NVIDIA DGX-2 SBIOS contains a vulnerability where an attacker may modify the ServerSetup NVRAM variable at runtime by executing privileged code. A successful exploit of this vulnerability may lead to denial of service.

**Details**

This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

**CVE ID**

**Description**

**Base Score**

**Vector**

CVE‑2022‑42274

NVIDIA BMC contains a vulnerability in the IPMI handler, where an attacker with the required privileges can cause a buffer overflow, which may lead to denial of service or code execution.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42280

NVIDIA BMC contains a vulnerability in the SPX REST authorization handler, where an unauthorized user can exploit a path traversal, which may lead to escalation of privileges.

7.1

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVE‑2022‑42282

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can access arbitrary files, which may lead to information disclosure.

6.5

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE‑2022‑42283

NVIDIA BMC contains a vulnerability in the IPMI handler, where an attacker with the required privileges can cause a buffer overflow, which may lead to denial of service or code execution.

6.4

AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42286

NVIDIA DGX-2 SBIOS contains a vulnerability in Bds, which may lead to code execution, denial of service, or escalation of privileges.

6.0

AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVE‑2022‑42287

NVIDIA BMC contains a vulnerability in the IPMI handler, where an attacker can upload and download arbitrary files under certain circumstances, which may lead to denial of service, escalation of privileges, information disclosure, or data tampering.

6.0

AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CVE‑2022‑42289

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure, or data tampering.

7.2

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42290

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure, or data tampering.

7.2

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2023‑0200

NVIDIA DGX-2 contains a vulnerability in OFBD where a user with high privileges and a pre-conditioned heap can cause an access beyond a buffers end, which may lead to code execution, escalation of privileges, denial of service, and information disclosure.

7.5

AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2023‑0201

NVIDIA DGX-2 SBIOS contains a vulnerability in Bds, where a user with high privileges can cause a write beyond the bounds of an indexable resource, which may lead to code execution, denial of service, compromised integrity, and information disclosure.

6.7

AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2023‑0202

NVIDIA DGX A100 SBIOS contains a vulnerability where an attacker may modify arbitrary memory of SMRAM by exploiting the GenericSio and LegacySmmSredir SMM APIs. A successful exploit of this vulnerability may lead to denial of service, escalation of privileges, and information disclosure.

7.5

AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2023‑0206

NVIDIA DGX A100 SBIOS contains a vulnerability where an attacker may modify arbitrary memory of SMRAM by exploiting the NVME SMM API. A successful exploit of this vulnerability may lead to denial of service, escalation of privileges, and information disclosure.

7.5

AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2023‑0207

NVIDIA DGX-2 SBIOS contains a vulnerability where an attacker may modify the ServerSetup NVRAM variable at runtime by executing privileged code. A successful exploit of this vulnerability may lead to denial of service.

7.5

AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

**Security Updates**

The following table lists the NVIDIA software products affected, versions affected, and the updated version that includes this security update.

To protect your system, download and install this firmware update through the NVIDIA Enterprise Support Portal.

**CVE IDs Addressed**

**Hardware Platform**

**System**

**Affected Versions**

**Updated Version**

**Firmware Container**

CVE‑2022‑42274  
CVE‑2022‑42280  
CVE‑2022‑42282  
CVE‑2022‑42283  
CVE‑2022‑42287  
CVE‑2023‑0200  
CVE‑2023‑0201

DGX-2

DGX-2

All BMC versions prior to 1.08.00

01.08.00

23.3.1

CVE‑2022‑42286  
CVE‑2022‑42289  
CVE‑2022‑42290  
CVE‑2023‑0207

DGX-2

DGX-2

All SBIOS versions prior to 0.33

0.33

23.3.1

CVE‑2023‑0202  
CVE‑2023‑0206

DGX A100

DGX A100

All SBIOS versions prior to 1.18

1.18

22.12.1

**AMI Security Advisory CVEs Addressed**

CVE‑2022‑40259  
CVE‑2022‑40242  
CVE‑2022‑2827

DGX Station A100

DGX Station A100

All BMC versions prior to 2.01.00

2.01.00

23.3.1

**Additional Information****Security Vulnerabilities Reported by AMI**

The following table lists potential security vulnerabilities in some AMI MegaRAC SP-X Baseboard Management Controllers that have been reported by AMI. These vulnerabilities may allow user enumeration, unauthorized access, or arbitrary code execution.

**CVE ID**

**Severity**

**Summary**

CVE‑2022‑40259

Critical

AMI MegaRAC Redfish Arbitrary Code Execution

CVE‑2022‑40242

High

MegaRAC Default Credentials Vulnerability

CVE‑2022‑2827

High

AMI MegaRAC User Enumeration Vulnerability

The following table lists the status of the NVIDIA response to these vulnerabilities for each NVIDIA DGX system.

**System**

**Status**

DGX-1

Not vulnerable - no response required

DGX-2

Not vulnerable - no response required

DGX A100

To be addressed in May 2023 as stated in NVIDIA DGX A100 Server and DGX Station A100 - December 2022

DGX Station

Not vulnerable - no response required

DGX Station A100

Addressed in this update

**Security Vulnerabilities Reported by Intel**

The following table lists potential security vulnerabilities in some Intel Processors that have been reported by Intel. These vulnerabilities may allow escalation of privileges or denial of service. They are addressed in DGX-2 SBIOS release version 0.33.

**CVE ID**

**Severity**

**Summary**

CVE‑2020‑12357

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE‑2020‑8670

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE‑2020‑8700

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE‑2020‑12359

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE‑2020‑12358

Medium

Intel(R) Processors Denial of Service Vulnerability

CVE‑2021‑0095

Medium

Intel(R) Processors Denial of Service Vulnerability

CVE‑2020‑12360

Medium

Intel(R) Processors Privilege Escalation Vulnerability

CVE‑2020‑24486

Medium

Intel(R) Processors Denial of Service Vulnerability

**Acknowledgements**

CVE‑2022‑42274, CVE‑2022‑42280, CVE‑2022‑42282, CVE‑2022‑42283, CVE‑2022‑42286, CVE‑2022‑42287, CVE‑2022‑42289, CVE‑2022‑42290: The NVIDIA Offensive Security Research (OSR) team reported these issues.

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

1.0

March 23, 2023

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2023-0207: NVIDIA Support

NVIDIA DGX-1 SBIOS contains a vulnerability in Bds, which may lead to code execution, denial of service, and escalation of privileges.

**Details**

This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

**CVE ID**

**Description**

**Base Score**

**Vector**

CVE‑2023‑0209

NVIDIA DGX-1 SBIOS contains a vulnerability in the Uncore PEI module, where authentication of the code executed by SSA is missing, which may lead to arbitrary code execution, denial of service, escalation of privileges, information disclosure, data tampering, and SecureBoot bypass.

8.2

AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2023‑25505

NVIDIA DGX-1 BMC contains a vulnerability in the IPMI handler of the AMI MegaRAC BMC, where an attacker with the appropriate level of authorization can cause a buffer overflow, which may lead to denial of service, information disclosure, or arbitrary code execution.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2023‑25506

NVIDIA DGX-1 contains a vulnerability in Ofbd in AMI SBIOS, where a preconditioned heap can allow a user with elevated privileges to cause an access beyond the end of a buffer, which may lead to code execution, escalation of privileges, denial of service and information disclosure. The scope of the impact of this vulnerability can extend to other components.

7.5

AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2023‑25507

NVIDIA DGX-1 BMC contains a vulnerability in the SPX REST API, where an attacker with the appropriate level of authorization can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure, and data tampering.

7.2

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2023‑25508

NVIDIA DGX-1 BMC contains a vulnerability in the IPMI handler, where an attacker with the appropriate level of authorization can upload and download arbitrary files under certain circumstances, which may lead to denial of service, escalation of privileges, information disclosure, and data tampering.

6.7

AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2023‑25509

NVIDIA DGX-1 SBIOS contains a vulnerability in Bds, which may lead to code execution, denial of service, and escalation of privileges.

6.0

AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

**Security Updates**

The following table lists the NVIDIA server products affected, firmware versions affected, and the updated version that includes this security update.

To protect your system, download and install this firmware update through the NVIDIA Enterprise Support Portal.

**CVE IDs Addressed**

**Hardware Platform**

**System**

**Affected Versions**

**Updated Version**

CVE‑2023‑25505  
CVE‑2023‑25508  
CVE‑2023‑25507

NVIDIA DGX-1 Servers

DGX-1

All BMC versions prior to 3.39.3

3.39.30

CVE‑2023‑0209  
CVE‑2023‑25506  
CVE‑2023‑25509

NVIDIA DGX-1 Servers

DGX-1

All SBIOS prior to S2W\_3A13

S2W\_3A13

**Notes**

*   Upgrade the NVIDIA DGX-1 firmware container to version 23.04.01 to get the updated firmware and SBIOS version listed in the table above. Firmware updates are available through the NVIDIA Enterprise Support Portal.

**Additional Information: Security Vulnerabilities Reported by Intel**

The following table lists potential security vulnerabilities in some Intel processors that have been reported by Intel. These vulnerabilities may allow escalation of privileges or denial of service. They are addressed in DGX-1 SBIOSS2W\_3A13.

**CVE ID**

**Severity**

**Summary**

CVE-2020-12357

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE-2020-8670

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE-2020-8700

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE-2020-12359

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE-2020-12358

Medium

Intel(R) Processors Denial of Service Vulnerability

CVE-2021-0095

Medium

Intel(R) Processors Denial of Service Vulnerability

CVE-2020-12360

Medium

Intel(R) Processors Privilege Escalation Vulnerability

CVE-2020-24486

Medium

Intel(R) Processors Denial of Service Vulnerability

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

1.1

April 19, 2023

Modified CVE-2023-0209 description.

1.0

April 19, 2023

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2023-25509: NVIDIA Support

While Intel is building more hardware protections directly into the chips, enterprises still need a strategy for applying security updates on these components.

Intel is taking a new tack with its latest commercial PC chips announced last month: Instead of touting speed and performance, the company is emphasizing the chip's security features.

The chip giant has been working with security vendors in recent years to implement hardware-level protections on the chips to protect laptops from ransomware and malware attacks. The new 13th Gen Intel Core vPro processors include under-the-hood improvements at the firmware and operating system levels that boost system protection and management, the company says.

Attackers will find it harder to compromise the firmware through hardware exploits because many of the new upgrades are in the chip's firmware and BIOS, and the chip's security layer contains prevention and detection capabilities. For example, there is a better handshake between the firmware and Microsoft's virtualization technology in Windows 11 to prevent intrusions, says Mike Nordquist, vice president and general manager of Intel Business Client Product Planning and Architecture. He notes that Hyper-V on Windows 11 works with vPro to store secrets and credentials in a virtual container.

"If you only have detection, you keep letting everyone in your front door. You are never really going to address the problem. You have to figure out how to close that front door," Nordquist says.

**Secure Enclaves on Chip**

Intel's vPro now provides the hooks for critical applications running on Windows 11 to be encrypted in memory through a feature called Total Memory Encryption-Multi-Key.

Microsoft provides the ability to encrypt storage drives, but it recently added the ability to encrypt data in memory. Intel's newer Core chips, code-named Raptor Lake, come ready for that feature; they have 16 memory slots in which applications can be encrypted, with separate keys needed to unlock the data.

The feature helps prevent side-channel attacks, which typically involve breaking into a chip and stealing unencrypted data from sources that include memory. Hackers would need a key to unlock the data, and isolating applications in 16 different slots makes it an even bigger challenge to steal data.

Applications are encrypted in virtual machines created in the memory slots, and system administrators can enable or disable the feature.

"We're not encrypting the entirety of the memory, because if you don't need to do it, it is basically going to impact performance," says Venky Venkateswaran, director of client product security and virtualization architecture and definition for Intel's Client Computing Group.

A new vPro technology to prevent security threats, TDT (threat detection technology), uses libraries baked into the chips to identify abnormal activity and security threats on a PC. The library assesses telemetry coming from CPUs that may be related to abnormal processing activity as a result of a security breach.

For example, the libraries can tell if a cryptocurrency mining application is calling on an abnormally high number of crypto instructions. That information is sent to security applications, which use that data in their engine to triage and stop threats.

The libraries have models tuned to weed out ransomware and other types of attack.

"We have low-level telemetry and an AI engine of sorts that can weed out the noise ... you don't want to have false positives," Venkateswaran says.

Intel is partnering with several antivirus vendors, including Microsoft, CrowdStrike, Eset, and Check Point Technologies, to integrate TDT features into security software. This way, the vendors get access to hardware telemetry to detect threats in virtual machines. For example, Eset Endpoint Security will be able to detect ransomware through Intel's performance monitoring unit (PMU), which sits underneath applications in the operating system.

**Patching Components**

Intel is working with PC makers to bring a standard methodology to patch PCs, and it is not putting all the eggs in one basket when it comes to securing systems. The focus is on establishing islands of security for different hardware components.

"There's no reason the BIOS needs to be able to have access to the OS memory. There is no value-add in it," Nordquist says. "So we actually deprivileged that at a base level ... and we did an enhanced level where we could really lock it down good. On vPro, that is a little bit better."

Attack vectors for PCs are different from servers and require a different security profile, he says.

"Before, PCs were designed to make sure the OS was protected. What if I want to protect something from the OS? What if I do not trust the hypervisor? I need the next level of security to deal with that," Nordquist says.

**Squashing Chip Bugs**

As a sign that Intel is serious about making hardware security a priority, the company last year awarded $935,751 in bug bounties to security researchers disclosing security flaws in its chips and firmware. The company has paid a total of $4 million since the inception of the program in 2017, according to its most recent annual security research report.

"These firmware updates are usually released on Intel's website, and the device vendor is responsible for distributing them. Some of them can be delivered automatically by Microsoft Windows Update, but only limited vendors can update their devices through it," says Alex Matrosov, founder of Binarly, whose firmware security platform helps people discover and patch hardware vulnerabilities. "CISOs should start paying more attention to threats and device ... security below the operating system. Every mature enterprise organization should invest in firmware security and specifically vulnerability management for their device security pasture."

Intel Prioritizes Security in Latest vPro Chips

Attackers have their methods timed to the second, and they know they have to get in, do their damage, and get out quickly. CISOs today must detect and block in even less time.

It may not be fair to say that incident response (IR) is the essence of an enterprise's cybersecurity strategy, but it is what everything else is building toward. However, the biggest opponent of IR is not as much attackers as it is time.

The bad guys, often aided by machine learning (especially in state-actor attacks), are ultrafocused. Cyberattackers today have a precise attack plan. Typically, they will be prepared to steal what they are looking for — or to damage systems — in a few minutes and then quickly exit the system.

Although some attackers prefer a stealthy means that installs malware and watches network activity for potentially months, many of the nastiest criminals today use a hit-and-run approach. That means an IR plan must identify what is going on, lock down ultrasensitive systems, and trap the attacker in moments. Speed may not be everything, but it's close.

Complicating the current IR environment is the fact that enterprise threat landscapes have gotten exponentially more complex in recent years, especially in terms of being porous as well as giving bad guys far more places to hide. Beyond the WAN and company systems, there are the shrinking — but still relevant — on-premises systems, a large number of cloud environments (both known and unknown), IoT/IIoT, partners with far greater access, home offices with insecure LANs, vehicle fleets with their own data retention and IP addresses, mobile devices with full credentials (often owned by employees, raising more security concerns), and SaaS apps that are hosted in systems with unknown holes of their own.

With all of that happening, the security operations center (SOC) may have mere minutes to identify and deal with a breach.

The biggest CISO problem with IR is a lack of preparation, and the biggest IR enterprise weakness today is foundational. The best processes for IR begin with readiness via building a solid organizational threat model and reconciling the threat library of things that could adversely affect the company with an alignment to what preventative, detective, and reactive controls are present against the attack surface of that threat model. Employing automation via security orchestration, automation, and response (SOAR) technologies has become highly useful in reducing response times and being able to leverage playbooks that get triggered upon certain defined conditions being met in the technical environment.

**Check the Map**

One of the most critical foundational elements is working from a current, accurate, and comprehensive data map. The problem is that today's environments make having a truly complete data map impossible.

Consider the mobile factor alone. Employees and contractors are constantly creating new intellectual property (a series of emails or texts, for example, between a sales rep and a customer or prospect) via mobile devices and then not syncing that information with centralized systems controlled by IT.

Because it's impossible to protect that which you don't know exists, generating as accurate a data map as possible is critical. It wouldn't hurt to also increase the visibility of all tools, platforms, hardware/devices (especially IoT), and anything else that an attacker could subvert.

Continuous attack surface management (CASM) has been an evolving area of security activities that companies need to mature to ensure that edge devices, particularly those that are IoT devices that may have direct access to the edge gateway, are adequately protected with detective controls.

You need to start with traditional asset management strategies, identifying all components and tracing all assets, regardless of whether they're in a rack somewhere or in a colocation. For too many enterprises, there is no comprehensiveness, no proper governance. They need to match assets and data with each line of business to plot out sustainability for that LOB. They need to figure out everything from IoT devices to third-party vendor software. There are so many things that often exist below the radar. What is the ecosystem for each and every product line?

**The Vertical Dimension**

Beyond that one enterprise, attack surface and the threat landscape must be identified for any verticals where the machine operates and often it has to drill into any and all subindustries. That forces a strict evaluation of what threat intelligence is being used.

For industry/vertical data, that means integrating information sharing and analysis centers (ISACs) along with open source alerts, vendor notifications, the Cybersecurity and Infrastructure Security Agency (CISA) and the (National Vulnerability Database (NVD) and many others, song with internal SIEM data.

But all of that threat intel is powerful before an incident. Once an attack begins and the SOC staff is actively defending itself, threat intel can sometimes prove more of a distraction than a help. It's great before as well as after the attack, but not during.

Companies often undermine their IR speed and effectiveness by not giving the SOC team sufficient access as well as information. For example, audit logs often include the IP addresses of affected devices, but some logs only display an internal NAT address and SOC staff couldn't easily and quickly map public IP addresses to NAT IP addresses. That forced the SOC team — during an emergency — to reach out to the network infrastructure team.

Does the SOC team have access to all cloud environments? Are they listed as contacts for all colocation and cloud support staff?

It is common for security people to use military analogies — especially war references — when describing incident response strategies. Sadly, those analogies are more apt than I'd wish. Attackers today are using top-end machine learning systems and are sometimes financially backed by nation-states. Their systems are often more robust and modern than what enterprises use for defense. That means that today's IR strategies must use the ML tools to keep up. The attackers have their methods timed to the second, and they know they have to get in, do their damage, exfiltrate their files, and get out quickly. CISOs today must detect and block in even less time.

The Tangled Web of IR Strategies

In Progress Flowmon Packet Investigator before 12.1.0, a Flowmon user with access to Flowmon Packet Investigator could leverage a path-traversal vulnerability to retrieve files on the Flowmon appliance's local filesystem.

Flowmon

**Visualize Network Traffic, Identify Issues & Prevent Cyber Incidents****Reduce risk and improve your resilience across your on-prem, hybrid and cloud with intelligent network visibility and security monitoring.**

Discover entire solution

**Protect your business from  
modern threats**

**Detection**

Uncover ransomware attacks, unknown threats and early incident of compromise before they can impact your business.

**Threat Hunting**

Analyze malicious activity and investigate the root cause with a state-of-the-art solution based on AI & ML.

**Response**

Leverage response in autonomous way to enhance containment and eradication of cyber threats.

**Forensic Analysis**

Collect, store and retrieve all network security data to deep analysis for better cybersecurity resilience.

Explore security solution

**Control your network with full  
visibility & decisive Intelligence**

**Complete Insight**

Gain comprehensive visibility into your entire hybrid & cloud environment. Get a holistic overview of your network with detailed insights.

**Performance Indicators**

See performance degradation and distinguish between delays caused by the network itself and delays caused by applications and services.

**Troubleshooting & Analysis**

Quickly find the root cause of any network & security failures with deep data granularity and suggestions for remedial action.

**Indispensable Anomaly Detection**

Automated analysis of user and network behaviour for recognition of advanced threats and operational issues.

Explore NPMD Solution

**Flowmon Named Technology Leader in Network Detection and Response**

Released in 2022, the SPARK MatrixTM report conducted by Quadrant Knowledge Solutions provides market insights, competitive evaluation, and vendor rankings to better understand the capabilities of different solutions in the network detection and response (NDR) market. In Customer Impact and Technology Excellence they awarded Flowmon's NDR the highest ranking of Technology Leader.

Get the report

**Results first**

> “The installation of Flowmon is very simple and intuitive. Thanks to Flowmon, we are provided with network visibility that we previously lacked. As a consequence we can identify the causes of network issues easier than ever before. The solution also allows us to design the proper capacity of our network. We plan to enforce network monitoring solution deployment across all 11 group offices and 20 facilities.”

Masahiro Sato  
Operations Network Engineer at SEGA

**Technology trusted by your peers**

 Rated 4.9/5

“Nowadays keeping eye on internet browsing history and analysing the data flow is very difficult. The Flowmon solution made thus task easier. We can analyse the network flow and also, we can identify the security threats in the network. The complete dashboard for this is really useful.”

Demo

**See live product demo**

Explore a fully interactive product demo and see what issues it can tackle for you.

Launch demo

Trial

**Request free trial**

Get no-obligation 30-day trial of Flowmon in your network.

Get your trial today

CVE-2023-26101: Flowmon - Trusted solution for network and security operations | Flowmon

The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors.
Google-owned Mandiant, which is tracking the attack event under the moniker UNC4736, said the incident marks the first time it has seen a "software supply chain attack lead to another software

The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors.

Google-owned Mandiant, which is tracking the attack event under the moniker **UNC4736**, said the incident marks the first time it has seen a "software supply chain attack lead to another software supply chain attack."

The Matryoshka doll-style cascading attack against 3CX first came to light on March 29, 2023, when it emerged that Windows and macOS versions of its communication software were trojanized to deliver a C/C++-based data miner named ICONIC Stealer by means of a downloader, SUDDENICON, that used icon files hosted on GitHub to extract the server containing the stealer.

"The malicious application next attempts to steal sensitive information from the victim user's web browser," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an analysis of the malware. "Specifically it will target the Chrome, Edge, Brave, or Firefox browsers."

Select attacks targeting cryptocurrency companies also entailed the deployment of a next-stage backdoor referred to as Gopuram that's capable of running additional commands and interacting with the victim's file system.

Mandiant's investigation into the sequence of events has now revealed the patient zero to be a malicious version of a now-discontinued software provided by a fintech company called Trading Technologies, which was downloaded by a 3CX employee to their personal computer.

It described the initial intrusion vector as "a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X\_TRADER."

This rogue installer, in turn, contained a setup binary that dropped two trojanized DLLs and an innocuous executable, the latter of which is used to side-load one of the DLLs that's camouflaged as a legitimate dependency.

The attack chain then made use of open source tools like SIGFLIP and DAVESHELL to ultimately extract and execute VEILEDSIGNAL, a multi-stage modular backdoor written in C that's capable of sending data, executing shellcode, and terminating itself.

The initial compromise of the employee's personal computer using VEILEDSIGNAL enabled the threat actor to obtain the individual's corporate credentials, two after which the first unauthorized access to its network took place via a VPN by taking advantage of the stolen credentials.

Besides identifying tactical similarities between the compromised X\_TRADER and 3CXDesktopApp apps, Mandiant found that the threat actor subsequently laterally moved within the 3CX environment and breached the Windows and macOS build environments.

"On the Windows build environment, the attacker deployed a TAXHAUL launcher and COLDCAT downloader that persisted by performing DLL side-loading through the IKEEXT service and ran with LocalSystem privileges," Mandiant said. "The macOS build server was compromised with POOLRAT backdoor using Launch Daemons as a persistence mechanism."

POOLRAT, previously classified by the threat intelligence firm as SIMPLESEA, is a C/C++ macOS implant capable of collecting basic system information and executing arbitrary commands, including carrying out file operations.

UNC4736 is suspected to be a threat group with North Korean nexus, an assessment that's been reinforced by ESET's discovery of an overlapping command-and-control (C2) domain (journalide\[.\]org) employed in the supply chain attack and that of a Lazarus Group campaign called Operation Dream Job.

Evidence gathered by Mandiant shows that the group exhibits commonalities with another intrusion set tracked as Operation AppleJeus, which has a track record of carrying out financially motivated attacks.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

What's more, the breach of Trading Technologies' website is said to have taken place in early February 2022 by weaponizing a then zero-day flaw in Google Chrome (CVE-2022-0609) to activate a multi-stage infection chain responsible for serving unknown payloads to the site visitors.

"The site www.tradingtechnologies\[.\]com was compromised and hosting a hidden IFRAME to exploit visitors, just two months before the site was known to deliver a trojanized X\_TRADER software package," Mandiant explained.

Another link connecting it to AppleJeus is the threat actor's previous use of an older version of POOLRAT as part of a long-running campaign disseminating booby-trapped trading applications like CoinGoTrade to facilitate cryptocurrency theft.

The entire scale of the campaign remains unknown, and it's currently not clear if the compromised X\_TRADER software was used by other firms. The platform was purportedly decommissioned in April 2020, but it was still available to download from the site in 2022.

3CX, in an update shared on April 20, 2023, said it's taking steps to harden its systems and minimize the risk of nested software-in-software supply chain attacks by enhancing product security, incorporating tools to ensure the integrity of its software, and establishing a new department for Network Operations and Security.

"Cascading software supply chain compromises demonstrate that North Korean operators can exploit network access in creative ways to develop and distribute malware, and move between target networks while conducting operations aligned with North Korea's interests," Mandiant said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX

We learned some remarkable new details this week about the recent supply-chain attack on VoIP software provider 3CX, a complex, lengthy intrusion that has the makings of a cyberpunk spy novel: North Korean hackers using legions of fake executive accounts on LinkedIn to lure people into opening malware disguised as a job offer; malware targeting Mac and Linux users working at defense and cryptocurrency firms; and software supply-chain attacks nested within earlier supply chain attacks.

We learned some remarkable new details this week about the recent supply-chain attack on VoIP software provider **3CX.** The lengthy, complex intrusion has all the makings of a cyberpunk spy novel: North Korean hackers using legions of fake executive accounts on **LinkedIn** to lure people into opening malware disguised as a job offer; malware targeting **Mac** and **Linux** users working at defense and cryptocurrency firms; and software supply-chain attacks nested within earlier supply chain attacks.

Researchers at ESET say this job offer from a phony HSBC recruiter on LinkedIn was North Korean malware masquerading as a PDF file.

In late March 2023, 3CX disclosed that its desktop applications for both **Windows** and **macOS** were compromised with malicious code that gave attackers the ability to download and run code on all machines where the app was installed. 3CX says it has more than 600,000 customers and 12 million users in a broad range of industries, including aerospace, healthcare and hospitality.

3CX hired incident response firm **Mandiant**, which released a report on Wednesday that said the compromise began in 2022 when a 3CX employee installed a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for **X\_TRADER**, a software package provided by **Trading Technologies**.

“This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack,” reads the April 20 Mandiant report.

Mandiant found the earliest evidence of compromise uncovered within 3CX’s network was through the VPN using the employee’s corporate credentials, two days after the employee’s personal computer was compromised.

“Eventually, the threat actor was able to compromise both the Windows and macOS build environments,” 3CX said in an April 20 update on their blog.

Mandiant concluded that the 3CX attack was orchestrated by the North Korean state-sponsored hacking group known as Lazarus, a determination that was independently reached earlier by researchers at Kaspersky Lab and Elastic Security.

Mandiant found the compromised 3CX software would download malware that sought out new instructions by consulting encrypted icon files hosted on **GitHub**. The decrypted icon files revealed the location of the malware’s control server, which was then queried for a third stage of the malware compromise — a password stealing program dubbed ICONICSTEALER.

The double supply chain compromise that led to malware being pushed out to some 3CX customers. Image: Mandiant.

Meanwhile, the security firm **ESET** today published research showing remarkable similarities between the malware used in the 3CX supply chain attack and Linux-based malware that was recently deployed via fake job offers from phony executive profiles on LinkedIn. The researchers said this was the first time Lazarus had been spotted deploying malware aimed at Linux users.

As reported in a recent series last summer here, LinkedIn has been inundated this past year by fake executive profiles for people supposedly employed at a range of technology, defense, energy and financial companies. In many cases, the phony profiles spoofed chief information security officers at major corporations, and some attracted quite a few connections before their accounts were terminated.

Mandiant, Proofpoint and other experts say Lazarus has long used these bogus LinkedIn profiles to lure targets into opening a malware-laced document that is often disguised as a job offer. This ongoing North Korean espionage campaign using LinkedIn was first documented in August 2020 by **ClearSky Security**, which said the Lazarus group operates dozens of researchers and intelligence personnel to maintain the campaign globally.

**Microsoft Corp.**, which owns LinkedIn, said in September 2022 that it had detected a wide range of social engineering campaigns using a proliferation of phony LinkedIn accounts. Microsoft said the accounts were used to impersonate recruiters at technology, defense and media companies, and to entice people into opening a malicious file. Microsoft found the attackers often disguised their malware as legitimate open-source software like **Sumatra PDF** and the SSH client **Putty**.

Microsoft attributed those attacks to North Korea’s Lazarus hacking group, although they’ve traditionally referred to this group as “**ZINC**“. That is, until earlier this month, when Redmond completely revamped the way it names threat groups; Microsoft now references ZINC as “**Diamond Sleet**.”

The ESET researchers said they found a new fake job lure tied to an ongoing Lazarus campaign on LinkedIn designed to compromise **Linux** operating systems. The malware was found inside of a document that offered an employment contract at the multinational bank HSBC.

“A few weeks ago, a native Linux payload was found on VirusTotal with an HSBC-themed PDF lure,” wrote ESET researchers **Peter Kalnai** and **Marc-Etienne M.Leveille**. “This completes Lazarus’s ability to target all major desktop operating systems. In this case, we were able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy, up until the final payload.”

ESET said the malicious PDF file used in the scheme appeared to have a file extension of “.pdf,” but that this was a ruse. ESET discovered that the dot in the filename wasn’t a normal period but instead a Unicode character (U+2024) representing a “leader dot,” which is often used in tables of contents to connect section headings with the page numbers on which those sections begin.

“The use of the leader dot in the filename was probably an attempt to trick the file manager into treating the file as an executable instead of a PDF,” the researchers continued. “This could cause the file to run when double-clicked instead of opening it with a PDF viewer.”

ESET said anyone who opened the file would see a decoy PDF with a job offer from HSBC, but in the background the executable file would download additional malware payloads. The ESET team also found the malware was able to manipulate the program icon displayed by the malicious PDF, possibly because fiddling with the file extension could cause the user’s system to display a blank icon for the malware lure.

**Kim Zetter**, a veteran Wired.com reporter and now independent security journalist, interviewed Mandiant researchers who said they expect “many more victims” will be discovered among the customers of Trading Technologies and 3CX now that news of the compromised software programs is public.

“Mandiant informed Trading Technologies on April 11 that its X\_Trader software had been compromised, but the software maker says it has not had time to investigate and verify Mandiant’s assertions,” Zetter wrote in her Zero Day newsletter on Substack. For now, it remains unclear whether the compromised X\_Trader software was downloaded by people at other software firms.

If there’s a silver lining here, the X\_Trader software had been decommissioned in April 2020 — two years before the hackers allegedly embedded malware in it.

“The company hadn’t released new versions of the software since that time and had stopped providing support for the product, making it a less-than-ideal vector for the North Korean hackers to infect customers,” Zetter wrote.

3CX Breach Was a Double Supply Chain Compromise

**SANTA CLARA, Calif.****,** **April 20, 2023** **/PRNewswire/ --** Infoblox Inc. the company that delivers a simplified, cloud- enabled networking and security platform for improved performance and protection, today published a threat report blog on a remote access trojan (RAT) toolkit with DNS command and control (C2). The toolkit created an anomalous DNS signature observed in enterprise networks in the U.S., Europe, South America, and Asia across technology, healthcare, energy, financial and other sectors. Some of these communications go to a controller in Russia.

Coined "Decoy Dog," Infoblox's Threat Intelligence Group was the first to discover this toolkit and is collaborating with other security vendors, as well as customers, to disrupt this activity, identify the attack vector, and secure global networks. The critical insight is that DNS anomalies measured over time not only surfaced the RAT, but ultimately tied together seemingly independent C2 communications. A technical analysis of Infoblox's findings is here.

"Decoy Dog is a stark reminder of the importance of having a strong, protective DNS strategy," said Renée Burton, Senior Director of Threat Intelligence for Infoblox. "Infoblox is focused on detecting threats in DNS, disrupting attacks before they start, and allowing customers to focus on their own business." 

As a specialized DNS-based security vendor, Infoblox tracks adversary infrastructure and can see suspicious activity early in the threat lifecycle, where there is "intent to compromise'' and before the actual attack starts. As a normal course of business, any indicators that are deemed suspicious are included in Infoblox's Suspicious domain feeds, direct to customers, to help them preemptively protect themselves against new and emerging threats.

**Threat Discovery, Anatomy & Mitigation:** 

*   Infoblox discovered activity from the remote access trojan (RAT) Pupy active in multiple enterprise networks in early April 2023. This C2 communication went undiscovered since April 2022.
*   The RAT was detected from anomalous DNS activity on limited networks and in network devices such as firewalls; not user devices such as laptops or mobile devices.
*   The RAT creates a footprint in DNS that is extremely hard to detect in isolation but, when analyzed in a global cloud-based protective DNS system like Infoblox's BloxOne® Threat Defense, demonstrates strong outlier behavior. Further it allowed Infoblox to tie the disparate domains together.
*   C2 communications are made over DNS and are based on an open-source RAT called Pupy. While this is an open-source project, it has been consistently associated with nation-state actors.
*   Organizations with protective DNS can mitigate their risk. BloxOne Threat Defense customers are protected from these suspicious domains.
*   In this case, Russian C2 domains were already included in the Suspicious domains feeds in BloxOne Threat Defense (Advanced) back in the fall of 2022. In addition to the Suspicious Domains feed, these domains have now been added to Infoblox's anti-malware feed.
*   Infoblox continues to urge organizations to block the following domains:

*   claudfront.net
*   allowlisted.net
*   atlas-upd.com
*   ads-tm-glb.click
*   cbox4.ignorelist.com
*   hsdps.cc

"While we automatically detect thousands of suspicious domains every day at the DNS level – and with this level of correlation, it's rare to discover these activities all originating from the same toolkit leveraging DNS for command-and-control," added Burton.

The Infoblox team is working around the clock to understand the DNS activity. Complex problems like this one highlight the need for an industry-wide intelligence-in-depth strategy where everyone contributes to understanding the entire scope of a threat.

For the full threat summary titled **"Dog Hunt: Finding Decoy Dog Toolkit via Anomalous DNS Traffic"** click here.

**About Infoblox's Threat Intelligence Group:**

The Threat Intelligence Group at Infoblox is dedicated to creating high fidelity "block-and-forget" domain name service (DNS) intelligence data for use in BloxOne Threat Defense. Core to Infoblox's protection strategy is the identification of suspicious domains. Infoblox's Threat Intelligence Group uses a patented machine learning algorithm to minimize the risk of enterprise outages while enabling maximum coverage of threats. Infoblox identifies suspicious domains through several **custom-built algorithms and DNS based threat hunting**.

The organization focuses on DNS and infrastructure actors. The team can identify suspicious behavior before its impact is known by the adjacent areas of the industry (endpoint, netflow vendors), and can track persistent actors to block their DNS infrastructure before it becomes a problem for our customers. Threat actors often register domains well in advance of using them for attacks, typically 14-120 days in advance, but we have seen domains held dormant for upwards of two years - like this case in point.

**About Infoblox** 

Infoblox unites networking and security to deliver unmatched performance and protection. Trusted by Fortune 100 companies and emerging innovators, we provide real-time visibility and control over who and what connects to your network, so your organization runs faster and stops threats earlier. Visit infoblox.com**, or follow-us on** LinkedIn or Twitter.

Infoblox Uncovers DNS Malware Toolkit & Urges Companies to Block Malicious Domains

The new Security Legal Research Fund and Hacking Policy Council are aimed at protecting "good faith" security researchers from legal threats and giving them a voice in policy discussions.

Security researchers who report vulnerabilities run the risk of either being slapped with legal sanctions to suppress disclosure or getting caught up in a legal battle punishing them for finding the flaws in the first place.

Even though the US Department of Justice announced last year that it won't prosecute cybersecurity researchers engaged in "good faith" vulnerability research and disclosure for violating the Computer Fraud and Abuse Act (CFAA), researchers still risk criminal and civil actions from states, foreign governments, and corporations. The nonprofit Center for Cybersecurity Policy & Law is pushing back with two coordinated initiatives – the Hacking Policy Council and the Security Legal Research Fund – to protect individuals who discover vulnerabilities that could potentially harm users if exploited.

The formation of the Hacking Policy Council and Security Legal Defense Fund underscores how critical it is to identify and disclose vulnerabilities to prevent malicious actors from gaining access to software, infrastructure, and data, says Futurum Research senior analyst Krista Macomber.

"The intention is to create a climate that encourages collaboration and information sharing and protects folks working diligently to expose potential threats," Macomber says.

The Hacking Policy Council plans to advocate and lobby for better vulnerability disclosure regulations and removing outdated laws. Founding member organizations include Google, Bugcrowd, HackerOne, Intel, Intigriti, and Luta Security. The Security Legal Research Fund, as of now, will provide only funding.

"The defense fund does not plan to provide direct legal representation to researchers at this time," said Harley Geiger, an attorney with Venable and coordinator of the two new groups, during the press conference announcing the two initiatives. "Instead, it will help provide funding to individuals who are facing legal threats due to good faith security research and vulnerability disclosure."

**Plight of Ethical Hackers**

James Dempsey, one of the Security Legal Research Fund's board members and a lecturer at the University of California at Berkeley Law and Stanford University, noted that independent researchers have long faced legal jeopardy for their efforts. For example, Dempsey pointed to a well-known case in 2008 when a judge issued an injunction that prevented a team of MIT students from presenting at the DEF CON security conference about vulnerabilities they discovered in Massachusetts Bay Transit Authority's fare card system.

Dempsey pointed to a more recent case in 2021 when Missouri Governor Mike Parson threatened to prosecute reporters at the St. Louis Post-Dispatch after the newspaper published an article exposing vulnerabilities on a state agency's website. But Missouri prosecutors ultimately declined to file charges.

"To get that letter on the letterhead threatening legal action can be very intimidating, and that's what we want to help people overcome," Dempsey said.

"This issue has so much impact that I think it really merits a group that is tightly focused on this issue and can bring that expertise to policymakers to help them make more informed policy," said Charley Snyder, Google's head of security policy.

The Hacking Policy Council will initially work to lobby for changes in laws and regulations in the US and, ultimately, worldwide. Luta Security founder and CEO Katie Moussouris emphasized that many regulations are outdated.

"Right now we have a lot of regulations that were, frankly, written in a different era when there was not a nuanced understanding of the hand-in-hand relationship between vulnerability discovery and malicious hacking prevention," she said.

Complicating matters is the global disparity in regulations and policies, which sometimes require disclosure to a government, either in tandem or before notifying affected users and the public, Moussouris noted. A provision in the Cyber Resilience Act, proposed by the European Commission, would require anyone in the EU discovering a vulnerability to disclose it within 24 hours.

"As written, it will be as effective for security as GDPR was for privacy; it will have that much of an impact," Venable's Geiger said.

Adding to the complexity, Geiger noted that the current definition doesn't distinguish between good faith security research and malicious criminals.

"There is currently no provision for making sure that the vulnerability, before it is disclosed, is patched," he said. "Part of the concern with the CRA is that you then end up EU-wide with a rolling list of software and vulnerabilities that may not yet be mitigated, shared with perhaps dozens of EU government agencies."

**Legal Aid for Security Researchers**

The Security Legal Research Fund will help good faith security researchers and penetration testers facing cease-and-desist letters, lawsuits, fines, and prosecution for disclosing vulnerabilities, said Tim Willis, head of Google's Project Zero team, during the media briefing.

"My hope in the long term for this fund is that the chilling effect that is currently felt by security researchers is reversed over time. One thing that all these parties can agree on is that users lose when things don't get fixed quickly," Willis said.

Geiger emphasized that the effort would focus on protecting ethical hackers who only use their research to protect users.

"The fund is not looking at helping good faith security researchers who are sued for something like extortion if they, in fact, committed extortion," Geiger said. "It will be for the act of good faith security research or the act of vulnerability disclosure connected with that good faith security research."

Amie Stepanovich, VP of US policy at the Future of Privacy Forum and a Security Research Legal Defense Fund board member, said each request will be considered based on the scope and merit of the case and the applicant's financial resources.

"We are going to be targeting funds to where they're needed most," Stepanovich said. "We want to be able to help as many people as possible in as dire need as possible, and so we will be making decisions about amounts based on the case and the need and what the actual factual circumstances are."

Google is seeding the Security Legal Research Fund with an undisclosed amount, but the fund would be operated by the Center for Cybersecurity Policy & Law to ensure no one company has influence or receives favor over how the funds are used. Willis urged other companies to also contribute to the fund.

Omdia analyst Curtis Franklin believes the fund and counsel further validate and support independent researchers' role in finding vulnerabilities.

"Independent researchers are a necessary part of our security infrastructure right now, and I think it's good that this is being recognized and that these companies want to take the steps of having more formal legal recognition of that," Franklin says. "Our systems are now sufficiently complex that no one company can find all of the vulnerabilities that exist and all of the interactions that exist in their systems, either before or after they're released."

New Policy Group Wants to Improve Cybersecurity Disclosure, Support Researchers

The Open Source Security Foundation's SLSA v1.0 release is an important milestone in improving software supply chain security and providing organizations with the tools they need to protect their software.

The Open Source Security Foundation (OpenSSF) has released v1.0 of Supply-chain Levels for Software Artifacts (SLSA) with specific provisions for the software supply chain.

Modern application development teams regularly reuse code from other applications and pull code components and developer tools from myriad sources. Research from Snyk and the Linux Foundation last year found that 41% of organizations didn't have high confidence in open source software security. With supply chain attacks posing an ever-present and ever-evolving threat, both software development teams and security teams now recognize that open source components and frameworks need to be secured.

SLSA is a community-driven supply chain security standards project backed by major technology companies, such as Google, Intel, Microsoft, VMware, and IBM. SLSA focuses on increasing security rigor within the software development process. Developers can follow SLSA's guidelines to make their software supply chain more secure, and enterprises can use SLSA to make decisions about whether to trust a software package, according to the Open Source Security Foundation.

SLSA provides a common vocabulary to talk about software supply chain security; a way for developers to assess upstream dependencies by evaluating the trustworthiness of source code, builds, and container images used in the application; an actionable security checklist; and a way to measure compliance with the forthcoming Secure Software Development Framework (SSDF).

The SLSA v1.0 release divides SLSA’s level requirements into multiple tracks, each one measuring a particular aspect of software supply chain security. The new tracks will help users better understand and mitigate the risks associated with software supply chains and ultimately develop, demonstrate, and use more secure and reliable software, the OpenSSF says. SLSA v1.0 also provides more explicit guidance on how to verify provenance, along with making corresponding changes to the specification and provenance format.

The Build Track Levels 1-3, which roughly correspond to Levels 1-3 in earlier SLSA versions, describes levels of protection against tampering during or after software build. The Build Track requirements reflect the tasks required: producing artifacts, verifying build systems, and verifying artifacts. Future versions of the framework will build on requirements to address other aspects of the software delivery life cycle.

Build L1 indicates provenance, showing how the package was built; Build L2 indicates signed provenance, generated by a hosted build service; and Build L3 indicates the build service has been hardened.

The higher the level, the higher the confidence that a package can be traced back to its source and has not been tampered with, OpenSSF said.

Software supply chain security is a key component of the Biden administration's US National Cybersecurity Strategy, as it pushes software providers to assume greater responsibility for the security of their products. And recently, 10 government agencies from seven countries (Australia, Canada, Germany, the Netherlands, New Zealand, the United Kingdom, and the United States) released new guidelines, "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default," to urge software developers to take necessary steps to ensure they are shipping products that are both secure by design and by default. That means removing default passwords, writing in safer programming languages, and establishing vulnerability disclosure programs for reporting flaws.

As part of securing the software supply chain, security teams should be engaging with developers to educate them about secure coding practices and tailoring security awareness training to include the risks surrounding the software development life cycle.

Tag

#intel