Guidance on Memory Safety Bugs in Open Source Software; Critical MOVEit Vulnerability

In October of 2022, Consumer Reports released a report noting roughly 60 to 70 event of browser and kernel vulnerabilities, as well as security bugs in C/C++ code bases, are due to memory unsafety. Estimates are that there are as many as 25 million lines of open-source code which are written in memory unsafe languages. For years, developers have been encouraged to use tools to validate that code is safe and secure as well as memory safe. Not a lot of traction is being made on that path, so the other option is to create code using a memory safe language, even so care has to be taken to avoid traditional errors such buffer overflow.

Lee Neely

While this paper focuses on open source software, the percentages of commercial software using non memory-safe languages is likely much lower, if at all. Use this to start required all software (including SaaS) procurements to ask about current code/plans of all vendors and to include this as an evaluation criterion.

John Pescatore

Secure software development practices don't change overnight and the move to memory-safe languages will take time. Highlighting open-source software only validates the resource constraints they operate under and why the timeline to transition will be longer.

Curtis Dukes

It is not as though this problem is novel. It accounts for much of the software quality problem. That it persists is the issue.

William Hugh Murray

CVE-2024-5806, authentication vulnerability in SFTP module, has a CVSS score of 9.1. Beyond updating to the newest versions of MOVEit transfer, make sure that you're also not exposing RDP on your MOVEit servers to the Internet, and limit outbound access to only trusted endpoints. Next move to a more modern data interchange mechanism, the old school file transfer server is a known target and will continue to be compromised.

Lee Neely

Definitely prioritize patching but there are also many alternatives to MOVEit if you are able to change. All software will always have to be patched but many products are more frequently exhibiting critical, costly vulnerabilities than others.

John Pescatore

Given that it's being actively exploited it's a must patch. As this is the second (third?) major vulnerability with their software in the past year it begs the question, what changes did Progress Software institute in their secure software development practices?

Curtis Dukes

We've seen this movie before. The thing is, this movie was released in January and you may have not watched it yet. The fix is to update the firmware _AND_ make sure that you're properly isolating these devices, ensuring they are neither directly Internet accessible nor accessed by unauthorized systems. Have your team review the Emerson Security web page making sure nobody missed or skipped a step.

Lee Neely

There are many IoT devices, appliances, out there, that if subjected to the same scrutiny, would show the same kinds of problems. Many, not to say most, are not fit to be attached to the public networks. By default, prefer attachment only to private networks. The irony is that appliances, single-application purpose built devices are inherently easier to secure than multi-application or multi-user systems supporting late programming.

William Hugh Murray

It appears that CDK is preparing to pay a ransom of tens of millions of dollars. While services are down, affected dealerships are having to use manual methods, including finding alternate processes for their month-end closing. Car buyers are also affected as they cannot register vehicles purchased from CDK clients. Have you played a scenario where a key business function service provider is down for weeks to months, or may even need to be replaced? Consider what you'd do if you didn't have the old data to migrate to a new provider, or where you could have your own archives of data to avoid that dependency.

Lee Neely

Supply chain attacks are becoming the norm as ransomware gangs change tactics. What it highlights is deeper target analysis by the gangs with the aim of increasing the probability of a ransom payout. If the anonymous source is correct, the change in tactics has paid off.

Curtis Dukes

The Energy Sector is the most common application for these devices as they are used for substation automation. CVE-2024-31484, buffer overflow, CVSS score 7.8 ; CVE-2024-31485, command injection, CVSS score 7.2 and CVE-2024-31486, client MQTT passwords not properly protected, CVSS score 5.3. Plan A should be to apply the patch. If you need a workaround, limit physical and logical access to the devices, which you should already be doing.

Lee Neely

CVE-2024-5655, improper access control, has a CVSS 3.1 score of 9.8. There aren't workarounds here, you need to update to one of the new CE/EE versions. Note this is about your on-premises GitLab installation, and while there isn't any information about active exploits, that this is making news now should soon change that.

Lee Neely

In short, GAO is citing DCSA for not following the DOD rules. While systems were properly categorized, security controls were selected from NIST SP 800-53 Rev 4, rather than Rev 5 which was released in 2020. Agencies are expected to adopt the new revision within a year of its release. Part of the issue is that Rev 5 adds two control families; in this case the privacy controls family is a significant omission. Beyond controls included in the security baseline, it's not a bad idea to consider additional risks which may merit creating local controls to mitigate risk. The goal is to secure the system and meet regulatory requirements.

Lee Neely

While preferable to the Federal Reserve, it's still not fun for Evolve Bank & Trust. Already under the spotlight for inadequate risk management, they are going to have some additional difficult conversations with regulators relating to the breach. The challenge will be to remain focused on the incident and not get distracted by taunting from LockBit. Key will be demonstrating measures taken to prevent recurrence. Evolve is already offering affected individuals credit monitoring and identity theft protection for a year.

Lee Neely

DDoS attacks are mostly an annoyance for most individuals. That said, Crimea is in a military conflict zone, attacks on its critical infrastructure are to be expected.

Curtis Dukes

Something to consider when you have operations in a contested area. Even when you're operating outside such an area, make sure you have a fail-over plan, even if the plan is to be offline, to cover outages from your ISP and possibly cellular providers. Make sure that you've tested the viability of failing over to these services.

Lee Neely