Control plane RCEs are everywhere and CI/CD compromised, Oct 23rd–29th – F5 SIRT This Week in Security
This week's editor is Lior. This week's security news highlights that RCEs are everywhere, and that they sit in the control plane (the configuration utility GUI/API) exposed to the public internet.
RCE is Remote Code Execution: code that runs inside the software as a result of a remote request. RCE bugs are inherent in how software is built. The granularity that makes software such a great tool is also the challenge in keeping all those moving parts secured. It is always easier to find one open window than to keep every entry point closed. This is why security defense exists: to close this gap.
Reducing the risk from RCEs can be done by removing the control plane interface from the public internet: require an SSL VPN into the environment (intranet/DMZ style) and only then allow access to the utility. This prevents any public attempt to exploit a control plane RCE vulnerability. Some environments and topologies force you to place the control plane on the public internet; there, the risk can be reduced by following hardening best practices and placing a WAF in front of your control plane GUI to provide virtual patching for the RCE. A WAF can also mitigate other attacks on a public control plane, such as brute forcing the login page or DoSing the device login page. We at F5 SIRT have advocated this approach for many years: placing any configuration utility on the public internet poses a critical risk, and it is just a matter of time until it is hacked. Protect your control plane and keep it safe.
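As an added example (not from this post or from F5's own tooling), a small audit that applies the placement rule above to an inventory of configuration-utility listeners: an internal address is the recommended setup, a public address with no source restriction is flagged for action, and a public address limited to named source networks is flagged as still needing hardening and a WAF. The inventory record format, the "internal network" policy and the sample addresses are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field

# Networks this audit treats as "not public": RFC 1918, loopback, link-local and
# their IPv6 counterparts. Anything else is assumed reachable from the internet.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

@dataclass
class MgmtListener:
    """One configuration-utility endpoint (hypothetical inventory record)."""
    name: str
    address: str                   # address the GUI/API listens on
    allowed_sources: list = field(default_factory=list)  # permitted source networks; [] = no filter

def _is_internal(addr):
    # Membership test is version-aware: an IPv6 address is never "in" an IPv4 network.
    return any(addr in net for net in _INTERNAL_NETS)

def _is_unrestricted(network):
    """A /0 entry in the allow list lets every source address through."""
    return ipaddress.ip_network(network, strict=False).prefixlen == 0

def classify(listener):
    addr = ipaddress.ip_address(listener.address)
    if _is_internal(addr):
        return "INTERNAL"    # reachable only over VPN/intranet: the recommended placement
    if not listener.allowed_sources or any(map(_is_unrestricted, listener.allowed_sources)):
        return "EXPOSED"     # public address with no effective source restriction
    return "RESTRICTED"      # public address, named sources only: still needs hardening + WAF

def audit(inventory):
    """Map each listener name to its exposure class; EXPOSED entries come first in triage."""
    return {item.name: classify(item) for item in inventory}

# Constructed sample inventory; RFC 5737 / RFC 3849 documentation addresses stand in for public ones.
INVENTORY = [
    MgmtListener("bigip-dmz-01", "203.0.113.10"),
    MgmtListener("bigip-dmz-02", "203.0.113.11", ["0.0.0.0/0"]),
    MgmtListener("bigip-dmz-03", "203.0.113.12", ["198.51.100.0/24"]),
    MgmtListener("bigip-core-01", "10.20.30.40"),
    MgmtListener("ci-server-01", "2001:db8::10", ["::/0"]),
]

if __name__ == "__main__":
    for name, verdict in sorted(audit(INVENTORY).items()):
        print(f"{name:16} {verdict}")
```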
F5 Warns of Critical Remote Code Execution Vulnerability in BIG-IP
Recently F5 published its quarterly security notification (QSN) and, last week, an out-of-band security notification (OOBSN) for a critical vulnerability fix. F5 established the Quarterly Security Notification to give customers a way to prepare for vulnerability fixes ahead of time, on a known date.
Out-of-band notifications are emergency notifications, issued where a security vulnerability exists and needs to be addressed ASAP. The nature of vulnerability disclosure when working with other parties, such as security companies and security researchers, can result in an out-of-band notification before the vulnerability becomes public. This reflects the security commitment F5 invests in its software to keep customers safe.
North Korean Attackers Exploiting Critical CI/CD Vulnerability
This is probably the best way to spread malicious software: take over the distribution repository so that any customer accessing the repo downloads malicious code. Notable quotes:
“… Observed two North Korean nation-state actors – Diamond Sleet and Onyx Sleet – exploiting the remote code execution vulnerability, CVE-2023-42793, since early October 2023.”
“The flaw, which has a 9.8 CVSS severity rating, affects multiple versions of JetBrains TeamCity server used by organizations for DevOps and other software activities.”
“North Korean threat actors are actively exploiting a critical vulnerability in a continuous integration/continuous deployment (CI/CD) application used in software development, Microsoft has warned.”
Critical RCE flaws found in SolarWinds access audit solution
Yet another RCE. Notable quotes:
“Security researchers found three critical remote code execution vulnerabilities in the SolarWinds Access Rights Manager (ARM) product that remote attackers could use to run code with SYSTEM privileges.
SolarWinds ARM is a tool that enables organizations to manage and audit user access rights across their IT environments. It offers Microsoft Active Directory integration, role-based access control, visual feedback, and more.”
Okta Support System Hacked, Sensitive Customer Data Stolen
Customers upload files to vendor support. The vendor cannot know what they upload and may assume the files are safe; under zero trust security, the vendor can instead assume they are malicious. Notable quotes:
“Identity and access management tech firm Okta on Friday warned that hackers broke into its support case management system and stole sensitive data that can be used to impersonate valid users.
A security notice from Okta security chief David Bradbury said the company found “adversarial activity” that leveraged access to a stolen credential to access the support case management system.
Bradbury said the compromised Okta support case management system is separate from the production Okta service, which was not impacted and remains fully operational. He said the Auth0/CIC case management system was also not impacted by this incident.”