March 11, 2022

From The Editor

Welcome, and thanks for reading. In our second issue, we explore the data security impact of two newly discovered vulnerabilities and review recent data breaches in AWS and Azure. If you have feedback or suggestions, send a note to hello@openraven.com.

New Linux Vulnerability CVE-2022-0492 Affecting Cgroups: Can Containers Escape?

March 3, 2022

In February, Linux announced a high-severity privilege escalation vulnerability designated "CVE-2022-0492". Researchers at Unit42 identified how this vulnerability can potentially be exploited to escape containers. Control groups (cgroups) are a Linux kernel feature used to allocate and limit resources, and they include a release_agent file. The vulnerability involves this file: if notify_on_release is enabled, the binary it names runs with full permissions. However, the kernel did not check that the process setting the file has admin privileges, which is the vulnerability. Whether the vulnerability can be exploited depends on circumstances such as the security modules and profiles in use. In the right situations, it can be used to escalate privileges for malicious purposes.

Data Security Perspective: All Linux users should immediately upgrade to the latest available version(s). Should an attacker exploit this vulnerability, they can gain access to sensitive data, gather system information and establish persistence. In addition, users should follow best security practices, including enabling Linux security modules such as Seccomp, SELinux, and AppArmor. As the vulnerability exists in the Linux kernel, all distributions are at risk and should follow security advisories for their distro. Users of AWS, GCP, and Kubernetes should enable Seccomp to restrict container privileges.
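As an added example (not from Open Raven or Unit42), this Python script reads the kernel's per-process status to report the confinement recommended above: seccomp mode, AppArmor/SELinux label, and whether CAP_SYS_ADMIN is held. The function names, the sample status text, and reading CAP_SYS_ADMIN as the "admin privileges" in question are assumptions of this example.

```python
"""Report whether a process has seccomp and LSM confinement (added example)."""
from pathlib import Path

CAP_SYS_ADMIN = 21  # bit position in the Cap* masks of /proc/<pid>/status
SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}


def parse_status(text):
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess(status_text, lsm_label):
    """Return (summary dict, list of findings) for one process."""
    st = parse_status(status_text)
    seccomp = SECCOMP_MODES.get(st.get("Seccomp", ""), "unknown")
    has_admin = bool((int(st.get("CapEff", "0"), 16) >> CAP_SYS_ADMIN) & 1)
    # AppArmor reports "unconfined"; SELinux uses e.g. "...:unconfined_t:...".
    label = lsm_label.strip("\x00 \t\r\n")
    confined = bool(label) and "unconfined" not in label
    findings = []
    if seccomp in ("disabled", "unknown"):
        findings.append("no seccomp filter on this process")
    if not confined:
        findings.append("no AppArmor/SELinux confinement")
    if has_admin:
        findings.append("CAP_SYS_ADMIN in effective set")
    summary = {"seccomp": seccomp, "lsm": label or "none", "cap_sys_admin": has_admin}
    return summary, findings


# Constructed samples (not captured from a real host).
HARDENED = "Name:\tsh\nCapEff:\t00000000a80425fb\nNoNewPrivs:\t0\nSeccomp:\t2\n"
PRIVILEGED = "Name:\tsh\nCapEff:\t000001ffffffffff\nNoNewPrivs:\t0\nSeccomp:\t0\n"

if __name__ == "__main__":
    def read(path):
        try:
            return Path(path).read_text()
        except OSError:  # file missing, or no LSM attribute available
            return ""
    print(assess(read("/proc/self/status"), read("/proc/self/attr/current")))
```

Run inside a container, it assesses the current process; an empty findings list means all three checks passed.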

AutoWarp: Critical Cross-Account Vulnerability in Microsoft Azure Automation Service

March 7, 2022

Researchers at Orca Security identified a critical vulnerability in the Microsoft Azure Automation Service. The vulnerability, named "AutoWarp," enables access to Managed Identity tokens for other user accounts, which can then grant full access to resources and data. Orca Researcher Yanir Tsarimi wrote a simple Python script to make HTTP requests to a range of ports, retrieving other users' identity endpoints, including those in several large companies.

Data Security Perspective: AutoWarp demonstrates how vulnerabilities can exist in systems often trusted to be secure. Malicious actors can exploit the flaw to gain complete control of resources and data and elevate privileges. Microsoft patched the vulnerability and has not identified any token misuse. In addition, Azure Automation users are encouraged to follow best practices.

Luxury Children's Fashion E-Commerce Site Exposes Customers Worldwide

February 21, 2022

The security team at SafetyDetectives discovered a breach affecting French fashion retailer Melijoe. Melijoe had a misconfigured S3 bucket that exposed roughly 200 GB of data. The data contained customer PII including addresses, birth dates, email addresses, gender, children's names, payment information, and past purchases. Melijoe uploaded data to the unsecured bucket from October 2016 until November 2021, when SafetyDetectives notified the company of the exposure. 

Data Security Perspective: Misconfigured S3 buckets are a common cause of data exposures. In this instance, Melijoe left their AWS S3 bucket publicly accessible due to a lack of password protection. S3 users should ensure buckets are configured with appropriate password protection. The Open Raven Data Security Platform and Magpie, our open-source CSPM, can alert users to misconfigurations and other security policy violations.

Related Magpie Rules: aws-storage-s3-bucket-default-lock-enabled | aws-storage-s3-bucket-level-public-access-prohibited | aws-security-best-practices

Internet Society Data Leak Exposed 80,000 Members' Login Details

February 18, 2022

The Internet Society (ISOC), a non-profit organization, announced a data leak due to a third-party vendor. Security researchers at Clario identified the exposed data after discovering a misconfigured Azure blob repository. The repository was publicly accessible and contained PII of members, including addresses, email addresses, login credentials, and names. The Internet Society stated that there is no evidence of any malicious actors accessing the information.  

Other News

Duncan Regional Hospital data breach impacts 92K

Cookware giant Meyer discloses cyberattack that impacted employees

Did You Know

...that well-thought-out and well-maintained dataclasses are vital to any data classification software? Or that human data is one of the most difficult to match? In our latest article, Introduction to Regex Based Data Classification for the Cloud, you can learn everything you need to know about writing and developing dataclasses.