Deserialized web security roundup – Fortinet, Citrix bugs; another Uber breach; hacking NFTs at Black Hat

John Leyden 16 December 2022 at 17:43 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Our second web security roundup begins with news that a brace of network security flaws in products from Fortinet and Citrix have each come under active attack.

These attacks were respectively enabled by memory corruption vulnerabilities in the FortiOS SSL-VPN as well as a critical arbitrary code execution risk in Citrix ADC and Citrix Gateway (CVE-2022-27518). It’s unclear whether these assaults are linked, but their occurrence can still be said to underline the importance of patching SSL VPN devices, which have previously been vectors for pushing ransomware onto enterprise networks, among other attacks.

Uber this week suffered a data breach as a result of a cybersecurity incident at a third-party vendor, resulting in the exposure of employees’ personal information. The incident represents only the latest security breach to impact the ride-hailing app firm, which was previously faulted for the delayed disclosure of a 2016 breach that exposed the account records of customers and drivers. More recently, back in September, Uber’s internal IT systems were breached by a social engineering attack.

Over at Black Hat Europe, security researcher Nitesh Dhanjani discussed the impact of floor prices of non-fungible token (NFT) collections and how attacks focused on business dynamics have the potential to wreak havoc on marketplaces. Dhanjani also spoke about off-chain and on-chain sync algorithms, and how the disparities between the two blockchain-related environments can be abused.

I also attended the event for The Daily Swig, reporting on a keynote in which security researcher Daniel Cuthbert said the industry’s fixation on zero-day vulnerabilities was only a partial solution to making the internet fundamentally secure. We also covered some of the top hacking tools from the event.

Among other stories on The Daily Swig in recent days was an Akamai WAF bypass via Spring Boot, SQL injection payloads being smuggled past WAFs, and a crypto maintainer rejecting a bogus cryptocurrency ‘vulnerability’ submitted with the help of ChatGPT.

Here are some other web security stories and other cybersecurity news that caught our attention in the last fortnight:

Web vulnerabilities

• Apache CXF / Critical / SSRF (server-side request forgery) vulnerability in parsing the href attribute of XOP / Disclosed with patch, December 13
• Grails Spring Security Core plugin / CVE-2022-41923 / Critical / “Vulnerability allows an attacker access to one endpoint (i.e. the targeted endpoint) using the authorization requirements of a different endpoint” / Disclosed with patch, November 22
• Microsoft .NET / CVE-2022-41089 / Critical / “Malicious actor could cause a user to run arbitrary code as a result of parsing maliciously crafted xps files” / Disclosed with a patch, December 13
• Ping / CVE-2022-23093 / Memory-handling vulnerability involving networking protocol implementation by FreeBSD prompted its developers to test their own software, which unearthed a flaw in OpenBSD’s implementation of Ping that dates back to software changes introduced 24 years ago
• Planet eStream / Critical / Vulnerabilities in video platform geared towards online learning enable attackers to take over user accounts with administrative privileges and execute arbitrary JavaScript code, among other attacks / Vendor has released software updates

Research and attack techniques

• A researcher documented how it’s possible to exploit misconfigurations in cross-origin resource sharing (CORS) – a mechanism to control access to restricted website resources from external domains – to run various attacks. CORS misconfiguration issues have historically been downplayed but can seemingly be exploited to bypass CSRF protections or run cross-site tracking (XST) attacks.
• Lightspin uncovered a serious flaw in an AWS-hosted service that allows software developers to find and share public container images. Attackers could potentially delete all images in the AWS Elastic Container Registry (ECR) Public Gallery or update image contents to inject malicious code, prompting AWS to resolve the problem within a day of its disclosure.
• A series of flaws in three popular applications that allows an Android device to be used as a remote keyboard and mouse were exposed by Synopsys Cybersecurity Research Center (CyRC) The authentication, authorization, and insecure communication flaws potentially opened up attacks including keystroke sniffing.
• Supposedly ‘air-gapped’ networks without direct access to the internet often require DNS services in order to resolve a company’s internal DNS records – a weakness potential hackers might be able to exploit, as a blog post by Pentera explains.
• SALT Labs used a LEGO-run site as a testbed to illustrate the general risk posed by API security issues. Researchers uncovered a variety of API-related security issues in LEGO’s Brick Lane, including a potential vector to internal production data and systems or manipulating users into surrendering control of their accounts.

LEGO reportedly fixed a number of API security issues found by SALT Labs

Bug bounty / vulnerability disclosure

• HackerOne revealed that cloud-based vulnerabilities account for a growing proportion of vulnerabilities reported by bug bounty hunters, now totalling 65,000 in 2022, a year-on-year rise of 21%.
• A security researcher who discovered a means to achieve unauthorized access to resumes stored on LinkedIn may have been left underwhelmed by the $5,000 bounty he received for his find, given the potential impact of the issue on users of the Microsoft-owned business-focused social network. An Insecure Direct Object Reference (IDOR) security vulnerability, inadvertently introduced in October 2022, could have allowed recruiters and perhaps more unsavoury parties to download resumes without permission.
• Swedish video surveillance giant Axis Communications has launched a private bug bounty program with Bugcrowd.

New open source infosec/hacking tools

• Node Security Shield – a defensive tool that takes an allow-listing approach to protecting zero-day protection for NodeJS applications. The tool was inspired by the infamous Log4Shell vulnerability, a zero-day vulnerability in Log4j, a popular Java logging framework.
• Invoke-DNSteal – allows pen testers to perform file transfers using the DNS protocol as a covert communications channel.
• Kubeshark – API Traffic Viewer for Kubernetes, providing “deep visibility and monitoring of all API traffic and payloads going in, out and across containers and pods inside a Kubernetes cluster”

For devs

• Google has announced a free-of-charge scanner that allows open source developers to check their software projects for vulnerable dependencies. The tool – called OSV-Scanner – builds on Google’s work in developing an open source vulnerability database.
• OWASP, best known for its ‘Top 10 Web Application Security Risks’ framework, is backing the creation of a similar scheme to index classes of security risks in the world of AppSec and DevSecOps. The Top 10 CI/CD Security Risks taxonomy aims to catalogue risks in the CI/CD pipeline. “Insufficient Flow Control Mechanisms” topped the nascent list.
• The SHA-1 cryptographic algorithm, in use since 1995, has reached the end of its useful life, announced the National Institute of Standards and Technology (NIST), which says the federal government should phase out its use by 2030.
• Research from Endor Labs found that the vast majority (95%) of all vulnerabilities are “found in transitive dependencies – open source code packages that are not selected by developers, but indirectly pulled into projects”.

For fun

ChatGPT – the artificial intelligence chat tool from OpenAI – is the hottest thing in infosec-focused social media circles just now. Rather than suggesting possible vulnerabilities in code we wondered what ChatGPT could conjure when asked to write lyrics for a song about SQL injection in the style of the late David Bowie.

The results were more than satisfactory:

In the realm of computers, where data flows like a stream
There are those that seek to exploit and cause us all to scream
They are the hackers, the codebreakers, the malicious ones
And among their favorite trick is the art of SQL injection

Chorus:

SQL injection, SQL injection
A dangerous game, a digital infection
SQL injection, SQL injection
Beware of the hackers and their devious invention

To paraphrase the great man himself, I still don’t know what I was waiting for… but it definitely wasn’t this.

RECOMMENDED Black Hat Europe 2022: A defendable internet is possible, but only with industry makeover