SANS NewsBites

Perimeter Security Devices from Citrix, Sonicwall, and Ivanti Continue to Put Enterprises at Risk

January 19, 2024  |  Volume XXVI - Issue #05

Top of the News


2024-01-18

Citrix Vulnerabilities Added to KEV; One Has a One-Week Mitigation Deadline

Citrix has published an advisory regarding two vulnerabilities that affect Citrix NetScaler ADC and NetScaler Gateway. The US Cybersecurity and Infrastructure Security Agency (CISA) has added both to its Known Exploited Vulnerabilities (KEV) catalog. One of the vulnerabilities (CVE-2023-6548) is a code injection issue; CISA has given Federal Civilian Executive Branch (FCEB) agencies until January 24 to apply patches or upgrade to a fixed version. The second vulnerability (CVE-2023-6549) is an improper restriction of operations within the bounds of a memory buffer issue; FCEB agencies have until February 7 to address that flaw.

Editor's Note

Citrix, Ivanti, Sonicwall. This edition of NewsBites covers three different known-to-be-exploited vulnerabilities in commercial perimeter security devices. This shouldn't be news to anybody. Back in 2020, we added this as one of our top attack vectors for our annual RSA keynote. You must include perimeter devices in your vulnerability management process and you must be able to mitigate vulnerabilities within days, not weeks, months or years.

Johannes Ullrich

This is separate from the November/December CitrixBleed flaw, but with the success of those exploits, threat actors are likely to be seeking similar results with these, particularly CVE-2023-6548. Apply the update, then make sure the management interface is either logically or physically isolated. Beyond this flaw, threat actors are searching for, finding, and attacking exposed management interfaces. While it’s increasingly necessary for these to be available for remote support, you still need to only access them via a secure pathway.

Lee Neely

2024-01-16

Ivanti Vulnerabilities are Being Actively Exploited

Two vulnerabilities affecting Ivanti Connect Secure VPN are being actively exploited. Ivanti released suggested mitigations for the flaws last week while they develop patches. Researchers from Volexity observed the vulnerabilities being exploited by multiple threat actors “across nearly all verticals.”

Editor's Note

The vulnerability has been exploited since before it was made public. But with PoC exploits being available now, internet-wide scanning for vulnerable devices has started. At the Internet Storm Center, our honeypots have picked up some of the exploit attempts starting Wednesday.

Johannes Ullrich

If you were delaying, waiting for the patch, or concerned about the impacts of the mitigation, you need to get it deployed now, and check for IOCs. Per Volexity, the early exploits started on December 3rd, but as of Jan 11th, the scanning and attempted exploits went through the roof. Three tasks here: first, make sure the mitigations are in place; second, based on the release date for the patch for your version of the VPN, have a deployment plan with dates; third, make sure your remote access and boundary control devices are at the top of the list when it comes to applying patches/security updates.

Lee Neely

2024-01-16

SonicWall Firewalls Unpatched Against Known Vulnerabilities

Researchers from Bishop Fox have observed that nearly 180,000 SonicWall firewalls have not been patched against two stack-based buffer overflow vulnerabilities. SonicWall released advisories with fixes for the vulnerabilities in their next-generation firewall (NGFW) series 6 and 7 in March 2022 (CVE-2022-22274) and March 2023 (CVE-2023-0656).

Editor's Note

What’s concerning is that for one vulnerability, 62% of devices are vulnerable two years later. For the other vulnerability, 76% of devices are vulnerable one year later. It speaks to a lack of a patch management process in those organizations. It’s hard for them to be able to demonstrate a standard duty of care should they be attacked and subsequently hauled into court. Follow the mitigation advice, remove the web management interface from public access, and update the firmware.

Curtis Dukes

The Rest of the Week's News


2024-01-18

GPU Kernel Vulnerability Could Leak Data from Memory

Researchers from Trail of Bits have discovered a vulnerability that affects multiple brands of graphics processing unit (GPU) chips. The flaw could be exploited to steal data from the GPU’s memory. The issue affects chips used in Apple, Qualcomm, and AMD products; it may also affect Imagination GPUs. In their Wired article, Lily Hay Newman and Matt Burgess write, “As more companies ramp up development of artificial intelligence systems, they are increasingly turning to graphics processing unit (GPU) chips for the computing power they need to run large language models (LLMs) and to crunch data quickly at massive scale.”

Editor's Note

This is being referred to as the LeftoverLocals vulnerability, and the flaw is used to read another user’s data in the GPU. Not every affected device has a patch or mitigation yet. Patches are being developed by AMD, Qualcomm and other chip manufacturers; expect those around March. Google has released updates to ChromeOS, Apple has a fix in their M3 and A17 chips, and devices with as far back as their A12 CPU, with the latest OS, are also fixed. Exploiting the flaw requires local access, so start with making sure you’re monitoring for unauthorized accounts or unexpected applications. Make sure you’re keeping the firmware and OS current.

Lee Neely

2024-01-17

GitHub Rotates Keys After Learning of Flaw That Could Allow Access to Credentials

In late December, GitHub learned through its Bug Bounty program about a vulnerability that allowed access to environment variables in a production container. GitHub.com has been patched and affected credentials have been rotated. The issue also affects GitHub Enterprise Server (GHES); a patch is available for GHES versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3.

Editor's Note

This is a good example of the ROI of a well-managed bug bounty program, paired with the processes, resources and willpower to rapidly fix vulnerabilities found in your products or services. Investment in both is required but there are many success stories to point out demonstrating great rates of return on the overall investment in your customers’ safety.

John Pescatore

GitHub has been highly responsive in mitigating this vulnerability. Rotating, or changing the cryptographic keys, is a standard security practice. Well done GitHub!

Curtis Dukes

2024-01-17

Chrome Updated to Fix Zero-day

Google has updated the stable release of its Chrome browser to address four security issues, including an out-of-bounds memory access (CVE-2024-0519) issue in the V8 JavaScript engine that is being actively exploited. Two of the other security fixes also address vulnerabilities in the V8 JavaScript engine.

Editor's Note

This is Google Chrome’s first zero-day of 2024. Given its large install base globally, it has become a frequent target of both hackers and security researchers. Simply refresh your browser to install the latest version of the browser.

Curtis Dukes

2024-01-18

Rapid SCADA Vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory alerting users to seven vulnerabilities in the Rapid SCADA open source industrial automation platform. The CVSS v3 scores for the flaws range from 5.3 to 9.8; the critical vulnerability is a hard-coded credentials issue. The next most serious issue is a path traversal vulnerability that has a CVSS v3 score of 8.8. CISA was alerted to the vulnerabilities by researchers at Claroty. Rapid SCADA has not replied to inquiries from CISA or Claroty.

Editor's Note

The Rapid SCADA platform is open source and very attractive to small-to-medium businesses for developing OT systems. There are no patches available at this time, so the risks have to be mitigated via isolation (segmentation, not Internet accessible, only access from approved devices) and monitoring. Given the target is an SMB, it’s likely the best strategy is to make sure they have a VPN to access the system versus making it directly accessible.

Lee Neely

2024-01-18

FBI and CISA Publish China-Made Drone Guidance

The FBI and US Cybersecurity and Infrastructure Security Agency (CISA) have jointly published guidance for the use of drones manufactured in China. The guidance starts by saying that “Chinese-manufactured unmanned aircraft systems (UAS), more commonly referred to as drones, continue to pose a significant risk to critical infrastructure and U.S. national security.”

Editor's Note

While this is directed towards critical infrastructure, we should all read it. The guidance outlines the risks of Chinese-manufactured UAS, to include what the manufacturer is compelled to provide to the PRC. Consider that the threat not only includes data collected while in operation but also includes risks in any provided firmware updates. The guidance also points to the DOD Blue cleared UAS list (https://www.diu.mil/blue-uas-cleared-list) for devices which don’t have these risks.

Lee Neely

China’s 2017 national intelligence law does require Chinese companies to ‘work’ with the government and is very concerning. That said, there is already large usage of drone technology in this country, many of which are manufactured in China. I’m afraid the guidance is a tad late and given it doesn’t require replacement, likely not to be followed.

Curtis Dukes

2024-01-19

FTC Announces Order Barring Another Data Aggregator from Selling Location Information

On Thursday, January 18, the US Federal Trade Commission (FTC) issued an order banning a second data aggregation company from selling precise location information. The order is part of an agreement the FTC reached with InMarket Media regarding allegations that the company did not obtain users’ consent before using their location data for marketing and advertising. The FTC issued another order earlier this month prohibiting X-Mode Social/Outlogic from sharing or selling sensitive location data.

Editor's Note

The FTC is flexing its regulatory muscle to protect user ‘opt-out’ requests. Separately, over the last two years, several states have enacted privacy legislation. For those states, the AG can use the FTC order to pursue data aggregators operating in their state.

Curtis Dukes

This was only a week after the ban on Outlogic. Data brokers are being held to not only obtaining consent for use of precise location data, but also the retention of that data (InMarket was keeping it for five years). InMarket’s permission indicated the data would be used for discounts and promotions. This is also embedded in the InMarket SDK, which has been incorporated into over 300 applications. Time to double check the location sharing settings on your apps, particularly where it doesn’t make sense, such as a photo editing app.

Lee Neely

2024-01-17

Semiconductor Manufacturer Experiences Cyber Incident

Taiwanese semiconductor manufacturer Foxsemicon appears to have been the target of a cyberattack. The company’s website displayed a message from the alleged attackers, claiming that Foxsemicon’s data have been stolen and encrypted. In a statement released to the Taiwan Stock Exchange, Foxsemicon said they had regained control of their website and are working with security experts.

Editor's Note

While there are claims this is a LockBit attack, the attackers aren’t following LockBit’s normal process. For example: LockBit discloses the victim on their DarkWeb site, not by defacing their website. Further, there have been an increasing number of attacks on Taiwanese companies relating to their recent elections as China would like to see a change in their ruling party. Most of these manifested as DDoS attacks. As LockBit is not a politically motivated group, if they were indeed behind this, it would be for some other reason, such as financial gain.

Lee Neely

Internet Storm Center Tech Corner

More Scans for Ivanti Connect "Secure" VPN. Exploits Public

https://isc.sans.edu/diary/More+Scans+for+Ivanti+Connect+Secure+VPN+Exploits+Public/30568

Ivanti Vulnerability Widespread Scanning

https://isc.sans.edu/diary/Scans+for+Ivanti+Connect+Secure+VPN+Vulnerability+CVE202346805+CVE202421887/30562

https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/

Ivanti Endpoint Manager Mobile / MobileIron Core Vuln exploited CVE-2023-35082

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Number Usage in Passwords

https://isc.sans.edu/diary/Number+Usage+in+Passwords/30540

Attacks against Exposed Databases

https://twitter.com/fasterthanlime/status/1741935393413402739

Citrix Patches Already Exploited Vulnerability

https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549

GitHub Key Rotation

https://www.bleepingcomputer.com/news/security/github-rotates-keys-to-mitigate-impact-of-credential-exposing-flaw/

Outlook Vulnerability Discovery and New Ways to Leak NTLM Hashes

https://www.varonis.com/blog/outlook-vulnerability-new-ways-to-leak-ntlm-hashes

A Lightweight Method to Detect Potential iOS Malware

https://securelist.com/shutdown-log-lightweight-ios-malware-detection-method/111734/

macOS Infostealers

https://www.sentinelone.com/blog/the-many-faces-of-undetected-macos-infostealers-keysteal-atomic-cherrypie-continue-to-adapt/

CISA and FBI Release Known IOCs Associated with Androxgh0st Malware

https://www.cisa.gov/news-events/alerts/2024/01/16/cisa-and-fbi-release-known-iocs-associated-androxgh0st-malware

Atlassian Confluence Remote Code Execution Vulnerability

https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html

Google Chrome 0-day

https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_16.html