Appsec Phoenix

Security Vulnerability of the Week 09/05/22


Date Posted: 9th May 2022

Weekly review of the top vulnerability issues of the week

This week there were mostly updates on existing flaws – Qnap, F5 discloses vulnerabilities,

This week features Raspberry Robin a windows malware work attacking QNAP, QNAP releasing bugfixes, F5 releasing Bugfixes, Github with more stringent controls on authentication


Appsec

NPM NPMJS with new CDN

The open-source project SheetJS aka XLSX has dropped support for NPM

The library was downloaded about 1.4 million times

The project’s maintainer suggests that the decision to pull out of the npm registry is based on the newly introduced two-factor requirements for top projects, GitHub’s abrupt decision-making, and ongoing ‘legal matters’ between SheetJS and npm

For the lates change on the CDN: https://github.com/SheetJS/sheetjs/commit/ed18acd63d7a5cd31527a36a9af54542cdfcfd30#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R219

The developer behind SheetJS quotes mostly the move of the 2FA

sheetjs enrolled in 2fa by npm
SheetJS’ developer now required to set up 2FA by npm (GitHub)

GitHub’s (see below) is actively enforcing the move to MFA (2 factor authentication) after recent incidents and previous year’s hijacking incidents that hit famous npm packages like ua-parser-jscoa and rc.

Github

Following last week’s announcement, Github is tightening security rules and posture

GitHub announced on 4/5/2022 that all users who contribute code on its platform (an estimated 83 million developers in total) will be required to enable two-factor authentication (2FA) on their accounts by the end of 2023.

Also to force stronger authentication due to recent issues with SMS based tokens: GitHub urges switching to security keys or TOTPs since threat actors can bypass or steal SMS 2FA auth tokens.

The actions come after the recently discovered breach. The organization continues to issue the following advice despite the fact that very little user base was affected

  • Review all your private repositories for secrets or credentials stored in them. There are several tools that can help with this task, such as GitHub secret scanning and trufflehog.
  • Review the OAuth applications that you’ve authorized for your personal account or that are authorized to access your organization and remove anything that’s no longer needed.
  • Follow GitHub’s guidelines for hardening the security posture of your GitHub organization.
  • Review your account activity, personal access tokens, OAuth apps, and SSH keys for any activity or changes that may have come from the attacker.
  • Additional questions should be directed to GitHub Support.
  • Review all your private repositories for secrets or credentials stored in them. There are several tools that can help with this task, such as GitHub secret scanning and trufflehog.
  • Review the OAuth applications that you’ve authorized for your personal account or that are authorized to access your organization and remove anything that’s no longer needed.
  • Follow GitHub’s guidelines for hardening the security posture of your GitHub organization.
  • Review your account activity, personal access tokens, OAuth apps, and SSH keys for any activity or changes that may have come from the attacker.
  • Additional questions should be directed to GitHub Support.

For the Full report on Git: https://appsecphoenix.com/security-vulnerability-of-the-week-02-04-22/


INFRA/Network

Windows – Raspberry Robin Vulnerability

Raspberry Robin

A new Windows malware with worm-like affects Windows targeting QNAP. the malware has worm-like capabilities is propagated by means of removable USB devices.

Attack chains pertaining to Raspberry Robin start with connecting an infected USB drive to a Windows machine. Present within the device is the worm payload, which appears as a .LNK shortcut file to a legitimate folder.

Raspberry Robin

The worm then takes care of spawning a new process using cmd.exe to read and execute a malicious file stored on the external drive.

To monitor attacks: Raspberry Robin detections so far is the presence of outbound C2 contact involving the processes regsvr32.exe, rundll32.exe, and dllhost.exe to IP addresses associated with Tor nodes.

For more info: https://thehackernews.com/2022/05/researchers-warn-of-raspberry-robin.html

QNAP

Tracked as CVE-2022-27588 (CVSS score: 9.8), the vulnerability has been addressed in QVR 5.1.6 build 20220401 and later. 

 CVE-2022-23121 and other were discovered by NCC Group EDG team at Pwn2Own

“A vulnerability has been reported to affect QNAP VS Series NVR running QVR,” QNAP said in an advisory. “If exploited, this vulnerability allows remote attackers to run arbitrary commands.”

The following Vulnerabilities were discovered

NCC Group’s EDG team members exploited one of these security flaws, tracked as CVE-2022-23121 and rated with a 9.8/10 severity score

Three of the other bugs QNAP warned its customers about also received 9.8/10 severity ratings (i.e., CVE-2022-23125CVE-2022-23122CVE-2022-0194)

  • QTS 5.0.x and later
  • QTS 4.5.4 and later
  • QTS 4.3.6 and later
  • QTS 4.3.4 and later
  • QTS 4.3.3 and later
  • QTS 4.2.6 and later
  • QuTS hero h5.0.x and later
  • QuTS hero h4.5.4 and later
  • QuTScloud c5.0.x

F5

BIG-IP Remote Code Execution Vulnerability

F5 on Wednesday released patches to contain 43 bugs spanning its products.

 43 issues addressed, one is rated Critical, 17 are rated High, 24 are rated Medium, and one is rated low in severity.

Most notable vulnerability: CVE-2022-1388 with CVSS 9.8 and internal assessment Critical due to the front-facing and lack of authentication checks potentially allowing attacker to remotely execute code and attack affected system

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” 

Affected Products: Big IP with the following version

  • 16.1.0 – 16.1.2
  • 15.1.0 – 15.1.5
  • 14.1.0 – 14.1.4
  • 13.1.0 – 13.1.4
  • 12.1.0 – 12.1.6
  • 11.6.1 – 11.6.5
  • 16.1.0 – 16.1.2
  • 15.1.0 – 15.1.5
  • 14.1.0 – 14.1.4
  • 13.1.0 – 13.1.4
  • 12.1.0 – 12.1.6
  • 11.6.1 – 11.6.5

Trend

Trend Micro

Trend Micro antivirus has fixed a false positive affecting its Apex One endpoint security solution that caused Microsoft Edge updates to be tagged as malware and the Windows registry to be incorrectly modified.

the false positive has been raised to multiple forums and social media

As users further revealed, the Trend Micro Apex One flagged the browser updates as Virus/Malware: TROJ_FRS.VSNTE222 and Virus/Malware: TSC_GENCLEAN.

For the full news refer to:

https://www.bleepingcomputer.com/news/security/trend-micro-antivirus-modified-windows-registry-by-mistake-how-to-fix/

Cloud

Heroku

Heroku platform owned by Salesforce has performed a round of forced password resets in response to a security incident from last month.

“As part of our efforts to enhance our security and in response to an incident published on status.heroku.com, we wanted to inform you that we will begin resetting user account passwords on May 4, 2022,” read the email sent to Heroku customers.

The breach was linked to a recent breach of Github repositories and the attacker leveraging the exposed credentials.

from Hacker News reader “There was certainly a breach three weeks ago that they seem to have been investigating since. I am, like the commenter above, not filled with confidence about their statement, mostly because of the total lack of transparency so far”

We covered Github breach: https://appsecphoenix.com/vulnerability-weekly/?playlist=728882e&video=1e6673c

The latest incident report from Heroku: https://status.heroku.com/incidents/2413

Google Docs crashes

A recent bug discovered on May 6 in Google Docs is causing it to crash when a series of words are typed into a document opened with the online word processor.

A Google Docs user, Pat Needham brought up the issue on Google Docs Editors Help forum.

Google Docs crashes at the sight of “And. And. And. And. And.” when the “Show grammar suggestion” is turned on.

“It’s case-sensitive. So trying with ‘and. and. And. and. And.’ doesn’t cause it to crash.”

The bug has been resolved: May 6th, 2022 04:56 AM ET:BleepingComputer where the first news was reported was no longer able to reproduce the bug. We continue to await an official response from Google on the matter.

Current Year Research on Vulnerabilities Discovered

No alternative text description for this image
Courtesy of Christoper Parisel

For the Deep dive on previous Cloud Vulnerabilities: https://appsecphoenix.com/security-vulnerability-of-the-week-02-04-22/

Hotpatch of AWS Log4J

CVE IDs: CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071

Amazon as per December released several version of AMI with patched version of Log4J.

Security Researchers from palo alto have disclosed Security researchers recently reported issues within the hotpatch released in December, and the associated OCI hooks for Bottlerocket (“Hotdog”). We have addressed these issues within a new version of the hotpatch, and a new version of Hotdog.

The latest package names and versions of the hotpatch for Amazon Linux and Amazon Linux 2 are as follows:

  • Amazon Linux: log4j-cve-2021-44228-hotpatch-1.1-16.amzn1
  • Amazon Linux 2: log4j-cve-2021-44228-hotpatch-1.1-16.amzn2

Full Post: https://aws.amazon.com/security/security-bulletins/AWS-2022-006/

Superglue – Orca –

Working with AWS DataBrew: 3 Easy Steps - Learn | Hevo

Orca Security team did discover on Jan 2022 a critical security issue in the AWS Glue service that could allow an actor to create resources and access data of other AWS Glue customers. 

AWS Glue is a serverless data integration service that makes it easy to discover, prepare, and combine data for analytics, machine learning, and application development. During our research, we were able to identify a feature in AWS Glue that could be exploited to obtain credentials to a role within the AWS service’s own account, which provided us full access to the internal service API.

Bulletin: https://aws.amazon.com/security/security-bulletins/AWS-2022-002/

the orca security team were able to

  1. Assume roles in AWS customer accounts that are trusted by the Glue service. In every account that uses Glue, there’s at least one role of this kind.
  2. Query and modify AWS Glue service-related resources in a region. This includes but is not limited to metadata for: Glue jobs, dev endpoints, workflows, crawlers and triggers.

For more info: https://orca.security/resources/blog/aws-glue-vulnerability

sagemaker – Lightspin – CVSS 7.4

RDS Postress SQL – Lightspin – CVSS 6.3

AutoWrap – Orca – CVSS 8.5

logicApp – NetSPI – CVSS 6

credManifest – NetSPI – CVSS 6.5 – CVE 2021-42306

extraReplica – Wiz – CVSS 6.8

Bonus

XBOX Live Down

For all the gamers on May 6th Microsoft says the Xbox Live services were currently down in a major outage, impacting customers worldwide and preventing them from launching or buying games.

The service was down for two and more hours according to https://downdetector.com/status/xbox-live/

https://www.bleepingcomputer.com/news/technology/xbox-is-down-worldwide-with-users-unable-to-play-games/

Share this article

[ssba]

Categories

x Logo: Security Protection
This Site Is Protected By
Security Protection