Typosquatting NPM, vulnerability analysis, and AI challenges – ASW #307
This week, in the Application Security News, we spend a lot of time on some recent vulnerabilities. We take this opportunity to talk about how to determine whether or not a vulnerability is worth a critical response.
Can AI fully automate DevSecOps Governance? Adrian has his reservations, but JLK is bullish.
Is it bad that 70% of DevSecOps professionals don't know if code is AI generated or not?
All that and more on this week's news segment.
Hosts
- 1. What happens to Linux when Linus Torvalds dies?
The answer to the question isn't terribly dramatic, but it's still a good question to consider. Most of the tech in our hands everyday and the tech that makes it possible to access and use the Internet were invented by folks that are still alive today.
Will their legacy be to serve as bar trivia questions, or will it be more substantial? Will there be a Linus Torvalds AI bot, trained on his hundreds of thousands of emails, posts, and pull request comments? I'm predicting no - not unless we learn how to make LLMs properly sassy. They just refuse to be mean or negative in any way today.
- 2. Max-Critical Cisco Bug Enables Command-Injection Attacks
I love a good chance to evaluate the risk of vulnerabilities. It often isn't clear until you dig into the vulnerability details. What's the access vector? What does the exploit do? What level of privilege would the attacker gain?
In this case, it sounds really bad - wireless access points with a CVSS 10 vulnerability! The access vector is network, attack complexity is low, no authentication required. Sounds like an urgent one, right?
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
But then, why is the EPSS score 0.04? Probably because exploiting the vulnerability requires access to the access point's web management console, which isn't going to be available outside the network.
So that means, you need to be on the inside to hack them. But if you're on the internal network already, you have no need for hacking them.
Many vulnerabilities have this paradoxical effect. Vulnerabilities look terrifying, until you take a closer look and realize that no attacker would ever leverage it, because it doesn't make sense from the attacker's perspective.
- 3. 6 Infotainment Bugs Allow Mazdas to Be Hacked With USBs
This is another area where, as the article's author points out several times, that vulns haven't typically been exploited in the wild. Like, ever. Diving into the details again tells us why - it requires physical access to the car and the ability to turn it on. If you have those two things, you can steal the car - you don't really have a need for exploits on a USB key (maybe, if cars had a USB port accessible on the outside of the car?)
It's a useful thought exercise though - are there legit attack scenarios with cars that could start getting hit at scale? Nearly all modern cars have some connectivity to the public Internet, and we've seen hacks via the Internet, mobile apps, or APIs in the past. It seems like a fleet of cars would be a great potential ransomware attack. A fleet of semi trucks belonging to a long haul shipping carrier? Amazon's Rivian delivery trucks? All Ford 150s?
- 4. 70 percent of DevSecOps professionals can’t identify AI source code origins
"Almost 70 percent of DevSecOps professionals can't detect AI source code origins, creating massive security risks, according to a new report"
Is it really though? Who cares where the code comes from - it has to go through the same gauntlet of quality, functional, and security testing, right?
The source report is here
- 5. AI Will Soon Automate DevSecOps Governance – DevOps.com
what year is it.gif
- 6. Dookie Demastered
Hilarious. I'm only sad it's all gone and I didn't get a chance to grab a Welcome to Paradise Gameboy cartridge!
- 1. Stop me if you heard this before: Malicious npm packages target Roblox devs
Socket Security researchers discovered five malicious npm packages deploying malware to steal credentials and other data through typo squatting (such as node-dll, which I'm guessing is attempting to spoof dll for dynamically linked lists). It looks like the packages were "only" downloaded 320 times before removal.
- 2. Palo Alto gives early warning to secure management interfaces
In a refreshing change, a software vendor tells customers to secure the management interfaces to their PANW devices. While they don't know all the details yet, they've gotten word of a RCE vulnerability being exploited in the wild, and are trying to help customers stay safe.
And the linked web page on how to secure the management interface looks decent, too.