After six days and thousands of pwned users, Cisco poised to patch IOS XE flaw
ALSO: SolarWinds using plaintext passwords; North Korea attacks TeamCity; Critical vulns, and more
Security in brief On Friday, Cisco released more details about the critical zero-day bug it disclosed on Monday, and said it hopes to have a fix available to customers beginning Sunday.
"Through ongoing investigation, we uncovered the attacker combined two vulnerabilities to bypass security measures (the first for initial access and the second to elevate privilege once authenticated)," a Cisco spokesperson told The Register about the issue.
According to exposure management outfit Censys, 36,541 Cisco devices had been compromised as of October 19.
In its updated security advisory, Cisco revealed the intruders first exploited CVE-2023-20198 for initial access and issued a privilege 15 command to create a local user and password combination. This flaw – which received a perfect 10 CVSS score – "allowed the user to log in with normal user access," according to the advisory.
Then, the miscreants exploited a second flaw in the web UI feature – CVE-2023-20273, which received a CVSS rating of 7.2. This allowed the local user to elevate privileges to root, write the implant to the file system, and hijack the device.
"We have now identified a fix that covers both vulnerabilities and estimate initial releases will be available to customers starting October 22," the Cisco spokesperson explained. "However, there are actions customers can take immediately."
These include disabling the HTTP Server feature on all internet-facing systems, or at the very least restricting its access to trusted source addresses.
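As an added example (written for this article, not Cisco tooling), the two mitigations above can be turned into an offline check against a saved running-config: the web UI is acceptable only if the HTTP/HTTPS server is disabled, or if it is bound to an access-class ACL that does not permit any source. The three config samples, the ACL name MGMT_ONLY and the 10.0.0.0/24 management range are constructed for the example.

```python
"""Audit an IOS XE running-config for web UI (HTTP server) exposure.

Added example for this article, not Cisco tooling. It evaluates the two
mitigations in Cisco's advisory: the HTTP/HTTPS server is disabled, or it is
bound to an access-class ACL restricted to trusted management addresses.
Only lines present in the supplied config are evaluated; confirm the live
state on the box with 'show ip http server status'.
"""
import re

# Constructed sample: internet-facing device with the web UI wide open.
WEAK_CONFIG = """\
hostname edge-router
!
ip http server
ip http secure-server
ip http authentication local
!
end
"""

# Constructed sample: web UI switched off, Cisco's preferred mitigation.
DISABLED_CONFIG = """\
hostname edge-router
!
no ip http server
no ip http secure-server
!
end
"""

# Constructed sample: web UI kept for management but limited by ACL.
# The ACL name MGMT_ONLY and the 10.0.0.0/24 range are assumptions.
RESTRICTED_CONFIG = """\
hostname edge-router
!
ip access-list standard MGMT_ONLY
 permit 10.0.0.0 0.0.0.255
 deny   any
!
ip http server
ip http secure-server
ip http access-class ipv4 MGMT_ONLY
!
end
"""


def _acl_entries(config: str, acl: str) -> list[str]:
    """Collect the permit/deny entries of a named (ip access-list) or
    numbered (access-list N ...) ACL, stripped of indentation."""
    entries, in_block = [], False
    for raw in config.splitlines():
        line = raw.rstrip()
        if re.match(rf"ip access-list (?:standard|extended) {re.escape(acl)}$", line):
            in_block = True
            continue
        if in_block:
            if line.startswith(" "):          # indented entry belongs to the block
                entries.append(line.strip())
                continue
            in_block = False                  # any non-indented line ends it
        if re.match(rf"access-list {re.escape(acl)} (?:permit|deny) ", line):
            entries.append(line.split(" ", 2)[2])
    return entries


def audit_http_server(config: str) -> dict:
    """Classify a config as 'disabled', 'restricted' or 'exposed'."""
    lines = [l.strip() for l in config.splitlines()]
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    acl = None
    for line in lines:
        # Both forms occur: 'ip http access-class 10' and 'ip http access-class ipv4 NAME'
        m = re.match(r"ip http access-class (?:ipv4 )?(\S+)$", line)
        if m:
            acl = m.group(1)
    result = {"http": http_on, "https": https_on, "acl": acl, "findings": []}
    if not http_on and not https_on:
        result["status"] = "disabled"
        return result
    if acl is None:
        result["status"] = "exposed"
        result["findings"].append(
            "HTTP/HTTPS server enabled with no access-class: web UI reachable from any source")
        return result
    entries = _acl_entries(config, acl)
    if not entries:
        result["status"] = "exposed"
        result["findings"].append(
            f"access-class references ACL {acl!r} but it is not defined here; "
            "treat as unrestricted until verified on the device")
    elif any(re.match(r"permit (?:ip )?any", e) for e in entries):
        result["status"] = "exposed"
        result["findings"].append(f"ACL {acl!r} permits any source")
    else:
        result["status"] = "restricted"
    return result


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("disabled", DISABLED_CONFIG),
                      ("restricted", RESTRICTED_CONFIG)):
        r = audit_http_server(cfg)
        print(f"{name:<10} status={r['status']:<10} acl={r['acl']} {r['findings']}")
```

The check is deliberately conservative: an ACL that is referenced but not present in the supplied text is reported as exposed rather than assumed safe, and a `permit any` entry anywhere in the ACL counts as no restriction at all.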
Okta hit again, hackers make off with customer access tokens
Identity-as-a-service platform Okta has been hit by another security breach, this time giving intruders access to sensitive customer files used for solving support tickets.
Okta acknowledged the incident in a Saturday blog post penned by CSO David Bradbury, in which he revealed that an "adversarial" actor used stolen credentials to gain access to Okta's support case management system. They may have made off with HTTP Archive (HAR) files used to replicate browser activity for troubleshooting.
"HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users," Bradbury wrote.
Okta said it has notified affected customers, so if you haven't heard, your organization probably wasn't affected. Okta recommends all customers sanitize credentials, cookies and session tokens in HAR files as a best practice before sharing them with anyone.
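As an added example (written for this article, not Okta's code), the sanitization Okta recommends can be automated rather than done by hand: the script below walks a HAR file's JSON structure, replaces cookies, Authorization and Set-Cookie headers, and token- or password-like fields in query strings and bodies with a marker, and then checks that none of the known secret values survive anywhere in the file. The sample HAR and every secret value in it are constructed.

```python
"""Redact session material from a HAR file before attaching it to a ticket.

Added example for this article, not Okta's tooling. HAR is JSON: each of
log.entries[] holds a request and a response with headers[], cookies[], an
optional queryString[], postData and content. Cookies, Authorization and
Set-Cookie headers and token/password-like fields are replaced with REDACTED
so that status codes, timings and URLs remain useful for troubleshooting.
The sample HAR and its secret values are constructed.
"""
import copy
import json
import re

REDACTED = "[REDACTED]"
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
# Field names that typically carry secrets in query strings, form bodies and JSON.
SECRET_KEY = re.compile(r"token|session|password|secret|assertion|cookie", re.IGNORECASE)
# key=value pairs (form bodies, query strings, URLs) whose key matches SECRET_KEY.
FORM_SECRET = re.compile(
    r"((?:[^&=]*(?:token|session|password|secret|assertion|cookie)[^&=]*)=)[^&]*", re.IGNORECASE)

# Constructed secret values, kept in one place so the result can be verified.
SESSION_COOKIE = "102f6c5b3a1e4d7f9c0b2a8e6d4c1f3a"
API_TOKEN = "00AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"
SESSION_TOKEN = "20111constructedSessionToken"
PASSWORD = "hunter2-constructed"
SAMPLE_SECRETS = [SESSION_COOKIE, API_TOKEN, SESSION_TOKEN, PASSWORD]

SAMPLE_HAR = {"log": {"version": "1.2", "creator": {"name": "constructed", "version": "0"}, "entries": [{
    "startedDateTime": "2023-10-02T12:00:00Z", "time": 120,
    "request": {
        "method": "POST", "url": "https://sso.example.invalid/api/v1/authn?state=abc",
        "headers": [{"name": "Cookie", "value": f"sid={SESSION_COOKIE}; JSESSIONID=1A2B"},
                    {"name": "Authorization", "value": f"SSWS {API_TOKEN}"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": SESSION_COOKIE}],
        "queryString": [{"name": "state", "value": "abc"}],
        "postData": {"mimeType": "application/json",
                     "text": json.dumps({"username": "alice", "password": PASSWORD})}},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": f"sid={SESSION_COOKIE}; Secure; HttpOnly"}],
        "cookies": [{"name": "sid", "value": SESSION_COOKIE}],
        "content": {"mimeType": "application/json",
                    "text": json.dumps({"sessionToken": SESSION_TOKEN, "status": "SUCCESS"})}}}]}}


def _redact_json(obj):
    """Recursively blank scalar values whose key looks secret."""
    if isinstance(obj, dict):
        return {k: REDACTED if SECRET_KEY.search(k) and not isinstance(v, (dict, list))
                else _redact_json(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_redact_json(v) for v in obj]
    return obj


def _redact_text(text: str, mime: str) -> str:
    """Redact a body by its declared type, falling back to key=value scanning."""
    if "json" in mime.lower():
        try:
            return json.dumps(_redact_json(json.loads(text)))
        except ValueError:
            pass  # declared JSON but not parseable; fall through to the regex
    return FORM_SECRET.sub(lambda m: m.group(1) + REDACTED, text)


def sanitize_har(har: dict) -> dict:
    """Return a deep copy of the HAR with session material replaced."""
    out = copy.deepcopy(har)
    for entry in out["log"]["entries"]:
        for side in ("request", "response"):
            part = entry.get(side, {})
            for h in part.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
            for c in part.get("cookies", []):
                c["value"] = REDACTED
            for q in part.get("queryString", []):
                if SECRET_KEY.search(q.get("name", "")):
                    q["value"] = REDACTED
            if "url" in part:  # tokens passed as query parameters also live in the URL
                part["url"] = _redact_text(part["url"], "")
        post = entry.get("request", {}).get("postData", {})
        if "text" in post:
            post["text"] = _redact_text(post["text"], post.get("mimeType", ""))
        for p in post.get("params", []):
            if SECRET_KEY.search(p.get("name", "")):
                p["value"] = REDACTED
        content = entry.get("response", {}).get("content", {})
        if "text" in content:
            content["text"] = _redact_text(content["text"], content.get("mimeType", ""))
    return out


def still_present(har: dict, secrets: list[str]) -> list[str]:
    """Final check: which known secret values still appear anywhere in the file."""
    blob = json.dumps(har)
    return [s for s in secrets if s in blob]


if __name__ == "__main__":
    import sys
    har = SAMPLE_HAR
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            har = json.load(f)
    print(json.dumps(sanitize_har(har), indent=1))
```

Usernames and URLs are deliberately left alone, since they are what support engineers need to reproduce a problem; the `still_present` check exists because name-based redaction can miss a token embedded in an unexpected place, so the last step before sharing should always be a search for the values you know are secret (your own session cookie, for instance).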
Okta didn't make any mention of the impact of the attack in its acknowledgement, but reports elsewhere indicate that the attacker may have had access to the support platform for at least two weeks before Okta realized what had happened.
One of the Okta customers notified, BeyondTrust, told KrebsOnSecurity that it had alerted Okta on October 2 to activity likely related to the support breach, after noticing someone trying to use an Okta account belonging to a BeyondTrust employee to create a new admin account in BeyondTrust's Okta environment.
BeyondTrust had shared a HAR file with Okta for a support ticket just 30 minutes before detecting the unauthorized activity, and determined that session cookies from that file were used by the attacker. Naturally, this led BeyondTrust to conclude Okta itself had been breached, which Okta denied at the time.
Speaking to Krebs, Okta deputy CISO Charlotte Wylie said on October 2 that it didn't believe the BeyondTrust incident was a result of an Okta failure. Wylie reportedly changed her tune this week, admitting a "very, very small subset" of its customers had been affected.
"This is a known threat actor that we believe has targeted us and Okta-specific customers," Wylie told Krebs, though it's not clear who may be responsible for the incident.
This isn't the first time Okta has suffered a breach in recent memory. It's a troubling trend for a business devoted to identity and access management – especially given this latest breach was caused by stolen credentials.
Critical vulnerabilities of the week: 387 Oracle patches edition
Continuing its tradition of massive security patch dumps, Oracle this week released 387 security patches for dozens of products, several of which are rated critical.
The most severe is CVE-2023-22946, a CVSS 9.9 issue in Apache Spark. Applications submitted with a proxy user are supposed to be limited to that user's privileges, but a malicious application can instead run code with the privileges of the submitting user. The issue is present in Oracle Business Intelligence Enterprise Edition and Financial Services Model Management and Governance software.
Of course, there are hundreds more to deal with, so get patching.
- CVSS 9.8 – CVE-2023-5391: Schneider Electric's EcoStruxure Power Monitoring Expert and Power Operations software contains a deserialization vulnerability that could be used for RCE.
- CVSS 8.2 – CVE-2023-29464: Rockwell Automation FactoryTalk Linx software is improperly validating input, allowing an attacker to read data from memory or cause denial of service.
- CVSS 8.1 – Multiple CVEs: VMware Aria Operations for Logs contains an authentication bypass vulnerability that can be used by an attacker to inject files into vulnerable OSes for RCE purposes.
SolarWinds storing passwords in plain text
In an ideal world the downright devastating 2020 supply chain hack of SolarWinds would've been the impetus for better development habits. A patch released this week for the firm's Access Rights Manager (ARM) proves that we're not in an ideal world. Several high-priority issues are addressed – including plain-text passwords stored in memory.
Not ideal for software that's supposed to manage access rights.
The rest of the fixes identified in ARM version 2023.2.1 had to do with error generation, but those aren't the real issues. The big problems, aside from those plain-text passwords, are the eight CVEs fixed in the update, as the issues identified all raise the question of how safe ARM ever really has been.
The most severe are four CVEs with CVSS scores of 8.8, all of them remote code execution vulnerabilities. Two allow unauthenticated users to achieve RCE through deserialization of untrusted data in a SolarWinds service, while the other two are directory traversal flaws in the same service that also lead to RCE.
For those who don't recall what happened to SolarWinds in 2020, its Orion network monitoring software was compromised in a supply chain attack perpetrated by Russian hackers who planted a backdoor in the Orion build process, so that legitimately signed software updates delivered the malware to customers.
"SolarWinds has developed a patch for these issues and communicated with customers about the steps needed to apply the fix to harden their environments," a company spokesperson told The Register. "We are not aware of any evidence that any of these vulnerabilities have been exploited."
IT admins suck at password security too, study finds
Plenty of technical issues, the old saying goes, exist between the keyboards and chairs of end users. But when it comes to password security IT administrators are just as culpable as those they assume are the source of their troubles, a recent study found.
Cyber security firm Outpost24 reported this week that, in an analysis of more than 1.8 million administrator passwords harvested from infected systems, "admin" was the most popular – with more than 40,000 occurrences.
Other top entries are what you'd expect, with egregious examples like 123456, Password, demo, root and admin123 all taking spots in the top 20.
"These are passwords that the administrators have saved in their browser or other applications within their computers," Outpost24 researcher Victor Acin told us. Whether those are passwords administrators are selecting, or defaults no one bothered changing, is unknown. "It is possible that some are part of that default appliance configuration, and others are passwords [admins are] setting themselves."
It's sleeting in TeamCity – better patch up
Microsoft Threat Intelligence researchers are warning of a new North Korean hacking campaign opportunistically targeting JetBrains' TeamCity Server software used for CI/CD applications in DevOps environments.
The groups in question are Diamond Sleet and Onyx Sleet (a.k.a. PLUTONIUM). While both are exploiting the same vulnerability, they're taking different approaches once they've gained access. In both cases, however, persistence appears to be part of the plan.
The vulnerability in question is CVE-2023-42793, with a CVSS score of 9.8 described by NIST as "authentication bypass leading to RCE."
JetBrains released a patch to address the issue in September, but Microsoft notes that it only identified the North Korean campaign in early October – meaning the attackers are hunting for instances that have not yet been patched.
All on-premises TeamCity Server versions before 2023.05.4, going back to 2018 releases and earlier, are vulnerable; 2023.05.4 is the fixed release. JetBrains has also released a security patch plugin for older installations that cannot upgrade. ®