Researchers at Qualys have published details about a critical unauthenticated remote code execution vulnerability in OpenSSH server. The flaw could be exploited to execute code as root on Linux systems. The problem is a signal handler race condition. There are two associated CVEs because the issue Qualys identified (CVE-2024-6387) is a regression of a vulnerability (CVE-2006-5051) that was patched nearly 18 years ago.
This is a signal handler race condition. When a client does not authenticate within the LoginGraceTime interval (600 seconds by default), sshd is sent a SIGALRM asynchronously, and its handler calls functions such as syslog() that are not async-signal-safe; attackers can take advantage of that window. The tricky part is identifying the vulnerable versions of OpenSSH. Versions before 4.4p1 are vulnerable; 4.4p1 up to, but not including, 8.5p1 are not vulnerable because of the patch for CVE-2006-5051; versions 8.5p1 up to, but not including, 9.8p1 are vulnerable again because a critical component that blocked the exploit was removed. OpenBSD systems are unaffected thanks to security mechanisms included in that OS since 2001. The optimal fix is to apply the patches as they are released for your distribution. In the meantime, limit access to SSH services using network-based controls, not controls within the OpenSSH service itself, and monitor SSH connections, particularly Internet-facing ones, for abuse.
Race condition vulnerabilities can be finicky to exploit and require a different skill set to master. That said, given upwards of 700K potential victims, evildoers are paying attention. Prudence dictates downloading and patching as updates become available.
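The mechanism described above comes down to what a SIGALRM handler is allowed to do. The following is an added example, not OpenSSH source code: it contrasts an unsafe login-grace handler that does real work (calling syslog(), which may allocate memory or take a lock, so an interrupt landing inside the allocator re-enters it) with the safe pattern, where the handler only sets a sig_atomic_t flag and the main loop does the logging in ordinary context. The function names and the simulated clients are hypothetical; the second client raises SIGALRM itself to stand in for alarm(LoginGraceTime).

```c
/* Added example (not OpenSSH source): an unsafe and a safe SIGALRM handler
 * for a login-grace timeout, the pattern behind CVE-2006-5051 / CVE-2024-6387.
 * All names and the simulated clients are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* UNSAFE: real work inside the handler.  syslog() is not async-signal-safe:
 * it may call malloc() or take a lock, and if SIGALRM interrupts the main
 * program inside that same allocator the handler re-enters it.  Never
 * installed in this example; shown only for contrast. */
void grace_alarm_unsafe(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication"); /* not async-signal-safe */
}

/* SAFE: the handler only records that the deadline passed. */
static volatile sig_atomic_t grace_expired = 0;

static void grace_alarm_safe(int sig)
{
    (void)sig;
    grace_expired = 1; /* writing a sig_atomic_t is the handler's whole job */
}

/* Install the safe handler for SIGALRM; returns 0 on success, -1 on failure. */
int install_grace_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = grace_alarm_safe;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGALRM, &sa, NULL);
}

int grace_timer_expired(void) { return grace_expired != 0; }
void reset_grace_timer(void) { grace_expired = 0; }

/* Authentication loop.  poll_client() stands in for the real protocol
 * handling and returns 1 once the client has authenticated.  Returns 1 on
 * success, 0 when the grace period expired.  Logging happens here, in
 * ordinary context, never inside the handler. */
int wait_for_auth(int (*poll_client)(void))
{
    while (!grace_expired) {
        if (poll_client())
            return 1;
        /* a real server would block in select()/poll() here */
    }
    syslog(LOG_INFO, "Timeout before authentication");
    return 0;
}

/* Constructed clients.  The second raises SIGALRM on its third poll,
 * standing in for the alarm(LoginGraceTime) a real server would arm. */
int client_authenticates_immediately(void) { return 1; }

int client_never_authenticates(void)
{
    static int polls = 0;
    if (++polls >= 3)
        raise(SIGALRM);
    return 0;
}

int main(void)
{
    if (install_grace_handler() != 0)
        return 2;
    /* exit 0 when the timeout path is taken as expected */
    return wait_for_auth(client_never_authenticates) == 0 ? 0 : 1;
}
```

The point of the safe form is that everything observable (the log line, closing the connection) is done from the loop after it notices the flag, so no non-reentrant function is ever called while another invocation of it may be suspended on the stack.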
Qualys
ISC
The Hacker News
The Register
Security Week
Bleeping Computer
NVD
NVD
Juniper Networks has released an out-of-cycle software update to address a critical authentication bypass vulnerability in Session Smart Router, Session Smart Conductor, and WAN Assurance Router running in high-availability redundant configurations. Users are urged to apply updates as soon as possible.
CVE-2024-2973, an API authentication bypass flaw with a CVSS 3.1 or 4.0 score of 10.0, should get your attention. Juniper has updated SSR-5.6.15, SSR-6.1.9-lts, SSR-6.2.5-sts and subsequent versions; make sure you're on one of those versions. Juniper claims the fix is applied automatically on routers managed by a Conductor and on WAN Assurance routers. The fix can be applied without downtime to the router, although it may impact web-based and API management for up to 30 seconds. That should make this far easier to deploy than updates which disrupt user traffic.
Juniper
Security Week
The Register
The Hacker News
Bleeping Computer
Dark Reading
GovInfosecurity
NVD
Researchers at GreyNoise say that threat actors are targeting unsupported D-Link routers via a path traversal vulnerability (CVE-2024-0769) that was disclosed in January 2024. At that time, the National Institute of Standards and Technology's (NIST's) National Vulnerability Database (NVD) noted that the affected products were unsupported when [the CVE was] assigned. Users are urged to replace affected products with newer, supported products.
CVE-2024-0769, a path traversal flaw in an HTTP POST request with a CVSS score of 9.8, had PoC exploit code published in January. Regardless of whether the D-Link DIR-859 routers were supported in January, at this point these are EOL devices and you need to replace them now. Then properly dispose of the old ones; don't leave them where someone could redeploy them, and the vulnerability along with them.
Individuals and organizations should always plan for hardware and software obsolescence, especially when the vendor announces that a product is no longer supported. That's a no-brainer and a widely recognized security best practice. Otherwise, you become a target, and the question a court will be asking is what harm was caused by this lapse in security judgment.
Cisco has released updates to address an OS command injection vulnerability in the CLI of Cisco NX-OS Software. The issue is due to insufficient validation of arguments passed to certain configuration CLI commands. Exploitation of the flaw requires admin credentials; an authenticated local attacker could execute arbitrary commands.
The advisory includes a list of affected products as well as a list of products that are confirmed not to be affected. Cisco was alerted to the vulnerability (CVE-2024-20399) by researchers from Sygnia.
Cisco has assigned CVE-2024-20399 a CVSS score of 6.0. While the exploit requires existing administrative credentials, it allows execution of commands as root in the underlying OS. If your devices run Cisco NX-OS without the bash-shell feature, they are likely vulnerable. There are no workarounds, so you'll need to apply the update, and verify that your device has sufficient memory and meets the hardware and software requirements for continued support.
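"Insufficient validation of arguments passed to configuration CLI commands" describes a general bug class, so here is an added example of it, not Cisco's code and not the NX-OS defect itself: a management CLI front end that pastes a user-supplied interface name into a shell command line is injectable, while the hardened version validates the argument against an allowlist and hands it to the underlying tool as a single argv element with no shell in between. All function names, the allowlist rule and the `tool` parameter (used so the safe path can be exercised with a harmless binary such as `true`) are hypothetical.

```c
/* Added example (not Cisco code): the class of bug behind a CLI command
 * injection, with the vulnerable and hardened forms side by side.
 * All names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* UNSAFE: the argument is pasted into a shell string.  With ifname set to
 * "eth0; id", /bin/sh would run a second command with the CLI's privileges
 * (root, in the advisory's scenario).  This only builds the string and
 * never executes it; returns 0 on success, -1 if it would not fit. */
int build_shell_command_unsafe(char *out, size_t outlen, const char *ifname)
{
    int n = snprintf(out, outlen, "ip link show %s", ifname);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Allowlist check: an interface name is 1..15 characters of [A-Za-z0-9_.-].
 * Spaces, ';', '|', '$', quotes, newlines and anything else are rejected. */
int is_valid_ifname(const char *ifname)
{
    size_t len = strlen(ifname);
    if (len == 0 || len > 15)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)ifname[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Run argv[0] with the given argument vector; no shell is involved, so
 * metacharacters in an argument are passed literally.  Returns the child's
 * exit status, or -1 on failure. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127); /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* SAFE: validate first, then pass the name as one literal argument.
 * Returns -1 without running anything when the allowlist check fails. */
int show_interface_safe(const char *tool, const char *ifname)
{
    if (!is_valid_ifname(ifname))
        return -1;
    char *argv[] = { (char *)tool, "link", "show", (char *)ifname, NULL };
    return run_argv(argv);
}

int main(void)
{
    char cmd[128];
    build_shell_command_unsafe(cmd, sizeof cmd, "eth0; id");
    printf("unsafe command line would be: %s\n", cmd);
    printf("safe path with \"eth0; id\" returns %d (rejected, nothing run)\n",
           show_interface_safe("true", "eth0; id"));
    return 0;
}
```

The two defences are independent: the allowlist stops malformed input early with a clear error, and exec-without-shell means that even an argument that slipped past validation reaches the tool as data, not as a command line to be parsed.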
Cisco
Sygnia
The Record
Bleeping Computer
NVD
The US Federal Communications Commission has released drafted final rules for bolstering the cybersecurity of the country's emergency alert and warning systems. The rules would apply to both the US Emergency Alert System, which broadcasts warnings on radio and television, and the US Wireless Emergency Alert system, which sends warnings to cell phones. The rules would require communications providers with emergency alert systems to develop and implement cybersecurity risk management plans, and to have contingency plans for broadcasting warnings.
On the surface, these draft cybersecurity rules seem reasonable and easily implementable. The only one that is questionable is the 24-hour notification of equipment defect. Equipment defects should already be accounted for in the contingency plan for delivering alerts to the public.
With luck, this will reduce or eliminate abuses of emergency alert and warning systems. If you are using such a system in your shop, make sure that you've not opened yourself up to abuse in the name of making things easier in a disaster. Keep an eye on these rules as they finalize for suggestions to keep the bar sufficiently high.
Following the June 20 ransomware attack on Indonesia's national data center, Indonesian president Joko Widodo has ordered an audit of the country's data centers following the revelation that most of the information stored at the targeted data center was not backed up. While backup services were available, they were optional, not mandatory.
Not backing up one's data in today's hyper-connected, hyper-informed world is mystifying, especially for government. Revisit CIS Critical Security Control 11, Data Recovery, and its five safeguards. Yes, there is a cost in time and resources, but the day will come when you need those backups.
Beware of services which are offered as optional. It makes the acceptance much easier, but you can wind up with gaps in your defenses. Decide whether you want to accept alternate solutions, which you want to verify meet the same requirements as your standard offering or set a deadline by which your standard services are required. Make sure that you can monitor for use, as well as having some tangible consequences for non-compliance. During an incident is not the time to discover services are not backed up.
Australian law enforcement authorities have charged one person with nine counts of various cybercrimes for allegedly setting up phony WiFi access points at airports and on domestic flights with the intent of stealing account credentials. The 'evil twin' access points were created to resemble legitimate networks, and required users to sign in to email and social media accounts. The access credentials were then allegedly saved to the suspect's devices.
The Evil Twin attack leverages preferred networks in your device, so it's a good idea to prune that list. In addition, make sure devices are not configured to AutoConnect to discovered hotspots, and that users are trained on proper protocols for using non-corporate WiFi - such as VPNs. Don't assume that since most services operate over TLS, they are then immune from MITM or SSL downgrade scenarios. Reduce the odds of success by leveraging HSTS and SSL preload configurations on services you control.
Credential harvesting is a leading attack technique used by cybercriminals. Mimicking public WiFi via a rogue hotspot only increases the likelihood of success, as such hotspots are difficult to identify and users need to remain online. Protect your accounts with multi-factor authentication.
Researchers at Malwarebytes have detected a malware campaign that targets macOS systems through malicious Google ads for the Arc browser. The campaign drops an information stealer that exfiltrates account passwords, VPN configurations, and other data.
The Arc browser is being touted as the Chrome replacement (a calmer and more personal user experience) you're looking for. Users who download the fake DMG file are prompted to install Arc by right-clicking and choosing Open rather than the traditional double-click or drag to the Applications folder. The right-click mechanism bypasses the restriction that prevents installation of apps not signed by an Apple-vetted developer. Make sure your user training includes caution not just about installing applications only from known good sources, but also about using only the standard installation mechanisms.
Microsoft is notifying more Office 365 customers that their email messages may have been compromised by threat actors known as Midnight Blizzard. Affected customers received communication from Microsoft that says, 'You are receiving this notification because emails were exchanged between Microsoft and accounts in your organization, and those emails were accessed by the threat actor Midnight Blizzard as part of their cyber-attack on Microsoft.' Some of the recently notified customers were aware their emails were compromised; for others, Microsoft's notification was the first time they heard that their messages had been stolen.
In essence, if you were communicating with Microsoft corporate accounts that were compromised during the Midnight Blizzard campaign back in April, you'll be notified. Microsoft has created a portal for you to view the affected emails; the notification could be mistaken for a phishing attack, so read it carefully.
Bloomberg
Security Week
The Register
GovInfosecurity
Chicago's Lurie Children's Hospital has filed updated incident notices with several state regulators regarding the January 2024 cyberattack that disrupted services for months. Lurie's most recent disclosures indicate that the incident compromised sensitive information belonging to nearly 800,000 people. New Jersey-based Prudential Financial has filed an updated incident notice about a February 4 breach. Initially, Prudential said that the incident affected more than 36,000 individuals; the revised notice places the number of affected individuals at 2.56 million.
While it's distressing that the affected user counts have increased so much, it's good to see the institutions discovering and disclosing the full scope of the incident. Having been, as many of you have as well, a member of at least one group with exfiltrated information, I can attest it's important to know sooner than later when you're affected, which is why I advocate having ID theft and credit monitoring/restoration services regardless of your information being compromised.
HIPAA Journal
The Record
Dark Reading
Security Week
SSH "regreSSHion" Remote Code Execution Vulnerability in OpenSSH.
https://isc.sans.edu/diary/SSH+regreSSHion+Remote+Code+Execution+Vulnerability+in+OpenSSH/31046
Support of SSL 2.0 on web servers in 2024
https://isc.sans.edu/diary/Support+of+SSL+20+on+web+servers+in+2024/31044
SANS 2024 SOC Survey Webcast: Facing Top Challenges in Security Operations | July 12, 10:30 am ET | Join Chris Crowley and guest speakers as they examine this year's survey results to understand how SOCs are architectured, favorite and frustrating technologies, staffing, funding, threat intel, and automation.
Continuous Attack Surface Discovery and Penetration Testing with BreachLock | Tune in on Wed., July 10 as Dave Shackleford takes a solutions deep dive with BreachLock's attack surface management and penetration testing as a service offering.
Webcast: Secure your multi-cloud environment from code to cloud with Microsoft Defender CSPM | Join Matt Bromiley and Tal Rosler of Microsoft as they unveil the latest security posture innovations in Microsoft Defender for Cloud.
Webcast: 2024 State of Security Automation | Tune in to this discussion with Mark Orlando and Palo Alto's Jane Goh as they discuss the results of this survey - how SOC teams identify, prioritize and assess the efficiency of the SOAR use cases; and explore the ways AI might fill the gaps left by SOAR and remaining potential barriers.