SANS NewsBites

Critical Patches Out For Cisco Small Business VPN Routers; Microsoft to Try Reducing JavaScript Just-In-Time Browser Risks; Western Australia Slow to Remove Access from Dead Accounts

August 6, 2021  |  Volume XXIII - Issue #61

Top of the News


2021-08-05

Cisco Releases Updates to Address Two Vulnerabilities in VPN Routers

Cisco has released updates to fix critical pre-authentication vulnerabilities in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN routers running firmware older than release 1.0.03.22. The flaws could be exploited to execute arbitrary code and to create a denial-of-service condition.

Editor's Note

The Cisco VPN Routers in question are from the Cisco Small Business Unit, which has almost nothing to do with Cisco’s enterprise product software. It's a completely separate operating system and hardware line. Unfortunately, it does have the Cisco name on it, so many small business customers will purchase it. This is a tragic scenario because these bugs hit companies that may not have all of the other security controls a large organization will have, and may not even patch these systems. This may go unnoticed for quite a while, and may only get addressed if they replace the product in the future. What we have seen is that for "Remote Management" these systems may have their Web Management right on the internet. Since these are VPN Routers, we would not expect that they are all behind a NAT so they may be internet facing.

Moses Frost

These are pre-authentication vulnerabilities, exploitable via the web-based management interface which cannot be disabled on the local LAN connection. Take three steps now: apply the firmware updates; make sure that the management interface is disabled on the WAN connection and review your configuration to make sure it is unaltered. There are no workarounds.

Lee Neely

This brings the total vulnerability count to 7 over the last couple years, for this particular router's web admin interface. If you believe that they found them all: Please allow worldwide access to the admin interface. If you feel like there may be a couple more vulnerabilities that haven't been found/patched yet: Disable access from anything but a few administrator IPs.

Johannes Ullrich

2021-08-05

Microsoft Edge Super Duper Secure Mode

Microsoft’s Edge Vulnerability Research (VR) team is reportedly working on a “Super Duper Secure Mode” feature for the browser. The feature turns off the JavaScript just-in-time (JIT) compiler. The VR team writes that “our hope is to build something that changes the modern exploit landscape and significantly raises the cost of exploitation for attackers.”

Editor's Note

Browsers are the first point of contact between both users and content and users and attacks. Over the years much more effort has gone into making browsers faster and fancier, vs. more secure. In recent years, Google, Mozilla and now Microsoft are adding much needed focus on “safety-first.” While the market share of the Edge browser is under 10%, Microsoft quotes numbers that say more than half of Chrome exploits take advantage of flaws in the JIT compiler. Microsoft’s first look at performance degradation with JIT disabled also showed minimal performance impact.

John Pescatore

The JIT compiler allows JavaScript to achieve near-C++ performance, and a significant number of CVEs are related to the V8 JIT (TurboFan/Sparkplug). The idea is to disable the JIT and enable other arbitrary-code-execution mitigation options such as Arbitrary Code Guard (ACG) and Control-flow Enforcement Technology (CET) while maintaining compatibility and speed. Initial tests show performance hits under 15%; WebAssembly is not supported and only CET is enabled. You can enable and test SDSM at edge://flags in the Edge Canary, Dev and Beta versions.

Lee Neely

The main purpose of the JavaScript JIT compiler is to optimize JavaScript and to make it faster. We will see if a browser without JIT will still be usable given the immense JavaScript code bloat on many sites. I assume Microsoft is working on making JavaScript perform without JIT compiler.

Johannes Ullrich

2021-08-05

Western Australia Auditor General Examines Government Employee Exit Controls

An audit conducted by Western Australia’s Auditor General found that some former government staff members still had access to IT systems. The audit examined employee exit controls at the Department of Planning, Lands and Heritage, the Department of Finance, and the Department of Local Government, Sport and Cultural Industries. It took an average of seven days following an employee leaving an agency for access to be deactivated.

Editor's Note

Access to systems, and resulting damage, by former employees is a legitimate threat and accounts need to be disabled immediately on separation. Resist temptation to “hold accounts open” for employees who will be returning in a new status (e.g. consultant); rather review the needed privileges in the new role, only granting those needed, just as you would a new hire.

Lee Neely

Establishing and monitoring “Time to Remove Access” metrics is easy to do and very valuable. Checking that parameter should be part of every security controls test or audit. The Western Australian report showed an average of 7 days between employee termination and IT access removal, but had outliers of up to 161 days. The usual major problem is reliance on multi-step, undocumented people-driven processes vs. some level of integration between HR databases/systems and access removal.

John Pescatore

We continue to be better at getting separated employees off the payroll than at revoking their IT privileges. Payroll is almost always a single point of control while IT privileges may come from many sources.

William Hugh Murray
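The two editor's notes above make two separate points: a “Time to Remove Access” metric is cheap to compute and should be part of every audit, and payroll is a single control point while IT access is spread across many sources. The following script, an added example and not part of the newsletter or the Auditor General's report, shows both: it computes per-source removal delays from an HR separation list and flags accounts that remain enabled in any access source. All names, dates, the one-day SLA and the 30-day outlier threshold are constructed for the example; an account still enabled at review time is charged up to the review date rather than skipped, so open accounts show up as growing delays instead of disappearing from the average.

```python
from datetime import date
from statistics import mean

# Constructed sample data (not from the audit report): the date HR recorded
# each separation, and the date each access source disabled the account.
HR_SEPARATIONS = {
    "alice": date(2021, 3, 1),
    "bob": date(2021, 3, 5),
    "carol": date(2021, 4, 12),
    "dave": date(2021, 1, 15),
}

# Each source is maintained independently. None means the account is still
# enabled at review time; a missing user never had an account in that source.
ACCESS_SOURCES = {
    "active_directory": {
        "alice": date(2021, 3, 3), "bob": date(2021, 3, 5),
        "carol": date(2021, 4, 20), "dave": None,
    },
    "vpn": {
        "alice": date(2021, 3, 8), "carol": None, "dave": date(2021, 1, 17),
    },
    "payroll": {
        "alice": date(2021, 3, 1), "bob": date(2021, 3, 5),
        "carol": date(2021, 4, 12), "dave": date(2021, 1, 15),
    },
}

REVIEW_DATE = date(2021, 6, 20)  # assumed date the audit snapshot was taken
SLA_DAYS = 1                     # assumed target: access gone within one day
OUTLIER_DAYS = 30                # assumed threshold for outlier reporting


def days_to_remove(separated_on, disabled_on, review_date):
    """Days from HR separation until the account was disabled.

    A still-enabled account is measured up to the review date, so it counts
    as an open, growing delay rather than being silently excluded.
    """
    end = disabled_on if disabled_on is not None else review_date
    return (end - separated_on).days


def source_metrics(separations, source_accounts, review_date):
    """Time to Remove Access for one source: mean, max, SLA misses, outliers, open."""
    delays = {}
    still_open = []
    for user, separated_on in separations.items():
        if user not in source_accounts:      # never had an account here
            continue
        disabled_on = source_accounts[user]
        delays[user] = days_to_remove(separated_on, disabled_on, review_date)
        if disabled_on is None:
            still_open.append(user)
    return {
        "mean_days": mean(delays.values()),
        "max_days": max(delays.values()),
        "sla_misses": sorted(u for u, d in delays.items() if d > SLA_DAYS),
        "outliers": sorted(u for u, d in delays.items() if d > OUTLIER_DAYS),
        "still_open": sorted(still_open),
    }


def reconcile(separations, sources):
    """Separated staff who still hold access in any source.

    Payroll is checked like everything else: the point is that each IT access
    source must be reconciled against HR on its own, not inferred from payroll.
    """
    orphaned = {}
    for source_name, accounts in sources.items():
        for user in separations:
            if user in accounts and accounts[user] is None:
                orphaned.setdefault(user, []).append(source_name)
    return orphaned


if __name__ == "__main__":
    for name, accounts in ACCESS_SOURCES.items():
        m = source_metrics(HR_SEPARATIONS, accounts, REVIEW_DATE)
        print(f"{name:17s} mean={m['mean_days']:>5} max={m['max_days']:>4} "
              f"sla_misses={m['sla_misses']} outliers={m['outliers']} "
              f"still_open={m['still_open']}")
    print("still enabled somewhere:", reconcile(HR_SEPARATIONS, ACCESS_SOURCES))
```

In the constructed data payroll reports zero delay everywhere while the directory and VPN each carry an account that was never closed, which is the pattern both notes describe: the metric is trivial to compute once HR separation dates and per-source disable dates are available, and the reconciliation is what turns an average into a list of accounts to close today.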

The Rest of the Week's News


2021-08-05

Mitsubishi Safety PLC Vulnerabilities

Five vulnerabilities affect Mitsubishi safety programmable logic controllers (PLCs). All five flaws are related to the authentication implementation of the MELSOFT communication protocol. Mitsubishi has suggested mitigations for the vulnerabilities, but fixes are not yet available. Nozomi Networks discovered the flaws and disclosed them to Mitsubishi.

Editor's Note

The core issue is that the username and passwords are not adequately protected (think cleartext) between the engineering workstation and the PLC. Patches are not available yet. Mitigate the risk by limiting the devices which can access the PLC and protecting that communication link via segmentation or other encapsulation. Once patched, limiting access to only authorized devices remains a good practice.

Lee Neely

2021-08-04

INFRA:HALT TCP/IP Stack Vulnerabilities

Forescout Research Labs and JFrog Security Research have disclosed more than a dozen vulnerabilities affecting the NicheStack TCP/IP stack. The flaws could be exploited to allow remote code execution, TCP spoofing, DNS cache poisoning, and information leaks, or to cause denial-of-service conditions. The flaws, which are known collectively as INFRA:HALT, affect all versions of NicheStack prior to version 4.3.

Editor's Note

Big thanks to this group of researchers for doing the work companies developing this code should have done 20-30 years ago. But I am afraid much of the effort will be in vain as this code is embedded in countless unaccounted for devices that will never be patched until a lightning strike carries them across the IoT rainbow bridge to a land without invalid TCP/IP packets.

Johannes Ullrich

The exploit uses DNS to deliver shell code, which means that attacks are still possible if your segmented network has routes to public DNS servers. Other exploits leverage the HTTP server and malformed packets. The best mitigation will be to apply updates when available. Until then, disable the DNS client or block the traffic if not needed, disable or restrict access to the HTTP server, and monitor/block malformed IP and ICMP packets.

Lee Neely

2021-08-03

Old Versions of Android Will be Prevented from Accessing Google Services

As of September 27, 2021, devices running Android versions 2.3.7 and older will no longer be able to access Google services. The decision was made due to security issues. Google is urging users running old versions of Android to update to version 3.0 or newer.

Editor's Note

Android 2.3.7, aka Gingerbread, was released in December 2010. It’s time to replace those devices; there are no security updates, and compatibility with applications is going to be more miss than hit. As an enterprise you should have already set a base version of Android 11, and be assessing when you can move that minimum to Android 12. Be sure to also enforce the minimum for users establishing remote connections.

Lee Neely

It's interesting that Google has taken the step to abandon 2.3.7. It would be interesting to see if they are doing this for "Security Reasons" or, more practically, maybe they are getting rid of specific APIs that those products used. 2.3.0 was released in 2010 and after 11 years, it's probably time to discontinue it. It would be interesting to see if these devices continue to live through 3rd party services that are not Google. Those would be a lower trust offering potentially. Several statistics on the internet show the "Other" category for versions of Android this old (older than 3.0) at under 1%. 1% of 2 billion Android phones would be 20 million. Hopefully it's a smaller number than this.

Moses Frost

2021-08-04

Senate Report on US Federal Agency Cybersecurity

According to a report on federal cybersecurity from the US Senate Homeland Security and Governmental Affairs Committee, seven of eight agencies reviewed received a grade of “C” or “D” for cybersecurity. The report found that the majority of the eight agencies were using unsupported systems and applications; failed to install patches and other vulnerability remediation in a timely manner; did not provide adequate protection for personally identifiable information; and did not maintain accurate and comprehensive IT asset inventories.

Editor's Note

The title pretty much captures it all: “Federal Cybersecurity: America’s Data *Still* at Risk.” Not much progress since the 2019 report, but the pandemic year had major impacts – IT operations were consumed just keeping remote work running, and time to patch and other key security metrics suffered.

John Pescatore

Knowing what you have, what it’s supposed to be running, keeping it patched, and monitoring are core critical controls. Agencies are often faced with the daunting task of consuming the NIST cyber security framework and SP 800-53, which can distract them from which controls should be prioritized. Simplification is needed to facilitate understanding, and mandates such as CDM, Einstein, FISMA reporting and assorted BODs consume available resources. As the report suggests, CISA is well positioned to offer services to agencies to help them improve their security posture; even so, that support has to be accompanied with ongoing funding for staff, training and licenses to maintain a sufficient level of protection.

Lee Neely

Many of these findings would be true of many private enterprises.

William Hugh Murray

2021-08-05

Telegram for Mac Bugs Allow End Run Around Secret Chat Features

Bugs in Telegram for Mac allow users to save messages that are supposed to self-destruct and to retrieve deleted messages. Messages sent in Secret Chat mode are protected with end-to-end encryption and are set to automatically self-destruct and disappear from all devices after a set amount of time. Telegram has fixed the flaw that allows Secret Chat messages to be saved indefinitely but declined to fix a flaw that lets users retrieve deleted messages.


2021-08-03

Water Utility Cybersecurity Concerns

A report from ThreatLocker examines the challenges water utilities encounter while trying to improve their cybersecurity posture. The report notes water utilities’ “limited IT and OT financial resources,” and the lack of clear regulatory guidelines.

Editor's Note

One of the ways to address the cybersecurity gap at utilities is to hire a larger organization to provide shiny cloud-based secure options for them. The danger is they may be buffaloed by fancy talk and promises that they may not have the knowledge or skills to challenge. If you’re an operator, review the ThreatLocker report and use the recommendations on how to focus the EPA’s WSCRMG guidance to drive improvements internally, or drill down with your service provider to provide written, understandable approaches to address all the suggested controls.

Lee Neely

One of the lessons highlighted in the report was the need for multi-party controls over critical functions. This will offer resistance to both attacks from outsiders and the more likely insider error.

William Hugh Murray

2021-08-05

Joint Cyber Defense Collaborative

The US Cybersecurity and Infrastructure Security Agency (CISA) has launched the Joint Cyber Defense Collaborative (JCDC), an initiative that “will bring together public and private sector entities to unify deliberate and crisis action planning while coordinating the integrated execution of” the country’s cyber defense plans. JCDC members include public and private sector organizations, including Amazon Web Services, AT&T, Google Cloud, Microsoft, FireEye Mandiant and Verizon, the FBI, the Department of Defense, the Department of Justice, and the National Security Agency. (Please note that the WSJ story is behind a paywall.)

Editor's Note

You need to participate in this effort. Connection with resources and information sharing across the public and private sectors will provide access to high-quality recommendations and services which will aid planning of defenses and implementations. It will also connect you to a network of resources and expertise you might not otherwise have access to.

Lee Neely

2021-08-05

Healthcare Organizations Operating Under EHR Downtime Following Cyberattacks

Two US healthcare systems have reportedly been hit by cyberattacks that have caused them to operate under electronic health record (EHR) downtime. News outlets are reporting that Eskenazi Health in Indianapolis was the victim of a ransomware attack. Sanford Health in South Dakota is said to be “taking aggressive measures to contain the impact” of a cybersecurity incident.

Editor's Note

Aggressive measures for those not yet compromised must include isolating the high-risk applications, e-mail and browsing, from electronic healthcare systems.

William Hugh Murray

Internet Storm Center Tech Corner

2FA Issues

https://isc.sans.edu/forums/diary/Three+Problems+with+Two+Factor+Authentication/27704/


Crazy Smishing

https://isc.sans.edu/forums/diary/Is+this+the+Weirdest+Phishing+SMishing+Attempt+Ever/27706/


Pivoting and Hunting for Shenanigans from a Reported Phishing Domain

https://isc.sans.edu/forums/diary/Pivoting+and+Hunting+for+Shenanigans+from+a+Reported+Phishing+Domain/27710/


Google Chrome Update

https://chromereleases.googleblog.com/2021/08/the-stable-channel-has-been-updated-to.html

https://www.bleepingcomputer.com/news/google/google-chrome-to-no-longer-show-secure-website-indicators/


Google Android Update

https://source.android.com/security/bulletin/2021-08-01?hl=en


DoD/NSA Publishes Kubernetes Hardening Guides

https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF


NicheStack TCP/IP Vulnerabilities

https://jfrog.com/blog/infrahalt-14-new-security-vulnerabilities-found-in-nichestack/


Securing the Cloud

https://www.sans.org/newsletters/ouch/securely-using-the-cloud/


Lockbit Recruiting Insiders

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/


Sneaky Phishing Hitting Office 365 Users

https://www.ehackingnews.com/2021/08/microsoft-warns-office-365-users-of.html


Cisco Patches Unauthenticated RCE in RV340/345 devices

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv340-cmdinj-rcedos-pY8J3qfy


Telegram Flawed Self Destruct in MacOS

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/telegram-self-destruct-not-always/


Significant Vulnerabilities in MacOS Privacy Protections

https://www.darkreading.com/application-security/researchers-find-significant-vulnerabilities-in-mac-os-privacy-protections


Windows Hello Bypass

https://threatpost.com/microsofts-patch-windows-hello-faulty/168392/


STI Student: James Casteel; Content Security Policy Bypass: Exploiting Misconfigurations

https://www.sans.org/white-papers/40380