April 7, 2022

New Spring Java Framework Zero-Day Allows Remote Code Execution

March 30, 2022

A zero-day vulnerability has been found in the Spring Core Java Framework. The vulnerability, known as “Spring4Shell” or “CVE-2022-22965”, allows remote code execution because it bypasses the fix for “CVE-2020-1622”, a vulnerability in the Java Beans API. To exploit Spring4Shell, a malicious actor needs only a simple HTTP request to a vulnerable system with DataBinder enabled, carrying a payload tailored to the target's configuration. Microsoft released research detailing how an attacker can modify properties of the AccessLogValve class to create a .jsp file containing a web shell built from the supplied parameters, which can then be used to execute the attacker's commands. 

Data Security Perspective: Users are encouraged to update to Spring Framework version 5.3.18 or 5.2.20. Other workarounds include upgrading Tomcat, downgrading to Java 8, or setting “disallowedFields” on WebDataBinder globally. While multiple conditions must be met to exploit this vulnerability, there are reports of it being exploited in the wild, so users should act immediately to prevent exploitation. 
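The global “disallowedFields” workaround mentioned above can be applied with a ControllerAdvice whose @InitBinder method runs for every controller. This is an added example that follows the pattern in Spring's own advisory; it is not code from the newsletter, and the class name BinderControllerAdvice is an assumed name.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Hypothetical class name. Because the advice is global, the @InitBinder
// method below is invoked for every controller's WebDataBinder, so the
// denylist applies to all request parameter binding in the application.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Refuse to bind any "class" property, whether top-level or nested,
        // which is the property path Spring4Shell abuses to reach the class
        // loader. Both capitalisations are listed because the patterns are
        // matched against the submitted property path as written.
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

A controller that declares its own @InitBinder method and calls setDisallowedFields replaces this global list, so such controllers must repeat the denylist themselves.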

Stop Neglecting Your Cloud Security Features: Check Point Research Found Thousands of Open Cloud Databases Exposing Data In The Wild

March 15, 2022

Researchers at Check Point have identified over 2,000 insecure Firebase databases. Many of the exposed application databases belong to apps with millions of downloads and expose customer data, including bank information, location, health data, phone numbers, and private keys, among other sensitive data. The applications had previously been uploaded to VirusTotal, an anti-virus repository, leaving the exposed data available to anyone who came across it. 

Data Security Perspective: While cloud misconfigurations can be seen as a simple security issue, many organizations continue to suffer damage from improperly secured databases. Properly configuring data stores is incredibly important, especially when handling sensitive and customer data, as leaks can be expensive. Exposed databases can be abused by attackers for malicious purposes, such as modifying their contents for extortion.

Related Magpie Rules: aws-storage-s3-bucket-default-lock-enabled | aws-storage-s3-bucket-level-public-access-prohibited | aws-security-best-practices | gcp-storage-cloud-bucket-public-access

Cr8escape: New Vulnerability in CRI-O Container Engine Discovered By Crowdstrike (CVE-2022-0811)

March 15, 2022

A vulnerability in the Kubernetes container engine CRI-O has been identified by security researchers at Crowdstrike. Named “cr8escape” and tracked as “CVE-2022-0811”, it is a high-severity flaw that, if exploited, could enable a malicious actor to gain root access and take control of a Kubernetes pod. With access to a pod, an attacker could host malware, exfiltrate data, or use it for privilege escalation. 

Data Security Perspective: Users of Kubernetes CRI-O should immediately update to the most recent version. In addition, OpenShift 4+ and Oracle Container Engine for Kubernetes, which use CRI-O, may also be vulnerable. 

‘Dirty Pipe’ Linux Vulnerability Discovered

March 7, 2022

A Linux vulnerability was discovered by security researcher Max Kellermann that enables data to be overwritten in arbitrary read-only files. The vulnerability, designated “CVE-2022-0847”, affects Linux kernel versions 5.8 and later, and has been patched in subsequent releases. To exploit the vulnerability, an attacker needs read permission on the target file, must satisfy a few other conditions, and must carry out a sequence of data movements through a pipe; altogether, this is not highly complicated. Read permission is essential because the splice() function requires it to move data from the target file into the pipe; write permission, however, is not needed. An attacker can exploit this vulnerability to elevate privileges, which can form part of a larger attack such as escaping a container.  

Data Security Perspective: Any vulnerability that grants threat actors elevated privileges is always high risk, as it can typically be used to gain access to other systems, depending on the attacker's intent. If an attacker were to exploit this vulnerability, all of the target's systems would be under their control, including their data. Linux users are urged to update their kernel immediately. 

Ex CafePress Owner Fined $500,000 For 'Shoddy' Security, Covering Up Data Breach

March 17, 2022

The former owner of CafePress, an e-commerce platform, has been fined $500,000 for mishandling security, particularly in relation to customer data. The Federal Trade Commission (FTC) outlined how the company failed to secure sensitive customer data, failed to prevent data breaches, and attempted to hide serious breaches. Improperly secured data included customer PII such as cleartext password reset answers, partial payment card data, phone numbers, and unencrypted Social Security numbers. This data was then posted for sale online, and CafePress did not patch the vulnerability that enabled the exfiltration until months later.

Data Security Perspective: While many of the issues in this story were due to malpractice on the part of CafePress, it is important that all organizations have visibility into sensitive data locations. As highlighted by this story, data breaches are expensive for companies. 

Other News

Unsecured Microsoft SQL, MySQL Servers Hit By Gh0stCringe Malware

BIG sabotage: Famous npm Package Deletes Files to Protest Ukraine War

KrisShop Falls Prey to Data Breach, Nearly 5k Customer Accounts Impacted 

Facebook Fined $18.6M Over String Of 2018 Breaches of EU’s GDPR

Useful Tools

Previous newsletters covered recent Linux vulnerabilities, so we thought we would highlight a useful open source tool called Lynis. Lynis can be used to scan UNIX-based systems to identify vulnerabilities. Lynis also supports penetration testing, auditing, compliance, and system hardening projects.

Cloud Security Bulletins

AWS

GCP