Discourse RCE, Trojan Source, WhatsApp Security, & Privacy Engineering – ASW #172
This week in the AppSec News, Mike & John talk: Discourse SNS webhook RCE, a checklist for a Minimum Viable Secure Product, WhatsApp security assessment, privacy engineering specialties, & DevOps presentations!
Announcements
In an overabundance of caution, we have decided to flip this year’s SW Unlocked to a virtual format. The safety of our listeners and hosts is our number one priority. We will miss seeing you all in person, but we hope you can still join us at Security Weekly Unlocked Virtual! The event will now take place on Thursday, Dec 16 from 9am-6pm ET. You can still register for free at https://securityweekly.com/unlocked.
Hosts
Mike Shema
Tech Lead at Block
- 1. Discourse SNS webhook RCE
CISA posted a recent warning about an RCE vuln in Discourse. It's notable due to the prevalence of the software and the impact of the relatively easily exploited vuln. It's a neat vuln to read about because of how cleverly it goes about manipulating signed requests to achieve an RCE. The researcher starts with a simple premise -- how to inject an arbitrary path into a call to Ruby's open() -- and the hurdles they overcame in order to bypass what seemed like decent security checks.
Read the Discourse advisory at https://github.com/discourse/discourse/security/advisories/GHSA-jcjx-pvpc-qgwq
Read the CISA advisory at https://us-cert.cisa.gov/ncas/current-activity/2021/10/24/critical-rce-vulnerability-discourse
- 2. Minimum Viable Secure Product
This is one of those articles that catches my eye as well as John's, hence the two-for-one special in the articles of the week. It's a mix of high-level and detailed security controls for software. Think of it as a more prescriptive method of a vendor security checklist. One of the items, SSO, is important to enterprises -- but it's also often a premium (if supported at all). Hopefully the future of SaaS will see SSO as a ubiquitous, free default in the same way we expect HTTPS Only. One of the best checks on this list is the push for security libraries in the application design controls. Using ORM and UI frameworks to get rid of classes of vulnerabilities might mean we'll one day have SQL injection and cross-site scripting be the relics they should have been a decade (or more) ago.
You can find more about it from the Google security blog at https://security.googleblog.com/2021/10/launching-collaborative-minimum.html
- 3. Public Report – WhatsApp End-to-End Encrypted Backups Security Assessment
Reading about threat models and security assessments written by others is a great way to improve your own. Here's a detailed writeup by NCC Group about their security assessment of WhatsApp. It may have some inspiration on system design if you're dealing with passwords, encrypted communications, or privacy by design. Or it may be an inspiration for additional threats to consider when reviewing other types of systems. And even if the specific details seem less relevant, you can always look at it from the perspective of how to communicate security findings and recommendations.
Unrelated to this report, but related to the OPAQUE protocol it refers to, is this research blog from Cloudflare that provides a great overview of Password-Authenticated Key Exchange (PAKE) at https://blog.cloudflare.com/research-directions-in-password-security/
Check out ASW 145 for info on a similar analysis of TikTok by Citizen Lab. You can find the show notes at https://securityweekly.com/asw145
- 4. Privacy Engineering Superheroes
Privacy engineering has distinct requirements and objectives that separate it from appsec, but you have to have a secure foundation in order to create privacy-by-design on top of it. While the article describes specialities that these engineering teams could dive into, many of them also represent opportunities for security engineering teams to improve software for their users -- whether it's tooling and dashboards for DevOps teams or attention to the user experience (UX) for DevOps and end users alike.
- 5. All Day DevOps
The latest All Day DevOps was held on October 28th, 2021 and, being all day and six tracks of presentations, it had a massive amount of material. In fact, a little too much to get through for this week's show. Instead, we wanted to highlight this resource for you and, if there's a favorite session you come across, let us know why it grabbed your attention and what others could learn from it!
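As an added example for item 1 (Discourse SNS webhook RCE), and not Discourse's own code: a Ruby webhook handler that must fetch a caller-supplied URL, such as the SubscribeURL in an SNS subscription confirmation, should parse the string and allowlist its scheme and host rather than hand it to Kernel#open. The allowlisted host pattern, the error class and the function names are assumptions for this example.

```ruby
# Added example, not Discourse code. Kernel#open treats a string starting with
# "|" as a command to run, and the open-uri library extends it to fetch any URL,
# so letting request data reach open() turns path/URL injection into code
# execution or SSRF. Parse first, allowlist, then fetch with an explicit client.
require 'uri'
require 'net/http'

ALLOWED_SCHEME = 'https'
# Assumed allowlist: only the SNS endpoints this service expects to call back.
ALLOWED_HOST = /\Asns\.[a-z0-9-]+\.amazonaws\.com\z/

class UntrustedUrlError < StandardError; end

# Returns a URI only when the string parses as https to an allowlisted host on
# the default port with no userinfo. Pipes, file paths, "host@evil" tricks,
# look-alike subdomains and other schemes all raise UntrustedUrlError.
def validate_callback_url(raw)
  uri = URI.parse(raw.to_s)
  raise UntrustedUrlError, 'scheme must be https' unless uri.scheme == ALLOWED_SCHEME
  raise UntrustedUrlError, 'userinfo not allowed' unless uri.userinfo.nil?
  raise UntrustedUrlError, 'host not allowlisted' unless uri.host && ALLOWED_HOST.match?(uri.host)
  raise UntrustedUrlError, 'explicit port not allowed' unless uri.port == 443
  uri
rescue URI::InvalidURIError => e
  raise UntrustedUrlError, "unparseable URL: #{e.message}"
end

# Fetches the validated URI with Net::HTTP: no shell, no filesystem, no open().
def fetch_subscribe_url(raw)
  Net::HTTP.get(validate_callback_url(raw))
end

# Boolean wrapper for callers that only need an accept/reject decision.
def safe_callback_url?(raw)
  validate_callback_url(raw)
  true
rescue UntrustedUrlError
  false
end
```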
John Kinsella
Senior Engineering Leader at AWS
- 1. Latest checklist: Minimum Viable Secure Product
Google, Salesforce, Okta, Slack and others put together a checklist for what they want to see at minimum in a product prior to purchase. Mostly standard items; the 72-hour incident notification catches my eye. Some of the password requirements are interesting, as well...
- 2. Trojan Source allows Unicode comments to take over the world
*scary music* News broke Monday morning of a new vulnerability that's had coordinated disclosure across several different languages. The basic idea is a Unicode string has the ability to inform the Unicode renderer if it should be left-to-right or right-to-left. This provides the ability for a comment to look like a comment, but actually affect code outside what's actually the comment. The interesting thing here is this appears to be the first vulnerability that's not specific to a particular programming language. (h/t https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/)
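As an added example for item 2, not taken from the Trojan Source disclosure or any project: a small Ruby scanner that flags the Unicode bidirectional control characters the item describes, the code points that change how a line is displayed without changing how a compiler parses it. The code point table, the function name and the sample source text are constructed for this example.

```ruby
# Added example, not the Trojan Source authors' code. Bidi override/embedding/
# isolate controls reorder what a reviewer *sees* while the compiler reads the
# bytes in storage order, so a comment or string can visually swallow code.
# Flagging these code points in source (CI, pre-commit, code review) is the
# practical defence; several compilers and forges added exactly this warning.
BIDI_CONTROLS = {
  0x202A => 'LRE', 0x202B => 'RLE', 0x202C => 'PDF', 0x202D => 'LRO', 0x202E => 'RLO',
  0x2066 => 'LRI', 0x2067 => 'RLI', 0x2068 => 'FSI', 0x2069 => 'PDI',
}.freeze

# Returns [line_number, column, control_name] for every bidi control character
# in the text (1-based positions). An empty array means the text is clean.
def find_bidi_controls(text)
  findings = []
  text.each_line.with_index(1) do |line, lineno|
    line.each_char.with_index(1) do |ch, col|
      name = BIDI_CONTROLS[ch.ord]
      findings << [lineno, col, name] if name
    end
  end
  findings
end

# Constructed samples: one ordinary comment, and one comment carrying an RLO
# (U+202E) later closed by a PDF (U+202C). Both controls must be reported.
CLEAN_SOURCE = "x = 1 # ordinary comment\nputs x\n"
TAINTED_SOURCE = "x = 1 # note\u202E hidden\u202C\nputs x\n"

if __FILE__ == $PROGRAM_NAME
  find_bidi_controls(TAINTED_SOURCE).each do |lineno, col, name|
    warn "bidi control #{name} at line #{lineno}, column #{col}"
  end
end
```

Run it over every file in a repository (for example from a pre-commit hook) and fail the check on any finding; legitimate right-to-left text in source is rare enough that an explicit allowlist of files is simpler than trying to judge intent.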