SANS NewsBites

Check for Use of OpenSSL 3.0 and Prepare to Patch Critical Flaw; FTC Punishes Drizly CEO; Patch Cisco AnyConnect to Protect Against Active Exploits

October 28, 2022  |  Volume XXIV - Issue #84

Top of the News


2022-10-27

OpenSSL 3.0.7 Will Address Critical Flaw

OpenSSL plans to release an update next week to address a critical vulnerability in the cryptographic library. The flaw affects OpenSSL versions 3.0.0 through 3.0.6; the older 1.1.1 series is not affected. OpenSSL will release version 3.0.7 on Tuesday, November 1. Heartbleed, disclosed in 2014, remains the best-remembered OpenSSL flaw, but the project's four-level severity scale was adopted after it, and the last issue OpenSSL rated critical was fixed in 2016.

Editor's Note

While people are working on performing the diffing of patches to try and understand the impact, OpenSSL 3.0 may not be as widely deployed as the version with Heartbleed. It’s a wait-and-see scenario. A core library like this may still impact many systems. Hopefully, with the advent of SBOM (software bill of materials) products, companies can quickly find and attempt to patch these libraries.

Moses Frost

The notice from OpenSSL doesn’t disclose the exact vulnerability, only categorizing it as critical, which means it affects common configurations and is likely to be exploitable. OpenSSL policy is to keep the specific issues private and trigger a new release. Given the prevalence of OpenSSL it makes sense to be careful disclosing the exact issue as there could be an enormous attack surface. What you can do is make sure that you update your OpenSSL installs, and applications with embedded OpenSSL, judiciously after the update is released. Review your software inventory and make a prioritized list, much like you did for Log4j.

Lee Neely
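The inventory step both editors describe is where most of the work is, so here is an added example (my code, not from the OpenSSL project or SANS) that triages version banners against the announced range 3.0.0 through 3.0.6 and lists the OpenSSL copies a host actually carries. The search directories are an assumption about where distributions keep shared libraries, and the range itself is taken from the pre-announcement.

```python
"""Added example (not from the OpenSSL project or SANS): triage OpenSSL version
banners against the pre-announced affected range 3.0.0-3.0.6 and list the copies
of OpenSSL a host carries so they can be prioritised for the 3.0.7 update.

Assumptions: the affected range is exactly 3.0.0 through 3.0.6; the search
directories below are a guess at where distributions install shared libraries.
"""
import re
import shutil
import ssl
import subprocess
from pathlib import Path

AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Matches the banner OpenSSL embeds in libcrypto and prints from `openssl version`,
# e.g. "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022". LibreSSL and
# BoringSSL banners deliberately do not match: they are different code bases.
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)[a-z]*")


def parse_openssl_version(text):
    """Return (major, minor, patch) from a version banner, or None if absent."""
    m = _BANNER.search(text)
    if m is None:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True when the banner names a release in the 3.0.0-3.0.6 range.

    Caveat: distributions that backport fixes keep the upstream version number
    (Ubuntu 22.04 ships 3.0.2), so a hit here means "check the package changelog",
    not "definitely vulnerable".
    """
    v = parse_openssl_version(text)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def banner_from_library(path):
    """Pull the OpenSSL banner out of a shared object without loading it."""
    data = Path(path).read_bytes().decode("latin-1")
    m = _BANNER.search(data)
    return m.group(0) if m else None


def inventory(search_dirs=("/lib", "/usr/lib", "/usr/lib64", "/usr/local/lib", "/opt")):
    """List (source, banner, affected) for the interpreter's own OpenSSL, the
    openssl binary on PATH, and every libssl/libcrypto shared object found.
    Statically linked and vendored copies inside application bundles are missed;
    that gap is what an SBOM is meant to close."""
    found = [("python ssl module", ssl.OPENSSL_VERSION, is_affected(ssl.OPENSSL_VERSION))]
    exe = shutil.which("openssl")
    if exe:
        out = subprocess.run([exe, "version"], capture_output=True, text=True).stdout.strip()
        found.append((exe, out, is_affected(out)))
    seen = set()
    for d in search_dirs:
        for pattern in ("libssl.so*", "libcrypto.so*"):
            for lib in Path(d).rglob(pattern):
                real = lib.resolve()          # collapse symlink chains to one file
                if real in seen or not real.is_file():
                    continue
                seen.add(real)
                banner = banner_from_library(real)
                if banner:
                    found.append((str(real), banner, is_affected(banner)))
    return found


if __name__ == "__main__":
    for source, banner, affected in inventory():
        print(f"{'AFFECTED' if affected else 'ok      '}  {banner:32}  {source}")
```

Run it on each host class you manage and feed the AFFECTED rows into the prioritized list; anything exposing TLS to the internet goes first. Note that the interpreter's own `ssl.OPENSSL_VERSION` is reported separately because language runtimes often bundle their own OpenSSL rather than using the system one.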

2022-10-26

FTC Sanctions Drizly and Its CEO Over Data Security Failures

The US Federal Trade Commission has sanctioned online alcohol marketplace Drizly and its CEO over poor customer data protection that resulted in the theft of 2.4 million user records. Drizly and CEO James Cory Rellas were alerted to security concerns two years before the breach occurred, but they had not taken steps to improve the security. The FTC's “proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness.” The order’s requirements will follow Rellas: He will be required to implement security programs at companies he runs if they collect data from 25,000 or more individuals.

Editor's Note

While on the surface this seems like a good one to show your CEO, I doubt this action against Drizly’s CEO will stand up to any formal appeal or legal challenge. As Commissioner Wilson’s dissent points out, this is saying that if any business decision made to take a security or privacy risk turns out to be the wrong decision, a CEO could be sanctioned. That seems unrealistic.

John Pescatore

With this sanction, the FTC is shining a light on the CEO and indirectly, the company executive team. While unlikely that the order will survive on appeal, it serves notice to every CEO that they are fully accountable for implementing and actively managing the company cyber security program.

Curtis Dukes

As Drizly is now part of Uber, the proposed order applies to the company as well as the former CEO, not only requiring increased security and training but also deletion of unnecessary data. The FTC intends the message to be: protecting Americans’ data is not discretionary and is to be prioritized. Keep an eye out for new FTC orders raising the bar on cyber security expectations. The proposed order, when finalized, will be in effect for twenty years.

Lee Neely

Interesting move by the FTC. This is a perfect case to set a precedent over corporate malfeasance and oversight. We will have to watch this one more closely, as if this does follow the CEO from company to company, we may see changes in the boardroom based on this.

Moses Frost

2022-10-26

Cisco: Known AnyConnect Vulnerabilities are Being Actively Exploited

Cisco is warning that two previously disclosed vulnerabilities in its AnyConnect Secure Mobility Client for Windows are being actively exploited. Cisco released fixes for the vulnerabilities in February and August 2020. Both vulnerabilities have been added to the US Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities catalog.

Editor's Note

The good news is this only impacts your Windows client. The bad news is probably most of your clients are Windows-based. There are no workarounds: you need to get your clients to at least 4.9.00086. Use the firewall’s capability to update the client to push an update when users next connect. Consider using your endpoint management to also distribute the updated client. POC exploit code was available 8/13, and Cisco became aware of active exploitation attempts 10/25. CISA is giving agencies until 11/14 to fix this. I’d advise not waiting.

Lee Neely

It’s rather odd that these two LPEs are being actively exploited years after they are released. It is also probably not surprising as many customers are reluctant to upgrade their versions of AnyConnect unless there is a specific feature needed, such as “Windows 11” support. As of the time of the publishing of this, it’s important to note that the DarkReading article mentions a Cisco Gigabyte Driver, which I believe is a mistake. Cisco doesn’t own Gigabyte. I believe they are referring to the motherboard manufacturer being added to the CISA KEV.

Moses Frost

The Rest of the Week's News


2022-10-27

Microsoft Will Fix Vulnerable Driver Blocklist Issue Next Month

Microsoft acknowledged that the vulnerable driver blocklist enforced by its hypervisor-protected code integrity (HVCI) feature has not been kept up to date. HVCI is touted as being able to prevent known vulnerable drivers from running on Windows machines. However, the list of vulnerable drivers has not been kept current in some pre-Windows 11 OSes. A non-security preview of Microsoft’s November 2022 Patch Tuesday release includes a fix for the problem.

Editor's Note

The driver blocklist was introduced as an optional feature in Windows 10, version 1809 and is enabled on systems which enable HVCI or run in S mode. As of Windows 11, version 22H2, it is enabled by default. This can be managed with the Windows Security app, but the version which manages this setting hasn’t been released yet. Part of the fix was that Microsoft was supposed to be providing updates to the on-device database of flawed drivers; these updates are now working. While not every flawed driver will be detected, it adds one more layer to our defenses at the endpoint. That said, use caution enabling the blocklist as it can result in a blue screen (aka hard stop) or inability to (re)install needed drivers.

Lee Neely

2022-10-25

Apple October Security Updates

Apple has released security updates for macOS, iOS, iPadOS, tvOS, watchOS, and Safari. Among the fixes is a patch for an actively exploited zero-day kernel flaw in iOS and iPadOS: an out-of-bounds write that an application could use to execute arbitrary code with kernel privileges. Apple’s update for macOS 13 Ventura addresses more than 100 issues.

Editor's Note

The updates include the anticipated iPadOS 16. iOS 16.1 and iPadOS 16 address 36 CVEs. Apple also just released iOS/iPadOS 15.7.1 which addresses 20 CVEs. All of the iOS/iPadOS updates address a recent zero-day, CVE-2022-42827, which is being actively exploited. Note Apple has released updated security bulletins for their recent updates (macOS, tvOS, iOS/iPadOS, watchOS, etc.) which include additional CVEs addressed. Note that when deploying iPadOS 16, the on-device version is listed as 16.1. The iOS/iPadOS zero-day has been added to the CISA KEV with a fix date of 11/15/22.

Lee Neely

Seems like only yesterday that Apple marketed itself as highly attack resistant when compared to other edge devices. We know several things changed over that time: the CPU, an increase in attack surface with the seamless integration of mobile devices, commoditization of vulnerabilities. Expect this to be the new normal for Apple and its high in demand products.

Curtis Dukes

2022-10-26

Apple Plans Fix for macOS Ventura Bug that Disrupts Third-Party Security Tools

Apple says it will fix an issue in macOS Ventura that renders third party security tools unable to access resources necessary to operate. The issue affects the macOS Ventura beta version that was released on October 11. There is a workaround available. Apple says that the problem will be resolved in the next macOS software update.

Editor's Note

Essentially the full disk access privilege gets revoked for security tools. The fix was intended to prevent attackers from gaining the access they needed to operate. If affected, you need to unlock the preferences, revoke the privilege explicitly, lock the preferences, then repeat granting the privilege this time. This doesn’t impact enterprise systems pushing Ventura updates via their MDM.

Lee Neely

2022-10-25

PayPal Adding Passkey Passwordless Login for Apple Devices

PayPal is introducing passkeys for passwordless account login on Apple devices running iOS 16, iPadOS 16.1 or macOS Ventura. PayPal plans to extend passkey availability as other platforms add support for the standard. Apple, Google, and Microsoft have said they plan to support passkeys by early next year.

Editor's Note

PayPal was one of the founding members of the FIDO Alliance; it will be good to see them urge their 200M+ users to move away from reusable passwords.

John Pescatore

At a bare minimum enable 2FA on your PayPal account. Better still, set up a passkey, particularly if you're using SMS for 2FA. If you’re wondering what FIDO authentication looks like to an end-user – here’s your opportunity.

Lee Neely

Keep in mind that webauthn is primarily a convenience feature, not a security measure. It aids security by making it easier to do the safe thing. Its widespread adoption by websites and their users may reduce use and leakage of passwords and their fraudulent reuse. From a security perspective, it substitutes beneficial use of a device, something one has and can use, for entry of a password. It resists the leaky browser problem as relates to credentials but use of browsers leaves users vulnerable to leakage of other data.

William Hugh Murray

2022-10-27

DHS Releases Cross-Sector Cybersecurity Performance Goals

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released cybersecurity performance goals and metrics designed to help entities in multiple industrial sectors improve their cybersecurity posture. While the goals were developed with critical infrastructure organizations in mind, other private sector companies could benefit from them as well. The documents include best practices for eight areas, including account security, device security, vulnerability management, and supply chain/third party security. CISA has set up a discussion page to receive feedback on the goals.

Editor's Note

Improving cybersecurity of critical infrastructure is a national priority. Current fragmented efforts by each industry sector point to the need for a common and prioritized set of safeguards to achieve a baseline cybersecurity posture. The CIS Critical Security Controls, starting with implementation group 1 are measurably effective against the top five attack types being used against every industry sector.

Curtis Dukes

The Cybersecurity Performance Goals (CPGs) are intended to be a fast-start guide to implementing the larger NIST CSF and are intended to be broadly applicable. CISA and NIST would like to see all organizations leverage the CSF, which is intended to not only be cross-sector and cross-industry relevant, but also maps to multiple security frameworks (NIST, ISO, etc.) NIST is setting up a discussions website, leveraging GitHub discussions, for feedback on the CPGs. See the NIST cross-sector CPG site: https://www.cisa.gov/cpg for the goals as well as links to the discussion site.

Lee Neely

Whether or not an enterprise is “critical infrastructure organization,” if it attaches to the public networks, it becomes a part of our collective infrastructure and should behave accordingly.

William Hugh Murray

2022-10-26

More Medibank Breach Details Emerge

Australian insurance provider Medibank now says that a data breach disclosed earlier this month compromised personal information of all 4 million customers. The compromised data include claims details. Medibank said that it does not have insurance for cyber incidents and that it expects costs associated with the breach to total between AU$25 million and AU$35 million ($16M to $22.4M) over the next six months.

Editor's Note

This is a great example of what cyber insurance can do for an organisation. Cyber insurance won’t prevent an attack, nor will it by itself reduce the technical risks you may face, however it does help you cover the financial risk from a cybersecurity breach.

Brian Honan

Before casting doubts on being self-insured, check with your insurance providers to make sure you understand what sorts of incidents are _NOT_ covered. You may find you’ve got a gap you didn’t anticipate. In addition to the fines above, Medibank is also expected to have large regulatory fines. Take note of the support Medibank is providing to customers, statements about impact as well as operational status to include financial impact and investor briefings. Are you prepared to be this transparent in a breach as well as provide your customers with this level of support? Double check that at the highest levels.

Lee Neely

2022-10-27

GitHub Fixes Vulnerability That Could Have Allowed Account Takeover

Researchers from the Checkmarx Supply Chain Security team found a vulnerability in GitHub that could be exploited to take control of repositories whose owners had renamed their accounts, hijacking the traffic that GitHub redirects from the old name. GitHub has addressed the flaw.

Editor's Note

Make sure that you’re referencing the most current repository name for your GitHub requests. Monitor for redirected repositories and update your configuration to use the updated location as well as verify the intended packages are at that location. The vulnerability existed when a user renamed their repository, which caused redirects to be setup from the old name to the new, and someone else registered on GitHub with the vacated username, which removed the redirects, and that person now can deliver their package to systems expecting the moved one. GitHub now has a process whereby popular usernames, when changed, are retired so that you cannot activate a vacated username.

Lee Neely
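The advice above to monitor for redirected repositories is easy to automate. As an added example (my code, not from GitHub, Checkmarx or SANS), the script below pulls GitHub references out of a dependency manifest and classifies each one as still in place, redirected, or missing. It assumes GitHub answers a HEAD request for a live public repository with 200, for a renamed or transferred one with 301 plus a Location header, and for a missing or private one with 404; the manifest text is constructed for the example.

```python
"""Added example (not code from GitHub, Checkmarx or SANS): find GitHub
repository references in dependency manifests and ask GitHub whether each one
still resolves in place, has moved (a redirect that a re-registered username
could later hijack), or no longer exists (a name somebody else may now claim).

Assumptions: GitHub answers HEAD https://github.com/<owner>/<repo> with 200 for a
live public repo, 301 plus Location for a renamed/transferred one, and 404 for a
missing or private one. SAMPLE_MANIFEST is constructed for this example.
"""
import re
import urllib.request
from urllib.error import HTTPError, URLError

# Catches https, git+https, git+ssh and archive URLs; ".git" and anything after
# the repo name (/, @, #, quotes) is excluded from the captured repo name.
_GITHUB_REF = re.compile(
    r"github\.com[/:]([\w-]+)/([\w.-]+?)(?:\.git)?(?=[\s/@#\"'),]|$)", re.MULTILINE
)

SAMPLE_MANIFEST = """\
# constructed requirements.txt (not from any real project)
requests==2.28.1
git+https://github.com/example-org/widget-lib.git@v1.2.0#egg=widget_lib
-e git+ssh://git@github.com/old-user/tool.git@main#egg=tool
https://github.com/someone/pkg/archive/refs/tags/v0.3.tar.gz
"""


def find_github_refs(text):
    """Return unique (owner, repo) pairs in first-seen order."""
    refs = []
    for owner, repo in _GITHUB_REF.findall(text):
        if (owner, repo) not in refs:
            refs.append((owner, repo))
    return refs


def classify(status, location, owner, repo):
    """Map an HTTP status (and Location header, if any) to a verdict.

    'ok'         the reference still resolves where the manifest says.
    'redirected' GitHub is forwarding to a new owner/repo: update the manifest,
                 because the redirect vanishes once the old username is
                 registered by someone else.
    'missing'    404: nothing lives here; a vacated username is claimable.
    """
    if status == 200:
        return ("ok", f"{owner}/{repo}")
    if status in (301, 302) and location:
        m = _GITHUB_REF.search(location)
        return ("redirected", f"{m.group(1)}/{m.group(2)}" if m else location)
    if status == 404:
        return ("missing", None)
    return ("error", None)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Stop urllib following 3xx: the redirect itself is the signal we want.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def resolve(owner, repo, timeout=10):
    """HEAD the repository page and classify the answer (needs network access)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        f"https://github.com/{owner}/{repo}", method="HEAD",
        headers={"User-Agent": "repo-redirect-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, None, owner, repo)
    except HTTPError as e:
        return classify(e.code, e.headers.get("Location"), owner, repo)
    except URLError:
        return ("error", None)


if __name__ == "__main__":
    for owner, repo in find_github_refs(SAMPLE_MANIFEST):
        verdict, target = resolve(owner, repo)
        print(f"{verdict:10} {owner}/{repo}" + (f" -> {target}" if target else ""))
```

Treat a "redirected" result as a to-do item, not a pass: rewrite the manifest to the canonical location and pin a commit hash or release tag so that whatever ends up at the old name cannot be pulled by mistake.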

Internet Storm Center Tech Corner

Upcoming Critical OpenSSL Vulnerability: What will be Affected?

https://isc.sans.edu/forums/diary/Upcoming+Critical+OpenSSL+Vulnerability+What+will+be+Affected/29192


OpenSSL Critical Flaw to Be Patched

https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html


Why is My Cat Using Baidu And Other IoT DNS Oddities

https://isc.sans.edu/forums/diary/Why+is+My+Cat+Using+Baidu+And+Other+IoT+DNS+Oddities/29188


Apple Updates

https://support.apple.com/en-us/HT201222


Fodcha Botnet Reaches 1Tbps

https://www.bleepingcomputer.com/news/security/fodcha-ddos-botnet-reaches-1tbps-in-power-injects-ransoms-in-packets/


MacOS Ventura Blocks Security Tools

https://www.wired.com/story/apple-macos-ventura-bug-security-tools/


Critical VMWare Security Tools

https://www.vmware.com/security/advisories/VMSA-2022-0027.html


Massive Cryptomining Operation via GitHub Actions

https://sysdig.com/blog/massive-cryptomining-operation-github-actions/


Daixin Team Ransomware Targeting Healthcare Providers

https://www.ic3.gov/Media/News/2022/221021.pdf


Cisco AnyConnect Client Exploited in the Wild

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-F26WwJW

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj


SQLite Vulnerability Details

https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/