Episode 06: February 06 2022

February 6, 2022 Jim Guckin CyberSecurity News Byte 20:2429.41M Comments Off on Episode 06: February 06 2022

Bullet points of key topics + chapter markers
[00:41] Argo CD Security Bug Opens Kubernetes to Attackers
[04:24] Critical Vulnerabilities Discovered in Airspan Networks Mimosa
[08:11] Hackers Exploit 0-Day Vulnerability in Zimbra
[12:11] Dozens of Security Flaws Discovered in UEFI Firmware
[16:35] Samba Bug Allows Remote Attackers to Execute Code as Root

NOTES

Argo CD Security Bug Opens Kubernetes Cloud Apps to Attackers

  • a high-severity security vulnerability in Argo CD
  • About Argo CD
    • which is a continuous-delivery platform deployed as a Kubernetes controller in the cloud
      • it’s used to deploy applications, then continuously monitor them in real time as they run.
    • can enable attackers to access targets’ application-development environments
      • paving the way for stealing passwords, API keys, tokens, and other sensitive information.
  • Vulnerability
    • CVE-2022-24348
      • CVSS 7.7 out of 10
    • the bug is a path-traversal issue, which allows Malicious Actors access to files and directories that are stored outside their permission purview
    • exploit the bug by loading a malicious Kubernetes Helm Chart YAML file into the Argo CD system, then using it to “hop” from their own application ecosystem to access other applications’ data
      • “A Helm Chart is a YAML file that embeds different fields to form a declaration of resources and configurations needed in order for deploying an application
      • The application being built may have certain building blocks, which could be housed in other files that function as self-contained application parts kept in a repository.
    • If cyber attackers successfully exploit the bug, they can read the contents of other files present on the repo server, which can contain sensitive information
    • While that’s concerning enough, researchers also noted that an exploit could offer a foothold for moving laterally through an organization’s cloud.
    • How to Fix
      • Update Argo Cd ASAP

CISA Warns of Critical Vulnerabilities Discovered in Airspan Networks Mimosa

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday published an Industrial Controls Systems Advisory (ICSA) warning of multiple vulnerabilities in the Airspan Networks Mimosa equipment
    • could be abused to gain remote code execution, create a denial-of-service (DoS) condition, obtain sensitive information, compromise Mimosa’s AWS (Amazon Web Services) cloud EC2 instance and S3 Buckets, and execute unauthorized remote code on all cloud-connected Mimosa devices
  • Airspan Network’s Mimosa product line provides hybrid fiber-wireless (HFW) network solutions
    • service providers, industrial, and government operators
    • both short and long-range broadband deployments.
  • The seven flaws, which were discovered and reported by CISA, affect the following products —
    • Mimosa Management Platform (MMP) running versions prior to v1.0.3
    • Point-to-Point (PTP) C5c and C5x running versions prior to v2.8.6.1, and
    • Point-to-Multipoint (PTMP) A5x and C-series (C5c, C5x, and C6x) running versions prior to v2.5.4.1
  • CISA
    • 7 Vulnerabilities
      • 3x 10 out of 10 CVSS
        • adversary to execute arbitrary code
        • access secret keys
        • modify configurations
      • 4 others
        • allow an attacker to inject arbitrary commands
        • crack hashed (but not salted) passwords
        • gain unauthorized access to sensitive information.
  • What you can do:
    • users are recommended to update
      • MMP version 1.0.4 or higher
      • PTP C5c and C5x version 2.90 or higher
      • PTMP A5x and C-series version 2.9.0 or higher.
    • isolate control system networks from the business network

Hackers Exploited 0-Day Vulnerability in Zimbra Email Platform to Spy on Users

 

  • Malicious Actors are exploiting a Zero day Vuln in Zimbra
    • Open Source email platform
  • Operation Codes Name EmailTheif
    • Discovered by Volexity (CyberSec company)
  • Allow execution of Javascript code
  • Dec 14, 2021
    • Attacks started
  • Group
    • TEMP_HERETIC
      • Believed to be a Chinese based group
      • None of the infrastructures identified matches infrastructure used by previously classified threat groups
      • However, based on the targeted organization and specific individuals of the targeted organization, and given the stolen data would have no financial value, it is likely the attacks were undertaken by a Chinese APT actor.”
    • Targeting European government
    • Media
  • Impact Zimbra
    • Ver 8.8.15
  • Two Phases
    • the first stage aimed
      • reconnaissance
      • distributing emails designed to keep tabs if a target received and opened the messages
    • Second Stage
      • multiple waves of email messages were broadcasted to trick the recipients into clicking a malicious link.
  • 74 Knowns outlook.com emails used
  • For the attack to be successful, the target would have to visit the attacker’s link while logged into the Zimbra webmail client from a web browser The link itself, however, could be launched from an application to include a thick client, such as Thunderbird or Outlook.”
  • The unpatched flaw, should it be weaponized, could be abused to exfiltrate cookies to allow persistent access to a mailbox, send phishing messages from the compromised email account to widen the infection, and even facilitate the download of additional malware.
  • Protect
    • “Users of Zimbra should consider upgrading to version 9.0.0, as there is currently no secure version of 8.8.15,

Dozens of Security Flaws Discovered in UEFI Firmware Used by Several Vendors

  • Bull Atos, Fujitsu, HP, Juniper Networks, Lenovo
    • 23 new high severity security vulnerabilities
      • Unified Extensible Firmware Interface (UEFI) firmware
      • Insyde Sofware’s InsydeH2O UEFI firmware
    • majority of the anomalies diagnosed
      • in the System Management Mode (SMM).
  • What is UEFI
    • Software specification that provides a standard programming interface connecting a computer’s firmware to its operating system during the booting process
    • In x86 systems, the UEFI firmware is usually stored in the flash memory chip of the motherboard.
  • Exploit
    • 23 CVS’s issued
      • CVSS scores: 7.5 – 8.2 out of 10
    • attackers can successfully install malware
      • survives operating system re-installations
      • allows the bypass of endpoint security solutions (EDR/AV), Secure Boot, and Virtualization-Based Security isolation,
    • allow a malicious actor to run arbitrary code with SMM permissions
      • that handles power management, hardware configuration, thermal monitoring, and other functions.
    • SMM executes at the highest privilege level and is invisible to the OS
    • chained together to bypass security features
      • install the malware in a manner that survives operating system re-installations and achieves long-term persistence on compromised systems
    • creating a communications channel to exfiltrate sensitive data.
  • Protection
    • Insyde has released firmware patches
    • But OEM implementations could take a considerable amount of time to be pushed out.

New Samba Bug Allows Remote Attackers to Execute Arbitrary Code as Root

  • Samba released an update – Jan 31
    • Addresses multiple vulnerabilities
      • CVE-2021-44141 (CVSS score: 4.2)
        • Information leak via symlinks of the existence of files or directories outside of the exported share (Fixed in Samba version 4.15.5)
      • CVE-2022-0336 (CVSS score: 3.1)
        • Samba AD users with permission to write to an account can impersonate arbitrary services (Fixed in Samba versions 4.13.17, 4.14.12, and 4.15.4)
      • CVE-2021-4414 (Major)
        • CVSS Score of 9.9 out of 10
        • impacts all versions of Samba before 4.13.17
      • An attacker can leverage this vulnerability to execute code in the context of root.”            
    • Samba maintainers said, All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read-write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit
  • CERT Coordination Center (CERT/CC), the flaw also affects widely used Linux distributions such as Red Hat, SUSE Linux, and Ubuntu.
  • Samba?
    • Samba is a popular freeware implementation of the Server Message Block (SMB) protocol that allows users to access files, printers, and other commonly shared resources over a network.
  • Fix

Samba administrators are recommended to upgrade to these releases or apply the patch as soon as possible to mitigate the defect and thwart any potential attacks exploiting the vulnerability.