Your biweekly summary of application security vulnerabilities, innovative hacking methods, and recent cybersecurity developments.
KeePass has found itself in the spotlight following the identification of a suspected vulnerability that threatens its credibility.
Security researchers warned that it may be possible to create a trigger that exports all data from the KeePass database in plain text, potentially enabling unauthorized access to sensitive information. This vulnerability is tracked as CVE-2023-24055, though its significance is contested.
As reported by Bleeping Computer, KeePass argues that this issue arises only when an attacker has already compromised an account, which makes practical exploitation considerably harder.
The scrutiny surrounding password managers intensified following a previous security breach involving LastPass, where the company eventually acknowledged that encrypted password vaults had been exposed.
Although master keys for these vaults remained secure, the incident nevertheless raised significant concerns within the community.
The Cybersecurity and Infrastructure Security Agency (CISA) in the United States is advocating for technology providers to enhance the inherent security features of their products.
CISA director Jen Easterly and executive assistant director Eric Goldstein detailed these initiatives in an article published by Foreign Affairs magazine.
On Thursday, the developers behind OpenSSL released patches addressing various vulnerabilities within the encryption library, including a severe flaw classified as CVE-2023-0286. Exploiting this vulnerability could allow advanced attackers to either access system memory or trigger a denial of service on affected machines.
Additionally, news emerged that a sysadmin at Reddit had become a victim of a phishing attack, with the social media platform admitting that unauthorized individuals accessed certain internal documents, code, and business systems, albeit assuring users that “Reddit passwords and accounts are safe.”
The Daily Swig also recently covered how Google has devised strategies to counteract prototype pollution, a JavaScript security vulnerability, alongside reports of a security researcher hacking into Toyota’s supplier management system, and the controversy over the new host of the popular pen testing tool XSS Hunter since the last issue of Deserialized.
Here are additional cybersecurity stories and updates that caught our attention over the past two weeks:
Web Vulnerabilities
- Cisco devices / A flaw in technology used for application container/VM deployment due to unsanitized user input in the ‘DHCP Client ID’ option / Disclosed with patch on February 1
- Dompdf / Critical / URI validation failure in SVG parsing, risking potential object unserialization in PHP via the phar URL wrapper / Disclosed with patch last week
- F5 BIG-IP / High / A format string vulnerability in iControl SOAP that allows authenticated attackers to crash the CGI process or potentially execute arbitrary code / Disclosed with a patch on February 1
- Jira Service Management Server and Data Center / Critical / Broken authentication / Vendor alert and patch issued on February 1
- Skyhigh Security Secure Web Gateway / High / XSS vulnerability in the single sign-on plugin / Disclosed with patch on January 26
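The Dompdf entry above names the classic pattern: a URI that passes a weak check reaches a PHP file function, and PHP’s phar stream wrapper unserializes the archive metadata on the way. The snippet below is an added illustration, not Dompdf’s own code; the function names and sample hrefs are hypothetical and constructed, and it contrasts a check that only blocks traversal with one that allow-lists the URI scheme.

```php
<?php
// Added illustration (not Dompdf's code) of why image hrefs taken from an
// untrusted SVG must be scheme allow-listed before reaching PHP file functions.
// Function names and sample values are hypothetical / constructed.

// Weak check: only blocks "..", so "phar://..." still reaches file_exists()
// or file_get_contents(), and the phar wrapper unserializes the archive's
// metadata when the path is stat'ed or opened.
function isSafeHrefWeak(string $href): bool
{
    return strpos($href, '..') === false;
}

// Hardened check: parse the scheme and allow only what the renderer needs.
// phar://, file://, expect://, gopher:// and friends are all refused.
function isSafeHrefStrict(string $href, array $allowedSchemes = ['http', 'https', 'data']): bool
{
    $scheme = parse_url($href, PHP_URL_SCHEME);
    if ($scheme === null || $scheme === false) {
        // Bare relative path or unparsable input: refuse unless a separate
        // check confirms it resolves inside a known asset directory.
        return false;
    }
    return in_array(strtolower($scheme), $allowedSchemes, true);
}

// Belt and braces: if the application never needs phar, drop the wrapper
// entirely so no file function can trigger it (a real PHP built-in).
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Constructed sample hrefs, as they might appear in an <image> element.
$constructedHrefs = [
    'https://example.test/logo.png',        // expected: allow / allow
    'data:image/png;base64,iVBORw0KGgo=',   // expected: allow / allow
    'phar:///tmp/uploads/avatar.jpg/x',     // expected: allow / deny
    'file:///etc/passwd',                   // expected: allow / deny
];

foreach ($constructedHrefs as $href) {
    printf("%-40s weak=%s strict=%s\n", $href,
        isSafeHrefWeak($href) ? 'allow' : 'deny',
        isSafeHrefStrict($href) ? 'allow' : 'deny');
}
```

The weak check lets every one of the constructed hrefs through; the strict check refuses both the phar and file URIs while still accepting the remote and data URIs a renderer legitimately needs.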
Research and Attack Techniques
- A comprehensive write-up of a remote source disclosure vulnerability in the PHP development server highlights the follow-up work still needed: the flaw served PHP source files as if they were static files, and although the issue has been fixed, “Shodan queries reveal many exposed instances”, according to the researchers.
- A vulnerability affecting Zoho ManageEngine’s SAML (Security Assertion Markup Language) implementation, labeled SAML ShowStopper, poses risks for SSO (Single Sign-On) deployments. Security researcher Khoa Dinh provides a thorough analysis, alerting that other vendors utilizing older xmlsec and xalan versions might face similar vulnerabilities.
- A blog post from Skylight Cyber outlines prevalent misconfigurations in the SaltStack IT orchestration platform, along with a novel template injection technique capable of achieving remote code execution.
- Proofpoint has reported that attackers leverage malicious third-party OAuth applications to infiltrate cloud environments. “Threat actors were able to meet Microsoft’s third-party OAuth app criteria by exploiting ‘verified publisher’ status,” the researchers report.
- Researchers at Ermetic have uncovered a remote code execution (RCE) vulnerability impacting Azure services such as Function Apps, App Service, and Logic Apps. The EmojiDeploy vulnerability exploited CSRF (Cross-Site Request Forgery) against the Kudu source control management service.
- Security researcher ‘eta’ has successfully reverse-engineered the encoding process for barcodes on UK mobile rail tickets, allowing users to decode their tickets using an online tool he developed.
Bug Bounty and Vulnerability Disclosure
- Google has expanded its OSS-Fuzz project, providing a free platform for continuous fuzzing aimed at critical open-source projects. This initiative has helped uncover 8,800 vulnerabilities across 850 projects since its inception in 2016, and contributors integrating new projects will receive higher financial incentives.
- Security researcher Youssef Sammouda claimed a reward of $44,500 after identifying a vulnerability that allowed for the takeover of Facebook/Oculus accounts. His technical write-up details the hack, which relied on first-party access_token theft.
New Open Source InfoSec/Hacking Tools
- Checkmarx has developed a deliberately vulnerable API application based on the OWASP top 10 API vulnerabilities, called c{api}tal, intended as a learning and training resource focused on API security.
- Ronin 2.0 is a new version of the open-source Ruby toolkit for security research and development, adding new API libraries and CLI commands for scanning web vulnerabilities and running exploits.
- A new version of EMBA, an embedded device firmware security analyzer tailored for penetration testers, has been released. Additional details are available on its GitHub page.
- SH1MMER is an exploitation tool that can completely unenroll enterprise-managed Chromebooks.
For Developers
- Developers can find a valuable guide on integrating Nuclei, an open-source web application scanning tool, into their GitHub CI/CD pipelines.
- SBOM Scorecard is a tool that helps developers evaluate the adequacy of generated SBOMs by checking whether they carry the metadata needed for further queries.
- The precloud utility provides an open-source CLI that performs checks on infrastructure as code to identify potential deployment issues by comparing resources in CDK diffs and Terraform Plans against the current state of your cloud environment.
Additional Industry News
- The US standards organization NIST (National Institute of Standards and Technology) has introduced a new optional framework focused on the management of AI-related risks. NIST’s AI Risk Management Framework aims to enhance the incorporation of trustworthiness considerations in the design, development, utilization, and assessment of AI products, services, and systems.
- Scammers are purchasing Google ads to promote deceitful websites that impersonate login portals for the password manager Bitwarden.
For Leisure
Codebreakers have successfully deciphered a collection of over 500 encoded letters authored by Mary, Queen of Scots, during her imprisonment from 1578 to 1584.
Using a combination of “automated cryptanalysis, manual decryption, and contextual analysis,” the code, consisting entirely of symbolic graphics, was cracked, as reported by Ars Technica.
The correspondence was conveyed via secret couriers to the French ambassador, Michel de Castelnau. However, Elizabeth I’s intelligence chief, Francis Walsingham, had an informant within the French embassy, who supplied the spy network with decoded versions of these letters.
A paper discussing the codebreaking efforts, aimed at aiding historians in their research, has been published in the journal Cryptologia.
Based on an article from portswigger.net: https://portswigger.net/daily-swig/deserialized-web-security-roundup-keepass-dismisses-vulnerability-report-openssl-gets-patched-and-reddit-admits-phishing-hack