Application Security Weekly Episode #163 – August 23, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Challenges in Open Source Application Security – 12:30 PM-01:00 PM

Announcements

  • CyberRisk Alliance, in partnership with InfraGard, has launched the Critical Infrastructure Resilience Benchmark study. Measure your readiness for ransomware by completing the survey and getting your score. Visit https://securityweekly.com/CIRB to take the survey

  • InfoSec World 2021 is proud to announce its keynote lineup for this year’s in-person event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on world pass and main conference registration! Visit https://securityweekly.com/isw2021 to register now!

Description

Open source is the new mainstream of software development. However, not much attention is paid to security in the upstream community when creating robust and secure software. At the LF, we are working on initiatives and tools to help bridge the gap between functional and secure code, so that the benefits flow downstream to all users of OSS.

Guest(s)

Shubhra Kar

Shubhra Kar – Global CTO and GM of Products & IT at The Linux Foundation

@ShubhraKar

Shubhra is a passionate technology leader with over twenty years of experience in open source, cloud, enterprise architecture, DevOps, IoT, and real-time monitoring and analytics. Shubhra’s career spans early-stage startups to NASDAQ-listed companies generating nearly $10B+ in annual revenue. He is a bottom-up product leader, with previous lives as a developer, enterprise architect, management consultant, pre-sales director, and chief evangelist before finding his calling in product management. At the Linux Foundation, Shubhra created the LFX platform with services for every stage of the open source supply chain. He also runs the Cloud and Release Engineering team serving 700 open source projects.

He came to the Linux Foundation from Joyent/Samsung, where, as VP of Products, he ran multiple product lines, primarily services like Multi-Cloud Kubernetes, Machine Learning, Serverless, and Monitoring/Analytics/Logging/Tracing. Before Samsung, Shubhra served as VP of Product and Marketing at startups like InfluxData (#1 time series platform in the world) and StrongLoop (acquired by IBM), and he is also the current Marketing Chair of the Node.js Foundation. He has also held management and technical leadership positions at CA Technologies and Infosys (India’s first startup-to-bluechip success story).

Hosts

John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

Mike Shema

@Codexatron

Product Security Lead at Square

2. BlackBerry’s BadAlloc, Glibc’s NULL, Backtick Command Injection, & ProxyLogon Details – 01:00 PM-01:30 PM

Announcements

  • Security Weekly Unlocked will be held IN PERSON this December 5-7 at the Hilton Lake Buena Vista!

    We are excited to announce our first round of speakers: Lesley Carhart, David Kennedy, Alyssa Miller, O’Shea Bowens, Marina Ciavatta, Patrick Coble, Chris Eng, Eric Escobar, Nick Leghorn, Michael Schladt, Kevin Johnson, and Justin Kohler!

    Visit https://securityweekly.com/unlocked to register and check out our rockstar lineup!

  • Join us August 26th at 11 a.m. Eastern to learn how to implement cloud security that actually works. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

This week Mike & John discuss: BlackBerry addresses BadAlloc bugs, glibc fixes a fix, more snprintf misuse that leads to command injection, ProxyLogon technical details, & more in the AppSec News!

Hosts

John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

  1. A good example of a security disclosure – I got a message from a 3D printing monitoring service that I use – The Spaghetti Detective. Almost the very first words? “I screwed up.” We all make mistakes – I love the transparency. Hoping to see less marketing in the disclosures, more of this.
  2. Google releases their CA service – Every few years I try to run a CA for internal purposes. I always dislike it. Java is usually involved. Looking forward to giving this offering from GCP a try in the near future. We often need an internal/private CA, but it shouldn’t be hard to set up/use.
  3. Blackberry admits they have a vuln announced months ago, patches
  4. Realtek SDK vulns expose 200 IoT devices – I’m just going to quote the opening paragraph on this story:

    “Taiwanese chip designer Realtek is warning of four security vulnerabilities in three software development kits (SDKs) accompanying its WiFi modules, which are used in almost 200 IoT devices made by at least 65 vendors.”

  5. Fix for glibc vuln causes glibc vuln – When we look at https://blog.tuxcare.com/cve/tuxcare-team-identifies-cve-2021-38604-a-new-vulnerability-in-glibc, we see “While the free() call is immune to NULL pointers being passed to it, pthread_attr_destroy() is not.”

    Also no, not every Linux thing needs glibc. mlibc is awesome and should get more use.

    As an aside – if every time an article reports a CVSS score then has to say what that score means, perhaps there’s a problem with CVSS, or how we as an industry describe vulnerabilities?
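The glibc point quoted in item 5, as an added example (not glibc's code): free(NULL) is a defined no-op, but pthread_attr_destroy() on an attr that was never initialised is not, so a shared cleanup path has to track whether the attr exists. The struct, function names and the 64-byte buffer are assumptions.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not glibc's code: a buffer plus an optional pthread attr,
 * and the cleanup run on every exit path. free(NULL) is a defined no-op;
 * pthread_attr_destroy() on a never-initialised attr is not, so cleanup has
 * to know whether the attr exists. */
struct worker_ctx {
    char *buf;
    pthread_attr_t *attr;   /* NULL until pthread_attr_init() succeeded */
};

/* Fragile shape: assumes destroy tolerates NULL the way free() does.
 * With ctx->attr == NULL this dereferences NULL. Contrast only. */
void cleanup_unsafe(struct worker_ctx *ctx)
{
    free(ctx->buf);
    pthread_attr_destroy(ctx->attr);
}

/* Safe shape: destroy only what was actually initialised. */
void cleanup_safe(struct worker_ctx *ctx)
{
    free(ctx->buf);
    ctx->buf = NULL;
    if (ctx->attr != NULL) {
        pthread_attr_destroy(ctx->attr);
        free(ctx->attr);
        ctx->attr = NULL;
    }
}

/* want_attr == 0 models an early path where no attr is created but the
 * shared cleanup still runs. Returns 0 on success, -1 on error. */
int worker_ctx_init(struct worker_ctx *ctx, size_t bufsize, int want_attr)
{
    memset(ctx, 0, sizeof *ctx);
    if ((ctx->buf = malloc(bufsize)) == NULL) return -1;
    if (!want_attr) return 0;
    ctx->attr = malloc(sizeof *ctx->attr);
    if (ctx->attr == NULL || pthread_attr_init(ctx->attr) != 0) {
        free(ctx->attr);
        ctx->attr = NULL;
        cleanup_safe(ctx);      /* safe here precisely because attr is NULL */
        return -1;
    }
    return 0;
}
```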

Mike Shema

@Codexatron

Product Security Lead at Square

  1. Windows EoP Bug Detailed by Google Project Zero – It’s no surprise that an operating system with decades of backwards compatibility has a huge attack surface. Microsoft developed the AppContainer as a sandbox for legacy apps. It requires explicit allow lists of resources for a process to access. The folks at Google’s Project Zero identified a weakness in the AppContainer rule sets that would allow for elevation of privilege (EoP). However, the risk associated with the flaw was such that Microsoft initially chose not to address it, and follow-up from Project Zero notes that the flaw requires very specific scenarios. What’s good to see in this kind of vuln analysis is a deep dive into the technology that highlights the basics of the technology and where more fundamental issues might be in its architecture. Check out this background at https://googleprojectzero.blogspot.com/2021/08/understanding-network-access-windows-app.html
  2. Fortinet FortiWeb OS Command Injection – This is the kind of throw-back vuln that has an underlying design pattern that needs to be thrown out. The exploit works by smuggling backticks into a “Name” field of a SAML configuration page, which get passed to an snprintf() function for some command-line concatenation. Since backticks have a special semantic meaning in a command shell, it gives an attacker command execution. Ultimately, the vulnerable function was trying to copy a file from one destination to another — something that could be more securely handled with functions dedicated to copying files than building up a command line for “cp”.
  3. A New Attack Surface on MS Exchange Part 1 – ProxyLogon! – The ProxyLogon technical details are out now! We first covered this back in episode 142. This write-up goes into nice detail about the attack surface of Exchange Server and some of the thought process in searching for vulns. If you enjoy technical write-ups you’ll like it. If you enjoy running your own mail server, maybe think again about doing so — mail is a critical service facing all sorts of threats, so the modern choice is to just go with a SaaS provider.

    Check out episode 142 at https://securityweekly.com/asw142

  4. How to Hack Apple ID – Most of the technical write-ups we come across are taking apart C code or reverse engineering a binary, so it’s extra fun to come across a blog post like this that goes deep into some of the JavaScript implementation behind iCloud authentication in the browser. It touches on Apple’s particular implementation of OAuth, cleverly using the postMessage interface, and bypassing a URL-based security check with the tried-and-true attacker-owned domain in the authority — in other words, something like https://arbitrary.domain@target/.
  5. BadAlloc Vulnerability Affecting BlackBerry QNX RTOS – Here’s the CISA alert for BlackBerry’s RTOS that accompanies the article John highlighted for this week. We first noted BadAlloc back in May and how it demonstrated some nice fuzzing at scale coming out of Microsoft. It may not be a surprise that these C-based SDKs and operating systems have memory safety issues, but these are also the kinds of issues that compilers, linters, and the fuzzing techniques used by Microsoft should be finding early on in the development process before these builds go to production. Of course, it’ll also be nice to see the day when the implementations shift to different programming languages in order to avoid this class of vulns.

    Check out episode 149 at https://securityweekly.com/asw149.

  6. Introducing GoKart, a Smarter Go Security Scanner – Golang already has a popular open source security scanner: Gosec. Even so, it’s nice to see a project that expands on static analysis for Go programs. In this case, GoKart improves on taint analysis in order to better track input validation issues and therefore reduce false positives, while also hoping to find more exploitable vulns, thus reducing false negatives. We’re curious what your experience has been with gosec and how you’ve adopted static analysis into your Go projects. Let us know!

    Check out the repo at https://github.com/praetorian-inc/gokart
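The design pattern from the FortiWeb item (2) above, as an added example that is not Fortinet's code: a file copy built as a "cp" command line with snprintf() from a user-supplied name, beside the shape that validates the name and copies the bytes without any shell. The paths, the 64-character limit and the allowed character set are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not FortiWeb code. The anti-pattern from the write-up:
 * a file copy done by formatting a "cp" command line with snprintf() from
 * a user-supplied name and handing it to a shell. Anything the shell treats
 * specially in `name` (backticks, $(...), ';', '|') rewrites the command.
 * Shown for inspection only; nothing here executes the result. */
int build_cp_command(char *out, size_t outlen, const char *name)
{
    return snprintf(out, outlen, "cp /tmp/upload/%s /etc/saml/%s", name, name);
}

/* Hardened form, part 1: accept only a plain filename component. */
int name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0' || strlen(name) > 64) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (const char *p = name; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.';
        if (!ok) return 0;
    }
    return 1;
}

/* Hardened form, part 2: copy with stdio, no shell involved at all.
 * Returns the number of bytes copied, or -1 on any error. */
long copy_file(const char *src, const char *dst)
{
    FILE *in = fopen(src, "rb");
    if (in == NULL) return -1;
    FILE *out = fopen(dst, "wb");
    if (out == NULL) { fclose(in); return -1; }
    char buf[4096];
    long total = 0;
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, in)) > 0) {
        if (fwrite(buf, 1, n, out) != n) { fclose(in); fclose(out); return -1; }
        total += (long)n;
    }
    int bad = ferror(in);
    fclose(in);
    if (fclose(out) != 0 || bad) return -1;
    return total;
}
```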