Episode 6: February 06 2022

Argo CD Security Bug Opens Kubernetes to Attackers, Critical Vulnerabilities Discovered in Airspan Networks Mimosa, Hackers Exploit 0-Day Vulnerability in Zimbra, Dozens of Security Flaws Discovered in UEFI Firmware, Samba Bug Allows Remote Attackers to Execute Code as Root

Bullet points of key topics + chapter markers
[00:41] Argo CD Security Bug Opens Kubernetes to Attackers
[04:24] Critical Vulnerabilities Discovered in Airspan Networks Mimosa
[08:11] Hackers Exploit 0-Day Vulnerability in Zimbra
[12:11] Dozens of Security Flaws Discovered in UEFI Firmware
[16:35] Samba Bug Allows Remote Attackers to Execute Code as Root

NOTES

Argo CD Security Bug Opens Kubernetes Cloud Apps to Attackers

  • a high-severity security vulnerability in Argo CD
  • About Argo CD
    • which is a continuous-delivery platform deployed as a Kubernetes controller in the cloud
      • it’s used to deploy applications, then continuously monitor them in real time as they run.
    • can enable attackers to access targets’ application-development environments
      • paving the way for stealing passwords, API keys, tokens, and other sensitive information.
  • Vulnerability
    • CVE-2022-24348
      • CVSS 7.7 out of 10
    • the bug is a path-traversal issue, which allows Malicious Actors access to files and directories that are stored outside their permission purview
    • exploit the bug by loading a malicious Kubernetes Helm Chart YAML file into the Argo CD system, then using it to “hop” from their own application ecosystem to access other applications’ data
      • “A Helm Chart is a YAML file that embeds different fields to form a declaration of resources and configurations needed in order for deploying an application
      • The application being built may have certain building blocks, which could be housed in other files that function as self-contained application parts kept in a repository.
    • If cyber attackers successfully exploit the bug, they can read the contents of other files present on the repo server, which can contain sensitive information
    • While that’s concerning enough, researchers also noted that an exploit could offer a foothold for moving laterally through an organization’s cloud.
    • How to Fix
      • Update Argo Cd ASAP

CISA Warns of Critical Vulnerabilities Discovered in Airspan Networks Mimosa

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday published an Industrial Controls Systems Advisory (ICSA) warning of multiple vulnerabilities in the Airspan Networks Mimosa equipment
    • could be abused to gain remote code execution, create a denial-of-service (DoS) condition, obtain sensitive information, compromise Mimosa’s AWS (Amazon Web Services) cloud EC2 instance and S3 Buckets, and execute unauthorized remote code on all cloud-connected Mimosa devices
  • Airspan Network’s Mimosa product line provides hybrid fiber-wireless (HFW) network solutions
    • service providers, industrial, and government operators
    • both short and long-range broadband deployments.
  • The seven flaws, which were discovered and reported by CISA, affect the following products —
    • Mimosa Management Platform (MMP) running versions prior to v1.0.3
    • Point-to-Point (PTP) C5c and C5x running versions prior to v2.8.6.1, and
    • Point-to-Multipoint (PTMP) A5x and C-series (C5c, C5x, and C6x) running versions prior to v2.5.4.1
  • CISA
    • 7 Vulnerabilities
      • 3x 10 out of 10 CVSS
        • adversary to execute arbitrary code
        • access secret keys
        • modify configurations
      • 4 others
        • allow an attacker to inject arbitrary commands
        • crack hashed (but not salted) passwords
        • gain unauthorized access to sensitive information.
  • What you can do:
    • users are recommended to update
      • MMP version 1.0.4 or higher
      • PTP C5c and C5x version 2.90 or higher
      • PTMP A5x and C-series version 2.9.0 or higher.
    • isolate control system networks from the business network

Hackers Exploited 0-Day Vulnerability in Zimbra Email Platform to Spy on Users

 

  • Malicious Actors are exploiting a Zero day Vuln in Zimbra
    • Open Source email platform
  • Operation Codes Name EmailTheif
    • Discovered by Volexity (CyberSec company)
  • Allow execution of Javascript code
  • Dec 14, 2021
    • Attacks started
  • Group
    • TEMP_HERETIC
      • Believed to be a Chinese based group
      • None of the infrastructures identified matches infrastructure used by previously classified threat groups
      • However, based on the targeted organization and specific individuals of the targeted organization, and given the stolen data would have no financial value, it is likely the attacks were undertaken by a Chinese APT actor.”
    • Targeting European government
    • Media
  • Impact Zimbra
    • Ver 8.8.15
  • Two Phases
    • the first stage aimed
      • reconnaissance
      • distributing emails designed to keep tabs if a target received and opened the messages
    • Second Stage
      • multiple waves of email messages were broadcasted to trick the recipients into clicking a malicious link.
  • 74 Knowns outlook.com emails used
  • For the attack to be successful, the target would have to visit the attacker’s link while logged into the Zimbra webmail client from a web browser The link itself, however, could be launched from an application to include a thick client, such as Thunderbird or Outlook.”
  • The unpatched flaw, should it be weaponized, could be abused to exfiltrate cookies to allow persistent access to a mailbox, send phishing messages from the compromised email account to widen the infection, and even facilitate the download of additional malware.
  • Protect
    • “Users of Zimbra should consider upgrading to version 9.0.0, as there is currently no secure version of 8.8.15,

Dozens of Security Flaws Discovered in UEFI Firmware Used by Several Vendors

  • Bull Atos, Fujitsu, HP, Juniper Networks, Lenovo
    • 23 new high severity security vulnerabilities
      • Unified Extensible Firmware Interface (UEFI) firmware
      • Insyde Sofware’s InsydeH2O UEFI firmware
    • majority of the anomalies diagnosed
      • in the System Management Mode (SMM).
  • What is UEFI
    • Software specification that provides a standard programming interface connecting a computer’s firmware to its operating system during the booting process
    • In x86 systems, the UEFI firmware is usually stored in the flash memory chip of the motherboard.
  • Exploit
    • 23 CVS’s issued
      • CVSS scores: 7.5 – 8.2 out of 10
    • attackers can successfully install malware
      • survives operating system re-installations
      • allows the bypass of endpoint security solutions (EDR/AV), Secure Boot, and Virtualization-Based Security isolation,
    • allow a malicious actor to run arbitrary code with SMM permissions
      • that handles power management, hardware configuration, thermal monitoring, and other functions.
    • SMM executes at the highest privilege level and is invisible to the OS
    • chained together to bypass security features
      • install the malware in a manner that survives operating system re-installations and achieves long-term persistence on compromised systems
    • creating a communications channel to exfiltrate sensitive data.
  • Protection
    • Insyde has released firmware patches
    • But OEM implementations could take a considerable amount of time to be pushed out.

New Samba Bug Allows Remote Attackers to Execute Arbitrary Code as Root

  • Samba released an update – Jan 31
    • Addresses multiple vulnerabilities
      • CVE-2021-44141 (CVSS score: 4.2)
        • Information leak via symlinks of the existence of files or directories outside of the exported share (Fixed in Samba version 4.15.5)
      • CVE-2022-0336 (CVSS score: 3.1)
        • Samba AD users with permission to write to an account can impersonate arbitrary services (Fixed in Samba versions 4.13.17, 4.14.12, and 4.15.4)
      • CVE-2021-4414 (Major)
        • CVSS Score of 9.9 out of 10
        • impacts all versions of Samba before 4.13.17
      • An attacker can leverage this vulnerability to execute code in the context of root.”            
    • Samba maintainers said, All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read-write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit
  • CERT Coordination Center (CERT/CC), the flaw also affects widely used Linux distributions such as Red Hat, SUSE Linux, and Ubuntu.
  • Samba?
    • Samba is a popular freeware implementation of the Server Message Block (SMB) protocol that allows users to access files, printers, and other commonly shared resources over a network.
  • Fix

Samba administrators are recommended to upgrade to these releases or apply the patch as soon as possible to mitigate the defect and thwart any potential attacks exploiting the vulnerability.

Leave a Reply

Your email address will not be published.