In this week’s digest, we will discuss the following:
- Rancher stores plaintext credentials allowing for cluster takeover;
- ModSecurity WAF bypasses;
- six vulnerabilities in BIND; and
- Akamai flags more than 13 million domains per month as malicious so far this year.
Rancher Stores Plaintext Credentials Allowing for Cluster Takeover
Rancher is an open source Kubernetes platform that allows users to deploy and run container clusters across providers. A recent bug report shows that sensitive fields like passwords, API keys, and account tokens were being stored directly on Kubernetes objects in plaintext and available to anyone with access to the given object. This has serious implications for security controls inside Rancher-owned Kubernetes objects. As Linux system engineer Marco Stuurman explains:
“The attacker only needed the least possible privileges to a cluster Rancher manages. For example, our monitoring robot user’s only privilege was to proxy HTTP requests from Rancher to the monitoring instance running in the target cluster.”
Here are the current vendor recommendations to remediate these issues.
- Rotate Rancher service account tokens; the Rancher maintainers have provided a script.
- Limit access to downstream Rancher instances.
- Check downstream clusters for potential signs of a breach.
- Change any credentials that might have gotten leaked.
ModSecurity WAF Bypasses
Thirteen new findings, including exceptional-, critical-, and high-severity vulnerabilities, were discovered in a recent assessment of the OWASP ModSecurity Core Rule Set (CRS) for the ModSecurity Web Application Firewall (WAF).
Two of the findings were based on content-type confusion, where the WAF and the backend server interpreted request content differently because of rules in the ModSecurity recommended rule set.
One of these vulnerabilities exploited the way the WAF ignores XML comments: valid “x-www-form-urlencoded” data could be injected that the WAF disregarded because it parsed that data as an XML comment.
Another set of findings was based on the “multipart/form-data” content type, in which a bypass is possible through the “Content-Disposition” header, which allows an attacker to inject malicious strings broken up into pieces.
CVE-2022-39955 is another example of a vulnerability that came out of this assessment: supplying “utf-7” as an extra charset and encoding the body accordingly creates an ambiguity that allows a bypass.
These vulnerabilities and many more are fixed in the most recent ModSecurity and CRS patches.
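As an added example illustrating the content-type confusion class described above (this is not code from the original digest, ModSecurity or CRS), the check below is the kind of strict Content-Type validation a backend, or a WAF hook in front of it, can apply so that both sides agree on how a body will be parsed: it rejects a header carrying more than one charset parameter, a charset outside an allowlist, or a media type the endpoint does not expect. The function names, the allowlists and the sample headers are assumptions constructed for the example.

```python
from typing import List, Tuple

# Assumed allowlists for an endpoint that only accepts form posts or JSON.
ALLOWED_TYPES = {"application/x-www-form-urlencoded", "application/json"}
ALLOWED_CHARSETS = {"utf-8", "us-ascii"}


def parse_content_type(header: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a Content-Type value into (media_type, [(param, value), ...]).

    Every parameter is kept, duplicates included, so a second charset stays
    visible instead of being silently collapsed the way many parsers do.
    Values are lower-cased and surrounding quotes removed; a ';' inside a
    quoted value is not handled, which is acceptable for a strict check.
    """
    media, _, rest = header.partition(";")
    params: List[Tuple[str, str]] = []
    for part in rest.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        params.append((name.strip().lower(), value.lower()))
    return media.strip().lower(), params


def check_content_type(header: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Anything ambiguous is refused outright."""
    media, params = parse_content_type(header)
    if media not in ALLOWED_TYPES:
        return False, f"unexpected media type {media!r}"
    # Treat an RFC 2231 'charset*' parameter the same as 'charset'.
    charsets = [v for k, v in params if k.rstrip("*") == "charset"]
    if len(charsets) > 1:
        return False, f"multiple charset parameters {charsets}"
    if charsets and charsets[0] not in ALLOWED_CHARSETS:
        return False, f"charset {charsets[0]!r} not allowed"
    names = [k for k, _ in params]
    if len(set(names)) != len(names):
        return False, "duplicate parameter names"
    return True, "ok"


if __name__ == "__main__":
    for h in ("application/x-www-form-urlencoded; charset=utf-8",
              "application/x-www-form-urlencoded; charset=utf-8; charset=utf-7",
              'application/json; charset="UTF-7"'):
        print(h, "->", check_content_type(h))
```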
Six Vulnerabilities in BIND
The Internet Systems Consortium (ISC) has released fixes for six vulnerabilities in BIND relating to resolver performance degradation, buffer overreads, memory leaks, and unexpected terminations.
CVE-2022-2795 is a flaw that an adversary can exploit by flooding the target resolver with crafted queries, severely degrading the resolver's performance and effectively resulting in a DoS attack.
CVE-2022-2881 is an underlying bug that allows reads past the end of a specified buffer. This can result in memory that should not be read being disclosed, or even crash the process entirely.
CVE-2022-2906, CVE-2022-38177, and CVE-2022-38178 are all related to memory leaks. These leaks are triggered by malformed ECDSA or EdDSA signatures and other flaws, and cause the running process to consume more memory than it needs, eroding the memory available on the system and potentially crashing the process due to lack of resources.
CVE-2022-3080 is a vulnerability that allows an attacker to send a specific query resulting in the resolver process crashing entirely.
These vulnerabilities were fixed in the most recent stable BIND 9.18 and 9.16 releases.
13 Million Malicious Domains Flagged in 1 Month
Akamai has flagged over 79 million domains since the beginning of 2022, about 13 million domains per month. Overall, this number represents over 20% of all new domains that have been successfully resolved.
These detections are based on something called Newly Observed Domains (NODs). Akamai defines a NOD as a domain that has not been resolved in the past 60 days. This can include newly bought domains or simply newly used domains. Similar detections look only at when a domain was registered, which is a limited approach, as some malicious actors simply sit on a domain for some time after registering it before using it, evading that system. Other organizations monitoring NODs are also not operating at Akamai's scale: they use observation windows of 30 minutes to 72 hours, far short of the 60 days that Akamai uses.
NODs are not wholly useful on their own, but when combined with other intelligence, they can provide huge insight into domains and how they are utilized. Applications of NODs include phishing detection and rapid threat detection. NODs are not limited to detecting malicious activity, however; they also serve other purposes, such as heuristic analysis.
Overall, NODs look set to remain vital for threat hunting and for identifying malicious behavior, and the steps Akamai is currently taking are paving the path forward.
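The following added example (not code from the original digest or from Akamai's own system) shows the 60-day NOD definition above as detection logic: it replays constructed, timestamped DNS resolution records in order and flags a domain as newly observed when it has never been resolved before, or when its last resolution is more than 60 days old. The record format, the sample domains and the function names are assumptions made for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

NOD_WINDOW = timedelta(days=60)  # Akamai's definition: not resolved in 60 days

# Constructed sample resolution log, one "<ISO timestamp> <queried domain>" per line.
SAMPLE_LOG = """\
2022-01-03T08:00:00 example.com
2022-01-04T09:15:00 example.com
2022-03-01T10:00:00 example.com
2022-05-20T11:30:00 example.com
2022-06-01T12:00:00 login-verify.example
2022-06-01T12:00:05 login-verify.example
"""


def parse_log(text: str) -> List[Tuple[datetime, str]]:
    """Parse the constructed log format into (timestamp, normalized domain) pairs."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, domain = line.split(maxsplit=1)
        # Normalize case and a trailing dot so "Example.COM." matches "example.com".
        records.append((datetime.fromisoformat(ts), domain.lower().rstrip(".")))
    return records


def find_nods(records: List[Tuple[datetime, str]],
              window: timedelta = NOD_WINDOW) -> List[Tuple[str, datetime, str]]:
    """Return (domain, timestamp, reason) for each resolution that makes a domain a NOD.

    A domain is flagged on its very first resolution and again whenever the gap
    since its previous resolution exceeds the window, so a parked domain that
    goes quiet and is later activated is caught even though it is not "new".
    """
    last_seen: Dict[str, datetime] = {}
    flagged: List[Tuple[str, datetime, str]] = []
    for ts, domain in sorted(records):
        prev = last_seen.get(domain)
        if prev is None:
            flagged.append((domain, ts, "never seen before"))
        elif ts - prev > window:
            flagged.append((domain, ts, f"last seen {(ts - prev).days} days ago"))
        last_seen[domain] = ts
    return flagged


if __name__ == "__main__":
    for domain, ts, reason in find_nods(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} NOD {domain}: {reason}")
```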