Your bi-weekly update on application security vulnerabilities, innovative hacking methods, and other essential cybersecurity information.
KeePass has recently found itself under scrutiny regarding a reported vulnerability within its password management software.
Security experts cautioned that a potential flaw could allow an attacker to trigger the export of all data from the KeePass database in plaintext format, subsequently stealing confidential information. This vulnerability, tracked under CVE-2023-24055, has sparked differing opinions about its severity.
According to a report by Bleeping Computer, KeePass maintains that the issue only arises when an attacker already has control over a compromised account, so it does not consider the report to describe a real security vulnerability in KeePass itself.
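For administrators who want to rule out the attack scenario regardless of how the severity debate is settled, the following is an added illustration (not from the original article) of KeePass's enforced-configuration mechanism, which lets settings in an administrator-controlled file override the user-writable KeePass.config.xml; the file name and element names are taken from KeePass's configuration format as this editor understands it and should be checked against the KeePass documentation before rollout.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- KeePass.config.enforced.xml, placed in the KeePass program directory
     (assumed name and location, per KeePass's enforced-configuration feature).
     Values here take precedence over the user's KeePass.config.xml, so a
     trigger planted in the user-writable file would never run. -->
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Application>
    <TriggerSystem>
      <!-- The default is true (triggers allowed); false disables the whole
           trigger system, including any trigger that would export the
           database, which is the behaviour described in the report. -->
      <Enabled>false</Enabled>
    </TriggerSystem>
  </Application>
</Configuration>
```

The enforced file only helps if ordinary users cannot modify it, so it should be writable by administrators only; otherwise an attacker with the same write access could simply edit it back.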
Password managers have faced intensified scrutiny following a security breach involving LastPass last year, which led to the vendor admitting that encrypted password vaults were compromised.
Although the master keys for these vaults remained secure, the incident raised significant concerns regarding data safety.
The US Cybersecurity and Infrastructure Security Agency (CISA) is advocating for technology manufacturers to adopt a security-by-design approach for their products.
CISA director Jen Easterly and executive assistant director Eric Goldstein elaborated on these plans in an essay featured in Foreign Affairs magazine.
Recently, developers for the OpenSSL project issued patches addressing various vulnerabilities in the encryption library, including a serious flaw tracked as CVE-2023-0286. This problem could allow attackers to either read system memory or cause a denial of service on affected systems.
Additionally, it was reported that a system administrator on Reddit fell victim to a phishing attack. The social news platform confirmed that attackers had gained access to various internal documents, code, and business systems, but asserted that user passwords and accounts remained secure.
The Daily Swig previously reported that Google has introduced measures to combat prototype pollution – a category of JavaScript vulnerability. Other reports included an incident where a security researcher breached Toyota’s supplier management network and the privacy concerns surrounding the new host of a popular penetration testing tool, XSS Hunter. For more detailed coverage, you can visit The Daily Swig’s homepage.
Here are some additional web security stories and cybersecurity updates that have come to our attention over the last two weeks:
Web Vulnerabilities
- Cisco devices – A flaw in the technology enabling the deployment of application containers/virtual machines directly on devices was discovered due to improper sanitization of user input for the ‘DHCP Client ID’ option. Disclosed with patch on February 1.
- Dompdf – Critical. A URI validation failure during SVG parsing could allow a bypass leading to arbitrary object unserialization in PHP via the phar URL wrapper. Disclosed with patch last week.
- F5 BIG-IP – High severity. An issue related to format string manipulation in iControl SOAP could allow authenticated attackers to crash the iControl SOAP CGI process or potentially execute arbitrary code. Disclosed with a patch on February 1.
- Jira Service Management Server and Data Center – Critical. A broken authentication vulnerability was discovered. Vendor alert and patch issued on February 1.
- Skyhigh Security Secure Web Gateway – High. An XSS vulnerability was found within a single sign-on plugin. Disclosed with patch on January 26.
Research and Attack Techniques
- A thorough analysis of a remote source disclosure vulnerability in PHP development servers highlighted necessary follow-up actions. Despite being resolved, researchers note that “Shodan queries reveal many exposed instances of the built-in server.”
- A critical vulnerability known as SAML ShowStopper found in Zoho ManageEngine’s SAML implementation poses risks to enterprise SSO deployments. Security researcher Khoa Dinh has provided a detailed analysis indicating that other vendors reliant on earlier versions of xmlsec and xalan could also face threats.
- A blog by Skylight Cyber highlights common misconfigurations in the SaltStack IT orchestration platform and introduces a novel template injection technique capable of enabling remote code execution on various servers.
- Proofpoint reports that malicious third-party OAuth applications are being utilized to breach organizations’ cloud environments. The attackers used Microsoft ‘verified publisher’ status to meet the requirements for third-party apps, facilitating their infiltration. Read more in their report here.
- Researchers from Ermetic uncovered an RCE vulnerability impacting Azure services, such as Function Apps and Logic Apps, linked to the EmojiDeploy vulnerability traced back to CSRF attacks on the Kudu SCM service.
- Security researcher ‘eta’ disclosed that they successfully reverse-engineered the encoding process for barcodes associated with UK mobile rail tickets, providing a means for others to decode their own tickets using a web tool they developed.
Bug Bounty / Vulnerability Disclosure
- Google has expanded its OSS-Fuzz project, a program for continuous fuzz testing of critical open-source projects. The initiative has identified over 8,800 vulnerabilities across 850 projects since its launch in 2016, now incentivizing integration of new projects into OSS-Fuzz with increased financial rewards.
- Security researcher Youssef Sammouda received a payout of $44,500 for uncovering a flaw enabling takeover of Facebook/Oculus accounts. Detailed in a technical report, the exploit depended on First-Party access_token stealing.
New Open Source InfoSec/Hacking Tools
- Checkmarx has developed a vulnerable API application based on the OWASP top 10 API vulnerabilities called c{api}tal, aiming to serve as a resource for learning and training in API security.
- Ronin 2.0 has been released, bolstering a free and Open Source Ruby toolkit for security research and development, featuring updated API libraries and various functionalities for vulnerability scanning and exploitation.
- A new version of EMBA has been introduced, specifically tailored as a firmware security analyzer for embedded devices, detailed on its GitHub page.
- SH1MMER is an exploit designed to completely unenroll enterprise-managed Chromebooks.
For Developers
- Developers should explore an instructive post on implementing Nuclei, an open-source tool for web application scanning, into their GitHub CI/CD pipelines.
- SBOM Scorecard offers a tool for developers to evaluate the quality of generated SBOMs based on accessible metadata.
- The precloud utility serves as an open-source CLI tool that checks infrastructure as code for potential deployment issues, dynamically testing resources against your cloud account’s current state.
Industry News
- The US standards organization NIST (National Institute of Standards and Technology) has launched a new voluntary framework aimed at managing AI-related risks. NIST’s AI Risk Management Framework seeks to enhance the incorporation of trustworthiness considerations into the design, development, and evaluation phases of AI products, services, and systems.
- Scammers are placing ads on Google to promote fraudulent websites designed to impersonate login portals for the password management tool Bitwarden.
Interesting Tidbits
Codebreakers have successfully decoded over 500 letters penned by Mary, Queen of Scots during her years in captivity from 1578 to 1584. This code, composed solely of graphic symbols, was decoded through a combination of computerized cryptanalysis, manual code-breaking, and linguistic analysis, as reported by Ars Technica here.
The letters were communicated via secret couriers to prominent figures such as the French ambassador, Michel de Castelnau. However, the spymaster of Elizabeth I, Francis Walsingham, had an informant within the French embassy who provided him with decoded versions of these letters.
A research paper documenting the codebreaking efforts could assist historians studying that period and has been published in the journal Cryptologia.
Based on an article from portswigger.net: https://portswigger.net/daily-swig/deserialized-web-security-roundup-keepass-dismisses-vulnerability-report-openssl-gets-patched-and-reddit-admits-phishing-hack