Categories: Business
In this post, a cybersecurity expert gives his 6-point checklist of features your EDR should have to stop ransomware.



(Read more...)




The post Can your EDR handle a ransomware attack? 6-point checklist for an anti-ransomware EDR appeared first on Malwarebytes Labs.

Most cybersecurity experts agree that having Endpoint Detection and Response software is essential to fighting ransomware today—but not every EDR is equal.

Businesses, especially small-to-medium sized ones with limited budget or IT resources, need to make sure that their EDR is cost-effective, easy-to-use, and able to reliably stop the growing ransomware threat. So precisely what features should SMBs be looking for in an anti-ransomware EDR, and why?

In this post, Robert Zamani, Regional Vice President, Americans Solutions Engineering at Malwarebytes, gives his 6-point checklist of features your EDR should have to stop ransomware.

**Table of contents**

*   **How should EDR address ransomware?**

1.  **Multi-vector Endpoint Protection (EP) is built-in**
2.  **Maintains visibility and patching regularly**
3.  **Has machine learning (ML) to recognize ‘goodware’ instead of malware**
4.  **Uses standard reference language and forensic analysis**
5.  **Thorough containment, eradication, and recovery options**
6.  **Searches for ransomware indicators across all your managed endpoints**

*   **More resources**

**How should EDR address ransomware?**

At its core, ransomware is an exploitation of trust, Zamani says.

“We place our trust in applications to perform only the functions we intended, Operating Systems to perform functions we authorized, and that our credentials (user ID/password) are used only by authorized personnel. Stolen credentials, phishing attacks, zero-day applications, and OS vulnerabilities exploit our trust in endpoints. And since ransomware stems from exploitation of trust, then EDR is not optional when it comes to mitigating a detected threat."

A risk management strategy states that we cannot eliminate all system vulnerabilities or block all cyberattacks. In other words, your EDR should be optimized to “prevent what you can and mitigate the rest.”

> "Since ransomware stems from exploitation of trust, then EDR is not optional when it comes to mitigating a detected threat."
> 
> _Robert Zamani, Regional Vice President, Americans Solutions Engineering_

**1\.   Multi-vector Endpoint Protection (EP) is built-in**

The base functionality of any EDR is to notify you of any suspicious activity that is taking place on your systems and offer “response” capabilities to mitigate the detection. However, EDR doesn’t inherently do any prevention: It won’t stop the threat from breaching your environment in the first place. 

Relying solely on EDR as a prevention solution will overwhelm your staff and increase operational costs.

That is why anti-ransomware starts with preventing the known bad, Zamani says. Enter Endpoint Protection (EP), an advanced threat prevention solution for endpoints that uses a layered approach with multi-vector detection techniques.

Many EDR vendors will offer EP as a separate offering—usually, these are just file-based scanners looking for possible clues to malware in binary files. This is the minimal functionality of EP and insufficient because there is more that can be prevented, Zamani says.

EP must reduce the attack surface of ransomware through a combination of comprehensive web protection, application hardening, and other “first-layers of defense”. Since most ransomware attacks start with a phishing email, this primary ‘preventative’ type of endpoint protection is essential.

For a budget-friendly way to get the first layer of ransomware protection, look for an EDR with full-stack Endpoint Protection.

_EP gives you a “first-layer of defense” against known and unknown malware, ransomware, and other threats._

**2\. Maintains visibility and patching regularly**

Patching is not just system maintenance, Zamani says. According to the Ponemon Institute, 57% of cyberattack victims report that their breaches could have been prevented by installing an available patch. 

“Application and OS vulnerability assessment and patch management solutions are preventative and reduce the ransomware attack surface on endpoints. A good application and OS, vulnerability management solution must automate inventory and severity classification based on CVSS scoring,” Zamani says. “The sorting by severity and grouping by the asset (endpoint) will allow you to prioritize patching the most valuable endpoints.”

In short, make sure your EDR has some sort of vulnerability and patch management component to make it more difficult for ransomware attackers to breach your systems.

**3\. Has machine learning (ML) to recognize ‘goodware’ instead of malware**

A good EDR is looking for a deviation from good behavior, Zamani says. When an application launches and performs in an expected way, we call that an example of good behavior—and when it doesn’t, the administrator gets an alert notifying them of suspicious activity warranting investigation.

Contrast this with an ML model trained to recognize “bad behavior,” where the model finds patterns in datasets of known malware code. On the low side, there are tens of billions of unique malware, so we can safely assume “bad behavior” is seemingly endless.

The larger the dataset of bad behavior, the greater the chances of misinterpreting good behavior as bad, leading to many false positives.

“Indicators of Compromise (IOC) and Indicators of Attack (IOA) are ill-suited for EDR detections. IOC and IOA define bad, and ‘bad’ mutates, creating 100s of billions of possibilities,” Zamani says. Therefore, a modern EDR heuristics engine must be trained on the good behavior of known-good applications.

Dealing with too many false positives costs time and manpower, distracting you from actual security issues like ransomware. Make sure you choose an EDR that detects deviations from known-good applications to reduce false positives that could distract you in your fight against ransomware.

**4\. Uses standard reference language and forensic analysis**

So your EDR has EP and is looking for deviation from known-good behavior to lower false positives—now, it has sent you a notification of a ransomware threat. The next piece of an anti-ransomware EDR is that the information that comes to you should be standardized both in summary and in detail.

“Traditional, older style EDR will use vendor-specific verbiage for describing the attack,” Zamani says. “But in your EDR, you want the TTPs (tools, techniques, and procedures) of threats to be described in plain English with a common reference number.”

The reference number is necessary for documentation purposes, Zamani says. At the same time, the plain-English description is necessary for you to know at what stage an endpoint was ransomed (because a hacker could have exploited a vulnerability in a still-running application).

> "In your EDR, you want the TTPs (tools, techniques, and procedures) of threats to be described in plain English with a common reference number.”
> 
> _Robert Zamani, Regional Vice President, Americans Solutions Engineering_

To avoid unnecessary complexity in figuring out the origin of a ransomware threat, your EDR solution should have an industry standardized way of describing the attack—such as MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge).

“Your EDR needs to tell the story of what happened using the standard reference language of MITRE with direct links to the MITRE ATT&CK reference library,” Zamani says. “It should provide a summary using a Kanban board and a separate process graph with detailed forensics of what and how it happened.”

_Your EDR should show you alerts that are standardized both in summary and in detail._

Look to an EDR to mitigate unforeseen threats and ultimately a new method of ransomware (exploitation of trust), says Zamani.

If one of your endpoints gets infected with ransomware, we want to stop the spread as fast as possible, which NIST defines as “containment” in its “Computer Security Incident Handling Guide.”

Containment prevents lateral movement of an attack by allowing you to contain individual machines, processes, or user-IDs and continue active response activities—making quick and easy containment features a must for your EDR.

But the fight doesn’t stop at containment, says Zamani.

“So you’ve contained and studied a threat with your EDR. That’s great,” says Zamani. “But now you want to do remediation. You want to remotely eradicate the ransomware and restore the endpoint to a known-good state free of malware, virus, unwanted programs including unwanted modification.”

But you may ask: Aren’t eradicating and recovering from ransomware the same thing? Not quite, Zamani says.

“Just because you deleted the artifacts does not restore the endpoint into a state where the machine can function. For example, a registry key says the startup sequence is ‘malware first, and then boot.’ So we remove the nasty registry key ‘malware first’, but if you say nothing else, the system won't boot!”

In other words, your EDR needs instrumentation that not only eradicates ransomware but actually recovers and restores the machine's state into a functioning state where it can be returned to the network.

“Your ransomware rollback should store changes to data files on the system in a local cache for 72 hours (no ransomware actually exceeds 24 hours), which can be used to help revert changes caused by ransomware,” Zamani says.

**6\. Searches for ransomware indicators across all your managed endpoints**

What if you want to see if the same ransomware threat you discovered on one of your endpoints is in the early stages of the attack on other endpoints?

“Your EDR should have a search engine that can look at any of the TTPs and search across your network,” Zamani says. “Because you want to see if you can catch something early enough before it hits the point of ransom.”

Look for an EDR that can search data like files, registry, processes, and networking activity so you can threat hunt or analyze how a ransomware compromise occurred in your environment.

**Businesses need an EDR that immediately detects and responds to ransomware threats**

In this post, cybersecurity expert Robert Zamani explained the features SMBs should look for in an anti-ransomware EDR and why.

Of course, the fight against ransomware doesn’t stop at EDR: you still good cyber hygiene with a well-written and practiced Incident Response Plan (IRP). Looking to further empower your business in the fight against ransomware?

Read our "A Defender's Guide to Ransomware Resilience" eBook!

**More resources**

Ransomware protection with Malwarebytes EDR: Your FAQs, answered!

Simplifying the fight against ransomware: An expert explains

Demo: Your data has been encrypted! Stopping ransomware attacks with Malwarebytes EDR

Can your EDR handle a ransomware attack? 6-point checklist for an anti-ransomware EDR

Categories: Privacy
Twitter has confirmed a data breach on July 2.



(Read more...)




The post Twitter data breach affects 5.4M users appeared first on Malwarebytes Labs.

Twitter has confirmed that it was breached last month via a now-patched 0-day vulnerability in Twitter’s systems, allowing an attacker to link email addresses and phone numbers to user accounts. This enabled the attacker to compile a list of 5.4 million Twitter user account profiles.

> “We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account. We take our responsibility to protect your privacy very seriously, and it is unfortunate that this happened.”

When a person submits a publicly known email address or phone number to Twitter, the system tells this person what Twitter account the email or phone number is associated with. The attacker took advantage of this and created a list containing 5.4 million Twitter users with scraped publicly available details of the accounts, including whether the account was verified.

This is especially worrying for users who want to remain anonymous on the platform. It's a bit late now, but Twitter recommends anyone trying to stay anonymous should not tie a publicly known phone number or email to their Twitter account.

> If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened. To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.

According to BleepingComputer, the attacker sold the data on twice, saying that “the data would likely be released for free in the future.”

Twitter introduced the vulnerability after updating its code in June 2021. A threat hunter reported this vulnerability in January 2022, with Twitter eventually awarding the researcher for the find as part of its bug bounty program.

While the company says no passwords were compromised, it continues to encourage users to enable two-factor authentication (2FA) for their accounts, either in the form of authentication apps or hardware keys.

Twitter data breach affects 5.4M users

Twitter on Friday revealed that a now-patched zero-day bug was used to link phone numbers and emails to user accounts on the social media platform.
"As a result of the vulnerability, if someone submitted an email address or phone number to Twitter's systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any,"

Twitter on Friday revealed that a now-patched zero-day bug was used to link phone numbers and emails to user accounts on the social media platform.

"As a result of the vulnerability, if someone submitted an email address or phone number to Twitter's systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any," the company said in an advisory.

Twitter said the bug, which it was made aware of in January 2022, stemmed from a code change introduced in June 2021. No passwords were exposed as a result of the incident.

The six-month delay in making this public stems from new evidence last month that an unidentified actor had potentially taken advantage of the flaw before the fix to scrape user information and sell it for profit on Breach Forums.

Although Twitter didn't reveal the exact number of impacted users, the forum post made by the threat actor shows that the flaw was exploited to compile a list containing allegedly over 5.48 million user account profiles.

Restore Privacy, which disclosed the breach late last month, said the database was being sold for $30,000.

Twitter stated it's in the process of directly notifying account owners affected by the issue, while also urging users to turn on two-factor authentication to secure against unauthorized logins.

The development comes as Twitter, in May, agreed to pay a $150 million fine to settle a complaint from the U.S. Justice Department that alleged the company between 2014 and 2019 used information account holders provided for security verification for advertising purposes without their consent.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploit Twitter Vulnerability to Exposes 5.4 Million Accounts 

A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06. This occurs in the admin portal when the configuration has XSS_PROTECTION_ENABLED=false.

** Zero-Day Advisory**

**Fortinet Discovers dotCMS Multiple Cross-Site Scripting Vulnerability**

**Summary**

Fortinet's FortiGuard Labs had discovered a Cross-Site Scripting (XSS) vulnerability in dotCMS Admin Portal.

dotCMS is an open source content management system (CMS) written in Java for managing content and content driven sites and applications.

The vulnerability is caused by insufficient input sanitization in dotCMS Core. Upon successful exploitation, it allows attackers to launch client-side script execution in the browser's process context.  

**Solutions**

FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability:

**dotCMS.Portal.Multiple.XSS**  
Released Aug 02, 2022

Users should always enable XSS Prevention feature on dotCMS

**Additional Information**

The vulnerability affected dotCMS Core.  

**Timeline**

Fortinet reported the vulnerability to dotCMS on 10 June, 2022.

dotCMS confirmed the vulnerability on 25th  June, 2022 and concluded it as a no-fix issue. 

**Acknowledgement**

This vulnerability was discovered by Nguyen Thanh Nguyen of Fortinet's FortiGuard Labs.

**IPS Subscription**

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability with the appropriate configuration parameters in place. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

CVE-2022-37431: Fortiguard

Agentless approach meets the attacker earlier to protect financial services and other large enterprises from an underserved attack vector.

**NEW YORK, NY – Aug. 3, 2022** – Deep Instinct, the first company to apply end-to-end deep learning to cybersecurity, today delivered Deep Instinct Prevention for Applications, an agentless, on-demand, antimalware solution for the enterprise that is device and operating system agnostic. This new offering revolutionizes threat protection beyond the endpoint with flexible, deploy anywhere, in-transit file scanning via API to quickly return a malicious versus benign verdict at enterprise speed. It protects any web application or cloud storage from malicious content while fully ensuring data privacy.

Until now, financial services and other industries with petabytes of data in motion each day have been at high risk from uploaded malicious content that can be detonated upon download from storage. These organizations have been relying on antiquated solutions that are slow, consume vast CPU and memory resources, and miss unknown malware, leaving this threat segment underserved.

In the wake of the pandemic, fintech transactions alone rose by 13% and their volume by 11%, indicating significant industry growth. With tens of millions of files in transit each day connected to high-value trading data, mortgage applications, insurance claims, and other sensitive information, financial institutions are at risk from unchecked malicious uploads or downloads and lack viable options to ensure infected content is not a threat to their operations or their customers. As threat actors seek alternative points of entry into enterprise environments, this risk factor will only increase. In fact, one study found that 35% of "never-before-seen" malware files were hidden in Microsoft Office and PDF files.

"As threat actors compromise points of entry beyond the endpoint, financial services institutions that exchange tens of millions of files each day are at increased risk. This was primarily created by the failure of established antivirus, network and other solutions to evolve. They are slow, can't scale or process high volumes of daily traffic or handle large file sizes, and often resort to sandboxing. As a result, they continue to miss unknown threats, and incur high infrastructure costs. "That's the worst of both worlds for an enterprise," said Guy Caspi, CEO and Co-Founder of Deep Instinct. "Deep Instinct is disrupting the cybersecurity status quo by setting a new standard for preventing malicious files, both known and unknown, before they reach storage."

Deep Instinct Prevention for Applications provides organizations an on-demand, high-speed scanning solution that prevents \>99% unknown malware hidden in files and easily scales to scan tens of millions of files per day. With very low CPU requirements, a low false-positive rate of <0.1%, near zero latency, and low processing requirements, Deep Instinct provides the most innovative solution for this underserved threat gap. A typical traditional AV solution is ineffective at preventing unknown malware, will require sandbox and cloud intelligence checks, and takes an average of 90 seconds to 3 minutes to make decisions. Traditional AV/sandbox solutions are ineffective at solving this issue as they are easily evaded and slow to respond. This increases risk and negatively affects the user experience but impacts the business by slowing down critical processes.

"Deep Instinct is addressing a major pain point of today's enterprise — their exposure to an ever-expanding number of attack vectors," said David OLeary, Field CISO – Sr. Director, Global Cybersecurity, SHI. "We look forward to bringing this truly unique solution to our enterprise customer base and helping them better protect themselves and their customers from malicious content as they exchange important files every day."

Other benefits of Deep Instinct Prevention for Applications include the following:

*   Does not rely on the cloud to provide a verdict.
*   Only the file hash ever leaves the environment, retaining full customer data privacy.
*   No customer data is used for training or updating AI models.
*   Minimal infrastructure resources, including CPU and memory usage, combined with a small footprint, ensure a low total cost of ownership.

For more product information and case studies, please visit: https://deepinstinct.com/prevention-for-applications.

**About Deep Instinct**

Deep Instinct takes a prevention-first approach to stopping ransomware and other malware using the world's first and only purpose-built, deep-learning cybersecurity framework. We predict and prevent known, unknown, and zero-day threats in <20 milliseconds, 750X faster than the fastest ransomware can encrypt. Deep Instinct has >99% zero-day accuracy and promises a <0.1% false positive rate. The Deep Instinct Prevention Platform is an essential addition to every security stack — providing complete, multilayered protection against threats across hybrid environments. For more, visit www.deepinstinct.com.

Deep Instinct Pioneers Deep-Learning Malware Prevention to Protect Mission-Critical Business Applications at Scale

Because they leave so little time to patch and defuse, zero-day threats require a proactive, multilayered approach based on zero trust.

The recent Atlassian Confluence remote code execution bug is just the latest example of zero-day threats targeting critical vulnerabilities within major infrastructure providers. The specific threat, an Object-Graph Navigation Language (OGNL) injection, has been around for years but took on new significance given the scope of the Atlassian exploit. And OGNL attacks are on the rise.

Once bad actors find such a vulnerability, proof-of-concept exploits start knocking at the door, seeking unauthenticated access to create new admin accounts, execute remote commands, and take over servers. In the Atlassian case, Akamai's threat research team identified that the number of unique IP addresses attempting these exploits grew to more than 200 within just 24 hours.

Defending against these exploits becomes a race against time worthy of a 007 movie. The clock is ticking and you don't have much time to implement a patch and "defuse" the threat before it's too late. But first you need to know that an exploit is underway. That requires a proactive, multilayered approach to online security based on zero trust.

What do these layers look like? Consider the following practices that security teams — and their third-party Web application and infrastructure partners — should be aware of.

**Monitor Vulnerability Repositories**

Mass vulnerability scanning tools like Nuclei's community-based scanner or Metasploit penetration testing are popular tools for security teams. They are also popular among bad actors who are looking for proof-of-concept exploit code that will help them probe for cracks in the armor. Monitoring these repositories for new templates that may be designed to identify potential exploit targets is an important step to maintain awareness of potential threats and stay a step ahead of the black hats.

**Make the Most of Your WAF**

Some may point to Web application firewalls (WAFs) as ineffective against zero-day attacks, but they can still play a role in mitigating the threat. In addition to filtering traffic for known attacks, when a new vulnerability is identified, a WAF can be used to quickly implement a "virtual patch," creating a custom rule to prevent a zero-day exploit and give you some breathing room while you work to implement a permanent patch. There are some downsides to this as a long-term solution, potentially affecting performance as rules proliferate to counter new threats. But it's a capability worth having in your defensive arsenal.

**Monitor Client Reputation**

When analyzing attacks, including zero-day events, it's common to see them using many of the same compromised IPs — from open proxies to poorly protected IoT devices — to deliver their payloads. Having a client reputation defense that blocks suspicious traffic originating from these sources can provide one more layer of defense from zero-day attacks. Maintaining and updating a client reputation database is not a small task, but it can dramatically reduce the risk of an exploit gaining access.

**Control Your Traffic Rates**

IPs that are hammering you with traffic can be a tip-off to an attack. Filtering out those IPs is another way to reduce your attack surface. While smart attackers may distribute their exploits across many different IPs to avoid detection, rate control can help filter out attacks that don't go to such lengths.

**Watch Out For Bots**

Attackers use scripts, browser impersonators, and other subterfuges to mimic a real, live person logging in to a website. Implementing some form of automated bot defense that triggers when it detects anomalous request behavior can be extremely valuable in mitigating risk.

**Don't Overlook Outbound Activity**

A common scenario for attackers attempting remote code execution (RCE) penetration testing is to send a command to the target Web server to perform out-of-band signaling to make an outbound DNS call to a beaconing domain controlled by the attacker. If the server makes the call, bingo — they found a vulnerability. Monitoring outbound traffic from systems that shouldn't be generating that traffic is an often overlooked way to spot a threat. This can also help spot any anomalies that the WAF missed when the request came as incoming traffic.  

**Sequester Identified Attack Sessions**

Zero-day attacks are not usually a "one and done" proposition; you may be targeted repeatedly as part of an active attack session. Having a way to spot these repeat attacks and automatically sequester them not only reduces risk, but it can also provide an auditable log of the attack sessions. This "trap and trace" capability is really useful for forensic analysis.

**Contain the Blast Radius**

Multilayered defense is about minimizing risk. But you may not be able to completely eliminate the chance that a zero-day exploit can squeak through. In that case, having blocks to contain the threat is critical. Implementing some form of microsegmentation will help prevent lateral movement, disrupting the cyber kill chain, limiting the "blast radius," and mitigating the impact of an attack.  

There is no single magic formula for defending against zero-day attacks. But applying a range of defensive strategies and tactics in a coordinated (and, ideally, automated) way can help minimize your threat surface. Covering the bases outlined here can go a long way to strengthening your defenses and help minimize the fire drills that erode team morale.

Zero-Day Defense: Tips for Defusing the Threat

This vulnerability allows local attackers to escalate privileges on affected installations of xhyve. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the e1000 virtual device. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-15056.

July 6th, 2022

**(0Day) xhyve e1000 Stack-based Buffer Overflow Local Privilege Escalation Vulnerability****ZDI-22-949  
ZDI-CAN-15056**

CVE ID

CVE-2022-35867

CVSS SCORE

7.5, (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)

AFFECTED VENDORS

xhyve  

AFFECTED PRODUCTS

xhyve  

VULNERABILITY DETAILS

This vulnerability allows local attackers to escalate privileges on affected installations of xhyve. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability.

The specific flaw exists within the e1000 virtual device. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor.  

ADDITIONAL DETAILS

This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120-day deadline.

10/21/21 – ZDI attempted to contact the vendor and obtain secure keys.  
10/22/21 – The contact advised they were only a one-time contributor but provided their key and agreed to receive the notification in case this was about their contribution.  
10/22/21 – The contact provided a GitHub link pointing to the admin of the repository as well as their contact information.  
10/25/21 –  The project owner advises to send the information, but also notes that the problem could have originated in FreeBSD’s bhyve. This issue was fixed in FreeBSD’s bhyve under CVE-2019-5609 and the code was never updated in xhyve.  
10/25/21 –  ZDI re-notified the case to the project owner and advised him to review the potential to notify FreeBSD.  
06/24/22 – ZDI verified that this code was still vulnerable as of this date.  
06/29/22 –  ZDI notified the vendor of the intention to publish the case as  a 0-day advisory on 07/6/22  

 -- Mitigation:  
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.

  

DISCLOSURE TIMELINE

*   2021-10-22 - Vulnerability reported to vendor
*   2022-07-06 - Coordinated public release of advisory
*   2022-07-14 - Advisory Updated

CREDIT

Alisa Esage of Zero Day Engineering (zerodayengineering.com)  

BACK TO ADVISORIES

CVE-2022-35867: ZDI-22-949

‘We believe that announcing vulnerabilities without a fix is the best solution for a difficult problem’

‘We believe that announcing vulnerabilities without a fix is the best solution for a difficult problem’

Open source DevOps platform Jenkins is warning users of unpatched security vulnerabilities impacting more than a dozen plugins.

A leading open source automation server, Jenkins provides thousands of plugins to support building, deploying, and automating projects.

The organization’s latest security advisory lists a total of 27 plugin vulnerabilities, five of which were deemed to be ‘high’ impact and the majority of which remain unpatched.

**High five**

First on the list of high impact bugs – all of which were unfixed at the time of writing – is a cross-site request forgery (CSRF) vulnerability in the Coverity plugin (CVE-2022-36920).

It was found that the plugin fails to perform a permission check in an HTTP endpoint. In addition, this HTTP endpoint does not require POST requests, opening the door to CSRF attacks.

**YOU MIGHT ALSO LIKE** CompleteFTP path traversal flaw allowed attackers to delete server files

Meanwhile, an arbitrary file write vulnerability in the CLIF Performance Testing Plugin (CVE-2022-36894) allows attackers with ‘Overall/Read’ permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

Stored cross-site scripting (XSS) flaws were also discovered in the Dynamic Extended Choice Parameter plugin (CVE-2022-36902) and Maven Metadata plugin (CVE-2022-36905), along with a reflected XSS vulnerability in the Lucene-Search plugin (CVE-2022-36922).

**Getting the word out**

Of the 27 plugin vulnerabilities listed in the latest Jenkins security advisory, 18 remained unpatched and are effectively zero-days.

Discussing the team’s decision to disclose these issues to the community in lieu of any fixes, Jenkins security officer Wadeck Follonier told _The Daily Swig_: “The main objective of the Jenkins security team is to ensure the Jenkins plugin ecosystem is as secure as possible.

“With a plugin ecosystem as big as ours, it isn’t a surprise that not every plugin is maintained all the time, and maintainers sometimes cannot be contacted, do not respond, or tell us they’re no longer able to maintain the plugin.

“In those cases, we analyze the vulnerability in depth, write up a detailed description, and announce it in a security advisory with other, fixed vulnerabilities.”

Read more about the latest security vulnerabilities

Follonier added: “We believe that announcing vulnerabilities without a fix is the best solution for a difficult problem, as it allows administrators to carefully consider their continued use of the affected plugin.

“Besides the Jenkins Advisories mailing list and our social channels, we inform administrators about vulnerabilities affecting their Jenkins instance directly on the UI immediately after publishing an advisory, so every Jenkins administrator gets informed about this.

“Our recommendation to Jenkins administrators is to read our security advisories to understand whether they’re impacted,” Follonier said. “A lot of vulnerabilities are irrelevant to instances with only a single administrator user that are inaccessible to others, for example.

“Of course, if they are unsure whether they are affected, the safest thing to do is to uninstall the plugin.”

**RECOMMENDED** Trio of XSS bugs in open source web apps could lead to complete system compromise

Jenkins security: Unpatched XSS, CSRF bugs included in latest plugin advisory

Plus: A Google Chrome patch licks the DevilsTongue spyware, Android’s kernel gets a tune-up, and Microsoft fixes 84 flaws.

July has been a month of important updates, including patches for already-exploited vulnerabilities in Microsoft and Google products. This month also saw the first Apple iOS update in eight weeks, fixing dozens of security flaws in iPhones and iPads.

Security vulnerabilities continue to hit enterprise products, too, with July patches issued for SAP, Cisco, and Oracle software. Here’s what you need to know about the vulnerabilities fixed in July.

Apple iOS 15.6

Apple has released iOS and iPadOS 15.6 to fix 37 security flaws, including an issue in Apple File System (APFS) tracked as CVE-2022-32832. If exploited, the vulnerability could allow an app to execute code with kernel privileges, according to Apple’s support page, giving it deep access to your device.

Other iOS 15.6 patches fix vulnerabilities in the kernel and WebKit browser engine, as well as flaws in IOMobileFrameBuffer, Audio, iCloud Photo Library, ImageIO, Apple Neural Engine, and GPU Drivers.

Apple isn’t aware of any of the patched flaws being used in attacks, but some of the vulnerabilities are pretty serious—especially those affecting the kernel at the heart of the operating system. It’s also possible for vulnerabilities to be chained together in attacks, so make sure you update as soon as possible.

The iOS 15.6 patches were released alongside watchOS 8.7, tvOS 15.6, macOS Monterey 12.5, macOS Big Sur 11.6.8, and macOS Catalina 10.15.7 2022-005.

Google Chrome

Google released an emergency patch for its Chrome browser in July, fixing four issues, including a zero-day flaw that has already been exploited. Tracked as CVE-2022-2294 and reported by Avast Threat Intelligence researchers, the memory corruption vulnerability in WebRTC was abused to achieve shellcode execution in Chrome’s renderer process.

The flaw was used in targeted attacks against Avast users in the Middle East, including journalists in Lebanon, to deliver spyware called DevilsTongue.

Based on the malware and tactics used to carry out the attack, Avast attributes the use of the Chrome zero-day to Candiru, an Israel-based company that sells spyware to governments.

Microsoft’s Patch Tuesday

Microsoft’s July Patch Tuesday is a big one, fixing 84 security issues including a flaw already being used in real-world attacks. The vulnerability, CVE-2022-22047, is a local privilege escalation flaw in the Windows Client/Server Runtime Subsystem (CSRSS) server and client Windows platforms, including the latest Windows 11 and Windows Server 2022 releases. An attacker able to successfully exploit the vulnerability could gain System privileges, according to Microsoft.

Of the 84 issues patched in Microsoft’s July Patch Tuesday, 52 were privilege escalation flaws, four were security feature bypass vulnerabilities, and 12 were remote code execution issues.

Microsoft security patches do sometimes cause other issues, and the July update was no different: Following the release, some users found MS Access runtime applications did not open. Thankfully, the firm is rolling out a fix.

Android July Security Bulletin

Google has released July updates for its Android operating system, including a fix for a critical security vulnerability in the System component that could lead to remote code execution with no additional privileges needed.

Google also fixed serious issues in the kernel–which could result in information disclosure—and the framework, which could lead to local privilege escalation. Meanwhile, vendor-specific patches from MediaTek, Qualcomm, and Unisoc are available if your device is using those chips. Samsung devices are starting to receive the July patch, and Google also released updates for its Pixel range.

SAP

Software maker SAP has issued 27 new and updated security notes as part of its July Security Patch Day, fixing multiple high-severity vulnerabilities. Tracked as CVE-2022-35228, the most serious issue is an information disclosure flaw in the central management console of the vendor’s Business Objects platform.

The vulnerability allows an unauthenticated attacker to gain token information over the network, according to security firm Onapsis. “Fortunately, an attack like this would require a legitimate user to access the application,” the firm adds. However, it’s still important to patch as soon as possible.

Oracle

Oracle has issued 349 patches in its July 2022 Critical Patch Update, including fixes for 230 flaws that can be exploited remotely.

Oracle’s April Patch Update included 520 security fixes, some of which addressed CVE-2022-22965, aka Spring4Shell, a remote code execution flaw in the spring framework. Oracle’s July update continues to address this issue.

Apple Just Patched 37 iPhone Security Bugs

Trend Micro Security 2021 and 2022 (Consumer) is vulnerable to an Out-Of-Bounds Read Information Disclosure Vulnerability that could allow an attacker to read sensitive information from other memory locations and cause a crash on an affected machine.

**LAST UPDATED: JUL 07, 2022**

**Release Date:** July 08, 2022

**Trend Micro Vulnerability Identifier:** CVE-2022-35234

**Platform(s):** Microsoft Windows

**CVSSv3 Scores:** 4:4 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

**Severity Rating** Medium

**Summary**

Trend Micro has released a hotfix for the Trend Micro Security for Windows family of consumer products (2021 and 2022) which resolves an Out-Of-Bounds Read Information Disclosure Vulnerability.

**Affected Versions**

PRODUCT

AFFECTED VERSION(S)

PLATFORM

LANGUAGE(S)

Trend Micro Security

2022 (17. 7.1383 and below)

Microsoft Windows

English

**Solution**

Trend Micro has released a hotfix available for each version below that resolves the issue.

PRODUCT

APPLICABLE VERSION(S)

PLATFORM

LANGUAGE(S)

Trend Micro Security

2022 (17.7) hotfix

Microsoft Windows

English

Trend Micro Security

2021 (17.0) hotfix

Microsoft Windows

English

**Vulnerability Details**

Trend Micro Security 2021 and 2022 (Consumer) is vulnerable to an Out-Of-Bounds Read Information Disclosure Vulnerability that could allow an attacker to read sensitive information from other memory locations and cause a crash on an affected machine.

Trend Micro has received no reports nor is aware of any actual attacks against the affected product related to this vulnerability at this time.

**Acknowledgement**

Trend Micro would like to thank the following individual for responsibly disclosing the issue and working with Trend Micro to help protect our customers:

*   Michael DePlante (@izobashi) with Trend Micro Zero Day Initiative.

**Additional Assistance**

Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.

**External Reference**

The following advisories may be found at Trend Micro's Zero Day Initiative Published Advisories site:

*   ZDI-CAN-16650

How helpful was this article?

*   It wasn't helpful at all.
*   Somewhat helpful.
*   Just okay.
*   It was somewhat helpful.
*   It was helpful.

*   \*Feedback submitted will only be used as reference for future product, service and article improvements.

Tag

#zero_day