World Backup Day: Because Real Life Can Have Save Points Too

March 31 is World Backup Day. Get 1-up on theft, device failure and data loss by creating and checking backups — both for your organization and for yourself. 

You’ve been playing for hours. You’ve faced two tough enemies in a row, and all signs indicate you’re about to take your remaining 12 hit points straight into a boss fight.

Up ahead a glowing stone beckons like a glimmering oasis.

“Would you like to save your progress?” a popup asks as you approach.

Um. YES!

But as obvious a choice as that seems, when the same opportunity presents itself in real life, a shocking number of people don’t take advantage of it.

What Do You Have to Lose?

The digital revolution has brought about unprecedented efficiency and convenience, ridding us of the need for bulky filing cabinets, media storage, photo albums, rolodexes and more. But every time we outsource the storage of our data to the cloud, we become a little more reliant on digital devices that are anything but infallible.

According to WorldBackupDay.com, more than 60 million computers worldwide will fail this year, and more than 200,000 smartphones—113 every minute—will be lost or stolen. But while the devices themselves are replaceable, their contents often aren’t. Imagine what could be at stake: All the photos you’ve taken of your children over the past two years. Every message you ever sent your spouse, all the way back to the very beginning. The last voicemail you ever got from your grandmother. All could disappear in an instant, even when associated with cloud accounts, as experienced below.

But the loss isn’t always just sentimental. Sometimes it’s professional too, as journalist Matt Honan found out in 2012. Honan used an iCloud account for his data, but had no backups — and when hackers gained access to the account, they remotely wiped his phone, tablet and computer. They also took over and deleted his Google account. “In the space of one hour,” Honan told Wired, “my entire digital life was destroyed.”

Good Backups Are Good Business

Businesses have fallen victim to devastating data loss, as well. In 1998, Pixar lost 90% of its film “Toy Story 2,” then in progress, due to the combination of a faulty command and insufficient backups.

And when social media/bookmarking site Ma.gnolia.com experienced a database failure resulting in the loss of all user data, it ultimately shuttered the company. “I made a huge mistake in how I set up my [backup] system,” founder Larry Halff said of the incident. 

The Cultural Cost of Insufficient Backups

While World Backup Day’s primary goal is to encourage people to create and check their backups, it also aims to spark discussion of an enormous task: how to preserve our increasingly digital heritage and cultural works for future generations.

Due to insufficient archiving and backup practices, many cultural properties have already disappeared. For example, an entire season of the children’s TV show “Zodiac Island” was lost forever when a former employee at the show’s internet service provider deleted over 300GB of video files, resulting in a lawsuit over the ISP’s lack of backups.

And decades before, a similar fate befell the now-iconic sci-fi series “Dr. Who.” The Film Library of Britain and BBC Enterprises each believed the other party was responsible for archiving the material. As a result, the BBC destroyed its own copies at will, resulting in the master videotapes of the series’ first 253 episodes being recorded over or destroyed. Despite the existence of secondary recordings and showrunners obtaining copies from as far away as Nigeria, 97 episodes are still unaccounted for and presumed lost for good.

How to Ensure Your Digital Future Today

With so much at stake, you’d think almost everyone would back up their data at least occasionally. This isn’t the case, however. According to WorldBackupDay.com, only about 1 in 4 people are backing up their data regularly, and an astounding 21% have never made a backup.

This phenomenon is also seen at the corporate level. While 45% of companies have reported downtime from hardware failure and 28% reported a data loss event in the past 12 months, FEMA reports that 1 in 5 companies don’t have a disaster recovery/business continuity plan (and thus don’t typically have current backups). With 20% of SMBs facing catastrophic data loss every five years, being left unprepared is much less an “if” than a “when.”

The difference in outcome for these businesses is stark. Ninety-three percent of businesses that experienced data loss and more than ten days of downtime filed for bankruptcy within a year. But 96% of businesses that had a disaster recovery plan fully recovered operations.

While a good backup plan will require ongoing attention, today is a great day to start — and even one backup is a tremendous improvement over no backups at all. The World Backup Day website is full of information on online backup services, external hard drive backup, computer backup, smartphone backup, creating a NAS backup, and other methods of preserving your data.

If you’re like many IT professionals and already understand the importance of backups, today’s a perfect day to test your backups out and make sure they’re still fully operational. It’s also a good opportunity to share the importance of backups with bosses, colleagues and friends.

After all, if you’re an individual, you won’t get an “extra life” to go back and relive all the memories you might lose if your device fails. And if you’re a small- or medium-sized business owner and lose all your data, having backups might be the difference between “Continue” and “Game Over.” On World Backup Day and every day, the choice is up to you.

To learn more about backups, visit WorldBackupDay.com.

Source :
https://blog.sonicwall.com/en-us/2022/03/world-backup-day-because-real-life-can-have-save-points-too/

Hackers can crash Cisco Secure Email gateways using malicious emails

Cisco has addressed a high severity vulnerability that could allow remote attackers to crash Cisco Secure Email appliances using maliciously crafted email messages.

The security flaw (tracked as CVE-2022-20653) was found in DNS-based Authentication of Named Entities (DANE), a Cisco AsyncOS Software component used by Cisco Secure Email to check emails for spam, phishing, malware, and other threats.

The bug, caused by insufficient error handling in DNS name resolution, was found and reported to Cisco by Rijksoverheid Dienst ICT Uitvoering (DICTU) security researchers.

“An attacker could exploit this vulnerability by sending specially formatted email messages that are processed by an affected device,” Cisco explained.

“A successful exploit could allow the attacker to cause the device to become unreachable from management interfaces or to process additional email messages for a period of time until the device recovers, resulting in a DoS [Denial-of-Service] condition.”

To make things even worse, continued attacks can cause the targeted devices to become completely unavailable, which results in a persistent DoS condition.

The company’s Product Security Incident Response Team (PSIRT) said that it found no evidence of malicious exploitation in the wild before the security advisory was published on Wednesday.

Vulnerable component not enabled by default

While the security vulnerability can be exploited remotely by unauthenticated attackers, Cisco says the vulnerable DANE email verification component is not enabled by default.

Admins can check if DANE is configured by going to the Mail Policies > Destination Controls > Add Destination web UI page and confirming whether the DANE Support option is toggled on.

Cisco has also confirmed that CVE-2022-20653 does not impact Web Security Appliance (WSA) and Secure Email and Web Manager or devices without the DANE feature enabled.

The company also provided a workaround requiring customers to configure bounce messages from Cisco ESA instead of from downstream dependent mail servers to block exploitation attempts.

Earlier this month, Cisco patched several maximum severity flaws with proof-of-concept exploit code available that would enable threat actors to take control of Small Business RV Series routers without authentication.

Source :
https://www.bleepingcomputer.com/news/security/hackers-can-crash-cisco-secure-email-gateways-using-malicious-emails/

OpenSSL cert parsing bug causes infinite denial of service loop

OpenSSL has released a security update to address a vulnerability in the library that, if exploited, triggers an infinite loop and leads to a denial-of-service condition.

Denial of service attacks may not be the most disastrous security problem. However, they can still cause significant business interruption, long-term financial repercussions, and brand reputation degradation for those affected.

That is especially the case for software like OpenSSL, a ubiquitous secure communication library used by many large online platforms. Therefore, any vulnerability that affects the library can significantly impact a large number of users.

Certificates causing DoS

In this case, the high-severity OpenSSL problem lies in a bug in the BN_mod_sqrt() function: if it is handed a maliciously crafted certificate to parse, it enters an infinite loop.

The certificate has to contain elliptic curve public keys in compressed form or elliptic curve parameters with a base point encoded in compressed form to trigger the flaw.

“Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack,” describes OpenSSL’s security notice.

“The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.” 
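To make the failure mode concrete, here is an added Python example (not OpenSSL’s code, and not from the article) of the Tonelli-Shanks modular square root that BN_mod_sqrt() implements. A modular square root only exists, and the algorithm’s search loops only terminate, when the modulus really is prime and the input really is a quadratic residue; the elliptic curve parameters in a certificate supply both, and a crafted certificate supplies bad ones. The hardened version below bounds every loop by its mathematical maximum and verifies the result, so a bad modulus produces an error (None) instead of spinning forever, which is the general fix for this bug class.

```python
def mod_sqrt(a, p):
    """Tonelli-Shanks: return r with r*r == a (mod p), or None.

    Every loop is bounded, so the function terminates even when p is not
    prime or a is not a square (the inputs a crafted certificate controls).
    Added illustration, not OpenSSL's implementation.
    """
    a %= p
    if p == 2:
        return a
    if a == 0:
        return 0
    half = (p - 1) // 2
    # Euler's criterion: for prime p, a is a square iff a^((p-1)/2) == 1.
    if pow(a, half, p) != 1:
        return None
    # Factor p - 1 = q * 2^e with q odd.
    q, e = p - 1, 0
    while q % 2 == 0:
        q //= 2
        e += 1
    # Find a quadratic non-residue z; for a prime one always exists below p.
    z = 2
    while pow(z, half, p) != p - 1:
        z += 1
        if z >= p:            # only reachable when p is not prime
            return None
    c = pow(z, q, p)          # generator of the 2-power part of the group
    r = pow(a, (q + 1) // 2, p)
    t = pow(a, q, p)
    m = e
    while t != 1:
        # Find the least i with t^(2^i) == 1.  For prime p, 0 < i < m is
        # guaranteed.  An unbounded version of this search is where an
        # attacker-chosen composite modulus can make the loop spin forever.
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
            if i >= m:
                return None   # precondition violated: fail instead of hang
        b = pow(c, 1 << (m - i - 1), p)
        r = r * b % p
        c = b * b % p
        t = t * c % p
        m = i                 # strictly decreasing, so the outer loop ends too
    # Final verification catches anything that slipped past the checks above.
    return r if r * r % p == a else None
```

For a prime such as 13 the function returns a genuine root (6 or 7 for a = 10) and None for the non-residue 5; for a composite modulus such as 85 the bounded inner search returns None at the exact point where the unbounded algorithm has no valid next step.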

Unfortunately, the problem impacts quite a few deployment scenarios, such as: 

  • TLS clients consuming server certificates
  • TLS servers consuming client certificates
  • Hosting providers taking certificates or private keys from customers
  • Certificate authorities parsing certification requests from subscribers
  • Anything else which parses ASN.1 elliptic curve parameters

The vulnerability is tracked as CVE-2022-0778, and affects OpenSSL versions 1.0.2 to 1.0.2zc, 1.1.1 to 1.1.1n, and 3.0 to 3.0.1. 

Google’s security researcher Tavis Ormandy discovered the certificate parsing vulnerability and reported his findings to the OpenSSL team on February 24, 2022.

The fixed versions released yesterday are 1.1.1n and 3.0.2, while only premium users of 1.0.2 will be offered a fix through 1.0.2zd.

Because version 1.0.2 does not parse the public key during the parsing of the certificate, the infinite loop is slightly more complicated to trigger than the other versions, but it’s still doable.

OpenSSL 1.0.2 has reached EOL and is not actively supported, so non-premium users are advised to upgrade to a new release branch as soon as possible.

Already exploited by threat actors?

Although OpenSSL has not said that the bug is already used by threat actors, Italy’s national cybersecurity agency, CSIRT, has marked it as actively exploited in the wild.

Bleeping Computer has contacted the OpenSSL team to request a clarification on this point, and they told us they are not aware of any active exploitation at this time.

Even if the message is mixed on that front, the low complexity of exploitation and the published information will allow threat actors to test and play quickly with the vulnerability in the future.

An OpenSSL spokesperson shared the following statement with Bleeping Computer:

The flaw is not too difficult to exploit, but the impact is limited to DoS. The most common scenario where exploitation of this flaw would be a problem would be for a TLS client accessing a malicious server that serves up a problematic certificate. TLS servers may be affected if they are using client authentication (which is a less common configuration) and a malicious client attempts to connect to it. It is difficult to guess to what extent this will translate to active exploitation.

Because most users obtain OpenSSL from a third party, there’s no centralized authority to count upgrade stats, so it’s impossible to estimate how many vulnerable deployments are out there.

Source :
https://www.bleepingcomputer.com/news/security/openssl-cert-parsing-bug-causes-infinite-denial-of-service-loop/

Critical SonicWall firewall patch not released for all devices

Security hardware manufacturer SonicWall has fixed a critical vulnerability in the SonicOS security operating system that allows denial of service (DoS) attacks and could lead to remote code execution (RCE).

The security flaw is a stack-based buffer overflow weakness with a 9.4 CVSS severity score that impacts multiple SonicWall firewalls.

Tracked as CVE-2022-22274, the bug affects TZ Series entry-level desktop form factor next-generation firewalls (NGFW) for small- and medium-sized businesses (SMBs), Network Security Virtual (NSv series) firewalls designed to secure the cloud, and Network Security services platform (NSsp) high-end firewalls.

Exploitable remotely without authentication

Unauthenticated attackers can exploit the flaw remotely, via HTTP requests, in low complexity attacks that don’t require user interaction “to cause Denial of Service (DoS) or potentially results in code execution in the firewall.”

The SonicWall Product Security Incident Response Team (PSIRT) says there are no reports of public proof-of-concept (PoC) exploits, and it found no evidence of exploitation in attacks.

The company has released patches for all impacted SonicOS versions and firewalls and urged customers to update all affected products.

“SonicWall strongly urges organizations using impacted SonicWall firewalls listed below to follow the provided guidance,” the company said in a security advisory published on Friday.

Product: SonicWall Firewalls
Impacted platforms: TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSv 270, NSv 470, NSv 870
Impacted version: 7.0.1-5050 and earlier
Fixed version: 7.0.1-5051 and higher

Product: SonicWall NSsp Firewall
Impacted platforms: NSsp 15700
Impacted version: 7.0.1-R579 and earlier
Fixed version: Mid-April (Hotfix build 7.0.1-5030-HF-R844)

Product: SonicWall NSv Firewalls
Impacted platforms: NSv 10, NSv 25, NSv 50, NSv 100, NSv 200, NSv 300, NSv 400, NSv 800, NSv 1600
Impacted version: 6.5.4.4-44v-21-1452 and earlier
Fixed version: 6.5.4.4-44v-21-1519 and higher

NSsp 15700 firewall gets hotfix, full patch in April

The only affected firewall still waiting for a patch against CVE-2022-22274 is the NSsp 15700 enterprise-class high-speed firewall.

While a hotfix is already available for those reaching out to the support team, SonicWall estimates that a full patch to block potential attacks targeting this firewall will be released in roughly two weeks.

“For NSsp 15700, continue with the temporary mitigation to avoid exploitation or reach out to the SonicWall support team who can provide you with a hotfix firmware (7.0.1-5030-HF-R844),” the company explained.

“SonicWall expects an official firmware version with necessary patches for NSsp15700 to be available in mid-April 2022.”

Temporary workaround available

SonicWall also provides a temporary workaround to remove the exploitation vector on systems that cannot be immediately patched.

As the security vendor explained, admins are required to only allow access to the SonicOS management interface to trusted sources.

“Until the [..] patches can be applied, SonicWall PSIRT strongly recommends that administrators limit SonicOS management access to trusted sources (and/or disable management access from untrusted internet sources) by modifying the existing SonicOS Management access rules (SSH/HTTPS/HTTP Management),” SonicWall added.

The updated access rules will ensure that the impacted devices “only allow management access from trusted source IP addresses.”

The company’s support website also provides customers with more information on how to restrict admin access and tips on when to allow access to the firewalls’ web management interface.

“SonicWall has proactively communicated mitigation guidance to any impacted organizations,” the security vendor told BleepingComputer. 

Source :
https://www.bleepingcomputer.com/news/security/critical-sonicwall-firewall-patch-not-released-for-all-devices/

Sophos warns critical firewall bug is being actively exploited

British-based cybersecurity vendor Sophos warned that a recently patched Sophos Firewall bug allowing remote code execution (RCE) is now actively exploited in attacks.

The security flaw is tracked as CVE-2022-1040, and it received a critical severity rating with a 9.8/10 CVSS base score. 

It enables remote attackers to bypass authentication via the firewall’s User Portal or Webadmin interface and execute arbitrary code.

The vulnerability was discovered and reported by an anonymous researcher who found that it impacts Sophos Firewall v18.5 MR3 (18.5.3) and older.

“Sophos has observed this vulnerability being used to target a small set of specific organizations primarily in the South Asia region,” the company said in an update to the original security advisory.

“We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.”

Hotfixes and workarounds

To address the critical bug, Sophos released hotfixes that should be automatically deployed to all vulnerable devices since the ‘Allow automatic installation of hotfixes’ feature is enabled by default.

However, customers running end-of-life versions of Sophos Firewall must manually upgrade to patch the security hole and defend against the ongoing attacks.

For these customers and those who have disabled automatic updates, there’s also a workaround requiring them to secure the User Portal and Webadmin interfaces by restricting external access.

“Customers can protect themselves from external attackers by ensuring their User Portal and Webadmin are not exposed to WAN,” Sophos added.

“Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central for remote access and management.”

In the wild exploitation of Sophos Firewall bugs

Sophos provides detailed information on enabling the automatic hotfix installation feature and checking if the hotfix was successfully deployed.

After toggling on automatic hotfix installation, Sophos Firewall will check for new hotfixes every thirty minutes and after restarts.

Patching your Sophos Firewall instances is critically important, especially since they have been exploited in the wild before, with threat actors abusing an XG Firewall SQL injection zero-day starting in early 2020.

Asnarök trojan malware was also used to exploit the same zero-day to try and steal firewall credentials from vulnerable XG Firewall instances.

The zero-day was also exploited in attacks attempting to push Ragnarok ransomware payloads onto Windows enterprise networks.

Source :
https://www.bleepingcomputer.com/news/apple/sophos-warns-critical-firewall-bug-is-being-actively-exploited/

Trend Micro fixes actively exploited remote code execution bug

Japanese cybersecurity software firm Trend Micro has patched a high severity security flaw in the Apex Central product management console that can let attackers execute arbitrary code remotely.

Apex Central is a web-based management console that helps system admins manage Trend Micro products and services (including antivirus and content security products and services) throughout the network.

They can also use it to deploy components (e.g., antivirus pattern files, scan engines, and antispam rules) via manual or pre-scheduled updates.

The vulnerability (CVE-2022-26871) is a high severity arbitrary file upload weakness in the file handling module that unauthenticated attackers can abuse for remote code execution.

On Thursday, Trend Micro said it observed attempts to exploit the vulnerability in the wild as part of an ongoing attack.

“Trend Micro has observed an active attempt of exploitation against this vulnerability in-the-wild (ITW) in a very limited number of instances, and we have been in contact with these customers already,” the company said.

CISA orders federal agencies to patch

The Japanese antivirus vendor also urged customers of affected products (on-premises and as a Service) to update to the latest released version as soon as possible.

“Please note that the SaaS version has already been deployed on the backend and no further action is required from SaaS customers on this issue,” the company added for SaaS customers.

When asked how many customers were targeted in these attacks and if any of their networks were breached following these exploitation attempts, Trend Micro spokesperson Funda Cizgenakad told BleepingComputer that the company is “not able to comment on customers” since “this is confidential.”

On Thursday, following Trend Micro’s disclosure, the Cybersecurity and Infrastructure Security Agency (CISA) ordered federal civilian agencies to patch the actively exploited Apex Central bug within three weeks, by April 21, 2022.

The cybersecurity agency also urged private and public sector organizations in the US to prioritize patching this actively exploited bug to decrease their networks’ exposure to ongoing attacks.

CISA added the Trend Micro flaw to its Known Exploited Vulnerabilities Catalog, a list of security bugs exploited in the wild, with seven others, including a critical Sophos firewall bug.

Source :
https://www.bleepingcomputer.com/news/security/trend-micro-fixes-actively-exploited-remote-code-execution-bug/

Apple Issues Patches for 2 Actively Exploited Zero-Days in iPhone, iPad and Mac Devices

Apple on Thursday rolled out emergency patches to address two zero-day flaws in its mobile and desktop operating systems that it said may have been exploited in the wild.

The shortcomings have been fixed as part of updates to iOS and iPadOS 15.4.1, macOS Monterey 12.3.1, tvOS 15.4.1, and watchOS 8.5.1. Both the vulnerabilities have been reported to Apple anonymously.

Tracked as CVE-2022-22675, the issue has been described as an out-of-bounds write vulnerability in an audio and video decoding component called AppleAVD that could allow an application to execute arbitrary code with kernel privileges.

Apple said the defect was resolved with improved bounds checking, adding it’s aware that “this issue may have been actively exploited.”

The latest version of macOS Monterey, besides fixing CVE-2022-22675, also includes remediation for CVE-2022-22674, an out-of-bounds read issue in the Intel Graphics Driver module that could enable a malicious actor to read kernel memory.

The bug was “addressed with improved input validation,” the iPhone maker noted, once again stating there’s evidence of active exploitation, while withholding additional details to prevent further abuse.

The latest updates bring the total number of actively exploited zero-days patched by Apple to four since the start of the year, not to mention a publicly disclosed flaw in the IndexedDB API (CVE-2022-22594), which could be weaponized by a malicious website to track users’ online activity and identities in the web browser. The two earlier zero-days were:

  • CVE-2022-22587 (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
  • CVE-2022-22620 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution

In light of active exploitation of the flaws, Apple iPhone, iPad, and Mac users are highly recommended to upgrade to the latest versions of the software as soon as possible to mitigate potential threats.

The iOS and iPad updates are available to iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Source :
https://thehackernews.com/2022/03/apple-issues-patches-for-2-actively.html

Zyxel Releases Patches for Critical Bug Affecting Business Firewall and VPN Devices

Networking equipment maker Zyxel has pushed security updates for a critical vulnerability affecting some of its business firewall and VPN products that could enable an attacker to take control of the devices.

“An authentication bypass vulnerability caused by the lack of a proper access control mechanism has been found in the CGI program of some firewall versions,” the company said in an advisory published this week. “The flaw could allow an attacker to bypass the authentication and obtain administrative access to the device.”

The flaw has been assigned the identifier CVE-2022-0342 and is rated 9.8 out of 10 for severity. Credited with reporting the bug are Alessandro Sgreccia from Tecnical Service Srl and Roberto Garcia H and Victor Garcia R from Innotec Security.

The following Zyxel products are impacted –

  • USG/ZyWALL running firmware versions ZLD V4.20 through ZLD V4.70 (fixed in ZLD V4.71)
  • USG FLEX running firmware versions ZLD V4.50 through ZLD V5.20 (fixed in ZLD V5.21 Patch 1)
  • ATP running firmware versions ZLD V4.32 through ZLD V5.20 (fixed in ZLD V5.21 Patch 1)
  • VPN running firmware versions ZLD V4.30 through ZLD V5.20 (fixed in ZLD V5.21)
  • NSG running firmware versions V1.20 through V1.33 Patch 4 (Hotfix V1.33p4_WK11 available now, with standard patch V1.33 Patch 5 expected in May 2022)

While there is no evidence that the vulnerability has been exploited in the wild, it’s recommended that users install the firmware updates to prevent any potential threats.

CISA warns about actively exploited Sophos and Trend Micro flaws

The disclosure comes as both Sophos and SonicWall released patches this week to their firewall appliances to resolve critical flaws (CVE-2022-1040 and CVE-2022-22274) that could allow a remote attacker to execute arbitrary code on affected systems.

The critical Sophos firewall vulnerability, which has been observed exploited in active attacks against select organizations in South Asia, has since been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities Catalog.

Also added to the list is a high-severity arbitrary file upload vulnerability in Trend Micro’s Apex Central product that could allow an unauthenticated remote attacker to upload an arbitrary file, resulting in code execution (CVE-2022-26871, CVSS score: 8.6).

“Trend Micro has observed an active attempt of exploitation against this vulnerability in-the-wild (ITW) in a very limited number of instances, and we have been in contact with these customers already,” the company said. “All customers are strongly encouraged to update to the latest version as soon as possible.”

Source :
https://thehackernews.com/2022/03/zyxel-releases-patches-for-critical-bug.html

Is there such a thing as Spring4Shell?

Very early in the morning on March 30th (for me), my colleague DeveloperSteve posted a “Hey, have you seen this?” message in our slack channel. It was an “advance warning” of a “probable” remote code execution (RCE) in the massively popular Java Spring framework. I would come to find out that even earlier than that, the Snyk Security team had started investigating a potential RCE in Spring after seeing a tweet that has since been deleted.

Details seemed sketchy at best at this point (about 1:20am EDT). There was a tweet with screenshots that had been deleted. There were references to a pull request (PR) that, as it turns out, was first put up on February 18th, but only merged on March 29th.

Various parties were trying to make the nickname “Spring4Shell” stick (or, sometimes just SpringShell), while Spring Core maintainers were adding comments to the PR saying there was no known RCE.

So, just what the heck was going on and what is going on now?

What’s the bottom line (for now)?

There’s a credible RCE vulnerability in spring-beans package, which is part of Spring Core. This is a key enabler of the inversion of control (IoC) capabilities of Spring. This is often referred to as dependency injection.

If you’ve used the @Autowired annotation or utilized the magic of constructor injection, you’ve encountered dependency injection in the Spring ecosystem.

In affected versions, an RCE is achievable by manipulating the ClassLoader via a carefully composed HTTP POST request.

At this time, the exploit is only known to be possible with a Java Runtime Environment (JRE) version 9 or greater AND Tomcat version 9 or greater.

The best immediate remediation is to deploy your application in an older version of the JRE and/or an older version of Tomcat.

We’ll continue to provide updates through our vulnerability database as the situation evolves.

Where is all the confusion coming from?

One of the first blog posts our team was alerted to in the wee hours of March 30th has since been deleted. This post referenced a tweet that was also deleted. Despite the double-delete, there was a verifiable reference to a commit to Spring Core that is related to deserialization (a Java feature that has led to RCEs before – Log4Shell, anyone?).

The comment on this commit says:

Since SerializationUtils#deserialize is based on Java's serialization
mechanism, it can be the source of Remote Code Execution (RCE)
vulnerabilities.

As the day progressed, there was more buzz (with very little verifiable fact to back it up) that we might be dealing with an RCE in Spring Core.

Further down in the comments, a Spring Core committer validated another comment stating that this commit had nothing to do with any known RCE.

And, in fact, if you look at the PR the commit resolves, it was first opened on February 18th.

Now, here’s the kicker: while all this was going on, the Interwebs was busy conflating this evolving issue with another known issue in a completely different project: Spring Cloud Function. So as to not further this confusion, I won’t go into the details of this vulnerability. Suffice it to say that if you’re reading something on vulnerabilities in Spring Cloud, you’re barking up the wrong tree for information on Spring4Shell (please, can we give it a different name?)

So, what is Spring4Shell after all?

Stay tuned

We’ll be updating this blog as we learn more about Spring4Shell (last update: March 31, 2022)

Out of an abundance of caution and not wanting to act on incomplete information, security researchers at Snyk spent time reviewing the situation over the course of the day on March 30th.

At this time, our conclusion is that there’s a credible RCE threat in the Spring Core spring-beans package. For better or worse, Spring4Shell is sticking. It makes sense as there’s already a legitimate Spring Shell project in the Spring ecosystem.

Spring4Shell remediation

A new version of the Spring Framework has been released that the current exploit does not work on. It’s version 5.2.20.

And, if you work with Spring Boot, just today version 2.5.12 was released which integrates the changes to the Spring framework and spring-beans. Note: The latest Spring Boot release, 2.6.5, does NOT have these fixes in place. The Spring Boot team is working on release 2.6.6 which will include these updates as well. We’ll keep you posted when that becomes available.

Here’s a list of remediation steps you can take in order of preference:

  • If you use Spring Framework directly, upgrade to version 5.2.20
  • If you use Spring Boot, use version 2.5.12. Note: This may represent a downgrade if you are already on 2.6.x, as that version has not yet been updated to integrate these fixes
  • If you can’t upgrade your version of Spring at this time, use a version 8 JRE and/or Tomcat container to mitigate the issue
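As an added example (not code from the Snyk post or the Spring project), here is a small script that applies the remediation list above to a Maven POM: it reports the parent and each dependency as fixed, vulnerable or unknown against the versions the post names, and treats lines the post gives no fixed release for (Spring Boot 2.6.x) as unknown rather than safe. The sample POM and its spring.version property are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Fixed versions as stated in the post (as of March 31, 2022):
# Spring Framework 5.2.20 and Spring Boot 2.5.12. Spring Boot 2.6.x had no
# fixed release yet, so that line (and any line not listed here) is reported
# as "unknown" rather than assumed safe.
FIXED_BY_LINE = {
    "org.springframework": {(5, 2): (5, 2, 20)},
    "org.springframework.boot": {(2, 5): (2, 5, 12)},
}
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def parse_version(text):
    """'5.2.19.RELEASE' -> (5, 2, 19); qualifiers are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])

def assess(group_id, version):
    """Classify one artifact as 'fixed', 'vulnerable' or 'unknown'."""
    lines = FIXED_BY_LINE.get(group_id)
    if lines is None:
        return "unknown"  # not a Spring artifact the post talks about
    v = parse_version(version)
    fixed = lines.get(v[:2])
    if fixed is None:
        return "unknown"  # e.g. Boot 2.6.x: no fix listed in the post
    return "fixed" if v >= fixed else "vulnerable"

def check_pom(pom_xml):
    """Return {(groupId, artifactId, version): status} for the parent and
    every dependency, resolving ${property} version references."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: p.text for p in root.findall("m:properties/*", NS)}
    def text(el, name):
        child = el.find(f"m:{name}", NS)
        return child.text.strip() if child is not None and child.text else ""
    def resolve(version):
        m = re.fullmatch(r"\$\{(.+)\}", version)
        return props.get(m.group(1), version) if m else version
    results = {}
    for el in root.findall("m:parent", NS) + root.findall("m:dependencies/m:dependency", NS):
        gid, aid, ver = text(el, "groupId"), text(el, "artifactId"), resolve(text(el, "version"))
        if ver:  # versions inherited from a parent BOM are not visible in this file
            results[(gid, aid, ver)] = assess(gid, ver)
    return results

# Constructed sample POM: a Boot 2.5.10 project that also pins spring-beans.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId><version>2.5.10</version></parent>
  <properties><spring.version>5.2.19.RELEASE</spring.version></properties>
  <dependencies><dependency><groupId>org.springframework</groupId>
    <artifactId>spring-beans</artifactId><version>${spring.version}</version></dependency>
  </dependencies></project>"""

if __name__ == "__main__":
    for (gid, aid, ver), status in check_pom(SAMPLE_POM).items():
        print(f"{status:10} {gid}:{aid}:{ver}")
```

Run it against your own pom.xml by replacing SAMPLE_POM with the file contents; anything reported as unknown still needs a manual look, since the script only knows the versions this post lists.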

It’s worth noting that there will likely be additional updates to Spring as more (and potentially different) vulnerabilities are discovered. This is often the trajectory when a high degree of focus is put on a high severity issue like this (Log4Shell, anyone?).

Snyk’s tools have already been updated to notify you if your project is vulnerable!

Head on over to Snyk to sign up for a free account. From there (or on the command line) you can test your project to see if it’s vulnerable to Spring4Shell.

We expect to update this post and to produce a PoC code repository to demonstrate the RCE in version 9 and greater of the JRE and Tomcat. Tune in here for updates.

Source :
https://snyk.io/blog/is-there-such-a-thing-as-spring4shell/

New Data Centers Show Cisco’s Investment in a Global Cloud Architecture

You want a cybersecurity solution that safeguards your enterprise, not one that slows it down. So, finding a security partner that maintains a global data center network is crucial – this reduces latency and improves reliability. Fortunately, the Cisco Umbrella team backs an award-winning solution with an ever-expanding data center network that spans the globe.

Our data centers – located at key Internet Exchange Points (IXPs) around the world – improve Software-as-a-Service (SaaS) performance by up to 33% over direct internet access (DIA). And our engineers continue to build out this network to support global enterprise customers. We supplement this growing data center network with Anycast routing and a robust assortment of peering relationships, enabling Cisco Umbrella customers to experience the best of both worlds when it comes to security and performance.     

Expanding Cisco Umbrella’s Data Center Network

The Cisco Umbrella data center network allows our customers to utilize cybersecurity functionality that includes – but isn’t limited to – DNS-layer security, Secure Web Gateway (SWG), and Cloud Access Security Broker (CASB). A security efficacy test performed by AV-TEST found that Cisco Umbrella had the highest threat detection rate in the industry at 96.39%. And thanks in part to the network of data centers backing Umbrella, this security doesn’t come at the expense of performance.

The most recent additions to the Cisco Umbrella data center network include both brand-new locations and upgrades to existing facilities in:

Our team chooses new locations for their proximity to IXPs, allowing customers to take advantage of faster service. We also prioritize carrier-neutral data centers and heavily utilize colocation facilities. This gives users peace of mind, since Cisco Umbrella is fortified against downtime caused by carrier outages.

How Anycast Routing Makes a Difference

Anycast augmented routing allows our team to maximize performance for our customers. Anycast routing automatically selects the best path to a Cisco Umbrella data center, evaluating things like availability and connection quality.

Not only does Anycast routing reduce latency, but it also helps shield Cisco Umbrella users from outages. If one of the data centers in our network goes down, traffic will automatically fail over to the best available data center. Alternately, users can manually configure tunnels to a Cisco Umbrella data center of their choice to ensure ongoing availability and redundancy.  

Reducing Latency With Peering Partners

Of course, a robust data center network isn’t the only factor affecting latency within a cybersecurity solution. That’s why Cisco Umbrella maintains peering partnerships with 1,000+ internet service providers (ISPs), Content Delivery Networks (CDNs), and Software-as-a-Service (SaaS) providers. These partnerships result in more than 6,000 peering sessions with our premier partners.

Image: "Some of our peering partners", showing logos for AT&T, BT Media & Broadcast, GoogleFiber, Verizon, Amazon, Netflix, Dell Services, Huawei, Microsoft, Alibaba.com, SalesForce, Google, Facebook, Box, Baidu, and Cisco Webex.

Peering partnerships serve as a valuable shortcut between customer networks, ISPs, CDNs, and SaaS solutions. This reduces routing hops and shrinks latency, allowing customers to enjoy enhanced performance without ever sacrificing Cisco Umbrella’s world-class security.

Ready to See the Cisco Umbrella Data Center Network In Action?

Explore the full potential of Cisco Umbrella when you sign up for a free, personalized demo today!

Source :
https://umbrella.cisco.com/blog/new-data-centers-show-cisco-investment-global-cloud-architecture
