SANS NewsBites

DigiCert Revokes Certificates; Mozilla Announces TLS-Distrust Date for Entrust Root Certificates; Domains Vulnerable to “Sitting Ducks” Hijacking

August 2, 2024  |  Volume XXVI - Issue #59

Top of the News


2024-08-01

DigiCert Revokes Certificates Lacking Sufficient Domain Control Verification

On Monday, July 29, DigiCert announced that due to a flaw in their Domain Control Verification (DCV) process, they would be revoking some certificates. Certification Authority / Browser Forum (CABF) rules require that the problematic certificates be revoked within 24 hours of the problem’s detection. While DigiCert’s write-up of the situation includes instructions for replacing affected certificates, the deadline for replacing the certificates has passed. The issue affected 83,267 certificates belonging to 6,807 customers, roughly 0.4% of all DigiCert’s certificates.

Editor's Note

DigiCert's violation of the CA rules is relatively minor, and highly unlikely to cause issues. However, mass revocations like this can be disruptive for affected entities. One DigiCert customer obtained a court order to delay the revocation. The "CA ecosystem" has been the source of the most significant vulnerabilities in TLS in recent years. Compared to weaknesses in TLS algorithms and implementations, CA vulnerabilities have been exploited regularly. In response, the CA/Browser forum established very strict rules around verifying domain control. Seeing them enforce these rules is a good thing, but I don't think customers are ready for it yet. Expect more revocation actions like this in the future, and get a handle on how you manage the certificate lifecycle.

Johannes Ullrich

DC validation is one where they have you create a CNAME DNS record with a specific random value which they used to verify the domain was, indeed, yours. The problem is the random value didn't always start with an underscore, required by RFC1034, which meant it could collide with a legitimate CNAME. The flaw was introduced in a software update back in August 2019, which is now fixed. If you're a DigiCert user, you should have been notified that your cert was going to be revoked, and you needed to take action. The due date was July 31, 1930 UTC. Either check your account for certificate status or do a revocation check on existing DigiCert certificates if you're not certain this was addressed. While there was a delay option prior to the cutoff, if you're revoked the only option is to replace those certificates.

Lee Neely
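
The collision the note above describes can be checked mechanically: a DCV CNAME whose leftmost label is a syntactically valid hostname label (no leading underscore) could be shared with a real record. The following is an added example, not DigiCert's code; the record owner names, random values and the CNAME target are constructed placeholders.

```python
import re

# RFC 1034/1123 hostname label: letters, digits and hyphens, 1-63 characters,
# no leading or trailing hyphen.  An underscore is not allowed in a hostname,
# so a label that starts with "_" lives in a namespace no real host can use.
_HOST_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_hostname_label(label: str) -> bool:
    """True if the label is syntactically a valid hostname label."""
    return bool(_HOST_LABEL.match(label))


def dcv_record_collidable(owner_name: str) -> bool:
    """True if a DCV CNAME owner name could collide with a legitimate record.

    The leftmost label carries the CA's random value.  With a leading
    underscore it can never be a hostname; without one, a real CNAME or A
    record for the same name could exist, which is the flaw described above.
    """
    leftmost = owner_name.rstrip(".").split(".")[0]
    return not leftmost.startswith("_") and is_hostname_label(leftmost)


def audit_dcv_records(records):
    """records: iterable of (owner_name, target). Returns owner names to review."""
    return [owner for owner, _target in records if dcv_record_collidable(owner)]


# Constructed sample: the random values and the CNAME target are made up.
SAMPLE_RECORDS = [
    ("_a1b2c3d4e5f6.example.com.", "dcv.ca-placeholder.test."),  # underscored: safe
    ("a1b2c3d4e5f6.example.com.", "dcv.ca-placeholder.test."),   # collidable
    ("_f6e5d4c3b2a1.app.example.com.", "dcv.ca-placeholder.test."),
]

if __name__ == "__main__":
    for owner in audit_dcv_records(SAMPLE_RECORDS):
        print("review DCV record:", owner)
```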

This is a good example of a Certificate Authority having a process in place and then actually taking action if a problem occurs. It is also a good test to see if your authentication processes will actually notice that certificates have been revoked …

John Pescatore

Many people got hit with a short notice request to emergency swap their certificates. Be kind to your IT folks between this and the CrowdStrike fiasco; they have been kicked enough this month. For people leaders, how are you managing your individual people contributor’s burnout? Watch for it, as there have been a lot of people running around the last month putting out different fires.

Moses Frost

2024-08-01

Mozilla Sets TLS Distrust-After Dates for Entrust Root Certificates

Mozilla has announced that they will stop trusting Entrust TLS root certificates after November 30, 2024. In May, Mozilla published a letter to the Mozilla community describing “a substantial number of compliance incidents” related to Entrust. On July 31, Mozilla announced that they had reached their decision to set distrust-after dates based on those compliance incidents, an insufficient effort from Entrust to address those concerns, and community feedback. Google announced their decision to end trust in Entrust certificates in June, citing “a pattern of concerning behaviors.”

Editor's Note

See my comment about the DigiCert revocation. The CA/Browser forum is getting serious about enforcing CA rules. You must be ready to deal with mass-revocations or even CA removals.

Johannes Ullrich

If you're using Entrust's public CA for your SSL/TLS certificates, you have two options: Either stay the course, hoping Entrust can convince browser vendors to continue to trust their CA, or switch to a different provider for these certificates. While you can also configure browsers to continue to trust their CA, this is impractical with public/external facing services. While the changes to Mozilla and Chrome are scheduled for November, you probably don't want to wait until then if you're replacing certificates.

Lee Neely

(Disclosure: I worked for Entrust in 1998-1999) It is good to see browser providers taking proactive action to assure the quality of certificates. Strong authentication is needed both to fight ransomware and to enable persistent ubiquitous data encryption. If you are at renewal time for Entrust certs, read their statements on how Entrust-branded certs will be provided in the interim.

John Pescatore

This may be a first: a CA that has failed to meet the requirements set forth for EV certificates. This ends Entrust’s Root CAs. Google already removed them from the trusted list in Chrome.

Moses Frost

Some finger pointing by Entrust but in the end, the right call by both Firefox and Google. This ends over 20 years of trust in the Entrust name but proves that oversight has a role in something as important as a root CA.

Curtis Dukes

2024-08-01

Domains Vulnerable to Sitting Ducks Hijacking Technique

Researchers from Eclypsium and Infoblox have discovered an attack technique that allows domain name hijacking. Dubbed “Sitting Ducks,” the attack takes advantage of authentication misconfigurations at domain registrars and inadequate verification of ownership at DNS providers.

Editor's Note

Remember that once you start using a new domain "for real", you are pretty much obligated to maintain it indefinitely. Even our honeypots, in particular those located in cloud environments, often see "orphan" DNS requests to IP addresses no longer acting as an authoritative DNS server for the particular domain. You must maintain a minimum DNS infrastructure even for inactive domains to prevent them from being taken over by others.

Johannes Ullrich

There are several scenarios that enable this attack, such as subdomains with different DNS servers or abuse of a stale/forgotten configuration allowing an attacker to leverage a typically expired domain. Check the security of your domain provider when you use a separate provider for DNS, validate your DNS delegation, particularly to services where the accounts may no longer be active or in your control, and check your DNS provider for mitigations for the Sitting Ducks attack. Additionally, you can leverage the free monitoring services from the Shadowserver Foundation to detect this attack.

Lee Neely
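
The delegation validation recommended above amounts to asking every nameserver the parent zone delegates to whether it actually serves the zone. This added example (not from Eclypsium, Infoblox or the newsletter) does that with an injectable query function; the answers are constructed stand-ins, and the provider and server names are placeholders, so a real deployment would swap in a resolver library.

```python
from dataclasses import dataclass, field


@dataclass
class DelegationReport:
    zone: str
    parent_ns: set
    lame: set = field(default_factory=set)        # delegated servers not serving the zone
    mismatched: set = field(default_factory=set)  # servers whose apex NS set differs from parent


def audit_delegation(zone, parent_ns, query_ns):
    """Check every nameserver the parent delegates to.

    query_ns(server, zone) must return (rcode, authoritative, ns_names) for an
    NS query sent directly to that server.  A server that answers REFUSED,
    SERVFAIL or non-authoritatively does not host the zone: the delegation is
    lame, and if the provider lets any account claim that zone name, the
    domain is a Sitting Ducks candidate.
    """
    report = DelegationReport(zone=zone, parent_ns=set(parent_ns))
    for server in sorted(report.parent_ns):
        rcode, authoritative, names = query_ns(server, zone)
        if rcode != "NOERROR" or not authoritative:
            report.lame.add(server)
        elif set(names) != report.parent_ns:
            report.mismatched.add(server)
    return report


def is_sitting_duck_candidate(report):
    return bool(report.lame)


# Constructed stand-in for real DNS answers (a deployment would query the
# servers with a resolver library instead).
_PROVIDER_NS = {"ns1.dns-provider.test", "ns2.dns-provider.test"}
FAKE_ANSWERS = {
    ("ns1.dns-provider.test", "example.com"): ("NOERROR", True, _PROVIDER_NS),
    ("ns2.dns-provider.test", "example.com"): ("NOERROR", True, _PROVIDER_NS),
    # the old provider no longer has the zone configured but is still delegated
    ("ns1.old-provider.test", "example.com"): ("REFUSED", False, set()),
}


def fake_query(server, zone):
    return FAKE_ANSWERS.get((server, zone), ("SERVFAIL", False, set()))


PARENT_NS = _PROVIDER_NS | {"ns1.old-provider.test"}

if __name__ == "__main__":
    r = audit_delegation("example.com", PARENT_NS, fake_query)
    print("lame:", sorted(r.lame), "mismatched:", sorted(r.mismatched))
```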

This is a fascinating vulnerability. Please be sure to look at the issues with each DNS provider you are concerned about. I found one in which the “vulnerable” category was placed, but it had false positives because the responses that came back were different. This is to say that just because you are marked “vulnerable” does not mean you are exploitable, which will confuse everyone.

Moses Frost

The Rest of the Week's News


2024-07-30

Apple’s July Updates

On Monday, July 29, Apple released security updates to address vulnerabilities in multiple versions of macOS, iOS, and iPadOS, as well as in watchOS, tvOS, and visionOS. Apple has also released an updated version of Safari (17.6) for macOS Monterey and Ventura. One of the vulnerabilities (CVE-2024-23296), a memory corruption issue in iOS and iPadOS, is reportedly being actively exploited.

Editor's Note

This update is particularly interesting for users of older devices. Apple included patches for an already exploited vulnerability. Current operating systems received these patches a few months ago, and now Apple is providing them for older versions as well.

Johannes Ullrich

Patch all your mobile devices, laptop, iPhone, iPad, Apple Watch, Vision Pro, etc. before heading to Las Vegas, even if you're planning to keep them offline or in Airplane mode. These updates address a number of CVEs, some of which apply to multiple products. Note that fixes were applied to iOS/iPadOS 16 for the older devices. Even if you're not on the go, take a second to update. Don't miss the separate Safari update for macOS 12 & 13.

Lee Neely

Just in time for Hacker Summer Camp! If you're on iOS, patch; it should be set as automatic.

Moses Frost

2024-07-31

California is Digitizing Car Titles

California’s Department of Motor Vehicles (DMV) has digitized millions of car titles; users should be able to access those digital titles starting sometime next year through a yet-to-be developed app and related digital wallet. The action was taken to comply with a 2022 executive order from California Governor Gavin Newsom that directs government applications to use blockchain technology.

Editor's Note

Digitizing car titles is only part of the story. The use of the Avalanche blockchain to support the system, which will be connected to an app and digital wallet, has the potential to not only speed the processes around titles, but also make fraud much more difficult with immutable records in place. Note the system for owner access won't be in place until 2025.

Lee Neely

We are about to determine how solid Blockchain is to verify ownership. I guess this is a risk if there is no other paper trail …

Moses Frost

Stuart Haber, one of the inventors of blockchain, reports that many of the proposals that he has seen for the application of blockchain do not benefit from it and could be done with conventional databases. One wonders at such a directive. Rather, what is needed is permission to use it for appropriate applications.

William Hugh Murray

2024-07-31

Ransomware Attack on Blood Donation Non-Profit has Created Blood Shortages in Southeastern US

A ransomware attack that targeted the OneBlood non-profit blood donation center has them depending on manual processes and “operating at a significantly reduced capacity.” OneBlood provides blood and platelets to hospitals in Alabama, Florida, Georgia, North Carolina, and South Carolina. OneBlood has asked affected hospitals “to activate their critical blood shortage protocols.”

Editor's Note

In addition to asking affected hospitals to activate their shortage protocols, they have also reverted to manual mechanisms so they can continue to collect donations, albeit at a dramatically reduced rate, while resources like the AABB Disaster Task Force and Blood Centers across the country are routing blood and platelets to OneBlood. While it's not yet known which ransomware gang is behind the attack, given the criticality of the blood supply, it's safe to assume they see a high likelihood of a ransomware payout. There is an urgent need for O (positive and negative) as well as platelet donations; it is not a bad time to go to your local donation center and help out.

Lee Neely

In today’s era, failover to manual processes will impact business operations. Work that into your disaster recovery plan. As far as the ransomware gang, shame, shame, shame.

Curtis Dukes

2024-07-30

Microsoft Says Azure Outage Caused by Flawed DDoS Response

Microsoft says that an eight-hour Azure and Microsoft 365 outage on Tuesday, July 30, was due to “an error in the implementation” of their distributed denial-of-service (DDoS) attack response mechanisms. Rather than mitigate the incident, the buggy protection mechanism amplified the attack.

Editor's Note

Given Microsoft's claims of robust DDoS protections, this is a bit awkward. That the flaw in implementation amplified the attack rather than mitigated it is a distraction. Trends show the duration of DDoS attacks is shrinking, likely attributed to effective countermeasures. The thing to do here is ask those providing DDoS services for you about their testing and guarantee of effectiveness. Make sure you've got coverage for in-house and hosted (cloud or outsourced) services.

Lee Neely

Definitely not on the scale (time and reach) of the recent CrowdStrike meltdown but impactful nonetheless. This continues a trend, industry wide, where internal quality assurance processes have not been fully implemented. Unfortunate for MSFT it keeps them on the cyber news cycle.

Curtis Dukes

2024-07-31

FCC Cybersecurity Pilot for K-12 Schools and Libraries

The US Federal Communications Commission (FCC) has published details about their Schools and Libraries Cybersecurity Pilot Program, which was developed to help K-12 schools and libraries improve cybersecurity on their networks and reduce the likelihood of cyberattacks. Applications for the program will open on August 29.

Editor's Note

This three-year pilot program is evaluating the effectiveness of using the Universal Service Fund to support eligible cybersecurity services and equipment and how that raises the bar for schools and libraries. The pilot has a $200 million funding cap, which they are expecting to allocate to schools at $13.60/student, annually, with a minimum award of $15,000/year as well as a maximum award of $1.5 million/year. Library funding is based on locations and square footage with a range of $15,000 to $175,000/year. This is separate from the funds which provided for broadband connectivity to schools. If you're a school or library, which are currently ransomware targets, this could give the hand-up needed to implement needed protections.

Lee Neely

Finally, additional new money to support the cyber underserved. As a first step, K-12 schools and libraries should conduct a risk assessment to outline gaps in their cybersecurity program. If schools and libraries need help with the assessment, leverage the Multi-State ISAC for assistance.

Curtis Dukes

2024-08-02

SMTP Spoofing Vulnerabilities

The CERT Coordination Center (CERT/CC) at Carnegie Mellon University has published a vulnerability note describing a pair of vulnerabilities that could be exploited to spoof email addresses. The issue affects multiple Simple Mail Transfer Protocol (SMTP) servers. CERT/CC writes, “An authenticated attacker using network or SMTP authentication can spoof the identity of a shared hosting facility, circumventing any DMARC policy and sender verification provided by a domain name owner.”

Editor's Note

There are two flaws here: CVE-2024-7208 (sender email not verified against authorized domains) and CVE-2024-7209 (shared SPF record spoofing). The vulnerabilities don't have CVSS scores, nor have many vendors stepped up to say they are vulnerable, or have addressed the flaw. The researchers from PayPal, Caleb Sargent and Hao Wang, who discovered the attack, are presenting their findings in a talk titled “Into the Inbox: Novel Email Spoofing Attack Patterns,” on Wednesday at Black Hat. Aside from making sure your SPF, DKIM and DMARC records are as specific as possible, you can consider the use of S/MIME or PGP for messages requiring high assurance of the sender identity.

Lee Neely
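
Keeping SPF and DMARC records "as specific as possible", as the note above advises, can be checked with a small linter: a broad include: of a shared mail host lets every other customer of that host pass SPF for your domain, which is the shared-SPF problem behind CVE-2024-7209, and a DMARC record at p=none enforces nothing. This is an added example, not code from CERT/CC or the researchers; the sample records and the shared-mailhost name are constructed.

```python
def parse_spf(txt: str):
    """Return the SPF terms after 'v=spf1', or None if this is not an SPF record."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    return parts[1:]

def lint_spf(txt: str) -> list:
    """Flag SPF terms that let more senders pass than the domain owner intends."""
    terms = parse_spf(txt)
    if terms is None:
        return ["not a valid SPF record"]
    findings, lookups = [], 0
    for term in terms:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        name = body.split(":", 1)[0].split("/", 1)[0].lower()
        # mechanisms/modifiers that cost a DNS lookup under the RFC 7208 limit of 10
        if name in ("include", "a", "mx", "ptr", "exists") or name.startswith("redirect="):
            lookups += 1
        if name == "include":
            findings.append(f"{body}: every customer of that host passes SPF for you")
        elif name == "all" and qualifier in "+?":
            findings.append(f"{term}: any sender passes")
        elif name == "all" and qualifier == "~":
            findings.append("~all is softfail; use -all once DMARC is at p=reject")
        elif name == "ptr":
            findings.append("ptr is deprecated and slow; list addresses explicitly")
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the RFC 7208 limit of 10")
    return findings

def lint_dmarc(txt: str) -> list:
    """Flag a DMARC record that does not actually enforce anything."""
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["not a valid DMARC record"]
    findings = []
    policy = tags.get("p", "none")
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is not rejected")
    if tags.get("sp", policy) != "reject":
        findings.append("subdomain policy (sp) is not reject")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports")
    return findings

# Constructed sample records for a fictional domain.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 include:spf.shared-mailhost.test ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    print(lint_spf(SAMPLE_SPF), lint_dmarc(SAMPLE_DMARC), sep="\n")
```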

2024-08-01

Bitdefender Addresses Vulnerability in GravityZone Update Server Proxy Service

Bitdefender has released a fix for a critical vulnerability affecting their GravityZone Update Server. The flaw could be exploited to launch server-side request forgery attacks that lead to unauthorized access and data compromise. The vulnerability is due to verbose error handling in the proxy service of the GravityZone Update Server. The issue affects Bitdefender GravityZone Console versions prior to 6.38.1-5 running on premises; cloud instances are not affected.

Editor's Note

Bitdefender gives CVE-2024-6980 a CVSS-B score of 9.2. If you're running the GravityZone Console on premises, check to see if it auto-updated to version 6.38.1-5 or higher. Enable auto-update if it's not already set.

Lee Neely

Internet Storm Center Tech Corner

Apple Updates Everything: July 2024 Edition

https://isc.sans.edu/diary/Apple+Patches+Everything+July+2024+Edition/31128

Increased Activity Against Apache OFBiz CVE-2024-32113

https://isc.sans.edu/diary/Increased+Activity+Against+Apache+OFBiz+CVE202432113/31132

Tracking Proxy Scans with IPv4.Games

https://isc.sans.edu/diary/Tracking+Proxy+Scans+with+IPv4Games/31136

Threat Actor Impersonates Google via Fake Ad For Authenticator

https://www.malwarebytes.com/blog/news/2024/07/threat-actor-impersonates-google-via-fake-ad-for-authenticator

Who Knew? Domain Hijacking is so easy

https://blogs.infoblox.com/threat-intelligence/who-knew-domain-hijacking-is-so-easy/

DigiCert Certificate Revocation Incident

https://www.digicert.com/support/certificate-revocation-incident

Microsoft Azure Outage

https://azure.status.microsoft/en-us/status/history/

Improving Security of Chrome Cookies

https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html

VMWare ESXi Vulnerability Actively Exploited CVE-2024-37085

https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/

Weak VoWiFi Encryption CVE-2024-22064

https://idw-online.de/en/news837652