SANS NewsBites

Check for and Fix Insecure Direct Object References in Web Apps; New Ivanti Vulnerability Amplifies Risk; Faster Patching and Broader Fixes Critical to Mitigating Software Risk

August 1, 2023  |  Volume XXV - Issue #60

Top of the News


2023-07-29

US and Australian Government Agencies Urge Checking Web App Access Permissions

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), US Cybersecurity and Infrastructure Security Agency (CISA), and US National Security Agency (NSA) have published a joint cybersecurity advisory, Preventing Web Application Access Control Abuse. The document is designed “to warn vendors, designers, and developers of web applications and organizations using web applications about insecure direct object reference (IDOR) vulnerabilities.”

Editor's Note

These IDOR vulnerabilities were an entry in the OWASP top ten for many years, then were merged into Broken Access Control back in 2017. OWASP still has a good cheat sheet on IDOR at https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html

John Pescatore

The guidance comes down to suppliers using tools to detect insecure references, and using indirect reference maps to ensure IDs, names, and keys are not exposed in URLs. Consumers evaluate web apps, prioritize those with best practices for SCRM, and keep them patched. Leverage OWASP and this guidance when developing and assessing applications for security. IDOR is only one aspect of secure application development you need to track; don't get tunnel vision.

Lee Neely
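The two controls the advisory and the OWASP cheat sheet describe, a server-side ownership check on every object access and an indirect reference map that keeps real keys out of URLs, are easiest to see side by side. The following is an added illustration, not code from the advisory or from any vendor; the invoice table, user names and URL layout are constructed for the example, and the per-session map is one possible design, not the only one.

```python
"""IDOR: a vulnerable lookup beside two fixes, a server-side
authorization check and a per-session indirect reference map.
All data below is constructed sample data, not from any real system."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    amount: int


# Stands in for a database table; the integer keys are the "direct"
# object references an attacker would otherwise guess or enumerate.
INVOICES = {
    1001: Invoice(1001, "alice", 250),
    1002: Invoice(1002, "bob", 999),
}


class Forbidden(Exception):
    pass


# --- Vulnerable: the ID taken from the URL is used directly and the only
# check is "is someone logged in". Any authenticated user can walk
# /invoices/1001, /invoices/1002, ... and read every customer's invoice.
def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Invoice:
    if not session_user:
        raise Forbidden("login required")
    return INVOICES[invoice_id]  # no ownership check: classic IDOR


# --- Fix 1: authorize every object access against the session identity.
# Hiding the ID is not the control; this server-side check is.
def get_invoice_checked(session_user: str, invoice_id: int) -> Invoice:
    inv = INVOICES.get(invoice_id)
    # Same error for "does not exist" and "not yours", so the response
    # does not confirm which IDs are valid.
    if inv is None or inv.owner != session_user:
        raise Forbidden("not found")
    return inv


# --- Fix 2: indirect reference map. The client only ever sees a random,
# per-session token; the server maps it back to the real key.
class IndirectReferenceMap:
    def __init__(self) -> None:
        self._to_direct: dict[str, int] = {}
        self._to_indirect: dict[int, str] = {}

    def indirect_for(self, direct_id: int) -> str:
        if direct_id not in self._to_indirect:
            tok = secrets.token_urlsafe(16)  # unguessable, not sequential
            self._to_indirect[direct_id] = tok
            self._to_direct[tok] = direct_id
        return self._to_indirect[direct_id]

    def direct_for(self, indirect_id: str):
        return self._to_direct.get(indirect_id)


class Session:
    def __init__(self, user: str) -> None:
        self.user = user
        self.refs = IndirectReferenceMap()  # one map per session


def list_invoice_links(session: Session) -> list[str]:
    """Render links using indirect tokens; only the user's own objects
    are ever entered into the map, so foreign keys have no token."""
    return [f"/invoices/{session.refs.indirect_for(inv.id)}"
            for inv in INVOICES.values() if inv.owner == session.user]


def get_invoice_indirect(session: Session, token: str) -> Invoice:
    direct = session.refs.direct_for(token)
    if direct is None:
        raise Forbidden("not found")
    # Defence in depth: the map should only hold this user's objects,
    # but the ownership check still runs on the resolved key.
    return get_invoice_checked(session.user, direct)
```

The point the advisory makes is that the map alone is not the fix: a token copied from another user's session must still fail, and that failure comes from the ownership check in `get_invoice_checked`, which is why `get_invoice_indirect` calls it after resolving the token.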

2023-07-31

Ivanti Discloses Second Vulnerability This Week

Ivanti has disclosed and released a fix for another vulnerability (CVE-2023-35081) in its Endpoint Manager Mobile (EPMM) software, the second in just a week. Both vulnerabilities are being actively exploited. The more recently disclosed flaw can be exploited to perform arbitrary file writes to the EPMM server; it can be exploited in conjunction with the previously disclosed flaw (CVE-2023-35078) to bypass administrator authentication and access control list (ACL) restrictions.


2023-07-30

Google’s Zero-Day Vulnerability Report: n-Days are Like 0-days on Android Devices

Google has published its annual zero-day vulnerability report for 2022. Google says that in 2022, there were 40 zero-days discovered in the wild. Google’s “key takeaways” include n-day vulnerabilities functioning like 0-days on Android because of patch lag, and more than 40 percent of the 0-days found in 2022 are variants of older vulnerabilities.

The Rest of the Week's News


2023-07-28

Wyden Wants Microsoft Held Responsible for “Negligent Cybersecurity Practices”

US Senator Ron Wyden (D-Oregon) has written to the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Justice (DoJ), and the Federal Trade Commission (FTC), asking them to hold Microsoft accountable for its “negligent cybersecurity practices” that led to Chinese state-sponsored hackers gaining access to “hundreds of thousands of individual U.S. government emails” with the help of a stolen MSA encryption key. In the letter, Wyden also observes that “Microsoft never took responsibility for its role in the SolarWinds hacking campaign.”

Editor's Note

So far, the most scary part about this incident is Microsoft's continuing silence. Microsoft neither prevented nor detected the compromise, and the continuing silence may indicate difficulties explaining what exactly happened.

Johannes Ullrich

Certainly, Microsoft has some explaining to do on how the MSA encryption key was protected and that may give rise to a failure to demonstrate a standard duty of care. That determination will most likely be made by the court.

Curtis Dukes

US politicians of all types have long failed to enact any legislation that would support liability being assessed against software vendors. That is a necessary starting point for more than just posturing.

John Pescatore

To quote from Spiderman, “With great power, comes great responsibility,” and the issues raised by Senator Wyden highlight to all cloud service providers, not just Microsoft, that if they want customers to engage with their services, they need to take the security of those services seriously.

Brian Honan

While Microsoft is an easy target here, it's important to hold all cloud service providers equally accountable for cybersecurity to ensure they have a stake in the game. While there is little we can do about that, you can make sure that you've properly secured and approved cloud services, to include incident response and log file ingest capabilities. Even if you're using FedRAMP (or StateRAMP) cloud services, there are customer controls that must be implemented and verified.

Lee Neely

2023-07-31

White House Announces US National Cyber Workforce Strategy

The Biden Administration has released its National Cyber Workforce and Education Strategy (NCWES). The strategy, which addresses both immediate and long-term cyber workforce needs, rests on four pillars: equipping everyone with foundational cyber skills; transforming cyber education; expanding and enhancing the country’s cyber workforce; and strengthening the federal cyber workforce.


2023-07-31

Israeli Oil Refinery Websites Offline Due to DDoS Attack

The website of Israeli oil refining company BAZAN Group has been inaccessible to most people around the world since this past weekend following a distributed denial-of-service (DDoS) attack. The website is reportedly accessible within Israel. While the group claiming responsibility for the attack has published data it claims to have taken from BAZAN, the company says that “information and images being circulated are entirely fabricated and have no association with Bazan or its assets.”


2023-07-31

Apple Requiring Rationale for Use of Certain APIs

In an effort to improve user privacy, Apple will require app developers to provide rationales for using certain APIs in their apps. Starting later this year, Apple developers must explain in the app's privacy manifest why they are using the APIs. The API categories covered by this requirement include those that access file timestamps, system boot time, available disk space, active keyboard lists, and user defaults.


2023-07-29

Pentagon Investigating Insider Breach of Air Force Communications Systems

The Pentagon is investigating what appears to be an insider compromise of US Air Force communications systems. The information was revealed in a document obtained by Forbes. The document also suggests that the same individual may have breached FBI communications. After receiving a tip, law enforcement authorities conducted a raid on the individual’s home, where they discovered “he had ‘unauthorized administrator access’ to radio communications tech used by the Air Education and Training Command (AETC), ‘affecting 17 DoD installations.’”


2023-07-31

CISA Publishes Malware Analysis Reports on Malware Variants Targeting Barracuda Vulnerability

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a trio of malware analysis reports about malware variants that exploit a remote command injection vulnerability in the Barracuda Email Security Gateway (ESG) Appliance. The flaw was exploited as far back as October 2022, before a patch was available. Barracuda released fixes for the vulnerability in May 2023.


2023-07-29

US Experts are Seeking Out and Eradicating Malware on Critical Infrastructure Networks

US cyber experts are searching out malware embedded in networks that support power grids, communications systems, and water supplies at US military bases around the world. The situation began to emerge earlier this year when Microsoft detected anomalous code in telecom systems used in Guam and in the US. For months now, US officials and cyber experts have been scouring systems for the code and removing it.

Internet Storm Center Tech Corner

USPS Phishing Scam Targeting iOS Users

https://isc.sans.edu/forums/diary/USPS+Phishing+Scam+Targeting+iOS+Users/30078/

Do Attackers Pay More Attention to IPv6?

https://isc.sans.edu/diary/Do+Attackers+Pay+More+Attention+to+IPv6/30076

Shell Code in Images

https://isc.sans.edu/diary/ShellCode+Hidden+with+Steganography/30074

New Redis Malware Uses Unknown Initial Access Vector

https://www.cadosecurity.com/redis-p2pinfect/

https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/

Ivanti End Point Manager 2nd Zero Day

https://forums.ivanti.com/s/article/CVE-2023-35081-Arbitrary-File-Write?language=en_US

Ivanti Mobileiron Exploit Public

https://github.com/vchan-in/CVE-2023-35078-Exploit-POC/blob/main/cve_2023_35078_poc.py

Google Android 0-Day Summary

https://security.googleblog.com/2023/07/the-ups-and-downs-of-0-days-year-in.html

Wiping Sensitive Data from Printers

https://psirt.canon/advisory-information/cp2023-003/