Reflected XSS and DOM-based XSS bugs net researchers $3,000 and $5,000 bug bounties

Reflected XSS and DOM-based XSS bugs net researchers $3,000 and $5,000 bug bounties

  

A pair of vulnerabilities in Google Cloud, DevSite, and Google Play could have allowed attackers to achieve cross-site scripting (XSS) attacks, opening the door to account hijacks.

The first vulnerability is a reflected XSS bug in Google DevSite. An attacker-controlled link could run JavaScript on the origins http://cloud.google.com and http://developers.google.com, meaning a malicious actor could read and modify its contents, bypassing the same-origin policy.

Researcher ‘NDevTK’, who discovered both vulnerabilities, wrote: “Due to a vulnerability in the server-side implementation of <devsite-language-selector> part of the URL was reflected as html so it was possible to get XSS on the origins using that component from the 404 page.”

Read more about the latest web security vulnerabilities

The second vulnerability is a DOM-based XSS on Google Play. DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as eval() or innerHTML.

This enables attackers to execute malicious JavaScript, which typically allows them to hijack other users’ accounts.

The researcher told The Daily Swig that they “don’t think the same server response” would be sent to other users without using attacker provided URL.

They wrote: “On the search page of \[the\] Google Play console vulnerable code was run when the search resulted in an error.

“Getting an error was simple as doing /?search=& and because window.location includes the hash which never encodes ' it’s possible to escape the href context and set other html attributes. Unlike the DevSite XSS this is prevented by the CSP but was still awarded more by the panel.”

**Bounty**

The researcher earned $3,133.70 for the DevSite issue and $5,000 for the vulnerability in Google Play.

Speaking to The Daily Swig, they said that they were “happy with the bounty”.

DON’T MISS Onfido bug bounty program launched to help shore up ID verification defenses

XSS vulnerabilities in Google Cloud, Google Play could lead to account hijacks

New web targets for the discerning hacker

New web targets for the discerning hacker

Summer is here in the northern hemisphere, but this hasn’t interrupted the steady stream of new bug bounty programs from hitting the market.

During the teaser for its new Lockdown Mode this month, **Apple** said vulnerabilities in the new anti-spyware tech can be disclosed via its Security Bounty program. Rewards of up to $2 million are on offer.

Lockdown Mode, which will ship with iOS 16, iPadOS 16, and macOS Ventura, is described as “an extreme, optional protection for the very small number of users who face grave, targeted threats to their digital security”.

Australia’s **Monash University** has also established a new bug bounty program, which is aimed at shoring up its defenses amid a spate of cyber-attacks impacting the education sector.

Added to the mix this month are two new rewards programs for the burgeoning digital identity market, as **Onfido** partners with YesWeHack and India’s **Aadhaar** dips its toe in the water with a program of its own.

Aadhaar is world’s largest digital identity program that provides services to over 1.3 billion Indian residents. To take part in this new, private bug bounty, hackers must apply via the UIDAI website.

There’s a high bar for entry, too, as Aadhaar stipulates that “candidates should be listed in the top 100 of the bug bounty leaderboards such as HackerOne, Bugcrowd, or listed in the bounty programs conducted by reputable companies such as Microsoft, Google, Facebook, \[or\] Apple”.

**The latest bug bounty programs for August 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Aadhaar**

**Program provider:  
**Independent

**Program type:  
**Private

**Max reward:  
**TBD

**Outline:  
**In an effort to secure Aadhaar data hosted in UIDAI’s Central Identities Data Repository (CIDR), UIDAI is planning the launch of a new bug bounty program.

**Notes:  
**Full application details can be found on the UIDAI website. The number of participants is being limited to 20, all of whom must be Indian residents.

Check out the UIDAI bug bounty bulletin (PDF) for more details

**Apple – Lockdown Mode**

**Program provider:  
**Independent

**Program type:  
**Public

**Max reward:  
**$2 million

**Outline:  
**Apple has established a new category within the Apple Security Bounty program to reward researchers who find Lockdown Mode bypasses and help improve its protections.

**Notes:  
**Bounties have been doubled for qualifying findings in Lockdown Mode, up to a maximum of $2 million – one of the highest maximum payouts in the industry.

Check out our earlier coverage for more details

**BKEX**

**Program provider:  
**HackenProof

**Program type:  
**Public

**Max reward:  
**$10,000

**Outline:  
**BKEX is a global digital asset trading platform, featuring more than 1,200 cryptocurrencies.

**Notes:  
**The financial service company’s new bug bounty program is replete with a range of in-scope web attack vectors, including remote code execution (RCE), SQL injection vulnerabilities, file inclusion and access control issues, server-side request forgery (SSRF), cross-site request forgery (CSRF), cross-site scripting (XSS), and directory traversal.

Check out the BKEX bug bounty page for more details

**ClickHouse**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$2,500

**Outline:  
**ClickHouse is an open source, column-oriented OLAP database management system that allows users to generate analytical reports using SQL queries in real time. The main focus of the public program is the open source version of the ClickHouse platform.

**Notes:  
**“No technology is perfect, and ClickHouse believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology,” the company said. “We are excited for you to participate as a security researcher to help us identify vulnerabilities in our open source assets.”

Check out the ClickHouse bug bounty page for more details

**Monash University**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$2,500

**Outline:  
**Monash University in Melbourne, Australia, has launched a public bug bounty program to help maintain the security of its digital platforms.

**Notes:  
**In-scope targets include the main Monash University web domain and mobile apps, along with various technologies that are used by the institution, including its VPN and FileShare instances.

Check out our earlier coverage for more details

**Onfido**

**Program provider:  
**YesWeHack

**Program type:  
**Private

**Max reward:  
**TBD

**Outline:  
**Digital identity verification company Onfido has launched a new bug bounty program, in partnership with European vulnerability disclosure platform YesWeHack.

**Notes:  
**Commenting on the partnership, Alex Valle, chief product officer at Onfido, said: “Security and compliance are essential to our mission of creating a more open world, where identity is the key to online access, and we are always looking for ways to strengthen this.”

Check out our earlier coverage for more details

**SideFX**

**Program provider:  
**HackerOne

**Program type:**  
Public

**Max reward:**  
$3,000

**Outline:**  
Canada-based SideFX is the developer of Houdini, a 3D animation software application used in film, television, advertising, and video games.

**Notes:**  
Only vulnerabilities discovered in the company’s main web domain, sidefx.com, are applicable under the terms of this new bug bounty program.

Check out the SideFX bug bounty page for more details

**ZBWeb**

**Program provider:**  
HackenProof

**Program type:**  
Public

**Max reward:**  
$5,000

**Outline:**  
Founded in 2013, ZB.com is a worldwide digital trading platform, facilitating the exchange and management of digital assets from all corners of the globe.

**Notes:**  
In-scope web vulnerabilities include business logic issues, payment manipulation, RCE, SQL injection, access control issues, SSRF, CSRF, XSS, and other vulnerabilities with a “clear potential loss”.

Check out the ZBWeb bug bounty page for more details

**Other bug bounty and VDP news this month**

*   **HackerOne** has disclosed details of an incident involving a former employee who was accused of accessing internal data for personal financial gain.
*   **Go Daddy**, **Trellix**, and **Fidelity** have launched (unpaid) vulnerability disclosure programs (VDPs).
*   Advertising platform developer and social media company **Meta** has released its inaugural ‘Bug Bulletin’, which includes details of some of the notable finds identified in its own, and in third-party, code.

**PREVIOUS EDITION** Bug Bounty Radar // The latest bug bounty programs for July 2022

Bug Bounty Radar // The latest bug bounty programs for August 2022

New features also include ability to connect social media accounts

Emma Woollacott 28 July 2022 at 15:32 UTC

New features also include ability to connect social media accounts

GitHub has announced three enhancements to JavaScript package manager npm which aim to improve its security and manageability.

A new CLI command has been introduced to verify the integrity of packages in npm, replacing the current, more cumbersome, multi-step PGP process, which is now set to expire early next year.

“Recently, we began work to re-sign all npm packages with new signatures relying on the secure ECDSA algorithm and using an HSM for key management, and you can now rely on this signature to verify the integrity of the packages you install from npm,” writes Myles Borins and Monish Mohan, product managers at GitHub and npm, respectively, in a blog post.

“We have introduced a new audit signatures command in npm CLI version 8.13.0 and above.”

**Social connections**

Also new is the ability to connect GitHub and Twitter accounts to npm. While developers were already able to include their GitHub and Twitter handles, this was until now a free-form text field that wasn’t validated or verified.

Now, accounts can be linked via official integrations with both GitHub and Twitter, making account recovery easier and laying the foundation for automated identity verification as part of account recovery.

Finally, following mixed feedback on the recent announcement of enhancements to make two-factor authentication (2FA) adoption easier for developers, there are new moves to streamline the login and publishing experience, available in npm 8.15.0.

Read more of the latest security news about open source software

Login and publish authentication will now be managed in the browser – login can use an existing session, only prompting for the second factor or email verification OTP to create a new session.

Meanwhile, publish now supports ‘remember me for five minutes’, allowing for subsequent publishes from the same IP + access token to take place without the 2FA prompt for a five-minute period. This is especially useful when publishing from a npm workspace, says GitHub.

These features are currently opt-in, but will become the default experience in npm 9.

“Our primary goal continues to be protecting the npm registry, and our next major milestone will be enforcing 2FA for all high-impact accounts, those that manage packages with more than one million weekly downloads or 500 dependents, tripling the number of accounts we will require to adopt a second factor,” write Borins and Mohan.

“Prior to this enforcement we will be making even more improvements to our account recovery process, including introducing additional forms of identity verification and automating as much of the process as possible.”

YOU MAY ALSO LIKE Open-Xchange issues fixes for RCE, SSRF bugs in OX App Suite

GitHub enhances 2FA for npm, improves security and manageability

Initiative adds another layer of protection for end-to-end identity verification platform

James Walker 28 July 2022 at 13:19 UTC

Initiative adds another layer of protection for end-to-end identity verification platform

Digital identity verification company Onfido has launched a new bug bounty program, in partnership with European vulnerability disclosure platform YesWeHack.

The security rewards program will provide Onfido with access to YesWeHack’s community of 40,000 ethical hackers.

According to UK-based Onfido, the partnership comes as part of the company’s continued commitment to pen testing its platform against cyber-threats and delivering secure platform solutions.

**Open access**

The initiative was launched as Onfido continues to expand its Real Identity Platform to deliver a suite of trusted data sources and identity verification services.

“Together, Onfido and YesWeHack defined the rules for the bug bounty program including the scope of the test, the vulnerabilities that qualify for a reward, and their value,” a press release reads.

Read more of the latest bug bounty news

Commenting on the partnership, Alex Valle, chief product officer at Onfido, said: “Security and compliance are essential to our mission of creating a more open world, where identity is the key to online access and we are always looking for ways to strengthen this.

“The bug bounty program delivers us gold standard protection from bad actors, identifying and fixing any critical vulnerabilities before they even have a chance to arise.”

Since the beginning of 2022, YesWeHack said it has launched more than 200 new bug bounty programs and hosted several live hacking events.

“Onfido’s goal is to improve and grow the program little by little, by inviting more researchers, increasing the scope and raise the rewards,” a YesWeHack spokesperson told _The Daily Swig_.

“Switching from private to public is definitely one of their goals as they want to have the best possible coverage on their assets, however the program hasn’t reached that level of maturity yet.”

**INTERVIEW** Sonatype CTO Brian Fox on the struggle to secure the neglected software supply chain

Onfido bug bounty program launched to help shore up ID verification defenses

Attack vector cost businesses 2.5% more in one year

Attack vector cost businesses 2.5% more in one year

  

Supply chain attacks on the rise, costing businesses more year on year as organizations failing to implement zero trust strategies.

This is according to IBM’s new Cost of a Data Breach report, which found that one in five breaches occurred because of a compromise at a business partner, with a supply chain breach taking on average 26 days longer to identify and contain than the global average.

The total cost of a supply chain compromise was $4.46 million – 2.5% higher than average.

The report also found that the global average cost of a data breach has hit an all-time high of $4.35 million – up nearly 13% over the last two years.

“Seventeen per cent of breaches in critical infrastructure organizations occurred due to a business partner being initially compromised – this shows us that organizations need to put more focus on the security controls that govern third party access,” John Hendley, head of strategy at IBM Security X-Force told The Daily Swig.

**Zero trust, zero problems?**

Critical infrastructure organizations such as financial services, industrial, transportation, and healthcare companies are a growing target for these attacks, says IBM, and zero trust is the best way to guard against attack.

“Organizations need to be more vigilant than ever and closely scrutinize these external points of access into their environment, whether that’s through direct network access, applications, or even physical access,” says Hendly.

“Supply chain attacks are of great concern, both because of how insidious they are and how extreme their impacts can be. We saw this play out with SolarWinds, and we’ll surely see more of these attacks in the future.”

Read more of the latest news about software supply chain attacks

Those organizations that had implemented a zero trust security approach saw breaches cost them less, with an average cost saving of $1.5 million.

However, critical infrastructure organizations in particular are failing to do this, with only one in five having adopted a zero trust model, compared with an overall global average of 41%.

Javvad Malik, lead security awareness advocate at KnowBe4, says that greater transparency is needed across the supply chain, along with greater technical assurance that all components are adequately secured.

“We’ve seen many organizations breached, not for the organization itself, but because it will provide a way into another. Popular examples of these include Target, RSA, and more recently SolarWinds,” he told The Daily Swig.

“While many organisations try to mitigate risks by sending out lengthy questionnaires to third parties it deals with to determine the level of security they employ, it is often not sufficient to cover the entire supply chain, and even if it was, it doesn’t provide technical assurance.”

YOU MAY ALSO LIKE ‘We’re still fighting last decade’s battle’ – Sonatype CTO Brian Fox on the struggle to secure the neglected software supply chain

One in five data breaches due to software supply chain compromise, IBM report warns

Security release also includes precautionary patches for potential Log4j-like flaw in Logback library

Security release also includes precautionary patches for potential Log4j-like flaw in Logback library

Diversified technology and infrastructure software provider Open-Xchange has released fixes for several security vulnerabilities impacting OX App Suite.

Available as an on-premise solution or as part of the organization’s cloud offering, OX App Suite is secure email and collaboration software designed for telcos, web hosting firms, and service providers.

The latest patch release includes fixes for two remote code execution (RCE) vulnerabilities that were discovered in the software’s document converter component. CVE-2022-23100 and CVE-2022-24405 earned CVSS scores of 8.2 and 7.3, respectively.

The document converter API was also found to harbor a server-side request forgery (SSRF) vulnerability (CVE-2022-24406) that potentially allowed attackers to predict boundaries and overwrite its content.

**Preemptive patches**

Further down the severity list are two cross-site scripting (XSS) flaws impacting OX App Suite (CVE-2022-23099, CVE-2022-23101). In order to exploit these flaws, an attacker would need to force a victim to click on a malicious link.

In the wake of the Log4Shell issue that rocked the global software development industry last December, OX App Suite also includes an update that addresses a similar potential issue in the Logback component (CVE-2021-42550).

**YOU MIGHT ALSO LIKE** Cisco patches dangerous bug trio in Nexus Dashboard

“At its default configuration, OX App Suite is not susceptible to this vulnerability and there are no scenarios that require to deploy a vulnerable configuration,” the Open-Xchange security advisory reads.

“We provide this update strictly as a precaution to mitigate the possibility of a vulnerability. Exploiting CVE-2021-42550 at this point would require privileged access to alter system configuration.”

**External input**

When asked whether the vulnerabilities were discovered as part of the company’s bug bounty program, Open-Xchange CISO Martin Heiland told _The Daily Swig_: “For this advisory, it was a 50/50 thing. We use input from the bug bounty program as inspiration for our internal research.

“In this case, the full impact of a seemingly ‘medium’ issue reported via the bounty program led to a thorough review process and discovery of a potential remote code execution flaw.”

Read more of the latest news about security vulnerabilities

Heiland added: “Combining internal reviews with external input makes our program very impactful and helps with continuous learning and challenging of our engineering teams. I have been running the bug bounty program for about six years, and it has been very successful for our web applications.”

The vulnerabilities impact OX App Suite versions 7.10.6 and earlier. They have all been fixed by the vendor in various branch updates.

“Most users run automated deployment and our own hosted service uses ‘cloud native’ automation/orchestration, which allows very swift updates,” Heiland said. “Of course, we advise updating as soon as possible, regardless of the deployment method.”

**RECOMMENDED** FileWave MDM authentication bypass bugs expose managed devices to hijack risk

Open-Xchange issues fixes for RCE, SSRF bugs in OX App Suite

‘Vast majority’ of users have updated systems thanks to vendor warnings

‘Vast majority’ of users have updated systems thanks to vendor warnings

Vulnerabilities in FileWave’s mobile device management (MDM) platform could enable attackers to seize control of vulnerable instances and all their managed devices, security researchers warn.

FileWave MDM allows IT administrators to manage and monitor an organization’s laptops, workstations, smartphones, tablets, and other smart devices.

A pair of critical authentication bypasses in the software uncovered by industrial cybersecurity firm Claroty mean hostile actors could gain the highest administrative privileges and access “users’ personal home networks, organizations’ internal networks, and much more”, according to a blog post published yesterday (July 25) by Claroty vulnerability researcher Noam Moshe.

RECOMMENDED Cloud fax company claims healthcare pros are ditching email for ‘more secure’ fax

Attackers could “exfiltrate all sensitive data being held by \[compromised\] devices, including usernames, email addresses, IP addresses, geo-location etc, and install malicious software on managed devices”, he added. Claroty’s proof-of-concept exploit involved the installation of faux ransomware.

Users have been urged to apply the most recent software update.

Researchers from Claroty’s Team82 said they discovered more than 1,100 vulnerable FileWave MDM instances operated by organizations of various sizes, including for instance government agencies and educational institutions.

However, the “vast majority” of systems have been “verified as up to date”. Team82 commended FileWave for “swiftly patching these vulnerabilities” and for notifying users.

**Hardcoded shared secret**

Researchers first uncovered a hard-coded cryptographic key vulnerability (CVE-2022-34906), before finding a second bypass (CVE-2022-34907) that Moshe likened to a recent vulnerability in F5’s BIG-IP networking software that potentially exposed thousands of users to remote takeover.

The first bypass pertained to a hardcoded shared secret – – used by the task scheduler service to authenticate to the web server.

Each route requiring valid authentication must inherit the class (or any class that itself inherits this class), noted Moshe.

“This check is performed inside the function, where if this function returns the request will be fulfilled, and if this function returns , a 401 Unauthorized will be returned,” he said.

Read more of the latest cybersecurity research news and analysis

The function takes the authorization header from the HTTP request, compares it to the base64-decoded scheduler secret, and if they match, the request is granted permissions.

“This means that if we know the shared secret and supply it in the request, we do not need to supply a valid user’s token or know the user’s username and password,” explained Moshe.

**Second bypass**

This vulnerability only worked up to FileWave version 13.1.3, when the logic inside was changed so that, instead of comparing the authorization header to the scheduler secret, it only accepted valid users’ tokens.

But Team82 also discovered the addition of a middleware – – that did compare the authorization header to the scheduler secret. However, they would have to bypass a new check comparing to localhost in order to again obtain privileges.

Fortunately, documentation from Django, which was used to code the web server in Python, showed this was achievable by setting the header as localhost.

**No exploitation to date**

FileWave addressed the second flaw in versions 14.6.3, 14.7.2, and 14.8, which protect users against both bypasses.

The vendor said it notified affected users of the vulnerabilities and availability of patched versions on April 26.

In a press release published today (July 26) it also said: “The implementation of the patched software versions should have eliminated the risk of the vulnerabilities to be exploited by third-party attacks. Since the identification of the vulnerabilities, no actual exploitation has become known to FileWave to date. Nevertheless, we recommend users of FileWave Services to double-check that the security update is properly installed and up to date to avoid the risk of third-party attacks going forward.”

Noam Moshe told The Daily Swig: “With the large number of XIoT \[extended IoT\] devices in use today, it’s very common for any type of organisation to use an MDM solution so the IT administrators can manage everything effectively.

“Authentication bypass vulnerabilities, such as CVE-2022-34907, are unfortunately more common than many people realise,” he added. “By sharing our knowledge, we hope to raise awareness around these types of vulnerabilities so they can be eliminated before they are exploited worldwide.”

YOU MIGHT ALSO LIKE Adversarial attacks can cause DNS amplification, fool network defense systems, machine learning study finds

FileWave MDM authentication bypass bugs expose managed devices to hijack risk

Maintainers warn to patch all versions of open source web app framework – even those not deemed vulnerable

Maintainers warn to patch all versions of open source web app framework – even those not deemed vulnerable

  

Researchers from AntGroup FG Security Lab have discovered a critical security vulnerability allowing an attacker to remotely execute code within a Grails application runtime.

Grails is an open source web application framework based on the Apache Groovy programming language and is used for developing agile web applications. Customers include Google, IBM, Walmart, Credit Suisse, and Mastercard.

The flaw, tracked using CVE-2022-35912, allows an attacker to remotely execute code within a Grails application runtime by issuing a specially crafted web request that grants the attacker access to the class loader.

Read more of the latest news about web security vulnerabilities

The attack exploits a section of the Grails data-binding logic, which is invoked in a number of ways including the creation of command objects, domain class construction, and manual data binding when using bindData.

The vulnerability has been confirmed on Grails framework versions 3.3.10 and higher, including Grails framework 4 and 5, that are running on Java 8. It has been observed in both the embedded Tomcat runtime and applications deployed as a Web Archive (WAR) to a Tomcat instance.

“Due to the nature of this vulnerability, we strongly suggest that all Grails applications, including those that are not vulnerable to this specific attack, be updated to a patched Grails release,” the Grails team noted in a blog post.

“While we have not been able to reproduce this specific exploit on applications running in Java 11 or in versions of the Grails framework before 3.3.10, the nature of the vulnerability is such that variations on the attack could be discovered that earlier Grails releases, and Grails applications running on higher versions of Java will be impacted.”

**Patches available**

Versions 5.2.1, 5.1.9, 4.1.1, and 3.3.15 have now been patched, and the team recommends upgrading to a patched version. Grails 4.x applications can be upgraded to version 4.1.1 or higher, Grails 5.0.x and 5.1.x applications can be upgraded to 5.1.9 or higher, and Grails 5.2 applications can be upgraded to 5.2.1 or higher.

“The Grails Foundation and the Grails core development team take application security very seriously,” wrote the team. “We are continuing to research and monitor this vulnerability.”

YOU MAY ALSO LIKE Cisco patches dangerous bug trio in Nexus Dashboard

Critical security vulnerability in Grails could lead to remote code execution

The fax is dead. Long live the online fax? A new study suggests many healthcare professionals believe that flaws in today’s web security landscape are prompting a return to what’s been deemed an “extr

The fax is dead. Long live the online fax?

A new study suggests many healthcare professionals believe that flaws in today’s web security landscape are prompting a return to what’s been deemed an “extremely” secure medium: fax.

Published earlier this month, eFax research surveyed 1,000 IT and business decision-makers in the UK and Europe.

According to the report (PDF), 62% of respondents in the healthcare sector said that security was the major reason for a “migration” to cloud-based fax systems, and 21% of those surveyed believe that digital fax systems are “extremely” secure.

**What is ‘cloud fax’?**

Cloud faxing removes the need for on-premise equipment on both sides of a transmission. The gist is that users can send a fax quickly, via an online service, to be viewed and/or printed by the recipient.

Among fax users in healthcare, 37% of respondents said they use “cloud-based fax” systems, while 21% use both cloud and traditional faxing.

The research is the work of eFax, a company that uses the slogan: “The fast & easy way to send and receive faxes by email”.

It’s interesting, then, that the company’s own research says: “One of the main problems with email is its increasing vulnerability to interception, hacking, and fraud.”

“eFax is an internet fax service that eliminates the need for a fax machine, extra fax line, and all the associated expenses,” the company says. “Get a real local or toll-free fax number to send and receive faxes as email attachments. Online faxing is more reliable, secure, and convenient than analog fax machines.”

**Blurred lines**

When you send a test eFax ‘fax’, you receive an ‘incoming’ fax email with a PDF attached. Faxes can be sent to a phone number or online assignment number and can be accessed via email, the eFax portal, mobile app, or a standard fax machine.

Overall, a third of respondents (37%) said fax usage was likely to increase in the future – but 35% also said there might be a decrease.

However, while eFax appears to be trying to separate email and fax security, the line between what can be considered a fax message, or just an email, has been blurred.

Read more of the latest email security news

Traditional fax machines were considered secure in the past as they were ‘dumb’, internet connections were dial-up or nothing, and contained limited, analog functionality.

But the moment you connect a fax ‘number’ to a digital channel – whether this is an online portal accessed through a browser, email account, or app – there is always a risk of compromise.

When the study was published, Scott Wilson, vice president of sales and service at eFax, commented:

It’s clear that email is the established and widely accepted format for most communications, but it’s flawed and vulnerable to interception and hacking. Cloud faxing is more secure than email not least because fax infrastructure has limited exposure to the internet and internet-connected devices.

**‘Encryption is king’**

Using a fax number to send a message rather than an email address might not be traceable to a specific company department or user, and so could mitigate the risk of targeted attacks.

Sending a document directly to a physical fax machine, too, might have some perceived advantages – but it does not take away the risks of its underlying, digital infrastructure.

When asked by _The Daily Swig_ how eFax differs from standard email, and what security or encryption measures are in place, the eFax did not respond. (The firm’s help center, however, does mention TLS and some form of encryption.)

Simon Mullis, CTO of Venari Security, commented: “Cloud-based fax systems are a resourceful way to ensure the secure communication of confidential information, but for most encryption will be king.

“With 25% of healthcare organizations saying they rely on email encrypted software, it’s important to recognize the role of end-to-end encryption in ensuring higher levels of security and privacy, while also remaining compliant of regulations like GDPR.”

Cloud fax services can be quicker, cheaper, and more convenient for businesses that don’t want to rely on analog lines. However, the jury’s out on whether digital ‘faxes’ are any more, or less, secure than email – especially when both would depend on the implementation of basic security measures such as end-to-end encryption.

**YOU MIGHT ALSO LIKE** Zero-day flaws in GPS tracker pose surveillance, fuel cut-off risks to vehicles

Cloud fax company claims healthcare pros are ditching email for ‘more secure’ fax

Inadequate access control and CSRF protections spawn critical and high severity issues

Adam Bannister 25 July 2022 at 14:10 UTC

Inadequate access control and CSRF protections spawn critical and high severity issues

Serious vulnerabilities in Cisco Nexus Dashboard give attackers a viable path to executing arbitrary commands as root, uploading container image files, or performing cross-site request forgery (CSRF) attacks.

Discovered via internal testing, the trio of unauthenticated bugs – one critical, two high severity – have been patched in the data center management platform’s latest software update.

Cisco said it was not aware of any in-the-wild malicious abuse of the vulnerability.

**Vulnerable API**

The most severe issue, notching a critical CVSS score of 9.8, could allow an attacker to access a vulnerable API running in the data network and execute arbitrary commands (CVE-2022-20857).

The vulnerability can be abused by sending crafted HTTP requests to the API, which, thanks to insufficient access controls, means an attacker can “execute arbitrary commands as the root user in any pod on a node”, reads a security advisory published on July 20.

The most severe of two high severity issues is the CSRF bug (CVSS 8.8), which exists in the web UI running in the management network.

Catch up on the latest enterprise security news

The vulnerability (CVE-2022-20861) is exploitable “by persuading an authenticated administrator of the web-based management interface to click a malicious link”, said Cisco. Should they achieve this, attackers could then “perform actions with Administrator privileges on an affected device”.

Finally, a flaw with a CVSS rating of 8.2 (CVE-2022-20858) exposes the service that manages container images in both the data and management networks.

Arising due to insufficient access controls, the vulnerability can be exploited “by opening a TCP connection to the affected service” and downloading container images or uploading malicious container images to an affected device. “The malicious images would be run after the device has rebooted or a pod has restarted,” added Cisco.

Vulnerable versions of Cisco Nexus Dashboard – formerly known as Cisco Application Services Engine – are 1.1, 2.0, 2.1, and 2.2 (although version 1.1 is not affected by CVE-2022-20858). All three flaws have been addressed in version 2.2(1e).

Cisco was unable to provide workarounds to mitigate risks.

YOU MIGHT ALSO LIKE Zyxel firewall vulnerabilities left business networks open to abuse

Source

PortSwigger