2 Microsoft 0-days, Linux kernel 6.0, GitHub Arctic Code Vault - This Week in Security - Sept 24-30
This Week in Security
September 24th to 30th, 2022
2 Microsoft 0-days, Linux kernel 6.0 and GitHub Arctic Code Vault
Tikka Nagi is the editor for this week. I joined F5 SIRT in 2021 after a year-long hiatus. Prior to that, I spent 8 years as an ENE for F5 security products.
This week saw a couple of Microsoft zero-days and an Atlassian CVE getting on CISA’s radar. Linux kernel 6.0 was released and GitHub’s Arctic Code Vault became a real vault.
CISA Adds Microsoft Exchange and Atlassian Bitbucket Vulnerabilities to Exploited List
The CISA Known Exploited Vulnerabilities Catalog is a list of vulnerabilities that the US Cybersecurity and Infrastructure Security Agency (CISA) has identified as being actively exploited.
CISA recommends that Federal Civilian Executive Branch (FCEB) agencies prioritize the mitigation of this list of vulnerabilities as part of their vulnerability management plan. This week the following three vulnerabilities were added to the list:
CVE-2022-41082 (vendor: Microsoft; product: Exchange Server): Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft Exchange Server contains an unspecified vulnerability which allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040, which allows for remote code execution.
CVE-2022-41040 (vendor: Microsoft; product: Exchange Server): Microsoft Exchange Server Server-Side Request Forgery Vulnerability
Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082, which allows for remote code execution.
Microsoft Corp. is investigating reports that attackers are exploiting two previously unknown vulnerabilities in Exchange Server, a technology many organizations rely on to send and receive email. Microsoft says it is expediting work on software patches to plug the security holes. In the meantime, it is urging a subset of Exchange customers to enable a setting that could help mitigate ongoing attacks.
CVE-2022-36804 (vendor: Atlassian; product: Bitbucket Server and Data Center): Atlassian Bitbucket Server and Data Center Command Injection Vulnerability
Multiple API endpoints of Atlassian Bitbucket Server and Data Center contain a command injection vulnerability where an attacker with access to a public Bitbucket repository, or with read permissions to a private one, can execute code by sending a malicious HTTP
- https://www.cisa.gov/uscert/ncas/current-activity/2022/09/30/cisa-adds-three-known-exploited-vulnerabilities-catalog
- https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
- https://jira.atlassian.com/browse/BSERV-13438
- https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
- https://nakedsecurity.sophos.com/2022/09/30/urgent-microsoft-exchange-double-zero-day-like-proxyshell-only-different/
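Because CISA asks agencies to work the KEV list into their vulnerability management plan, the practical task is cross-referencing the catalog against your own asset inventory and sorting by remediation due date. The script below is an added example written for this newsletter, not CISA's or F5's code. The JSON layout follows the field names of CISA's public known_exploited_vulnerabilities.json feed as I know them (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate), which is an assumption; the three entries mirror this week's additions, while the dueDate values, host names and inventory CVE lists are constructed placeholders, not real data.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's known_exploited_vulnerabilities.json feed.
# Field names follow the public schema as far as I know it (assumption). The three
# entries mirror this week's additions; the dueDate values are placeholders.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    {"cveID": "CVE-2022-41082", "vendorProject": "Microsoft",
     "product": "Exchange Server",
     "vulnerabilityName": "Microsoft Exchange Server Remote Code Execution Vulnerability",
     "dateAdded": "2022-09-30", "dueDate": "2022-10-21"},
    {"cveID": "CVE-2022-41040", "vendorProject": "Microsoft",
     "product": "Exchange Server",
     "vulnerabilityName": "Microsoft Exchange Server Server-Side Request Forgery Vulnerability",
     "dateAdded": "2022-09-30", "dueDate": "2022-10-21"},
    {"cveID": "CVE-2022-36804", "vendorProject": "Atlassian",
     "product": "Bitbucket Server and Data Center",
     "vulnerabilityName": "Atlassian Bitbucket Server and Data Center Command Injection Vulnerability",
     "dateAdded": "2022-09-30", "dueDate": "2022-10-21"}
  ]
}"""

# Constructed asset inventory. In practice the per-host CVE list comes from a
# vulnerability scanner export; the placeholder ids below are not in the sample feed.
SAMPLE_INVENTORY = [
    {"host": "mail01.example.test", "cves": ["CVE-2022-41040", "CVE-2022-41082"]},
    {"host": "git01.example.test", "cves": ["CVE-2022-36804", "CVE-0000-PLACEHOLDER-1"]},
    {"host": "web01.example.test", "cves": ["CVE-0000-PLACEHOLDER-2"]},
]


def load_kev(feed_text: str) -> dict:
    """Parse a KEV-shaped JSON document into a dict keyed by upper-cased CVE id."""
    feed = json.loads(feed_text)
    return {entry["cveID"].upper(): entry for entry in feed["vulnerabilities"]}


def match_inventory(catalog: dict, inventory: list, today_iso: str) -> list:
    """Return one finding per (host, CVE) pair that appears in the KEV catalog.

    Findings are sorted so the earliest remediation due date comes first; ties
    are broken by host and CVE so the report order is stable.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = catalog.get(cve.upper())
            if entry is None:
                continue  # not a known-exploited CVE: handled by normal patch cadence
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "name": entry["vulnerabilityName"],
                "due": due.isoformat(),
                "days_left": (due - today).days,
                "overdue": due < today,
            })
    findings.sort(key=lambda f: (f["due"], f["host"], f["cve"]))
    return findings


def hosts_needing_action(findings: list) -> list:
    """Distinct hosts carrying at least one KEV-listed CVE, in report order."""
    hosts = []
    for finding in findings:
        if finding["host"] not in hosts:
            hosts.append(finding["host"])
    return hosts


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for f in match_inventory(kev, SAMPLE_INVENTORY, "2022-10-03"):
        state = "OVERDUE" if f["overdue"] else f"{f['days_left']} days left"
        print(f"{f['host']:22} {f['cve']:15} due {f['due']} ({state})  {f['name']}")
```

Swapping SAMPLE_KEV_JSON for the downloaded feed and SAMPLE_INVENTORY for a scanner export is the only change needed to run this against real data; matching on the CVE id alone is deliberate, since that is the one key shared between the catalog and nearly every scanner's output.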
Linux Kernel 6.0 Officially Released
After approximately 2 months of development, Linus Torvalds announced the release of Linux kernel 6.0.
The kernel has numerous updates and new drivers. On top of that, it has many bug fixes and tweaks to provide better performance than previous kernels, including tweaks to task placement on large systems, performance improvements to the in-kernel TLS implementation, and a new IORING_RECV_MULTISHOT flag to enable multi-shot operation with recv() calls.
“Security-wise, Linux kernel 6.0 implements fetching of random-number seeds from bootloader’s setup data to the x86 and m68k kernels, support for the SafeSetID security module to control setgroups() changes, support for the ARIA encryption algorithm, as well as support for hooks attached to a control group or a single target process to the BPF security module.”
References
- https://lkml.org/lkml/2022/10/2/255
- https://9to5linux.com/linux-kernel-6-0-officially-released-this-is-whats-new
Fake CISO Profiles on LinkedIn
If you have been paying attention to any of the recent breaches and attacks you’d know that hackers use LinkedIn to do reconnaissance on the target company. This is very common for attacks that involve a social engineering component. A good example of it was recounted in an episode of Darknet Diaries covering the LinkedIn breach:
“So, the hacker starts looking on LinkedIn’s website for people who worked there; engineers, system administrators, anyone who might have access into that VPN.”
“This hacker found a LinkedIn engineer who probably had remote VPN access as well as access to the database inside, and the hacker zeroed in on this guy. The hacker saw this engineer’s LinkedIn profile and on his profile there was a URL to this engineer’s personal website. Basically, it was like this engineer’s name.com.”
The episode goes on to describe, in detail, how the hack was carried out using that engineer’s personal machine.
Now it appears that LinkedIn is back in the spotlight for a potential malicious use case. Last week, krebsonsecurity.com reported that “Someone has recently created a large number of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations.”
As of that story’s writing you could still find fake CISO profiles for Chevron and ExxonMobil on LinkedIn. It is worth noting that LinkedIn hasn’t implemented simple checks to improve trust. For example, unlike Twitter it does not show a “created on” date or offer a verified account mark for those who choose to validate their accounts.
If you think fake LinkedIn profiles are not a serious security threat you’d be surprised what hackers can do with LinkedIn data. Darknet Diaries has a very entertaining and meticulous first-hand account of how the POTUS Twitter account was compromised using LinkedIn data:
“JACK: Trump’s LinkedIn password in 2012 was ‘yourefired’, all lowercase, no spaces, no special characters. ‘You’re fired’ was the catchphrase he used on his reality TV show The Apprentice.
JACK: Edwin was just too curious. He went straightaway to twitter.com, typed in the username @realDonaldTrump and typed in the password ‘yourefired’. It worked to a degree. Twitter didn’t just let him in right away but it also didn’t say Incorrect Password. Instead, it asked Edwin to confirm the e-mail address for the account.
VICTOR: So, we got the extra check for his e-mail address but at that time, we knew of course hey, the password is”
- https://krebsonsecurity.com/2022/09/fake-ciso-profiles-on-linkedin-target-fortune-500s/
- https://twitter.com/briankrebs/status/1575528459077656576
- https://darknetdiaries.com/episode/86/
- https://darknetdiaries.com/episode/87/
Hyundai's Easy-to-Steal Cars
Hyundai Motor Company is offering a $170 security kit to owners of older Hyundai vehicles. The kit includes a kill switch and an alarm; Kia Motors does not offer the kit.
Hyundai and Kia vehicles have been targets of car thieves in recent months because they are incredibly easy to steal, and thieves are sharing how-to videos on social media. The raft of thefts is so bad that an average of six Hyundai vehicles are stolen each day just in Milwaukee, according to local news station WTMJ.
Vehicle owners will be expected to pay for the installation of the kit, which could cost up to $500, according to a lawyer working on one of many class action lawsuits against Hyundai over the issue. Automotive News said 15 different suits have been filed in 14 states. The lawsuits ask for monetary damages and for Hyundai to recall the affected models because the automaker did not install engine immobilizers as standard equipment until November 2021.
GitHub's Arctic Code Vault is now a literal vault
The GitHub Arctic Code Vault is a data repository preserved in the Arctic World Archive, a very-long-term archival facility 250m deep in the permafrost of an Arctic mountain.
The vault contains snapshots of every active public repository on GitHub.com as of February 2, 2020, preserved in multiple formats. The purpose of the repository is to preserve open-source software for future generations. The repository is not expected to be accessed or opened for at least 1,000 years.
The GitHub Arctic Code Vault was announced on February 2, 2020, the day of the snapshot. The project is a collaboration between GitHub, Microsoft, and the Svalbard Global Seed Vault. The GitHub Arctic Code Vault comes with a price tag of about $1 billion.