An attacker with authenticated access to VICIdial version 2.14-917a as an agent can execute arbitrary shell commands as the root user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.

VICIdial 2.14-917a Remote Code Execution

A veritable grab bag of tools used to access critical infrastructure networks are wildly insecure, and they're blobbing together to create a widening attack surface.

Source: Agencja Fotograficzna Caro via Alamy Stock Photo

The exploding demand for remote access into today's industrial control systems (ICS) and operational technology (OT) systems has created a nebulous, Internet-connected attack surface that's too attractive for cyberattackers to ignore. And cleanup is not going to be a simple affair.

Far too many ICS networks are being accessed by employees, partners, suppliers, and customers using a slapped-together mousetrap of tools, leaving these environments woefully exposed while connected to the Internet, according to researchers.

In a new analysis, Claroty's Team82 looked at 50,000 individual remote access-enabled devices running on industrial networks with dedicated OT hardware, and found 55% to have at least four remote access tools (RATs) in their environments. A full third (33%) reported using six or more RATs. Some organizations reported using up to 16 different of them.

Industries represented in the examples examined by the Team82 researchers included pharmaceuticals, consumer goods, food and beverage, automotive, oil and gas, mining, and manufacturing — many of which are considered critical infrastructure sectors.

"Within critical infrastructure, there is sometimes a bigger physical risk associated with a breach, depending on the jeopardized device," says Tal Laufer, Claroty's vice president of products, secure access. "That being said, all organizations with this type of tool sprawl are at risk, since it can create security gaps in their networks for threat actors to exploit."

Making matters even more complicated for cybersecurity teams, the Team82 report found that 79% of the organizations they surveyed have more than two remote access management tools in their environment that don't meet basic enterprise-grade security standards.

"Most of these tools lack the session recording, auditing, and role-based access controls that are necessary to properly defend an OT environment," the Team82 report said. "Some lack basic security features such as multi-factor authentication (MFA) options, or have been discontinued by their respective vendors and no longer receive feature or security updates."

**Cyberattackers Notice Sprawling OT Remote Access Attack Surface**

Adversaries are already well aware of the malicious possibilities that these remote access tools unlock — and have been for several years.

Laufer notes that several massive breaches in recent years have been the result of misconfigured remote access tools, including Colonial Pipeline in 2021 and Change Healthcare earlier this year.

As far back as 2020, analysts at Kaspersky warned about the risk of cyberattacks against remote access tools like TeamViewer and RMS to breach ICS environments. And in January 2023, CISA joined with the NSA to issue a warning that adversaries were launching widespread campaigns against remote management systems like AnyDesk to breach federal agencies.

Those warnings have played out: A threat actor was discovered attempting to drop XMRing cryptominer malware using TeamViewer in May 2023. Likewise, the remote access tool TeamViewer was targeted in failed attempts to compromise systems by LockBit 3.0 ransomware group in early 2024. Similarly, remote access tool production systems were compromised at AnyDesk last February, forcing the vendor to revoke all of its security clearances and reset all Web portal passwords.

Despite these warnings, ICS/OT operators are in a particularly tough spot without a clear path toward protecting themselves. The Team82 findings demonstrate how the sheer number of these tools can easily pile up within an environment, creating an ever-creeping blob of remote access surface area ripe for adversaries to probe for success. As the report detailed, each tool brings along with it its own supply chain weaknesses, often including a lack of basic, best-practice security features like MFA, auditing, and session recording.

Compounding the issue is a basic lack of monitoring, detection, and policy control tooling that works across disparate remote access systems, leaving them open to misconfigurations, as messy policy and control management, the report added.

The report added that managing all these various RATs, and the hardware behind them, is an expensive operational proposition.

**OT Remote Access Cleanup**

Unsurprisingly, the first step on the path to securing remote access for ICS/OT networks is to get a full inventory of the tools that provide access to OT assets, according to the report.

"A critical first step is ensuring you have complete visibility into your organization’s OT network to understand how many and which solutions are providing access to OT assets and industrial control systems (ICS)," Laufer explains.

Next, those solutions that don't meet basic enterprise cybersecurity requirements need to go — pronto.

"From there, engineers and assets managers need to actively eliminate or minimize the use of low-security remote access tools in the OT environment — especially taking into consideration those with known vulnerabilities or those lacking essential security features such as MFA," the researcher stresses.

It's also crucial to develop and require baseline security standards across the organization's supply chain. "Beyond this, security teams should also govern the use of remote access tools connected to OT and ICS," Laufer says. "This can help with alignment of security requirements and expansion of those requirements as needed throughout third parties within the supply chain."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

Remote Access Sprawl Strains Industrial OT Network Security

Microsoft Corp. today released updates to fix at least 79 security vulnerabilities in its Windows operating systems and related software, including multiple flaws that are already showing up in active attacks. Microsoft also corrected a critical bug that has caused some Windows 10 PCs to remain dangerously unpatched against actively exploited vulnerabilities for several months this year.

**Microsoft Corp.** today released updates to fix at least 79 security vulnerabilities in its **Windows** operating systems and related software, including multiple flaws that are already showing up in active attacks. Microsoft also corrected a critical bug that has caused some **Windows 10** PCs to remain dangerously unpatched against actively exploited vulnerabilities for several months this year.

By far the most curious security weakness Microsoft disclosed today has the snappy name of CVE-2024-43491, which Microsoft says is a vulnerability that led to the rolling back of fixes for some vulnerabilities affecting “optional components” on certain Windows 10 systems produced in 2015. Those include Windows 10 systems that installed the monthly security update for Windows released in March 2024, or other updates released until August 2024.

**Satnam Narang**, senior staff research engineer at **Tenable**, said that while the phrase “exploitation detected” in a Microsoft advisory normally implies the flaw is being exploited by cybercriminals, it appears labeled this way with CVE-2024-43491 because the rollback of fixes reintroduced vulnerabilities that were previously know to be exploited.

“To correct this issue, users need to apply both the September 2024 Servicing Stack Update and the September 2024 Windows Security Updates,” Narang said.

**Kev Breen**, senior director of threat research at **Immersive Labs**, said the root cause of CVE-2024-43491 is that on specific versions of Windows 10, the build version numbers that are checked by the update service were not properly handled in the code.

“The notes from Microsoft say that the ‘build version numbers crossed into a range that triggered a code defect’,” Breen said. “The short version is that some versions of Windows 10 with optional components enabled was left in a vulnerable state.”

Zero Day #1 this month is CVE-2024-38226, and it concerns a weakness in **Microsoft Publisher**, a standalone application included in some versions of **Microsoft Office**. This flaw lets attackers bypass Microsoft’s “**Mark of the Web**,” a Windows security feature that marks files downloaded from the Internet as potentially unsafe.

Zero Day #2 is CVE-2024-38217, also a Mark of the Web bypass affecting Office. Both zero-day flaws rely on the target opening a booby-trapped Office file.

Security firm **Rapid7** notes that CVE-2024-38217 has been publicly disclosed via an extensive write-up, with exploit code also available on GitHub.

According to Microsoft, CVE-2024-38014, an “elevation of privilege” bug in the Windows Installer, is also being actively exploited.

June’s coverage of Microsoft Patch Tuesday was titled “Recall Edition,” because the big news then was that Microsoft was facing a torrent of criticism from privacy and security experts over “**Recall**,” a new artificial intelligence (AI) feature of Redmond’s flagship Copilot+ PCs that constantly takes screenshots of whatever users are doing on their computers.

At the time, Microsoft responded by suggesting Recall would no longer be enabled by default. But last week, the software giant clarified that what it really meant was that the ability to disable Recall was a bug/feature in the preview version of Copilot+ that will not be available to Windows customers going forward. Translation: New versions of Windows are shipping with Recall deeply embedded in the operating system.

It’s pretty rich that Microsoft, which already collects an insane amount of information from its customers on a near constant basis, is calling the Recall removal feature a bug, while treating Recall as a desirable feature. Because from where I sit, Recall is a feature nobody asked for that turns Windows into a bug (of the surveillance variety).

When Redmond first responded to critics about Recall, they noted that Recall snapshots never leave the user’s system, and that even if attackers managed to hack a Copilot+ PC they would not be able to exfiltrate on-device Recall data.

But that claim rang hollow after former Microsoft threat analyst **Kevin Beaumont** detailed on his blog how any user on the system (even a non-administrator) can export Recall data, which is just stored in an SQLite database locally.

As it is apt to do on Microsoft Patch Tuesday, Adobe has released updates to fix security vulnerabilities in a range of products, including **Reader** and **Acrobat**, **After Effects**, **Premiere Pro**, **Illustrator**, **ColdFusion**, **Adobe Audition**, and **Photoshop**. Adobe says it is not aware of any exploits in the wild for any of the issues addressed in its updates.

Seeking a more detailed breakdown of the patches released by Microsoft today? Check out the SANS Internet Storm Center’s thorough list. People responsible for administering many systems in an enterprise environment would do well to keep an eye on AskWoody.com, which often has the skinny on any wonky Windows patches that may be causing problems for some users.

As always, if you experience any issues applying this month’s patch batch, consider dropping a note in the comments here about it.

Bug Left Some Windows PCs Dangerously Unpatched

Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system.

This vulnerability was reported by ahacker1 of SecureSAML (ahacker1@securesaml.com)

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-jw9c-mfg7-9rx2: SAML authentication bypass via Incorrect XPath selector

For modern applications built on Kubernetes and microservices, platform engineering is not just about building functional systems but also about embedding security into the fabric of those systems.

Michelle Ensey, Senior Manager of Product Management, NGINX

September 10, 2024

4 Min Read

Source: Brian Jackson via Alamy Stock Photo

Platform engineering is the rising star of the operations firmament. But squint hard and you'll quickly see that the foundation of any serious platform engineering program is operational and application security. By designing a platform through a "security-first" lens, platform engineering leaders can set up their DevOps and AppDev teams for success and make them more efficient by minimizing the toil and cognitive load required to properly execute security policies and practices.

**Designing Platform Assets From "Least Privilege": A Lockdown Mindset**

Every component within your platform — be it a virtual machine, a container, or even a service account — should operate with the bare minimum number of permissions. This is native to security and secure by design, but it should also be a core part of platform design, too. This limits the blast radius if an attacker does compromise a part of your system. Platform engineering teams should design their tools and services for application developers and DevOps practitioners accordingly. Doing this well requires attention to detail and a deep understanding of developer workflows. It also means that platform designs should, if possible, accommodate just-in-time access that elevates permissions only when necessary and revokes them after the required action. Sounds hard, but everything is moving faster in application development, so permissioning systems should meet the challenge, too. This means keeping developers in their workflows and making sure they get what they need when they need it, while also maintaining proper security. 

**Secure Defaults in Configuration Management: No Room for Sloppiness**

When your infrastructure is defined as code (IaC), the default settings for critical components (load balancers, database access, API gateways) become the foundation of your security posture. Developers want to spend as little time as possible on configurations. Yet a shockingly high percentage of security incidents are attributed to misconfigurations of security controls or access policies. Configuration management isn't sexy, but platform engineering for security means putting real muscle-building default configs and scanning behind it to ensure those configs are enforced in testing and deployment. Closely related to security configuration management is hardening IaC templates (Terraform, CloudFormation, etc.). These templates define your infrastructure deployments. Attackers know this and are paying more and more attention to IaC as an avenue of attack. Regular security reviews and IaC scanning can help uncover potential weaknesses. For their part, developers just want to grab a template and run with it. Inline suggestions where developers deploy infrastructure are becoming essential. New AI systems are particularly helpful in analyzing configurations and suggesting changes to harden or improve them.

**Automated Security Testing in CI/CD Pipelines: Fail Fast, Fail Safe**

Platform engineering must integrate security checks directly into your continuous integration and continuous delivery (CI/CD) pipelines so they run automatically whenever developers test code (and often before it is pushed to the main branch). This spots vulnerabilities early in the development cycle. Running static application security testing (SAST) and software composition analysis (SCA) to detect code vulnerabilities and risky open source components is the bare minimum.

More comprehensive practices entail container image scanning for known vulnerabilities and IaC scanning for misconfigurations. Better yet, deploying runtime scanners can detect problems that might appear only when processes are running. Properly done, security automation increases policy enforcement and reduces human error. However, heavy-handed automation can become problematic. For example, enforcing broad, automated code scanning of an entire application before every commit may result in scanners calling out known but irrelevant issues and slowing down CI/CD pipelines for no good reason. Scanning should be integrated with the developer experience using in-line tooling and scanners that never move the dev out of their comfort zone. Scanning can also focus on code that changes to reduce alert fatigue.

**GitOps for Version and Control**

Adopting GitOps for managing infrastructure and container images can help platform engineering better manage fast-changing configurations and create more transparent and accountable infrastructure engineering. Version control, deployment of configurations as code, and the use of a central repository are simple paths to improving application and infrastructure security by removing human errors, streamlining workflows, and eliminating unfamiliar additional IT orchestration systems. SecOps teams can even share Git access to GitOps workflows so that during a security incident everyone is in the same repo and able to root-cause together. For developers and DevOps, GitOps feels more native than trying to learn new environments like Ansible or other IT deployment and configuration engines.

**Conclusion: Platform Security is Job No. 1**

These are just some of the ways smart platform engineering can actually boost security while still improving developer experience, code velocity, and DevOps performance. Any assumption that enhancing platform security will necessarily slow down and hinder application development is a false trade-off. In fact, the two can be highly complementary, and platform engineers are probably better suited to delivering security while improving developer experience than security engineers themselves. For modern applications built on Kubernetes and microservices, platform engineering is not just about building functional systems but also about embedding security into the fabric of those systems, making it an integral part of security engineering.

**About the Author**

Senior Manager of Product Management, NGINX

Michelle Ensey is an accomplished product management professional with extensive experience across diverse industries. She currently serves at NGINX, where she plays a pivotal role in developing and delivering cutting-edge solutions to enhance application delivery and security. Known for her unwavering dedication to continuous learning and innovation, Michelle stays ahead of technological trends and is always enthusiastic about tackling new challenges and seizing opportunities to drive progress. Her commitment to excellence and her passion for technology make her a standout in her field.

Platform Engineering Is Security Engineering

Shadow apps, a segment of Shadow IT, are SaaS applications purchased without the knowledge of the security team. While these applications may be legitimate, they operate within the blind spots of the corporate security team and expose the company to attackers. 
Shadow apps may include instances of software that the company is already using. For example, a dev team may onboard their own

Shadow apps, a segment of Shadow IT, are SaaS applications purchased without the knowledge of the security team. While these applications may be legitimate, they operate within the blind spots of the corporate security team and expose the company to attackers.

Shadow apps may include instances of software that the company is already using. For example, a dev team may onboard their own instance of GitHub to keep their work separate from other developers. They might justify the purchase by noting that GitHub is an approved application, as it is already in use by other teams. However, since the new instance is used outside of the security team's view, it lacks governance. It may store sensitive corporate data and not have essential protections like MFA enabled, SSO enforced, or it could suffer from weak access controls. These misconfigurations can easily lead to risks like stolen source code and other issues.

**Types of Shadow Apps**

Shadow apps can be categorized based on their interaction with the organization's systems. Two common types are Island Shadow Apps and Integrated Shadow Apps.

**Standalone Shadow Apps**

Standalone shadow apps are applications that are not integrated with the company's IT ecosystem. They operate as an island in isolation from other company systems and often serve a specific purpose, such as task management, file storage, or communication. Without visibility into their use, corporate data may be mishandled, leading to the potential loss of sensitive information as data is fragmented across various unapproved platforms.

**Integrated Shadow Apps**

Integrated shadow apps are far more dangerous, as they connect or interact with the organization's approved systems through APIs or other integration points. These apps may automatically sync data with other software, exchange information with sanctioned applications, or share access across platforms. As a result of these integrations, threat actors could compromise the entire SaaS ecosystem, with the shadow apps acting as a gateway to access the integrated systems.

**How Shadow Apps Impact SaaS Security****Data Security Vulnerabilities**

One of the primary risks of shadow apps is that they may not comply with the organization's security protocols. Employees using unsanctioned apps may store, share, or process sensitive data without proper encryption or other protective measures in place. This lack of visibility and control can lead to data leaks, breaches, or unauthorized access.

**Compliance and Regulatory Risks**

Many industries are governed by strict regulatory frameworks (e.g., GDPR, HIPAA). When employees use shadow apps that haven't been vetted or approved by the organization's IT or compliance teams, the organization may unknowingly violate these regulations. This could lead to hefty fines, legal actions, and reputational damage.

**Increased Attack Surface**

Shadow apps widen the organization's attack surface, providing more entry points for cybercriminals. These apps may not have hardened their access controls, enabling hackers to exploit them and gain access to company networks.

**Lack of Visibility and Control**

IT departments need to have visibility over the apps being used within the organization to effectively manage and secure the company's data. When shadow apps are in use, IT teams may be blind to potential threats, unable to detect unauthorized data transfers, or unaware of risks stemming from outdated or insecure applications.

Learn how an SSPM protects your SaaS stack and detects shadow apps

**How Shadow Apps Are Discovered**

SaaS Security Posture Management (SSPM) tools are essential to SaaS security. Not only do they monitor configurations, users, devices, and other elements of the SaaS stack, but they are essential in detecting all non-human identities, including shadow applications.

SSPMs detect all SaaS applications that connect to another app (SaaS-to-SaaS), enabling security teams to detect integrated shadow apps. They also monitor sign-ins through SSOs. When users sign into a new app using Google, SSPMs make a record of that sign in. Existing device agents that are connected to your SSPM are a third way to see which new applications have been onboarded.

In addition, SSPMs have new methods of shadow app detection. An innovative approach integrates SSPM with existing email security systems. When new SaaS applications are introduced, they typically generate a flood of welcome emails, including confirmations, webinar invitations, and onboarding tips. Some SSPM solutions directly access all emails and gather extensive permissions, which can be intrusive. However, the more advanced SSPMs integrate with existing email security systems to selectively retrieve only the necessary information, enabling precise detection of shadow apps without overreaching.

Email security tools routinely scan email traffic, looking for malicious links, phishing attempts, malware attachments, and other email-borne threats. SSPMs can leverage permissions already granted to an email security system, enabling the detection of shadow apps without requiring sensitive permissions being granted to yet another external security tool.

Another method for shadow app discovery involves integrating the SSPM with a browser extension security tool. These tools track user behavior in real time, and can flag user behavior.

Secure browsers and browser extensions log and send alerts when employees interact with unknown or suspicious SaaS apps. This data is shared with the SSPM platform, which compares it against the organization's authorized SaaS list. If a shadow SaaS app is detected, the SSPM triggers an alert. This enables the security team to either properly onboard and secure the shadow app or offboard it.

As organizations continue to embrace SaaS applications for improved efficiency and collaboration, the rise of shadow apps is a growing concern. To mitigate these risks, security teams must take proactive measures to discover and manage shadow apps, leveraging their SSPM with shadow app discovery capabilities.

Get a demo of Adaptive Shield's key security features organizations benefit from to secure their entire SaaS stack.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Shining a Light on Shadow Apps: The Invisible Gateway to SaaS Data Breaches

Researchers flagged a pair of Gallup polling site XSS vulnerabilities that could have allowed malicious actors to execute arbitrary code, access sensitive data, or take over a victim account.

Source: Kristoffer Tripplaar via Alamy Stock Photo

UPDATE

As election season started to simmer over the summer, the Gallup polling company rushed to patch against a pair of cross-site scripting (XSS) vulnerabilities in the company's website that left it vulnerable to malicious actors.

Both flaws presented the opportunity for adversaries to perform actions on behalf of users.

These weaknesses are particularly concerning heading into a US election season that is already being widely targeted by misinformation. Just this week, for instance, the US Department of Justice accused Russia of a $10 million disinformation campaign that sought to barrage social media with enough bad information to sway the presidential election in November.

Cybersecurity researchers with Checkmarx explained in a report on Sept. 9 that they first contacted the incident response team at Gallup on June 23 to report the XSS flaws — the first a reflected XSS bug with a CVSS score of 6.5 out of 10, and the second a document object model (DOM)-based XSS vulnerability with a CVSS score of 5.4.

Cross-scripting flaws allow an attacker to use the URL address bar to insert unauthorized script into a page. For this attack, a target would be sent a malicious URL that looks exactly like a Gallup.com page. Once the victim clicks on the link, they are taken to a page indiscernible from the real thing֫—except in this instance the attacker controls the content displayed.

While these flaws do not impact any of Gallup’s internal data or polling, the bugs could be used by bad actors to spoof convincing looking Gallup.com site pages with misleading information. At scale, a convincing Gallup-branded page could be used spread misinformation to millions of people at once. Of particular concern to the Checkmarx team is that with a trusted name like Gallup behind the bad information, the campaign could appear incredibly convincing—a particularly dangerous risk during election season.

"In an era where misinformation and identity theft pose significant threats, the security of survey platforms is crucial, particularly during pivotal global election cycles," the Checkmarx team wrote. "Gallup, the leading survey company, quickly addressed security vulnerabilities that could be exploited to facilitate the dissemination of false information and compromise the personal data of users."

**Gallup's Cross-Site Scripting Vulnerabilities**

In the case of the first reflected XSS flaw, the researchers found that "the /kiosk.gx endpoint does not properly sanitize or encode the query string ALIAS parameter value before including it on the page."

Exploitation of the vulnerability could allow malicious actors to execute code in the targeted user's navigation session to perform various actions on their behalf, the researchers added.

"It's important to note that this endpoint is commonly used to access Gallup surveys, which may make users more susceptible to exploitation," the Checkmarx team wrote. "This could lead to unauthorized access to personally identifiable information (PII), manipulation of user preferences, and other detrimental actions."

In the second flaw, the endpoint once again failed to protect query parameter values before adding them to the page, giving a malicious actor another opportunity to perform tasks disguised as the target users and even take over the account altogether.

To avoid similar XSS flaws, the researchers at Checkmarx suggest that cybersecurity teams ensure their data is properly encoded before sending it to the response markup (HTML) or page DOM. Further, they recommend tweaking the content security policy to block locations where the browser can fetch or execute scripts.

"The prevalence of misinformation was identified as the top global risk in 2024 by the World Economic Forum’s 'Global Risks Report 2024,'" Checkmarx vice president of security research Erex Yalon says. "\[It's important to\] secure software that is prone to exploits of malicious actors, educate and close the knowledge gap, and hopefully safeguard the integrity of the election process."

This post was updated at 11:30AM ET on Sept. 11, 2024, to reflect that the bugs affected the website, not the Gallup Poll itself.

Another update was made at 4:53PM ET on Sept. 11, 2024 to clarify that neither vulnerability could have allowed attacker access to Gallup.com infrastructure and did not put internal data at risk of compromise.

Gallup.com Bugs Open Door to Election Misinformation

Researchers flagged a pair of Gallup site XSS vulnerabilities.

Source: Kristoffer Tripplaar via Alamy Stock Photo

UPDATE

Editor's Note: Dark Reading has become aware that a portion of the original Checkmarx research on these vulnerabilities is in dispute, prompting us to retract sections of our reporting below.

As election season started to simmer over the summer, the Gallup polling company rushed to patch against a pair of cross-site scripting (XSS) vulnerabilities in the company's website that left it vulnerable to misuse by malicious actors.

Cybersecurity researchers with Checkmarx explained in a report on Sept. 9 that they first contacted the incident response team at Gallup on June 23 to report the XSS flaws — the first a reflected XSS bug with a CVSS score of 6.5 out of 10, and the second a document object model (DOM)-based XSS vulnerability with a CVSS score of 5.4.

The flaws do not impact any of Gallup’s internal data or polling.

**Gallup's Cross-Site Scripting Vulnerabilities**

In the case of the first reflected XSS flaw, the researchers found that "the /kiosk.gx endpoint does not properly sanitize or encode the query string ALIAS parameter value before including it on the page."

In the second flaw, the endpoint once again failed to protect query parameter values before adding them to the page.

To avoid similar XSS flaws, the researchers at Checkmarx suggest that cybersecurity teams ensure their data is properly encoded before sending it to the response markup (HTML) or page DOM. Further, they recommend tweaking the content security policy to block locations where the browser can fetch or execute scripts.

This post was updated at 11:30AM ET on Sept. 11, 2024, to reflect that the bugs affected the website, not the Gallup Poll itself.

Another update was made at 4:53PM ET on Sept. 11, 2024 to clarify that neither vulnerability could have allowed attacker access to Gallup.com infrastructure and did not put internal data at risk of compromise.

A third update was made at 1:03PM ET on Sept. 12, 2024, to remove sections of the article that were based on now-disputed portions of the original Checkmarx blog.

Gallup Addresses XSS Bugs in Website

Cisco Talos is disclosing a new threat called “DragonRank” that primarily targets countries in Asia and a few in Europe, operating PlugX and BadIIS for search engine optimization (SEO) rank manipulation.

DragonRank, a Chinese-speaking SEO manipulator service provider

CISA has added CVE-2024-40766 to its Known Exploited Vulnerabilities catalog.

Source: Michael Vi via Shutterstock

Threat actors, including Akira ransomware affiliates, have begun exploiting a critical remote code execution (RCE) vulnerability that SonicWall disclosed — and patched — in its Gen 5, Gen 6, and some versions of its Gen 7 firewall products last month.

The attack activity has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability, identified as CVE-2024-40766, to its Known Exploited Vulnerabilities (KEV) database. The vulnerability is one of the three that CISA added to its KEV catalog this week and wants federal civilian executive branch (FCEB) agencies to address by Sept. 30.

**Improper Access Control Bug**

CVE-2024-40766 is an improper access control bug in the management access component of SonicWall SonicOS running on the company’s SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older. It lets attackers gain complete control of affected devices and in some cases cause the firewall to crash entirely.

SonicWall first disclosed the bug on Aug. 22 and assigned it a severity rating of 9.3 out a possible maximum of 10 on the CVSS scale. On Sept. 6, the network security vendor updated the advisory to include the local SSLVPN accounts as being vulnerable to CVE-2024-40766 as well. The advisory also warned customers about attack activity targeting the vulnerability and urged organizations to immediately apply the company's recommended mitigations for it.

Artic Wolf on Friday said it had observed Akira ransomware affiliates abusing the vulnerability to compromise SSLVPN accounts on SonicWall devices. "In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory," Arctic Wolf said.  "Additionally, MFA was disabled for all compromised accounts."

SonicWall wants customers of affected appliances to update to fixed versions of the technology as soon as possible. The company also recommends that organizations limit firewall management functions to trusted sources and to disable WAN management via the Internet. "Similarly, for SSLVPN, please ensure that access is limited to trusted sources, or disable SSLVPN access from the Internet," SonicWall advised.

The company is also "strongly" advocating that administrators of the company's Gen 5 and Gen6 firewalls ensure that SSLVPN users with locally managed accounts change their passwords immediately to protect against unauthorized access. Additionally, SonicWall has recommended that organizations enable multifactor authentication (MFA) for all SSLVPN users.

**SonicWall: A Popular Target**

SonicWall's firewall products, like routers, VPNs and other network security technologies are an attractive attack target because of the elevated privileges threat actors can gain on a target network by compromising one of these products. Many network security products give attackers access to all traffic flowing in and out of a network and also to the valuable assets and data that are behind the devices. In recent years, security vendors such as Cisco and entities like CISA and the UK's National Cyber Security Center (NCSC) have warned repeatedly about attackers targeting vulnerabilities in network devices as a means to gain an initial foothold on target devices.

Earlier this year, CISA, for instance, identified China's notorious Volt Typhoon group as routinely targeting networking appliances from vendors such as Fortinet, Ivanti, NetGear, Cisco, and Citrix to obtain initial access. In a 2023 report, Cisco said it had observed continuous malicious activity, including traffic manipulation and copying, infrastructure reconnaissance, and active attempts to weaken network defenses, by state sponsored actors and intelligence agencies around the world. The company assessed that attackers like targeting network technologies such as routers and switches because of the deep visibility they enable on a victim network and because organizations often fail to keep the devices properly secured and patched.

Concerns over heightening government exposure to such attacks prompted CISA to issue a binding operational directive in late June that required FCEB agencies to implement strong measures to protect management interfaces for specific network devices such as firewalls, routers, switches, VPN concentrators, load balancers, and proxies.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#perl