The issues in question are CVE-2022-27510 and CVE-2022-27518 (CVSS scores: 9.8), which were addressed by the virtualization services provider on November 8 and December 13, 2022, respectively. While CVE-2022-27510

GHSA-2c7v-qcjp-4mg2: .NET Remote Code Execution Vulnerability

# Microsoft Security Advisory CVE-2022-41089: .NET Remote Code Execution Vulnerability

## Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1, .NET 6.0, and .NET 7.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A remote code execution vulnerability exists in .NET Core 3.1, .NET 6.0, and .NET 7.0, where a malicious actor could cause a user to run arbitrary code as a result of parsing maliciously crafted xps files.

## Announcement

Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/242

### Mitigation factors

Microsoft has not identified any mitigating factors for this vulnerability.

## Affected software

* Any .NET 7.0 WinForms or WPF application running on .NET 7.0.0 or earlier.
* Any .NET 6.0 W...

Hackers Actively Exploiting Citrix ADC and Gateway Zero-Day Vulnerability

The U.S. National Security Agency (NSA) on Tuesday said a threat actor tracked as APT5 has been actively exploiting a zero-day flaw in Citrix Application Delivery Controller (ADC) and Gateway to take over affected systems. The critical remote code execution vulnerability, identified as CVE-2022-27518, could allow an unauthenticated attacker to execute commands remotely on vulnerable devices and

Microsoft Squashes Zero-Day, Actively Exploited Bugs in Dec. Update

Here's what you need to patch now, including six critical updates for Microsoft's final Patch Tuesday of the year.

CVE-2022-41089

.NET Framework Remote Code Execution Vulnerability.

Citrix ADC, Gateway Users Race Against Hackers to Patch Critical Flaw

Citrix issues a critical update as NSA warns that the APT5 threat group is actively trying to target ADC environments.

CVE-2022-41089: .NET Framework Remote Code Execution Vulnerability

A remote code execution vulnerability exists when Microsoft .NET Framework fails to properly validate input before loading libraries. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker would first need to access the local system with the ability to execute a malicious application. The security update addresses the vulnerability by correcting how .NET validates input on library load.

Critical Ping Vulnerability Allows Remote Attackers to Take Over FreeBSD Systems

The maintainers of the FreeBSD operating system have released updates to remediate a security vulnerability impacting the ping module that could be potentially exploited to crash the program or trigger remote code execution. The issue, assigned the identifier CVE-2022-23093, impacts all supported versions of FreeBSD and concerns a stack-based buffer overflow vulnerability in the ping service. "

CVE-2022-41923: Grails Spring Security Core plugin: Improper Privilege Management vulnerability

Grails Spring Security Core plugin is vulnerable to privilege escalation. The vulnerability allows an attacker access to one endpoint (i.e. the targeted endpoint) using the authorization requirements of a different endpoint (i.e. the donor endpoint). In some Grails framework applications, access to the targeted endpoint will be granted based on meeting the authorization requirements of the donor endpoint, which can result in a privilege escalation attack. This vulnerability has been patched in grails-spring-security-core versions 3.3.2, 4.0.5 and 5.1.1.

Impacted Applications: Grails Spring Security Core plugin versions:
  • 1.x
  • 2.x
  • >=3.0.0 <3.3.2
  • >=4.0.0 <4.0.5
  • >=5.0.0 <5.1.1

We strongly suggest that all Grails framework applications using the Grails Spring Security Core plugin be updated to a patched release of the plugin.

Workarounds: Users should create a subclass extending one of the following classes from the `grails.plugin.springsecurity.web.access.intercept` package, depending on th...
