SANS NewsBites

Patch OpenSSL as Updated and Tested Packages Become Available; Establish and Test Backup Plans for Cloud-based Security Services; Patch ConnectWise Backup Software; Make Sure Domain Controllers Are NOT Exposed on the Internet

November 1, 2022  |  Volume XXIV - Issue #85

Top of the News


2022-11-01

OpenSSL Patches Punycode Vulnerability in OpenSSL 3.0

Today, OpenSSL released OpenSSL 3.0.7. This version patches a buffer overrun vulnerability that can be triggered in X.509 certificate verification. To exploit the vulnerability, the attacker would need to obtain a valid signature from a trusted certificate authority for a malicious certificate. The vulnerability is triggered by a malformed Punycode-encoded domain name, either in a hostname or in the domain part of an email address included in the certificate. Exploitation results in a crash (denial of service) and could potentially lead to remote code execution. OpenSSL initially rated the vulnerability as "Critical" but has since downgraded it to "High."

Editor's Note

Looks "not bad." Exploitation seems to be unlikely given the requirement for a valid signature from a trusted certificate authority. The remote code execution is only likely for a malformed Punycode email address. Patch this one as updated packages become available, but you can stand down from "Heartbleed status."

Johannes Ullrich

OpenSSL released two patches that were originally deemed critical. It appears that during the internal disclosure process, many of the operating system vendors have responded with comments and potentially PoC code that identifies many of the memory protections and compiler protections that would make reaching this bug for true exploitability harder than thought (potentially impossible, although that’s an absolute that I would never claim). There is, however, a chance that OpenSSL 3.0 is in use in network gear such as firewalls, VPNs, switches, and routers. Most of these devices do NOT offer memory protections as they can’t afford to spend the computational cost of doing so. The only saving grace(s) is that the vendor may not have moved to OpenSSL 3.0 yet, and the customers may not have upgraded to software with the vulnerability. The only true way to tell is to wait for vendor disclosures. On a lark, I went ahead and looked at the latest Cisco ASA 9.18 version’s disclosure documentation (https://www.cisco.com/c/dam/en_us/about/doing_business/open_source/docs/ASA-9181-1650467697.pdf), and it appears that they are still disclosing 0.9 train and 1.1.X trains in that document. Please do not take this as an assured fact. Every vendor will have to perform this library search. If you are looking at your own servers, there will be scanners for this; it’s probably just too early to tell.

Moses Frost

For most organizations, I recommend taking a step back from the gritty details and ensuring you have an inventory of where you leverage OpenSSL and what versions. For OpenSSL 3.x solutions, see where and how to apply the patch. Then you can focus on understanding the implementation of the solutions using OpenSSL 3.x that cannot be patched yet and see if there is a possibility of those implementations being exploitable. I posted the most useful resources I found thus far here: https://twitter.com/jorgeorchilles/status/1587482470131408898

Jorge Orchilles
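
The inventory step the editors describe, as an added example that is not OpenSSL's code and not part of the newsletter: the Python below classifies version strings collected with 'openssl version' against the 3.0.7 fix, scans a binary blob for embedded OpenSSL version strings (for statically linked daemons or vendor images where the command line says nothing), and reports what the local Python interpreter itself links. The affected range (3.0.0 through 3.0.6, with 1.0.2 and 1.1.1 unaffected) is taken from OpenSSL's advisory; the host names and command output are constructed.

```python
"""Classify OpenSSL version strings against the 3.0.7 fix.

Added example (not OpenSSL's or SANS's code). Host names and the
'openssl version' output below are constructed, not real hosts."""
import re
import ssl

# Per OpenSSL's advisory, the Punycode bug affects 3.0.0 through 3.0.6 and is fixed in 3.0.7;
# the 1.0.2 and 1.1.1 series never contained the affected code.
FIXED_IN = (3, 0, 7)

# Text form for 'openssl version' output; bytes form for scanning a binary or firmware blob.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)[a-z]*")
VERSION_RE_BYTES = re.compile(rb"OpenSSL\s+(\d+)\.(\d+)\.(\d+)[a-z]*")


def parse_version(text):
    """Return (major, minor, patch) from an 'OpenSSL x.y.z' string, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def classify(text):
    """'vulnerable', 'patched', 'not-affected' or 'unknown' for one version string."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    if v < (3, 0, 0):
        return "not-affected"          # 1.x never had the Punycode decoder
    return "vulnerable" if v < FIXED_IN else "patched"


def scan_blob(data):
    """All OpenSSL version tuples embedded in a binary (what 'strings | grep OpenSSL' finds),
    for statically linked daemons or vendor firmware where 'openssl version' is unavailable."""
    return sorted({tuple(int(x) for x in m.groups()) for m in VERSION_RE_BYTES.finditer(data)})


# Constructed output of 'openssl version' collected from several hosts.
SAMPLE_OUTPUT = {
    "web01": "OpenSSL 3.0.5 5 Jul 2022",
    "web02": "OpenSSL 3.0.7 1 Nov 2022",
    "db01": "OpenSSL 1.1.1q  5 Jul 2022",
    "fw01": "sh: openssl: command not found",
}


def inventory(outputs):
    """Map each host to a classification; 'unknown' hosts need another check (scan_blob, vendor notice)."""
    return {host: classify(text) for host, text in outputs.items()}


def local_runtime():
    """The OpenSSL this Python interpreter itself links against."""
    return ssl.OPENSSL_VERSION, classify(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    for host, status in inventory(SAMPLE_OUTPUT).items():
        print(f"{host:6} {status}")
    print("local python:", *local_runtime())
```

A host reported as "unknown" (no CLI, or an appliance) is exactly the case Moses Frost describes: the version has to come from the vendor's disclosure, or from scanning the firmware image with scan_blob, and a 3.0.x hit there is worth a support ticket even before the vendor publishes.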

2022-10-31

Zscaler Outages Highlight Risk of Cloud-based Cybersecurity

Recent outages at Zscaler underscore the need for companies to be prepared for such downtime. The week before one of the disruptions, Zscaler warned customers that there could be packet loss because of damaged cables that could impact transoceanic routes. Forrester Research VP and research director for security and risk Merritt Maxim noted, “Cloud products and services are not necessarily more susceptible to outages than on-prem equivalents, [but] the issue is often that because of this perception, organizations do not properly assess all possible causes of cloud outages and develop mitigation plans in response to these threats.”

Editor's Note

All cloud services have Service Level Agreements that specify a percentage of downtime that if exceeded results in some reduction of your next month’s bill – SLAs don’t cover the cost of your business interruption. Those SLAs also have fairly complex terms and conditions that often exclude certain types of traffic (such as streaming) or unusually high volumes of business traffic. So, decisions on fail open (allow traffic to bypass outage) vs. fail closed, as well as backup plans, need to be in place and tested in advance for all cloud based security services and any business critical cloud services. SLAs should be reviewed by contracts, legal and security.

John Pescatore

Understand what the impact of outages are for outsourced services. When you purchased Zscaler or AWS, you definitely paid for a higher service level, but did you factor in the impact of outages, to include you not being able to affect the recovery with just-in-time resources or equipment? Make sure that you’ve considered contingencies, particularly for services which represent entry points to your business systems. Make, and document, decisions to allow interruptions, or work-arounds. Test those workarounds. Review regularly as more services get moved to external providers.

Lee Neely

2022-10-31

Updates Available for ConnectWise RCE Vulnerability

ConnectWise has released updates to address a critical remote code execution vulnerability in its ConnectWise Recover and R1Soft server backup manager. The flaw is due to improper neutralization of special elements in output used by a downstream component. The vulnerability was detected by researchers from Huntress.

Editor's Note

Vulnerabilities in backup systems are one of the underappreciated risks. Backup systems essentially instrument your network for remote privileged file access, and if abused, you easily hand over control to an attacker.

Johannes Ullrich

ConnectWise enterprise applications are most often used by managed service providers (MSPs) that provide IT services to small businesses and local government. In the past 24 months, ransomware attacks have shown a bias towards small businesses and local government. With that in mind and given that a proof of concept exploit exists for this RCE vulnerability, MSPs should place a high priority on implementing the patch within their infrastructure.

Curtis Dukes

This weakness can be exploited for lateral movement, not just impacting the targeted node, so you really want to close this hole. ConnectWise Recover should have automatically updated to the newest version. The R1Soft update supports many Linux package managers (yum, apt-get, dpkg & rpm), making the update straightforward. There is no workaround here.

Lee Neely

2022-10-28

Misconfigured CLDAP Services are Being Used to Magnify DDoS Attacks

According to researchers from Black Lotus Labs, misconfigured Connectionless Lightweight Directory Access Protocol (CLDAP) services on Microsoft domain controllers are being used to amplify distributed denial-of-service attacks. Known as reflection attacks, the technique has been in use for at least five years.

Editor's Note

You should be highly aware of what your domain controllers are talking to. At a minimum, don’t expose CLDAP (389/UDP) to the Internet. Limit access to LDAP services on your domain controllers to authorized systems, and implement measures to block spoofed IP traffic, such as RPF.

Lee Neely

And yet again: why is this even exposed to the internet? I hope with “managing your attack surface” becoming more of a vendor buzz word, organizations may finally figure out how to configure a basic firewall.

Johannes Ullrich
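
The exposure check and the detection the editors call for, as an added example that is not Black Lotus Labs' code and not part of the newsletter: the Python below runs over NetFlow-style records and (a) lists any UDP/389 packet that reaches a domain controller from outside, which should never happen, and (b) computes per-peer amplification (bytes the DC sent on UDP/389 divided by bytes it received) so that spoofed reflection victims stand out. The DC address, internal ranges and flow records are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for internet hosts.

```python
"""Flag CLDAP (389/UDP) exposure on domain controllers and reflection-style traffic
in flow records.

Added example, not Black Lotus Labs' research code. The DC address, internal ranges
and flow records are constructed."""
import ipaddress
from collections import defaultdict

CLDAP_PORT = 389
DOMAIN_CONTROLLERS = {"10.0.0.5"}                      # assumed DC address
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),   # assumed internal ranges
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed NetFlow-style records: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# In a reflection attack the victim's address appears as the source of tiny queries,
# so the DC's much larger replies are delivered to a host that never asked for them.
FLOWS = [
    ("10.0.0.50", 51234, "10.0.0.5", 389, "udp", 140),      # internal client query
    ("10.0.0.5", 389, "10.0.0.50", 51234, "udp", 1500),     # its reply
    ("203.0.113.7", 389, "10.0.0.5", 389, "udp", 52),       # spoofed query "from" the victim
    ("10.0.0.5", 389, "203.0.113.7", 389, "udp", 3000),     # ~58x larger reply hits the victim
    ("203.0.113.7", 389, "10.0.0.5", 389, "udp", 52),
    ("10.0.0.5", 389, "203.0.113.7", 389, "udp", 3000),
    ("198.51.100.9", 40000, "10.0.0.5", 389, "udp", 60),    # external probe, small reply
    ("10.0.0.5", 389, "198.51.100.9", 40000, "udp", 120),
    ("198.51.100.9", 40001, "10.0.0.5", 443, "tcp", 500),   # unrelated TCP flow
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_cldap_requests(flows):
    """Any UDP/389 packet reaching a DC from outside is a misconfiguration, attack or not."""
    return [f for f in flows
            if f[4] == "udp" and f[3] == CLDAP_PORT
            and f[2] in DOMAIN_CONTROLLERS and not is_internal(f[0])]


def amplification_by_peer(flows):
    """Bytes the DC sent on UDP/389 to each external peer divided by bytes received from it.
    A peer that received replies without sending anything gets an infinite ratio."""
    bytes_in, bytes_out = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dst in DOMAIN_CONTROLLERS and dport == CLDAP_PORT and not is_internal(src):
            bytes_in[src] += nbytes
        elif src in DOMAIN_CONTROLLERS and sport == CLDAP_PORT and not is_internal(dst):
            bytes_out[dst] += nbytes
    peers = set(bytes_in) | set(bytes_out)
    return {p: (bytes_out[p] / bytes_in[p] if bytes_in[p] else float("inf")) for p in peers}


def reflection_candidates(flows, min_ratio=10.0):
    """External peers receiving far more CLDAP bytes than they sent: likely spoofed victims."""
    return sorted(p for p, r in amplification_by_peer(flows).items() if r >= min_ratio)


if __name__ == "__main__":
    print("external CLDAP requests:", len(external_cldap_requests(FLOWS)))
    for peer, ratio in amplification_by_peer(FLOWS).items():
        print(f"{peer:15} amplification x{ratio:.1f}")
    print("reflection candidates:", reflection_candidates(FLOWS))
```

The first list is the one to act on regardless of ratio: every entry means the perimeter is letting UDP/389 through to a DC. The ratio only tells you whether someone is already using that exposure to hurt a third party, which is also the signal to watch for after closing the port, since reflection traffic should drop to zero.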

The Rest of the Week's News


2022-10-31

Google Fixes Seventh Chrome Zero-day This Year

Google has released a fix for a vulnerability in its Chrome browser that is being actively exploited. This is the seventh zero-day vulnerability that Google has patched in Chrome so far this year. Google has not revealed many details about the flaw apart from noting that it is a type confusion bug in the V8 JavaScript and WebAssembly engine. October has seen a bumper crop of updates, including patches from Apple, Microsoft, Google, Zoom, Cisco, VMware, and SAP.

Editor's Note

Keeping Chrome up to date is usually quite easy. But don’t forget that to apply any updates, you need to restart Chrome. I suggest restarting as you start the day in the morning to not delay any updates.

Johannes Ullrich

When you're popular, you get attacked - just ask the Windows security team. I applaud those who make patching fast and transparent, like the Chrome team. The same cannot be said for tablets, networking gear, IoT devices, software libraries...

Christopher Elgee

This isn’t what we mean when we say Halloween can be a scary time of year. By now you should be leveraging every trick in the book to keep your Chrome/Chromium browsers updated - including enforced limits on browser refresh after an update, so you should be able to scan and remediate stragglers fairly easily. If you're in the federal sector, make sure that you’re tracking updates for those data calls on pushing out these as well as Apple, Chrome, VMware, Cisco, etc. updates.

Lee Neely

Browsers are general, flexible, feature-rich, and complex; they leak. Prefer purpose-built applications.

William Hugh Murray

2022-10-31

NSA, CISA, and ODNI Publish Software Supply Chain Security Guidelines

The US National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) have released software supply chain security guidance for vendors. The document was developed through the Enduring Security Framework (ESF) public-private cross-sector working group. It grew out of analysis of the events leading up to the SolarWinds supply chain attack in December 2020. ESF released a version of the guidance for developers earlier this year, and expects to release another for customers.

Editor's Note

The latest guide starts off with the first sentence emphasizing essential security hygiene (“Unmitigated vulnerabilities in the software supply chain pose a significant risk to organizations.”) and throughout makes the point that in order to implement higher levels of supply chain security, you need that foundation of vulnerability management, configuration control and privilege management (such as at least Tier 2 of the NIST Cybersecurity Framework or Implementation Group 1 of the CIS Critical Security Controls) in order to be able to perform due diligence on what your software supply chain is supplying you with.

John Pescatore

While this is a non-trivial problem to get your arms around, the ESF is working to simplify it by focusing on three areas: Software Developers, Software Suppliers (vendors) and Software Consumers (acquiring organizations), and is releasing guidance documents specific to each. The intent is to assist customers in describing, assessing and measuring security practices relevant to software lifecycle. Software security via contractual agreements (which includes updates, addressing vulnerabilities and mitigations) is intended to be a vendor responsibility. Developer guidance includes the dreaded security requirements planning, adding security features and maintaining the integrity of the underlying infrastructure, which includes source code review and testing. This division should help you focus on the areas you can affect as well as know what to look for overall.

Lee Neely

It’s hard to imagine initiatives like this trimming the number of supply chain security incidents, but this could definitely help organizations triage and react when there's an issue with an upstream software package. You can’t fix it if you don't know you have it.

Christopher Elgee

This guidance is aimed at suppliers rather than purchasers. It is essential that suppliers be responsible for excluding malicious code from their deliveries.

William Hugh Murray

2022-10-31

CISA, FBI, and MS-ISAC Jointly Release DDoS Guidance

The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Multi-state Information Sharing and Analysis Center (MS-ISAC) have jointly published guidance “to reduce the likelihood and impact of distributed denial-of-service (DDoS) attacks.” The guidance is intended both for network defenders and for organizational leaders. At the same time, CISA has published a document with additional DDoS guidance for federal civilian executive branch agencies.

Editor's Note

These publications are both good high-level guides, but it is pretty rare to see a DDoS attack impact an organization that says, “I had no idea that could happen.” More common is “They wouldn’t believe that *would happen to us.*” The main guide has a good suggestion about using tabletop exercises to gain support for spending on needed mitigation measures.

John Pescatore

The guidance starts with the basics: Know what you have, verify protections are in place (e.g., WAF in blocking mode), understand what protections your ISP and other service providers have today, then work to close the gap. Don’t overlook any CDN services. Yes, we’re back to defense in depth, albeit CISA recommends enrolling in a single source for DDoS protections, versus multiple, which makes management and issue resolution simpler.

Lee Neely

2022-10-31

Cyberattack Against Aurubis Systems Part of Broad Attacks Against Manufacturing

Multinational copper producer and recycler Aurubis has acknowledged that its IT systems were the target of a cyberattack on Friday, October 28. Aurubis says the incident did not halt production, but they did disconnect their IT system as a precaution. According to a press release from Aurubis, the attack on their systems was part of a broader attack against the metals and mining industry.

Editor's Note

Not a lot of details out on this one yet, but the Colonial Gas Pipeline incident pointed out that not only do OT systems need to be protected and segmented from IT systems, key applications on the IT side that if shut down would impact billing, tracking, sales etc. can also bring production to a halt.

John Pescatore

As with Colonial Pipeline, both OT and IT systems have to be operational to deliver services. Which means that you’ve not only got to properly isolate those OT systems but also make sure that IT core systems which drive the business as well as talk to those OT systems are adequately protected. One other aspect to contemplate: workers being sent home during the outage, as they couldn’t do their jobs, was reported as a layoff, which could damage your reputation during an already challenging event.

Lee Neely

2022-10-31

FTC Brings Action Against Chegg for Alleged Security Failures

The US Federal Trade Commission (FTC) has filed a legal complaint against homework help app Chegg alleging that the company has exhibited a “careless” approach to cybersecurity resulting in multiple breaches of sensitive customer information. Among the issues listed in the complaint: Chegg shared an AWS access key with multiple employees and third-party contractors that allowed full administrative access to S3 databases; did not employ least privilege controls; and did not employ multi-factor authentication for access to the S3 databases. The FTC order will require Chegg to employ stronger security measures, and delete unnecessary data.

Editor's Note

Since late 2021, the FTC has expanded its role in both setting and enforcing cybersecurity standards. The issues cited in the complaint can be mitigated by simply following well-established cybersecurity best practices in the form of CIS critical security controls and CIS cloud foundation benchmarks. This order and the recent action against online alcohol marketplace Drizly and its CEO send a clear signal that the FTC has rightfully placed a focus on enforcing cybersecurity standards. Commercial businesses should redouble efforts in implementing a cybersecurity program that is both measurable and defensible.

Curtis Dukes

This comes after multiple breaches from Chegg, (2018, 2019, 2020), and reinforces the FTC’s new mantra of information protection being non-discretionary. Before you shrug off the behaviors above, make sure that you don’t have similar practices within your organization. If you do, take steps to remedy them. When was the last time you checked that you had adequate ACLs on your S3 buckets? How about other cloud storage? What about that temporary access for Jane from that company you were doing business with - did that get closed down after the contract concluded?

Lee Neely

Very few enterprises are employing least privilege access control or even have plans to get there.

William Hugh Murray
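
The three failings the complaint lists (a key shared with everyone, no least privilege, no MFA in front of the S3 data) all show up in a bucket policy, and Lee Neely's question about checking your own S3 access controls can be partly automated. As an added example that is not Chegg's, AWS's or SANS's code, the Python below audits a bucket policy document for an Allow granted to a wildcard principal, for blanket s3:* permissions, and for the absence of a Deny that requires aws:MultiFactorAuthPresent, showing a constructed weak policy beside a hardened one. The bucket name, role ARN and account id (111122223333, the AWS documentation placeholder) are constructed.

```python
"""Audit an S3 bucket policy for the failings the FTC complaint lists:
access open to any principal, blanket s3:* privileges, and no MFA requirement.

Added example, not Chegg's or AWS's code. Bucket name, role ARN and account id
(111122223333, the AWS documentation placeholder) are constructed."""
import json

BUCKET = "example-customer-data"
RESOURCES = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

# Constructed weak policy: one shared, all-powerful grant open to anyone, no MFA.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SharedAdmin",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:*",
        "Resource": RESOURCES,
    }],
})

# Constructed hardened policy: one named role, read-only actions, and an explicit
# deny for any request that did not authenticate with MFA.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyForAppRole",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": RESOURCES,
        },
        {
            "Sid": "DenyWithoutMFA",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": RESOURCES,
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
})


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, authenticated or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and any("*" in _as_list(v) for v in principal.values())


def _denies_without_mfa(stmt):
    """A Deny whose condition fires when aws:MultiFactorAuthPresent is false or absent."""
    cond = stmt.get("Condition", {})
    for op in ("Bool", "BoolIfExists"):
        if str(cond.get(op, {}).get("aws:MultiFactorAuthPresent", "")).lower() == "false":
            return True
    return False


def audit_policy(policy_json):
    """Return a list of human-readable findings; an empty list means no issue was found."""
    findings = []
    mfa_enforced = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Deny":
            mfa_enforced = mfa_enforced or _denies_without_mfa(stmt)
            continue                         # a Deny with Principal "*" is the desired shape
        if _wildcard_principal(stmt.get("Principal")):
            findings.append(f"{sid}: Allow granted to a wildcard principal (anyone)")
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: grants every S3 action; scope to the calls the role needs")
    if not mfa_enforced:
        findings.append("no Deny statement requires aws:MultiFactorAuthPresent")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(policy) or ["no findings"])
```

The bucket policy is only one of the layers that decide who reaches the data: identity policies attached to the shared key, bucket ACLs and the account's Block Public Access setting all apply as well, so treat a clean result here as one check among several rather than proof of least privilege, and pair it with rotating any key that was handed to multiple people.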

2022-10-28

Polish and Slovakian Parliaments Report Cyberattacks

The website of Poland’s Senate was reportedly hit with a distributed denial-of-service (DDoS) attack late last week, and voting in Slovakia’s Parliament was postponed after disclosing that its IT systems were not operating.

Editor's Note

Cyber as a weapon is now part of the military doctrine for a large majority of nations. While this attack could be viewed as more of a nuisance, it should serve as a reminder for organizations to revisit their recovery plans for service disruptions that impact business operations.

Curtis Dukes

The attack even took systems in the cafeteria offline. Whether or not you feel you’re a targeted organization, make sure that you have DDoS protections in place, even more so if you’re in any way affiliated with supporting government. Review the guidance on DDoS provided by CISA above.

Lee Neely

2022-10-31

FCC Notice of Proposed Rulemaking for Emergency Alert System

The US Federal Communications Commission (FCC) has published a Notice of Proposed Rulemaking regarding plans to strengthen the security of the country’s Emergency Alert System (EAS) and Wireless Emergency Alerts. The proposed rules would require organizations participating in EAS to report unauthorized use of EAS equipment within 72 hours. Organizations would be required to certify their risk management plans annually and to ensure that only valid alerts are received by consumers’ devices.

Editor's Note

Centralized reporting of incidents and misuse of government systems is expected these days. The risk management plans are alluding to making sure that appropriate security is in place, and it is reviewed at least annually. Automation is your friend here: this bar is not going to get lowered, and with efforts like CDM, expect it to continue to rise.

Lee Neely

Internet Storm Center Tech Corner

NMAP without NMAP - Port Testing and Scanning with PowerShell

https://isc.sans.edu/diary/NMAP+without+NMAP+Port+Testing+and+Scanning+with+PowerShell/29202


Supersizing your DUO and 365 Integration

https://isc.sans.edu/diary/Supersizing+your+DUO+and+365+Integration/29194/


Google Chrome 0-Day Patch

https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html


LODEINFO 2022 Abusing Security Software

https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/


Spring Security Vulnerability

https://tanzu.vmware.com/security/cve-2022-31692


ConnectWise Recover and R1Soft Server Backup Critical Vulnerability

https://www.connectwise.com/company/trust/security-bulletins/r1soft-and-recover-security-bulletin


TCP/IP Vulnerability CVE-2022–34718 PoC Restoration and Analysis

https://medium.com/numen-cyber-labs/analysis-and-summary-of-tcp-ip-protocol-remote-code-execution-vulnerability-cve-2022-34718-8fcc28538acf


Juniper SSLVPN / JunOS RCE Vulnerabilities

https://octagon.net/blog/2022/10/28/juniper-sslvpn-junos-rce-and-multiple-vulnerabilities/


Raspberry Robin Update

https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/