SANS NewsBites

Critical Fortinet and Kubernetes Vulnerabilities; NIST refurbishing NVD

March 15, 2024  |  Volume XXVI - Issue #21

Top of the News


2024-03-13

Fortinet Fixes Critical SQL Injection Flaw

Fortinet has released a fix for a critical vulnerability in the DB2 Administration Server (DAS) component of its FortiClient Enterprise Management Server (EMS) software. The flaw, an improper neutralization of special elements in an SQL command, can be exploited to execute unauthorized code.

Editor's Note

This has not been a good week for Fortinet. A PoC for this vulnerability is expected in the next few days. You must patch now! Vulnerability research firm Horizon3 released PoCs for some vulnerabilities in Fortinet's wireless management product. These vulnerabilities have not been patched yet.

Johannes Ullrich

The flaw affects FortiClient EMS versions 7.0 (7.0.1 through 7.0.10) and 7.2 (7.2.0 through 7.2.2), so you’re going to want to apply the updates, ideally this week.

Lee Neely

2024-03-14

Kubernetes Vulnerability

A researcher at Akamai discovered a vulnerability in Kubernetes that could be exploited to attain remote code execution with system privileges on Windows endpoints within a Kubernetes cluster. The vulnerability (CVE-2023-5528) was fixed in updates released in November 2023.

Editor's Note

CVE-2023-5528 has a CVSS score of 8.8 and is present in default installations of Kubernetes prior to version 1.28.4, either on premises or in Azure Kubernetes Service, and can be exploited by the introduction of a malicious YAML file. The only mitigation is to update to 1.28.4 or higher, even if you’re not running Windows nodes.

Lee Neely

2024-03-11

NIST Looks Toward Improving NVD Tools and Methods

In mid-February, the US National Institute of Standards and Technology’s (NIST’s) National Vulnerability Database (NVD) said that it “is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.” NIST says the process will likely cause delays in vulnerability analysis.

Editor's Note

The NVD database is crucial for many commercial and open source vulnerability management tools. I believe part of the problem is growing pains as the number of published vulnerabilities has skyrocketed. The NVD database should be compared to a public service like GPS that enabled many valuable services and has taken on a critical safety role. I hope they are able to resolve the issues quickly and continue processing vulnerabilities. If anything, one of NVD’s problems has been the time it takes to publish the enriched data.

Johannes Ullrich

Some research finds that less than 50% of vulnerabilities are analyzed, which means they’re not benefitting from the context and value-add that aid businesses in evaluating them; some don’t have root cause or CWE information. Regardless of shortfalls, the NVD is still the best game in town, and addressing the issues will help us determine the relevance and priority of noted CVEs.

Lee Neely

For automotive “vulnerabilities” (recalls) that have to be fixed, vehicle manufacturers are required to notify the National Highway Traffic Safety Administration, which has maintained an easy-to-use database. Those manufacturers also have to pay for the vehicles to be fixed! The NHTSA had a 40-year head start over NIST/NVD, but it really is time for legislation to treat software more like we treat vehicles.

John Pescatore

The Rest of the Week's News


2024-03-14

FCC Adopts IoT Security Labeling Rule

The US Federal Communications Commission (FCC) has unanimously approved the Cyber Trust Mark, a voluntary labeling program for Internet of Things (IoT) and other smart devices to show that they meet certain security standards. The Cyber Trust Mark logo will include a QR code that consumers can scan to get information about how long the device will be supported, whether it will get patches, and whether those patches will be automatically installed.

Editor's Note

This initiative may give consumers a choice. Let’s hope they use it to buy more secure devices. I may have been doing this for a bit too long to have much hope. Please prove me wrong. I do like that this includes a "life expectancy" to inform consumers for how long this device will receive updates. And yes, some kid will glue fake QR codes on boxes. Ignore them. QR codes are used all the time to direct users to manuals and other additional information.

Johannes Ullrich

This reminds me of various web “trust” seal programs: since search engines never favored sites with those trust seals, really not much impact on web site security levels. But when browsers started making it harder to get to sites not using SSL, rapid increase in security. It would be very good to see AI shopping tools have rules favoring higher levels of security in products.

John Pescatore

This is targeting home IoT devices: baby monitors, home security cameras, internet-connected appliances, fitness trackers, garage door openers, and voice-activated devices. CISA and folks at the Department of Justice have been tasked with setting standards and enforcement actions. The logo is being equated to the Energy Star label. This could really help consumers make good buying decisions provided the standards and claims are consistent and trustworthy.

Lee Neely

Having an informed buyer is always a good thing. That said, having buyers use a QR code to get security information is an extra step that most will not take. In the meantime, creating a set of enforceable industry standards on device support (SW updates, Patches, Firmware, etc.) would be more beneficial.

Curtis Dukes

Good start. I would like to see labeling about safe and appropriate use, for example, whether it is intended for connection to public networks or needs to be fire-walled.

William Hugh Murray

Read more in

The Record: FCC adopts voluntary 'Cyber Trust Mark' labeling rule for IoT devices

Nextgov: FCC approves cyber labeling program for IoT devices


2024-03-13

Stanford University Says Last Year’s Cyberincident was a Ransomware Attack

Last fall, the Stanford University Department of Public Safety’s network suffered a cybersecurity incident; the university now acknowledges it was a ransomware attack that went undetected for months. Stanford became aware of the breach in late September 2023, more than four months after the network was initially breached. The new information was disclosed in a notification letter sent to 27,000 people whose personal data were affected by the attack.

Editor's Note

The Akira gang is taking credit for exfiltrating 430GB of Stanford data. While the University is offering two years of credit monitoring with a $1m insurance reimbursement policy, the bigger question is why the gang had four months of dwell time. Are you equipped to detect any faster, and have you tested? How about those new systems and services: does your onboarding include connecting them to your CSOC/monitoring? You really don’t want to discover a system for the first time when the phone rings.

Lee Neely

2024-03-14

Nissan Oceania to Notify Customers Affected by Breach

Nissan Oceania plans to notify roughly 100,000 people in Australia and New Zealand that their personal information was stolen in a cybersecurity incident last year. The compromised data include national health insurance card, passport, and driver’s license numbers, as well as loan transaction information and salary and employment data.

Editor's Note

Estimates are 10% of their customer base had personal data exfiltrated. The remaining 90% had other less sensitive information compromised. Nissan is offering services from IDCARE, Equifax, ID Replacement and Centric depending on individual circumstances. Have you considered you may have to offer multiple credit monitoring/restoration options based on the locations of your customers/employees?

Lee Neely

2024-03-13

Patch Tuesday, March 2024

Microsoft’s Patch Tuesday release for March 2024 includes fixes for more than 60 security issues. Among the issues addressed are a pair of critical vulnerabilities in the Windows Hyper-V hypervisor.

Editor's Note

Patches from Microsoft, Adobe and Apple to focus on this month. Apple’s iOS releases to address zero days, Sonoma (macOS 14.4) which addresses 68 vulnerabilities, and Microsoft with their 60 fixes including CVE-2024-21334, a flaw in Open Management Infrastructure with a CVSS score of 9.8 and CVE-2024-21435, a flaw in OLE with a CVSS score of 8.8. Adobe released updates to Adobe Experience Manager, Adobe Premiere Pro, ColdFusion 2023 and 2021, Adobe Bridge, Lightroom, and Adobe Animate, and the newest Acrobat has a generative AI feature which scans your PDFs to better understand your questions and provide relevant help. You may want to disable that until you fully understand what it is doing and how. These can be disabled locally or by your organization admin.

Lee Neely

2024-03-13

ChatGPT Plugin Vulnerabilities

A report from Salt Labs describes a handful of security flaws in ChatGPT plugins. The Salt Labs researchers identified three types of vulnerabilities in ChatGPT plugins: vulnerabilities in the plugin installation process; vulnerabilities in the PluginLab framework for developing ChatGPT plugins; and OAuth redirection manipulation.

Editor's Note

These plugins, known as Actions, allow content to be sent to other websites. Interaction with those sites often uses OAuth authentication, which isn’t a problem except that Salt Labs is finding flaws in the implementation in a number of these common Actions, such that the auth tokens can be used to access other sites the user may have. While the plugin authors fixed these flaws, you’re going to want to develop a process for both vetting plugins and tracking fixes and updates to ensure you’re protected.

Lee Neely

2024-03-14

French Unemployment Agency Breach

France Travail, the French government’s unemployment agency, says that its network was breached and that those responsible for the intrusion may leak or misuse data that belong to 43 million people. The incident affects people who were seeking jobs through the agency over the past 20 years.

Editor's Note

The exfiltrated data includes full name, date of birth, place of birth, NIR (think SSN), France Travail identifier, email address, mailing address and phone number. The agency will begin notifying affected individuals soon; they are providing guidance on monitoring your credit and identity but are not yet offering such services to affected users.

Lee Neely

2024-03-14

CISA Secure Software Self-Attestation Form

The US Cybersecurity and Infrastructure Security Agency (CISA) has released its Secure Software Self-Attestation form. The document was created in response to the 2021 cybersecurity executive order. The repository for online submissions is expected to be available later this month. Some experts have expressed concerns that the form lacks memory-safe programming and software bill of materials (SBOM) requirements.

Editor's Note

The form mandates signing by a software contractor’s CEO when it is filed with the U.S. government. An outside software assessor is also allowed to demonstrate the security features of the software offering, assuming it’s a qualified Third Party Assessor Organization certified by the Federal Risk and Authorization Management Program (FedRAMP). While the current form doesn’t support SBOM or memory-safe coding, it’s still a big step in the right direction, and those should be incorporated over time.

Lee Neely

Three items of interest in the form: 1) open source and software developed for the federal government is excluded; 2) signature by the CEO or a designee binds the company; and 3) it doesn’t reflect the reality that is today’s distributed software development practice. It’s also unclear that completion of the form results in software that is trustworthy. Perhaps that will come with the next update to the form.

Curtis Dukes

One small step in the direction of necessary software quality. Software needs to be held to the same standard of merchantability as other products. We cannot continue to build our infrastructure on this porous foundation.

William Hugh Murray

Internet Storm Center Tech Corner

Microsoft Patch Tuesday March 2024

https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+March+2024/30736

Using ChatGPT to Deobfuscate Malicious Scripts

https://isc.sans.edu/diary/Using+ChatGPT+to+Deobfuscate+Malicious+Scripts/30740

Increase in the number of phishing messages pointing to IPFS and to R2 buckets

https://isc.sans.edu/diary/Increase+in+the+number+of+phishing+messages+pointing+to+IPFS+and+to+R2+buckets/30744

Michael Holcomb: Mode Matters: Monitoring PLCs for Detecting Potential ICS/OT Incidents

https://www.sans.edu/cyber-research/mode-matters-monitoring-plcs-for-detecting-potential-ics-ot-incidents/

Critical Fortinet Vulnerabilities

https://fortiguard.fortinet.com/psirt

Fortinet New Vulnerabilities

https://www.horizon3.ai/attack-research/attack-blogs/fortiwlm-the-almost-story-for-the-forti-forty/

Fortinet Updates

https://www.helpnetsecurity.com/2024/03/14/cve-2023-48788-poc/

Arcserve UDP Vulnerability and PoC

https://www.tenable.com/security/research/tra-2024-07

Adobe Security Bulletins

https://helpx.adobe.com/security/security-bulletin.html

Kubernetes Local Volumes Command Injection Vulnerability

https://www.akamai.com/blog/security-research/kubernetes-local-volumes-command-injection-vulnerability-rce-system-privileges

Death Knell of NVD

https://resilientcyber.substack.com/p/death-knell-of-the-nvd

Unrestricted file upload vulnerability in ManageEngine Desktop Central

https://github.com/advisories/GHSA-fqf7-66f9-wqff

Siemens Fire Protection System Updates

https://cert-portal.siemens.com/productcert/html/ssa-225840.html