
Application Security Weekly Episode #201 – June 21, 2022

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. IE11 Goes to Zero — A History of Browser Security and Bug Bounties – 12:00 PM-12:30 PM

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

IE has gone to 11 and is no more. There’s some notable history related to IE11 and bug bounty programs. In 2008, Katie Moussouris and others from Microsoft announced their vulnerability disclosure program. In 2013 this evolved into a bug bounty program piloted with IE11, with award ranges from $500 to $11,000. Ten years later, that bounty range is still common across the industry. The technical goals of the program remain similar as well — RCEs, universal XSS, and sandbox escapes are all vulns that can easily gain $10,000+ (or an order of magnitude greater) in modern browser bounty programs. So, even if we’ve finally moved on from a browser with an outdated security architecture, we’re still dealing with critical patches in modern browsers. Fortunately, the concept of bounty programs continues.

References:

https://www.blackhat.com/presentations/bh-usa-08/Reavey/MSRC.pdf
https://media.blackhat.com/bh-usa-08/video/bh-us-08-Reavey/black-hat-usa-08-reavey-securetheplanet-hires.m4v
https://web.archive.org/web/20130719064943/http://www.microsoft.com/security/msrc/report/IE11.aspx
https://web.archive.org/web/20190507215514/https://blogs.technet.microsoft.com/bluehat/2013/07/03/new-bounty-programs-one-week-in/

Hosts


John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense


Mike Shema

@Codexatron

Security Partner at Square

2. Hertzbleed, SynLapse, Java Deserialization, More MFA, Firmware Flaws, & Zombie 0-Day – 12:30 PM-01:00 PM

Announcements

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • Don’t forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Description

This week in the AppSec News: SynLapse shows shell injection via ODBC, Java deserialization example, MFA for Ruby Gems ecosystem, simple flaws in firmware, the decade-long journey of a Safari vuln, & more!

Hosts


John Kinsella

@johnlkinsella

Co-founder & CTO at Cysense

  1. Accessing stale MMIO data on Windows – Microsoft and Intel released a series of CVEs related to attackers being able to access stale data that previously was used by privileged processes
  2. Critical auth vulns in Cisco Secure Email and Web Manager

Mike Shema

@Codexatron

Security Partner at Square

  1. Hertzbleed Attack – “…were previously believed to be secure” is always a fun phrase to come across in appsec. Here we have a remote side-channel attack that’s purportedly able to infer cryptographic keys. The name is an excellent riff on Heartbleed. What’s also interesting is that the attack is demonstrated against a constant-time implementation of an algorithm. “Constant-time” is a common countermeasure to side-channel timing attacks — it’s roughly metaphorical to other security recommendations like “use prepared statements”. The clever trick here was discovering how the dynamic frequency scaling in modern CPUs appears correlated to the data being processed by a cryptographic constant-time function. An attacker could submit chosen ciphertext to a target that would cause the algorithm (SIKE) to consume less power and have a higher CPU frequency, which translates to an observably shorter time to complete the expected operations. The combination of chosen ciphertext and observable timing difference revealed individual bits of the algorithm’s key, which made it possible for the researchers to recover the entire key in 36 and 89 hours against two different implementations.

    Unlike Heartbleed, this probably won’t upend sysadmins’ plans or cause a rush to patching affected servers, but the FAQ notes how Cloudflare and Microsoft have already deployed workarounds.

    Check out the research paper at https://www.hertzbleed.com/hertzbleed.pdf

  2. SynLapse – Technical Details for Critical Azure Synapse Vulnerability – Orca Security reveals details of how they were able to bypass tenant isolation in Azure via command injection in a SAML authentication plugin. The walkthrough of the exploit demonstrates a clever use of the LOGIN_URL field for a database connection. Rather than returning a link, the field contains shell delimiters that cause the caller (coming from Azure) to execute the shell commands. It’s yet another lesson on the implications of parsing, normalization, and the unfortunate surprises that arise from contexts that can be data or code.
  3. CVE-2022-25845 – Analyzing the Fastjson “Auto Type Bypass” RCE vulnerability – Here’s a detailed write-up about a Java deserialization flaw with a JSON-based attack vector. One takeaway is to be explicit about data types when deserializing data. Another is to revisit whether deserializing data is a desirable programming pattern in the first place.
  4. Hardcoded Backdoor User and Outdated Software Components in Nexans FTTO GigaSwitch series – Came across this from the https://riskybiznews.substack.com/ newsletter.

    The list of vulns here looks like classic 90s-era C coding mistakes. The communication timeline looks like two years from discovery to disclosure. For as much as we talk about modern DevOps or point to security work from huge organizations like Google, there are clearly lots of companies out there — especially in firmware, it seems — that are still struggling to add security practices to their SDLC.

  5. An Autopsy on a Zombie In-the-Wild 0-day – Ah, the hero’s journey as exemplified by appsec: Vuln is fixed. Vuln returns due to refactor. Vuln rediscovered. Vuln is fixed.

    The catch here is the timeline of that journey and the implications for appsec in terms of the complexity of tracking bugs, creating effective tests, and tracking software changes over a decade.

  6. Making popular Ruby packages more secure – Another package ecosystem moving to mandatory MFA. This is always good news. Better news is MFA based on FIDO2 keys. Two other details to pay attention to in these kinds of migrations are the timeline — pretty aggressive — and what the account recovery process looks like since that’s another avenue into account takeovers.
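A small illustration of the “constant-time” idea from the Hertzbleed item above. This is an added example, not code from the Hertzbleed paper or from the show; instead of timing anything (noisy in a test), each comparison returns how many byte positions it examined, which is the data dependence a timing side channel would otherwise read off the clock. The secret and the guesses are constructed sample values.

```python
"""What "constant-time" buys you, made visible without a stopwatch.

Added example, not from the Hertzbleed paper or the show notes. Each
comparison returns (equal, bytes_examined) so the data dependence of the
naive version can be asserted on directly.
"""
from __future__ import annotations

import hmac

# Constructed sample secret; nothing here is a real credential.
SECRET = b"s3cret-token!"


def early_exit_compare(expected: bytes, candidate: bytes) -> tuple[bool, int]:
    """Naive comparison that stops at the first mismatching byte.

    The examined count, and so the running time, grows with the number of
    correct leading bytes in `candidate`. That is the signal a timing
    side channel measures.
    """
    if len(expected) != len(candidate):
        return False, 0
    examined = 0
    for a, b in zip(expected, candidate):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def fixed_work_compare(expected: bytes, candidate: bytes) -> tuple[bool, int]:
    """Constant-time-style comparison: every byte is visited and mismatches
    are folded into an accumulator with OR, so control flow does not depend
    on the data. (hmac.compare_digest does the same in C; prefer it in real
    code rather than rolling your own.)
    """
    if len(expected) != len(candidate):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(expected, candidate):
        examined += 1
        diff |= a ^ b
    return diff == 0, examined


def leak_profile(expected: bytes, guesses: list[bytes]) -> list[tuple[int, int]]:
    """For each guess, the bytes examined by (early-exit, fixed-work)."""
    return [
        (early_exit_compare(expected, g)[1], fixed_work_compare(expected, g)[1])
        for g in guesses
    ]


if __name__ == "__main__":
    guesses = [b"x" * 13, b"s3c" + b"x" * 10, SECRET]
    for g, (naive, fixed) in zip(guesses, leak_profile(SECRET, guesses)):
        print(f"{g!r}: early-exit examined {naive}, fixed-work examined {fixed}")
    print("stdlib compare_digest:", hmac.compare_digest(SECRET, SECRET))
```

The fixed-work version removes the control-flow dependence, which is what “constant-time” normally means. Hertzbleed’s point is that this is necessary but not sufficient: when the CPU’s frequency tracks the values being processed, even code with data-independent control flow and memory access can leak through wall-clock time.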
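For the SynLapse item above, the pattern is worth seeing next to its fix. This is an added example, not Orca Security’s or Azure’s code: a hypothetical connector takes a tenant-supplied “login URL” and hands it to a helper program named `fetch-token` (also hypothetical). The two URL values are constructed samples, one benign and one carrying shell delimiters. Nothing is executed; `shlex` is used to show how a POSIX shell would tokenise the vulnerable command line.

```python
"""Shell injection through a URL-shaped configuration field, and the fix.

Added example, not from the SynLapse write-up. The helper program
`fetch-token` and the field name are this example's own.
"""
from __future__ import annotations

import shlex
from urllib.parse import urlsplit

# Constructed sample values.
BENIGN_URL = "https://login.example.test/oauth/authorize"
HOSTILE_URL = "https://login.example.test/; echo injected"

SHELL_METACHARS = set(";|&$`<>()")


def vulnerable_command_line(login_url: str) -> str:
    """The broken pattern: the URL is spliced into a single command string
    destined for a shell (subprocess.run(..., shell=True) or similar).
    Whatever delimiters the URL contains become part of the command."""
    return f"fetch-token --login-url {login_url}"


def shell_words(command_line: str) -> list[str]:
    """Tokenise `command_line` the way a POSIX shell would, without running it.
    punctuation_chars makes ';', '|', '&' etc. come out as their own tokens."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def validate_login_url(login_url: str) -> str:
    """Accept only an absolute https URL with a hostname and no whitespace or
    shell metacharacters; raise ValueError for anything else. Validation is
    the first layer: the field is supposed to be a link, so treat it as one."""
    parts = urlsplit(login_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("login URL must be an absolute https URL")
    if any(ch.isspace() or ch in SHELL_METACHARS for ch in login_url):
        raise ValueError("login URL contains shell metacharacters")
    return login_url


def hardened_argv(login_url: str) -> list[str]:
    """The fix: build an argument vector for subprocess.run(argv) with no
    shell in between, so each element reaches the program verbatim. The
    validator is applied too, so a bad value fails closed instead of being
    passed along to whatever parses it next."""
    return ["fetch-token", "--login-url", validate_login_url(login_url)]


if __name__ == "__main__":
    print("vulnerable, tokenised by a shell:", shell_words(vulnerable_command_line(HOSTILE_URL)))
    print("hardened argv (benign):", hardened_argv(BENIGN_URL))
    try:
        hardened_argv(HOSTILE_URL)
    except ValueError as exc:
        print("hardened argv (hostile):", exc)
```

Both layers matter. The argv form removes the shell, which is the component that turned data into code; the validator keeps a malformed value from reaching any other parser further down the chain, which is the broader lesson the item draws about contexts that can be either data or code.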
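The Fastjson item’s first takeaway, being explicit about types when deserializing, in working form. This is an added example in Python, not Fastjson’s code or anything from the write-up. `ConnectionConfig` is a hypothetical target type; the only real identifier borrowed is `"@type"`, the discriminator key Fastjson’s autotype feature honoured, which is rejected here rather than resolved.

```python
"""Explicitly typed deserialization of untrusted JSON.

Added example, not Fastjson's code. The caller, not the input, decides
which type is built, and every field is checked against that declaration.
"""
import json
from dataclasses import MISSING, dataclass, fields


class DeserializationError(ValueError):
    """Raised for any input that does not match the declared type exactly."""


@dataclass(frozen=True)
class ConnectionConfig:
    # Hypothetical target type; the field names are this example's own.
    host: str
    port: int
    use_tls: bool = True


def load_typed(raw: str, target: type):
    """Parse `raw` into an instance of `target`, accepting only its declared fields.

    Contrast with an autotype-style deserializer:
    - the class is chosen by the caller; a discriminator key in the input
      (Fastjson's was "@type") is an error, never a lookup;
    - unknown fields and wrong JSON types are errors, not coercions.
    """
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise DeserializationError("expected a JSON object")
    discriminators = [k for k in data if k.startswith(("@", "$"))]
    if discriminators:
        raise DeserializationError(f"type discriminators not accepted: {discriminators}")
    declared = {f.name: f for f in fields(target)}
    unknown = sorted(set(data) - set(declared))
    if unknown:
        raise DeserializationError(f"unexpected fields: {unknown}")
    kwargs = {}
    for name, spec in declared.items():
        if name not in data:
            if spec.default is MISSING and spec.default_factory is MISSING:
                raise DeserializationError(f"missing required field: {name}")
            continue
        value = data[name]
        # bool is a subclass of int in Python, so `true` would otherwise pass as a port.
        wrong_bool = spec.type is int and isinstance(value, bool)
        if wrong_bool or not isinstance(value, spec.type):
            raise DeserializationError(
                f"field {name!r} must be {spec.type.__name__}, got {type(value).__name__}"
            )
        kwargs[name] = value
    return target(**kwargs)


def rejects(raw: str, target: type = ConnectionConfig) -> bool:
    """True if `raw` is refused (used to exercise the error paths)."""
    try:
        load_typed(raw, target)
    except ValueError:  # DeserializationError and malformed JSON alike
        return True
    return False


if __name__ == "__main__":
    print(load_typed('{"host": "db.example.test", "port": 5432}', ConnectionConfig))
    for sample in (
        '{"@type": "com.example.Anything", "host": "h", "port": 1}',
        '{"host": "h", "port": "5432"}',
        '{"host": "h", "port": 1, "extra": 1}',
    ):
        print(sample, "->", "rejected" if rejects(sample) else "accepted")
```

The shape generalises beyond this one config class: any dataclass with concrete field types can be passed as `target`. It also addresses the item’s second takeaway in a weaker form: what is being built here is a plain value object, so there is no constructor or setter side effect for the input to reach.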