SANS NewsBites

Disconnect My Book NAS Devices to Prevent Remote Wipe; Firmware Updates Required to Prevent Dell SupportAssist Arbitrary Code Execution; Medicare Conditions of Participation Ignore Connected Medical Device Network Security

June 25, 2021  |  Volume XXIII - Issue #50

Top of the News


2021-06-24

My Book Network-Attached Storage Devices are Being Remotely Wiped

Users of Western Digital My Book network-attached storage (NAS) devices have been reporting that their devices received a remote factory reset command and that their files have been deleted. Western Digital is urging users to disconnect their devices from the Internet while the issue is investigated.

Editor's Note

I will say it yet again: DO NOT EXPOSE NETWORK ATTACHED STORAGE TO THE INTERNET. This is not just a problem with Western Digital. All of these devices have had numerous vulnerabilities. These devices are marketed for simple Internet file sharing, but their rich history of vulnerabilities shows how they should never be used for anything other than internal file sharing.

Johannes Ullrich

Unfortunately, users almost certainly connected these devices directly to the Internet. But we can't blame users for this. They paid a premium for hardware that promised to provide a service. Western Digital suspended the program in 2015, leaving users who wanted to continue to use the devices as advertised with little choice but to expose the devices. Users unwittingly gravitated to the availability leg of the CIA triad (probably without even realizing said triad exists).

Jake Williams

“Remote factory reset command” – what could possibly go wrong? Network-Attached Storage devices should be on a network segment that is not visible to the Internet.

William Hugh Murray

2021-06-24

Vulnerabilities in Dell SupportAssist

Researchers from Eclypsium have discovered four vulnerabilities in the BIOSConnect feature of Dell SupportAssist. When chained together, the flaws “allow a privileged network adversary to impersonate Dell.com and gain arbitrary code execution at the BIOS/UEFI level of the affected device.” The flaws affect 128 models of Dell PCs and tablets. Server-side updates released in late May address two of the flaws; Dell has released client-side firmware updates to address the other two flaws.

Editor's Note

Dell's SupportAssist has a level of access to your system unlike any other software. To provide remote support with the ability not only to recover systems with corrupt boot partitions but also to flash the BIOS, SupportAssist has the ability to completely take over your system, and these vulnerabilities will transfer this ability to an attacker. Note that this will require a BIOS update, not just a “software update.”

Johannes Ullrich

This highlights why enterprises need to look very carefully at OEM software and ensure that it is removed where not needed. Dell SupportAssist is not something most organizations would want/need and yet is installed on practically every Dell machine sold. Security 101 mandates minimizing attack surface and this is no exception. Take this opportunity to review the other applications (particularly OEMs) installed on your golden image and remove anything not explicitly needed by a large percentage of your workforce.

Jake Williams

The best mitigation is to apply the BIOS updates now, then apply the updates to BIOSConnect when they are released in July. Don’t use BIOSConnect to update the BIOS; use other patching mechanisms to install updates with verified signatures. Alternatively, you can disable BIOSConnect, which can be done locally, but may be better performed using their DCC remote system management tool. Don’t let users locally update their systems via the “BIOS Flash Update – Remote” (F12) option until the system has the known good BIOS installed.

Lee Neely

2021-06-23

OIG Report: Medicare Needs to Improve Hospital Medical Device Security Assessments

A report from the Office of Inspector General for Health and Human Services (OIG HHS) says that the Centers for Medicare & Medicaid Services (CMS) does not have adequate protocols in place to assess the cybersecurity of networked medical devices in hospitals. In the report OIG HHS writes that they “recommend that CMS identify and implement an appropriate way to address cybersecurity of networked medical devices in its quality oversight of hospitals, in consultation with Department of Health and Human Services (HHS) partners and others.”

Editor's Note

This past year has raised the bar on hospital attacks, taking advantage of potentially weakened security or shortness of staffing. This comes back to the core critical controls – knowing what you have and what it’s supposed to be doing, as well as keeping it updated. This requires monitoring and alerting; use caution as some active processes, such as scanning, can be harmful to OT devices. Segment wherever possible, particularly guest, staff and operational network services. Schedule validation of your security posture, hire a trusted partner to identify issues overlooked and opportunities to improve, then work to implement them. Don’t overlook staff or training shortfalls.

Lee Neely

In the US, the oversight of security of medical devices has multiple agencies involved, and many different forms of “certification” – but all continue to suffer from lack of enforcement to drive changes in procurement and operations issues to increase security levels. On the privacy side, HIPAA has started to have some teeth – I think the privacy aspect will be the more likely avenue for progress than any hope for meaningful raising of the CMS bar in the security related elements of the Conditions of Participation in the Medicare program.

John Pescatore

Again, intuition serves us poorly. The first step in medical device security is to hide them. Healthcare in general, and patient care institutions in particular, need to segment their networks, such that medical devices are hidden, and patient care apps are hidden from those applications that, like e-mail and browsing, must be connected to the public networks.

William Hugh Murray

The Rest of the Week's News


2021-06-24

Google’s Unified Vulnerability Schema to Manage Vulnerabilities in Open Source

On Thursday, June 24, Google announced “a unified vulnerability schema for open source.” The schema builds on Google’s Open Source Vulnerabilities database that was released in February 2021. In a blog post announcing the schema, Google’s Open Source Security team and the Go team write that the “unified format means ... a more complete view of vulnerabilities in open source for everyone, as well as faster detection and remediation times resulting from easier automation.”

Editor's Note

Google is pushing forward with schema and interchange standards that it finds value in, while larger industry efforts like the Open Source Security Foundation (which Google is part of) continue to move slowly. The Internet has a long history of that, while the telecoms space has a long history of large industry group efforts going on forever without security gains.

John Pescatore

Security of the open source components is an increasing concern. Google is attempting to move forward with a standard to help solve this problem at Internet speed, which will help identify and provide the focus necessary to increase the overall security of open source. Even so, make sure that the open source components or libraries you use are actively maintained and include fixes for flaws identified.

Lee Neely

2021-06-22

CISA Acting Director Responds to Senator's Questions About SolarWinds

Responding to a letter from US Senator Ron Wyden (D-Oregon) regarding the SolarWinds supply chain attack, Cybersecurity and Infrastructure Security Agency (CISA) acting Director Brandon Wales said that federal agencies could have prevented subsequent attacks if they had implemented certain firewall configurations, but noted that “it would be impractical for CISA to direct individual agencies to adopt specific network and device configurations on a broad scale, particularly given the unique operational requirements of each agency … [and that the configurations] may not be feasible given operational requirements for some agencies.”

Editor's Note

CISA can and does provide excellent guidance, but individual agencies implement according to their situation and accepted level of risk. With the current information sharing efforts, CISA will be better prepared to see overall trends and best practices to help make their guidance even more relevant. Keep an eye on their bulletins watching for gaps in your overall protections, even if you’re not a federal agency, and participate in their information sharing to help with the fidelity of CISA’s recommendations.

Lee Neely

2021-06-22

Proposal Would Identify “Systemically Important Critical Infrastructure”

A proposal supported by some US legislators and the Cyberspace Solarium Commission would identify organizations deemed “systemically important critical infrastructure,” or SICI. The organizations would be classified SICI if they would cause economic, public health, or national security problems in the event of a cyberattack. The owners of the SICI-identified organizations would receive priority federal aid and protection from lawsuits if they meet as-yet unwritten cybersecurity standards.

Editor's Note

This is a tough one. Sometimes the only way to get significant improvements in security posture is to introduce regulatory requirements to avoid the temptation to opt out or otherwise minimize cybersecurity efforts. And the accompanying reporting/validation requirements can be burdensome and regarded as purely bureaucratic. While the proposal offers federal aid and legal protection to sweeten the pot, releasing the draft for public comment would go a long way toward building the needed partnership with industry as well as helping to solicit input on keeping the overhead minimized. Working with industry peers to develop resource and information sharing, while protecting the privacy and reputation of those involved, also goes a long way toward helping organizations raise their own bar.

Lee Neely

2021-06-24

Unpatched Pling Vulnerabilities

Researchers from Positive Security have discovered two vulnerabilities affecting Linux marketplaces based on the Pling platform. No fixes are yet available for the wormable cross-site scripting vulnerability and the remote code execution vulnerability.

Editor's Note

The Positive Security writeup includes the information necessary to replicate the exploit. If you haven’t seen how that works, it’s worth a look. Another lesson here is to watch for bug reports coming to posted contacts to support responsible discovery. Reports need to be responded to and acted on as well as treated as an attempt to help. Respect the input from the third party even if you disagree. Expect disclosure and be prepared with fixes or mitigations.

Lee Neely

2021-06-24

VMware Releases Carbon Black Update to Fix Critical Vulnerability

An update for VMware Carbon Black App Control management server includes a fix for an authentication bypass vulnerability. Exploitation of the flaw requires network access. VMware has released Carbon Black App Control versions 8.6.2 and 8.5.8 as well as a hotfix for versions 8.1.x and 8.0.x.

Editor's Note

Network access to the management server is required to exploit the vulnerability; there are no workarounds other than applying the update. Make sure you are monitoring the access to that server and allow logins only from authorized devices. While you’re looking at VMware, be sure you’re pushing out the updates for VMware Tools for Windows, VMRC for Windows and VMware App Volumes.

Lee Neely

It is always a sad day when a security product suffers from very elemental security vulnerabilities. An attacker will be able to bypass Carbon Black, or maybe even use it against you. Apply the hotfix.

Johannes Ullrich

2021-06-23

SonicWall Update Fixes Incomplete Patch from October

SonicWall has released updates for its VPN Network Security Appliance that fix a vulnerability that was insufficiently addressed in a patch released in October 2020. The memory leak vulnerability could be exploited to access sensitive information.

Editor's Note

Incomplete patches like this make it even more difficult for defenders to track vulnerabilities. In addition, these types of vulnerabilities have been exploited in several recent ransomware attacks.

Johannes Ullrich

The fix was released June 22nd and you need to roll it out. While this vulnerability is not being actively exploited, SonicWall VPN and email security products remain a target for multiple exploits including the new FIVEHANDS ransomware, so don’t wait too long to deploy.

Lee Neely

2021-06-24

Ransomware: Iowa’s Wolfe Eye Clinic Attack Affects 500,000 People

Wolfe Eye Clinic is notifying 500,000 current and former patients that their personal information may have been compromised in a ransomware attack that was detected in February 2021. Wolfe did not pay the ransom. In a separate, related story, FBI director Christopher Wray told legislators at a Senate budget hearing that there needs to be incentive for private sector organizations that are victims of ransomware attacks to notify the FBI promptly and work with them transparently.

Editor's Note

Wolfe Eye Clinic did engage third-party IT specialists and forensic investigators to help determine the scope of the compromise and information exposure; you should have similar plans in place should you become a victim. Add FBI reporting to the list if it’s not already there. Working with FBI still allows you to make decisions regarding payment or recovery while helping them identify and ultimately take action against ransomware gangs.

Lee Neely

2021-06-24

Tulsa Data Stolen in Ransomware Attack is Posted Online

Information stolen from the City of Tulsa, Oklahoma in a May 2021 ransomware attack has been published online. The leaked files contain personally identifiable information including names, dates of birth, and driver’s license numbers. The City of Tulsa has notified residents and urged them to monitor financial accounts and credit reports.

Internet Storm Center Tech Corner

Phishing asking recipients not to report abuse

https://isc.sans.edu/forums/diary/Phishing+asking+recipients+not+to+report+abuse/27556/


Do You Like Cookies? Some are for sale!

https://isc.sans.edu/forums/diary/Do+you+Like+Cookies+Some+are+for+sale/27558/


PyPi Cryptomining Malware

https://blog.sonatype.com/sonatype-catches-new-pypi-cryptomining-malware-via-automated-detection


Dovecot TLS Implementation Vulnerability (see the link to the PDF for more details)

https://hackerone.com/reports/1204962


SonicWall Patch Incomplete

https://www.tripwire.com/state-of-security/featured/analyzing-sonicwalls-unsuccessful-fix-for-cve-2020-5135/


VMware Carbon Black App Control Authentication Bypass

https://www.vmware.com/security/advisories/VMSA-2021-0012.html


DNS Name Server Hijack Attack

https://www.darkreading.com/vulnerabilities---threats/new-dns-name-server-hijack-attack-exposes-businesses-government-agencies/d/d-id/1341377


Palo Alto Cortex XSOAR Vulnerability

https://security.paloaltonetworks.com/CVE-2021-3044


Standing With Security Researchers Against Misuse of the DMCA

https://www.eff.org/deeplinks/2021/06/dmca-security-researcher-statement


A supply-chain breach: Taking over an Atlassian account

https://media.threatpost.com/wp-content/uploads/sites/103/2021/06/23175805/Atlassian-ATO-CPR-blog-FINAL.pdf


Dell BIOSConnect Vulnerability

https://eclypsium.com/2021/06/24/biosdisconnect/


ATM Jackpotting via NFC

https://www.wired.com/story/atm-hack-nfc-bugs-point-of-sale/