Introduction
CDG’s Engineering team thought we would start putting out some regular updates of happenings in the world of security news and vulnerabilities.
With the daily bombardment of cyber news, this will be our chance to recap and give our take on what is worth keeping your eyes on. Let’s take a look at what’s been happening!
News – The war on Truth Continues
“Never let a good crisis go to waste.”
– Winston Churchill
This well-remembered quote led to the establishment of the United Nations; unfortunately, those who have taken this mantra to heart are not all seeking positive change in the world. As the conflict between Russia and Ukraine continues into its fourth week, we are seeing more and more phishing and scamming attempts related to aid for Ukraine.
Crises are taken advantage of by scammers who pull at heartstrings and let awful human offenses distract from obvious attempts to steal money or data. During times like these, when a story such as the invasion of Ukraine is dominating everyone's eyes and ears, it is most important to be very wary of emails, text messages, social media messages, and the like.
What might look like a non-profit organization, images of Ukrainian families left with nothing, and a seemingly legitimate donate button, could be a scam.
Before you click:
Do your due diligence.
- Search the internet for the organization yourself.
- Ensure they are legitimate.
- Donate through the organization’s site directly, not through an email, social media channel, or message you directly received.
These are things we all know to do every day, but with so much going on, it’s easy to allow ourselves to be distracted. Stay focused. Stay safe.
Further reading:
Vuln – There’s a Dirty Pipe in Linux’s Kernel
Max Kellermann, a researcher at Ionos / CM4all, has disclosed an interesting new, easily exploitable, high-severity vulnerability. It has been a few years since the security community has seen this kind of finding within the Linux kernel.
Dirty Pipe, aptly named after the infamous Dirty Cow of 2016, is a vulnerability allowing privilege escalation from any local Linux account. This includes the “nobody” user, which typically has the lowest level of privilege in the OS. The vulnerability was introduced in version 5.8 of the kernel and persisted until it was fixed in the recent releases 5.16.11, 5.15.25, and 5.10.102.
This is an important vulnerability to patch and patch quickly. Systems directly accessible from the internet have the potential to allow a bad actor to leverage other vulnerabilities to gain local access, and from there, weaponize Dirty Pipe to escalate to the “root” user. That is game over.
Alternatively, any local users with access can leverage Dirty Pipe to gain “root” access when they shouldn’t have it. Remember, it is the inside bad actor, the “insider threat,” that is more common.
All major Linux distributions have patches available. Any regular security update will include this kernel fix.
TLDR; Any system running a Linux kernel from 5.8 up to, but not including, the fixed releases 5.16.11, 5.15.25, or 5.10.102 must be patched immediately to prevent potential privilege escalation to “root” level access. Patch as soon as possible.
Further reading:
Vuln – A Storm is Brewing, and it’s Gaining Power
APC has been a trusted name in UPS (uninterruptible power supply) devices for decades, with tens of millions of devices sold globally. These UPSs are backup battery devices that allow anything connected to them to remain powered during loss-of-power events. This is important anywhere critical infrastructure exists.
Their Smart-UPS line of devices is popular at home, in offices, and in data centers. Newer versions of these devices are directly connected to the internet, allowing for direct access to/from the APC Cloud. The Cloud will manage the device updates, downtime scheduling, alerts for power events, etc.
Researchers at Armis have recently discovered how three vulnerabilities, dubbed “TLStorm,” can be combined to allow a bad actor to masquerade as the APC Cloud and take over one of these devices. This leads to RCE (remote code execution), which can cause physical damage to the device and the equipment connected to it, disable the device, or potentially enlist it into a significant botnet.
APC has released firmware upgrades for the vulnerable devices and they should be patched immediately. It is imperative to patch your hardware devices as well as your software. We highly recommend reviewing the list of devices in the Armis article linked below and patching any of them that exist within your environments.
TLDR; Unpatched APC Smart-UPS devices have vulnerabilities that could allow RCE on the devices themselves. Patch as soon as possible.
Further reading:
Vuln – Time to “Git” your Labs Up to Date
There is a new critical vulnerability within both Gitlab Community and Enterprise editions. Technical details of the vulnerability, CVE-2022-0549, have not been released yet; however, it is clear that the vulnerability allows for the retrieval of a runner registration token, which would allow takeover of a runner and, through it, access to the infrastructure that runner is able to reach.
Gitlab was made aware of this vulnerability through a responsible disclosure and patches have already been released. The details of the releases are available now. If you are running any version from 12.10 to 14.6.4, 14.7 to 14.7.3, or 14.8 to 14.8.1, it is important to update to the latest versions available.
Please note that updating will reset existing runner registration tokens, so any automated processes using these tokens will break after this update and will need to be re-registered.
With orchestration software such as Gitlab requiring the scope to manage infrastructure, it is important to stay on top of findings such as these. Ideally, any internal tools, especially tools with this level of scope, should be limited to internal network access only (i.e. through a VPN).
Having tools such as Gitlab openly available on the internet is not advisable, and if this is the case for you, we highly recommend putting a plan in place to move them internally as soon as possible. If your instance of Gitlab is currently limited to a VPN, this particular vulnerability is not critical to you, as it is not openly exploitable unless the bad actor is already inside your VPN.
TLDR; There is an important security update to Gitlab CE and EE that prevents the exposure of your runner registration token. Patch as soon as possible.
Further reading:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0549
https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/
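Both the Dirty Pipe and the Gitlab items above come down to the same question: is the version I am running inside an affected range, or already at a backported fix? The following is an added example, not code from this post or from either project, that encodes the version ranges stated above and triages a constructed inventory (the host names and versions are made up). It handles the branch-specific kernel fixes (5.10.102 and 5.15.25), so a 5.10.150 kernel is correctly reported as fixed even though it is numerically below 5.16.11.

```python
import re

# Affected ranges from the two advisories above as (lowest affected, first fixed); upper bound exclusive.
# Kernel branches 5.10 and 5.15 received backported fixes, so they are listed before the general range.
DIRTY_PIPE_RANGES = [("5.10", "5.10.102"), ("5.15", "5.15.25"), ("5.8", "5.16.11")]
GITLAB_CVE_2022_0549_RANGES = [("12.10", "14.6.4"), ("14.7", "14.7.3"), ("14.8", "14.8.1")]

ADVISORIES = {  # product label (our own inventory convention) -> (advisory name, affected ranges)
    "linux-kernel": ("Dirty Pipe", DIRTY_PIPE_RANGES),
    "gitlab": ("CVE-2022-0549", GITLAB_CVE_2022_0549_RANGES),
}


def parse_version(text):
    """Keep only the leading dotted numeric part: '5.10.102-generic' -> (5, 10, 102)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version, ranges):
    """True if version falls in any [low, fixed) range, honouring branch-specific fixes first."""
    v = parse_version(version)
    for low, fixed in ranges:
        lo, hi = parse_version(low), parse_version(fixed)
        if lo <= v < hi:
            return True
        # Same branch as this entry but at or past its fix: do not fall through to a wider range.
        if v[:len(lo)] == lo:
            return False
    return False


def triage(inventory):
    """inventory: iterable of (host, product, version). Returns [(host, advisory)] needing a patch."""
    findings = []
    for host, product, version in inventory:
        if product in ADVISORIES:
            name, ranges = ADVISORIES[product]
            if is_affected(version, ranges):
                findings.append((host, name))
    return findings


SAMPLE_INVENTORY = [  # constructed sample data, not real hosts
    ("build01", "linux-kernel", "5.10.101"),      # below the 5.10 backport: affected
    ("build02", "linux-kernel", "5.10.150"),      # past the 5.10 backport: fixed
    ("web01", "linux-kernel", "5.4.180"),         # predates the bug: not affected
    ("git01", "gitlab", "14.7.2-ee"),             # inside 14.7 - 14.7.3: affected
    ("git02", "gitlab", "14.8.2-ee"),             # patched release: fixed
]

if __name__ == "__main__":
    for host, advisory in triage(SAMPLE_INVENTORY):
        print(f"{host}: patch required ({advisory})")
```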