blog

Security Vulnerability of the Week 02/05/22 (updated)

This second week we focus on Application security and Mostly on cloud security vulnerabilities being disclosed throughout the year

This week’s Features: Jet Brain Toolkit, Oracle Mysql, Zoom, Cloud security vulnerabilities

—-

Appsec

Jet Brain: IntelliJ IDEA, PyCharm …

  • CVE-2022-29813 Risk still to be assessed – affecting – IntelliJ IDEA before 2022.1
  • TeamCity – High – Credential Disclosure – (No CVE, CWE – 522 )

Patch Fixes: https://www.jetbrains.com/privacy-security/issues-fixed/

Oracle

Oracle Fixes 136 Vulnerabilities With April CPU | Threatpost

Affected products:

MySQL Connectors, versions 8.0.28 and priorMySQL
MySQL Enterprise Monitor, versions 8.0.29 and priorMySQL
MySQL Server, versions 5.7.37 and prior, 8.0.28 and priorMySQL
MySQL Workbench, versions 8.0.28 and priorMySQL

Link to the Advisory https://www.oracle.com/securitylerts/cpuapr2022.html

Zoom

Some of the zoom video controllers on-prem got vulnerabilities –

  • CVE-2021-34414 vulnerability (which obtained a CVSS 3.1 score of 7.2
  • CVE-2021-34415, with a CVSS 3.0 score of 7.5

The patch is available for all the CVEs

Affected devices

  • Meeting Connector Controller up to version 4.6.348.20201217
  • Meeting Connector MMR up to version 4.6.348.20201217
  • Recording Connector up to version 3.8.42.20200905
  • Virtual Room Connector up to version 4.4.6620.20201110
  • Virtual Room Connector Load Balancer prior to version 2.5.5495.20210326.

Minor vulnerability – CVE-2021-34416 with a CVSS 3.0 score of 5.5

Egor Dimitrenko discovery affected the following:

  • Meeting Connector up to version 4.6.360.20210325
  • Meeting Connector MMR up to version 4.6.360.20210325
  • Recording Connector up to version 3.8.44.20210326
  • Virtual Room Connector up to version 4.4.6752.20210326
  • Virtual Room Connector Load Balancer up to version 2.5.5495.20210326

Github

This is more of a breach due to stolen oauth 2 tokens. Github private repo are not affected

Since this campaign was first spotted on April 12, 2022, the threat actor has already accessed and stolen data from dozens of victim organizations using Heroku and Travis-CI-maintained OAuth apps, including npm.

As per bleeping computer article GitHub disclosed the breach on the evening of April 15th, three days after discovering the attack, when the malicious actor accessed GitHub’s npm production infrastructure.

“The applications maintained by these integrators were used by GitHub users, including GitHub itself,” revealed today Mike Hanley, Chief Security Officer (CSO) at GitHub.

Impacted Applications:

According to Hanley the list of impacted OAuth applications includes:

  • Heroku Dashboard (ID: 145909)
  • Heroku Dashboard (ID: 628778)
  • Heroku Dashboard – Preview (ID: 313468)
  • Heroku Dashboard – Classic (ID: 363831)
  • Travis CI (ID: 9216)

Github has shared the following guidance:

GitHub shared the following guidance with potentially impacted customers to help them investigate logs for evidence of data exfiltration or malicious activity:

  • Review all your private repositories for secrets or credentials stored in them. There are several tools that can help with this task, such as GitHub secret scanning and trufflehog.
  • Review the OAuth applications that you’ve authorized for your personal account or that are authorized to access your organization and remove anything that’s no longer needed.
  • Follow GitHub’s guidelines for hardening the security posture of your GitHub organization.
  • Review your account activity, personal access tokens, OAuth apps, and SSH keys for any activity or changes that may have come from the attacker.
  • Additional questions should be directed to GitHub Support.

Cloud

Current Year Research on Vulnerabilities Discovered

No alternative text description for this image
Courtesy of Christoper Parisel

Azure –

Chaos DB- Wiz – CVSS 9 – Aug 26 – 2021

#ChaosDB is an unprecedented critical vulnerability in the Azure cloud platform that allows for remote account takeover of Azure’s flagship database – Cosmos DB. 

Who found the #ChaosDB vulnerability?

ChaosDB was discovered by @nirohfeld and @sagitz_ from @wiz_io Research Team. If you have questions you can reach us at research@wiz.io.

https://chaosdb.wiz.io/

AzureScape – Palo alto – CVE 2019-5936 CVSS 9.6 – September 9 2021

The Unit 42 Threat Intelligence team has identified the first known vulnerability that could enable one user of a public cloud service to break out of their environment and execute code on environments belonging to other users in the same public cloud service. This unprecedented cross-account takeover affected Microsoft’s Azure Container-as-a-Service (CaaS) platform. 

Exploitation:

There is no knowledge of Azurescape being exploited in the wild. It’s possible the vulnerability existed from ACI’s inception, so there is a chance that some organizations were affected. Azurescape also affected ACI containers in ​​Azure Virtual Networks.

https://www.paloaltonetworks.com/blog/2021/09/azurescape/

Omi God – CVE 2021-3847 – CVSS 9.8 – September 14 2021

Wiz Research Team recently found four critical vulnerabilities in OMI, which is one of Azure’s most ubiquitous yet least known software agents

https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure/


CVE-2021-38647
 – Unauthenticated RCE as root

CVE-2021-38648 – Privilege Escalation vulnerability

CVE-2021-38645 – Privilege Escalation vulnerability

CVE-2021-38649 – Privilege Escalation vulnerability

Service Affected:

Many different services in Azure are affected, including Azure Log AnalyticsAzure Diagnostics and Azure Security Center

AWS

breakFormation – Orca – CVSS 9 – Aug – 2021

Note Vulnerability was fixed in 6h

Tzah Pahima, discovered a vulnerability in AWS allowing file and credential disclosure of an AWS internal service.

The Vulnerability was an XXE (XML External Entity) vulnerability found in the CloudFormation service. This could have been used to leak sensitive files found on the vulnerable service machine and make server-side requests (SSRF) susceptible to the unauthorized disclosure of credentials of internal AWS infrastructure services.

Service Affected: CloudFormation, the service that enables you to easily provision AWS resources (such as EC2 instances and S3 buckets) using templates. CloudFormation also allows you to use API calls to dynamically create and configure resources.

See more details

Other (covered in future release)

superglue – Orca –

sagemaker – Lightspin – CVSS 7.4

RDS Postress SQL – Lightspin – CVSS 6.3

AutoWrap – Orca – CVSS 8.5

logicApp – NetSPI – CVSS 6

credManifest – NetSPI – CVSS 6.5 – CVE 2021-42306

extraReplica – Wiz – CVSS 6.8

INFRA/Network

QNAP

QNAP has asked customers this week to disable the AFP file service protocol on their network-attached storage (NAS) appliances until it fixes multiple critical Netatalk vulnerabilities

 CVE-2022-23121 was discovered by NCC Group EDG team at Pwn2Own

NCC Group’s EDG team members exploited one of these security flaws, tracked as CVE-2022-23121 and rated with a 9.8/10 severity score

Three of the other bugs QNAP warned its customers about also received 9.8/10 severity ratings (i.e., CVE-2022-23125CVE-2022-23122CVE-2022-0194)

Vulnerability in Netatalk:

Netatalk is a free and open-source implementation of the Apple Filing Protocol (AFP), allowing Unix-like OSes to serve as file servers for macOS clients.

QNAP says the Netatalk vulnerabilities (fixed in QTS 4.5.4.2012 build 20220419 and later) impact the following operating system versions:

  • QTS 5.0.x and later
  • QTS 4.5.4 and later
  • QTS 4.3.6 and later
  • QTS 4.3.4 and later
  • QTS 4.3.3 and later
  • QTS 4.2.6 and later
  • QuTS hero h5.0.x and later
  • QuTS hero h4.5.4 and later
  • QuTScloud c5.0.x

Previous Vulnerability:

Western Digital decided to deprecate the service and remove it from My Cloud OS altogether in firmware update 5.19.117, so users of WD NAS devices are advised to upgrade to that version or later.

Bonus:

Android new security policy

Google has published new data safety on android that enables you to specify what information are disclosed

The transparency measure, which is built along the lines of Apple’s “Privacy Nutrition Labels,” was first announced by Google nearly a year ago in May 2021.

This is part of an effort to make android a more safe and controlled environment

Massive DDoS Attack

Graph of the 15.3 million rps DDoS attack

Cloudflare Detects a DDoS Attack peaking at 15 Million requests https://blog.cloudflare.com/15m-rps-ddos-attack/

the article mentions: “While this isn’t the largest application-layer attack we’ve seen, it is the largest we’ve seen over HTTPSHTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection. “

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

Explore ASPM’s role in modern application security, offering a panoramic view that extends beyond code vulnerabilities. This guide demystifies concepts like traceability, reachability analysis, and asset lineage, pivotal for securing digital assets. Learn how ASPM empowers organizations with actionable insights for precise vulnerability management. #Cybersecurity #ASPM #ApplicationSecurity
Francesco Cipollone
Explore the transformative role of ASPM in cybersecurity. Uncover how Application Security Posture Management aligns business and security objectives for effective vulnerability management and risk reduction. Discover Phoenix Security’s innovative approach to tackling the staggering challenge of CVEs with a strategic focus on prioritization. #ASPM #Cybersecurity #VulnerabilityManagement
Francesco Cipollone
Explore the critical insights into the latest container security vulnerabilities named leaky vessels, including CVE-2024-21626, CVE-2024-23651, CVE-2024-23653, and CVE-2024-23652, BuildKit flaws, with our comprehensive guide on mitigation strategies, best practices for application security, and tips for robust vulnerability management in Docker and Kubernetes environments. Stay ahead in securing your container deployments against potential threats with ASPM help
Francesco Cipollone

Jeevan Singh

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James Berthoty

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

Christophe Parisel

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris Romeo

Co-Founder
Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

Jim Manico

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.