SANS NewsBites

White House Cyber Summit; Azure Cosmos DB Vulnerability Fixed; SteelSeries Fixes Installation App Bug that Grants Admin Rights

August 27, 2021  |  Volume XXIII - Issue #67

Top of the News


2021-08-25

White House Cyber Summit

On Wednesday, August 25, US President Joe Biden met with leaders in the technology, education, finance, insurance, and energy sectors to discuss ways to improve national cybersecurity. Major technology companies have pledged to take steps to drive technology supply chain security and to invest billions of dollars in the expansion of zero-trust programs, improved open-source security, and other measures.

Editor's Note

The commitment includes more collaboration between private industry and NIST, which should increase the applicability of NIST standards, making it easier to achieve commonality between the two sectors on security standards and practices: reducing the inherent challenges of verification of security across differing baselines. With all the high-tech initiatives on the agenda, it’s critical not to lose focus on the basics. Participants committed money and resources to make that happen. While many pledges are focused on education and training, Microsoft has also committed $150 million in technical services to help federal, state, and local governments upgrade their security practices.

Lee Neely

Meetings like this sometimes involve classified information we may never see. It makes me wonder what any org would spend on security if they had a more complete picture of what goes on.

Christopher Elgee

2021-08-26

Microsoft Fixed Security Issue in Azure Cosmos DB

Microsoft says it has mitigated a vulnerability in Azure Cosmos DB that could have been exploited to allow users to access other users’ resources. The flaw was present for approximately two years before Microsoft addressed it earlier this month. Microsoft was alerted to the issue by researchers from Wiz.

Editor's Note

Microsoft disabled the vulnerable feature on August 14th, and published the issue on August 26th. Microsoft advises users to regenerate their Cosmos DB primary keys, and leverage a vNET or firewall to further protect their Cosmos DB Accounts.

Lee Neely

I have to give some credit to Microsoft about being open about this vulnerability. The advantage of SaaS is that the vendor will patch it for you. But this also implies that the vulnerabilities are never disclosed, and users are not aware that their data may have been exposed to these risks. Thanks, Microsoft, for being transparent.

Johannes Ullrich

Given how pervasive the cloud has become, I am happy to see that Microsoft reacted quickly to solve the issue. This level of commitment and response is exactly what cloud consumers are looking for when they inherit risk and put more trust on cloud providers.

Roger O'Farril

One advantage of using the cloud is that the provider fixes the vulnerability once instead of every customer having to fix it, often across multiple systems.

William Hugh Murray

2021-08-25

SteelSeries Device Installation App Bug Gives Windows 10 Admin Rights

Gaming peripherals and accessories maker SteelSeries has patched a vulnerability in its device installation app that could be exploited to gain Windows 10 system privileges. News of this issue follows a disclosure less than a week ago of a similar bug in Razer peripherals installation software.

Editor's Note

As I said last week with respect to the Razer mouse driver vulnerability: Allowing regular users to install drivers that are executed with elevated privileges is a bad idea. But I doubt this architectural issue will be fixable. Expect more of the same in future NewsBites.

Johannes Ullrich

An external emulator can be used to mimic HID device signatures, which will trigger the auto-installation of drivers or trigger the SteelSeries installer without the actual device. This time there is a hyperlink in the EULA which, when clicked, opens IE with System privileges. The update from SteelSeries includes a work-around which disables the software auto-launch of their installer upon detection of a new SteelSeries device. Note that software to manage allowed/disallowed USB device connections often doesn’t allow you to block the connection of keyboards and mice. The long-term fix for both will be a trade-off between automatically installing drivers and the interruption of requiring the user to grant explicit admin privilege at the time the installation happens.

Lee Neely

The Rest of the Week's News


2021-08-26

White House Directive: NIST to Develop Technology Supply Chain Security Framework

The White House has directed the National Institute of Standards and Technology (NIST) to “collaborate with industry and other partners to develop a new framework to improve the security and integrity of the technology supply chain.” The White House issued the directive after the August 25 Presidential Cyber Summit.

Editor's Note

This directive, coupled with the promised investment of money and resources from private sector participants Google, Microsoft, and IBM, will be key in producing a result in a timely fashion. Funding and private sector active participation are key to achieving the desired outcomes.

Lee Neely

2021-08-26

Atlassian Fixes Critical Flaw in Confluence Server and Data Center

Atlassian has released a fix for a critical OGNL injection vulnerability affecting its Confluence Server and Data Center. The flaw “would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.” The vulnerability is fixed in Confluence Server and Confluence Data Center versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0.

Editor's Note

Read the section describing what you need to do carefully. While the listed versions have fixes, you need to make plans to move to 7.13.0 (or later). If you cannot implement the update, there is a workaround script to provide a temporary fix until you do. Note that as you need to shut down Confluence to apply that fix, it may be less disruptive to simply apply the update, allowing for a single service outage.

Lee Neely

Atlassian/Confluence is often used to manage software development projects. If you need extra support from management to fix this: Call it a "Supply Chain" vulnerability (which it is). Interesting wording from Atlassian to say it can be exploited by authenticated and “in some instances unauthenticated” users. Nice form of advisory speak to tell you: Patch this quickly.

Johannes Ullrich

2021-08-26

Microsoft Publishes ProxyShell Guidance

Microsoft has published an advisory regarding three ProxyShell vulnerabilities affecting on-premises Exchange servers. Attackers have been exploiting these vulnerabilities since early August; several researchers and the US Cybersecurity and Infrastructure Security Agency (CISA) have urged users to apply patches. Microsoft says that users who have applied the May 2021 or July 2021 security updates are protected.

Editor's Note

Microsoft lists the conditions under which your Exchange servers are vulnerable. The recommendation is to apply one of the latest CU (Cumulative Update) and SU (Security Update). If you’re using Exchange Online – don’t click the done button until you are certain your hybrid Exchange servers are addressed. Verify those hybrid servers are still needed, and if they are needed only to support your migration to Exchange Online, retire them.

Lee Neely

2021-08-26

F5 Releases Fixes for 13 High Severity BIG-IP Bugs

F5 has released fixes for 29 security issues in its BIG-IP and BIG-IQ devices. Thirteen of the flaws are rated high severity. One of those vulnerabilities, a privilege elevation issue affecting BIG-IP modules Advanced WAF (Web Application Firewall) and the Application Security Manager (ASM), is rated critical for users running BIG-IP in Appliance Mode.

Editor's Note

F5 recommends updating your BIG-IP appliances to at least BIG-IP 14.1.0 and your BIG-IP VEs to at least BIG-IP 15.1.0. Take a serious look at moving to BIG-IP 16.1.0 or higher which is repeatedly listed as having the fixes to the identified vulnerabilities. Note that some of the fixes will introduce a loss of functionality: read the supporting bulletins to verify any additional actions needed beyond the update itself. Where possible test these changes in non-production devices first.

Lee Neely

2021-08-26

Cisco Fixes Critical Application Policy Infrastructure Controller Vulnerability

Cisco has released updates to address a critical flaw in the Application Policy Infrastructure Controller (APIC) interface in its Nexus 9000 Series Switches. The improper access control issue could be exploited “to read or write arbitrary files on an affected device.”

Editor's Note

There are no workarounds for this flaw. With the exception of Cisco APIC version 5.2, all other releases have update requirements. Making plans to update to version 5.2 is ideal. Ensure your hardware is sufficient, including memory, to support that version prior to attempting that update.

Lee Neely

2021-08-26

FBI Alert Warns of Hive Ransomware

The FBI has released a TLP: White Flash Alert regarding the Hive ransomware, which has been used in at least 28 attacks, including the Memorial Health System in Ohio and West Virginia. The alert describes technical details about the ransomware and lists indicators of compromise.

Editor's Note

Read the IC3 notice to understand the behavior of this ransomware, including how it hides its actions, and IOCs to incorporate in your SIEM. Note that Hive deletes volume shadow copies including disk backup copies and snapshots. This is another case where data is exfiltrated and threats of publishing are used to further extort payment. Review your ransomware preparedness plan, making sure you’ve already established a connection/contact with your local FBI field office, rather than trying to figure that out when responding to an incident.

Lee Neely
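The note above recommends feeding the alert's behaviours and IOCs into your SIEM; the shadow-copy deletion it mentions is one behaviour that is cheap to detect from process-creation telemetry. The following is an added example, not code from the newsletter or from the FBI alert: it runs a handful of well-known backup-tampering command-line patterns over constructed, simplified Windows process-creation events (timestamp|host|user|image|command line, modelled loosely on Security 4688 / Sysmon event 1 fields), and then escalates any host where several distinct techniques fire within a short window, which is the pattern the editor's note describes rather than a single noisy hit. Hostnames, usernames and timestamps are made up; the rule names are this example's own.

```python
"""Detect shadow-copy / backup tampering in process-creation logs (added example).

Hive-style ransomware deletes Volume Shadow Copies and disables recovery
before encrypting. The patterns below cover the common command lines for
that; the correlation step raises confidence when more than one of them
fires on the same host within a few minutes.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): "timestamp|host|user|image|command line"
SAMPLE_EVENTS = [
    "2021-08-26T02:11:04Z|ws01|CORP\\alice|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir C:\\Users",
    "2021-08-26T02:13:19Z|srv-file01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "2021-08-26T02:13:21Z|srv-file01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "2021-08-26T02:13:25Z|srv-file01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    "2021-08-26T02:13:30Z|srv-file01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\wbadmin.exe|wbadmin delete catalog -quiet",
    # Benign: listing shadows is routine for a backup service and must not alert.
    "2021-08-26T03:00:00Z|srv-backup|CORP\\backup-svc|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows",
]

# Rule name -> regex over the command line. Names are this example's own labels.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_storage", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_disable_recovery", re.compile(
        r"\bbcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
]


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    image: str
    cmdline: str


def parse_event(line: str) -> Event:
    """Split one pipe-delimited event line into its fields."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, image, cmdline)


def match_rules(event: Event) -> list:
    """Return the names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES if rx.search(event.cmdline)]


def detect(lines) -> list:
    """Produce one alert dict per (event, matching rule) pair, in log order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for rule in match_rules(ev):
            alerts.append({"ts": ev.ts, "host": ev.host, "user": ev.user,
                           "rule": rule, "cmdline": ev.cmdline})
    return alerts


def correlate(alerts, window: timedelta = timedelta(minutes=5), min_rules: int = 2) -> dict:
    """Escalate hosts where >= min_rules distinct techniques fire inside `window`.

    Returns {host: sorted list of rule names} for escalated hosts only.
    """
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    escalated = {}
    for host, host_alerts in by_host.items():
        host_alerts.sort(key=lambda a: a["ts"])
        for i, first in enumerate(host_alerts):
            rules = {a["rule"] for a in host_alerts[i:] if a["ts"] - first["ts"] <= window}
            if len(rules) >= min_rules:
                escalated[host] = sorted(rules)
                break
    return escalated


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['ts'].isoformat()} {a['host']} {a['user']} [{a['rule']}] {a['cmdline']}")
    for host, rules in correlate(found).items():
        print(f"ESCALATE {host}: {len(rules)} backup-tampering techniques within 5 min: {', '.join(rules)}")
```

In a real SIEM the same logic maps directly onto a scheduled search: the single-command rules are the low-severity hits, and the per-host count of distinct rules in a five-minute window is the high-severity one that should page someone. Keep the benign case (`vssadmin list shadows`) in your test set so a future edit to the patterns does not start alerting on the backup service.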

2021-08-24

Updates Available for B. Braun Medical Infusion Pump and Dock Vulnerabilities

Vulnerabilities in medical devices made by B. Braun could be chained together to allow an attacker to alter the rate at which medication is administered. The flaws affect B. Braun Infusomat Space Large Volume Pump and B. Braun SpaceStation infusion pump and docking station. McAfee found the flaws and notified B. Braun in January 2021. The company has issued updates to address the vulnerabilities.

Internet Storm Center Tech Corner

Cisco Advisories

https://tools.cisco.com/security/center/publicationListing.x


There May Be Many More SPF Records Than We Might Expect

https://isc.sans.edu/forums/diary/There+may+be+many+more+SPF+records+than+we+might+expect/27786/


Attackers Hunting for Twilio Credentials

https://isc.sans.edu/forums/diary/Attackers+Hunting+For+Twilio+Credentials/27782/


GETH DoS Vulnerability

https://github.com/ethereum/go-ethereum/releases/tag/v1.10.8


Confluence Security Advisory

https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html


VMWare Updates

https://www.vmware.com/security/advisories.html


OpenSSL Update

https://www.openssl.org/news/vulnerabilities.html


F5 Update

https://support.f5.com/csp/article/K50974556

https://support.f5.com/csp/article/K41351250


SideWalk Backdoor

https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/


Modified WhatsApp Spreading Malware

https://securelist.com/triada-trojan-in-whatsapp-mod/103679/


Privilege Escalation without Plugin in Device

https://0xsp.com/security%20research%20&%20development%20(SRD)/local-administrator-is-not-just-with-razer-it-is-possible-for-all