SANS NewsBites

Check Azure Storage Accounts for Vulnerable Configurations and Shared Keys; Microsoft Vulnerability Tuesday Requires Priority Patching; SAP Business Apps Flaws Require Expedited Patching

April 14, 2023  |  Volume XXV - Issue #30

Top of the News


2023-04-12

Azure Storage Account Key Vulnerability

Researchers from Orca found that Azure Storage shared key authorization is enabled by default, and “an attacker can not only gain full access to storage accounts and potentially critical business assets, but also move laterally in the environment and even execute remote code.” Organizations are urged to disable Azure Shared Key authorization and use Azure Active Directory authentication instead.

Editor's Note

This is one of those “ease of startup trumped security” design choices that were made in many products (think hard-coded passwords) and delighted bad guys. Good to see that Microsoft intends to “…move away from shared key authorization,” even if it does sound odd to see it called “…part of ongoing experience improvements.” Yes, in general it is an “improved experience” over when bad actors can take over storage accounts…

John Pescatore

So much for that easy button. If you're using it, turn off Azure Shared Key authorization, use AAD authentication. While it looked like you were just enabling read-only access, you were actually enabling modification/deletion capabilities as well. Expect Microsoft to publish updated guidance on using Azure Shared Storage shared key authorization, as well as configuration changes to make it disabled out-of-the-box.

Lee Neely

While I’m glad that this is being highlighted, let’s be clear on this one. It is standard stock behavior from Azure Storage. Yes, it’s a vector in very specific situations but this isn’t unauthenticated RCE. Much like the Omigod issue a few years ago, it’s awareness but not mass scale issues. The bigger issue with this service is we still find open Azure buckets in the wild with sensitive data.

Moses Frost

Here’s an example of the tug between enabling functions by default and secure configuration. Vendors typically provide products fully enabled; adversaries take advantage of the default configuration. The CIS Community Defense Model demonstrates that establishing and maintaining a secure configuration (Control 4) protects against the five major attack types, which reinforces the importance of secure configuration. See the CIS Azure Foundations Benchmark for secure configuration recommendations to protect the customer tenant.

Curtis Dukes

The resistance of developers to safe defaults, particularly to "safe out of the box," remains high. While safe defaults may make setup marginally more difficult, changing defaults late breaks things.

William Hugh Murray
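As an added example (not Orca's or Microsoft's code), the following Python audits the JSON that `az storage account list -o json` produces, flags every account that still accepts shared key authorization, and prints the `az storage account update --allow-shared-key-access false` command for each. The sample JSON is constructed; the point it demonstrates is that a null `allowSharedKeyAccess` value means the default, which is enabled.

```python
"""Audit Azure Storage accounts for shared key authorization (added example)."""
import json

# Constructed sample in the shape of `az storage account list -o json` output.
# These are not real accounts.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": "stlogsprod", "resourceGroup": "rg-prod", "allowSharedKeyAccess": None},
    {"name": "stbackups", "resourceGroup": "rg-prod", "allowSharedKeyAccess": True},
    {"name": "stlocked", "resourceGroup": "rg-sec", "allowSharedKeyAccess": False},
])


def shared_key_enabled(account: dict) -> bool:
    """True when shared key authorization is in effect for the account.

    Azure reports null for accounts that were never explicitly configured,
    and null means the default, which is enabled. Only an explicit False
    counts as disabled.
    """
    return account.get("allowSharedKeyAccess") is not False


def find_shared_key_accounts(az_json: str) -> list:
    """Return the accounts that still accept account-key (and key-signed SAS) auth."""
    return [a for a in json.loads(az_json) if shared_key_enabled(a)]


def remediation_commands(accounts: list) -> list:
    """Azure CLI commands that disable shared key auth on each flagged account.

    Move clients to Azure AD (RBAC) authentication first; once the flag is
    false, requests signed with the account key or a key-based SAS are rejected.
    """
    return [
        f"az storage account update --name {a['name']} "
        f"--resource-group {a['resourceGroup']} --allow-shared-key-access false"
        for a in accounts
    ]


if __name__ == "__main__":
    flagged = find_shared_key_accounts(SAMPLE_AZ_OUTPUT)
    for acct in flagged:
        state = "null (default: enabled)" if acct["allowSharedKeyAccess"] is None else "true"
        print(f"{acct['name']}: allowSharedKeyAccess={state}")
    for cmd in remediation_commands(flagged):
        print(cmd)
```

Run it against real output by piping `az storage account list -o json` into `find_shared_key_accounts`; the same null-means-enabled rule applies to the portal and ARM API views of the property.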

2023-04-12

April 2023 Patch Tuesday

On Tuesday, April 11, Microsoft released updates to address nearly 100 security issues in its software products. One of the flaws, a critical vulnerability in the Windows Common Log File System Driver, is being actively exploited to gain elevated privileges. Another vulnerability of particular concern is a critical flaw in Windows Message Queuing that could be exploited to allow remote code execution.


2023-04-12

SAP Updates

SAP has released 24 security notes to address security issues in its products. Of the 24 notes, 19 are new and five are updates to previous notes. Two of the vulnerabilities addressed in this month’s batch of fixes are critical flaws in SAP Diagnostics Agent and the SAP BusinessObjects Business Intelligence Platform.

The Rest of the Week's News


2023-04-13

International Coalition Publishes Guidance for Secure Software by Design

Cybersecurity authorities from the US, the UK, Canada, Australia, New Zealand, Germany, and the Netherlands have jointly released guidance for building security into software during the development process. The document, Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default, states that “it is crucial for technology manufacturers to make Secure-by-Design and Secure-by-Default the focal points of product design and development processes.”

Editor's Note

Buyer behavior is what shifts the balance. I’d like to see this group change that line to say, “it is crucial for technology *buyers* to make Secure-by-Design and Secure-by-Default the focal points of product *selection, evaluation and procurement* processes.” If buyers are willing to buy crappy products, sellers will always sell them.

John Pescatore

The guidance is reasonable as it builds off secure by design principles that have been around for well over a decade. I just wonder, do we need another document espousing the virtues of secure software by design? The focus should be on the really, really hard part: measuring compliance to these design principles.

Curtis Dukes

The idea is software should be secure by design, with a default secure configuration out of the box, and the complexity of that secure configuration is not a customer problem. Anything we can do to help customers keep their systems secure moves the bar in the right direction. My concern is this may be accomplishable with COTS systems; even so, you have integrations and other business process-related changes that create trust relationships which can be exploited. For individual components, like your web or application server, containers, etc. that you're using to deploy application services on top of, you're still going to need to work to secure these; the guidance provides top-down approaches you can leverage here as well.

Lee Neely

Security by design does not simply result in more secure software but improves overall software quality and schedule. (We do not miss schedule because we do not write code fast enough but because when we put it all together it does not work right. Manage quality, and schedule will take care of itself.)

William Hugh Murray

2023-04-13

Google White Paper Calls for Improvements to Vulnerability Management Ecosystem

In a white paper titled “Escaping the Doom Loop,” Google identifies the areas of the vulnerability management ecosystem that need improvement: looking beyond zero-days; making transparency the norm; supporting researchers; and escaping the doom loop of vulnerabilities and patches. Google’s proposed initiatives to address these issues are the creation of a Hacking Policy Council, “a group of like-minded organizations and leaders who will engage in focused advocacy to ensure new policies and regulations support best practices for vulnerability management and disclosure, and do not undermine our users’ security;” a security research legal defense fund to support good faith research; and exploitation transparency.


2023-04-13

LinkedIn Adds Identity Verification Security Measures

LinkedIn has introduced three additional identity verification methods. Users may now verify their identity with the CLEAR platform once they have provided a government-issued ID and a phone number. They can verify their place of work through company email. They will also be able to use the Entra Verified ID platform, which is a collaborative effort with Microsoft.


2023-04-12

US Senator Wyden is Concerned About FirstNet Security

US Senator Ron Wyden (D-Oregon) has written a letter to the Directors of the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA), asking for annual audits of FirstNet, a phone network built for first responders and the military. Wyden has expressed particular concern about the nearly 50-year-old Signaling System No. 7 (SS7) protocol, which contains vulnerabilities that allow mobile device tracking and call and text interception.


2023-04-12

Microsoft: Guidance for Detecting BlackLotus UEFI Bootkit Compromise

Microsoft has published “Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign.” The document can be used to help determine whether an environment has been compromised by the attack; it can also be used to recover from and prevent BlackLotus UEFI Bootkit compromise.


2023-04-13

New WhatsApp Security Features

WhatsApp has announced it will introduce three new security features to prevent accounts from being taken over. Account Protect will add a layer of security to ensure that requests to move accounts from one device to another are legitimate. Device Verification will “help prevent malware from stealing the authentication key and connecting to WhatsApp server from outside the users' device,” and Automatic Security Codes will use the security code verification feature to ensure users are communicating with their intended message recipients.


2023-04-13

Fix Available for Critical Flaw in Hikvision Storage Solutions

Hikvision has released an advisory detailing a critical authentication bypass vulnerability in its Hybrid SAN and cluster storage products. The flaw could be exploited to obtain admin permissions. Hikvision has released updated versions of both products to address the vulnerability.

Internet Storm Center Tech Corner

Microsoft Patch Tuesday

https://isc.sans.edu/diary/Microsoft+April+2023+Patch+Tuesday/29736

Microsoft Message Queue Vulnerabilities Details

https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/

HTTP: What's Left of it and the OCSP Problem

https://isc.sans.edu/diary/HTTP+Whats+Left+of+it+and+the+OCSP+Problem/29744

Recent IcedID (Bokbot) activity

https://isc.sans.edu/diary/Recent+IcedID+Bokbot+activity/29740

NTP Vulnerability Update

https://github.com/spwpun/ntp-4.2.8p15-cves/issues/1#issuecomment-1506667321

NTP Vulnerabilities

https://github.com/spwpun/ntp-4.2.8p15-cves

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0938

SecurePoint UTM Vulnerability CVE-2023-22897

https://www.rcesecurity.com/2023/04/securepwn-part-1-bypassing-securepoint-utms-authentication-cve-2023-22620/

https://www.rcesecurity.com/2023/04/securepwn-part-2-leaking-remote-memory-contents-cve-2023-22897/

Google Cloud Assured Open Source Software Services

https://cloud.google.com/blog/products/identity-security/google-cloud-assured-open-source-software-service-now-ga

Windows LAPS Available as part of Windows

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/by-popular-demand-windows-laps-available-now/ba-p/3788747

SAP Patches

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Adobe Patches

https://helpx.adobe.com/security/security-bulletin.html