Hertzbleed, SynLapse, Java Deserialization, More MFA, Firmware Flaws, & Zombie 0-Day – ASW #201
This week in the AppSec News: SynLapse shows shell injection via ODBC, Java deserialization example, MFA for Ruby Gems ecosystem, simple flaws in firmware, the decade-long journey of a Safari vuln, & more!
- 1. Hertzbleed Attack - "...were previously believed to be secure" is always a fun phrase to come across in appsec. Here we have a remote side-channel attack that's purportedly able to infer cryptographic keys. The name is an excellent riff on Heartbleed. What's also interesting is that the attack is demonstrated against a constant-time implementation of an algorithm. "Constant-time" is a common countermeasure to side-channel timing attacks -- it's roughly analogous to other security recommendations like "use prepared statements". The clever trick here was discovering how the dynamic frequency scaling in modern CPUs appears correlated to the data being processed by a cryptographic constant-time function. An attacker could submit chosen ciphertext to a target that would cause the algorithm (SIKE) to consume less power and have a higher CPU frequency, which translates to an observably shorter time to complete the expected operations. The combination of chosen ciphertext and observable timing difference revealed individual bits of the algorithm's key, which made it possible for the researchers to recover the entire key in 36 and 89 hours against two different implementations. Unlike Heartbleed, this probably won't upend sysadmins' plans or cause a rush to patching affected servers, but the FAQ notes how Cloudflare and Microsoft have already deployed workarounds. Check out the research paper at https://www.hertzbleed.com/hertzbleed.pdf
- 2. SynLapse – Technical Details for Critical Azure Synapse Vulnerability - Orca Security reveals details of how they were able to bypass tenant isolation in Azure via command injection in a SAML authentication plugin. The walkthrough of the exploit demonstrates a clever use of the LOGIN_URL field for a database connection. Rather than returning a link, the field contains shell delimiters that cause the caller (coming from Azure) to execute the shell commands. It's yet another lesson on the implications of parsing, normalization, and the unfortunate surprises that arise from contexts that can be data or code.
- 3. CVE-2022-25845 – Analyzing the Fastjson “Auto Type Bypass” RCE vulnerability - Here's a detailed write-up about a Java deserialization flaw with a JSON-based attack vector. One takeaway is to be explicit about data types when deserializing data. Another is to revisit whether deserializing data is a desirable programming pattern in the first place.
- 4. Hardcoded Backdoor User and Outdated Software Components in Nexans FTTO GigaSwitch series - Came across this from the https://riskybiznews.substack.com/ newsletter. The list of vulns here looks like classic 90s-era C coding mistakes. The communication timeline looks like two years from discovery to disclosure. For as much as we talk about modern DevOps or point to security work from huge organizations like Google, there are clearly lots of companies out there -- especially in firmware, it seems -- that are still struggling to add security practices to their SDLC.
- 5. An Autopsy on a Zombie In-the-Wild 0-day - Ah, the hero's journey as exemplified by appsec: Vuln is fixed. Vuln returns due to refactor. Vuln rediscovered. Vuln is fixed. The catch here is the timeline of that journey and the implications for appsec in terms of the complexity of tracking bugs, creating effective tests, and tracking software changes over a decade.
- 6. Making popular Ruby packages more secure - Another package ecosystem moving to mandatory MFA. This is always good news. Better news is MFA based on FIDO2 keys. Two other details to pay attention to in these kinds of migrations are the timeline -- pretty aggressive -- and what the account recovery process looks like since that's another avenue into account takeovers.
- 1. Accessing stale MMIO data on Windows - Microsoft and Intel released a series of CVEs related to attackers being able to access stale data that was previously used by privileged processes.
- 2. Critical auth vulns in Cisco Secure Email and Web Manager
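
The SynLapse item's point about a field that can be data or code, as an added example (not code from the Orca write-up or from any driver): a server-supplied login URL pasted into a shell command line, next to a version that validates it and passes it as a single argument. The opener command, function names and sample URLs are assumptions made for illustration, and a POSIX shell is assumed.

```python
import shlex
import subprocess
import sys
from urllib.parse import urlsplit

# Stand-in for the program that opens the login page (assumption: any
# external opener); here the Python interpreter echoes its one argument.
OPENER = [sys.executable, "-c", "import sys; print(sys.argv[1])"]

# Constructed values standing in for a LOGIN_URL sent by the remote server.
BAD_URL = "https://login.example.test/saml; echo INJECTED"
ODD_URL = "https://login.example.test/saml?a=1&b=$HOME"


def run(cmd, **kw):
    """Run a command and return its stdout as a list of lines."""
    return subprocess.run(cmd, capture_output=True, text=True, **kw).stdout.splitlines()


def open_url_unsafe(url):
    """Weak: the field is pasted into a shell command line, so data becomes code."""
    return run(shlex.join(OPENER) + " " + url, shell=True)


def validate_login_url(url):
    """Require an absolute https URL with no whitespace or control characters."""
    if any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        raise ValueError("whitespace or control character in login URL")
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("login URL must be an absolute https URL")
    return url


def open_url_safe(url):
    """Hardened: validate, then pass the URL as one argv element with no shell."""
    return run(OPENER + [validate_login_url(url)])


if __name__ == "__main__":
    print("unsafe:", open_url_unsafe(BAD_URL))
    print("safe:  ", open_url_safe(ODD_URL))
    try:
        open_url_safe(BAD_URL)
    except ValueError as exc:
        print("rejected:", exc)
```

Validation alone is not the fix: `ODD_URL` still contains `&` and `$`, and it stays inert only because no shell ever parses it.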
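
The Fastjson item's takeaway about being explicit with data types, as an added Python analogue (not Fastjson's API and not code from the write-up): the caller names the class to build, and a `@type` tag in the payload can only confirm that choice. The `Order` class, the `decode` and `rejected` helpers and the payloads are constructed for illustration.

```python
import json
from dataclasses import dataclass, fields


@dataclass
class Order:  # hypothetical application type
    item: str
    quantity: int


def decode(text, expected):
    """Build `expected` from JSON: the caller, never the payload, picks the class."""
    obj = json.loads(text)
    if not isinstance(obj, dict):
        raise ValueError("expected a JSON object")
    # A type tag in the data may only confirm the caller's choice, not change it.
    tag = obj.pop("@type", expected.__name__)
    if tag != expected.__name__:
        raise ValueError(f"refusing type {tag!r}, expected {expected.__name__}")
    want = {f.name: f.type for f in fields(expected)}
    if set(obj) != set(want):
        raise ValueError(f"field mismatch: {sorted(set(obj) ^ set(want))}")
    for name, typ in want.items():
        if type(obj[name]) is not typ:  # exact match, so True is not an int
            raise ValueError(f"field {name!r} must be {typ.__name__}")
    return expected(**obj)


def rejected(text, expected):
    """Return the rejection reason, or None if the payload decodes."""
    try:
        decode(text, expected)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed payloads.
    print(decode('{"@type": "Order", "item": "book", "quantity": 2}', Order))
    print(rejected('{"@type": "some.other.Class", "item": "x", "quantity": 1}', Order))
    print(rejected('{"item": "book", "quantity": true}', Order))
```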