SANS NewsBites

Splunk On-Premise Users Need to Patch ASAP; Microsoft Finally Releases Follina Fixes; Microsoft Slow on Releasing Azure Vulnerability Patches

June 17, 2022  |  Volume XXIV - Issue #47

Top of the News


2022-06-17

Splunk Releases Critical Update

Splunk released an emergency patch this week, addressing a critical vulnerability that could lead to arbitrary code execution. The vulnerability, CVE-2022-32158, has a CVSS score of 9.0. An attacker taking advantage of the flaw could execute code on endpoints connected to a particular deployment server. Splunk released patches only for Splunk 9.0; users of older versions need to upgrade to 9.0 to patch.

Editor's Note

If you're on Splunk 9.0, you will need to apply the patch. Due to the newness of the patch, you may wish to wait for any updates/issues to be squared away. If you're doing that, you need to disable the deployment server unless you're actively using it to deploy configuration updates. The ISC blog below has details on this approach. If you're not on Splunk 9.0, time to roll up your sleeves and get that update going.

Lee Neely

This does not impact Splunk Cloud users, so relevant to a bit more than half of Splunk customers. SaaS vendors have a simpler patching issue than IaaS vendors, but in procurement very important to ask about and evaluate the vendors' patch time commitments, their use of external Cloud Service Providers and DoS protection as well as broader security processes and controls. Like many security software vendors, Splunk is seeing its cloud business grow more than twice as fast as on-premises deployments. But margins (profit on sales) are still lower for cloud sales vs. on-premise. Important to keep the pressure on all security vendors to make sure cloud security of their own offering is Job 1, even as they look to constrain costs to improve cloud profit.

John Pescatore

2022-06-16

Microsoft Patch Tuesday Updates Include Follina Fix

On Tuesday, June 14, Microsoft released updates that address 60 security issues in a range of products. The updates include a patch for the Follina flaw in Microsoft Support Diagnostic Tool (MSDT). Three of the vulnerabilities fixed in this batch of updates have been deemed critical; the three remote code execution vulnerabilities affect Windows Network File System, Windows Hyper-V, and Windows Lightweight Directory Access Protocol (LDAP).

Editor's Note

The Follina fix was issued with a release date of May 30th, which caused a bit of confusion as it wasn't part of the June 14th set of patches. But it is included in the rollup patches. Please apply expeditiously. Also note the NFS patch. While not enabled by default, this is the third month in a row for NFS patches and this time, additional details regarding the vulnerability have been published by the discoverer, making an exploit more likely.

Johannes Ullrich

The patches address both the MSDT flaw and the Windows Network File System flaws. The NFS 4.1 fix is for your servers, and while critical, you may wish to test prior to wide deployment. Also, in case you're missing it, June 15 is the de-support date for IE - take care of your support and IT teams this month, it's going to be busy.

Lee Neely

2022-06-14

Microsoft Called Out for Dragging its Feet on Azure Fixes

Orca Security and Tenable both say that Microsoft has taken too long to address critical flaws in Azure. Orca Security’s Tzah Pahima said that Microsoft took more than four months to adequately fix a critical vulnerability in Azure’s Synapse Analytics. Researchers from Tenable detected two vulnerabilities in Synapse Analytics and reported them to Microsoft in early March; the issues were not acknowledged for nearly three months.

Editor's Note

Using the cloud (aka “someone else's computer”) requires trust. Delayed fixes and missing transparency about the risks your data is exposed to does not build trust. On the other hand: As long as it is cheap and easy enough, people will probably use it anyway.

Johannes Ullrich

I started Gartner’s coverage of cloud service security back in 2010 or so and a key issue was how cloud service providers would patch their underlying infrastructure. Testing patches to make sure a 10,000 user enterprise isn’t impacted is tough enough – Microsoft has over 700M users on Azure Active Directory. Obviously, Microsoft has the biggest problem since Windows vulnerabilities get outed the quickest, but Amazon AWS has the biggest market share (over 1M users). They have to walk the line between risk of customers being compromised by attackers exploiting the vulnerability and too-fast push out of patches that aren’t fully tested, leading to downtime at hundreds to thousands of customers. Right now, Microsoft is erring on the side of avoiding the latter, which is probably prudent since some recent MSFT patches have had to be recalled.

John Pescatore

It took Microsoft three tries to fix the vulnerability; the full fix was released in May. We have seen multiple patch cycles previously. The risk is that with cloud services you're not only dependent on the software provider for the fix, just as with on-prem, but also restricted to the mitigations they provide, which is unlike on-premise services. Make sure that you're considering this risk, weighed against the provider's track record of deploying updates and inclusion of possible compensating security measures.

Lee Neely

The Rest of the Week's News


2022-06-15

US HHS Security Risk Assessment Tool Version 3.3

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and National Coordinator for Health Information Technology (ONC) have released the Security Risk Assessment (SRA) Tool version 3.3. SRA “is designed to help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule and the Centers for Medicare and Medicaid Service (CMS) Electronic Health Record (EHR) Incentive Program.”

Editor's Note

This is just a port of the paper version of the OCR Security Risk Assessment tool to electronic/spreadsheet format. So, if you were already using the paper version, much easier to use. But the questionnaire is heavy on policy and compliance, much lighter on actual security defenses/controls. A decent starting point if you are starting from scratch but will also need tailoring for most environments. There are 64 questions with “I don’t know” as possible answers. The spreadsheet logic will show those as yellow if you use that answer, but a “Huh?” response should be high risk/red – if you answer “I don’t know” on more than a handful, time to stop and get a detailed security assessment performed.

John Pescatore

Download the tool from the HealthIT.gov Security Risk Assessment Tool website (see link below). It is available as an application for Windows 7/8/10/11 systems which stores data locally, or an Excel workbook. The questions include guidance for each of your possible answers, whether it is required, and the source for the question. Sections also include Threats and Vulnerabilities questions which you can leverage to see your risk score. Allow sufficient time to honestly assess yourself; resist the blame game. If you find yourself with a lot of critical or high-risk scores, or I-don't-know answers, consider a professional engagement to help you both verify your assessment and devise a risk-based path forward.

Lee Neely

2022-06-14

Healthcare Entities Respond to HHS RFI on Cybersecurity Requirements

In April, the US Department of Health and Human Services (HHS) published a request for information (RFI) seeking public comment on current healthcare security practices and how HHS Office for Civil Rights (OCR) can help healthcare entities implement security measures. A common thread throughout comments from several healthcare-related organizations is that cybersecurity requirements need to be flexible rather than one size fits all.

Editor's Note

Most of the reaction has been because HHS OCR is asking many questions on how best to determine monetary penalties for failure to protect personal health information. HIPAA has been out since 1996, HITECH since 2009, OCR enforcement actions did not start until 2017 and have been mostly driven by complaints not by proactive assessments – since 2017, OCR has had 105,189 complaints and only 1,739 Compliance reviews and fines were assessed in only .06% of cases, roughly only 1 out of 1500. Bottom line: most likely outcome is language accepting use of widely accepted frameworks, followed by increased proactive assessment and higher occurrence of fines. Legislation moves slowly – earliest start is probably FY 24. So, develop a 2-3 year strategic gap closure plan to convince management to fund progress over that period to avoid future punitive actions (sounds scarier than just saying fines…)

John Pescatore

Security frameworks need to be viewed from both a risk perspective and as a minimum bar. Use them to identify potential gaps in your protections, and document your decisions.

Lee Neely

2022-06-15

Cloudflare Says it Mitigated a 26M rps DDoS Attack

Cloudflare detected and thwarted a 26 million request per second (rps) distributed denial-of-service (DDoS) attack against one of its customers. The attack occurred last week. It was the work of a botnet comprising just over 5,000 devices, mostly servers and virtual machines belonging to cloud service providers. In a blog post, Cloudflare’s Omer Yoachimik writes that the botnet was “4,000 times stronger [than most other botnets] due to its use of virtual machines and servers.”

Editor's Note

Since extended DDoS attacks can cause cloud service providers to start failing to meet service level agreements, the larger CSPs generally have strong DDoS filtering in place, usually a mixture of filtering in their data centers and use of services like Cloudflare or Akamai/Prolexic. Make sure the security group is involved in evaluating cloud service procurements to assure that such hybrid DDoS protection is part of the bid – payoffs on SLA failure only give your company rebates on future bills, no level of business interruption costs are included.

John Pescatore

Even though this thwarted attack was targeting services on the free tier Cloudflare plan, verify your CDN provides DDoS protections on the service you're using. Cloudflare is comparing the relative impact for small device/IoT botnets (730,000 devices) versus smaller collections of server class nodes (5,067 devices). The larger botnet only generates 1.3 million rps, meaning while protecting your IoT devices is key, it's still paramount to consider your physical and virtual servers as high value targets for acquisition. Pay particular attention to unexpected workload bursts, consistent with DDoS attack duration.

Lee Neely

2022-06-15

Hertzbleed Side-Channel Attack

A newly-detected side-channel attack affects Intel and AMD x86 processors. Dubbed Hertzbleed, the flaw can be exploited to steal cryptographic keys by observing CPU frequency variations in the dynamic voltage and frequency scaling (DVFS) CPU-throttling technology. The researchers who detected the vulnerability acknowledged that exploits would require complex attacks. Intel and AMD do not have plans to release fixes.


2022-06-15

Citrix Fixes ADM Vulnerabilities

Citrix has released updates to address a pair of flaws affecting Citrix Application Delivery Management (ADM). An improper access control vulnerability could be exploited to allow a remote, unauthenticated user to corrupt the system and potentially reset the administrator password. An improper control of a resource through its lifetime issue could be exploited to temporarily disrupt the ADM license service. The flaws affect all supported versions of Citrix ADM server and Citrix ADM agent. Users are urged to upgrade to the most recent versions.


2022-06-16

Latin American Governments Face Serious Ransomware Risks

Latin American governments face a significant risk from ransomware attacks due to poor cyber hygiene, inadequate education, and immature infrastructure, according to researchers from Recorded Future’s Insikt Group. The researchers note that “If unaddressed, ransomware attacks on local, provincial, or federal government entities in LATAM could constitute a credible national and geopolitical security risk.”

Editor's Note

This is about cyber hygiene. Attackers are leveraging compromised credentials, which is best mitigated through the use of MFA. If you must hang on to reusable credentials, use services to check breach dumps for compromised credentials, to include rapid action for discovered compromised accounts.

Lee Neely

We have witnessed successful ransomware attacks against public sector bodies throughout the United States and Europe. There is no reason not to expect similar types of victims in other regions such as Latin America.

Brian Honan

2022-06-15

Ukraine’s Internet Routed Through Russia

Ukrainian internet companies are reportedly being forced to reroute their traffic through Russia or shut down their connections. Russian troops are seizing Ukrainian Internet providers’ equipment and ordering employees to reroute traffic; if they refuse, the troops are able to make the changes themselves. In addition, a new mobile company in the city of Kherson appears to be selling SIM cards that connect to a network with numbers that use the international prefix for Russia. Cloudflare’s head of data insight David Belson said, “Controlling internet access and being able to manipulate the internet access into an occupied area” is a “new front.”

Editor's Note

On the Internet, anything beyond the network jack in your system should be considered hostile anyway. Russia would be negligent not to reroute networks they physically control.

Johannes Ullrich

This is why end-to-end encryption is so important. Encryption is not just a tool to protect privacy, it is also a critical security tool which not only protects data but, as exemplified here, can protect people’s lives and their freedoms. Those looking for backdoors into encryption need to role play what would happen if a hostile and/or oppressive government had access to individuals’ internet traffic.

Brian Honan

The Ukrainian ISPs don't have a lot of choice here, as the Russians are able to make the changes if they refuse, and have physical access to the network equipment to obtain access. Watch to see if users can successfully use VPNs to bypass anticipated restrictions of access and attempted monitoring. If you are unsure of the network, wired/wireless or cellular you're using, use a VPN to secure the connection to a trusted exit point. Note that some services filter connection methods some VPNs use, so be prepared to use alternate offerings.

Lee Neely

2022-06-14

SBOMs Need to be Mapped to Known Vulnerabilities

In a blog post, Google’s Open Source Security Team observes that a software bill of materials (SBOM) by itself is not useful for determining security risks. Instead, an SBOM “needs to be mapped onto a list of known vulnerabilities to know which components could pose a threat.” The blog goes on to describe the process of using an open source tool to identify vulnerabilities in components included in an SBOM.

Editor's Note

Short response is no single action is alone complete for determining, let alone mitigating, software supply chain risks or any risk. SBOMs will have to be part of the solution, but the starting point is enterprises having accurate software inventories – the most likely apps to be compromised are the ones that are NOT in IT's configuration management database or spreadsheet of software licenses.

John Pescatore

Information to make informed decisions is important. The usefulness of SBOMs will depend on how we consume/analyze them. It may become tricky to keep up with SBOM evaluation due to rate of update or complexity unless we have trusted automation to identify risks.

Lee Neely
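The mapping step the Google post describes, as an added example that is not Google's tool or code from the post: a minimal CycloneDX-style SBOM and an OSV-style vulnerability list, both constructed here with placeholder IDs, are matched by package ecosystem, name and affected version range. Package names and ranges are assumptions for illustration only.

```python
"""Map an SBOM's components onto a list of known vulnerabilities.

Added example, not Google's tool or code from the blog post. The SBOM is
a constructed, minimal CycloneDX-style document; the vulnerability records
are constructed in an OSV-like shape ("introduced"/"fixed" ranges) with
placeholder IDs that are not real advisories.
"""
from typing import List, Optional, Tuple

# Constructed SBOM: components identified by package URL (purl).
SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "requests", "version": "2.25.1",
         "purl": "pkg:pypi/requests@2.25.1"},
        {"name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"name": "parser", "version": "1.4.2",
         "purl": "pkg:maven/com.example/parser@1.4.2"},
    ],
}

# Constructed vulnerability list (placeholder IDs). "fixed": None means
# no fixed version is known yet, so every version from "introduced" on is hit.
VULNS = [
    {"id": "EXAMPLE-0001", "ecosystem": "pypi", "package": "requests",
     "introduced": "0", "fixed": "2.26.0"},
    {"id": "EXAMPLE-0002", "ecosystem": "npm", "package": "lodash",
     "introduced": "0", "fixed": "4.17.21"},
    {"id": "EXAMPLE-0003", "ecosystem": "maven", "package": "com.example/parser",
     "introduced": "1.2.0", "fixed": None},
]


def parse_purl(purl: str) -> Tuple[str, str, str]:
    """Split 'pkg:<ecosystem>/<name>@<version>' into its three parts."""
    body = purl[len("pkg:"):]
    ecosystem, rest = body.split("/", 1)
    name, version = rest.rsplit("@", 1)
    return ecosystem, name, version


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering; non-numeric labels count as 0."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """OSV semantics: affected if introduced <= version < fixed."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def match_sbom(sbom: dict, vulns: List[dict]) -> List[Tuple[str, str]]:
    """Return (purl, vulnerability id) pairs for every affected component."""
    findings = []
    for component in sbom["components"]:
        ecosystem, name, version = parse_purl(component["purl"])
        for vuln in vulns:
            if (vuln["ecosystem"] == ecosystem and vuln["package"] == name
                    and is_affected(version, vuln["introduced"], vuln["fixed"])):
                findings.append((component["purl"], vuln["id"]))
    return findings


if __name__ == "__main__":
    for purl, vuln_id in match_sbom(SBOM, VULNS):
        print(f"{purl} is affected by {vuln_id}")
```

The lodash entry shows the boundary case: a component already at the fixed version is not reported.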

2022-06-15

Cloud Security Alliance: Top Cloud Computing Risks

The Cloud Security Alliance has published a report identifying the top cloud computing security risks faced by cybersecurity experts. Among things they noticed – a shift in cloud security responsibility from the service provider to the cloud adopter. The number one risk CSA identified is insufficient identity, credentials, access, and key management, which are the responsibility of cloud adopters. Other top risks include insecure interfaces and APIs; misconfiguration and inadequate change control; lack of cloud security architecture and strategy; and unsecure software development.

Editor's Note

The report includes business impact, key takeaways, examples, and security guidance for each of these risks. Use this to develop processes to ensure minimum security practices are implemented for your current and future cloud services. https://cloudsecurityalliance.org/artifacts/top-threats-to-cloud-computing-pandemic-eleven/

Lee Neely

2022-06-14

Prison Time for Selling DDoS Attack Services

A US district judge in California sentenced Matthew Gatrel to two years in prison for operating distributed-denial-of-service (DDoS) attack-for-hire websites. The sites Gatrel ran launched more than 200,000 DDoS attacks. In September 2021, Gatrel was found guilty of conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer. A co-defendant pleaded guilty before the trial began.

Editor's Note

This is similar to moving from arresting and sentencing one person buying drugs or weapons to doing so to a dealer selling to dozens – obviously a good thing. The next step is going after the sketchy hosting/IaaS companies providing capacity to some “cybercrime as a service” criminals. Even better would be ISP ingress and egress filtering of obviously malicious traffic.

John Pescatore

Having DDoS protection must become SOP for internet facing services. While court cases like this may provide some deterrence, having active technical countermeasures in place will provide a more rapid return, and possibly help your CISO sleep at night.

Lee Neely

Internet Storm Center Tech Corner

Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+June+2022+Patch+Tuesday/28742/


Terraforming Honeypots: Using IaaC & Cloud to Attract Attacks

https://isc.sans.edu/forums/diary/Terraforming+Honeypots+Installing+DShield+Sensors+in+the+Cloud/28748/


Houdini is Back Delivered Through a JavaScript Dropper

https://isc.sans.edu/forums/diary/Houdini+is+Back+Delivered+Through+a+JavaScript+Dropper/28746/


Drifting Cloud: Zero-Day Sophos Firewall Exploitation

https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/


Exploiting a Heap Overflow in the FreeBSD Wi-Fi Stack

https://www.zerodayinitiative.com/blog/2022/6/15/cve-2022-23088-exploiting-a-heap-overflow-in-the-freebsd-wi-fi-stack


Cisco Email Security Appliance and Cisco Secure Email and Web Manager

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-esa-auth-bypass-66kEcxQD


Zimbra Email - Stealing Clear-Text Credentials via Memcache Injection

https://blog.sonarsource.com/zimbra-mail-stealing-clear-text-credentials-via-memcache-injection/


Analyzing the Fastjson "Auto Type Bypass" RCE vulnerability

https://jfrog.com/blog/cve-2022-25845-analyzing-the-fastjson-auto-type-bypass-rce-vulnerability/


Cloud Middleware Dataset

https://github.com/wiz-sec/cloud-middleware-dataset


CVE-2022-26937 Windows Network File System NLM Portmap Stack Buffer Overflow

https://www.zerodayinitiative.com/blog/2022/6/7/cve-2022-26937-microsoft-windows-network-file-system-nlm-portmap-stack-buffer-overflow


Citrix Application Delivery Management Security Bulletin

https://support.citrix.com/article/CTX460016/citrix-application-delivery-management-security-bulletin-for-cve202227511-and-cve202227512


Hardcoded Backdoor User and Outdated Software Components in Nexans FTTO GigaSwitch

https://sec-consult.com/vulnerability-lab/advisory/hardcoded-backdoor-user-outdated-software-components-nexans-ftto-gigaswitch/


Adobe Patches

https://helpx.adobe.com/security/security-bulletin.html


SynLapse Vulnerability

https://orca.security/resources/blog/synlapse-critical-azure-synapse-analytics-service-vulnerability/


Hertzbleed Attack

https://www.hertzbleed.com