SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Github Copilot vs. Google: Which code is more secure
Published: 2023-06-06
Last Updated: 2023-06-06 16:18:17 UTC
by Johannes Ullrich (Version: 1)
I played with GitHub Copilot and compared it to simply "Googling" code snippets to see which is more secure. Please see the video below for a quick recording of the experiment.
The task I selected was pretty trivial: A PHP script/page to collect data from an import form and insert it into a SQL database. There were two specific challenges I looked for:
Cross-site Scripting: I wanted the data the user entered to be "prefilled" into the form as it is returned to the user
SQL Injection: The data should be inserted into a SQL database
Both Copilot and the "Google" solution ignored the XSS issue. As far as SQL injection went, Copilot did use prepared statements, which is nice. The code was not as "clean" as I would have written it, but not that my code is always that great. When specifically asked to, Copilot did escape the data to avoid XSS.
The "Google" solution came from a random PHP tutorial with SQL injection and XSS vulnerabilities. In that sense, Copilot was better.
One important issue I noticed when using Copilot is that the code it comes up with varies in quality. Some of this may also be related to how "busy" Copilot is, as sometimes it responds slowly or not at all.
I also experimented with some other input validation with Copilot, which went okay if the prompt was done correctly.
Read the full entry:
https://isc.sans.edu/diary/Github+Copilot+vs+Google+Which+code+is+more+secure/29918/
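The diary does not reproduce the generated or tutorial code, so the following is an added example (written for this digest, not taken from the diary, from Copilot's output, or from the tutorial the diary compares it to) of the same task with both issues handled: the submitted value is bound as a prepared-statement parameter before insertion, and it is HTML-escaped before being prefilled back into the form. It assumes PHP with the pdo_sqlite extension, a single form field named `name`, and uses an in-memory SQLite table so it runs from the command line without a database server; the hostile sample input is constructed for the demonstration.

```php
<?php
// Added example: a minimal PHP form handler that stores a submitted value and
// prefills it back into the form, with the two issues from the diary handled.
// Assumptions: pdo_sqlite is available, the form field is "name", and an
// in-memory SQLite database stands in for the real one.
declare(strict_types=1);

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $db;
}

// Input validation: reject empty or oversized values before they reach the
// database or the page (the diary mentions this as a separate exercise).
function validName(string $name): bool {
    $len = mb_strlen($name, 'UTF-8');
    return $len > 0 && $len <= 100;
}

// SQL injection: the value is bound as a parameter, never spliced into the
// statement text. The unsafe shape would be
//   "INSERT INTO entries (name) VALUES ('$name')"
// which lets a quote in the input rewrite the query; here it is stored literally.
function storeName(PDO $db, string $name): int {
    $stmt = $db->prepare('INSERT INTO entries (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

function fetchName(PDO $db, int $id): ?string {
    $stmt = $db->prepare('SELECT name FROM entries WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['name'];
}

// XSS: the value is escaped before it lands inside the value="" attribute.
// Without htmlspecialchars(), a submitted  "><script>...  would close the
// attribute and the tag and execute in the browser of whoever views the page.
function renderForm(string $prefill): string {
    $safe = htmlspecialchars($prefill, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post">'
         . '<input type="text" name="name" value="' . $safe . '">'
         . '<button type="submit">Save</button>'
         . '</form>';
}

$db = openDb();

// Use the POSTed value when served over the web; on the CLI fall back to a
// constructed hostile sample that targets both the HTML attribute and the SQL.
$name = $_POST['name'] ?? '"><script>alert(1)</script>\' OR 1=1 --';

if (!validName($name)) {
    http_response_code(400);
    echo renderForm('');
    exit;
}

$id = storeName($db, $name);

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/html; charset=UTF-8');
}

// The stored value is the literal input (no query rewrite), and the rendered
// form carries it back as escaped text rather than as markup.
echo 'Stored: ' . fetchName($db, $id) . PHP_EOL;
echo renderForm($name) . PHP_EOL;
```

Running it with `php form.php` prints the stored string unchanged, followed by a form whose `value` attribute contains `&quot;&gt;&lt;script&gt;` rather than live tags. The escaping is done at output time and is specific to the HTML attribute context; a value placed inside a `<script>` block or a URL would need a different encoder, which is the part a generated snippet is most likely to get wrong.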
After 28 years, SSLv2 is still not gone from the internet... but we're getting there
Published: 2023-06-01
Last Updated: 2023-06-01 08:38:42 UTC
by Jan Kopriva (Version: 1)
Although the SSL/TLS suite of protocols has been instrumental in making secure communication over computer networks into the (relatively) straightforward affair it is today, the beginnings of these protocols were far from ideal.
The first publicly released version of Secure Sockets Layer protocol, the SSL version 2.0, was published all the way back in 1995 and was quickly discovered to contain a number of security flaws. This has led to the development of a more secure version of the protocol named SSLv3, which was officially published only a year later (and which, as it later turned out, had its own set of issues). It has also led to the official deprecation of SSLv2 in 2011.
Although, due to its deprecated status, most web browsers have been unable to use SSLv2 for over a decade, support for this protocol still lingers. A few years ago, one might still have found it supported even on web servers which one would hope would be as secure as possible - for example, on servers providing access to internet banking services.
Nevertheless, while going over data about open ports and protocol support on the internet, which I have gathered over time from Shodan using my TriOp tool, I have recently noticed that although there is still a not insignificant number of web servers which support SSLv2, the overall trend seems to show that such systems are slowly “dying off”.
Read the full entry:
Management of DMARC control for email impersonation of domains in the .co TLD - part 2 (2023.06.07)
Brute Forcing Simple Archive Passwords (2023.06.05)
https://isc.sans.edu/diary/Brute+Forcing+Simple+Archive+Passwords/29914/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2023-34152 - A vulnerability was found in ImageMagick. This security flaw causes a remote code execution vulnerability in OpenBlob with --enable-pipes configured.
Product: ImageMagick OpenBlob
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-34152
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8520
NVD References:
- https://access.redhat.com/security/cve/CVE-2023-34152
- https://bugzilla.redhat.com/show_bug.cgi?id=2210659
- https://github.com/ImageMagick/ImageMagick/issues/6339
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2ZUHZXQ2C3JZYKPW4XHCMVVL467MA2V/

CVE-2023-3079 - Chromium: CVE-2023-3079 Type Confusion in V8
Product: Google Chrome
CVSS Score: 0 AtRiskScore 40
** KEV since 2023-06-07 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3079
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-3079
NVD References:
- https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop.html
- https://crbug.com/1450481

CVE-2023-32692 - CodeIgniter allows arbitrary code execution via Validation Placeholders, patched in version 4.3.5.
Product: CodeIgniter
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-32692
NVD References:
- https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md
- https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-m6m8-6gq8-c9fj

CVE-2023-33189 - Pomerium access proxy may make incorrect authorization decisions with crafted requests (patched in versions 0.17.4 to 0.22.2).
Product: Pomerium
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33189
NVD References:
- https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb
- https://github.com/pomerium/pomerium/releases/tag/v0.17.4
- https://github.com/pomerium/pomerium/releases/tag/v0.18.1
- https://github.com/pomerium/pomerium/releases/tag/v0.19.2
- https://github.com/pomerium/pomerium/releases/tag/v0.20.1
- https://github.com/pomerium/pomerium/releases/tag/v0.21.4
- https://github.com/pomerium/pomerium/releases/tag/v0.22.2
- https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p

CVE-2023-33193 - Emby Server is vulnerable to administrative access via spoofing certain headers, allowing login without a password or viewing a list of users without passwords, on systems where the administrator hasn't tightened the account login configuration for administrative users.
Product: Emby.Releases
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33193
NVD References:
- https://github.com/EmbySupport/security/security/advisories/GHSA-fffj-6fr6-3fgf

CVE-2023-2972 - Prototype Pollution in GitHub repository antfu/utils prior to 0.7.3.
Product: Utils Project
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-2972
NVD References:
- https://github.com/antfu/utils/commit/7f8b16c6181c988bdb96613fbb2533b345f68682
- https://huntr.dev/bounties/009f1cd9-401c-49a7-bd08-be35cff6faef

CVE-2023-2978 - Abstrium Pydio Cells 4.2.0 has an authorization bypass vulnerability in its Change Subscription Handler, fixed in version 4.2.1 (VDB-230210).
Product: Abstrium Pydio Cells
CVSS Score: 9.8
NVD References:
- https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421
- https://vuldb.com/?ctiid.230210
- https://vuldb.com/?id.230210

CVE-2023-2979 - Abstrium Pydio Cells 4.2.0 allows remote attackers to gain improper access through User Creation Handler, with an upgrade to version 4.2.1 recommended to address this critical vulnerability (VDB-230211).
Product: Abstrium Pydio Cells
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-2979
NVD References:
- https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421
- https://vuldb.com/?ctiid.230211
- https://vuldb.com/?id.230211

CVE-2023-2980 - Abstrium Pydio Cells 4.2.0 is vulnerable to remote code execution due to improper control of resource identifiers in the User Creation Handler component.
Product: Abstrium Pydio Cells
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-2980
NVD References:
- https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421
- https://vuldb.com/?ctiid.230212
- https://vuldb.com/?id.230212

CVE-2023-33975 - RIOT-OS contains a network stack vulnerability allowing an attacker to execute arbitrary code by sending a crafted 6LoWPAN frame.
Product: RIOT-OS, an operating system for Internet of Things (IoT) devices
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33975
NVD References:
- https://github.com/RIOT-OS/RIOT/blob/f41b4b67b6affca0a8b32edced7f51088696869a/sys/net/gnrc/network_layer/sixlowpan/frag…
********** Sponsored By Corelight ***********
Webinar: Supercharge SecOps with long-term data | Storing rich environmental and behavioral data long term shouldn't break the bank. Corelight and CrowdStrike make it easy and affordable to see the complete history of attacks. Register to see how:
Enhancing OT Security: A Dual Perspective on Threat Detection with Emerson and Dragos - Join us on Thursday, June 15 at 3:30pm ET as Emerson & Dragos dive deeper into threat monitoring techniques, OT visibility, and incident response to better protect your industrial applications from cyber threats. | Register now:
Upcoming webcast: Achieve Cloud Security at Scale with Dave Shackleford on Thursday, June 15 at 1:00pm ET | Register now:
Tune in on Tuesday, June 20 at 3:30pm ET for our upcoming webcast: The Future of Risk-Based Detection | Register now: