EDR, Driver Signing, SBOMS – Do They Work? – PSW #760
This week in the Security News: A Security Maturity Model for Hardware Development, Palo Alto Networks fixed a high-severity auth bypass flaw in PAN-OS, New UEFI rootkit Black Lotus offered for sale at $5,000, What are SBOMS, & Critical Remote Code Execution issue impacts popular post-exploitation toolkit Cobalt Strike
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
- 1. Researchers find 633% increase in cyber-attacks aimed at open source repositories
- 2. AMD, Google, Microsoft & NVIDIA Announce “Caliptra” Open-Source Root of Trust – Phoronix
- 3. Toner Deaf – Printing your next persistence (Hexacon 2022)
- 4. Critical Remote Code Execution issue impacts popular post-exploitation toolkit Cobalt Strike
This is a supply chain issue. Let me clarify: this is a Log4j-style supply chain issue, which means it's a vulnerability management issue, but in software that is used by software, which then ends up in software that you (or an attacker) are using. Interesting how we could leverage this to attack the attackers (that's a separate issue). The fix is to apply the patch from the vendor, who in turn applied the patch from their upstream dependency: patching squared.
- 5. Introducing Our 8th Annual State of the Software Supply Chain Report
- 6. A software bill of materials (SBOM): What it is — and why it matters for software supply chain security
"SBOMs are often compared to the infamous black and white nutrition label most Americans are used to, in which all of the food items' ingredients and daily value percentages are listed." - Except they are nothing like this. Food ingredients don't change: once you make a food product from a recipe, it has the same profile when it ships (unless ingredients were tampered with or altered, which is a different threat). When it comes to software or firmware, the recipe changes with each update. Also, an ingredient can be safe one day and a completely toxic ingredient the next, because someone found a vulnerability. SBOMs are only useful if you can update them. Also, the value of an SBOM is in what you do with it. Using it only reactively is less useful than being proactive: looking at trends, the most frequently used components, and the least frequently used components. That analysis can help identify threats well in advance of an attack.
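To make the "what you do with it" point concrete, here is an added example (not from the show, the article, or any SBOM tool) that works over constructed CycloneDX-style SBOM fragments: it diffs two builds of one product (the recipe changes with each update), ranks components by how many products in a fleet ship them (the proactive view), and answers which products are exposed once a component is reported vulnerable (the reactive view). Component names and versions are illustrative; the vulnerable-version set used is the one published for CVE-2022-42889 (Apache Commons Text 1.5 through 1.9).

```python
import json
from collections import Counter

# Constructed CycloneDX-style SBOM fragments for two builds of one product
# (only the fields this example needs; names and versions are illustrative).
SBOM_V1 = json.loads("""{"bomFormat": "CycloneDX", "components": [
  {"name": "commons-text", "version": "1.9"},
  {"name": "log4j-core", "version": "2.17.1"},
  {"name": "jackson-databind", "version": "2.13.3"}]}""")
SBOM_V2 = json.loads("""{"bomFormat": "CycloneDX", "components": [
  {"name": "commons-text", "version": "1.10.0"},
  {"name": "log4j-core", "version": "2.17.1"},
  {"name": "jackson-databind", "version": "2.13.4"},
  {"name": "snakeyaml", "version": "1.33"}]}""")

# Constructed fleet: product name -> the SBOM of the build it currently ships.
FLEET = {"app-a": SBOM_V1, "app-b": SBOM_V2, "app-c": SBOM_V1}

# Affected range for CVE-2022-42889 (Commons Text); 1.10.0 is the fixed release.
COMMONS_TEXT_VULNERABLE = {"1.5", "1.6", "1.7", "1.8", "1.9"}


def components(sbom):
    """Flatten a CycloneDX-style document into {component name: version}."""
    return {c["name"]: c["version"] for c in sbom.get("components", [])}


def sbom_diff(old, new):
    """Recipe changes between two builds: (added, removed, version-bumped) component names."""
    a, b = components(old), components(new)
    added = sorted(set(b) - set(a))
    removed = sorted(set(a) - set(b))
    bumped = sorted(n for n in a.keys() & b.keys() if a[n] != b[n])
    return added, removed, bumped


def component_frequency(fleet):
    """How many products ship each component, most common first (the proactive view)."""
    return Counter(n for s in fleet.values() for n in components(s)).most_common()


def affected_products(fleet, name, vulnerable_versions):
    """Products shipping a vulnerable version of `name` (the reactive view, once a CVE lands)."""
    return sorted(p for p, s in fleet.items()
                  if components(s).get(name) in vulnerable_versions)


if __name__ == "__main__":
    print("diff v1 -> v2:", sbom_diff(SBOM_V1, SBOM_V2))
    print("fleet usage:", component_frequency(FLEET))
    print("exposed to CVE-2022-42889:", affected_products(FLEET, "commons-text", COMMONS_TEXT_VULNERABLE))
```

The same three queries run unchanged against real CycloneDX JSON, which is the point: the SBOM only pays off when it is regenerated per build and re-queried every time an advisory lands.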
- 7. CVE-2022-42889 Test application
- 8. NVD – CVE-2022-42889
- 9. Banks face their ‘darkest hour’ as crimeware powers up
- 10. In GUID We Trust
- 11. Palo Alto Networks fixed a high-severity auth bypass flaw in PAN-OS
This is a huge problem. An enterprise pays A LOT of money for an enterprise-grade appliance (firewall, VPN, etc.). It comes with a vulnerability that allows an attacker to bypass authentication, which in turn allows an attacker to bypass ANY AND ALL security controls the device has to offer, effectively rendering it useless. We deserve better: auth bypass flaws are fairly easy to find and fix before the product ships. Vendors should do that.
- 12. New UEFI rootkit Black Lotus offered for sale at $5,000
"Black Lotus is able to disable security solutions, including Hypervisor-protected Code Integrity (HVCI), BitLocker, and Windows Defender. The rootkit is able to bypass security defenses like UAC and Secure Boot, it is able to load unsigned drivers used to perform a broad range of malicious activities." - Right up until the Secure Boot bypass I was not particularly impressed. If they really do have a 0-day against a Windows bootloader, they should be selling it for more than $5k, which makes me think they don't; and wouldn't it be funny if it were just a repackaging of this: https://github.com/HackingThings/OneBootloaderToLoadThemAll
- 13. Amazon Out of Control and Inside Your Homes: Every Product a Spy
I think we lack some evidence on just how much these devices collect. The toilet is funny: "What it knows: When you flush, or activate a cleansing spray or heated seat. Why that matters: You can't get much more intimate than your bathroom time." I mean, all of these details individually aren't a big deal, but together they could be problematic. We need tougher legislation that restricts just how much data can be collected and, more importantly, who it's shared with or sold to. I like these devices as they add convenience to my life (and my family's), but don't share my data. Also, is Google any better? I ditched most Amazon devices from my house, I use some Google things, I turn off the assistant on my phone/watch/earbuds, I do have a Ring, and I switched to a non-cloud security camera system (Reolink).
- 14. A Security Maturity Model for Hardware Development
This sounds great, but how do we get developers at the hardware level (microcode and firmware) to care about security? Often, the security features are in the hardware, but not implemented by developers because of other pressures, like deadlines.
- 15. conf-presentations/fuzzing_NVIDIA_drivers-tdore.pdf at master · quarkslab/conf-presentations
- 16. Linux Fixes 5 Gaping Holes in Wi-Fi
This is interesting: "Can we please stop running network drivers and network stacks in kernel mode? … It's 2022 and we've got more than enough compute power: … The performance hit for running these in user-land is negligible." There is also talk of Rust coming to save the day. But don't hold your breath: it will be a LONG time before most distros see kernel 6.x, and even longer before most drivers are written and tested in Rust.
- 17. FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass Technical Deep Dive (CVE-2022-40684)
Forging some header values basically gives an attacker full access to the entire web API, allowing them to manage the device. This is bad. You should patch it immediately. This has been added to the CISA KEV catalog, which means attackers are actively exploiting it.
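Since "it's in the KEV" is the signal that moves an item to the top of the patch queue, here is an added example (not from the show or from CISA) that cross-references a constructed excerpt in the CISA KEV JSON feed layout against a constructed appliance inventory and reports which unpatched hosts are exposed and whether the KEV due date has passed. The CVE-2022-40684 entry uses illustrative dates; the second entry is a deliberate placeholder, not a real CVE, and the inventory hostnames are made up.

```python
import json
from datetime import date

# Constructed excerpt in the CISA KEV feed layout (field names as published by CISA;
# dates illustrative; CVE-0000-00000 is a placeholder entry, not a real vulnerability).
KEV_FEED = json.loads("""{"title": "CISA Catalog of Known Exploited Vulnerabilities",
 "vulnerabilities": [
  {"cveID": "CVE-2022-40684", "vendorProject": "Fortinet", "product": "Multiple Products",
   "dateAdded": "2022-10-11", "requiredAction": "Apply updates per vendor instructions.",
   "dueDate": "2022-11-01"},
  {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "ExampleFirewall",
   "dateAdded": "2022-10-01", "requiredAction": "Apply updates per vendor instructions.",
   "dueDate": "2022-10-22"}]}""")

# Constructed inventory: vendor -> [(hostname, already patched?)].
INVENTORY = {
    "Fortinet": [("fw-edge-1", False), ("fw-edge-2", True)],
    "Palo Alto Networks": [("fw-dc-1", False)],
}


def kev_exposure(feed, inventory, today):
    """Return one finding per KEV entry that matches a vendor we run and still has unpatched hosts.

    Each finding carries the CVE id, the exposed hosts, whether the KEV due date has passed,
    and the (possibly negative) number of days left until that due date.
    """
    findings = []
    for v in feed["vulnerabilities"]:
        exposed = [host for host, patched in inventory.get(v["vendorProject"], []) if not patched]
        if not exposed:
            continue  # vendor not in our estate, or every host already patched
        due = date.fromisoformat(v["dueDate"])
        findings.append({
            "cve": v["cveID"],
            "hosts": exposed,
            "overdue": today > due,
            "days_left": (due - today).days,
            "action": v["requiredAction"],
        })
    return findings


if __name__ == "__main__":
    for f in kev_exposure(KEV_FEED, INVENTORY, date.today()):
        print(f["cve"], f["hosts"], "OVERDUE" if f["overdue"] else f"{f['days_left']} days left")
```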