December 2021 Edition

Welcome to Nullcon’s Newsletter! With so much going on in the infosec industry, it’s often difficult to keep up with everything. Subscribe to our #MonthlyNewsletter to stay updated with current happenings.


Latest Updates in Cloud Sector


Multiple Security Mistakes by Cloud Service Providers

The shared responsibility model of cloud computing has recently been put to the test, with several researchers showing that the cloud service providers (AWS, GCP and Azure) are not always keeping their end of the bargain. Scott Piper has collected these issues in one place as a record. For instance, when the Compute API is enabled on a GCP project, a default compute service account is created with the primitive Editor role assigned, which allows a wide range of privilege escalation and resource abuse within the project. Secondly, it took AWS over 273 days to fix an issue where an attacker could figure out what privileges they have in a victim account without the activity being logged in CloudTrail. Scott Piper has also raised that AWS restricts what it allows to be pentested and has no bug bounty, which some believe limits the number of AWS issues that become public.




Jupyter Notebook Takeover Instance with AWS SageMaker

Amazon SageMaker is a fully managed machine learning service that allows data scientists and developers to quickly build and train machine learning models. Lightspin detected an account takeover issue in the AWS SageMaker service: a threat actor could access the Notebook Instance metadata endpoint and steal the access token of the attached role. With that token, the attacker could read data from S3 buckets, create VPC endpoints, and perform any other action allowed by the SageMaker execution role and the “AmazonSageMakerFullAccess” policy. The vulnerability was reported to the AWS security team and has since been remediated.




Over-Privileged Service Accounts Create Escalation of Privileges and Lateral Movement in Google Cloud

Netskope surveyed its clients and published statistics on the behaviours that create or expose vulnerabilities. Service accounts are identities intended for use by client scripts, applications or Google services such as virtual machines rather than by people; the roles and permissions granted to a service account govern what the scripts, applications or services using it can access. There are standard best practices for service accounts, yet many GCP environments lag behind in implementing them. The article shows how these violations of best practice let attackers chain together attack steps to gain broader access to resources in a GCP environment, and that real-world data supports the feasibility of these IAM-related attack vectors.
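Both GCP items above come down to the same audit question: which service accounts in a project hold a primitive role (Editor or Owner), including the default compute service account created when the Compute API is enabled. The following script is an added example, not from the newsletter or from any vendor tool; it reads a project IAM policy in the JSON shape produced by `gcloud projects get-iam-policy PROJECT --format=json` and reports the over-privileged bindings. The policy, project number and account names below are constructed sample data.

```python
"""Audit a GCP project IAM policy for over-privileged service accounts.

Added illustration (not the newsletter's or any vendor's code). The policy
below is a constructed sample in the shape returned by
`gcloud projects get-iam-policy PROJECT --format=json`.
"""
import json
import re

# Primitive ("basic") roles. Editor/Owner on a service account is the
# over-privileged pattern both newsletter items describe.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# The default compute service account is named <project-number>-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

# Constructed sample policy; the project number and account names are made up.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:reader@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/owner",
     "members": ["serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["allUsers"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
""")


def find_overprivileged_service_accounts(policy):
    """Return findings as (principal, role, reason) tuples.

    Flags (a) any primitive role granted to a service account, noting when the
    grantee is the default compute service account, and (b) any role granted
    to the public principals allUsers / allAuthenticatedUsers.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in ("allUsers", "allAuthenticatedUsers"):
                findings.append((member, role, "public principal granted a role"))
                continue
            if not member.startswith("serviceAccount:"):
                continue  # users and groups are out of scope for this check
            email = member.split(":", 1)[1]
            if role in PRIMITIVE_ROLES:
                reason = "primitive role on service account"
                if DEFAULT_COMPUTE_SA.match(email):
                    reason = "default compute service account keeps primitive role"
                findings.append((email, role, reason))
    return findings


if __name__ == "__main__":
    for principal, role, reason in find_overprivileged_service_accounts(SAMPLE_POLICY):
        print(f"{principal}\t{role}\t{reason}")
```

On a real project, pipe the `gcloud` output into `json.load` in place of `SAMPLE_POLICY`; a clean result is an empty list. The remediation the Netskope article points at is to replace primitive roles on service accounts with narrowly scoped predefined or custom roles.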




NotLegit: Azure App Service Vulnerability Exposed Hundreds of Source Code Repositories

The Wiz Research Team discovered a vulnerability, dubbed “NotLegit,” through which the Azure App Service exposed hundreds of source code repositories. An insecure default behaviour in the Azure App Service exposed the source code of customer applications written in PHP, Python, Ruby or Node that were deployed using “Local Git.” The vulnerability has existed since September 2017 and has probably been exploited in the wild. Microsoft took the incident seriously, fixed it thoroughly, and awarded Wiz a $7,500 bounty, which the team decided to donate.





Latest Updates in Infrastructure


It-Depends: Dependency Tracking

It-Depends is a tool to automatically build a dependency graph and Software Bill of Materials (SBOM) for packages and arbitrary source code repositories. It enumerates all third-party dependencies of a software package, maps those dependencies to known security vulnerabilities, and compares the similarity of two packages based on their dependencies. It supports C/C++ projects and partially automates the resolution of native library dependencies using dynamic analysis. Additionally, it enumerates all possible dependency resolutions, not just a single feasible one.




Log4j Debacle: RCE 0-Day Exploit Found in a Popular Java Logging Package

The Log4j vulnerability that came to light at the end of the year can undoubtedly be considered a major event in the security community. Originally disclosed on December 9th, a 0-day exploit in the popular Java logging library log4j (version 2) results in Remote Code Execution (RCE) simply by logging a certain string. The impact of the exploit (full server control) combined with how easy it is to trigger makes it quite severe. Many services such as Steam and Apple iCloud, as well as apps like Minecraft, are vulnerable to this exploit. To spot whether your system has been compromised, CanaryTokens, an open-source web app, generates the exploit string automatically and sends an email notification when the DNS name is queried. Given the huge impact of the Log4j vulnerability, the Anglerfish and Apacket honeypots have caught two waves of attacks using it to build botnets; a quick sample analysis showed that they were used to form Muhstik and Mirai botnets respectively, both targeting Linux devices.




X.Org Server Hit by its Latest Batch of Security Vulnerabilities

Four more CVEs were made public around input validation failures in the X.Org Server that could lead to local privilege escalation. Given the age of the X.Org/X11 code base, security issues have become quite frequent; it was nearly a decade ago that the X.Org Server was called a “security disaster.” This matters for cases where the X.Org Server is still running as a privileged process and supporting remote code execution for SSH X forwarding sessions. The security issues involve out-of-bounds writes in different parts of the X.Org Server: the render, xfixes, xext and record code.





Latest Updates in Web Application


Released with High Severity Security Fix: Grafana 8.3.1, 8.2.7, 8.1.8 and 8.0.7

A path traversal bug in Grafana was identified and patched. A tweet by Abdelrhman Zayed points out that the bug had been flagged earlier and dismissed by the Grafana community, who assumed they were aware of the situation and that the code review tool was giving a false positive. However, they released fixes for CVE-2021-43798 within 24 hours. CVE-2021-41090 concerns the Grafana Agent, while CVE-2021-43798 concerns Grafana itself; only CVE-2021-43798 was a 0-day exploit. The patch release includes a high severity security fix that affects Grafana versions from v8.0.0-beta1 through v8.3.0.
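The class of bug behind the Grafana advisory is a file name taken from a request and joined onto a fixed directory without checking that the result stays inside it. The following is an added example, not Grafana's code and not a reproduction of CVE-2021-43798; it contrasts a naive containment check (string prefix) with a hardened one (canonicalise, then compare with `os.path.commonpath`), and runs both against a throwaway directory it builds itself. The directory layout, plugin name and request strings are constructed for the demonstration.

```python
"""Resolving a user-supplied file name under a fixed base directory.

Added illustration (not Grafana's code). `naive_resolve` shows a containment
check that is easily fooled; `safe_resolve` shows the hardened version.
"""
import os
import tempfile


def naive_resolve(base_dir, requested):
    """Flawed: a string-prefix check accepts sibling directories whose name
    merely starts with the base name, and does nothing about symlinks."""
    base = os.path.realpath(base_dir)
    candidate = os.path.normpath(os.path.join(base, requested))
    return candidate if candidate.startswith(base) else None


def safe_resolve(base_dir, requested):
    """Return the canonical path if it stays inside base_dir, else None.

    realpath() collapses '..' and follows symlinks; commonpath() compares whole
    path components, so 'plugins-backup' is not mistaken for 'plugins', and an
    absolute `requested` (which os.path.join lets swallow the base) is rejected.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo():
    """Build a constructed sample layout and return {request: (safe_ok, naive_ok)}."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin_dir = os.path.join(tmp, "plugins")
        os.makedirs(os.path.join(plugin_dir, "alertlist"))
        with open(os.path.join(plugin_dir, "alertlist", "module.js"), "w") as f:
            f.write("// constructed sample plugin file\n")
        # A sibling directory whose name shares the prefix "plugins".
        os.makedirs(os.path.join(tmp, "plugins-backup"))
        with open(os.path.join(tmp, "plugins-backup", "secret"), "w") as f:
            f.write("constructed sample secret\n")

        requests = [
            "alertlist/module.js",       # legitimate file inside the base
            "../../../../etc/passwd",    # classic traversal
            "/etc/passwd",               # absolute path swallows the base in os.path.join
            "../plugins-backup/secret",  # escapes via a sibling that shares the name prefix
        ]
        return {
            req: (safe_resolve(plugin_dir, req) is not None,
                  naive_resolve(plugin_dir, req) is not None)
            for req in requests
        }


if __name__ == "__main__":
    for req, (safe_ok, naive_ok) in demo().items():
        print(f"{req!r:32} safe={'allow' if safe_ok else 'deny'}  naive={'allow' if naive_ok else 'deny'}")
```

The only request both resolvers allow is the legitimate one; the naive check additionally lets the sibling-directory request through, which is why a prefix comparison on the path string is not an adequate containment check.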




A Web Cache Poisoning Bug was Discovered in the Symfony PHP Framework

Mishandling of HTTP headers left websites built on top of the Symfony platform vulnerable to web cache poisoning attacks. Symfony is a popular open-source PHP framework for web applications with more than 200 million downloads. The platform was found to be vulnerable to web cache poisoning attacks, potentially exposing sensitive data such as clients’ IP addresses. Web cache poisoning attacks target the intermediate storage points between web servers and client devices, such as points of presence, proxies and load balancers. The vulnerability in the open-source project has since been patched.




3 Malicious Packages Removed by PyPI Admins After 10,000+ Downloads

PyPI, the repository for Python packages, has been battling malicious code for a long time. Three packages were identified as potentially malicious via the string `import urllib.request`, since that module is commonly used to exfiltrate data or download malicious files. Andrew Scott, maintainer of the Python security project that flagged them, mentioned that these packages listed the source code URL of an existing popular library, so anyone browsing the package on PyPI or checking how popular the library was would see a large number of GitHub stars and forks indicating a good reputation. More recently, PyPI again removed a few packages, two of which (a malware-deploying package and a data-stealing package) had lain undiscovered for 10 months.
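The heuristic the item describes, a string match on `import urllib.request`, misses `from urllib import request` and aliased imports. The scanner below is an added example, not the Python security project's code; it generalises the idea to an AST walk over a package's files, flags imports of modules commonly used for downloading, exfiltration or command execution, and rates hits in `setup.py` higher because that file executes at `pip install` time. The watch list and the two sample files are constructed for the demonstration.

```python
"""Flag imports commonly used for download, exfiltration or command execution
in a package's source files.

Added illustration (not the Python security project's tooling). The watch list
is a constructed starting point, not a complete indicator set.
"""
import ast

# Exact module names to flag; constructed for this example.
WATCHLIST = {"urllib.request", "requests", "socket", "subprocess", "base64"}

# Constructed sample: a setup.py that a plain "import urllib.request" grep would miss.
SAMPLE_SETUP_PY = '''
from setuptools import setup
import base64, subprocess as sp
from urllib import request as r
setup(name="constructed-sample", version="0.0.1")
'''

# Constructed sample: an innocuous module.
SAMPLE_CLEAN_MODULE = '''
import os
from urllib.parse import urlparse

def where(path):
    return os.path.abspath(path)
'''


def suspicious_imports(source):
    """Return the sorted list of watch-listed modules imported in `source`.

    Handles `import a.b`, `import a.b as c`, `from a import b` and
    `from a.b import c`; `urllib.parse` is deliberately not flagged.
    """
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name in WATCHLIST:
                    hits.add(alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module in WATCHLIST:
                hits.add(node.module)
            for alias in node.names:
                full = f"{node.module}.{alias.name}"
                if full in WATCHLIST:
                    hits.add(full)
    return sorted(hits)


def assess(files):
    """files: {relative path: source}. Returns [(path, hits, severity)].

    setup.py runs during installation, so hits there are rated high;
    hits in ordinary modules only run when imported and are rated medium.
    """
    report = []
    for path, source in files.items():
        hits = suspicious_imports(source)
        if hits:
            severity = "high" if path.endswith("setup.py") else "medium"
            report.append((path, hits, severity))
    return report


if __name__ == "__main__":
    sample = {"setup.py": SAMPLE_SETUP_PY, "pkg/__init__.py": SAMPLE_CLEAN_MODULE}
    for path, hits, severity in assess(sample):
        print(f"[{severity}] {path}: {', '.join(hits)}")
```

A hit is a reason to read the package, not proof of malice; plenty of legitimate packages import `requests` or `subprocess`. The value of the check is in surfacing install-time network and execution capability in packages that, like the ones described above, borrow another project's reputation.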







About the Expert

Author

Anant Shrivastava

Anant Shrivastava is an information security professional with 12+ years of corporate experience and expertise in network, mobile, application and Linux security. During his career he has been a speaker and trainer at various international conferences (Black Hat USA, Asia and EU, Nullcon, c0c0n and many more). Anant also leads open source projects such as Android Tamer and CodeVigilant. In his free time he likes to participate in open communities aimed at spreading information security knowledge, such as null (null.community). His work can be found at anantshri.info