USN-6921-1: Linux kernel vulnerabilities

Benedict Schlüter, Supraja Sridhara, Andrin Bertschi, and Shweta Shinde
discovered that an untrusted hypervisor could inject malicious #VC
interrupts and compromise the security guarantees of AMD SEV-SNP. This flaw
is known as WeSee. A local attacker in control of the hypervisor could use
this to expose sensitive information or possibly execute arbitrary code in
the trusted execution environment. (CVE-2024-25742)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– DMA engine subsystem;
– HID subsystem;
– I2C subsystem;
– PHY drivers;
– TTY drivers;
– IPv4 networking;
(CVE-2024-35990, CVE-2024-35997, CVE-2024-35992, CVE-2024-35984,
CVE-2024-36008, CVE-2024-36016)

New Research in Detecting AI-Generated Videos

The latest in what will be a continuing arms race between creating and detecting videos:

The new tool the research project is unleashing on deepfakes, called “MISLnet”, evolved from years of data derived from detecting fake images and video with tools that spot changes made to digital video or images. These may include the addition or movement of pixels between frames, manipulation of the speed of the clip, or the removal of frames.

Such tools work because a digital camera’s algorithmic processing creates relationships between pixel color values. Those relationships between values are very different in user-generated images or in images edited with apps like Photoshop.

But because AI-generated videos aren’t produced by a camera capturing a real scene or image, they don’t contain those telltale disparities between pixel values.

The Drexel team’s tools, including MISLnet, learn using a method called a constrained neural network, which can differentiate between normal and unusual values at the sub-pixel level of images or video clips, rather than searching for the common indicators of image manipulation like those mentioned above.

Research paper.

USN-6923-1: Linux kernel vulnerabilities

Benedict Schlüter, Supraja Sridhara, Andrin Bertschi, and Shweta Shinde
discovered that an untrusted hypervisor could inject malicious #VC
interrupts and compromise the security guarantees of AMD SEV-SNP. This flaw
is known as WeSee. A local attacker in control of the hypervisor could use
this to expose sensitive information or possibly execute arbitrary code in
the trusted execution environment. (CVE-2024-25742)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– TTY drivers;
– SMB network file system;
– Netfilter;
– Bluetooth subsystem;
(CVE-2024-26886, CVE-2024-26952, CVE-2023-52752, CVE-2024-27017,
CVE-2024-36016)

Why You Need a Web Application Firewall in 2024

The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article.

Over the last decade, web applications have become integral to everyday life. This includes business and personal activities, facilitating everything from banking and transactions to marketing and social networking. This rise in popularity has made web applications a prime target for cybercriminals.

According to Verizon’s 2024 Data Breach Investigation Report, nearly 40% of cybersecurity incidents result from web application vulnerabilities. Businesses relying on these applications for everyday operations must implement robust security measures to ensure their app stack is resilient to threats and capable of maintaining uninterrupted service.

One of the most effective tools for safeguarding web applications is a web application firewall (WAF), which provides critical protection against a wide range of cyber threats.

Most Common Threats to Web App Security

Before we dive into how web application firewalls protect our web assets, let’s look at the most pressing security threats facing web applications in 2024. Stolen credentials are top of mind, as millions are available for sale on the dark web.

One of the most significant cyberattacks of the year involved compromised credentials from a third-party application in an attack on UnitedHealth, which jeopardized the data of one-third of Americans. Attackers were nested inside the victim’s systems for months before striking, highlighting how important real-time monitoring capabilities are for detecting suspicious behavior.

Zero-day exploits are also a common vector attackers have used in recent years to breach web applications. A zero-day vulnerability is unknown to the application vendor or the public at the time it is discovered and exploited by attackers. They can be quite dangerous if they’re not identified and patched quickly. In 2023, there were 97 reported zero-day vulnerabilities, a 50% increase from the year before.

Additionally, as web applications increasingly rely on each other to provide maximum functionality to the end user, API-related attacks have also become prevalent. App integrations must be executed correctly with strong authentication and authorization mechanisms. Input validation is also required to prevent injection attacks.

Modern WAF Solutions Are Essential to Improving Security

A web application firewall is a hardware or software-based solution used to monitor and filter HTTP traffic between a web application and the internet. WAFs provide two essential security features: traffic filtering and real-time monitoring.

WAFs use rule-based filters to inspect HTTP requests and responses. These filters detect and block a wide spectrum of attacks, including SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). By analyzing traffic in real time, a WAF solution can identify and mitigate threats as they occur, foiling attacks before they can exploit vulnerabilities in the web application.

If there is any suspicious behavior from a specific account or unusual traffic patterns indicating a potential attack, the WAF can immediately flag these events and trigger response actions. These could include blocking the identified threat, alerting security teams, or other automated responses to contain and mitigate the threat. With a modern WAF, businesses essentially get an intelligent, adaptive security system that not only defends against known threats but also anticipates and mitigates emerging ones.

The Latest Advancements in WAF Technology

Attackers have become highly proficient in masking their actions. For example, they have access to millions of IPs, which allows them to bypass geolocation-based filters. They also know how to make malicious web requests without using known threat signatures that would trigger a response from security systems.

With rapidly evolving threats, WAFs are also constantly advancing to provide more comprehensive and sophisticated protection. Modern WAF solutions offer advanced features like AI-driven threat detection and automated threat intelligence updates. These technologies help the firewall minimize false positives and facilitate critical functions such as policy and rule creation.

With machine learning, next-generation WAFs leverage behavior analysis to block attacks without relying on known attack patterns and manual security rules. The WAF builds sophisticated behavioral profiles of legitimate clients based on past behavior. By definition, a hostile user will eventually depart from legitimate behavior. As soon as this happens, the WAF will block them from further network access and lateral movement.
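The two layers described above, rule-based filtering of the request line and a per-client behavioral baseline, as an added illustration that is not code from the article or from any WAF product. The signature patterns, the access-log records and the error-ratio threshold are all constructed for this example; a real WAF learns its baselines per application rather than using fixed numbers.

```python
import re
from collections import defaultdict

# Constructed signature rules (illustrative, not a production ruleset):
# each maps an attack class to a pattern matched against the request path+query.
SIGNATURES = {
    "sqli": re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I),
    "xss": re.compile(r"<script\b|javascript:|on(error|load)\s*=", re.I),
}

# Constructed access log: (client_ip, method, path, status). 10.0.0.7 only
# requests resources that do not exist, the kind of departure from a
# legitimate client's profile that the article says a modern WAF flags.
SAMPLE_LOG = [
    ("10.0.0.5", "GET", "/", 200),
    ("10.0.0.5", "GET", "/products?id=42", 200),
    ("10.0.0.5", "POST", "/cart", 200),
    ("10.0.0.9", "GET", "/products?id=1' OR 1=1--", 500),
    ("10.0.0.9", "GET", "/search?q=<script>alert(1)</script>", 200),
    ("10.0.0.7", "GET", "/admin", 404),
    ("10.0.0.7", "GET", "/backup", 404),
    ("10.0.0.7", "GET", "/old", 404),
    ("10.0.0.7", "GET", "/test", 404),
    ("10.0.0.7", "GET", "/config", 404),
]


def inspect(log, max_error_ratio=0.5, min_requests=5):
    """Return (client, action, reason) events: 'block' on a signature hit,
    'alert' when a client's error ratio exceeds the (hypothetical) baseline
    once enough history exists to judge it."""
    profile = defaultdict(lambda: {"requests": 0, "errors": 0})
    events = []
    for client, _method, path, status in log:
        p = profile[client]
        p["requests"] += 1
        if status >= 400:
            p["errors"] += 1
        # Layer 1: rule-based filter over the request line.
        hit = next((n for n, rx in SIGNATURES.items() if rx.search(path)), None)
        if hit:
            events.append((client, "block", f"signature:{hit}"))
            continue
        # Layer 2: behavioral profile, evaluated only after min_requests.
        if p["requests"] >= min_requests and p["errors"] / p["requests"] > max_error_ratio:
            events.append((client, "alert", "behavior:error-ratio"))
    return events


if __name__ == "__main__":
    for event in inspect(SAMPLE_LOG):
        print(event)
```

Run as a script to see the two signature blocks for 10.0.0.9 and the behavioral alert for 10.0.0.7 while the ordinary client 10.0.0.5 produces no events.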

These capabilities mark a significant milestone in zero-day attack prevention, enabling detection before vulnerabilities are added to the available rulesets of known attacks. On another note, the growing role of AI for both threat detection and other enterprise purposes can be a double-edged sword. It potentially increases the attack surface and requires extra protections of proprietary machine learning models that harbor sensitive training data.

The use of AI security posture management provides continuous visibility of AI pipelines, helps detect misconfigurations in these services, and combined with WAF capabilities, facilitates proactive risk mitigation across the entire organizational infrastructure.

Other Measures to Secure Your Web Applications

As good as web app firewalls are, a strong cybersecurity program requires a multi-layered approach for comprehensive protection. The data WAFs generate is well-suited for integration with security information and event management (SIEM) software.

There, WAF traffic can be correlated with logs from other sources to help pinpoint the origin of threats, understand their scope, and respond more effectively. Additional measures you should take to maximize the security of your web applications include:

Regular security audits: Security audits involve thorough testing and analysis of your application’s code, configuration, incoming queries and infrastructure. They help uncover security flaws or vulnerabilities that could be exploited by attackers. Since code and configurations change quite regularly, it’s important to conduct regular security audits, especially after more significant updates.

Patch management: Application component providers and cybersecurity services regularly release updates and patches to address vulnerabilities or incorporate other security enhancements. Timely updates prevent attackers from exploiting known vulnerabilities. Before making any updates, back up your application data, databases, and configurations to prevent data loss in case something goes wrong.

Secure coding practices: Implement secure coding practices to minimize vulnerabilities in your application code. Educate developers on secure coding standards and perform regular code reviews. Attacks like SQL injections are still prevalent because of insecure coding practices. Even if fixing these issues is simple, many applications remain vulnerable due to a lack of awareness and bad practices.

Endnote

Web applications are the backbone of nearly everything we do online. The fact that 40% of attacks use a web app as an initial vector is a worrying sign, but it also points out just how reliant we are on them for our daily operations, communication, and transactions.

Security measures like web application firewalls are no longer optional but should be the minimum standard to protect our data and online interactions. WAFs are equipped with the latest technologies to ensure prompt detection and mitigation of threats. This is the only way forward considering how creatively attackers leverage advancements in AI and machine learning to their own advantage.

USN-6922-1: Linux kernel vulnerabilities

It was discovered that a race condition existed in the Bluetooth subsystem
in the Linux kernel when modifying certain settings values through debugfs.
A privileged local attacker could use this to cause a denial of service.
(CVE-2024-24857, CVE-2024-24858, CVE-2024-24859)

Chenyuan Yang discovered that the Unsorted Block Images (UBI) flash device
volume management subsystem did not properly validate logical eraseblock
sizes in certain situations. An attacker could possibly use this to cause a
denial of service (system crash). (CVE-2024-25739)

ZDI-24-1019: (Pwn2Own) Docker Desktop extension-manager Exposed Dangerous Function Privilege Escalation Vulnerability

This vulnerability allows local attackers to escalate privileges on affected installations of Docker Desktop. An attacker must first obtain the ability to execute high-privileged code within the container in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.2. The following CVEs are assigned: CVE-2024-6222.

ZDI-24-1020: SolarWinds Access Rights Manager deleteTransferFile Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability

This vulnerability allows remote attackers to delete arbitrary files and disclose sensitive information on affected installations of SolarWinds Access Rights Manager. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.6. The following CVEs are assigned: CVE-2024-28992.
