SANS NewsBites

OWASP Adds New Vulnerabilities to Top 10 List; Update iPhones to iOS 14.8 to Stop Active Attacks; University of Minnesota and Medical Device Industry Will Work to Improve Device Security

September 14, 2021  |  Volume XXIII - Issue #72

Top of the News


2021-09-10

OWASP App Security Weaknesses Draft Top 10 List

The Open Web Application Security Project (OWASP) has released a draft of its top 10 web software vulnerabilities. The first three items on the list are broken access controls, cryptographic failure, and injection. The list is a draft; OWASP is seeking input from data scientists, web designers, translators, and ASVS, testing guide, and code review guide leadership before releasing the final version.

Editor's Note

Two of the three new top 10 vulnerabilities are kind of broad for the OWASP list but really important to prioritize: A04:2021-Insecure Design and A08:2021-Software and Data Integrity Failures, which incorporated the previous A8:2017-Insecure Deserialization. Both of these demand increased testing of commercially and internally developed software as well as software updates, but the larger goal is driving improvements early in the software design phase.

John Pescatore

The nice thing about "Top x" lists is that they force you to focus on what actually matters. There are hundreds/thousands of potential things that can and will go wrong, but OWASP is doing a good job in narrowing it down to the issues that matter most. “Insecure Design” is an interesting addition, and in line with the current trend to “shift left.” Not a new concept by any means, but it looks like the renewed focus and better/catchier expression of the concept has finally caught on. OWASP hasn't actually removed any issues from its top ten list, but managed to re-group some issues to better cover specific problems like XML External Entities by including the root cause of these vulnerabilities (misconfiguration in the case of XXE).

Johannes Ullrich

Following OWASP recommendations has been an efficient way to address web application security.

William Hugh Murray

2021-09-13

Apple Updates Address Zero-Day Flaws

Apple has released iOS 14.8, which addresses several vulnerabilities that are being actively exploited. Among those is a flaw that could be exploited without the user clicking on anything.

Editor's Note

So far, this vulnerability appears to have been exclusively exploited by the NSO Group's "Pegasus" tool. We often see exploits like the one used by Pegasus trickle down over time to become commodity exploits. With more details available now, the race is on between you, the user, and the attacker to see who is first: patching or exploit development. Don't let them outrun you. You have a bit of time here, but not much. Apple is likely going to release a major update for its operating systems in a month (or less). The patch will likely be included in that update as well.

Johannes Ullrich

2021-09-13

University of Minnesota Launches Center for Medical Device Cybersecurity

The University of Minnesota has launched the Center for Medical Device Cybersecurity. “CMDC was formed in response to a request from members of the medical device manufacturing industry to form a collaborative hub for discovery, outreach and workforce training in the emerging device security field.”

Editor's Note

Kudos to Boston Scientific, Smiths Medical, Optum, Medtronic, and Abbott Laboratories for providing funding to get this started, but I have to quibble with the term “emerging device security field.” The vast majority of the vulnerabilities medical device manufacturers have been building into their devices are well known bad design/implementation choices that have been on the OWASP Top 10 for many years. I’d like to see the mission of this center focus more on improving the practices of device manufacturers rather than on tactics for protecting poorly designed, vulnerable devices from attacks.

John Pescatore

It's quite rare that pentesters have scope to attack medical devices, so it's great to see an organization like this sponsoring their hackathon. Yes, this often comes down to “stunt hacking,” but if that raises awareness for the leaders who own the risk in these devices, hack away, friends!

Christopher Elgee

The Rest of the Week's News


2021-09-13

House Committee Proposes Bill that Would Include Establishing FTC Data Security Bureau

US legislators have introduced a bill that would fund a Federal Trade Commission (FTC) Data Security Bureau. Members of the House Energy and Commerce Committee have proposed allocating $1 billion for the FTC to build the Data Security Bureau over 10 years.

Editor's Note

Back in 2013, SANS gave the FTC a SANS Difference Makers award and here is what we said: “It seems like regardless of who is president or what the state of the economy is, the FTC stays focused on its mission of consumer protection and, in particular, going after companies that don't protect their customers' information. The FTC doesn't seem to need new laws or more money, it just keeps fighting for its customers.” I have confidence they will continue doing so regardless of the outcome of the draft legislation.

John Pescatore

The FTC has been effective in punishing some of those that fail to meet their security commitments. It might be an efficient place to invest.

William Hugh Murray

2021-09-13

Vulnerability in WooCommerce Multi Currency WordPress Plug-in

An access control vulnerability in the WooCommerce Multi Currency plug-in for WordPress could be exploited to change the price of products in online stores. The plug-in detects shoppers’ locations and displays pricing in the local currency. The issue lies in the “Import Fixed Price” feature in WooCommerce Multi Currency versions 2.1.17 and older. Users are urged to upgrade to version 2.1.18.

Editor's Note

Interesting vulnerability somewhat reminiscent of vulnerabilities in early e-commerce sites that allowed users to overwrite prices in hidden form fields.

Johannes Ullrich
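The two failure patterns this item and the editor's note describe (an administrative price-import action reachable without an authorization check, and a checkout that trusts a client-supplied price field) come down to the same rule: price data is set only by authorized roles and is always read from the server's own tables, never from the request. The following is an added example written for this newsletter; it is not the plugin's code, and the store, catalog, exchange rates, role names and request fields are constructed for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample data: base prices in USD and the exchange rates the store trusts.
CATALOG = {"sku-100": Decimal("49.00"), "sku-200": Decimal("120.00")}
RATES = {"USD": Decimal("1"), "EUR": Decimal("0.85")}

# Hypothetical users; role names mirror common CMS roles but this is not WordPress code.
ADMIN = {"name": "alice", "role": "administrator"}
CUSTOMER = {"name": "mallory", "role": "customer"}


class PermissionDenied(Exception):
    pass


@dataclass
class Store:
    catalog: dict = field(default_factory=lambda: dict(CATALOG))
    rates: dict = field(default_factory=lambda: dict(RATES))
    # Merchant-pinned prices per currency, e.g. {"sku-100": {"EUR": Decimal("45.00")}}
    fixed_prices: dict = field(default_factory=dict)


def catalog_price(store: Store, sku: str, currency: str) -> Decimal:
    """Server-side price: a pinned fixed price if the merchant set one, else base * rate."""
    pinned = store.fixed_prices.get(sku, {}).get(currency)
    if pinned is not None:
        return pinned
    converted = store.catalog[sku] * store.rates[currency]
    return converted.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def vulnerable_checkout_total(store: Store, posted: dict) -> Decimal:
    """Weak pattern: the total is computed from a 'price' field the client posted
    (the hidden-form-field bug of early e-commerce sites)."""
    return Decimal(posted["price"]) * int(posted["qty"])


def checkout_total(store: Store, posted: dict) -> Decimal:
    """Hardened: only sku, qty and currency are taken from the client; any posted
    'price' is ignored and the server's own price table is authoritative."""
    qty = int(posted["qty"])
    if qty <= 0:
        raise ValueError("quantity must be positive")
    if posted["currency"] not in store.rates:
        raise ValueError("unsupported currency")
    return catalog_price(store, posted["sku"], posted["currency"]) * qty


def vulnerable_import_fixed_prices(store: Store, user: dict, rows) -> int:
    """Weak pattern: a bulk price import with no capability check, so any caller
    who can reach the handler can rewrite what the shop charges."""
    for sku, currency, price in rows:
        store.fixed_prices.setdefault(sku, {})[currency] = Decimal(price)
    return len(rows)


def import_fixed_prices(store: Store, user: dict, rows) -> int:
    """Hardened: the import is an administrative action, so the caller's role is
    checked first and each row is validated before it touches the price table.
    Returns the number of rows applied."""
    if user.get("role") != "administrator":
        raise PermissionDenied(f"{user.get('name')} may not import prices")
    applied = 0
    for sku, currency, price in rows:
        if sku not in store.catalog or currency not in store.rates:
            continue  # unknown product or currency: skip rather than create entries
        value = Decimal(price)
        if value <= 0:
            continue  # refuse zero or negative prices
        store.fixed_prices.setdefault(sku, {})[currency] = value
        applied += 1
    return applied


if __name__ == "__main__":
    store = Store()
    # Constructed checkout request in which the client tampered with the price field.
    tampered = {"sku": "sku-100", "qty": "2", "currency": "EUR", "price": "0.01"}
    print("vulnerable total:", vulnerable_checkout_total(store, tampered))
    print("hardened total:  ", checkout_total(store, tampered))
    try:
        import_fixed_prices(store, CUSTOMER, [("sku-100", "EUR", "1.00")])
    except PermissionDenied as exc:
        print("import rejected:", exc)
    import_fixed_prices(store, ADMIN, [("sku-100", "EUR", "45.00"), ("sku-999", "EUR", "1.00")])
    print("after admin import:", checkout_total(store, tampered))
```

The point of keeping the role check inside `import_fixed_prices` rather than in the web layer is that the check then holds for every path that reaches the function, including AJAX or REST handlers added later; the same applies to reading the price from `catalog_price` instead of the request.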

2021-09-14

Google Chrome Update

Google has released Chrome 93.0.4577.82 to the stable channel for Windows, macOS, and Linux. The updates will be rolled out over the next few days. The newest version of the browser includes fixes for 11 security issues. Of those vulnerabilities, two are being actively exploited.

Editor's Note

Two already exploited flaws are patched with this update. Luckily, Google Chrome has a pretty good auto-update system. But you may need to restart the browser. (Good idea to take a break from death-scrolling social media feeds in your browser from time to time anyway.)

Johannes Ullrich

2021-09-13

Olympus Medical Technology Company is Investigating Cyber Incident

Tokyo-based medical technology company Olympus is investigating a cybersecurity incident that reportedly affected some of its IT systems in Europe, the Middle East, and Africa (EMEA) on September 8. TechCrunch writes that “according to a person with knowledge of the incident, Olympus is recovering from a ransomware attack that began in the early morning of September 8.”


2021-09-10

Yandex Hit with Huge DDoS Attack

Russia’s Yandex Internet company was the target of a massive distributed denial-of-service (DDoS) attack on August 19, 2021. The attack’s traffic peaked at 21.8 million requests per second. The attack is believed to have been launched through a botnet known as Mēris. Brian Krebs has disclosed that the KrebsOnSecurity website was the target of a Mēris DDoS attack on Thursday, September 9.


2021-09-10

WordPress 5.8.1

WordPress 5.8.1 includes fixes for three security issues, including a cross-site scripting vulnerability and a data exposure vulnerability affecting the RESTful API. The US Cybersecurity and Infrastructure Security Agency (CISA) is urging users to update to the most recent version of WordPress.

Internet Storm Center Tech Corner

Shipping Microsoft DNS Logs to Elasticsearch

https://isc.sans.edu/forums/diary/Shipping+to+Elasticsearch+Microsoft+DNS+Logs/27828/


Apple Updates Everything

https://support.apple.com/en-us/HT201222


Citizen Lab Discloses NSO Exploit Details

https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/


Google Chrome Update

https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html


WooCommerce Multi Currency Plugin Vulnerability

https://blog.nintechnet.com/vulnerability-fixed-in-wordpress-woocommerce-multi-currency-plugin/


Exploit Generator for CVE-2021-40444

https://github.com/lockedbyte/CVE-2021-40444


Windows Lock Screen Bypass

https://halove23.blogspot.com/2021/09/zdi-21-1053-bypassing-windows-lock.html


Citrix Hypervisor Update

https://support.citrix.com/article/CTX325319


GitHub Identifies Vulnerable node.js Packages

https://github.blog/2021-09-08-github-security-update-vulnerabilities-tar-npmcli-arborist/