Microsoft Dumps a Key, Grafana Logs a Key, URL Parsers Disagree, Old Bug in Ubuntu – ASW #254
A key compromised from a crash dump (and the many, many lessons that followed), more examples of mishandling secrets, URL parsing mismatches show path traversal works well in Rust, an old Linux kernel bug shows how brittle code can be (even when it's heavily audited), an example of keeping OSS projects alive, a quick note on BLASTPASS, and a look at privacy in cars, and more!
Announcements
Security Weekly listeners: InfoSec World 2023 is just weeks away! Have you registered to join over 2,500 cybersecurity experts on September 25-27 in Lake Buena Vista, FL? InfoSec World is your gateway to a world of knowledge and growth. Don't miss the chance to enhance your career, connect with industry leaders, and make an impact on the rapidly evolving landscape.
Secure your seat using code ISW23-SECWEEK20 to save 20% off your registration. Register today: securityweekly.com/infosecworld2023
Hosts
- 1. Results of technical investigations for Storm-0558 key acquisition
A secret key makes its way into a crash dump. That crash dump makes its way from a prod environment to a debugging one. A threat actor makes their way into an engineer's system with access to that environment -- giving them a key that can be used to forge access to mail systems even though those system shouldn't be validating the unexpected scope of that key.
And that's just the start of the appsec lessons to take from this breach.
Many articles covered this:
- 2. Grafana security update: GPG signing key rotation
Our exposed secrets episodes continues with a signing key logged in cleartext because a legacy CI/CD system couldn't support the preferred centralized solution.
We could also go on about the poor UX of GPG keys, but there's plenty to learn from this in terms of handling keys and designing systems where security controls are consistent wherever those keys go.
- 3. Apache Superset Part II: RCE, Credential Harvesting and More
This one's a bit older, but fits in with the theme of stolen secrets. Here's an example where an app uses a default, hard-coded secret -- and, of course, no one changes the default. The researchers scanned over a thousand instances and found more than 70% still used this default value. Those numbers might not feel impactful in the grand scheme of the internet, but it's very significant in terms of design anti-patterns.
Also check out their previous post on the topic.
- 4. When URL parsers disagree (CVE-2023-38633) – Canva Engineering Blog
We've seen parsing problems previously. We've specifically seen URL parsing problems. And now Rust joins the list with a problem that leads to path traversal(!).
I like how the writeups walk through the feature (an XInclude element in XML), the steps they took to identify a payload that could bypass validation, and the easy way they bypassed canonicalization.
Check out additional details in the issue's discussion page.
I came across this one from Risky Biz News.
- 5. Old bug, shallow bug: Exploiting Ubuntu at Pwn2Own Vancouver 2023
I love talking about newly found bugs with ancient histories. This is a nine year old bug in the nftables feature in Ubuntu's kernel.
What's notable here is that this isn't an obscure area of code. The researchers even state, "Throughout 2022 and 2023 more than a dozen vulnerabilities were found in this subsystem and multiple LPE exploits relied on them.”
What stands out for me is how they described their approach in choosing what to audit and the question is brings up about when audits have found all the useful bugs. After all, if we spend time continuously auditing one section of code, that means other areas are being neglected.
In other words, when do we know we've had enough eyes to find all the shallow bugs?
- 6. crates.io Postmortem: User Uploaded Malware | Inside Rust Blog
Not much to comment on here. Rust is dealing with the growing pains of curating a package manager and its packages. But the language is also eight years old. At what point should these growing pains and solutions to typosquatting and malicious packages have been introduced?
- 7. Release jq 1.7 · jqlang/jq · GitHub
I use jq a lot, especially as part of the toolchain for how I generate the wordclouds for the "Describe appsec in three words" prompt to our guests.
I included this because it shares a theme of maintaining OSS projects we touched on in the interview segment with Simon Bennetts of Zed Attack Proxy.
- 8. BLASTPASS: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild – The Citizen Lab
There aren't too many details about the exploit itself, but I wanted to note this as a win for the iPhone's Lockdown Mode. We can talk about strategies like architectures that isolate parsers from more privileged code (like the "Blast Door" introduced to iPhone 14), memory safe languages (there's a lot of legacy C and C++ still to be replaced), and fuzzing to proactively find more vulns (images are an especially good target for fuzzers).
But Lockdown Mode introduced an additional approach -- give the user a choice between a convenient UX and disabling some features that are historically popular attack paths.
- 9. It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy | Mozilla Foundation
Another quick article that I grabbed mostly to reference our discussion with Eve Mater about identity and privacy in cars back in episode 249.
- 1. The State of WebAssembly 2023
The CNCF has released the latest version of developer's thoughts on Web Assembly. There's some interesting stats in here like 30% of respondents are using wasm for WASM, what draws them them to WASM(speed), and that COBOL is the primary language in 3% of WASM apps (what?).
- 2. Memory safe…sudo
We don't see too many rewrites of open source packages. Looks like the memory safety group have decided to rewrite sudo in rust.
As hard as it would be to do, it'd be interesting to see how many issues this actually mitigates...
- 3. Keys stolen from lastpass breach being cracked and used to steal crypto?
Brian Krebs has a story on what looks like a pattern of crypto theft that seems to point back to data stolen from the lastpass breach and then cracked.
What's the appsec takeaway? How would you ensure that if your sensitive data was compromised, that it couldn't be easily(for various values of "easily") cracked?