Text4Shell, GUAC for SLSA, OpenSSF Scorecards, Toner Deaf, OWASP Elections – ASW #217
Text4Shell isn't a new patching hell, using supply chain info with GUAC, OpenSSF Scorecards and metrics, Toner Deaf firmware persistence, upcoming OWASP Board Elections, Chrome browser exploitation
- 1. Experts downplay reach of Apache bug ‘Text4Shell’
Java, curly braces, and interpolation -- the planets align for another RCE, but this one lacks the dimensional rift of its log4shell predecessor. With luck, we'll just label the language as Java4shell and work on better default configurations and design patterns.
The vuln announcement is at https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
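The "curly braces and interpolation" point in concrete form: the Text4Shell bug lives in Apache Commons Text's StringSubstitutor, whose default interpolator (before 1.10.0) resolved `${script:...}`, `${dns:...}` and `${url:...}` prefixes, so an attacker-controlled template became code execution. The example below is added here and is not code from the episode or from the Apache project; it assumes `commons-text` is on the classpath and Java 9+ (for `Map.of`). It shows the risky default pattern beside an allowlisted configuration that resolves only the keys the application means to expose.

```java
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class InterpolationDemo {

    // Risky default: createInterpolator() wires in every built-in lookup the
    // library ships. Before Commons Text 1.10.0 that set included "script:",
    // "dns:" and "url:", so a template containing attacker-controlled text
    // could execute a script or make a network request during substitution.
    static String substituteWithDefaults(String template) {
        return StringSubstitutor.createInterpolator().replace(template);
    }

    // Hardened: resolve only the keys we deliberately expose. Any variable the
    // map does not know, including every "prefix:..." form, is left untouched
    // in the output instead of being handed to a lookup.
    static String substituteAllowlisted(String template, Map<String, String> values) {
        StringLookup allowed = StringLookupFactory.INSTANCE.mapStringLookup(values);
        StringSubstitutor sub = new StringSubstitutor(allowed);
        sub.setEnableSubstitutionInVariables(false); // no nested ${${...}} tricks
        return sub.replace(template);
    }

    public static void main(String[] args) {
        // Constructed inputs (not from the advisory): a benign template and a
        // probe that tries to reach a built-in lookup. "sys:" is used because it
        // is harmless to run locally; on a vulnerable version an attacker would
        // use "script:" or "dns:" in the same position.
        String benign = "Hello, ${user}!";
        String probe = "Hello, ${sys:java.version}!";
        Map<String, String> values = Map.of("user", "alice");

        System.out.println(substituteAllowlisted(benign, values));
        System.out.println(substituteAllowlisted(probe, values));
        System.out.println(substituteWithDefaults(probe));
    }
}
```

The allowlisted substitutor prints the probe with `${sys:java.version}` still literally in place, while the default interpolator resolves it to the running JVM's version string; the same difference is what separates a harmless template from remote code execution when the prefix is `script:`. Upgrading to 1.10.0 removes the dangerous defaults, but building the lookup explicitly is the design pattern worth keeping regardless of version.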
- 2. Announcing GUAC, a great pairing with SLSA (and SBOM)!
Supply chain acronyms are stretching their metaphors a bit too far now, but at least the projects are demonstrating investment in solving problems that developers face. This four-letter friend aims to provide better insight on the attack surface exposed by a known vuln within a software dependency: It brings together supply chain info into a graph, walks the graph, and provides an answer.
They'll be presenting more about this on Thursday at KubeCon.
Let's hope the next project dips into a new naming scheme.
- 3. Report Finds OpenSSF Scorecards Are Highly Effective Measures to Assess Project Security
How well can metrics drive a behavior? How do we build a culture that uses metrics to improve software security rather than devolve into gaming the metrics themselves?
The report is on the vendor's site -- thankfully not behind a registration wall!
- 4. TSA unveils new railroad cybersecurity directive
It's always good to step outside familiar software and see what types of security challenges other industries face that don't rely on JavaScript front-ends, a key-value store, and user-generated content. Doing so can inform our practices, recommendations, designs, and threat models.
- 5. Toner Deaf – Printing your next persistence (Hexacon 2022)
Fun hardware hacking and firmware dissection from NCC Group. Although mostly I included this as a missed opportunity to name it a more Halloween-friendly LexMark of the Beast.
- 6. SHA-3 Buffer Overflow
A researcher finds a memory safety issue in a reference implementation of the SHA-3 algorithm -- and it's been in there for ten years. Here's a chance to talk about implementation, copying implementations, test cases for implementations, secure coding, secure code reviews. In other words, a fun example of the eternal challenges in appsec and what progress does -- or doesn't -- look like.
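On the "test cases for implementations" point: bugs in sponge constructions tend to hide in partial-block handling, where input lengths straddle the rate and data is buffered across calls. The harness below is an added example (not from the episode, the researcher, or the XKCP project) and tests the JDK's SHA3-256 rather than the reference implementation discussed in the article; it assumes Java 17+ for `HexFormat`. It combines known-answer checks with a differential test that feeds the same message in different chunk sizes around block boundaries and requires every path to agree with the one-shot digest.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HexFormat;

public class Sha3KatHarness {
    // Standard known-answer values for SHA3-256 (empty string and "abc").
    static final String[][] KATS = {
        {"", "a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a"},
        {"abc", "3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532"},
    };
    // SHA3-256 absorbs (1600 - 2*256) / 8 = 136 bytes per permutation call.
    static final int RATE_BYTES = 136;

    static byte[] oneShot(byte[] msg) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA3-256").digest(msg);
    }

    // Feed the message in fixed-size chunks so the implementation's
    // partial-block buffering is exercised, not only the full-block fast path.
    static byte[] chunked(byte[] msg, int chunk) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA3-256");
        for (int off = 0; off < msg.length; off += chunk) {
            md.update(msg, off, Math.min(chunk, msg.length - off));
        }
        return md.digest();
    }

    static boolean runKats() throws NoSuchAlgorithmException {
        HexFormat hex = HexFormat.of();
        for (String[] kat : KATS) {
            byte[] got = oneShot(kat[0].getBytes(StandardCharsets.US_ASCII));
            if (!hex.formatHex(got).equals(kat[1])) return false;
        }
        return true;
    }

    // Differential test: lengths just below, at, and above one and two blocks,
    // each delivered in chunk sizes that also straddle the rate.
    static boolean runBoundaryTests() throws NoSuchAlgorithmException {
        int[] lengths = {RATE_BYTES - 1, RATE_BYTES, RATE_BYTES + 1,
                         2 * RATE_BYTES - 1, 2 * RATE_BYTES + 1};
        int[] chunks = {1, 7, RATE_BYTES - 1, RATE_BYTES, RATE_BYTES + 1};
        for (int len : lengths) {
            byte[] msg = new byte[len];                 // constructed input
            for (int i = 0; i < len; i++) msg[i] = (byte) (i * 31 + 7);
            byte[] expected = oneShot(msg);
            for (int c : chunks) {
                if (!Arrays.equals(expected, chunked(msg, c))) return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("KATs: " + (runKats() ? "pass" : "FAIL"));
        System.out.println("boundary: " + (runBoundaryTests() ? "pass" : "FAIL"));
    }
}
```

Swapping `MessageDigest` for a wrapper around any copied-in implementation turns this into a regression test for that copy; the boundary cases are cheap to run and are exactly where an off-by-one or a miscounted partial block shows up, long before anyone reads the code.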
- 7. My Manifesto for the OWASP Board Election – Mark Curphey
This is an interesting reflection on the current state and a future vision for OWASP from its founder. It's a constructive argument that aims to refine and build on what OWASP is doing, not to tear it down. I find the direction towards a product management approach appealing. And, in general, would love to see the OWASP brand recognized more immediately for other appsec resources than just the Top 10.
General information about the OWASP global board elections can be found here, including a list of all the candidates.
- 8. How I Got $10,000 From GitHub For Bypassing Filtration of HTML tags
A walkthrough of an HTML injection attack where the researcher's initial report was a duplicate, followed by more research that ultimately found a clever combination of syntax from a JavaScript library for displaying math equations. Patience and a positive bug bounty experience led to a $10,000 award.
- 9. Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals
Last episode I included a link to a deep technical article on Linux kernel hacking. This week I found one on exploiting Chrome. We'll keep an eye out for similar long reads on topics that take more than a few minutes to cover. Let us know if you have any favorites we should highlight!
- 1. Break signature on malware, exploit Windows
Modern Windows has functionality to alert the user before running a file downloaded from the Internet. People discovered that by altering the signature to an invalid one, Windows' "Mark-of-the-Web" would throw up its hands and just execute the file.
- 2. Physicists Got a Quantum Computer to Work by Blasting It With the Fibonacci Sequence
Physicists figured out that a DoS attack using the Fibonacci sequence keeps qubits entangled.
- 3. SBOMs: An Overhyped Concept That Won’t Secure Your Software Supply Chain
Another counter-point to "must have SBOMs!" :)