SANS NewsBites

Eleven Critical Flaws in Microsoft Software Must Be Patched, Including One Under Active Exploit; Known Control Web Panel Flaw Now Under Active Exploit; If You Haven’t Patched Fortinet SSL VPN, You May Have Already Been Compromised

January 13, 2023  |  Volume XXV - Issue #04

Top of the News


2023-01-11

Microsoft Patch Tuesday: January 2023

On Tuesday, January 10, Microsoft released fixes for nearly 100 vulnerabilities. One of the flaws, a privilege elevation vulnerability in Windows Advanced Local Procedure Call (ALPC), is being actively exploited. The vulnerability could lead to a browser sandbox escape and be exploited to gain system privileges. Eleven of the vulnerabilities are deemed critical; the others are rated important.

Editor's Note

As part of patch Tuesday, I wanted to highlight some embargoed research that ties into this update. The Unit42 group from Palo Alto created an interesting kit that produced a wide-ranging number of vulnerabilities, some of which were fixed in this update. If you're interested in finding vulnerabilities in software, I highly recommend you take a look at a talk called “Select Bugs From Binary Where Pattern like CVE-1337-Days”. We may see more easily found, exploited, and patched bugs, which could have short-term consequences and long-term benefits.

Moses Frost

I’d like to see Microsoft consistently report on when Windows and Windows apps (like Exchange, SharePoint, etc.) vulnerabilities are patched in their cloud-based, app-as-a-service offerings. 2021 data said 2/3 of Exchange customers were using cloud-based Exchange service. If you are in the 1/3 still doing on-prem and not able to patch rapidly, buy your CIO a cup of coffee and show her or him the numbers.

John Pescatore

Today, Jan 13, is National Blame Somebody Else Day, and while blaming Microsoft may seem appropriate, it's not going to help if it felt like these came late. It was probably the holiday messing with our internal clocks. So, yeah, 93 flaws, 11 critical, 1 actively exploited. Icing on the cake - CVE-2023-21674, the one being exploited, is also a zero-day privilege escalation flaw, so you're likely on the hook for immediate remediation. There is also another printer subsystem update as well as a SharePoint Server bug allowing unauthenticated remote connections. Note the SharePoint fix also needs you to deploy an update to the SharePoint server. If you didn't get the update lined up for your regular patch window, get on it. Yes, this is a three-day weekend in the US; you should be able to blow this update out to your commodity systems, allowing you to focus on more specialized systems. Aside from isolated/air-gapped use cases, ask why you are still running your own SharePoint servers. The time has come to make sure you're leveraging standardized services which are hosted so you can focus on systems needed for your mission objectives.

Lee Neely

2023-01-12

Critical Control Web Panel Vulnerability is Being Actively Exploited

Hackers are exploiting a known critical vulnerability in the Control Web Panel web hosting interface. The unauthenticated remote code execution flaw was patched in October 2022; users are urged to update to version 0.9.8.1147 or later.

Editor's Note

This is an attack on “CentOS Web Panel,” which is a very analogous project to the classic “Webmin” interfaces. None of these interfaces should be directly exposed to the Internet, but just like other internal management stations are, you can imagine these are as well. This one is tragically bad, as it’s an unauthenticated attack. Hopefully, these systems are not connected to internal networks. I would state that a VPN, SSH, or other secured connectivity method should be used. However, I suspect most of our readers are aware of this. Instead, what I will say is a cursory look on the internet does not suggest an extremely wide-scale deployment of this software exposed to the internet. We have yet to encounter this system on the Enterprise penetration tests we’ve been on.

Moses Frost

If you're using the CentOS Web Panel 7, apply the update from October. This flaw has a CVSS score of 9.8. Seriously, you can run OS-level commands because of how the input is handled, making it pretty easy to exploit.

Lee Neely

2023-01-12

Fortinet FortiOS SSL-VPN Flaw Was Exploited to Infect Government Systems

Fortinet says that an unknown threat actor exploited a critical flaw in its FortiOS SSL-VPN to infect systems at government and government-related organizations. Fortinet released a fix for the heap-based buffer overflow vulnerability (CVE-2022-42475) late last year. FortiOS SSL-VPN version 7.2.8 was released at the end of November; Fortinet published an advisory on December 12. In a January 11 blog post, Fortinet “details [their] initial investigation into this malware and additional IoCs identified during … ongoing analysis.”

Editor's Note

Hard to find actual data, but successful exploits against VPNs seem to happen disproportionately at US government agencies. Some of that is likely because they are targeted more, but OIG reports often point out poor patching performance on obvious targets like VPNs with published vulnerabilities.

John Pescatore

Make sure you're incorporating all the IOCs in your threat hunting, and verify you've updated your Fortinet SSL-VPNs to the fixed FortiOS. The threat actor is working very hard to avoid detection, manipulating log files, shutting down logging and IPS services. The only workaround is disabling the SSL-VPN, which is likely unrealistic, even with all hands on deck (no telecommuting).

Lee Neely

The Rest of the Week's News


2023-01-12

US FAA Addresses Notice to Air Missions System Outage; Flights Have Resumed

An outage of the US Federal Aviation Administration’s (FAA’s) Notice to Air Missions System (NOTAMS) caused the agency to ground domestic flight departures earlier this week. The FAA permitted air traffic to resume after 9 am on Wednesday. The FAA says that the problem appears to have been a damaged database file. NOTAMS, which operates separately from the FAA’s air traffic control system, is used to notify pilots of potential hazards.

Editor's Note

Every so often you need an incident to get attention (and funding) to fix broken systems. Let’s hope that this was all it took to get this system moved out of the 20th century. Some news suggests that the outage was due to not following procedures. But often there are reasons people do not follow procedures, for example if they are impractical or if they just do not have the time/staffing required to follow procedures.

Johannes Ullrich

Ah, self-inflicted wounds: Squirrels chewing through wires and untrimmed tree branches shorting out electricity distribution lines have been the cause of some of the largest power outages. Bad router or switch updates have been the cause of the biggest telecommunications outages. But, I can’t remember once any large outage being blamed on a security patch pushed out too quickly.

John Pescatore

One hopes this incident will receive similar regulatory review to the Southwest issue earlier this year. Both underscore the need to have adequate staffing and updated applications/services, with automated failover. Ideally, environments for regression testing and dynamic scaling as well. We've all been there when a "simple" change causes an unexpected outage. This would be a good time to check to make sure that critical systems are not only properly resourced but also have appropriate lifecycle plans which factor in the current workloads and demands.

Lee Neely

While attention will be on the aging infrastructure used by the FAA, one has to ask how the file(s) got corrupted in the first place and found their way to both the primary and backup NOTAMS. A review and changes to the procedures for updating, testing, and pushing these system files to the operational network is warranted.

Curtis Dukes

It was disappointing to see the number of people, many of them in the cybersecurity field, that jumped to the conclusion this outage was the result of a cyberattack. This type of overhyping of issues only leads to the undermining of the credibility of the cybersecurity industry. We need to do better in providing commentary on issues; not all IT incidents are cyber attacks.

Brian Honan

One would like to know whether the decision to ground the fleet in the event of the failure of this application was planned or (more likely) ad hoc. In the presence of a plan there was surely a cheaper, both economically and politically, remedy.

William Hugh Murray

2023-01-12

Critical Architectural Vulnerabilities in Siemens PLC

An architectural vulnerability in more than 100 models of Siemens SIMATIC and SIPLUS S7-1500 programmable logic controllers (PLCs) could be exploited to install firmware and bypass all protected boot features. Because of the nature of the flaw, it cannot be fixed with a software patch. Siemens notes that exploiting the flaw requires physical access to vulnerable devices; the company “recommends [that users] assess the risk of physical access to the device in the target deployment and to implement measures to make sure that only trusted personnel have access to the physical hardware.”

Editor's Note

There are really only two options here - either limit physical access, or purchase replacement units which have the improved secure boot (with an immutable root of trust) which resolve this flaw. As exploiting the flaw requires physical tampering, you could consider tamper indicators, but make sure you are checking them. Consider the costs of physical restrictions, with monitoring, versus replacements.

Lee Neely

These bugs are probably the worst-case scenarios for everyone involved. Very few organizations will be replacing their PLCs universally. Given this, organizations must accept that it's a risk whenever someone touches those PLCs. It will be curious if we ever read about an insider attack with these controllers.

Moses Frost

This vulnerability serves as a reminder that organizations should regularly review all aspects of their information security program. In this case both physical and personnel security processes are a primary focus for defensive actions based on this vulnerability.

Curtis Dukes

2023-01-12

Cisco Advisory Warns of Vulnerabilities in Small Business Routers

Cisco has published an advisory alerting users to vulnerabilities in some of its small business routers. The flaws, an authentication bypass vulnerability and a remote command execution vulnerability, affect Cisco Small Business RV016, RV042, RV042G, and RV082 routers. Cisco will not release updates to address the flaws.

Editor's Note

Cisco last sold these devices in 2016. Maybe they built them too well given how many of them still appear to be in use. Every device you buy comes with an expiration date and you need to plan and budget for timely replacements. I just wish the expiration date would be clearly visible on the device.

Johannes Ullrich

These are end-of-life products. Disabling remote management and blocking access to ports 443 and 60443 are the only partial workarounds; the real fix is to replace these. With a CVSS score of 9.0, maybe do it quickly? I know, they are on your list, and you bought replacements which arrived, excellent! Deploy them. On the off chance you missed lining up replacements, leverage this information to justify rapid action.

Lee Neely

These devices should be called “Cisco in name only.” The Small Business routers that are the constant front-page news here are part of the Small Business Unit for Cisco. Cisco IOS is not running on any of these units, and these units probably keep their internal Product Security Team (PSIRT) busy. The problem I see is that they carry the Cisco brand but have obvious security issues. Why we keep seeing C memory corruption bugs on web interfaces is beyond me. As these units are sold to small companies, the worst part is that they will probably not be patched. Whenever I talk to a small business owner, I urge them into a cloud-managed system that auto-updates. Pick one in that prosumer / small business space and have the manufacturer keep it up to date with a cloud-controlled system. It’s not the most ideal, but in the long run probably cheaper than paying for ransomware.

Moses Frost

2023-01-10

US National Archives and Records Administration Updates Record Retention Rules

The US National Archives and Records Administration (NARA) has updated its General Records Schedule (GRS), which establishes rules for record retention. The update includes new requirements for how long government entities must retain cybersecurity logs and other network data. The updated GRS mandates that federal agencies must keep full packet capture data for at least 72 hours and cybersecurity event logs for 30 months.
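As an added example (not NARA's, any agency's, or any vendor's tooling), the Python below classifies an inventory of packet captures and event logs against the two minimum retention periods just stated: 72 hours for full packet capture and 30 months for cybersecurity event logs. The inventory, file names and pinned "now" timestamp are constructed for illustration; the month arithmetic clamps the day of month so a cutoff computed from 31 March lands on 28 February rather than raising an error, and an artifact created exactly at the cutoff is treated as still inside the window. The script only reports; it never deletes anything.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Minimum retention periods as summarised above: 72 hours of full packet
# capture, 30 months of cybersecurity event logs.
PCAP_MIN_RETENTION = timedelta(hours=72)
EVENT_LOG_MIN_RETENTION_MONTHS = 30


@dataclass(frozen=True)
class Artifact:
    name: str          # hypothetical file name
    kind: str          # "pcap" or "event_log"
    created: datetime  # timezone-aware UTC timestamp


def parse_utc(text: str) -> datetime:
    """Parse an ISO-8601 timestamp without offset as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def months_before(when: datetime, months: int) -> datetime:
    """Same time of day `months` calendar months earlier; the day of month is
    clamped to the target month's length (31 Mar minus one month -> 28 Feb)."""
    total = when.year * 12 + (when.month - 1) - months
    year, month0 = divmod(total, 12)
    month = month0 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def retention_cutoff(kind: str, now: datetime) -> datetime:
    """Oldest creation time still inside the mandatory window for this kind."""
    if kind == "pcap":
        return now - PCAP_MIN_RETENTION
    if kind == "event_log":
        return months_before(now, EVENT_LOG_MIN_RETENTION_MONTHS)
    raise ValueError(f"unknown artifact kind: {kind!r}")


def classify(artifacts, now):
    """Return (must_keep, past_window) as two lists of artifact names.
    An artifact created exactly at the cutoff is still inside the window."""
    must_keep, past_window = [], []
    for a in artifacts:
        if a.created >= retention_cutoff(a.kind, now):
            must_keep.append(a.name)
        else:
            past_window.append(a.name)
    return must_keep, past_window


# Constructed sample inventory (not real data); "now" is pinned so the run
# is reproducible.
NOW = parse_utc("2023-01-13T12:00:00")
SAMPLE_INVENTORY = [
    Artifact("capture-2023-01-12.pcap", "pcap", parse_utc("2023-01-12T00:00:00")),  # 36 h old
    Artifact("capture-2023-01-10.pcap", "pcap", parse_utc("2023-01-10T12:00:00")),  # exactly 72 h
    Artifact("capture-2023-01-09.pcap", "pcap", parse_utc("2023-01-09T12:00:00")),  # 96 h old
    Artifact("auth-2021-01.log", "event_log", parse_utc("2021-01-15T00:00:00")),   # ~24 months
    Artifact("auth-2020-06.log", "event_log", parse_utc("2020-06-30T00:00:00")),   # > 30 months
]


def run_example():
    """Classify the constructed inventory against the pinned timestamp."""
    return classify(SAMPLE_INVENTORY, NOW)


if __name__ == "__main__":
    keep, past = run_example()
    print("must keep:", keep)
    print("past mandatory window (disposal per your own schedule):", past)
```

The "past window" list is an eligibility report, not a deletion order: the GRS figures are minimums, and an organisation's own schedule, litigation holds or an open investigation can all require keeping data longer.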

Editor's Note

Both Packet Capture (PCAP) and event logs are important data sources for forensic teams investigating a cyber breach. While some cybersecurity professionals might question maintaining PCAP data for a minimum 72 hours, it’s a reasonable balance between storage requirements and equipping the cyber defender.

Curtis Dukes

This only applies to the logs, not the data or content on systems that generated those logs. This means keep logs on centralized logging infrastructure, so you don't miss retention requirements with lifecycle activities of the systems generating logs. This ties back to directives contained in the May 2021 Cyber Security Executive Order (EO 14028).

Lee Neely

Enterprises should consider similar retention rules to facilitate both routine management and necessary forensics.

William Hugh Murray

2023-01-10

CISA Adds Two Flaws to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two privilege elevation vulnerabilities – one in Microsoft Exchange Server and one in Windows – to its Known Exploited Vulnerabilities (KEV) Catalog. US Federal Civilian Executive Branch Agencies have until January 31 to mitigate the flaws.

Editor's Note

CVE-2022-41080 - an Exchange privilege escalation flaw from last year, can be combined with CVE-2022-41082 to achieve arbitrary code execution. CVE-2023-21674 is the same Windows ALPC privilege escalation flaw addressed in the Jan 10 Windows update we discussed previously. Good news: the patches for these are out; go deploy them. Bad news: you're still hanging onto those on-premises Exchange servers.

Lee Neely

2023-01-12

Royal Mail Cyber Incident Disrupts International Deliveries

Earlier this week, the UK’s Royal Mail suffered a “severe service disruption” due to a cyber incident. The issue has disrupted only international shipping; domestic mail remains unaffected.

Editor's Note

To prevent massive backlogs, Royal Mail is asking customers to not post international items until further notice. They also offer a subscription to service update emails so users can remain informed. The Royal Mail Label/Marking system used for international items was taken out by LockBit ransomware. It is not clear if this was the genuine LockBit, or another actor using the leaked LockBit 3.0 ransomware builder, which could mean the data is not decryptable. To add to the impact, Royal Mail is also involved in a dispute with the Communication Workers Union, over pay and conditions, and is threatening another strike; I bring this up as a scenario to consider in your BCP efforts. Understand where your fallback plan can fail and decide what you're going to do if it happens now, rather than later, to include management buy-in.

Lee Neely

2023-01-12

Iowa School District Cancelled Classes After Cyberattack

A cyberattack compelled the Des Moines (Iowa) Public School District to cancel classes earlier this week. The attack also rendered the district’s Internet and network services unavailable. According to an update from the school district, access to Infinite Campus and to phones has been restored; they planned to resume classes on Thursday, January 12.

Editor's Note

Yay, DMPS is effectively back online. One expects the teacher workdays planned for next week will also be IT heads-down finish the cleanup days as well. DMPS also changed the dates of the semester to compensate for the days they cancelled classes. Make sure that if you're impacted by cancelled classes at your school, you check for any changes in schedule, including semester and holiday schedule.

Lee Neely

More than a decade ago, school systems nationally migrated to online information sharing and reporting for both parents and students. Couple that with a limited IT and cybersecurity budget and they are an easy target for cybercriminals—principally ransomware gangs. The FY2022 State and Local Cybersecurity Grant Program provides an opportunity for funding to implement a cybersecurity plan within school districts.

Curtis Dukes

Internet Storm Center Tech Corner

Prowler v3: AWS & Azure security assessments

https://isc.sans.edu/diary/Prowler+v3+AWS+Azure+security+assessments/29430


Passive Detection of Internet-Connected Systems Affected by Exploited Vulnerabilities

https://isc.sans.edu/diary/Passive+detection+of+internetconnected+systems+affected+by+vulnerabilities+from+the+CISA+KEV+catalog/29426


Microsoft January 2023 Patch Tuesday

https://isc.sans.edu/diary/Microsoft+January+2023+Patch+Tuesday/29420


Certified Pre-Pw0ned Android TV

https://github.com/DesktopECHO/T95-H616-Malware


ReVoLTE Attack

https://revolte-attack.net


Unauthenticated Remote DoS in ksmbd NTLMv2 Authentication

https://seclists.org/oss-sec/2023/q1/4


NGFW Data Exfiltration

https://cymulate.com/blog/data-exfiltration-firewall/


Cisco RV Series Vulnerabilities CVE-2023-20025

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbr042-multi-vuln-ej76Pke5


Zoom Updates

https://explore.zoom.us/en/trust/security/security-bulletin/


Gootkit Abusing VLC

https://www.trendmicro.com/en_us/research/23/a/gootkit-loader-actively-targets-the-australian-healthcare-indust.html


Cacti Unauthenticated Remote Code Execution

https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution/


On the Security Vulnerabilities of Text-to-SQL Models

https://arxiv.org/pdf/2211.15363.pdf