SANS NewsBites

Linux Distributions Releasing Patches for 12-Year-Old Polkit Vulnerability; Water Sector Added to US ICS Cybersecurity Initiative; OMB's Zero-Trust Architecture Strategy

January 28, 2022  |  Volume XXIV - Issue #08

Top of the News


2022-01-26

12-Year-Old Bug in Polkit Allows for Privilege Elevation

Researchers from Qualys identified a flaw in Polkit’s pkexec dating back to 2009. The memory-corruption vulnerability, dubbed PwnKit, allows any user with access to a vulnerable machine to elevate to root privileges. The flaw was discovered in November, is tracked as CVE-2021-4034, and patches have been released. Polkit, previously known as PolicyKit, manages privileges in most Unix/Linux distributions, controlling access to privileged processes from unprivileged ones.

Editor's Note

Patches should be available for all major Linux distributions, and the patch does not require a reboot. Privilege escalation vulnerabilities are often assigned a lower urgency. But this vulnerability is easy to exploit, and some of the exploits publicly available will not leave a mark in your logs.

Johannes Ullrich

Updates to Polkit have been released for RedHat/CentOS and other Linux distributions and are available through your regular repositories. If you cannot patch, remove the set-UID root permission from pkexec (e.g., chmod 755 /bin/pkexec). Exploitation can be detected by looking for log entries; see the Qualys blog for examples. However, it is possible to exploit the flaw without leaving any traces in system logs.

Lee Neely
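Two quick checks that follow from the note above, as an added example (not code from SANS, Qualys or the Polkit project): whether a pkexec binary is still setuid-root, which is exactly what the chmod 755 workaround removes, and whether an auth log contains the messages pkexec writes when it rejects a bad SHELL value or a suspicious environment variable. The default path /usr/bin/pkexec and the two log patterns are assumptions based on pkexec's own behaviour; as the note says, a quiet exploit leaves no such lines, so the log check only catches the noisy cases.

```shell
#!/bin/sh
# Added example, not from SANS NewsBites, Qualys or Polkit.
# 1. Is the pkexec binary still setuid-root (the condition chmod 755 removes)?
# 2. Does an auth log contain pkexec's own rejection messages?
# The log patterns are an assumption based on the messages pkexec emits when it
# refuses a SHELL value not in /etc/shells or a suspicious environment variable.

# Return 0 if the setuid bit is set on file $1 (owner not considered), else 1.
has_setuid_bit() {
    [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# Return 0 if $1 is setuid AND owned by root: the exploitable configuration.
is_setuid_root() {
    [ -n "$(find "$1" -prune -perm -4000 -user root 2>/dev/null)" ]
}

# Print a verdict for the pkexec path $1 (assumed default: /usr/bin/pkexec).
# Exit status: 0 = still setuid-root, 1 = workaround/patch state, 2 = absent.
pkexec_status() {
    path="${1:-/usr/bin/pkexec}"
    if [ ! -e "$path" ]; then
        echo "absent: $path"
        return 2
    fi
    if is_setuid_root "$path"; then
        echo "setuid-root: $path (apply the vendor patch, or chmod 755 as an interim workaround)"
        return 0
    fi
    echo "not setuid-root: $path"
    return 1
}

# Count lines in log file $1 that match pkexec's rejection messages.
# Prints the count; "0" when nothing matches.
pkexec_log_hits() {
    grep -c -E 'pkexec.*(/etc/shells|contains sus)' "$1" 2>/dev/null || true
}

# Stand-alone demo on a constructed auth log (sample lines, not real data).
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Jan 26 10:00:01 host pkexec[4242]: pam_unix(polkit-1:session): session opened for user root by (uid=1000)
Jan 26 10:00:02 host pkexec[4243]: alice: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/tmp] [COMMAND=/usr/bin/id]
Jan 26 10:00:03 host sshd[1234]: Accepted publickey for alice from 192.0.2.10
EOF
echo "suspicious pkexec log lines: $(pkexec_log_hits "$demo_log")"
pkexec_status /usr/bin/pkexec || :
rm -f "$demo_log"
```

Run it as any user to read the binary's mode; run it as root to read the real auth log (for example `pkexec_log_hits /var/log/auth.log` on Debian-style systems). A nonzero count is a trigger to investigate, while a zero count proves nothing, which is why the patch, not the log check, is the control.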

Unix/Linux escalation-of-privilege vulnerabilities linger around for a significant amount of time since they are “only” privilege escalation and carry a lower CVSSv3 score. Make the effort to get your systems patched for this vulnerability, which is trivially exploited.

Jorge Orchilles

This bug is fascinating to me for several reasons. First, it indicates to researchers that other SUID binaries may have a similar issue, so I suspect we may see more of these. Second, this bug is dead simple to exploit. Almost all the POCs available were written based on the initial writeup. It also does not deal with any type of ASLR or memory corruption bug in this exploit, so this universally works everywhere regardless of kernel or distribution version. Patch it now.

Moses Frost

2022-01-27

Water Sector Now Included in US ICS Cybersecurity Initiative

The Biden-Harris Administration is expanding the Industrial Control System (ICS) Cybersecurity Initiative to the country’s water sector. The 100-day Industrial Control Systems Cybersecurity Initiative - Water and Wastewater Sector Action Plan is a collaborative effort between the Environmental Protection Agency (EPA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Water Sector Coordinating Council (WSCC).

Editor's Note

The water sector consists of thousands of businesses, many very small with little budget, making cyber improvements a challenge. Even so, CISA is offering free vulnerability scans and technical assessments to help bridge the gap. These will be particularly helpful where services were outsourced or expertise is lacking to verify systems are appropriately secured.

Lee Neely

The announcement acknowledges that the Water and Wastewater Sector is intensely local – very similar to election systems in the number and variety of local agencies providing water and sewage services. While past compromises show this sector is definitely in need of security attention, the same approaches and solutions that work for large-scale electrical grids and energy systems will not work here.

John Pescatore

Water is infrastructure and needs to be protected as such. However, it is not vulnerable to the kind of cascading failures that the power grid is. While there may be back-up and load sharing agreements, their invocation is not automatic.

William Hugh Murray

2022-02-26

OMB Releases Zero-Trust Architecture Strategy

The US Office of Management and Budget (OMB) has published a federal zero-trust architecture strategy. The strategy requires federal agencies “to meet specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024.” The requirements include the use of strong multi-factor authentication; the “creat[ion of] reliable asset inventories through participation in CISA’s Continuous Diagnostics and Mitigation (CDM) program;” and “audit[ing] access to any data encrypted at rest in commercial cloud infrastructure.”

Editor's Note

At its core, the driver to zero trust is that our legacy model of a hardened perimeter with (many) defined entry and exit points is not sufficient to prevent attack by modern adversaries. The executive order (EO 14028) required agencies to have a zero-trust implementation plan. This memo adds a requirement for agencies to build upon those plans within 60 days, as well as identify a zero-trust strategy implementation lead within 30 days of the memo. The memo has broad impact, not only in authentication, but also requiring more substantive application testing, DNS encryption, encryption of internal HTTP connections, comprehensive data protection and more. This memo provides a good set of security measures to consider regardless of public or private sector.

Lee Neely

As your architecture moves from traditional on-prem to cloud and zero-trust, be sure your defenses and detections evolve as well. If you can't detect password spraying and identity abuse, you may not be any better off. Also: multi-factor authentication for all the things!

Christopher Elgee

Non-federal agencies should review and apply similar guidance to meet the bar set by OMB.

Jorge Orchilles

I always think about definitions when I read headlines like this. Many will argue MFA alone is not Zero Trust. Do we know which Zero Trust Architecture definition we are going with today?

Moses Frost

We need system-to-system and process-to-process isolation, and least privilege access control and we need them now, not two years from now. Setting a target of 2024 is the equivalent of granting a license to accept the risk (e.g., that a covert backdoor anyplace in the organization puts the entire organization at risk) until then.

William Hugh Murray

The Rest of the Week's News


2022-01-27

NCSC’s Scanning Made Easy Project to Share NMAP Scripts

The UK’s National Cyber Security Centre and the Industry 100 have jointly launched the Scanning Made Easy (SME) project to help system owners and administrators find vulnerabilities in their networks. The project will release NMAP Scripting Engine scripts created by i100 partners and other cybersecurity experts.

Editor's Note

Practitioner's note: after downloading new NSE scripts (usually to /usr/share/nmap/scripts/ or C:\Program Files (x86)\Nmap\scripts\), be sure to run "nmap --script-updatedb" as an elevated user. This updates Nmap's local script database so that next time you run something like "nmap -iL hosts.txt --script 'vuln'", the appropriate new script will run.

Christopher Elgee

The Nmap Scripting Engine is one of the most powerful and potentially underused free security tools available. Engaging the security community to crowdsource the development could be exactly what is needed to draw more interest and development effort to this underused tool. The latest version has around 600 scripts; however, only a little over 100 of those check for specific vulnerabilities. Some of the vulnerabilities are over 20 years old, and the newest CVE specifically mentioned in current NSEs is CVE-2018-15442. Of the current 344 CVEs listed in CISA’s Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog), current NSE scripts only identify 2: CVE-2017-0143 (smb-vuln-ms17-010.nse) and CVE-2017-5638 (http-vuln-cve2017-5638.nse). Both are nearly 5 years old. That’s a big gap, and NCSC’s project should provide a valuable resource for little to no cost. The US could do similar with a project focused on detecting the CVEs in the Known Exploited Vulnerabilities Catalog.

Jon Gorenflo
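The two notes above describe the same artifact from two sides: the script database that `nmap --script-updatedb` rebuilds, and the question of how many scripts actually sit in the `vuln` category. The helpers below, added here as an example and not code from NCSC, the i100 partners or the Nmap project, read script.db directly so that after installing a new NSE script you can confirm it was registered under the category you intend to select, and count what a category covers. The script.db layout assumed is Nmap's one `Entry { ... }` line per script; the sample database in the demo, including the script name ncsc-sme-new-check.nse, is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from NCSC, the i100 partners, or the Nmap project.
# After copying new NSE scripts into the scripts directory and running
# "nmap --script-updatedb", script.db is what "--script 'vuln'" consults.
# Assumed format, one line per script as Nmap writes it:
#   Entry { filename = "smb-vuln-ms17-010.nse", categories = { "vuln", "safe", } }

# Print the file names of all scripts registered under category $2 in script.db $1.
scripts_in_category() {
    grep -E "categories = \{[^}]*\"$2\"" "$1" 2>/dev/null \
        | sed -E 's/.*filename = "([^"]+)".*/\1/'
}

# Return 0 if script $2 is registered under category $3 in script.db $1, else 1.
script_registered() {
    scripts_in_category "$1" "$3" | grep -qx "$2"
}

# Rebuild the database with nmap (needs write access to the scripts directory,
# hence the "elevated user" advice) and verify script $2 landed in category $3.
# $1 is the scripts directory that holds script.db, e.g. /usr/share/nmap/scripts.
update_and_verify() {
    command -v nmap >/dev/null 2>&1 || { echo "nmap not installed"; return 2; }
    nmap --script-updatedb >/dev/null 2>&1 || { echo "script-updatedb failed"; return 2; }
    if script_registered "$1/script.db" "$2" "$3"; then
        echo "$2 registered under '$3'"
    else
        echo "$2 NOT registered under '$3' (wrong directory, or no categories field in the script?)"
        return 1
    fi
}

# Stand-alone demo on a constructed script.db (sample entries, not a real install;
# ncsc-sme-new-check.nse is a hypothetical script name).
demo_db=$(mktemp)
cat > "$demo_db" <<'EOF'
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smb-vuln-ms17-010.nse", categories = { "vuln", "safe", } }
Entry { filename = "http-vuln-cve2017-5638.nse", categories = { "vuln", "intrusive", } }
Entry { filename = "ncsc-sme-new-check.nse", categories = { "vuln", "safe", } }
EOF
echo "scripts selected by --script 'vuln' ($(scripts_in_category "$demo_db" vuln | wc -l | tr -d ' ') total):"
scripts_in_category "$demo_db" vuln
script_registered "$demo_db" ncsc-sme-new-check.nse vuln && echo "new script is registered under 'vuln'"
rm -f "$demo_db"
```

On a real system, `scripts_in_category /usr/share/nmap/scripts/script.db vuln | wc -l` gives the "little over 100" figure from the note above, and `update_and_verify /usr/share/nmap/scripts some-new-script.nse vuln` is the post-install check that the script will actually be picked up by `--script 'vuln'`. A script whose header lacks a `categories` table never appears in script.db under any category, which is the most common reason a freshly copied script is silently skipped.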

This is going to be a useful library to help your scanning be more comprehensive. Even so, be sure to review each script to understand how it checks for vulnerabilities, whether the check is intrusive (they are designed not to be), and why it may have false positives as well as false negatives.

Lee Neely

There are very few vulnerability scanners that are free. NMAP with its NSE scripts is one of the best options. I look forward to this project.

Jorge Orchilles

2022-01-27

Google Drops FLoC for Topics API

Google is scrapping the Federated Learning of Cohorts (FLoC) Privacy Sandbox Initiative proposal and replacing it with the Topics API. In a blog post, Google notes that “Topics was informed by our learning and widespread community feedback from our earlier FLoC trials.” Google initially floated FLoC to replace third-party cookies in Chrome.

Editor's Note

Monetizing content via ads requires ads to be relevant to the user. Google is struggling hard to come up with a solution that will be accepted by users. This is not a technical problem. Companies like Google and Facebook lost user trust and no technical solution will get it back.

Johannes Ullrich

While privacy concerns effectively killed FLoC, the Topics API is still intended to provide tailored advertising based on your browsing habits. Their claim is “advertisers will only receive topics they have observed from other sites.” A user visits a site, the browser infers topics of interest from browser history, a site with ads is visited, the topics of interest are relayed to the AdTech platform (via API), which then selects the ads to display. E.g., if you visit a lot of Football sites, advertising would be from Football-related advertisers. The question is: do we want revised/targeted tracking, or would no tracking (non-targeted) be preferred?

Lee Neely

If the goal here is to provide less tracking of users and more privacy or anonymity of browsing, we cannot in good faith expect it to come from a company whose business model depends on this data. There are probably more impartial organizations that allow for "comments" that can design a more workable model. Although my snark meter will just remark that we will likely see tracking code in NFTs in the future, so buckle up.

Moses Frost

2022-01-26

Let’s Encrypt Certificate Revocation

Let’s Encrypt will revoke roughly 2 million certificates due to irregularities in its implementation of the TLS-ALPN-01 validation method. Let’s Encrypt plans to start the revocation process at 16:00 UTC on Friday, January 28. The organization estimated that less than one percent of active certificates are affected.

Editor's Note

The biggest issue with certificate revocations is knowing where in your organization they are being used. Site owners with impacted certs will get email, but not all those sites are even known by IT or IT security. This is probably a low-impact event, but good to use as justification for improving certificate management capabilities.

John Pescatore

With a 90-day expiration and the automation of certificate rollout, this one will be one to watch. With 2 million websites, it would be good to know who did or did not get affected by this. If there was an outage, how long did it last? Unfortunately, this type of data is seldom easy to come by because there may not be any reporting, and outages may happen with no one talking about it. However, with Certificate Transparency reporting, we could ultimately figure out who was impacted and how quickly they rolled out new certificates. Maybe a good project for a research study.

Moses Frost

If your certificate is revoked, your nightly run of certbot (or other ACME client) will get you an updated certificate. Avoid the temptation to run it repeatedly/rapidly so as not to DOS the Let’s Encrypt service.

Lee Neely

2022-01-27

DeadBolt Ransomware Targets QNAP NAS Devices

QNAP is urging customers to take steps to protect their network-attached storage (NAS) devices from the DeadBolt ransomware. In a statement, the company writes, “QNAP urges all QNAP NAS users to follow the security setting instructions below to ensure the security of QNAP NAS and routers, and immediately update QTS to the latest available version.” The DeadBolt ransomware began targeting Internet-connected QNAP NAS devices on January 25.

Editor's Note

The cost of a cloud hosted file service is going to be less than rebuilding your NAS if compromised with DeadBolt or other ransomware. If you’re still exposing your NAS to the Internet, make sure to disable remote system administration, make sure your router is not port forwarding the NAS admin services to the Internet and disable the UPnP Port Forwarding on your device. Make sure you’ve updated to the latest firmware. Make sure you have multiple disconnected backups of your NAS.

Lee Neely

I first ran into a ransomware gang that hit a Windows Server through exposed RDP and quickly pivoted to encrypting a Synology NAS. The prevalence of this type of gear in small businesses or Prosumer (Pro-Consumer) makes these types of attacks both easy and destructive. Most of the gear is not configured with strong passwords or authentication mechanisms, and the management interfaces are generally on the same network as the standard workstation equipment. I am surprised we do not see more of this.

Moses Frost

2022-01-26

Apple Updates

Apple has released updates for iOS, iPadOS, watchOS, tvOS, and macOS. The updates include a fix for the Safari data leak issue that was disclosed earlier this month. The updates also address a memory corruption issue in the IOMobileFrameBuffer kernel extension that is being actively exploited.

Editor's Note

Two vulnerabilities had already been made public or were being exploited ahead of the release of the patch. For others, additional details were released shortly after the patches were released. Update by this weekend. But note that there are some issues, for example with Dropbox, as you are applying this update. Apple Music, which is a full rewrite for macOS, may also require you to log out and log in again to re-authorize your system.

Johannes Ullrich

The iOS and iPadOS updates may feel benign as they only address 10 CVEs. The kicker is they include a fix for the CVE-2022-22587 zero-day, which is being actively exploited. Push the updates to your devices now. These updates are essentially monthly now; consider configuring your MDM to always push updates to your managed devices as they are released, along with user notification, to reduce exposure windows.

Lee Neely

2022-01-26

Kentucky Hospital Cyber Incident

Taylor Regional Hospital in Kentucky has experienced a cyber incident that resulted in significant disruption. All hospital systems, including its phone system, are down; the facility is operating under electronic health record (EHR) downtime procedures.

Editor's Note

Before your local hospital has a cyber incident, verify options to use a different facility, both from a feasibility and insurance perspective. Also be prepared to have documentation on current medications and medical conditions much as you would on a first time visit to a doctor, even if you’re going to an impacted facility, as they may not have the back-end health care/history records.

Lee Neely

I worked in healthcare for almost a decade back in the early 2000s. It was tough to justify endpoint security, segmentation, and other security items because the threat model was poorly defined. Specifically, after "worms" stopped being so prevalent, taking down systems. If patient safety or patient care isn't a factor, it isn't a priority in many places. Compliance and privacy are generally the more significant mover of the budget. It has taken almost another decade, but Ransomware has finally turned what was a hard sell into practically a requirement. Expect to see more focus in healthcare as more and more systems become Ransomware targets.

Moses Frost

2022-01-27

Ransomware Hits Electronics Company in Taiwan

Taiwanese company Delta Electronics was hit with a ransomware attack that was detected on January 18. Delta is a contractor for Apple, Tesla, HP, and Dell. Delta says the attack affected only non-critical systems and that operations were not significantly disrupted. The company’s main website is still offline as of Thursday, January 27.

Editor's Note

Delta claims to be the largest supplier of switching power supplies. The Conti ransomware operators claim to have encrypted 1500 servers and 12,000 computers out of the approximately 65,000 devices on Delta’s network. Take that sort of impact to your next disaster exercise and see how you would recover from that sort of impact, then make sure you have leveraged logical and physical separation techniques to manage lateral movement.

Lee Neely

Internet Storm Center Tech Corner

Local Privilege Escalation Vulnerability in Polkit's pkexec (CVE-2021-4034)

https://isc.sans.edu/forums/diary/Local+privilege+escalation+vulnerability+in+polkits+pkexec+CVE20214034/28272/


Emotet Stops Using 0.0.0.0 in Spambot Traffic

https://isc.sans.edu/forums/diary/Emotet+Stops+Using+0000+in+Spambot+Traffic/28270/


Over 20 Thousand Servers Have Their iLO Interfaces exposed to the Internet

https://isc.sans.edu/forums/diary/Over+20+thousand+servers+have+their+iLO+interfaces+exposed+to+the+internet+many+with+outdated+and+vulnerable+versions+of+FW/28276/


Technical Analysis of CVE-2022-22583

https://perception-point.io/technical-analysis-of-cve-2022-22583-bypassing-macos-system-integrity-protection/

https://isc.sans.edu/forums/diary/Apple+Patches+Everything/28280/


Apple Patches and Exploits

https://support.apple.com/en-us/HT201222

https://www.ryanpickren.com/safari-uxss


DazzleSpy Malware

https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/


Little Snitch Firewall Bypass

https://rhinosecuritylabs.com/network-security/bypassing-little-snitch-firewall/


Let's Encrypt Fixes Problems and Revokes Certificates

https://community.letsencrypt.org/t/changes-to-tls-alpn-01-challenge-validation/170427


VMWare Warns of Log4j Exploitation

https://www.vmware.com/security/advisories/VMSA-2021-0028.html

https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/


Geoffrey Parker: Building an Intelligent, Automated Tiered Phishing System

https://www.sans.edu/cyber-research/building-an-intelligent-automated-tiered-phishing-system-matching-the-message-level-to-user-ability/