#git

As the second entry in our “Exploring malicious Windows drivers” series, we will continue where the first left off: Discussing the I/O system and IRPs.

Exploring trends on how attackers are trying to manipulate and bypass MFA, as well as when/how attackers will try their 'push-spray' MFA attacks

Seventy percent of enterprises are prioritizing investment in SaaS security by establishing dedicated teams to secure SaaS applications, as part of a growing trend of maturity in this field of cybersecurity, according to a new survey released this month by the Cloud Security Alliance (CSA). Despite economic instability and major job cuts in 2023, organizations drastically increased investment in

### Impact This issue is only relevant to clusters provisioned using RKE1 with secrets encryption configuration enabled. A vulnerability has been identified in which an RKE1 cluster keeps constantly reconciling when secrets encryption configuration is enabled (please see the [RKE documentation](https://rke.docs.rancher.com/config-options/secrets-encryption)). When reconciling, the Kube API secret values are written in plaintext on the AppliedSpec. Cluster owners, Cluster members, and Project members (for projects within the cluster), all have RBAC permissions to view the cluster object from the apiserver. This could lead to an unauthorized user gaining access to the entire secrets encryption config specific for the cluster, only on the applied spec. Since this affects only custom encryption configurations, users need to manually rotate the keys by editing the cluster. For more information, please refer to the [RKE secrets encryption documentation](https://rke.docs.rancher.com/config...

### Impact A vulnerability has been identified whereby privilege escalation checks are not properly enforced for `RoleTemplate`objects when external=true, which in specific scenarios can lead to privilege escalation. The bug in the webhook rule resolver ignores rules from a `ClusterRole` for external `RoleTemplates` when its context is set to either `project` or is left empty. The fix introduces a new field to the `RoleTemplate` CRD named `ExternalRules`. The new field will be used to resolve rules directly from the `RoleTemplate`. Additionally, rules from the backing `ClusterRole` will be used if `ExternalRules` is not provided. The new field will always take precedence when it is set, and serve as the source of truth for rules used when creating Rancher resources on the local cluster. Please note that this is a breaking change for external `RoleTemplates`, when context is set to `project` or empty and the backing `ClusterRole` does not exist, as this was not previously required. *...

### Impact When RKE provisions a cluster, it stores the cluster state in a configmap called `full-cluster-state` inside the `kube-system` namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include the following sensitive data: - RancherKubernetesEngineConfig - RKENodeConfig - SSH username - SSH private key - SSH private key path - RKEConfigServices - ETCDService - External client key - BackupConfig - S3BackupConfig - AWS access key - AWS secret key - KubeAPIService - SecretsEncryptionConfig - K8s encryption configuration (contains encryption keys) - PrivateRegistries - User - Password - ECRCredentialPlugin - AWS access key - AWS secret key - AWS session token - CloudProvider - AzureCloudProvider - ...

### Impact A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users, Rancher will not reflect these modifications which may leave the user’s tokens still usable. An AP must be enabled to be affected by this, as the built-in User Management feature is not affected by this vulnerability. This issue may lead to an adversary gaining unauthorized access, as the user’s access privileges may still be active within Rancher even though they are no longer valid on the configured AP (please consult the [MITRE ATT&CK - Technique - Valid Accounts](https://attack.mitre.org/techniques/T1078/) for further information about the associated technique of attack). It’s important to note that all configurable APs are impacted, see [Rancher Docs - Configuring Authentication - External vs. Local Authentication](https://ranchermanager.docs....

### Summary If an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request. ### Details The attack process is described above.  ### PoC Frontend: 1. Pass basic authentication (SSO/Access Code). 2. Set the Base URL to a private attack address. 3. Configure the request method to be a server-side request. 4. At the self-set attack address, retrieve the API Key information from the request headers. Backend: 1. The LobeChat version allows setting the Base URL. 2. There is no outbound traffic whitelist. ### Impact All community version LobeChat users using SSO/Access Code authentication, tested on version 0.162.13.

### Impact A MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to your Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an incrementing id, an attacker could try sign an OAuth application up to a users profile quite easily if they have created one. The attacker would also need to know the victims username and password. ### Patches Problem has been patched in Firefly III v6.1.17 and up. ### Workarounds - Use a unique password for your Firefly III instance, - Store your password securely, i.e. in a password manager or in your head. ### References - https://owasp.org/www-community/attacks/Password_Spraying_Attack - https://www.menlosecurity.com/what-is/highly-evasive-adaptive-threats-heat/mfa-bypass

Incorrect access control in the Kafka Connect REST API in the STRIMZI Project 0.41.0 and earlier allows an attacker to deny the service for Kafka Mirroring, potentially mirror the topics' content to his Kafka cluster via a malicious connector (bypassing Kafka ACL if it exists), and potentially steal Kafka SASL credentials, by querying the MirrorMaker Kafka REST API.