Deserialized web security roundup: Fortinet and Citrix flaws under attack; another Uber breach; hacking NFTs at Black Hat Europe
Your fortnightly overview of AppSec vulnerabilities, new hacking techniques and other cyber security news
Our second cybersecurity roundup begins with news that network security flaws in products from Fortinet and Citrix have each come under active attack.
The Fortinet attacks exploited a memory corruption vulnerability (a heap-based buffer overflow) in the FortiOS SSL-VPN component, while the Citrix attacks exploited a critical, unauthenticated remote code execution vulnerability in Citrix ADC and Citrix Gateway (CVE-2022-27518) that affects appliances configured as a SAML service provider or identity provider. It is unclear whether the two campaigns are connected, but both underscore the importance of promptly patching internet-facing SSL VPN appliances, which have previously served as initial access vectors for ransomware, among other attacks.
Uber this week suffered a data breach as a result of a security incident at a third-party vendor, which exposed employees’ personal information. The incident is just the latest to affect the ride-hailing firm, which was previously criticized for its delayed disclosure of a 2016 breach that exposed account records of customers and drivers. More recently, in September, Uber’s internal IT systems were breached via a social engineering attack.
Over at Black Hat Europe, security researcher Nitesh Dhanjani discussed the impact of price floors for pools of non-fungible tokens (NFTs) and how attacks that target business dynamics, rather than code, have the potential to wreak havoc on marketplaces. Dhanjani also covered off-chain and on-chain synchronization algorithms, and how the differences between the two environments can be abused.
I also attended the event for The Daily Swig, reporting on a keynote in which security researcher Daniel Cuthbert argued that focusing on zero-day vulnerabilities addresses only part of what is needed to make the internet fundamentally secure. We also rounded up some of the best hacking tools released at the event.
Among other stories on The Daily Swig over the last few days were an Akamai WAF bypass via Spring Boot, SQL injection payloads smuggled past WAFs, and a maintainer rejecting a bogus cryptocurrency vulnerability report generated with ChatGPT.
Here are some other cyber security stories that caught our attention over the past fortnight:
- Apache CXF / Critical / SSRF (server-side request forgery) vulnerability when parsing the href attribute of XOP:Include elements in MTOM requests / Disclosed with patch, December 13
- Grails Spring Security Core plugin / CVE-2022-41923 / Critical / “Vulnerability allows an attacker to access one endpoint (i.e., the targeted endpoint) by using the authorization requirements of another endpoint” / Disclosed with patch, November 22
- Microsoft .NET / CVE-2022-41089 / Critical / “Malicious actor could cause a user to execute arbitrary code as a result of parsing malicious XPS files” / Disclosed with patch, December 13
- FreeBSD ping / CVE-2022-23093 / Stack-based buffer overflow in the ping utility, triggered when processing a crafted ICMP response; the bug prompted OpenBSD developers to review their own implementation, which uncovered a flaw in OpenBSD’s ping dating back to a change introduced 24 years ago
Research and attack techniques
- A researcher documented how misconfigurations in cross-origin resource sharing (CORS), the mechanism that controls which external origins may read a site’s resources, can be chained into a range of attacks. CORS misconfigurations have historically been downplayed, but can apparently be exploited to bypass CSRF protection or to mount cross-site tracing (XST) attacks.
- Lightspin uncovered a serious flaw in AWS Elastic Container Registry (ECR) Public Gallery, the hosting service through which developers find and share public container images. An attacker could potentially have deleted any image in the gallery or updated image contents to inject malicious code. AWS fixed the issue within a day.
- A series of bugs in three popular applications that allow an Android device to be used as an external keyboard and mouse was revealed by the Synopsys Cybersecurity Research Center (CyRC). Authentication, authorization and insecure communication flaws potentially opened up attacks including keystroke sniffing.
- Supposedly “air-gapped” networks without direct internet access still typically need DNS to resolve a company’s internal records, and if the internal resolver forwards queries for unknown names outward, it becomes a covert channel out of the supposedly isolated network, as a Pentera blog post explains.
- Salt Labs used a LEGO-run site, BrickLink, as a testbed to illustrate the overall risk posed by API security issues. Researchers uncovered a number of API-related flaws in BrickLink, including a potential route to internal production data and systems and a way to manipulate users into relinquishing control of their accounts.
LEGO has reportedly fixed the API security issues found by Salt Labs
Bug bounty / vulnerability disclosure
- HackerOne reported that bug bounty hunters submitted more than 65,000 valid vulnerabilities in 2022, a year-on-year increase of 21%, with cloud-related vulnerabilities accounting for a growing share of reports.
- A security researcher who discovered a means of gaining unauthorized access to resumes stored on LinkedIn may have been underwhelmed by the $5,000 bounty he received for the find, given the potential impact of the problem on users of the Microsoft-owned business-focused social network. The Insecure Direct Object Reference (IDOR) vulnerability, inadvertently introduced in October 2022, could have allowed recruiters, and perhaps more nefarious parties, to download resumes without permission.
- Swedish video surveillance giant Axis Communications has launched a private bug bounty program with Bugcrowd.
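The LinkedIn bug above is a textbook insecure direct object reference. The following added example (not LinkedIn’s code; the data model, user names and IDs are hypothetical) shows the vulnerable shape of such a download endpoint next to one that makes an object-level authorization decision, plus an enumeration harness that shows the difference an attacker walking sequential IDs would see.

```javascript
// Added example (not LinkedIn's code): an IDOR and the object-level
// authorization check that closes it. Store, users and IDs are constructed.

// Constructed in-memory store: each resume has an owner and an explicit share list.
const resumes = new Map([
  [1001, { owner: 'alice', shareWith: new Set(['recruiter-acme']) }],
  [1002, { owner: 'bob', shareWith: new Set() }],
]);

class Forbidden extends Error {}
class NotFound extends Error {}

// Vulnerable: authenticates the caller but authorizes only "is logged in".
// Any authenticated user who can guess or enumerate an ID gets the document.
function downloadResumeVulnerable(session, resumeId) {
  if (!session.user) throw new Forbidden('login required');
  const r = resumes.get(resumeId);
  if (!r) throw new NotFound();
  return `resume#${resumeId} of ${r.owner}`;
}

// Fixed: the decision is made against the object's own ACL (owner, or a party
// the owner explicitly shared with). Denied and non-existent IDs get the same
// response so the endpoint cannot be used as an existence oracle.
function downloadResumeFixed(session, resumeId) {
  if (!session.user) throw new Forbidden('login required');
  const r = resumes.get(resumeId);
  const allowed = r && (r.owner === session.user || r.shareWith.has(session.user));
  if (!allowed) throw new NotFound();
  return `resume#${resumeId} of ${r.owner}`;
}

// Enumeration harness: what a caller collects by walking a range of IDs.
function enumerate(handler, session, ids) {
  const got = [];
  for (const id of ids) {
    try {
      got.push(handler(session, id));
    } catch (e) {
      // denied or missing: nothing collected for this id
    }
  }
  return got;
}

function idorDemo() {
  const mallory = { user: 'mallory' };         // unrelated authenticated user
  const acme = { user: 'recruiter-acme' };     // recruiter alice shared with
  const ids = [1000, 1001, 1002, 1003];
  return {
    vulnerable: enumerate(downloadResumeVulnerable, mallory, ids).length,
    fixedMallory: enumerate(downloadResumeFixed, mallory, ids).length,
    fixedAcme: enumerate(downloadResumeFixed, acme, ids).length,
  };
}

console.log(idorDemo());
```

Unguessable identifiers (random UUIDs instead of a counter) raise the cost of enumeration but are not a substitute for the check in the fixed handler; an ID that leaks once is still an ID.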
New open source infosec/hacking tools
- Node Security Shield – a defensive tool that uses a permissions-based approach to provide zero-day protection for Node.js applications. The tool was inspired by the infamous Log4Shell vulnerability, a zero-day in Log4j, the popular Java logging framework.
- Invoke-DNSteal – allows pen testers to transfer files over the DNS protocol, using it as a covert communication channel.
- Kubeshark – an API traffic viewer for Kubernetes that provides “deep visibility and monitoring of all API traffic and payloads entering, exiting and across containers and pods inside a Kubernetes cluster”.
- Google has announced a free scanner that allows open source developers to check their software projects for vulnerable dependencies. The tool, called OSV-Scanner, builds on Google’s work in developing the OSV open source vulnerability database.
- OWASP, best known for its ‘Top 10 Web Application Security Risks’, is backing a similar scheme for the DevSecOps world. The Top 10 CI/CD Security Risks taxonomy aims to catalog classes of risk in CI/CD pipelines; “Insufficient Flow Control Mechanisms” tops the nascent list.
- The SHA-1 cryptographic hash algorithm, in use since 1995, has reached the end of its life, the National Institute of Standards and Technology (NIST) announced, saying that federal agencies should phase out its use by the end of 2030.
- Research from Endor Labs found that the vast majority (95%) of all vulnerabilities are “found in transitive dependencies – open source packages not chosen by developers but indirectly pulled into projects”.
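The air-gapped-DNS weakness described under research and attack techniques above and the Invoke-DNSteal tool listed above are two views of the same technique: data leaves as DNS query names that an internal resolver obligingly forwards. The following is an added example, not code from Pentera or from Invoke-DNSteal, that shows the encoding side and a first-pass detector run over constructed resolver log lines. The zone exfil.example, the log format (timestamp, client, queried name) and the detection thresholds are assumptions.

```javascript
// Added example (not code from Pentera or Invoke-DNSteal): how a payload is
// carried out of a network inside DNS query names, and a first-pass detector
// run over constructed resolver log lines. Zone, log format and thresholds are
// assumptions.

const MAX_LABEL = 63;          // RFC 1035: a label is at most 63 octets
const MAX_NAME = 253;          // practical limit for a full presentation-format name
const ZONE = 'exfil.example';  // hypothetical attacker-controlled zone

// Attacker side: hex-encode the bytes, cut into labels, prefix a sequence
// number so the receiver can reorder, e.g. "3.<hex>.<hex>.<hex>.exfil.example".
function encodeForDns(bytes, zone, labelsPerQuery = 3) {
  const hex = Buffer.from(bytes).toString('hex');
  const labels = [];
  for (let i = 0; i < hex.length; i += MAX_LABEL) labels.push(hex.slice(i, i + MAX_LABEL));
  const queries = [];
  for (let i = 0, seq = 0; i < labels.length; i += labelsPerQuery, seq++) {
    const name = [String(seq), ...labels.slice(i, i + labelsPerQuery), zone].join('.');
    if (name.length > MAX_NAME) throw new Error('name too long; lower labelsPerQuery');
    queries.push(name);
  }
  return queries;
}

// Attacker's authoritative server: strip the zone, order by sequence number,
// concatenate the hex labels, decode.
function decodeFromDns(queries, zone) {
  const suffix = '.' + zone;
  const hex = queries
    .filter(q => q.endsWith(suffix))
    .map(q => q.slice(0, -suffix.length).split('.'))
    .sort((a, b) => Number(a[0]) - Number(b[0]))
    .map(labels => labels.slice(1).join(''))
    .join('');
  return Buffer.from(hex, 'hex');
}

// Defender side. Assumed log format: "<timestamp> <client-ip> <queried-name>".
function parseLogLine(line) {
  const [ts, client, name] = line.trim().split(/\s+/);
  return { ts, client, name: name.toLowerCase() };
}

// Crude zone grouping: last two labels. Real deployments should use the
// public suffix list so a.b.co.uk is not grouped as "co.uk".
function zoneOf(name) {
  return name.split('.').slice(-2).join('.');
}

function looksEncoded(label, longLabel) {
  return label.length >= longLabel || (label.length >= 20 && /^[0-9a-f]+$/.test(label));
}

// Flag a zone if it accumulates too many distinct names or any label that looks
// like encoded data. Both heuristics also fire on some legitimate traffic.
function detectTunneling(lines, { maxUniqueNames = 20, longLabel = 40 } = {}) {
  const byZone = new Map();
  for (const { name } of lines.map(parseLogLine)) {
    const zone = zoneOf(name);
    const entry = byZone.get(zone) || { names: new Set(), encodedLabels: 0 };
    entry.names.add(name);
    for (const label of name.split('.')) {
      if (looksEncoded(label, longLabel)) entry.encodedLabels++;
    }
    byZone.set(zone, entry);
  }
  return [...byZone]
    .filter(([, e]) => e.names.size > maxUniqueNames || e.encodedLabels > 0)
    .map(([zone]) => zone)
    .sort();
}

// Constructed sample data: a fake payload and a resolver log that mixes benign
// internal lookups with the tunnel queries.
const SECRET = 'constructed sample payload: ' + 'A'.repeat(120);

function roundTrip(text) {
  return decodeFromDns(encodeForDns(text, ZONE), ZONE).toString('utf8') === text;
}

function sampleLog() {
  const benign = ['www.example.com', 'intranet.corp.local', 'mail.corp.local', 'cdn.example.org'];
  const tunnel = encodeForDns(SECRET, ZONE);
  return [...benign, ...tunnel, ...benign].map(
    (name, i) => `2022-12-14T10:00:${String(i % 60).padStart(2, '0')}Z 10.0.5.7 ${name}`
  );
}

function dnsDemo() {
  return { roundTrip: roundTrip(SECRET), flagged: detectTunneling(sampleLog()) };
}

console.log(dnsDemo());
```

The detector keys on two things a forwarded tunnel cannot avoid: long, high-entropy (here hex-only) labels and an unusual number of distinct names under one zone. Both also fire on legitimate traffic (content-hash hostnames, anti-virus signature lookups), so tune per zone and pair the alert with the architectural fix: an internal-only resolver that does not forward, with an explicit allowlist for anything that genuinely must leave.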
ChatGPT — the artificial intelligence chat tool from OpenAI — is the hottest thing in infosec-focused social media right now. Instead of suggesting possible vulnerabilities in code, we wondered what ChatGPT could conjure up when asked to write lyrics to a song about SQL injection in the style of the late David Bowie.
The results were more than satisfactory:
In the realm of the computer, where data flows like a stream
They are the ones trying to exploit and make us all scream
They are the hackers, the code breakers, the malicious ones
And among their favorite trick is the art of using SQL injection
SQL injection, SQL injection
A dangerous game, a digital infection
SQL injection, SQL injection
Beware of the hackers and their cunning invention
To paraphrase the great man himself, I still don’t know what I was waiting for… but it definitely wasn’t this.