SANS NewsBites

Guidance on Memory Safety Bugs in Open Source Software; Critical MOVEit Vulnerability

June 28, 2024  |  Volume XXVI - Issue #50

Top of the News


2024-06-27

Joint Guidance on Memory Safety Bugs in Open Source Software

In December 2023, government agencies from the Five Eyes countries (Australia, Canada, New Zealand, the UK, and the US) published joint guidance offering steps for developing roadmaps to eliminating memory safety vulnerabilities. A new jointly published document from the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, Australia's Cyber Security Center (ACSC), and the Canadian Centre for Cybersecurity (CCCS) provides a starting point for these roadmaps by investigating the scale of memory safety risk in selected open-source software (OSS). According to the report, more than half of the 172 listed Open Source Security Foundation projects include code written in languages that are not memory-safe.

Editor's Note

In October of 2022, Consumer Reports released a report noting roughly 60 to 70 percent of browser and kernel vulnerabilities, as well as security bugs in C/C++ code bases, are due to memory unsafety. Estimates are that there are as many as 25 million lines of open-source code which are written in memory-unsafe languages. For years, developers have been encouraged to use tools to validate that code is safe and secure as well as memory safe. Not a lot of traction is being made on that path, so the other option is to create code using a memory-safe language; even so, care has to be taken to avoid traditional errors such as buffer overflow.

Lee Neely

While this paper focuses on open source software, the percentage of commercial software using non-memory-safe languages is likely much lower, if at all. Use this to start requiring all software (including SaaS) procurements to ask about current code/plans of all vendors and to include this as an evaluation criterion.

John Pescatore

Secure software development practices don't change overnight and the move to memory-safe languages will take time. Highlighting open-source software only validates the resource constraints they operate under and why the timeline to transition will be longer.

Curtis Dukes

It is not as though this problem is novel. It accounts for much of the software quality problem. That it persists is the issue.

William Hugh Murray

2024-06-27

Update Now: Critical Vulnerability in MOVEit Transfer is Being Actively Exploited

A critical improper authentication vulnerability in Progress Software's MOVEit Transfer file transfer tool, which can be exploited to bypass authentication, is being actively exploited. Users are urged to update to the latest patched version of the tool as soon as possible. Progress Software has also identified a vulnerability in a third-party component of MOVEit Transfer and has made recommendations for mitigating that issue.

Editor's Note

CVE-2024-5806, an authentication vulnerability in the SFTP module, has a CVSS score of 9.1. Beyond updating to the newest versions of MOVEit Transfer, make sure that you're also not exposing RDP on your MOVEit servers to the Internet, and limit outbound access to only trusted endpoints. Next, move to a more modern data interchange mechanism; the old-school file transfer server is a known target and will continue to be compromised.

Lee Neely

Definitely prioritize patching but there are also many alternatives to MOVEit if you are able to change. All software will always have to be patched but many products are more frequently exhibiting critical, costly vulnerabilities than others.

John Pescatore

Given that it's being actively exploited, it's a must patch. As this is the second (third?) major vulnerability with their software in the past year, it begs the question, what changes did Progress Software institute in their secure software development practices?

Curtis Dukes

The Rest of the Week's News


2024-06-27

Emerson Gas Chromatograph Vulnerabilities

Researchers from Claroty's Team82 discovered several vulnerabilities in an Emerson Rosemount 370XA gas chromatograph. These devices are often connected to a network so technicians can operate them remotely, in this case using a proprietary Emerson protocol. Team82 conducted their research on an emulated device. They found four vulnerabilities, all of which were confirmed by Emerson. CISA released an advisory in January, and the vendor notified customers at that time of available firmware updates, noting that 'if the affected product is isolated from the internet as recommended and running on a well-protected network consistent with industry best practices, the potential risk is lowered.'

Editor's Note

We've seen this movie before. The thing is, this movie was released in January and you may have not watched it yet. The fix is to update the firmware _AND_ make sure that you're properly isolating these devices, ensuring they are neither directly Internet accessible nor accessed by unauthorized systems. Have your team review the Emerson Security web page making sure nobody missed or skipped a step.

Lee Neely

There are many IoT devices and appliances out there that, if subjected to the same scrutiny, would show the same kinds of problems. Many, not to say most, are not fit to be attached to the public networks. By default, prefer attachment only to private networks. The irony is that appliances, single-application purpose-built devices, are inherently easier to secure than multi-application or multi-user systems supporting late programming.

William Hugh Murray

2024-06-26

CDK Global Says SaaS Outage Likely to Last Through the End of June

CDK Global, the software-as-a-service (SaaS) provider for 15,000 US automobile dealerships now says that an outage due to a ransomware attack is likely to last at least through the end of June. The attack hit CDK last Tuesday (June 18). While the company was attempting to get its systems back online the following day, they experienced a second attack. Recently, news outlets have been reporting that CDK plans to pay the ransom demand.

Editor's Note

It appears that CDK is preparing to pay a ransom of tens of millions of dollars. While services are down, affected dealerships are having to use manual methods, including finding alternate processes for their month-end closing. Car buyers are also affected as they cannot register vehicles purchased from CDK clients. Have you played a scenario where a key business function service provider is down for weeks to months, or may even need to be replaced? Consider what you'd do if you didn't have the old data to migrate to a new provider, or where you could have your own archives of data to avoid that dependency.

Lee Neely

Supply chain attacks are becoming the norm as ransomware gangs change tactics. What it highlights is deeper target analysis by the gangs with the aim of increasing the probability of a ransom payout. If the anonymous source is correct, the change in tactics has paid off.

Curtis Dukes

2024-06-26

Siemens Patches Vulnerabilities in Sicam Products

Siemens has released updates to address several vulnerabilities affecting their Sicam products. Two of the vulnerabilities are rated high-severity: a buffer overread issue that could be exploited to achieve code execution or denial-of-service conditions, and a privilege elevation issue that could allow execution of arbitrary code with root privileges.

Editor's Note

The Energy Sector is the most common application for these devices as they are used for substation automation. CVE-2024-31484, buffer overflow, CVSS score 7.8; CVE-2024-31485, command injection, CVSS score 7.2; and CVE-2024-31486, client MQTT passwords not properly protected, CVSS score 5.3. Plan A should be to apply the patch. If you need a workaround, limit physical and logical access to the devices, which you should already be doing.

Lee Neely

2024-06-27

GitLab Releases Patches for 14 Vulnerabilities

GitLab has released updates for GitLab Community Edition (CE) and Enterprise Edition (EE) to address 14 security issues, including a critical improper access control vulnerability (CVE-2024-5655) that could be exploited 'to trigger a pipeline as another user under certain circumstances.' The updates also include fixes for three high-severity vulnerabilities. Users are urged to update to GitLab CE/EE versions 17.1.1, 17.0.3, and 16.11.5 as soon as possible.

Editor's Note

CVE-2024-5655, improper access control, has a CVSS 3.1 score of 9.8. There aren't workarounds here; you need to update to one of the new CE/EE versions. Note this is about your on-premises GitLab installation, and while there isn't any information about active exploits, that this is making news now should soon change that.

Lee Neely

2024-06-27

GAO Report: US DOD Background Check Security Concerns

According to a report from the US Government Accountability Office (GAO), the Department of Defense's (DOD) Defense Counterintelligence and Security Agency (DCSA) conducts background investigations using both recently developed DOD National Background Investigation Services systems and legacy systems formerly owned by the Office of Personnel Management (OPM). Among the GAO's findings: DCSA chose controls for the systems they use, but did not follow current guidance; privacy controls for certain background investigation systems were not fully implemented; and DCSA did not ensure that users had current training and certifications.

Editor's Note

In short, GAO is citing DCSA for not following the DOD rules. While systems were properly categorized, security controls were selected from NIST SP 800-53 Rev 4, rather than Rev 5 which was released in 2020. Agencies are expected to adopt the new revision within a year of its release. Part of the issue is that Rev 5 adds two control families; in this case the privacy controls family is a significant omission. Beyond controls included in the security baseline, it's not a bad idea to consider additional risks which may merit creating local controls to mitigate risk. The goal is to secure the system and meet regulatory requirements.

Lee Neely

2024-06-27

LockBit Operators Stole Data from Arkansas Bank, Not the Federal Reserve

LockBit ransomware operators recently threatened to release data they said was taken from the US Federal Reserve Bank. Some of the data were posted to the LockBit website on June 26; examination of the information indicates that it was likely taken from Arkansas-based Evolve Bank & Trust. Evolve has confirmed the breach and leak of their data. The US Federal Reserve Board recently issued an enforcement action against Evolve Bancorp and Evolve Bank & Trust for 'engag[ing] in unsafe and unsound banking practices by failing to have in place an effective risk management framework for those partnerships.'

Editor's Note

While preferable to the Federal Reserve, it's still not fun for Evolve Bank & Trust. Already under the spotlight for inadequate risk management, they are going to have some additional difficult conversations with regulators relating to the breach. The challenge will be to remain focused on the incident and not get distracted by taunting from LockBit. Key will be demonstrating measures taken to prevent recurrence. Evolve is already offering affected individuals credit monitoring and identity theft protection for a year.

Lee Neely

2024-06-27

Crimea Experiencing Internet Disruption

Authorities in Crimea are warning of distributed denial-of-service (DDoS) attacks targeting the area's telecommunications organizations. The 'massive' attacks, which began on Wednesday, June 26, have disrupted Internet connectivity. One of the targeted telecoms provides services to Sevastopol's emergency call center. Officials say that call center services were disrupted, but have been restored as of Thursday, June 27. Sevastopol is Crimea's largest city.

Editor's Note

DDoS attacks are mostly an annoyance for most individuals. That said, Crimea is in a military conflict zone; attacks on its critical infrastructure are to be expected.

Curtis Dukes

Something to consider when you have operations in a contested area. Even when you're operating outside such an area, make sure you have a fail-over plan, even if the plan is to be offline, to cover outages from your ISP and possibly cellular providers. Make sure that you've tested the viability of failing over to these services.

Lee Neely

Internet Storm Center Tech Corner

What Setting Live Traps For Cybercriminals Taught Me About Security

https://isc.sans.edu/diary/What+Setting+Live+Traps+for+Cybercriminals+Taught+Me+About+Security+Guest+Diary/31038

Fortra File Catalyst Vulnerability and PoC

https://support.fortra.com/filecatalyst/kb-articles/advisory-6-24-2024-filecatalyst-workflow-sql-injection-vulnerability-YmYwYWY4OTYtNTUzMi1lZjExLTg0MGEtNjA0NWJkMDg3MDA0

https://www.tenable.com/security/research/tra-2024-25

GitLab Critical Update

https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/

When Prompts Go Rogue: Analyzing a Prompt Injection Code Execution in Vanna.AI

https://jfrog.com/blog/prompt-injection-attack-code-execution-in-vanna-ai-cve-2024-5565/

Critical Progress MOVEit Authentication Bypass Vulnerability

https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/

https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806

TeamViewer Compromise

https://www.teamviewer.com/en-us/resources/trust-center/statement/

Polyfill.io Supply Chain Attack

https://cside.dev/blog/more-than-100k-websites-targeted-in-web-supply-chain-attack

Apple AirPods Firmware Update

https://support.apple.com/en-us/HT214111

TCP Latency Sidechannel

https://www.snailload.com/snailload.pdf

Microsoft Management Console for Initial Access and Evasion

https://www.elastic.co/security-labs/grimresource

Wyze Camera Vulnerabilities

https://forums.wyze.com/t/security-advisory/289256