USN-6473-2: pip vulnerabilities

USN-6473-1 fixed vulnerabilities in urllib3. This update provides the
corresponding updates for the urllib3 module bundled into pip.

Original advisory details:

It was discovered that urllib3 didn’t strip the HTTP Authorization header
on cross-origin redirects. A remote attacker could possibly use this
issue to obtain sensitive information. This issue only affected
Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-25091)

It was discovered that urllib3 didn’t strip the HTTP Cookie header on
cross-origin redirects. A remote attacker could possibly use this
issue to obtain sensitive information. (CVE-2023-43804)

It was discovered that urllib3 didn’t strip the HTTP body on status code
303 redirects under certain circumstances. A remote attacker could
possibly use this issue to obtain sensitive information. (CVE-2023-45803)
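All three advisory items are the same class of mistake: a credential header or a request body carried over to a redirect target that should not receive it. The following is an added example, not urllib3's own code or part of the advisory, showing the decision a client should make before following a redirect; origin() and prepare_redirect() are hypothetical names and the headers are constructed.

```python
from urllib.parse import urljoin, urlsplit

# Request headers that carry credentials; they must not travel to another origin.
CREDENTIAL_HEADERS = {"authorization", "cookie"}
# Headers that describe a request body; they go away when the body does.
BODY_HEADERS = {"content-length", "content-type"}

# Constructed request headers used by the demo (not captured traffic).
SAMPLE_HEADERS = {"Authorization": "Bearer t0k3n", "Cookie": "session=abc",
                  "Accept": "*/*", "Content-Type": "application/x-www-form-urlencoded",
                  "Content-Length": "6"}

def origin(url):
    """(scheme, host, port) with default ports filled in, so ':443' and no port agree."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)

def prepare_redirect(src_url, location, method, headers, body, status):
    """Return (method, url, headers, body) for the request that follows a redirect."""
    target = urljoin(src_url, location)  # Location may be relative
    new_headers = dict(headers)
    if origin(src_url) != origin(target):
        # Cross-origin hop: the credentials were issued for src_url's origin only.
        new_headers = {k: v for k, v in new_headers.items()
                       if k.lower() not in CREDENTIAL_HEADERS}
    new_method, new_body = method, body
    if status == 303 and method != "HEAD":
        # 303 means "re-request this with GET": the original body must not follow.
        new_method, new_body = "GET", None
        new_headers = {k: v for k, v in new_headers.items()
                       if k.lower() not in BODY_HEADERS}
    return new_method, target, new_headers, new_body
```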

How prepared is your company for a supply chain attack?

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In a supply chain attack, hackers aim to breach a target’s defenses by exploiting vulnerabilities in third-party companies. These attacks typically follow one of two paths. The first involves targeting a service provider or contractor, often a smaller entity with less robust security. The second path targets software developers, embedding malicious code into their products. This code, masquerading as a legitimate update, may later infiltrate the IT systems of customers.

This article delves into specific instances of supply chain attacks, explores the inherent risks, examines common strategies employed by attackers, as well as effective defense mechanisms, and offers supply chain risk management tips.

Understanding the scope and danger of supply chain cyberattacks

In their assaults on supply chains, attackers are driven by various objectives, which can range from espionage and extortion to other malicious intents. These attacks are merely one of many strategies hackers use to infiltrate a victim’s infrastructure.

What makes supply chain attacks particularly dangerous is their unpredictability and extensive reach. Companies can find themselves compromised by mere misfortune. A case in point is the 2020 incident involving SolarWinds, a network management software firm. The company fell victim to a hack that resulted in extensive breaches across various government agencies and private corporations. Over 18,000 SolarWinds customers unknowingly installed malicious updates, which led to an undetected, widespread malware infiltration.

Why do companies fall victim to supply chain attacks?

Several factors contribute to the susceptibility of companies to supply chain attacks:

Inadequate security measures

A staggering 84% of businesses have high-risk vulnerabilities within their networks. For companies involved in software production and distribution, a supply chain attack represents a significant breach of security protocols.

Reliance on unsafe components

Many firms utilize components from third-party vendors and open-source software (OSS), seeking to cut costs and expedite product development. However, this practice can backfire by introducing severe vulnerabilities into a company’s infrastructure. OSS platforms and repositories frequently contain security loopholes. Cybersecurity professionals have identified over 10,000 GitHub repositories susceptible to RepoJacking, a form of supply chain attack exploiting dependency hijacking. Furthermore, the layered nature of OSS, often integrating third-party components, creates a chain of transitive dependencies and potential security threats.

Overconfidence in partners

Not many companies conduct thorough security evaluations of their service providers, typically relying on superficial questionnaires or legal compliance checks. These measures fall short of providing an accurate picture of a partner’s cybersecurity maturity. In most cases, real audits are an afterthought triggered by a security incident that has already taken place.

Additional risk factors precipitating supply chain attacks encompass insecure development processes, compromised product development and delivery tool chains, software deployment mishaps, and the risks inherent in utilizing various devices and equipment.

What techniques do hackers use?

The prevalent forms of supply chain attacks include:

Software attacks: Hackers target the vendor’s software source code. They can covertly disrupt systems by embedding malicious components into a trusted application or hijacking the update server. These breaches are notoriously hard to identify since the perpetrators frequently use stolen, yet valid, certificates to sign the code.

Hardware attacks: Perpetrators target physical devices within the supply chain, like keyboards or webcams, often exploiting backdoors for unauthorized access.

Firmware attacks: Cybercriminals implant malicious software into a computer’s startup code. These attacks are executed the moment the device is powered on, jeopardizing the whole system. Without specific protective measures, these quick, stealthy breaches will likely remain unnoticed.

Initiating a supply chain attack often involves using spyware to steal employee credentials and social engineering tactics, including phishing, typo-squatting, and fake apps. Additionally, hackers may employ SQL injection, exploit system misconfigurations, hunt for sensitive data using OSINT, launch brute-force attacks, or even engage in physical break-ins.

In attacks via open-source components, hackers may use the following tactics:

• Dependency mismatch – Hackers register internal package names on the public open-source registry and publish malware under them at an abnormally high version number. When an admin or build system requests the artifact without pinning a version, the package manager defaults to the highest version available, which is the infected one.

• Malicious code injection – attackers gain access to popular libraries by compromising a maintainer's account or by acting as a contributor themselves. Companies that ship the malicious OSS become both victims of the attack and distributors of infected software.

• Typo-squatting – hackers release malicious components under misspelled versions of well-known library names. Developers, often inundated with numerous daily routines and pressed for time, may unknowingly use these deceptive alternatives.
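All three tactics above leave traces in the dependency manifest before anything is installed. The following is an added example, not from the article or any named tool, that audits a pip requirements file for unpinned packages, internal package names exposed through --extra-index-url, and names within two edits of a well-known public package; the package lists and the sample file are constructed for the demo.

```python
import re

# Constructed lists (assumptions, not real project data): names published only
# to a private index, and a short allow-list of well-known public packages.
INTERNAL_PACKAGES = {"acme-billing", "acme-auth"}
KNOWN_PUBLIC = {"requests", "urllib3", "numpy", "cryptography", "pyyaml"}
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?")

def normalize(name):  # PEP 503 form, so 'PyYAML' and 'pyyaml' compare equal
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):  # Levenshtein distance, row-by-row DP
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_requirements(text):
    """Return (package, finding) pairs for the three tactics described above."""
    lines = [l.split("#", 1)[0].strip() for l in text.splitlines()]
    lines = [l for l in lines if l]
    # --extra-index-url keeps the public index in play, so a public upload of an
    # internal name at a higher version would win resolution (dependency confusion).
    extra_index = any(l.startswith("--extra-index-url") for l in lines)
    findings = []
    for line in lines:
        m = REQ_LINE.match(line)
        if not m:
            continue  # option lines such as --index-url
        pkg, op = normalize(m.group(1)), m.group(2)
        if op != "==":  # unpinned: the resolver takes the highest version it sees
            findings.append((pkg, "unpinned"))
        if pkg in INTERNAL_PACKAGES and extra_index:
            findings.append((pkg, "internal-name-via-extra-index"))
        if pkg not in KNOWN_PUBLIC and pkg not in INTERNAL_PACKAGES:
            near = sorted(k for k in KNOWN_PUBLIC if edit_distance(pkg, k) <= 2)
            if near:  # one or two edits from a well-known name: possible typo-squat
                findings.append((pkg, "lookalike-of:" + ",".join(near)))
    return findings

# Constructed requirements file for the demo (not from any real project).
SAMPLE_REQUIREMENTS = """--extra-index-url https://pypi.internal.example/simple
requests==2.31.0
urlib3>=1.26
acme-billing
PyYAML==6.0.1
"""
```

Pinning with `==` and hashes, and using `--index-url` to a private mirror that proxies the public index, removes the first two findings; the lookalike check is a heuristic and should be reviewed by a person.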

How to protect your company from supply chain attacks?

To fortify your defenses against supply chain attacks, consider the following strategies:

• Implement a comprehensive suite of best practices designed to safeguard every phase of your software’s update and patch management.
• Deploy automated tools for ongoing network monitoring, identifying and responding to unusual activity promptly.
• Implement a Zero Trust model, assuming that any device or user could potentially be compromised. This approach requires robust identity verification for anyone trying to access resources in your network.
• Regularly assess the security protocols of your suppliers and partners. Do not rely on surface-level evaluations; use in-depth tools to thoroughly audit their security processes.
• Divide your network into segments so critical data and services are separated.
• In anticipation of potential cyberattacks that could result in data loss or encryption, establish a robust data backup system.
• Prepare for worst-case scenarios and create a detailed incident response plan to mitigate and recover from supply chain attacks.
• Use threat intelligence to understand potential attack vectors and identify any breaches in third-party systems. Collaborate with other businesses and industry groups for threat intelligence sharing.
• If you develop software, ensure secure coding practices are in place. Utilize Software Composition Analysis (SCA) tools to track and analyze the components you are using in your software for vulnerabilities.

Conclusion

Supply chain attacks stand as some of the most pressing and dangerous threats today. These incidents can trigger substantial disruptions in business operations, impede collaborations with vital partners, incur huge financial costs, damage reputation, and potentially lead to legal consequences due to non-compliance. It is impossible to completely protect against a supply chain attack, but adopting fundamental information security practices can help diminish risks and identify breaches early on. It is important to use a holistic approach to protection: combine different tools and methods, thus covering as many vulnerabilities as possible.

USN-6449-2: FFmpeg regression

USN-6449-1 fixed vulnerabilities in FFmpeg. Unfortunately that update
could introduce a regression in tools using an FFmpeg library, like VLC.

This update fixes the problem. We apologize for the inconvenience.

Original advisory details:

It was discovered that FFmpeg incorrectly managed memory resulting
in a memory leak. An attacker could possibly use this issue to cause
a denial of service via application crash. This issue only
affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-22038)

It was discovered that FFmpeg incorrectly handled certain input files,
leading to an integer overflow. An attacker could possibly use this issue
to cause a denial of service via application crash. This issue only
affected Ubuntu 20.04 LTS. (CVE-2020-20898, CVE-2021-38090,
CVE-2021-38091, CVE-2021-38092, CVE-2021-38093, CVE-2021-38094)

It was discovered that FFmpeg incorrectly managed memory, resulting in
a memory leak. If a user or automated system were tricked into
processing a specially crafted input file, a remote attacker could
possibly use this issue to cause a denial of service, or execute
arbitrary code. (CVE-2022-48434)

ZDI-23-1696: Adobe Acrobat Reader DC Font Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2023-44371.

ZDI-23-1697: Adobe Acrobat Reader DC Font Parsing Use-After-Free Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2023-44359.

ZDI-23-1698: Adobe Acrobat Reader DC Font Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2023-44371.

ZDI-23-1699: Adobe Acrobat Reader DC Font Parsing Memory Corruption Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2023-44371.
