SANS NewsBites

Prioritize Patching of all iOS and Android Devices; Are Your Crash Dumps Giving Away the Keys to Your Castle?

September 8, 2023  |  Volume XXV - Issue #71

Top of the News


2023-09-07

Apple Releases Updates to iOS, iPadOS, watchOS, and macOS to Fix Exploited Vulnerabilities

Apple today released iPadOS and iOS 16.6.1, watchOS 9.6.2 and macOS Ventura 13.5.2. These updates address two already exploited vulnerabilities, CVE-2023-41061 and CVE-2023-41064. Both vulnerabilities may lead to arbitrary code execution. Apple credits the Citizen Lab at The University of Toronto's Munk School. Citizen Lab has discovered several vulnerabilities in Apple's operating systems in the past; they are often related to commercial software used by governments to attack activists.

Editor's Note

You probably want to have these vulnerabilities patched by the weekend. Note that Apple will likely release major operating system versions within a week or two. It will be interesting to see if these new versions arrive with patches for these vulnerabilities.

Johannes Ullrich

While there are only two vulnerabilities, CVE-2023-41064, a buffer overflow in ImageIO, and CVE-2023-41061, a validation issue in Wallet, one or the other exists in the updated iOS/iPadOS 16.6.1, macOS 13.5.2 and watchOS 9.6.2. Queue these up for pushing to devices as soon as they are available in your MDM. Odds are iOS/iPadOS 17 will drop next week; you want to get these updates out so you have time to not rush the decision to pull the trigger on iOS/iPadOS 17.

Lee Neely

See item below about critical Android vulnerabilities needing priority patching as well this week.

John Pescatore

2023-09-07

Microsoft (Finally) Explains How Hackers Obtained Security Key

Microsoft has released the findings of its investigation into how threat actors were able to acquire a “Microsoft account (MSA) consumer key to forge tokens to access OWA and Outlook.com.” An April 2021 consumer signing system crash led to an automated crash dump; sensitive information like signing keys is not supposed to be included in these dumps, but a bug allowed the key to slip through. The crash dump was later moved to a debugging environment. At some point after April 2021, the threat actors managed to compromise a Microsoft engineer’s account. That engineer had access to the debugging environment.

Editor's Note

It was very important for Microsoft to shed some light on what exactly happened. The explanation sounds reasonable, but Microsoft admits that its logs were incomplete due to its limited log retention. I find it interesting that the adversary noted the key embedded in the crash dump.

Johannes Ullrich

Several takeaways: (1) Are you exposing keying material/auth tokens in crash dumps? (2) Are crash dumps ending up in exposed network segments? And (3) Has your business made it too easy for consumers and workers to simultaneously be customers and employees?

Lee Neely
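Added example, not code from Microsoft's report or from NewsBites: a pre-transfer gate that a crash-dump pipeline could run to answer the first question above before a dump leaves the environment that produced it. The sample dump bytes, the regexes and the entropy threshold are constructed assumptions, not how Microsoft's own scrubbing works.

```python
"""Pre-transfer gate for crash dumps: flag a dump that appears to carry key material.
Constructed heuristic example (not Microsoft's tooling).  Checks:
  1. PEM private-key headers (literal markers),
  2. JSON Web Keys that carry a private exponent "d",
  3. long base64-like runs whose Shannon entropy looks like random key bytes.
"""
import math
import re
from collections import Counter

PEM_RE = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
# A JWK object whose "kty" is followed, inside the same object, by a private "d" member.
JWK_RE = re.compile(rb'"kty"\s*:\s*"(?:RSA|EC|oct)"[^{}]{0,400}?"d"\s*:\s*"')
BLOB_RE = re.compile(rb"[A-Za-z0-9+/=_-]{40,}")


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: zero padding scores 0.0, random base64 key material sits near 5.5-6.0."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def scan_dump(data: bytes, entropy_threshold: float = 4.5) -> list[dict]:
    """Return findings as {kind, offset, snippet}; an empty list means nothing was flagged."""
    findings = []
    for m in PEM_RE.finditer(data):
        findings.append({"kind": "pem_private_key", "offset": m.start(), "snippet": m.group()[:40]})
    for m in JWK_RE.finditer(data):
        findings.append({"kind": "jwk_private", "offset": m.start(), "snippet": m.group()[:40]})
    for m in BLOB_RE.finditer(data):
        blob = m.group()
        if shannon_entropy(blob) >= entropy_threshold:  # skips padding / repeated bytes
            findings.append({"kind": "high_entropy_blob", "offset": m.start(), "snippet": blob[:40]})
    return findings


def safe_to_export(data: bytes) -> bool:
    """True only when no finding is present; a pipeline would block the copy otherwise."""
    return not scan_dump(data)


# Constructed stand-in for a crash dump: zero padding (benign), a JWK with a private
# exponent, a PEM header, and a 64-character run of distinct base64 characters (6.0 bits/byte).
SAMPLE_DUMP = (
    b"\x00\x00signing-svc crashed; heap follows\x00"
    b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x00"
    b'{"kty":"RSA","kid":"constructed-kid","n":"short","d":"PRIVATE-EXPONENT"}\x00'
    b"-----BEGIN RSA PRIVATE KEY-----\x00"
    b"z9Y8x7W6v5U4t3S2r1Q0pOnMlKjIhGfEdCbA+/aBcDeFgHiJkLmNoPqRsTuVwXyZ\x00"
)

if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP):
        print(f"{f['kind']:18} @0x{f['offset']:06x} {f['snippet']!r}")
    print("export allowed:", safe_to_export(SAMPLE_DUMP))
```

The entropy rule will also fire on legitimate compressed or random data, so treat a hit as "hold for review" rather than proof of a leaked key.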

This isn't a case of just one thing allowing that key to be compromised. Multiple factors led to the disclosure, all of which have been fixed. Read the Microsoft analysis and consider how your secure environments could be impacted through inadvertent data transfer to less secure environments. Crash dumps have historically contained a lot of sensitive data, which makes them useful for analysis and debugging; make sure that you're considering that when moving or sharing them, internally and externally, particularly with third parties. Make sure that you're aware of access, retention and protections before just sending dumps or raw log files.

Lee Neely

If we are to take Microsoft at their word, and there is no reason not to, this was an unfortunate sequence of events coupled with a generous amount of luck by the adversary in finding the signing key in the crash dump. It does beg the question why the signing key would have been in the crash dump to begin with, but it is what it is, and it has now been corrected. I do applaud Microsoft for describing the sequence of events, even with the likelihood of facing additional ridicule.

Curtis Dukes

Kudos to Microsoft for sharing this report and the technical details. It is well worth reading this report as it highlights how an advanced attacker can rely on dwell time and their skills, not to mention some luck, to compromise a target.

Brian Honan

This seems like a highly unlikely congruence of failures and events that explains in part why it has taken Microsoft so long to inform. There are two lessons for the rest of us. Signing keys should not be online when not in use and strong authentication is essential for all personnel. The lesson for Microsoft and its competitors is that their signing is a sensitive application: it plays a role on which their customers, indeed all of us, depend.

William Hugh Murray

2023-09-06

Android’s September Security Bulletin

The Android Security Bulletin for September 2023 includes fixes for 33 security issues, including a high-severity flaw in the Android Framework that is being actively exploited. The vulnerability can be exploited to gain elevated privileges without user interaction. The bulletin also includes fixes for four critical vulnerabilities: three remote code execution bugs in the Android System and a WLAN memory firmware corruption issue in a Qualcomm component.

Editor's Note

Seems like both Android and iOS have seen a lot of high severity vulnerabilities discovered. Given that a very high percentage of user and business transactions have moved from Windows to those two operating systems, that makes sense – and demands that “time to patch” for phones and tablets be shortened.

John Pescatore

With both Android and Apple updates this week, it's a good time to get those pushed out to your fleet of devices. Make sure you're casting the risk of patching/updates commensurate with the amount of business conducted on these devices.

Lee Neely

A particularly tough security fix month for Android. This, coupled with an increase in Apple iOS vulnerabilities, begs the question: are we seeing a transition in how adversaries target organizations? The reality is that more and more business functions are carried out using mobile devices. The adversary is simply shifting their tactics to this new reality.

Curtis Dukes

Many of the nerds and geeks that have been the great champions of Android (and other open systems) are able to assess the risk of using it and use it accordingly. This includes configuration management and timely patching. Most of its users, specifically including children and the elderly, are not so able. Those who sell Android to such users should provide stable and reliable configurations and maintain such configurations on a timely schedule.

William Hugh Murray

The Rest of the Week's News


2023-09-05

SEC’s New Cyber Disclosure Rules Now in Effect

The US Securities and Exchange Commission’s (SEC’s) new cyber disclosure rules took effect on Tuesday, September 5. Publicly traded companies are now required to disclose their cybersecurity risk management strategies and how their boards manage cybersecurity oversight and governance. Cyber event disclosure reporting requirements do not take effect until mid-December for large companies, and six months after that for smaller companies.

Editor's Note

The four day reporting clock doesn’t start until a management decision is made that an incident is deemed “material.” I think the worry that such decisions by corporate management will be rushed is overplayed – past experience has been more that early estimates of impact usually turn out to be lower than actual financial impact.

John Pescatore

If you're publicly traded, of any size, you need to read and understand these rules. Effectively you have four days to report any incident which is "material" in nature. Make sure you have a clear understanding of what material means as well as what you're expected to report and how. As you refine your working definition of material, make sure that your legal team is involved. Note that in addition to the reporting rule, requirements about describing your cybersecurity risk management strategy as well as board/management role definition in their oversight in cybersecurity went into effect on the 5th. Make sure that what you report is defendable as meeting requirements as well as able to survive an audit.

Lee Neely

And so it begins. I do hope that the SEC anonymizes the risk management strategies into some sort of annual report. We can all benefit in learning how publicly traded financial companies manage cyber risk and perhaps apply that to other industrial sectors.

Curtis Dukes

2023-09-05

Unpatched Vulnerabilities in PHPFusion Content Management System

Researchers at Synopsys have detected two vulnerabilities in the PHPFusion content management system. One is an authenticated local file inclusion vulnerability that could lead to remote code execution. The second is a vulnerability “due to an out-of-date dependency in the ‘Fusion File Manager’ component accessible through the admin panel” and could be exploited to read files and write files to arbitrary locations. Both flaws exist in PHPFusion versions 9.10.30 and older; there are currently no patches available.

Editor's Note

Herein lies one of the principal concerns in using open-source software: for critical vulnerabilities, who is on point to develop and release a patch? Notwithstanding a White House meeting last year with agreement by commercial software vendors to ‘stabilize’ open-source products, vulnerability management is still a problem. With the vulnerability disclosure, certain details are now known with no patch available. For those 15 million websites, buckle up, mischief and mayhem are heading your way.

Curtis Dukes

CVE-2023-2453 (local file inclusion, CVSS score 8.3) and CVE-2023-4480 (arbitrary file read, CVSS score 5.2) both don't have patches. The file inclusion flaw requires an authenticated user, at any level, to exploit; the arbitrary read flaw requires admin access. While you can mitigate the local file inclusion flaw by disabling the Fusion file manager, you may not be able to live with the reduced functionality. It may be simpler to leverage a WAF to block nefarious attempts to exploit either flaw until a fix is released. Also make sure you are reviewing user accounts to make sure they are all legit.

Lee Neely

2023-09-05

MITRE and CISA Publish OT Attack Emulator

The MITRE Corporation and the US Cybersecurity and Infrastructure Security Agency (CISA) have released a cyberattack emulation tool for Operational Technology (OT) networks. Caldera for OT is available as an extension for the MITRE Caldera open-source platform. The tool was jointly developed by CISA and the Homeland Security Systems Engineering and Development Institute (HSSEDI).

Editor's Note

Even if they aren’t critical infrastructure, your OT systems are likely more important than you think. Take a look at this open-source tool. The idea is to build a specific threat and launch it against a network to see where you may be vulnerable. This can also help you train your Blue team on identifying threats without actually doing harm.

Lee Neely

2023-09-05

Vulnerabilities in SEL Applications

Researchers from Nozomi Networks Labs have found nine vulnerabilities in Schweitzer Engineering Labs (SEL’s) SEL-5030 acSELeratorQuickSet and SEL-5037 GridConfigurator applications. Four of the flaws are rated high-severity; the rest are medium severity. SEL has released updates to address the vulnerabilities.

Editor's Note

The high-risk vulnerabilities include over-privileged execution (CVE-2023-31175), missing authentication for critical function (CVE-2023-34392), use of hard-coded credentials (CVE-2023-31173) and cross-site request forgery (CVE-2023-31174). The fix is to update your installations of QuickSet and GridConfigurator to the latest versions.

Lee Neely

2023-09-05

Germany’s Financial Regulatory Authority Website Suffers DDoS Attack

The website of Germany’s Federal Financial Supervisory Authority (BaFin) was the target of a distributed denial-of-service (DDoS) attack that began on Friday, September 1. BaFin is part of the country’s Ministry of Finance; it supervises banks, other financial institutions, and insurance service providers.

Editor's Note

It is worth noting that this is not how you keep your regulator at bay. BaFin states they did all the right things to prevent a DDoS attack, and even so, they were impacted. Keep an eye out for lessons learned from them. In the meantime, make sure you're doing all the right things, and get a list of what that means to your staff. Walk through your environment(s) to make sure nothing is left without protection.

Lee Neely

There has been a serious uptick in DDoS attacks globally over the last few months. This event provides an opportunity for organizations to revisit their risk mitigation procedures against DDoS attacks. One question to be answered: what is the SLA with the service provider to limit the effect of a DDoS attack on business operations?

Curtis Dukes

2023-09-06

Threat Actors Exploit MinIO Vulnerabilities to Gain Network Access

Researchers at Security Joes found that threat actors are exploiting two vulnerabilities in the MinIO distributed object storage framework to achieve unauthorized remote code execution. The attackers convinced a DevOps engineer to upload a maliciously crafted version of MinIO. The vulnerabilities were disclosed in March; one of the flaws (CVE-2023-28432) was added to CISA’s Known Exploited Vulnerabilities catalog on April 21.

Editor's Note

Per the KEV, vendor updates should have been applied by May 12th. There are no workarounds here; you have to apply the updates. The listing in the KEV should trigger your "this is being actively exploited" response.

Lee Neely

2023-09-07

CISA DDoS Mitigation Guidance

The US Cybersecurity and Infrastructure Security Agency (CISA) has published distributed denial-of-service (DDoS) mitigation adoption guidance for federal civilian executive branch (FCEB) agencies. The document urges agencies to conduct an impact analysis to determine the effect a successful DDoS attack would have on their services. Once that is complete, agencies should select appropriate mitigation options.

Editor's Note

Back in October 2022 CISA put out guidance essentially telling agencies to look at existing service offerings to protect high value assets against DDoS and other attacks. Not sure there is really much need for a lot of risk assessments now – just clean the pipes.

John Pescatore

Public or private sector, the guidance is relevant. Use the process to assess the impact first, as that factors into your consideration of mitigations, whether on-premises, cloud or CDN based. Note the trade-offs and considerations for each option listed.

Lee Neely

The frequency and duration of DoS attacks is sufficiently high that most enterprises should plan for them. Mitigation may involve upstream providers who should be included in the planning.

William Hugh Murray

2023-09-06

Atlantic Council Report on China’s Vulnerability Disclosure Requirements

The Atlantic Council has published a report detailing their findings from an investigation into China’s law requiring that technology companies doing business within the country disclose software vulnerabilities to China’s Ministry of Industry and Information Technology (MIIT) within 48 hours of discovery. Specifically, the report examines MIIT’s vulnerability databases and who benefits from the information they hold.

Editor's Note

The risk is that the MIIT data is shared with state sponsored threat actors, allowing for targeted attacks, likely faster than patches or fixes are released, let alone implemented. Consider which platforms or products you're using which fall under this VDP and evaluate those relationships. Even if you change nothing, note the risk and make sure it's accepted at an appropriate level.

Lee Neely

A valuable report that highlights how nation-states can use their laws to essentially ‘weaponize’ vulnerability disclosure for their advantage. This presents an opportunity for aligned nations to flag this law as problematic and offer to work towards standardizing a reasonable vulnerability reporting requirement available to every nation.

Curtis Dukes

Internet Storm Center Tech Corner

Apple Patches 0-Days

https://support.apple.com/en-us/HT201222

iOS Fleezeware/Scareware

https://isc.sans.edu/diary/FleezewareScareware+Advertised+via+Facebook+Tags+Available+in+Apple+App+Store/30198

Security Related DNS Records

https://isc.sans.edu/diary/Security+Relevant+DNS+Records/30194

Common Usernames Submitted to Honeypots

https://isc.sans.edu/diary/Common+usernames+submitted+to+honeypots/30188

Microsoft Reveals Details about Key Loss

https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/

Cross Tenant Impersonation Prevention and Detection

https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection

Aruba Vulnerabilities

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-014.txt

TP Link Vulnerabilities

https://jvn.jp/en/vu/JVNVU99392903/

September Android Updates

https://source.android.com/docs/security/bulletin/2023-09-01

Google Chrome Update

https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop.html

Atlas VPN Tunnel Termination Vulnerability

https://www.reddit.com/r/cybersecurity/comments/167f16e/atlasvpn_linux_client_103_remote_disconnect/

TPM LUKS Bypass

https://pulsesecurity.co.nz/advisories/tpm-luks-bypass