image of breaking badness
Breaking Badness
Breaking Badness

117. Fire in the Wall!

Here are a few highlights from each article we discussed:

To Patch a Predator: A Double Header on Firewall Vendor Vulnerabilities

  • Today we are covering a rare combo-story because two different firewall vendors had vulnerabilities – Sophos and Zyxel
  • For those who are unaware, Tim Helming used to be in the firewall world
    • There’s a lot of terminology that is firewall-adjacent out there, so to disambiguate things:
      • The fact is that in most organizations, particularly the larger ones, it’s fairly rare to see a device that is a simple “firewall” in the old sense—basically a packet filter that says “these addresses can send traffic to these other addresses over these ports and protocols.”
      • Nowadays you have pretty sophisticated devices that do a whole lot of different functions in one box (which could be a hardware box or a virtual machine software package)
      • You’ll hear terms like “Next Generation Firewall” or NGFW, which is a swiss army knife of functions like packet filtering, other kinds of routing including VLANs and other sophisticated routing protocols, VPNs, failover, and a lot of specialized packet inspection with antivirus, anti-spam, anti-malware, reputation lookups, file sandboxing and detonation, email quarantine, SSL teardown and inspection, cryptographic acceleration, and so on
      • So there’s a pretty large software surface area to keep bug-free. And a lot of them are running packages OEM’d from other providers, too.
  • Regarding the Sophos vulnerability
    • To begin, the firewall (and we will go ahead and use that catch-all term) is a pretty bad place to have significant vulnerabilities
      • In the castle-and-moat analogy, it’s like the wrong party getting the drawbridge controls, or the moat draining of its water
    • The Sophos issue is, to quote them directly: “An authentication bypass vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall and responsibly disclosed to Sophos.”
      • Most of these firewall devices have these kinds of functions—user portals that can be used for authentication to permit things like connecting to the corporate VPN, or to be allowed to surf the Web via the web filtering on the device; and the webadmin portal is a browser-based configuration UI that the firewall admins use to change settings on the device
      • When you can bypass authentication for these things, you have the potential for a malicious party to change firewall settings, or to grab packet captures or logs, or any number of bad things
      • And by changing settings, of course, they can create nice pathways for themselves right into the protected environment
      • Additionally, the firewall config also amounts to a super useful map of the protected environment as well, saving time on pesky tasks like running network scans.
  • The Zyxel bug compared to the Sophos bug
    • They are similar in that they both allow an attacker to gain administrative access to the device
      • The downstream effects of the Zyxel bug are essentially the same as those of the Sophos one, with undoubtedly some variations in what kinds of things you can get from the device itself in terms of network mapping, packet capture, logs, etc.
  • CISA actually issued a warning to private and public sector orgs to prioritize patching regarding the Sophos bug, but not the Zyxel bug, even though Zyxel regards the severity of theirs as a 9.8 out of 10
    • However, it’s worth noting that the NIST CVE rating of the Sophos one is also a 9.8 of 10
    • As to why CISA targeted one but not the other, we can only speculate on this one, but it may be that Zyxel tends to focus on the lower end of the market, including home office devices or those for small to medium enterprises
    • Sophos has gear for those markets too but tends to focus a little more toward the larger enterprise end of the continuum
    • Another reason may be that there were specific reports of exploits of the Sophos vulnerability in the wild and we haven’t yet seen reports of the Zyxel one exploited in the wild
    • It’s also worth noting that, to date, where those exploits of the Sophos bug were being observed was primarily in South Asia (they aren’t more specific than that region).
  • The CISA warning gives Federal Civilian Branch Agencies until April 21 to secure their security systems
    • The CISA orders are specific about what actions must be taken and when
    • Currently no information regarding the teeth behind those orders (i.e. no word on fines or other ramifications)
    • The main exposure here is simply the exposure of the device and what that implies for unauthorized access to protected networks.
  • Sophos and Zyxel are telling their customers to patch their networks
    • Though it may seem anticlimactic, it’s still extremely important

Spring Has Sprung…A Security Advisory

  • For those who are unaware, Spring is a popular Java application framework that has been around for 19 years. It’s used by web app developers around the world to build enterprise-grade java applications.
  • Last week, 2 vulnerabilities were discovered, though the second got a lot more press
    • The first was in SpringCloud, an open-source microservices network
    • The second was published on GitHub without advanced notice and was dubbed “Spring4Shell” before it was removed
    • The code was shared on other repositories and it was confirmed it was a legitimate exploit for a new vulnerability
  • On March 31, Spring released a security advisory stating this impacts Spring MVC and Spring WebFlux applications on JDK 9 or higher
  • This vulnerability was disclosed to Spring on Tuesday, March 29, and by odeplutos, meizjm3i of AntGroup FG, and they developed and tested a fix that was set for release on March 31, but the patch was pushed forward ahead of the release schedule
  • Sample code had also been affected by the vulnerability, which is dangerous because developers commonly use sample code for their own apps, meaning there could be vulnerable apps online
  • The next step for Spring admins is to prioritize deploying security updates
    • Spring4Shell scanners have already been created
    • Reports of the vulnerability are actively being exploited in the wild

    Two Truths and a Lie

    Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with called two truths and a lie, with a fun twist. Each week, one us with come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.

    You’ll have to tune in to find out!

    Current Scoreboard

    Breaking Badness Two Truths and a Lie

    This Week’s Hoodie/Goodie Scale

    To Patch a Predator: A Double Header on Firewall Vendor Vulnerabilities

    [Taylor]: 4.5/10 Hoodies
    [Tim]: 3/10 Hoodies

    Spring Has Sprung…A Security Advisory

    [Taylor]: 5/10 Hoodies
    [Tim]: 5/10 Hoodies

    That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

    *A special thanks to John Roderick for our incredible podcast music!