asw150

Application Security Weekly Episode #150 – May 10, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Delivering On the Promise of Application Security – 12:30 PM-01:00 PM

Sponsored By

sponsor
Visit https://securityweekly.com/prismacloud for more information!

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

  • In our next technical training webcast on May 13th at 11am ET, see how attackers gain access to endpoints, and learn how to use defensive strategies to protect against those attacks! In our May 27th webcast at 11am ET, we’ll explore the latest attacks against DNS and the latest techniques that make it possible to discover and disrupt attacks. Then join our webcast on June 3 to learn about pen testing tools and why every organization should be using them regularly. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

While the vision for app security is relatively clear, executing on that vision is still somewhat of a work in progress. Fast-moving, interdependent pieces—custom code and open source packages, infrastructure and network configurations, user entitlements—make for complex systems. In this episode, we discuss the challenge in addressing each piece independently and consider how consolidated, multi-purpose tools may present an emerging solution.

This segment is sponsored by Prisma Cloud/ Palo Alto Networks.

Visit https://securityweekly.com/prismacloud to learn more about them!

Guest(s)

Ankur Shah

Ankur Shah – VP, Product Management at Prisma Cloud

@ankurdotshah

Ankur has spent 16+ years bringing innovative security, collaboration and virtualization technologies to market. He is passionate about building products from the ground up into market leaders. He joined Palo Alto Networks through the acquisition of RedLock where he ran product management for securing public clouds. In his current role as a VP of products, he is responsible for driving product strategy, roadmap and execution for public cloud security. In his previous role, he built and led go-to-market efforts for the CASB solution at CipherCloud. Ankur has also held leadership positions at Symantec, Citrix and Cisco. He holds a B.S. in electrical engineering and an MBA from the UCLA Anderson School of Management.

Hosts

JohnKinsella

John Kinsella

@johnlkinsella

Chief Architect at Accurics

MikeShema

Mike Shema

@Codexatron

Product Security Lead at Square

2. AirTags & Threat Models, Qualcomm Modem Vuln, Exim RCE(s), & Binary Hardening – 01:00 PM-01:30 PM

Announcements

  • Security Weekly listeners save $100 on their RSA Conference 2021 All Access Pass! RSA Conference will be a fully virtual experience from May 17th-20th, 2021. Security Weekly will be live streaming Monday-Thursday in the virtual broadcast alley, interviewing some of the top sponsors and speakers for the event. To register using our discount code, please visit https://securityweekly.com/rsac2021 [securityweekly.com] and use the code 5U1CYBER! We hope to “see” you there!

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

This Week in the AppSec News, Mike and John talk: “Find My threat model” with AirTags, Qualcomm modem vuln hits lots of Android, an Exim update patches lots of vulns, measuring hardened binaries, a maturity model for k8s, & more!

Hosts

JohnKinsella

John Kinsella

@johnlkinsella

Chief Architect at Accurics

  1. A maturity model for Kubernetes – I’m providing this partially for discussion – is this what a k8s maturity model should look like?
MikeShema

Mike Shema

@Codexatron

Product Security Lead at Square

  1. AirTag review: They work great—maybe a little too great – Find My Threat Model — Apple’s AirTags are out and under scrutiny. Apple has designed some privacy protections and countermeasures to abuse, particularly the malicious use of AirTags for stalking. However, the controls largely apply to just the iPhone ecosystem. This makes for an interesting exercise in threat modeling and evaluating how effective a control really is if it requires being a part of that ecosystem and what a better default design could be.

    One hardware teardown, including links to additional resources and work from others on reverse engineering these devices, is at https://colinoflynn.com/2021/05/apple-airtag-teardown-test-point-mapping/

    We covered some privacy-related aspects of AirDrop in episode 148. You can find the associated paper at https://www.usenix.org/system/files/sec21fall-heinrich.pdf. Many of those authors also looked into the “Find My” feature and released a paper back in March. Check it out for an overview of the protocols involved and their review of its design. You can find that paper at https://arxiv.org/pdf/2103.02282.pdf

  2. An estimated 30% of all smartphones vulnerable to new Qualcomm bug – The word of the week may be ecosystem. Qualcomm has system-on-chip modem that handles cell traffic like 4G and 5G. This modem has its own protocol for communicating with other subsystems and software components, including the Linux kernel. Researchers started fuzzing this protocol and found a service vulnerable to a heap overflow. With this in hand, it’s game over for the modem’s software and the integrity guarantees of Qualcomm’s TrustZone, giving an attacker potential access to SMS and voice on an affected Android device. The ecosystem angle kicks in when users try to figure out if they’re affected and start looking for patches from their device providers.
    Check out the original research at https://research.checkpoint.com/2021/security-probe-of-qualcomm-msm/
    For some additional background on fuzzing TrustZone and security, CheckPoint has another article from 2019 at https://research.checkpoint.com/2019/the-road-to-qualcomm-trustzone-apps-fuzzing/
  3. Security researchers found 21 flaws in this widely used email server, so update immediately – These vulns came out of a “thorough code audit” conducted by Qualys in the fall of 2020. They have new life now that an update is available from Exim. Given that at least one vuln has a description of “unauthenticated RCE” and MTAs are by nature exposed to the internet, it’s time to start updating systems. Another reason this stands out is that many of the vulns affect all versions of Exim, reaching back as its roots 17 years ago in 2004. It seems even the boring services like MTAs and DNS still have some fruitful attack surface for patient researchers. And considering how many of these vulns related to memory safety issues (heap overflows, underflows, and out-of-bounds writes) and integer overflows, this is the type of software project where a refactor in another language starts to sound desirable.
    More details on the blog post at https://blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server
  4. Python-Babel/Babel Locale Directory Traversal / Arbitrary Code Execution – It may not be in the most popular Python package and it may have a pretty limited exploitation scenario, but it does have one of our favorite types of flaws — directory traversal. It’s a quick read and a reminder that simple flaws should ideally have simple means of detection. Whether you’re running a commercial SAST, a simple linter, or something in between, the ability to identify code that handles path manipulation should be a requirement. And if you’re not looking at the code itself, you can always review the environment where the code runs to ensure it’s well isolated and only has access to the resources (filesystem or otherwise) it needs.
  5. Hundreds Of Millions Of Dell Computers At Risk Due to Multiple BIOS Driver Privilege Escalation Flaws – Throwing this article into the mix for its combination of two recurring themes for this episode: hardware/firmware security and flaws with long lifespans. Even if you’re not running an affected system, the write-up offers insights on analyzing drivers on Windows systems. This is also a good example of how drivers have been a prominent attack vector against operating systems — they have varying code quality, can have insufficient access control for privileged actions, and are avenues to the kernel. This class of vulns isn’t limited to Windows. It’s one of the motivating reasons that the Linux kernel is looking at drivers for its initial adoption of Rust within its codebase. We talked about that and another firmware vuln, Boothole, back in episode 147.
  6. CITL Static Analysis Release – We’ve mentioned the CITL a few times over the years and the benefits of evaluating what steps software builders have taken to harden their binaries. They’ve just open sourced their tools analyzing binaries. Even in 2021 we’ve covered some vulns in software that didn’t have basic stack protections or similar exploitation countermeasures that modern compilers and operating systems make easy to implement. CITL has some past research on browsers and operating systems; it would be great to see this expand into IoT, especially in the Industrial and OT side of things.
  7. Branch predictor: How many “if”s are too many? Including x86 and M1 benchmarks! – This article doesn’t have a direct security theme to it, but it is a fun read about the transformation of code to CPU instructions. It’s an accessible read despite the low-level nature. If you’re been reading about Spectre-style attacks, it would add some more insight into CPU behavior.
    The question it brings to my mind is: Are you smarter than a compiler? In compiled languages, it’s not uncommon to run into inscrutable code or code intended to be more optimal than the compiler can supposedly optimize. While there can be edge cases in high-performance computing where such source code sorcery might be required, this is a chance to advocate for the idea that readable code is secure code. Code that someone else can understand and maintain is better than clever tricks. After all, compilers have advanced enough that they not only can optimize code extremely well, they also provide sanitizers to help identify when that code runs into undefined behavior or misuses a memory address.
    Yet as with all things appsec, context matters — if you’re trying to zero memory in order to remove a secret, then compilers might actually be working against you unless you’re using functions explicitly designed for such a purpose.
  8. Making the Internet more secure one signed container at a time – This is a brief followup on the SigStore effort we covered back in episode 143. Google has now released code to sign and verify signatures for containers. It’s a good step in the spirit of “show, don’t tell” for making efforts successful. Not only does this help make it easier to sign containers within the CI/CD process, but also to verify them. After all, there’s no point in signing software if no one checks the signature. We’ve seen this kind of failure before with HTTPS and its invalid certificate errors that everyone just clicks through anyway.

    Check out the repo at https://github.com/sigstore/cosign

  9. Cloud Native Glossary – Wondering about a cloud native technology, property, or concept? Want to talk about blue green deployments until you’re blue in the face and your friends are green with envy? Well, this glossary will get you started on the basics so you can understand common principles behind cloud native architectures. The structure is particularly nice because it presents each term not only with an understandable definition, but also puts it into context in terms of why it’s important (the problem it addresses) and how it addresses that problem. This format, using clearly explained terms with a problem statement and solution, would also lend itself very well to threat modeling.
  10. Microsoft IIS CGI Filename Decode Error Vulnerability – A bonus article for appsec archivists: The infamous “double decode” vuln in IIS was disclosed 20 years ago. This directory traversal flaw plagued unpatched web servers for several years and was absurdly trivial to exploit. Since then we’ve seen web servers, particularly IIS, become significantly hardened against this and other flaws. But we’ve also seen this attack surface shift from the web server to the web frameworks and packages running on those servers. Directory traversal might not be as prevalent now, but it still persists.
    Check out the advisory from Microsoft at https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-026