SANS NewsBites

DHS Mandates Federal Agencies Patch Known Exploited Vulnerabilities; Serious Linux Flaw Requires Patching; Cisco Flaws Require Updates and SSH Key Generation

November 5, 2021  |  Volume XXIII - Issue #87

Top of the News


2021-11-04

CISA Binding Operational Directive on Vulnerability Patching for Federal Agencies

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a Binding Operational Directive (BOD) that requires federal agencies to patch known security flaws within certain timeframes. The BOD includes a catalog of nearly 300 known vulnerabilities that are being actively exploited. The flaws, some of which date back to 2017, each have deadlines for patching.

Editor's Note

Every year like clockwork, the US Federal government Office of Inspectors General produces audits that invariably repeat the findings of previous year’s OIG reports about federal agencies having failed to patch well-known vulnerabilities. There will be much complaining about this BOD but in the past such BODs or other “over the transom dictates” from OMB have driven actual movement in actual improvements in the security levels of government systems. There is no way for any government agency to even talk about “Zero Trust” without first having decent essential security processes such as vulnerability assessment and management.

John Pescatore

This enhances the previous BOD 19-02 which required critical vulnerabilities to be patched in 15 days and high vulnerabilities in 30 days. One key component added is a due date for remediating these known exploited vulnerabilities. Use the CISA catalog of known exploited vulnerabilities to help prioritize your patching efforts as well as verify that you’re not missing any required dates. Everyone should leverage this catalog. This BOD also requires agencies which are still using the old CyberScope quarterly submissions to either be reporting vulnerability status via the CDM dashboard by October 1, 2022 or provide CyberScope submissions bi-weekly.

Lee Neely

This Binding Operational Directive is much more specific and actionable than the 2019 BOD which simply stated “thou must have a vulnerability management program.” In this directive, both the vulnerabilities and required dates for patching are specifically called out. This does two things. First, it makes it very easy to measure which agencies have truly acted and complied. Second, it makes it much easier for agencies to act on, as agencies no longer have to decide what to patch: they simply follow CISA guidance. The easier a requirement, the more likely it will be followed. As a bonus, once agencies are done with patching, they will have the processes in place for a long-term vulnerability management program.

Lance Spitzner
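The editor notes above recommend using the CISA catalog to prioritize patching and to verify that no required date is missed. The following script is an added example (not SANS or CISA code) of how that can be done: it loads a catalog in the shape of CISA's published JSON feed, joins it against a list of unpatched CVEs from a scanner, and orders the result by due date. The field names are assumed from that feed's layout; the catalog entries, the CVE identifiers and the scanner findings are constructed placeholders, not real records.

```python
"""Prioritize unpatched findings against a CISA KEV-style catalog.

Added example, not from SANS or CISA. The field names (cveID, vendorProject,
product, dateAdded, dueDate, requiredAction) are assumed to follow the layout
of CISA's published JSON feed; every entry below is constructed sample data,
not a real catalog record, and the CVE IDs are placeholders.
"""
import json
from datetime import datetime

SAMPLE_CATALOG = json.dumps({
    "title": "CONSTRUCTED sample catalog",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
         "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Router",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Server",
         "dateAdded": "2021-11-03", "dueDate": "2021-11-10",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})


def parse_date(text):
    """'YYYY-MM-DD' -> datetime.date."""
    return datetime.strptime(text, "%Y-%m-%d").date()


def load_catalog(text):
    """Parse catalog JSON into {cveID: entry} with dueDate converted to a date."""
    catalog = {}
    for entry in json.loads(text)["vulnerabilities"]:
        record = dict(entry)
        record["dueDate"] = parse_date(entry["dueDate"])
        catalog[entry["cveID"]] = record
    return catalog


def prioritize(catalog, unpatched_cves, today):
    """Return catalog entries among the unpatched CVEs, earliest due date first.

    Each row is (cveID, dueDate, days_until_due); a negative count means the
    deadline has passed. CVEs absent from the catalog are left out here and
    should still be handled under the normal patching SLA.
    """
    rows = []
    for cve in unpatched_cves:
        entry = catalog.get(cve)
        if entry is not None:
            rows.append((cve, entry["dueDate"], (entry["dueDate"] - today).days))
    return sorted(rows, key=lambda row: row[1])


def overdue(catalog, unpatched_cves, today):
    """Subset of prioritize() whose due date is already in the past."""
    return [row for row in prioritize(catalog, unpatched_cves, today) if row[2] < 0]


if __name__ == "__main__":
    catalog = load_catalog(SAMPLE_CATALOG)
    # Constructed scanner output: two catalog CVEs plus one that is not listed.
    findings = ["CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0999"]
    for cve, due, days in prioritize(catalog, findings, parse_date("2021-11-12")):
        status = f"OVERDUE by {-days} days" if days < 0 else f"due in {days} days"
        print(f"{cve}  due {due}  {status}")
```

In practice the catalog text comes from a download of the live feed and the findings from a vulnerability scanner export; a finding that is not in the catalog is deliberately not dropped from the organization's own backlog, it simply does not carry a CISA deadline.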

2021-11-04

Linux Kernel TIPC RCE Flaw

A remote code execution flaw in the Linux kernel’s Transparent Inter-Process Communication (TIPC) module can be exploited locally and remotely. The heap overflow vulnerability could be exploited to gain kernel privileges.

Editor's Note

This is a serious flaw, but it likely only affects a few systems. Only kernels 5.10 through 5.15 include the vulnerable component, and it has to be specifically enabled. The TIPC protocol is typically used on cluster systems and not used on "average" Linux installs. The protocol may be exposed via UDP on port 6118 (but can also be used directly over ethernet).

Johannes Ullrich

This affects kernel version 5.10. The flaw was reported October 19th, a patch released October 21st, and a fix was added to the mainline repository, released October 29 under version 5.15. The attack doesn’t require privileges. If you’re using TIPC, update now.

Lee Neely
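The notes above give the conditions under which a host is actually exposed: a kernel in the affected range, the TIPC component enabled, and optionally a UDP bearer on port 6118. The following self-check is an added example (not from SANS, SentinelOne or the kernel project) that encodes those conditions. It assumes, from the notes, that the 5.15 release carries the fix; because distributions backport fixes into older version numbers, the version test is only a "look further" signal and the module and socket checks decide. The /proc/modules and `ss -uln` samples are constructed.

```python
"""Host self-check for exposure to the TIPC kernel heap overflow.

Added example, not from SANS, SentinelOne or the Linux kernel project. It
encodes the exposure conditions from the editor notes above: kernel in the
5.10 series up to, but not including, the 5.15 release that carries the fix
(an assumption drawn from the notes; distributions backport fixes into older
version numbers, so a version match only means "look further"), the tipc
module loaded, and a UDP bearer listening on port 6118. Inputs are plain text
so the checks run offline on the constructed samples below.
"""
import os
import re
import subprocess

AFFECTED_MIN = (5, 10)   # from the notes above
FIXED_IN = (5, 15)       # assumption: fix shipped in the 5.15 release
TIPC_UDP_PORT = 6118

# Constructed samples in the format of /proc/modules and `ss -uln` output.
SAMPLE_MODULES = (
    "tipc 126976 0 - Live 0x0000000000000000\n"
    "udp_tunnel 20480 1 tipc, Live 0x0000000000000000\n"
)
SAMPLE_SS = (
    "State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process\n"
    "UNCONN 0      0      0.0.0.0:6118       0.0.0.0:*\n"
    "UNCONN 0      0      127.0.0.1:323      0.0.0.0:*\n"
)


def kernel_version(release):
    """'5.14.0-4-amd64' -> (5, 14); None if the string is not a version."""
    match = re.match(r"(\d+)\.(\d+)", release)
    return (int(match.group(1)), int(match.group(2))) if match else None


def kernel_in_affected_range(release):
    version = kernel_version(release)
    return version is not None and AFFECTED_MIN <= version < FIXED_IN


def tipc_module_loaded(proc_modules_text):
    """/proc/modules lists one module per line; the first field is its name.

    A kernel with TIPC compiled in rather than built as a module will not show
    it here; check the kernel config in that case.
    """
    return any(line.split()[0] == "tipc"
               for line in proc_modules_text.splitlines() if line.strip())


def tipc_udp_listening(ss_output):
    """Look for a UDP socket bound to port 6118 in `ss -uln` output."""
    for line in ss_output.splitlines()[1:]:     # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        port = fields[3].rsplit(":", 1)[-1]      # local address is column 4
        if port.isdigit() and int(port) == TIPC_UDP_PORT:
            return True
    return False


def assess(release, proc_modules_text, ss_output):
    """Combine the three checks into a verdict a defender can act on."""
    loaded = tipc_module_loaded(proc_modules_text)
    listening = tipc_udp_listening(ss_output)
    if not loaded:
        verdict = "tipc not loaded: not exposed unless the module is enabled later"
    elif listening:
        verdict = "tipc loaded with UDP bearer on 6118: remotely reachable, patch now"
    else:
        verdict = "tipc loaded without UDP bearer: local or Ethernet-bearer exposure, patch now"
    return {
        "kernel_possibly_affected": kernel_in_affected_range(release),
        "tipc_loaded": loaded,
        "tipc_udp_listening": listening,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Live run on this host; a source that cannot be read is treated as empty.
    try:
        modules = open("/proc/modules").read()
    except OSError:
        modules = ""
    try:
        ss_out = subprocess.run(["ss", "-uln"], capture_output=True, text=True).stdout
    except OSError:
        ss_out = ""
    for key, value in assess(os.uname().release, modules, ss_out).items():
        print(f"{key}: {value}")
```

Run it as root or with enough privilege to read /proc/modules and list sockets; the verdict is a triage hint, and the authoritative answer on whether a given distribution kernel is fixed is the distribution's own advisory.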

2021-11-04

Cisco Releases Multiple Updates

Cisco has released patches for multiple vulnerabilities, including two critical flaws: one is a hardcoded password for a debugging account in the Catalyst Passive Optical Network (PON) switch Optical Network Terminal (ONT) software; the other involves static SSH keys.

Editor's Note

The debugging account can only be accessed over Telnet. Make sure you don’t have Telnet enabled for your routers; it’s supposed to be disabled by default. Fixing the static SSH keys, which are part of Cisco Policy Suite, requires generating new SSH keys and propagating them to all machines, as well as updating to version 21.2.0, which will automatically generate new keys on installs but _NOT_ on upgrades. See the fixed releases of Cisco’s security advisory for the procedure. Cisco Policy Suite Static SSH Keys Vulnerability: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cps-static-key-JmS92hNv

Lee Neely

The Rest of the Week's News


2021-11-03

Commerce Department Sanctions Spyware Companies

The US Department of Commerce’s Bureau of Industry and Security has published an updated list of entities sanctioned “for engaging in activities that are contrary to the national security or foreign policy interests of the United States.” The newly added organizations are NSO Group, Candiru, Positive Technologies, and Computer Security Initiative Consultancy.

Editor's Note

The entities list restricts the “export, re-export, and in-country transfer of items subject to the EAR to persons (individuals, organizations, companies) reasonably believed to be involved, have been involved, or pose a significant risk of being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States.” And there will be no exceptions, which means you can get into substantial penalties (civil and criminal as well as fines) for doing business with one of these entities.

Lee Neely

2021-11-03

CISA’s Subpoena Power Helps Mitigate Vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) has used 35 administrative subpoenas since the authority was first granted, according to agency director Jen Easterly. CISA has the authority to conduct Internet scans with the purpose of detecting industrial systems with vulnerabilities; they can then subpoena Internet service providers to discover who owns the identified systems and notify the owners about the flaws.

Editor's Note

These activities have resulted in a reduction of vulnerabilities since they started this work. CISA offers their services to public and private sector companies in the US, including scanning, posture assessment and training, free of charge; they are taxpayer funded. It may be better to directly engage them rather than find out later that you’ve got an issue.

Lee Neely

2021-11-05

US State Department Offers Reward for Info That Helps Bring DarkSide Operators to Justice

The US State Department is offering “a reward of up to $10,000,000 for information leading to the identification or location of any individual(s) who hold(s) a key leadership position in the DarkSide ransomware variant transnational organized crime group.” DarkSide was behind the Colonial Pipeline ransomware attack last spring.

Editor's Note

The idea is to leverage techniques that work with traditional crimes to get traction on cyber criminals. In this case, the amount of the reward, $10M and a subsequent $5M, should help incentivize participation. Leveraging all options available is the most likely way to make forward progress against ransomware gangs. One example was the offensive actions by U.S. Cyber Command and a foreign government to compromise systems belonging to the REvil gang which caused them to shutter their business.

Lee Neely

This is both a good and sad thing. Good in that motivators like this can truly lead to the arrest and capture of those involved in these large scale crimes. At $10 million, cyber criminals may be motivated to even turn in their own. The sad part is that in today’s world this is one of the few ways we can apply pressure to and deter threat actors, one of the few ways we can make it risky for them to operate. The problem we have now is that most threat actors can act with impunity and continue to attack as much as they want. It’s like playing a game of football where you can only play defense. This is one of the very few ways we can play offense.

Lance Spitzner

2021-11-04

Another NPM Library Hijacked

The Command-Option-Argument, or ‘coa’ NPM library is downloaded about 9 million times weekly and is used by nearly 5 million open source GitHub repositories. The last stable version of ‘coa’ was released in 2018, but within the last few days, several new versions have appeared. Developers are reporting that the new releases are breaking their builds.

Editor's Note

Yet another issue. Have you found a way yet to manage your npm libraries? If you are using node.js, inventorying and vetting npm packages should be a top priority.

Johannes Ullrich

COA is a command line parser for Node.js projects. COA had been untouched since version 2.0.2 in December 2018. The newer versions have been removed; even so, make sure your builds are back to 2.0.2. The same code injected into COA was also found in the previous hack of ‘ua-parser-js.’

Lee Neely

While NPM offers strong authentication to its users, it is opt-in. Given their role, perhaps it is time to change the default.

William Hugh Murray
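The notes above ask two things of Node.js teams: inventory the npm packages a build actually resolves, and confirm that coa is back on 2.0.2. The script below is an added example (not from npm, the coa project or SANS) that does both from a package-lock.json, handling the lockfileVersion 1 nested tree as well as the lockfileVersion 2/3 flat "packages" map, and failing the build when a watched package resolves to a version that was never vetted. The two lockfiles and the version 2.1.99 are constructed; 2.0.2 is the last stable coa release named above.

```python
"""Flag npm lockfile entries whose resolved version is not on an allow-list.

Added example, not from npm, the coa project or SANS. It reads a
package-lock.json (lockfileVersion 1 'dependencies' tree or lockfileVersion
2/3 'packages' map) and reports every resolved version of a watched package
that is not the expected one. 2.0.2 is the last stable coa release named in
the notes above; the lockfiles and the version 2.1.99 below are constructed.
"""
import json
import sys

# Packages to watch and the versions you have vetted for them.
EXPECTED = {"coa": {"2.0.2"}}

SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "dependencies": {"some-tool": "^1.0.0"}},
        "node_modules/some-tool": {"version": "1.0.0", "dependencies": {"coa": "^2.0.0"}},
        # nested copy resolved to a version that was never vetted (constructed)
        "node_modules/some-tool/node_modules/coa": {"version": "2.1.99"},
        "node_modules/coa": {"version": "2.0.2"},
    },
})

SAMPLE_LOCK_V1 = json.dumps({
    "name": "demo", "lockfileVersion": 1,
    "dependencies": {
        "some-tool": {"version": "1.0.0",
                      "dependencies": {"coa": {"version": "2.0.2"}}},
    },
})


def _walk_v1(deps, found):
    """lockfileVersion 1 nests transitive deps under each entry's 'dependencies'."""
    for name, info in deps.items():
        found.append((name, info.get("version", "")))
        _walk_v1(info.get("dependencies", {}), found)


def resolved_versions(lock_text):
    """Return [(name, version)] for every package the lockfile pins."""
    lock = json.loads(lock_text)
    found = []
    if "packages" in lock:                     # lockfileVersion 2 or 3
        for path, info in lock["packages"].items():
            if not path:                       # "" is the root project itself
                continue
            # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
            name = path.rsplit("node_modules/", 1)[-1]
            found.append((name, info.get("version", "")))
    else:                                      # lockfileVersion 1
        _walk_v1(lock.get("dependencies", {}), found)
    return found


def check_lock(lock_text, expected=EXPECTED):
    """Sorted, deduplicated [(name, version)] that violate the allow-list."""
    violations = {(name, version)
                  for name, version in resolved_versions(lock_text)
                  if name in expected and version not in expected[name]}
    return sorted(violations)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "package-lock.json"
    with open(path) as fh:
        bad = check_lock(fh.read())
    for name, version in bad:
        print(f"UNEXPECTED {name}@{version}")
    sys.exit(1 if bad else 0)
```

Nested copies matter: a top-level coa pinned at 2.0.2 says nothing about the copy a transitive dependency pulls in, which is why the check walks every resolved entry rather than only the direct dependencies in package.json.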

2021-11-04

BlackMatter Says It's Closing Up Shop. Again.

Earlier this week, the BlackMatter ransomware group said it would shutter operations “due to certain unsolvable circumstances associated with pressure from the authorities.” Cybersecurity experts are wary of taking the announcement too seriously. This is not the first time the group has claimed to be closing down.

Editor's Note

BlackMatter closing shop does not help existing victims. No keys were released. There have been reports of BlackMatter affiliates moving victims to the Lockbit infrastructure for payments.

Johannes Ullrich

BlackMatter was a rebranding of DarkSide after the Colonial Pipeline attack. While it is expected that this cycle is not finished, ongoing and increased pressure from law enforcement should make it harder for this type of rebranding to continue. In the meantime, remain vigilant; the threat is not gone.

Lee Neely

Internet Storm Center Tech Corner

Revisiting BrakTooth: Two Months Later

https://isc.sans.edu/forums/diary/Revisiting+BrakTooth+Two+Months+Later/27992/


October 2021 Forensic Contest Answers and Analysis

https://isc.sans.edu/forums/diary/October+2021+Forensic+Contest+Answers+and+Analysis/27998/


CVE-2021-43267: Remote Linux Kernel Heap Overflow in TIPC Module

https://www.sentinelone.com/labs/tipc-remote-linux-kernel-heap-overflow-allows-arbitrary-code-execution/


The Security Risk of Lacking Compiler Protection in WebAssembly

https://arxiv.org/abs/2111.01421


Gitlab CVE-2021-22205 Exploited (and often not patched)

https://www.rapid7.com/blog/post/2021/11/01/gitlab-unauthenticated-remote-code-execution-cve-2021-22205-exploited-in-the-wild/


Cisco Patches

https://tools.cisco.com/security/center/publicationListing.x


New Proxy Shell Exploits Seen Against Exchange

https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html


BlackMatter Shutting Down Again

https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/


Android 0-Day Patched

https://source.android.com/security/bulletin/2021-11-01


Escalating XSS to Sainthood with Nagios

https://blog.grimm-co.com/2021/11/escalating-xss-to-sainthood-with-nagios.html


Pentaho Business Analytics Vulnerability

https://hawsec.com/publications/pentaho/HVPENT210401-Pentaho-BA-Security-Assessment-Report-v1_1.pdf