The last month or two have seen a massive number of bug disclosures around the Azure ecosystem. The Palo Alto team identified that the Azure container environment was running a vulnerable runC release from 2016; since this is a Container as a Service setup, the onus of keeping the runC component up to date lay with Azure, and they failed. The Wiz team discovered multiple bugs, including the most severe one, dubbed OMIgod, a vulnerability in the OMS platform that Azure uses for back-end operations. The Wiz team was also responsible for finding the ChaosDB vulnerability, which affected Azure Cosmos DB and allowed unauthenticated access to Cosmos DB across the Azure environment.
Identity and Access Management (IAM), always the client's responsibility and never the vendor's, is one of the major portions of the cloud and a key part of assessing the security of an AWS environment. The step-by-step details of recreating the scenarios let users gain a better understanding of IAM issues, for instance a lack of Multi-Factor Authentication (MFA) and other misconfigurations leading to administrative access to an AWS account.
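The "lack of MFA" finding above is the kind of check an assessor runs first. As an added example (not from the write-up being described), the snippet below parses an IAM credential report (the CSV that `aws iam get-credential-report` returns) and lists every identity that can sign in to the console but has no MFA device active; the report rows and the account ID 111122223333 are constructed sample data.

```python
import csv
import io

# Constructed sample in the column layout of an IAM credential report.
# Only the columns this check reads are meaningful; the rest are filler.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2021-09-01T10:00:00+00:00,not_supported,not_supported,false,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2020-02-01T00:00:00+00:00,true,2021-09-10T08:00:00+00:00,2021-06-01T00:00:00+00:00,N/A,true,true,2021-06-01T00:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,2020-03-01T00:00:00+00:00,true,2021-09-12T09:00:00+00:00,2020-03-01T00:00:00+00:00,N/A,false,false,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2020-04-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2020-04-01T00:00:00+00:00
"""


def users_without_mfa(report_csv: str) -> list[str]:
    """Return the names of identities with console sign-in but no active MFA.

    Access-key-only users (password_enabled == "false") are skipped: they
    cannot use MFA on the console, so they are a separate finding.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        # The root user reports password_enabled as "not_supported" but
        # always has console access, so treat it as console-enabled.
        console_access = row["password_enabled"] in ("true", "not_supported")
        if console_access and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


if __name__ == "__main__":
    for name in users_without_mfa(SAMPLE_REPORT):
        print(f"MFA not active: {name}")
```

Whether a flagged user also holds administrative permissions is not visible in the credential report; that requires inspecting the policies attached to the user and its groups.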
“Processing a maliciously crafted PDF may lead to arbitrary code execution.” A zero-day, zero-click bug exploited in the wild was found by Citizen Lab on a Saudi activist's device. The device was infected with NSO Group’s Pegasus spyware; the exploit, called FORCEDENTRY, targets Apple’s image rendering library and is effective against Apple iOS, macOS, and watchOS devices. Fortunately, Apple released a fix for it on 13th September 2021. Ensure your Apple devices are updated.
A post-authentication vulnerability that turns out to be a pre-authentication one! Confluence is Atlassian's team workspace environment for collaboration. An Object-Graph Navigation Language (OGNL) vulnerability was spotted in expression parsing and is still under active exploitation. The vulnerability was disclosed by Benny Jacob (SnowyOwl) via Atlassian's public bug bounty program. PoCs started surfacing from various entities, including iamnoooob and rootxharsh. PeterJson worked out a PoC which could perform the attack in a pre-authenticated environment, increasing the severity many fold, and submitted it to VMware to claim a bounty on VMware infrastructure. However, within 17 hours of their first report to VMware, Dhiyaneshwaran publicly released a PoC identical to the specifically crafted exploit payload, leading to a massive leak of the pre-authentication Remote Code Execution (RCE) exploit payload for Atlassian Confluence.
Ever wondered how to create CTF scenarios and training series? PwnSpoof from Punk Security has got you covered. PwnSpoof is a custom log file spoofer that simulates web attack scenarios. It is built to produce authentic web attack logs applicable in the real world. The software is in its early days but is a promising toolset.
August every year brings Defcon with it, along with a plethora of village sessions. This year was no exception. We saw AppSec Village 2021 laser-focused on application security vulnerabilities, and the good part is that the videos are already out so everyone can learn from the awesome presentations. Check out the AppSec Village 2021 playlist of talks that happened at Defcon 29.
With the release of the much-needed Open Web Application Security Project (OWASP) Top 10, OWASP is shifting its focus to major systemic issues in applications, where the primary aim is fixing the root cause rather than individual instances. What's new? The Top 10 entries are no longer solely specific vulnerabilities, as in most previous editions; rather, they are vulnerability classes comprising numerous Common Weakness Enumerations (CWEs) per entry. By adopting a more mature approach, they are signalling that the Application Security Verification Standard (ASVS) should be the standard rather than the OWASP Top 10.
Anant Shrivastava
Anant Shrivastava is an information security professional with 12+ years of corporate experience and expertise in Network, Mobile, Application, and Linux Security. During his career, he has been a speaker and a trainer at various international conferences (Black Hat USA, ASIA, EU, Nullcon, c0c0n, and many more). Anant also leads Open Source projects such as Android Tamer and CodeVigilant. In his free time, he likes to participate in open communities targeted towards spreading information security knowledge, such as null (null.community). His work can be found at anantshri.info