Decentralized identity products are increasingly projected to be introduced to the market in the next couple of years.

Although the decentralized identity market is still in its infancy, it has been gaining traction in recent years and has the potential to change existing identity, authentication, and access for the better. In 2022, the decentralized identity market was projected to reach $270 million.

    

Through decentralization and blockchain technology, there are an increasing number of people taking back control of their data. Although the digital identity space is still in its initial stages, it is possible that decentralized identity with blockchain could make identity management decentralized, simplified, and seamless, completely transforming the market landscape. Startups and DID initiatives continue to develop proofs of concept (PoC) for decentralized identity in government, finance, healthcare, and other fields, and the opportunities for decentralized identity continue to grow and evolve.

**eIDAS 2.0 Driving Growth**

Omdia believes that the eIDAS 2.0 regulation will be a significant driver for growth in decentralized identity during the forecast period. The updated eIDAS 2.0 initiative is built on the existing, cross-border, legal framework for trusted digital identities, the European electronic identification, and trust services initiative (eIDAS Regulation), which was adopted in 2014. By September 2023, all EU member states must ensure that a digital identity wallet is available to all EU citizens, residents, and businesses in the EU and usable not only for identity documents but for all attestations, including those with sensitive personal data such as health-related data and documents.

**Advantages of Decentralized Identity**

The advantages that decentralized identity gives users over traditional identity and access management solutions include control, security, privacy, and ease of use:

*   Control – Control gives identity owners and digital devices power over their digital identifiers. Because users have complete control and ownership of their identities and credentials, they can decide which information they want to reveal and can prove their claims without depending on any other party.
*   Security – Security reduces attack surfaces by storing personal identifiable information (PII). Blockchain is an encrypted decentralized storage system that is safe, flexible, and reduces the risk of an attacker gaining unauthorized access to steal or monetize user data.
*   Privacy – Privacy enables entities to use the principle of least privilege (PoLP) to designate minimal or selective access for identity credentials. PoLP is a term correlated with information security. It states that any person, gadget, or process should only have the minimal rights necessary to execute the considered task.
*   Ease of use – Decentralized identity technology gives users the advantage of easily creating and managing their identities with user-friendly neoteric decentralized identity apps and platforms.

**Disadvantages of Decentralized Identity**

In contrast, the disadvantages of decentralized identity include no large-scale adoption, legacy systems, and regulation and identity data fragility:

*   No large-scale adoption – Governments and organizations are still attempting to figure out how to deploy decentralized identity technology at scale while most non-tech users have not even heard of this phenomenon.
*   Legacy systems and regulation – Replacing existing legacy systems and creating interoperable global standards and governance are also important issues.
*   Identity data fragility – While a secondary issue, identity data fragility, which refers to duplication, confusion, and inaccuracy in identity management, remains.

**More Decentralized Identity Products Coming**

The popularity of decentralized identity is gathering pace with vendors such as IBM, Microsoft, and Ping Identity entering the fray. Even governments are looking at the technology. Omdia believes that over the next couple of years, more decentralized identity products will be launched onto the market, and this will help the technology become more mainstream. The decentralized identity market is expected to have significant growth during the forecast period, increasing to $6.5 billion in 2027.

Is Decentralized Identity About to Reach an Inflection Point?

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 24 and March 31. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for March 24 to March 31

An authentication bypass vulnerability in the Password Reset component of Gladinet CentreStack before 13.5.9808 allows remote attackers to set a new password for any valid user account, without needing the previous known password, resulting in a full authentication bypass.

White Oak Security discovered an instance of Gladinet’s CentreStack server which was vulnerable to an authentication bypass and an arbitrary file upload resulting in remote code execution.

This issue has been remediated as of release 13.5.9808 – June 13, 2022 (1). These issues were tracked as S-8238.

**CentreStack Vulnerability Disclosure Timeline**

White Oak Security (WOS) followed responsible disclosure guidelines by giving Gladinet time to remediate this vulnerability and allow customers ample time to patch their instances. Once we were able to establish contact with Gladinet, we appreciated their quick response to remediating the reported issues.

**4/16/22**: Attempted to contact Gladinet via online support ticket.

**4/22/22**: Second attempt to contact Gladinet via online support ticket.

**5/10/22**: Attempted to contact Gladinet via generic cold email methods.

**5/12/22**: Successfully contacted Gladinet via customer support phone number and follow-up emails.

**5/16/22**: Vulnerabilities disclosed to Gladinet via online support ticket.

**6/13/22**: Patch made available by Gladinet, identified by ID S-8238.

**2/2/23:** White Oak Security publicly discloses the finding according to our vulnerability disclosure policy.

**CentreStack**

CentreStack is an on-premise solution that provides file share, backup services, and remote file access which can be managed by a web application.

**CentreStack Exposure**

Using Shodan, the CentreStack web server can be found exposed on the internet on a handful of servers. 

**Analysis: Unauthenticated Password Reset**

White Oak Security identified an access control violation where unauthenticated attackers can access the change password controller and, without providing the original user account password, force an update for an existing user account. The result is a full authentication bypass which allows a malicious user to gain access to an administrator account.

As a demonstration, an invalid login attempt for the account admin@test.com was performed using the password: “fakepassword!.

The application denies the login request as expected due to an invalid password:

Next, the unauthenticated malicious actor forcefully navigates to the password reset application page. A form is created which prompts the user to attempt a password reset.

The malicious actor intercepts this request, modifies the hfTicket value to contain a username, in this case, the victim user admin@test.com, and sets a new password for the account “fakepassword!”.

The application successfully processes this request:

Lastly, the malicious actor once again navigates to the main login page and attempts to login as the admin@test.com user with the newly forced password.

The application successfully authenticates the user since the account password had been changed, and the malicious actor gains the permissions of any account that had been reset, in this case, full administrative privileges.

**Analysis: Unrestricted File Upload**

Now that White Oak Security established a valid authentication bypass, WOS focused its efforts on obtaining code execution. An unrestricted file upload vulnerability was discovered within the Cluster and Tenant branding functionality, accessible by an administrator of the application. When chained together with an abuse of the Anti-Virus engine, the result is code execution. 

The branding image upload functionality does not limit what file types that can be uploaded to the server, which allows a malicious actor to upload a custom executable file. In this example, a reverse shell binary is uploaded in the Logo handler:

Once the binary has been uploaded, the application reveals a broken image as expected since the content is not actually an image indicating that our upload has been successful:

Upon inspecting the network traffic, we can see that the download for the logo image does return the binary program:

In order to achieve command execution, the full path of the uploaded image is required in order to be exploited with the Anti-Virus engine. On the filesystem, we can observe that a random GUID has been created within the **C:/CentreStack** directory.

While this GUID is random, the GUID can be leaked by interacting with the local file image editor or local application editor with any uploaded file:

The network traffic for this request leaks the full GUID in the LocalEditPage.aspx application response:

Next, the filename of the raw binary also contains a GUID with a fixed name “Brand\_LogoImg” appended to the GUID that is generated.

However, this value is simply the **_y-glad-brid_** session value which can easily be found throughout any authenticated request:

Now that the full path of the uploaded binary has been discovered through the application’s own components, the Anti-Virus engine scanner location can be modified to the full path of the binary:

Since the Anti-Virus engine does not limit the path of the potential programs that can be executed, any arbitrary binary on the system can be executed as the Anti-Virus engine.

Lastly, a malicious actor simply has to upload any file to the CentreStack server which will trigger the Anti-Virus scan to execute and run the custom binary:

On the attacker-controlled machine, the reverse shell is executed and a successful connection is observed. The process is additionally being executed with the highest permissions of **NT AUTHORITY\\SYSTEM**.

Upon inspecting the executing processes on the server with ProcessExplorer (2), the execution path is observed as the **GladinetCloudMonitor.exe** service executing the binary as NT AUTHORITY\\SYSTEM compared to the web server permissions of IIS APPPOOL. This is due to the Anti-Virus programs requiring a higher permission to scan local files, however, this gains an attacker full administrative privileges over the underlying server.

While the unrestricted file upload vulnerability was used to upload arbitrary files to the server, White Oak Security could have alternatively uploaded a malicious file to the server using the built-in file storage mechanism, and simply pointed the Anti-Virus engine to execute that program and obtain a shell in that fashion. 

However, it was more interesting to identify a vulnerability rather than built-in functionality to chain together this attack path.

****More From White Oak Security****

White Oak Security is a highly skilled and knowledgeable cyber security and penetration testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion.

Read more from White Oak Security’s pentesting team.

****Sources****

1\. https://www.centrestack.com/p/gce\_latest\_release.html – CentreStack Release History

2\. https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer – ProcessExplorer

CVE-2023-26829: CentreStack Vulnerability Disclosure | White Oak Security

Plus: Microsoft Outlook and Android patch serious flaws, Chrome and Firefox get fixes, and much more.

Meanwhile, researchers at Google’s Project Zero have reported 18 zero-day vulnerabilities in Exynos Modems made by Samsung. The four most severe—CVE-2023-24033, CVE-2023-26496, CVE-2023-26497, and CVE-2023-26498—allow internet-to-baseband remote code execution, the researchers wrote in a blog. “Tests conducted by Project Zero confirm that the four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number,” they wrote. 

Affected devices include those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series, as well as Google’s Pixel 6 and Pixel 7 series.

Patch timelines will vary per manufacturer, but affected Pixel devices have received a fix for all four of the severe internet-to-baseband remote code execution vulnerabilities. In the meantime, users with affected devices can protect themselves by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings, Google said.

Google Chrome 

Google has released Chrome 111 of its popular browser, fixing eight security flaws, seven of which are memory safety bugs with a high severity rating. Four use-after-free vulnerabilities include a high-severity issue tracked as CVE-2023-1528 in Passwords and CVE-2023-1529, an out-of-bounds memory access flaw in WebHID.

Meanwhile, CVE-2023-1530 is a use-after-free bug in PDF reported by the UK’s National Cyber Security Centre, and CVE-2023-1531 is a high-severity use-after-free vulnerability in ANGLE.

None of the issues are known by Google to have been used in attacks, but given their impact, it makes sense to update Chrome when you can.

Cisco

Enterprise software giant Cisco has published the twice-yearly security bundle for its IOS and IOS XE Software, fixing 10 vulnerabilities. Six of the issues fixed by Cisco are rated as having a high impact, including CVE-2023-20080, a denial of service flaw, and CVE-2023-20065, a privilege escalation bug.

At the start of the month, Cisco fixed multiple vulnerabilities in the web-based management interface of some Cisco IP Phones that could allow an unauthenticated, remote attacker to execute arbitrary code or cause denial of service. With a CVSS score of 9.8, the worst is CVE-2023-20078, a vulnerability in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 series multiplatform phones. 

An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface, Cisco said, adding, “A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device.”

Firefox

Privacy-conscious developer Mozilla has released Firefox 111, fixing 13 vulnerabilities, seven of which are rated as having a high impact. These include three flaws in Firefox for Android, including CVE-2023-25749, which may have resulted in third-party apps opening without a prompt.

Meanwhile, two memory safety bugs, CVE-2023-28176 and CVE-2023-28177, have been fixed in Firefox 111. “Some of these bugs showed evidence of memory corruption, and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla said.

SAP

It’s another month of big updates for software maker SAP, which has released 19 new security notes in its March Security Patch Day guidance. Issues fixed during the month include four with a CVSS score of over 9. 

One of the worst of these is CVE-2023-25616, a code injection vulnerability in SAP Business Objects Business Intelligence Platform. This vulnerability in the Central Management Console allows an attacker to inject arbitrary code with a “strong negative impact” on the integrity, confidentiality, and availability of the system, security firm Onapsis said.

Finally, with a CVSS score of 9.9, CVE-2023-23857 is an improper access control bug in SAP NetWeaver AS for Java. “The vulnerability allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services,” Onapsis said.

Apple's iOS 16.4: Security Updates Are Better Than a Goose Emoji

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

CVE-2023-28756: Ruby 3.2.0 Released

In a Solar Winds-like attack, compromised, digitally signed versions of 3CX DesktopApp are landing on user systems via the vendor's update mechanism.

Security researchers are sounding the alarm on what may well be another major SolarWinds or Kaseya-like supply chain attack, this time involving Windows and Mac versions of a widely used video conferencing, PBX, and business communication app from 3CX.

On March 30, multiple security vendors said they had observed legitimate, digitally signed versions of the 3CX DesktopApp bundled with malicious installers landing on user desktops via the company's official automatic update process, as well as via manual updates. The end result is a data-stealing malware being implanted as part of a likely cyber-espionage effort by an advanced persistent threat (APT) actor.

The potential impact of the new threat could be huge. 3CX claims some 600,000 installations worldwide with over 12 million daily users. Among its numerous big-name customers are companies like American Express, Avis, Coca Cola, Honda, McDonald's, Pepsi, and Toyota.

CrowdStrike assessed that the threat actor behind the campaign is Labyrinth Chollima, a group that many researchers believe is linked with the cyber-warfare unit of North Korea's intelligence agency, the Reconnaissance General Bureau (RGB). Labyrinth Chollima is one of four groups that CrowdStrike has assessed are part of North Korea's larger Lazarus Group.

The threat is still very much an active one. "Currently, the very latest installers and updates available on the public 3CX website are still the compromised and backdoored applications that are noted as known bad by numerous security firms," says John Hammond, senior security researcher at Huntress.

**Enterprise App Trojanized With Malicious Installers**

The weaponized app arrives on a host system when the 3CX Desktop Application automatically updates, or when a user grabs the latest version proactively. Once pushed to a system, the signed 3CX DesktopApp executes a malicious installer, which then beacons out to an attacker-controlled server, pulls down a second-stage, information-stealing malware from there, and installs it on the user's computer. CrowdStrike, one of the first to report on the threat on March 29, said in a few instances it had also observed malicious hands-on-keyboard activity on systems with the Trojanized 3CX app.

In a message early on March 30, 3CX CEO Nick Galea urged users to immediately uninstall the app, adding that Microsoft Windows Defender would do that automatically for users running the software. Galea urged customers that want the app's functionality to use the Web client version of the technology while the company works on delivering an update.

A security alert from 3CX CISO Pierre Jourdan identified the affected apps as Electron Windows App, shipped in Update 7, version numbers 18.12.407 & 18.12.416 and Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407, & 18.12.416. "The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT," Jourdan said.

**Attackers Likely Breached 3CX's Production Environment**

Neither Jourdan nor Galea's messages gave any indication of how the attacker managed to gain the access they needed to trojanize a signed 3CXDekstopApp.exe binary. But at least two security vendors that have analyzed the threat say it could have only happened if the attackers were in 3CX's development or build environment — in the same manner that SolarWinds was compromised.

"Although only 3CX has the complete picture of what happened, so far, from the forensics, we assess with high confidence that the threat actor had access to the production pipeline of 3CX," says Lotem Finkelstein, director of threat intelligence & research at Check Point Software. "The files are signed with 3CX certificates, the same as used for the previous benign versions. The code is built in a way that it keeps working as it normally should but also adds some malware."

Finkelstein says Check Point's investigation confirms that the Trojanized version of the 3CX DesktopApp is being delivered through either manual download or regular updates from the official system.

Dick O'Brien, principal intelligent analyst at Symantec Threat Hunter team, says the threat actor does not appear to have touched the main executable itself. Instead, the APT compromised two dynamic link libraries (DLLs) that were delivered along with the executable in the installer. 

"One DLL was replaced with a completely different file with the same name," O'Brien says. "The second was a Trojanized version of the legitimate DLL \[with\] the attackers essentially appending it with additional encrypted data." The attackers have used a technique, known as DLL sideloading, to trick the legitimate 3CX binary to load and execute the malicious DLL, he says.

O'Brien agrees that the attacker would have needed access to 3CX's production environment to pull off the hack. "How they did that remains unknown. But once they had access to the build environment, all they had to do was drop two DLLs into the build directory."

**Potentially Broad Impact**

Researchers at Huntress tracking the threat said they had so far sent out a total of 2,595 incident reports to customers warning them of hosts running susceptible versions of the 3CX desktop application. In these instances, the software matched the hash or identifier for one of the known bad applications. 

"The final stage of the attack chain as we know it is reaching out to the command-and-control servers, however, this appears to be on a set timer after seven days," says Huntress' Hammond. A Shodan search that Huntress conducted showed 242,519 publicly exposed 3CX systems, though the issue's impact is broader than just that set of targets.

"The updates received by the signed 3CX Desktop Application are coming from the legitimate 3CX update source, so at first blush, this looks normal," he adds. "Many end users did not expect the original and valid 3CX application to suddenly be setting off alarm bells from their antivirus or security products, and in the early timeline where there was not much information uncovered, and there was some confusion over whether the activity was malicious or not, he says.

**Shades of SolarWinds & Kaseya**

Hammond compares this incident to the breaches at SolarWinds and at Kaseya. 

With SolarWinds, attackers — likely linked with Russia's Foreign Intelligence Service — broke into the company's build environment and inserted a few lines of malicious code into updates for its Orion network management software. Some 18,000 customers received the updates, but the threat actor was really targeting only a small handful of them for subsequent compromise. 

The attack on Kaseya's VSA remote management technology resulted in more than 1,000 downstream customers of its managed service provider customers being impacted and subsequently targeted for ransomware delivery. The two attacks are examples of a growing trend of threat actors targeting trusted software providers and entities in the software supply chain to reach a broad set of victims. Concerns over the threat prompted President Biden to issue an executive order in May 2021 that contained specific requirements for bolstering supply chain security.

Automatic Updates Deliver Malicious 3CX 'Upgrades' to Enterprises

By Waqas
Researchers have warned users to be on alert, as the IRS never sends emails to confirm taxpayers' personal information.
This is a post from HackRead.com Read the original post: IRS tax forms W-9 email scam drops Emotet malware

Emotet malware is known for stealing personal data and financial details from a targeted device.

The cybersecurity researchers at Malwarebytes have warned taxpayers about a new IRS tax email scam that delivers **Emotet malware**, a notorious banking Trojan that steals sensitive financial information from victims’ computers.

According to the researchers, the fraudulent emails appear to be sent from the agency and contain a subject line such as **IRS Tax Form W-9.** The message simply asks the recipient if they require a hard copy of the tax form, stating, “Let me know if you would like a hard copy mailed as well.”

The malicious email (Credit: Malwarebytes)

However, the attachment is actually a malicious payload that installs the Emotet malware onto the victim’s device if Marcos is enabled. Once the malware is installed, it can steal sensitive information such as login credentials, financial data, and personally identifiable information.

Moreover, the malicious Microsoft Word document is 500MB in size, which alone should stand as the biggest indicator that something is wrong with the downloaded file.

It is also worth noting that users should also beware of emails that contain subject lines like “Tax Payment Request” or “Automatic Income Tax Reminder” which instruct the recipient to download a Microsoft document file to review and confirm their personal details.

The latest IRS tax malspam scam should not come as a surprise, as malicious Microsoft document files were found to be responsible for **43% of all malware downloads** in 2021.

The Emotet malware has been active since 2014 and is known for its ability to evade detection and spread rapidly. It has been used to distribute other malware strains such as **TrickBot** and **Ryuk ransomware**, which have caused significant damage to organizations around the world.

The researchers **advise** taxpayers to be cautious of unsolicited emails, especially those that request personal information or contain suspicious links or attachments. On the other hand, the IRS recommends that recipients do not click on any links or download any attachments in such emails, and instead forward them to the IRS at **phishing@irs.gov**.

The IRS has reminded taxpayers that it does not initiate contact with taxpayers via email, text messages, or social media channels. The agency only communicates with taxpayers through traditional mail delivered by the United States Postal Service, or through secure online accounts on its official website, IRS.gov.

Taxpayers who have clicked on a link or downloaded an attachment from a suspicious email should immediately contact their IT department or a reputable cybersecurity firm for assistance. They should also file a complaint with the FBI’s Internet Crime Complaint Center (IC3) at **www.ic3.gov**.

1.  PayPal Notifies 35,000 Users of Data Breach
2.  Ransomware Email Scam Using FBI and IRS as Bait
3.  Hackers Hit IRS, Stopped Before Anything was Taken
4.  Data Breach Rattles IRS, 334k Tax Payers Data Stolen
5.  Users hit by ransomware via fake IRS tax return emails

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

IRS tax forms W-9 email scam drops Emotet malware

Red Gate SQL Monitor 11.0.14 through 12.1.46 has Incorrect Access Control, exploitable remotely for Escalation of Privileges.

Our solutions make life easier for development, operations, and IT leaders by **solving the database challenges** in delivering software at speed.

**Redgate helps teams balance the demand to deliver software fast with the need to protect and preserve business critical data.**

Your business, teams, and databases benefit from fast delivery, low downtime, and strong collaboration, while minimizing any risks to your data.

*   Request a demo
*   Discover more

**Discover how Compliant Database DevOps empowers your team**

Request a demo

**Solutions for every stage in your Compliant Database DevOps journey**

** Standardize team-based development**

Prevent rework and conflicts, build consistency and quality into your code, and gain time for development that adds value, with standardized best practices for database development.

**Learn more**

** Automate database deployments**

Unlock agility and performance across the full software lifecycle, with database continuous integration, continuous delivery, and shift-left testing that let you rapidly respond to user requirements.

**Learn more**

** Monitor performance and availability**

Avoid performance issues, minimize downtime, and support efficient recovery with proactive visibility and insight into your database estate.

**Learn more**

** Protect and preserve data**

Decrease the risk of breaches, protect business critical data, and meet compliance requirements while supporting data demands from developers and testers.

**Learn more**

Discover more

> “We've freed up the DBA team by 70-80%. That's the ROI, and the leadership team can understand that too.”

> “Code goes from months to deploy, to days. When we want to bring out new functionality for the customer, we can do it really quick. That's the real benefit.”

> “We knew the investment made sense and we were going to recover the cost fast. The best proof is that all the developers love Redgate's solution and use it on a daily basis. It's become a standard part of our development process.”

> “We were doing one database update a week, which took almost a full day. Now it takes ten minutes. We've automated 90% of the process, and we can now scale our application to more servers and markets without increasing our overhead.”

> “Redgate has helped LumiData deliver a foolproof development cycle rivaling that of any company, Microsoft included. We can now have major database revisions or releases out in minutes and distributed to all of our clients' databases.”

**Case studies**

See how our customers are benefiting from fast delivery, low downtime, and strong collaboration

**Get started with Compliant Database DevOps**

*   Request a demo
*   Discover more

20 years

as industry leader in database solutions

91% of the Fortune 100

use Redgate's software

800,000 users

rely on Redgate worldwide

**Can't find what you're looking for?**

CVE-2022-47542: Redgate Software - Compliant Database DevOps Solutions and Tools For SQL Server, Oracle, & .NET

Network protocols can be used to identify operating systems and discern other device information.

Network security and asset management products have to be able to identify what operating systems are currently running in the organization. With this information, IT and security departments gain greater visibility and control over their networks.

Device and operating system information is trivial to collect if the device has a software agent installed. However, agents are not an option for some operating systems, especially those installed on embedded and Internet of Things devices. This is where passive OS fingerprinting comes in handy, since passive methods don't require installing software on devices and work for most operating systems. Passive OS fingerprinting involves matching uniquely identifying patterns in the host's network traffic and classifying the traffic accordingly. Several protocols from different network layers can be used for OS fingerprinting: MAC addresses, TCP/IP parameters, HTTP User-Agent strings, and DHCP requests.

The Open Systems Interconnection (OSI) model contains several protocols for the application, transport, network, and data link layers. As a rule of thumb, protocols at the lower levels of the OSI stack — such as MAC and IP — provide better reliability with lower granularity compared with those on the upper levels of stack, and vice versa. Let's start at the bottom of the stack and move up.

**Start at the MAC Address**

The medium access control (MAC) protocol uses a unique physical identifier hardcoded into the device during manufacturing. The 12-digit hexadecimal number — the MAC address — is commonly written out as six pairs divided by hyphens. The left most six-digit long string represents the manufacturer's unique identifier and the right most six represent the serial number of the device's network interface card. For example, the six left-most digits of a MacBook laptop's MAC address would be 88:66:5a, which is the string affiliated with Apple.

By looking at the manufacturer's unique identifier, network administrators can infer the type of device running in the network and, in some cases, even the operating system.

**TCP/IP Tells Tales**

The TCP/IP stack is a more granular source of information. Most operating systems set unique values in the parameters within the packet headers, making it possible to identify the OS by looking at these values. Some of the most common parameters used in OS fingerprinting are initial time to live (TTL), Windows Size, "Don't Fragment" flag, and TCP options (values and order). For example, if a device has an outgoing packet's IP header with the "Don't fragment" flag set, TTL with the value of 64, Windows size of 65535, and a specific set of TCP options (02, 01, 03, 01, 01, 08, 04, 00), that's enough to identify it as running MacOS.

**HTTP Has a Wealth of Info**

Several protocols in the application layer are also useful for identifying the device's operating system type and the exact version or distribution. In some cases, these fields can be configured by the user and, thus, are less reliable.

The most common application protocol used in OS fingerprinting is HTTP, via the header's User-Agent field. The field, added by the application (such as a Web browser), includes information such as the application, operating system, and underlying device of the client. For example, the HTTP request to the server could contain a User-Agent field that identifies the client as a Firefox browser running on a Windows 7 OS: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0.

The User-Agent field is not the only indicator the HTTP protocol contains. Most operating systems have a built-in connectivity test that automatically runs when the device connects to a public network. For example, Network Connectivity Status Indicator (NCSI), an Internet connection awareness protocol in Microsoft's Windows operating systems, consists of a sequence of specifically crafted DNS and HTTP requests and responses that indicate if the host is located behind a captive portal or a proxy server.

**DHCP Identifies Hosts**

The DHCP protocol, used for IP assignment over the network, provides several indicators that can be used to identify the host. DHCP is composed of 4 steps: discovery, offer, request, and acknowledge (DORA). For example, a Windows host broadcasting DHCP messages over the local network and receiving replies from the DHCP server will be sending a unique vendor class identifier "MSFT 5.0," and the parameter request list would contain a sequence of values common to Windows hosts.

Combined with the order of the DHCP options themselves, the indicators are sufficient to identify the host as a Windows OS.

**Wrapping Up**

While some protocols provide better accuracy than others, there is no "silver bullet" for the task of OS identification, and the different options provide different types of information. Rather than fingerprinting based on a single protocol, you might consider a multiprotocol approach, such as combining the HTTP User-Agent with lower-level TCP options.

How to Solve IoT's Identity Problem

The vulnerability would have allowed an unauthenticated attacker to execute code on a container hosted on one of the platform's nodes.

Microsoft has patched what researchers called a "dangerous" flaw in its Azure Service Fabric component of the company's cloud-hosting infrastructure. If exploited, it would have allowed an unauthenticated, malicious actor to execute code on a container hosted on the platform.

Researchers from Orca Security discovered the cross-site scripting (XSS) flaw — which they dubbed Super FabriXss — in December and reported it to Microsoft, which issued a fix for it in March's round of Patch Tuesday updates, the researchers said in a blog post published March 30, revealing the technical details of the bug.

They also demonstrated how attackers can take advantage of the flaw — which makes Azure Service Fabric Explorer versions 9.1.1436.9590 or earlier vulnerable to exploit — in a presentation at Microsoft's BlueHat IL 2023 in Tel Aviv today. 

Super FabriXss, tracked as CVE-2023-23383 with a CVSS rating of 8.2, is the second XSS flaw so far that Orca researchers discovered in Azure Service Fabric Explorer. Part of Microsoft's Azure cloud computing platform, Azure Service enables packaging, deployment, and management of stateless and stateful microservices and containers on large-scale distributed systems.

The first XSS vulnerability, dubbed FabriXss and detailed by Orca researchers in October, did not pose as severe a risk as its successor, the researchers said. FabriXss, also patched quickly by Microsoft in a Patch Tuesday update, would have allowed an attacker to gain full administrator permissions on the Service Fabric cluster.

**Exploiting Super FabriXss**

With Super FabriXss, a remote unauthenticated attacker can execute code on a container hosted on one of the Service Fabric nodes, which "means that an attacker could potentially gain control of critical systems and cause significant damage," Lidor Ben Shitrit, cloud security researcher at Orca Security, wrote in the post.

Using Super FabriXss, an attacker could craft a malicious URL that, when clicked, initiates a multi-step process eventually leading to the creation and deployment of a harmful container on one of the cluster nodes, Shitrit tells Dark Reading.

Specifically, researchers demonstrated at BlueHat how they could escalate a reflected XSS vulnerability in Azure Service Fabric Explorer to an unauthenticated RCE by abusing the metrics tab and enabling a specific option in the console: the "Cluster Type" toggle, Shitrit wrote in the post.

"To exploit this vulnerability, a victim (an authenticated Service Fabric Explorer user) must first click on the malicious URL and then be guided to click on the Cluster Type under the Events tab," he explains to Dark Reading. "Once exploited, sensitive cluster data could be revealed to the attacker, potentially allowing them to expand the attack to a larger surface."

The vulnerability itself arises from a vulnerable "Node Name" parameter, which can be exploited to embed an iframe in the user's context, Shitrit said in the post. This iframe then retrieves remote files from a server controlled by the attacker, eventually leading to the execution of a malicious PowerShell reverse shell.

"This attack chain can ultimately result in remote code execution on the container \[that\] is deployed to the cluster, potentially allowing an attacker to take control of critical systems," he wrote.

**Mitigation & Implications for Azure Users**

Orca reported the vulnerability to the Microsoft Security Response Center (MSRC) on Dec. 20, and an investigation into the issue begun later that month, on Dec. 31, the researchers said. Orca researchers and MSRC communicated several times regarding the impact of the flaw before Microsoft assigned CVE-2023-23383 to the vulnerability and issued a patch for it on March 14 that automatically fixed the issue for customers.

While no further action is necessary by Azure Service Fabric users, the flaw does, once again, highlight the inherent danger of unpatched flaws in cloud-based architectures that an enterprise deploys, he tells Dark Reading. These vulnerabilities "can pose higher risks compared to on-premises solutions," Shitrit says.

"With cloud-based systems, organizations often depend on third-party providers, leading to a larger attack surface and less control over security measures," he adds. "Additionally, it's important to consider the multi-tenant nature of cloud environments and the significance of maintaining proper isolation between tenants."

To address risks posed by cloud-based flaws like Super FabriXss, he suggests that organizations maintain a regime of cloud security hygiene. This includes regularly applying patches, monitoring security, addressing vulnerabilities, training employees on best practices, applying network segmentation, enforcing least-privilege permissions, collaborating with providers, and creating a robust incident response plan, Shitrit says.

"These combined efforts help ensure a secure and resilient cloud environment," he says.

Tag

#microsoft