Blog entry by Les Bell

by Les Bell - Friday, 14 July 2023, 10:58 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Big Day for Network Admins

It could be a long weekend for network admins, with both Cisco and Juniper releasing updates to deal with vulnerabilities.

For Cisco, the problem is an API vulnerability in the RESTful API of SD-WAN vManage. The API performs insufficient request validation, which could allow an unauthenticated, remote attacker to send a crafted API request, allowing either the retrieval or the update of the vManage instance configuration.

The vulnerability only affects the REST API and not the web management interface or command-line interface. Administrators can use the CLI show log command to review the vManage logs, looking for entries that may indicate a compromise. The vulnerability can be mitigated by using access control lists to restrict access to the API to only trusted IP addresses.

Juniper admins have to deal with multiple vulnerabilities in Junos OS, some of which can be exploited to take control of the affected system. The vulnerabilities range from buffer overflows in the flowd flow processing daemon on SRX series devices causing crashes, through an exception handling error in the processing of datagrams routed over VXLAN tunnels which can cause a DoS, to multiple vulnerabilities in the PHP code of the J-Web management interface. The fix is, of course, a software update.

It now being Friday, this puts network admins on the horns of a dilemma: the zeroth rule of system administration is:

Patch not on a Friday, lest ye be condemned to work the entire weekend fixing stuff

But these are security fixes, so best hop to it!

Cisco, Cisco SD-WAN vManage Unauthenticated REST API Access Vulnerability, security advisory, 12 July 2023. Available online at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-unauthapi-sphCLYPA.

Juniper, Junos OS and Junos OS Evolved July Security Bulletins, security advisories, 12 July 2023. Available online at https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=relevancy&f:ctype=[Security%20Advisories]&f:level1=[OS].

Security Researchers Targeted by Fake PoC Code

A salutary tale for malware analysts and security researchers: in an audacious attack, an unidentified threat actor is targeting them via a fake proof-of-concept that will install a backdoor on their systems, allowing the threat actor to gain access to the system and intelligence on their activities.

The PoC was shared on GitHub by an account named ChrisSander22, and while the PoC has now been removed it is not clear whether it was taken down by GitHub or its owner. However, the PoC has circulated independently within the security community.

The PoC claims to be a demonstration of CVE-2022-34918, a Linux kernel vulnerability, and upon casual inspection, that is exactly what it seems to be. Like many low-level exploits, it is distributed as C source code. Now, a lot of open-source code needs to be configured for the target operating system, and so developers are familiar with using tools like autoconf and automake, which set things up correctly. These tools make use of the M4 macro language to simplify the process, and so some of the files used, like aclocal.m4, become familiar and arouse no suspicion.

Except that in this case, the supplied aclocal.m4 is not a text file containing macros, but an ELF format binary executable. This was discovered by researchers at Uptycs when their XDR was triggered by the PoC attempting to make network connections and transfer data. Zeroing in on the aclocal.m4 file, they found that it is run from within the PoC makefile and, upon reverse-engineering it, they found that it copies itself to a hidden directory, renaming the copy to kworker, adds a command to the user's .bashrc file to restart itself, and then downloads a shell script from a C2 server and runs it.

This script then exfiltrates the /etc/passwd file (which will not contain password hashes but can still be useful), adds the attacker's public key to ~/.ssh/authorized_keys to permit future access and then sets about exfiltrating more data, such as the contents of the victim's home directory. Of course, with SSH access, the attacker can return for anything else they want.
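The three tells described above (a build-system file that is really an ELF binary, a .bashrc line that restarts something from a hidden directory, and an unexpected entry in authorized_keys) are all cheap to check for. The script below is an added example written for this briefing; it is not code from the Uptycs analysis or from the PoC, and it builds its own constructed sample tree rather than touching any real malware. The list of "should be text" build files, the hidden-directory heuristic, and the sample key bodies are all assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"

# Autotools artefacts that should always be plain text; an ELF header in any of
# them is the tell-tale from the story above. Illustrative list, not exhaustive.
TEXT_BUILD_NAMES = {"aclocal.m4", "configure", "configure.ac", "Makefile.am", "Makefile.in"}
TEXT_SUFFIXES = {".m4", ".ac", ".am", ".in", ".c", ".h", ".sh"}

# A path component such as /.cache/ (assumed heuristic for "hidden directory").
HIDDEN_DIR = re.compile(r"/\.[^/\s'\"]+/")


def looks_like_elf(path: Path) -> bool:
    """True when the file starts with the ELF magic bytes."""
    with path.open("rb") as fh:
        return fh.read(len(ELF_MAGIC)) == ELF_MAGIC


def find_binary_masquerades(root: Path) -> list:
    """Return source-tree files that claim to be text but carry an ELF header."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and (p.name in TEXT_BUILD_NAMES or p.suffix in TEXT_SUFFIXES):
            if looks_like_elf(p):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def suspicious_bashrc_lines(bashrc: Path) -> list:
    """Lines that background a program from a hidden directory, or mention kworker."""
    out = []
    for line in bashrc.read_text().splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        backgrounded = s.endswith("&") or "nohup " in s or "setsid " in s
        if "kworker" in s or (HIDDEN_DIR.search(s) and backgrounded):
            out.append(s)
    return out


def unknown_authorized_keys(auth_keys: Path, known_keys: set) -> list:
    """Key bodies in authorized_keys that are not in the known set.

    Assumes the plain "type body [comment]" line format (no leading options).
    """
    unknown = []
    for line in auth_keys.read_text().splitlines():
        fields = line.split()
        if len(fields) < 2 or line.lstrip().startswith("#"):
            continue
        if fields[1] not in known_keys:
            unknown.append(fields[1])
    return unknown


def demo() -> dict:
    """Build a constructed sample tree (no real malware) and run the three checks."""
    root = Path(tempfile.mkdtemp())
    src = root / "src"
    src.mkdir()
    # Constructed stand-in: a file named aclocal.m4 whose first bytes are an ELF header.
    (src / "aclocal.m4").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
    (src / "configure.ac").write_text("AC_INIT([poc], [1.0])\n")

    home = root / "home"
    (home / ".ssh").mkdir(parents=True)
    (home / ".bashrc").write_text(
        "export PATH=$HOME/.local/bin:$PATH\n"   # benign: hidden dir, not backgrounded
        "~/.kworker_cache/kworker &\n"           # constructed persistence line
    )
    known = "AAAAC3constructedKnownKey"
    (home / ".ssh" / "authorized_keys").write_text(
        f"ssh-ed25519 {known} admin@workstation\n"
        "ssh-ed25519 AAAAC3constructedUnknownKey attacker\n"
    )
    return {
        "masquerades": find_binary_masquerades(src),
        "bashrc": suspicious_bashrc_lines(home / ".bashrc"),
        "unknown_keys": unknown_authorized_keys(home / ".ssh" / "authorized_keys", {known}),
    }


if __name__ == "__main__":
    print(demo())
```

On a real host, point `find_binary_masquerades` at the unpacked PoC directory before running make, and feed the user's own `.bashrc` and `authorized_keys` to the other two checks; the hidden-directory heuristic is deliberately narrow (it ignores an ordinary `PATH` export) so that it flags the restart line without drowning in false positives.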

The Uptycs blog post provides an interesting analysis, along with guidance for identifying and removing the backdoor, including IOCs.

Hegde, Nischay and Siddartha Malladi, PoC Exploit: Fake Proof of Concept with Backdoor Malware, blog post, 12 July 2023. Available online at https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
