Pwn2own, Verizon’s DBIR, Zoom’s XMPP Flaws, $10M Bounty, & More Bad Packages – ASW #199

The 15th DBIR is out. It's always an excellent reference in communication, both in terms of text (how the report explains its results and analysis) and visualization (how the report presents its data). From an appsec perspective, major attack vectors remain phishing and web hacking. If you haven't migrated to a FIDO2 MFA solution, now's the time to do so. The report looks at patching and, while exploiting known vulns remains far behind breaches based on credential compromise and phishing, they noted an increase in incidents this year. Fortunately, they also observed that more vulns are being patched faster. According to their data, in 2018 roughly 50% of patches were applied within 90 days (days taken to fix findings). In 2022 they saw most findings in this category fixed within 90 days. There's a section dedicated to "Basic Web Application Attacks" that reinforces just how basic attacks can be to still succeed. Once again, stolen credentials top the list. Exploiting vulns comes in second, with the usual suspects of things like SQL injection still making the list.

We dip back into the world of smart contract security to highlight a staggering $10 million bounty payout. That's (at least) an order of magnitude larger than even the big bounty programs like Apple and Google. And what does the fix boil down to? A few lines of boilerplate to execute a single-line transaction to call initialize() on a contract. So, a missing 10-letter function call and a $10 million payout -- 10/10 for the mind-bogglingly large sum for clever work. p.s. hope the researcher asked for the bounty in hard cash...

The bug writeup has really good details on the issues, which include parsing behavior differences between two XML libraries. That kind of behavior is a favorite topic to highlight, as it's independent of the implementation language and all about adherence to specs, design decisions, and choices of defaults. Check out the bug details at https://bugs.chromium.org/p/project-zero/issues/detail?id=2254

Supply chain, expired domain (re-registered with $5 investment), source code modified -- this article hits all the supply chain zeitgeist points, fortunately the impact looks relatively small. But not so small to be ignored. One compromised package went looking for environment variables like AWS keys and exfiltrated them. The investigation into the packages identified the individual behind the compromise, who said he was conducting this as part of bug bounty research. Read more at https://www.bleepingcomputer.com/news/security/hacker-says-hijacking-libraries-stealing-aws-keys-was-ethical-research/ and the individual's own words at https://sockpuppets.medium.com/how-i-hacked-ctx-and-phpass-modules-656638c6ec5e.

Good news and bad news here -- bad news is that a misused JWT could allow arbitrary user impersonation, good news is that the system isn't vulnerable in its default configuration. Hopefully we see a growing trend of "not in its default configuration" related to security advisories, but that also has to mean the default configuration is the useful one to devs. JWTs are easy to pick on since they're prone to misuse or misconfiguration themselves. The advisory has some more details at https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj. This was also a nice example of looking at how the devs patched the flaw. In this case, it took about 30 lines of code across two files to fix it. But then the devs put in another 400 or so lines of testing. It's a critical kind of bug, so kudos for a non-cynical example of taking security seriously. Check out the commit at https://github.com/argoproj/argo-cd/commit/a809469d9af10c626449bfcb8b9a09a9d2dc9065

A few interesting takeaways on what CISO types have on their mind regarding the security of SaaS they service and consume.

Interesting writeup on how a malware package is communicating with it's C2 servers using DNS as a side channel

Quanta makes "generic" servers which are usually either white-labeled and resold as other brands, or used in large scale datacenters. A 3 year old vulnerabilty has been found that a user with shell access to the system can overwrite the BMC memory and have it do their will...