Patch Tuesday, cURL, passkey - October 8th - 14th, 2023 - F5 SIRT - This Week in Security

Introduction:

I am back as the editor this week after a long break. Last week, the world witnessed a horrific terror attack by Hamas on Israel. As a human being who values peace, I condem this horrific violence and stand with the nation of Israel and it's people. May there be peace on earth! 

As a regular listerner of DarkNet diaries, I was surprised to see the latest episode bear the name of my homeland Punjab. I have always liked the storytelling aspect of this podcast by Jack Ryhsider and really enjoyed the introduction of this episode. The introduction is unrelated to the main story of the episode and listening to it trasnported me back to my childhood.  The main story covers scammers, who are of Punjabi origin, and use social engineering to scams other innocent people of Punjabi origin all over the world. It is sad and also a reminder that Socail Engineering remains, and is likely to forever remain, a huge security and privacy challenge.

TLDR of the main stories:

Patch Tuesday Highlights:

• Microsoft released 103 patches for products like Windows, Exchange Server, and Azure.
• 13 patches are critical; 90 are important.
• Two vulnerabilities are under active attack.
• Notable vulnerabilities include a wormable bug in Microsoft Message Queuing and an issue in Azure Network Watcher.

cURL Vulnerability:

• cURL version 8.4.0 addresses a heap corruption issue in the SOCKS5 handler.
• Affected versions: 7.69.0 to 8.3.0.
• Impact: Systems accepting arbitrary URLs without hostname validation using a SOCKS5 proxy configuration.
• Recommendation: Update system curl and conduct a dependency audit.

Google's passkey:

• Google offers passkey as a default passwordless option for Cybersecurity Awareness month.
• Users can unlock devices with a fingerprint, face scan, or pin.
• Recommendation: Use a hardware key like Yubikey and consider using Chrome to avoid iCloud Keychain prompts on Safari.

Top 10 Security Misconfigurations by NSA and CISA:

• The advisory lists common misconfigurations like default software configurations, poor patch management, and weak MFA methods.
• Recommendations include removing default credentials, regular updates, and urging software manufacturers to embed security controls.

Patch Tuesday

Microsoft introduced "Patch Tuesday" 20 years ago. Over the years, more companies have adopted this practice. Microsoft October release at a glance: 

• Released 103 new patches addressing various products including Windows, Exchange Server, Office, ASP.NET Core, Azure, and Skype for Business.
• 13 patches are rated Critical and 90 are Important.
• Two of the CVEs are under active attack:
  1. Microsoft WordPad Information Disclosure Vulnerability: Could lead to the disclosure of NTLM hashes.
  2. Skype for Business Elevation of Privilege Vulnerability: Acts more like an information disclosure than a privilege escalation.

• Notable vulnerabilities include:
  • Microsoft Message Queuing Remote Code Execution Vulnerability: A wormable bug.
  • Windows IIS Server Elevation of Privilege Vulnerability: Could allow an attacker to log on as another user.
  • A bug in Azure Network Watcher: Could allow an attacker to route Packet Captures to their control.

• There are nearly 30 Elevation of Privilege (EoP) bugs, many of which require an attacker to run a specially crafted program.
• 12 Information disclosure bugs were fixed, including the one under active attack.
• Fixes for around a dozen Denial of Service (DoS) bugs.
• One cross-site scripting (XSS) bug fixed in Microsoft Dynamics 365.

References: 

1. https://msrc.microsoft.com/update-guide/releaseNote/2023-Oct
2. https://isc.sans.edu/diary/October+2023+Microsoft+Patch+Tuesday+Summary/30300

cUrl Vulnerability

cURL released version 8.4.0 on October 11th, 2023, to address a heap corruption issue in the SOCKS5 handler in both the CLI application and the libcurl C library. The vulnerability, CVE-2023-38545, affects libcurl versions from 7.69.0 to 8.3.0. The issue arises when cURL is given a hostname longer than 255 bytes during a SOCKS5 request, leading to memory corruption.

Impact:

• Systems are affected if they accept arbitrary URLs from untrusted users without hostname validation and pass them to cURL or libcurl using a SOCKS5 proxy configuration.
• Heap corruption can lead to crashes due to corrupted heaps, especially on modern OS with features like ASLR.

F5's Response: F5 issued a Security Advisory with detailed reponse that can be seen on my.f5.com.

Recommendations:

• Update system curl in your build environment and/or container images.
• For various programming languages (Node, Python, Rust, C#, Ruby, Go, PHP, Swift), the general advice is to update the system curl.
• Libraries that use libcurl should be audited to determine how they include it as a dependency.

The most immediate and impactful action to take is to update curl and libcurl via system package managers. This will significantly reduce the exposed attack surface. If resources allow, conduct a dependency audit to identify which libraries use libcurl and their linking methods. 

References: 

• https://curl.se/docs/CVE-2023-38545.html

passkey

Earlier this year, Google introduced support for passkeys, a more secure and simpler method for signing into online accounts. passkeys allows users to unlock their device using a fingerprint, face scan, or pin to use passkeys. For Cybersecurity Awareness month Google is offering passkey as default passwordless option across personal Google accounts. There are a few other companies that are already supporting passkey. Having switched to a passkey option on Google, Github and Amazon I highly recommend that you make this the default option. Ideally, you should use a hardware key, like Yubikey, as the passkey instead of the device itself. If you are using Safari on Mac,  MacOS will try to force you to enable icloud Keychains in order to use passkey. As someone not fond of storing my credentials on a cloud I was a bit annoyed. The good news is that you can use Chrome instead of Safari and the icloud keychain prompt disappears.

References: 

• https://blog.google/technology/safety-security/passkeys-default-google-accounts

Top 10 Security Misconfigurations from NSA and CISA

The NSA and CISA have released a joint cybersecurity advisory to highlight the most common cybersecurity misconfigurations observed in large organizations. These misconfigurations are often exploited by malicious actors using various tactics, techniques, and procedures (TTPs). The advisory lists the top 10 misconfigurations, emphasizing the systemic weaknesses in many organizations and the need for software manufacturers to adopt secure-by-design principles.

Top 10 Common Network Misconfigurations:

1. Default configurations of software and applications: Often lead to unauthorized access and malicious activity.
2. Improper separation of user/administrator privilege: Results in quick lateral movement for compromised accounts.
3. Insufficient internal network monitoring: Leads to undetected adversarial compromise and improper traffic collection.
4. Lack of network segmentation: Allows unrestricted lateral movement across systems.
5. Poor patch management: Leaves systems vulnerable to known exploits.
6. Bypass of system access controls: Alternate authentication methods can be compromised.
7. Weak or misconfigured multifactor authentication (MFA) methods: Certain MFA methods can be bypassed or exploited.
8. Insufficient access control lists (ACLs) on network shares and services: Leads to unauthorized access to sensitive data.
9. Poor credential hygiene: Facilitates unauthorized access and lateral movement.
10. Unrestricted code execution: Allows malicious payloads to run within a network.

Key Recommendations:

• Network defenders are urged to implement various mitigations, including removing default credentials, disabling unused services, regular updates, automating patching, and restricting and monitoring administrative accounts.
• Software manufacturers are encouraged to improve security outcomes by embedding security controls, eliminating default passwords, providing quality audit logs, and mandating MFA.

The advisory underscores the importance of addressing these common misconfigurations to enhance cybersecurity resilience. It also stresses the role of software manufacturers in ensuring that security measures are integral to their development practices.

References: 

• https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a