Episode 06: February 06 2022

Bullet points of key topics + chapter markers
[00:41] Argo CD Security Bug Opens Kubernetes to Attackers
[04:24] Critical Vulnerabilities Discovered in Airspan Networks Mimosa
[08:11] Hackers Exploit 0-Day Vulnerability in Zimbra
[12:11] Dozens of Security Flaws Discovered in UEFI Firmware
[16:35] Samba Bug Allows Remote Attackers to Execute Code as Root

NOTES

Argo CD Security Bug Opens Kubernetes Cloud Apps to Attackers

  • a high-severity security vulnerability in Argo CD
  • About Argo CD
    • which is a continuous-delivery platform deployed as a Kubernetes controller in the cloud
      • it’s used to deploy applications, then continuously monitor them in real time as they run.
    • can enable attackers to access targets’ application-development environments
      • paving the way for stealing passwords, API keys, tokens, and other sensitive information.
  • Vulnerability
    • CVE-2022-24348
      • CVSS 7.7 out of 10
    • the bug is a path-traversal issue, which allows malicious actors to access files and directories stored outside the scope they are permitted to reach
    • attackers exploit the bug by loading a malicious Kubernetes Helm Chart YAML file into the Argo CD system, then using it to “hop” from their own application ecosystem to other applications’ data
      • “A Helm Chart is a YAML file that embeds different fields to form a declaration of resources and configurations needed in order for deploying an application.
      • The application being built may have certain building blocks, which could be housed in other files that function as self-contained application parts kept in a repository.”
    • If cyber attackers successfully exploit the bug, they can read the contents of other files present on the repo server, which can contain sensitive information
    • While that’s concerning enough, researchers also noted that an exploit could offer a foothold for moving laterally through an organization’s cloud.
    • How to Fix
      • Update Argo CD as soon as possible
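The path-traversal class of bug described above, shown as an added Python example that is not Argo CD’s code or its fix: a containment check a server should apply before reading any file that a user-supplied chart or manifest points at. The repository layout, file names and the “other-app” secret are constructed for the demo; resolving the path first (which collapses `..` and follows symlinks) and only then testing whether it still lies under the allowed root is what closes both the `..` and the symlink variants.

```python
import os
import tempfile
from pathlib import Path

# Constructed example, not Argo CD code: a containment check for file paths
# that a chart (or any user-supplied manifest) asks the server to read.

def resolve_contained_path(repo_root, requested):
    """Resolve `requested` against `repo_root` and refuse anything that ends up
    outside the root after normalisation and symlink resolution."""
    root = Path(repo_root).resolve(strict=True)
    # An absolute `requested` replaces `root` in the join; resolve() collapses
    # `..` and follows symlinks, so the relative_to() test below catches
    # traversal, absolute paths and symlink escapes alike.
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PermissionError(f"{requested!r} resolves outside {root}")
    return candidate

def is_contained(repo_root, requested):
    """Boolean form of the check, convenient for tests and reporting."""
    try:
        resolve_contained_path(repo_root, requested)
        return True
    except PermissionError:
        return False

def build_demo_repo():
    """Constructed layout: one allowed repo ('my-app') and a sibling
    'other-app' repo holding a placeholder secret, plus a symlink inside the
    allowed repo that points at that secret."""
    base = tempfile.mkdtemp()
    repo = Path(base, "repos", "my-app")
    other = Path(base, "repos", "other-app")
    (repo / "charts" / "web").mkdir(parents=True)
    other.mkdir(parents=True)
    (repo / "charts" / "web" / "values.yaml").write_text("replicas: 2\n")
    (other / "secrets.yaml").write_text("apiKey: CONSTRUCTED-PLACEHOLDER\n")
    os.symlink(other / "secrets.yaml", repo / "charts" / "web" / "link.yaml")
    return str(repo), str(other)

def demo():
    """Run the check against a legitimate chart file and three escape attempts."""
    repo, other = build_demo_repo()
    return {
        "in_repo": is_contained(repo, "charts/web/values.yaml"),
        "dotdot": is_contained(repo, "charts/web/../../../other-app/secrets.yaml"),
        "absolute": is_contained(repo, str(Path(other, "secrets.yaml"))),
        "symlink": is_contained(repo, "charts/web/link.yaml"),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:9s} {'allowed' if allowed else 'REJECTED'}")
```

Only `in_repo` is allowed; the `..` path, the absolute path and the symlink are all rejected because each resolves to a file that is not under the allowed root. Checking the string for `..` alone would have missed the symlink case.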

CISA Warns of Critical Vulnerabilities Discovered in Airspan Networks Mimosa

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday published an Industrial Control Systems Advisory (ICSA) warning of multiple vulnerabilities in Airspan Networks Mimosa equipment
    • could be abused to gain remote code execution, create a denial-of-service (DoS) condition, obtain sensitive information, compromise Mimosa’s AWS (Amazon Web Services) cloud EC2 instance and S3 Buckets, and execute unauthorized remote code on all cloud-connected Mimosa devices
  • Airspan Networks’ Mimosa product line provides hybrid fiber-wireless (HFW) network solutions
    • for service providers, industrial, and government operators
    • for both short- and long-range broadband deployments
  • The seven flaws, which were discovered and reported by CISA, affect the following products:
    • Mimosa Management Platform (MMP) running versions prior to v1.0.3
    • Point-to-Point (PTP) C5c and C5x running versions prior to v2.8.6.1, and
    • Point-to-Multipoint (PTMP) A5x and C-series (C5c, C5x, and C6x) running versions prior to v2.5.4.1
  • CISA
    • 7 Vulnerabilities
      • 3x 10 out of 10 CVSS
        • adversary to execute arbitrary code
        • access secret keys
        • modify configurations
      • 4 others
        • allow an attacker to inject arbitrary commands
        • crack hashed (but not salted) passwords
        • gain unauthorized access to sensitive information.
  • What you can do:
    • users are recommended to update to
      • MMP version 1.0.4 or higher
      • PTP C5c and C5x version 2.90 or higher
      • PTMP A5x and C-series version 2.9.0 or higher.
    • isolate control system networks from the business network

Hackers Exploited 0-Day Vulnerability in Zimbra Email Platform to Spy on Users
  • Malicious actors are exploiting a zero-day vulnerability in Zimbra
    • an open-source email platform
  • Operation code name: EmailThief
    • Discovered by Volexity (a cybersecurity company)
  • Allows execution of JavaScript code
  • Dec 14, 2021
    • Attacks started
  • Group
    • TEMP_HERETIC
      • Believed to be a China-based group
      • None of the infrastructure identified matches infrastructure used by previously classified threat groups
      • “However, based on the targeted organization and specific individuals of the targeted organization, and given the stolen data would have no financial value, it is likely the attacks were undertaken by a Chinese APT actor.”
    • Targeting European government
    • Media
  • Affected Zimbra version
    • 8.8.15
  • Two Phases
    • First stage
      • reconnaissance
      • distributing emails designed to track whether a target received and opened the messages
    • Second Stage
      • multiple waves of email messages were sent to trick the recipients into clicking a malicious link
  • 74 known outlook.com email addresses used
  • “For the attack to be successful, the target would have to visit the attacker’s link while logged into the Zimbra webmail client from a web browser. The link itself, however, could be launched from an application to include a thick client, such as Thunderbird or Outlook.”
  • The unpatched flaw, should it be weaponized, could be abused to exfiltrate cookies to allow persistent access to a mailbox, send phishing messages from the compromised email account to widen the infection, and even facilitate the download of additional malware.
  • Protection
    • “Users of Zimbra should consider upgrading to version 9.0.0, as there is currently no secure version of 8.8.15.”

Dozens of Security Flaws Discovered in UEFI Firmware Used by Several Vendors

  • Affected vendors: Bull Atos, Fujitsu, HP, Juniper Networks, Lenovo
    • 23 new high-severity security vulnerabilities
      • in Unified Extensible Firmware Interface (UEFI) firmware
      • specifically Insyde Software’s InsydeH2O UEFI firmware
    • the majority of the flaws were found
      • in System Management Mode (SMM)
  • What is UEFI?
    • A software specification that provides a standard programming interface connecting a computer’s firmware to its operating system during the boot process
    • In x86 systems, the UEFI firmware is usually stored in the flash memory chip of the motherboard.
  • Exploit
    • 23 CVEs issued
      • CVSS scores: 7.5 – 8.2 out of 10
    • attackers can successfully install malware that
      • survives operating system re-installations
      • bypasses endpoint security solutions (EDR/AV), Secure Boot, and Virtualization-Based Security isolation
    • the flaws allow a malicious actor to run arbitrary code with SMM permissions
      • SMM handles power management, hardware configuration, thermal monitoring, and other functions
    • SMM executes at the highest privilege level and is invisible to the OS
    • the flaws can be chained together to bypass security features and
      • install malware in a manner that survives operating system re-installations and achieves long-term persistence on compromised systems
      • create a communications channel to exfiltrate sensitive data
  • Protection
    • Insyde has released firmware patches
    • but OEM implementations of those patches could take a considerable amount of time to be pushed out

New Samba Bug Allows Remote Attackers to Execute Arbitrary Code as Root

  • Samba released an update on Jan 31
    • addresses multiple vulnerabilities
      • CVE-2021-44141 (CVSS score: 4.2)
        • information leak via symlinks of the existence of files or directories outside of the exported share (fixed in Samba version 4.15.5)
      • CVE-2022-0336 (CVSS score: 3.1)
        • Samba AD users with permission to write to an account can impersonate arbitrary services (fixed in Samba versions 4.13.17, 4.14.12, and 4.15.4)
      • CVE-2021-4414 (major)
        • CVSS score of 9.9 out of 10
        • impacts all versions of Samba before 4.13.17
        • “An attacker can leverage this vulnerability to execute code in the context of root.”
    • Samba maintainers said: “All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read/write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit.”
  • According to the CERT Coordination Center (CERT/CC), the flaw also affects widely used Linux distributions such as Red Hat, SUSE Linux, and Ubuntu
  • What is Samba?
    • Samba is a popular free, open-source implementation of the Server Message Block (SMB) protocol that allows users to access files, printers, and other commonly shared resources over a network
  • Fix
    • Samba administrators are recommended to upgrade to these releases or apply the patch as soon as possible to mitigate the defect and thwart any potential attacks exploiting the vulnerability
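Because the root-level bug above is only reachable on installations that load the vfs_fruit module, the first thing an administrator wants to know is which shares actually expose it and whether the running version predates the fixed releases named in these notes (4.13.17, 4.14.12, 4.15.4). The following Python is an added example, not Samba project code: a small smb.conf reader that accounts for the fact that a “vfs objects” line in [global] is the default for every share that does not set its own, plus a version comparison against those fixed releases. The smb.conf contents and version strings are constructed for the demo.

```python
import re

# Constructed example, not Samba project code: read-only checks an admin can
# run against smb.conf and `smbd --version` output to see whether the
# vfs_fruit heap read/write bug is reachable on this host.

# Fixed releases named in the show notes, keyed by branch (major, minor).
FIXED_RELEASES = {(4, 13): 17, (4, 14): 12, (4, 15): 4}
OLDEST_FIX = (4, 13, 17)   # "all versions prior to 4.13.17 are vulnerable"

def parse_smb_conf(text):
    """Minimal smb.conf reader returning {section: {parameter: value}}.
    Parameter names are lower-cased with inner whitespace collapsed, so
    'VFS Objects' and 'vfs  objects' compare equal, as Samba treats them."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                          # blank line or comment
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                          # text before any section header
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def fruit_shares(conf_text):
    """Names of shares whose effective 'vfs objects' list includes 'fruit'.
    A share that sets its own 'vfs objects' line replaces the [global]
    default; a share without one inherits it."""
    conf = parse_smb_conf(conf_text)
    default_vfs = conf.get("global", {}).get("vfs objects", "")
    return [
        name for name, params in conf.items()
        if name != "global"
        and "fruit" in params.get("vfs objects", default_vfs).split()
    ]

def version_is_vulnerable(version_string):
    """True when the numeric prefix of the version (e.g. '4.13.16-Ubuntu')
    is older than the fixed release for its branch; branches older than
    4.13 are all affected according to the advisory quoted above."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"unrecognised Samba version: {version_string!r}")
    major, minor, patch = (int(x) for x in m.groups())
    branch_fix = FIXED_RELEASES.get((major, minor))
    if branch_fix is not None:
        return patch < branch_fix
    return (major, minor, patch) < OLDEST_FIX

def assess(version_string, conf_text):
    """Combine both checks: the bug needs an old version AND a fruit share."""
    shares = fruit_shares(conf_text)
    old = version_is_vulnerable(version_string)
    return {"version_vulnerable": old, "fruit_shares": shares,
            "at_risk": old and bool(shares)}

# Constructed smb.conf: fruit is loaded globally, [public] overrides the
# list without it, [timemachine] and [homes] inherit the global default.
SAMPLE_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = constructed example
   VFS Objects = catia fruit streams_xattr

[public]
   path = /srv/public
   vfs objects = recycle

[timemachine]
   path = /srv/timemachine
   fruit:time machine = yes

[homes]
   browseable = no
   read only = no
"""

if __name__ == "__main__":
    for ver in ("4.13.16-Ubuntu", "4.13.17", "4.15.3", "4.15.5"):
        print(ver, assess(ver, SAMPLE_CONF))
```

On the sample configuration the check reports `timemachine` and `homes` as fruit shares (inherited from [global]) and `public` as clean because it overrides the list; a 4.13.16 or 4.15.3 host with those shares is flagged at risk, while 4.13.17 and 4.15.5 are not. The parser is deliberately small and does not handle `include =` or `config file =` directives, so run it on the output of `testparm -s` if the real configuration is split across files.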