Deserialized web security roundup: KeePass dismisses ‘vulnerability’ report, OpenSSL gets patched, and Reddit admits phishing hack

Welcome to your biweekly summary of application security vulnerabilities, emerging hacking techniques, and the latest news in cybersecurity.

Cybersecurity overview

KeePass has recently found itself defending its integrity following allegations of a security vulnerability. Security researchers have reported a potential flaw that could allow a trigger to export all data from the KeePass database in clear text, potentially leading to unauthorized data access. The issue is tracked as CVE-2023-24055.

According to a report by Bleeping Computer, KeePass argues that the issue only poses a threat if an attacker has already compromised the account, at which point, it says, it is already too late for any security measure to help.

Security concerns regarding password managers have been heightened following a significant security breach involving LastPass last year, during which the vendor confessed to a leak of encrypted password vaults.

While master keys for these vaults were not exposed, thus mitigating the potential damage, the incident raised serious concerns across the sector.

The US Cybersecurity and Infrastructure Security Agency (CISA) is advocating for tech manufacturers to ensure their products are secure from the ground up. CISA Director Jen Easterly and Executive Assistant Director Eric Goldstein detailed these initiatives in an essay featured in Foreign Affairs magazine.


On Thursday, the OpenSSL project released updates addressing various vulnerabilities within the encryption library, including a critical flaw (CVE-2023-0286) that allows sophisticated attackers to read system memory or trigger denial of service scenarios on affected systems.

The same day, it emerged that a systems administrator at Reddit had fallen prey to a phishing attack. The social news platform acknowledged that attackers had gained access to some internal documents and systems, although it reassured users that “Reddit user passwords and accounts are safe.”

The Daily Swig has recently covered various topics such as Google’s proposals to combat prototype pollution, a security breach involving Toyota, and privacy issues concerning a popular penetration testing tool called XSS Hunter. You can explore the full range of our recent articles on The Daily Swig’s website.

Here are several more web security stories and notable cybersecurity updates that have garnered attention over the past two weeks:

Web Vulnerabilities

  • Cisco devices: A vulnerability caused by unsanitized user input in the ‘DHCP Client ID’ option, affecting technology for deploying application containers and virtual machines. Disclosed with a patch on February 1.
  • Dompdf: A critical URI validation failure on SVG parsing that can lead to arbitrary object deserialization in PHP. Disclosed with patch last week.
  • F5 BIG-IP: A high-severity format string flaw in iControl SOAP allows authenticated attackers to crash the CGI process or execute arbitrary code. Disclosed with a patch on February 1.
  • Jira Service Management Server and Data Center: A critical broken authentication vulnerability. Vendor alert and patch issued on February 1.
  • Skyhigh Security Secure Web Gateway: A high-severity XSS vulnerability in a single sign-on plugin. Disclosed with a patch on January 26.

Research and Attack Techniques

  • A detailed analysis of a remote source disclosure vulnerability in PHP development server outlines necessary follow-up actions. The flaw, which exposed PHP source code as static files, was patched, but researchers still find many instances exposed via Shodan queries.
  • A vulnerability in Zoho ManageEngine’s SAML implementation, termed SAML ShowStopper, threatens enterprise SSO deployments. Security researcher Khoa Dinh provides an in-depth analysis and warns vendors using outdated versions of xmlsec and xalan.
  • Skylight Cyber’s blog highlights common configuration errors in the SaltStack IT orchestration platform and covers a “novel template injection technique” that allows remote code execution.
  • Proofpoint has found that attackers are deploying malicious third-party OAuth applications to infiltrate cloud environments. They abuse Microsoft’s ‘verified publisher’ status for this infiltration, as noted in a report.
  • Researchers at Ermetic have detected an RCE vulnerability affecting Azure cloud services such as Function Apps, App Service, and Logic Apps. The EmojiDeploy vulnerability involved CSRF attacks on the Kudu source control management service.
  • Security researcher ‘eta’ has successfully reverse-engineered the barcode encoding for UK mobile rail tickets, enabling others to decode their tickets with a tool he developed.

Bug Bounty / Vulnerability Disclosure

  • Google has expanded its OSS-Fuzz project, a platform that continuously fuzzes critical open-source projects and has identified 8,800 vulnerabilities since its inception.
  • Researcher Youssef Sammouda secured a payout of $44,500 for discovering a flaw leading to the potential takeover of Facebook/Oculus accounts, detailed in a technical write-up.

New Open Source Infosec/Hacking Tools

  • Checkmarx has launched a vulnerable API application based on the OWASP top 10 API security vulnerabilities, known as c{api}tal, designed for learning and training in API security.
  • Ronin 2.0 introduces a new version of a free, open-source Ruby toolkit for security research and development, optimized for tasks related to web vulnerability scanning and exploitation.
  • Developers have released an updated version of EMBA, a firmware security analyzer designed for penetration testers. More details can be found on its GitHub page.
  • A new exploit called SH1MMER has emerged, enabling users to unenroll enterprise-managed Chromebooks entirely.

For Developers

  • Developers can explore an informative post discussing how to integrate Nuclei, an open-source web application scanning tool, into GitHub CI/CD pipelines.
  • SBOM Scorecard assists developers in assessing the quality of Software Bill of Materials (SBOM) outputs, enabling rich metadata queries.
  • precloud is a CLI tool designed to run checks on infrastructure-as-code, identifying potential deployment concerns by comparing CDK diffs and Terraform plans against the state of cloud accounts.

More Industry News

  • The US standard-setting organization NIST (National Institute of Standards and Technology) has introduced a new voluntary framework aimed at managing risks associated with AI technologies. The AI Risk Management Framework is focused on ensuring AI product trustworthiness during their lifecycle.
  • Scammers are buying Google ads that direct users to fraudulent login websites masquerading as Bitwarden, a password management tool.

For Fun

Codebreakers have successfully decoded over 500 letters written in a graphical code by Mary, Queen of Scots during her captivity from 1578 to 1584. The deciphering involved a combination of computerized cryptanalysis, manual code-breaking, and linguistic analysis, as reported by Ars Technica.

The letters were originally relayed via secret couriers primarily to the French ambassador, Michel de Castelnau. Elizabeth I’s spymaster had a mole in the French embassy, allowing access to the decoded communications.

A paper discussing the code-breaking efforts was published in the journal Cryptologia, which may aid historians in their research on this era.

PREVIOUS EDITION: Deserialized web security roundup: ‘Catastrophic cyber events’, another T-Mobile breach, more LastPass issues.

Based on an article from portswigger.net: https://portswigger.net/daily-swig/deserialized-web-security-roundup-keepass-dismisses-vulnerability-report-openssl-gets-patched-and-reddit-admits-phishing-hack
