This Week in Security: Kali Purple, Malicious Notifications, and Cybersecurity Strategy
After a one-week hiatus, we’re back. It’s been a busy couple weeks, and up first is the release of Kali Purple. This new tool from Kali Linux is billed as an SOC-in-a-box, that follows the NIST CSF structure. That is a veritable alphabet soup of abbreviated jargon, so let’s break this down a bit. First up, SOC IAB or SOC-in-a-box is integrated software for a Security Operation Center. It’s intrusion detection, intrusion prevention, data analysis, automated system accounting and vulnerability scanning, and more. Think a control room with multiple monitors showing graphs based on current traffic, a list of protected machines, and log analysis on demand.
NIST CSF is guidance published by the National Institute of Standards and Technology, a US government agency that does quite a bit of the formal ratification of cryptography and other security standards. CSF is the CyberSecurity Framework, which among other things, breaks cybersecurity into five tasks: identify, protect, detect, respond, and recover. The framework doesn’t map perfectly to the complexities of security, but it’s what we have to work with, and Kali Purple is tailor-made for that framework.
Putting that aside, what Purple really gives you is a set of defensive and analytical tools that rival the offensive tools in the main Kali distro. Suricata, Arkime, Elastic, and more are easily deployed. The one trick that really seems to be missing is the ability to deploy Kali Purple as the edge router/firewall. The Purple deployment docs suggest an OPNSense deployment for the purpose. Regardless, it’s sure to be worthwhile to watch the ongoing development of Kali Purple.
Notification of Doom
It’s amazing the “features” that lie dormant in popular software, until discovered as vulnerabilities. Did you know that Microsoft Outlook had a property that defined the sound file that should play when an email triggered a reminder? That seems like a problem on its own. An arbitrary audio file is bad enough. But what makes this misfeature a vulnerability is the fact that the filename could be a remote path. So send an email, trigger a remote server access.
That access happens when the email is received, regardless of other security settings. It’s a pretty simple way to hijack a remote authentication, and gives away a shadow credential. That’s a technique where a KeyCredentialLink is slipped into the connection stream, and serves as a credential for authorization.
The fix for this issue, tracked as CVE-2023-23397, shipped on the 14th. Microsoft also published a script to clean those problematic emails. No word on whether this completely removes the custom sound feature completely, or just blocks outside file sources. This one is apparently being exploited in the wild, so get it patched.
Speaking of flaws being exploited, Google’s Threat Analysys Group discovered another Windows issue, where the SmartScreen warning can be bypassed. Windows sets a flag on downloaded files, the Mark of the Web (MotW), and warns the user that the file is from the internet and may be dangerous. Trusted developers can sign their installers and avoid the warning. CVE-2023-24880 is a technique where the signature on malicious MSI files is malformed, and the processing error leads to a bypass of the SmartScreen warning. This is being used in the Magniber ransomware campaign, and has been fixed in this month’s Patch Tuesday.
And for more Microsoft goodness, there’s CVE-2023-23415, a Remote Code Execution vulnerability in ICMP packets. It’s yet another case of packet fragments embedded in ICMPs causing problems. The caveat is that to be vulnerable, the machine has to have a process listening on a raw socket, and that machine also be accessible to ICMP packets. There isn’t a public exploit yet, and the PoC seems to cause crash rather than an RCE. Still, this is one to take a close look at.
The Government Will Fix It
The US Government has rolled out a National Cybersecurity Strategy (PDF) that’s sure to end ransomware, make everything secure, and — OK, maybe that’s a bit too much sarcasm. But the idea of a government policy to fix security is a bit scary. Among the proposed solutions are: liability for companies that ship insecure software, continuing the push for quantum-resistant cryptography, and pushing for better IPv6 rollout. It seems likely that one of those three ideas will actually have a positive outcome on security. I’ll leave the rest of the analysis to others, like Robert Graham, who sums the whole document up nicely, “Safen up!”
It’s like Homer Simpson trying to appear effective as “safety inspector” who sees his jobs as telling everyone to “safen up!”. pic.twitter.com/Uoe0ljRw7q
— Robᵉʳᵗ Graham @firstname.lastname@example.org (@ErrataRob) March 2, 2023
And the EU is getting in on the game, too. The headlining change here is to apply cybersecurity regulation to pure software. Does that include Open Source Software? Will the Linux kernel fall under those security guidelines? Nobody knows yet. Similar to software licenses, laws don’t have objective meaning until they’re tested in a courtroom.
Now don’t misunderstand, there are some great elements to both of these documents. The EU guidelines are going to require vulnerability disclosures, a published disclosure policy, and a contact address for vulnerability reporting. How many times have we covered stories about a researcher that struggles to get the attention of a big company, in order to report security findings? But even the good-sounding parts can be dangerous to mandate. Automatic updates are great, but there are some of my systems that I really don’t want to automatically pull firmware from the Internet. A “secure by default configuration” sounds good, but there’s a set of real trade-offs in any solution to the problem of secure initial setup. Pseudo-randomized passwords for every device sounds great, until the formula leaks for deriving the default password from the MAC address.
In the words of the G-Man himself, “prepare for unforeseen consequences.”
Github’s Insecure Security Advisory
Github is on a bit of a feature binge, and while there’s some great new tools in the mix, there is also the occasional bug that makes it through. Like this one, in Github’s Security Advisories, where an unprivileged user can report a vulnerability. Making that report automatically makes the reporter a collaborator, which can be great for getting things fixed. The problem was that this outside reporter was allowed to access the project’s Codespace, which is another new Github feature, for rapid iteration and testing.
Codespace comes with its own project environment variables, some of which can be secrets. Think AWS tokens, or access to a gerrit or Jenkins instance. Researchers from Ophinion Security noticed the loophole, and took the logical next step — hacking the Github internal repositories, via a user token for
gh-containers-bot. That definitely did the trick, and the issue got fixed in 24 hours
Bits and Bytes
Ring has been hit with a ransomware attack, maybe. And like such attacks of big companies go these days, the attackers, ALPHV, are threatening to dump private data. The only problem is that Ring claims point-blank that they haven’t been breached. But there’s enough evidence to say that ALPHV has *something*, and Ring claims that it was a third-party vendor that was breached. We’ll see if and when data starts leaking.
There’s a vulnerability in Home Assistant that affects Home Assistant AS and Supervised installs. It’s an authentication bypass in the Supervisor API, and looks to have been in the code since 2017. This is a CVSS 10.0, and while there is not yet any evidence of exploitation, if your Home Assistant install is exposed to the internet, your hair might just be on fire.
The GoAnywhere vulnerability just keeps going, as Rubrik is the latest to get caught by the vulnerability. The issue was disclosed earlier this year, and Clop has claimed credit for hitting over a hundred locations with the flaw. Rubrik is the latest high-profile firm to feel the pain, but this vulnerability really seems to have legs.
And finally, falling into the so-clever-it’s-silly category, malware for SonicWall appliances has a clever mechanism for surviving firmware updates. Namely, the infection checks for an official update, downloads it, and pre-installs itself into the new software package. So when the user or automated process finally triggers the install, the fix is already in. Devilishly clever.