Tag Archives: Micro-Segmentation

SpeakUp – Lateral movement made easy

10 March 2019

A remote command-injection vulnerability dubbed SpeakUp (CVE-2018-20062) (1) in the ThinkPHP development framework was widely reported in the news some weeks ago. Technically, SpeakUp is simply one more command-injection vulnerability with CVSS V3.0 base score Critical that results in full loss of integrity if exploited.

CVE-2018-20062 alike Vulnerabilities 2018

CVE-2018-20062 alike Vulnerabilities 2018

CVE-2018-20062-class vulnerabilities are quite rare. As of 10 March 2019 only 182 of the 16517 vulnerabilities published in 2018 belong to this class. Exploitation of any of these vulnerabilities results in full loss of integrity of the attacked system. In the worst case, the compromised system becomes the new base of operations for the attacker and allows him to compromise further systems.

Tara Seals provides a brief outline (2) on ThreatPost of the initial infection routine. For more details see the Checkpoint Research report (3) about SpeakUp.

Lateral movement in Linux-based networks places special challenges on the attacker. In general, vulnerabilities in applications must be used for propagation. SpeakUp uses an impressive arsenal of old vulnerabilities in application frameworks for propagation. Seals writes:

“To spread, SpeakUp’s propagation code exploits known vulnerabilities in six different Linux distributions, including JBoss Enterprise Application Platform security bypass vulnerabilities (CVE-2012-0874); a JBoss Seam Framework remote code execution (RCE) flaw (CVE-2010-1871); a JBoss AS 3/4/5/6 RCE exploit; a Oracle WebLogic wls-wsat Component Deserialization RCE (CVE-2017-10271); a vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (CVE-2018-2894); a Hadoop YARN ResourceManager command-execution exploit; and an Apache ActiveMQ Fileserver File Upload RCE vulnerability (CVE-2016-3088).”

The table below shows some details of the above mentioned vulnerabilities.

CVE

Application Framework

CVSS Base Score

Attack Vector

CVE-2012-0874

JBoss Enterprise Application Platform (EAP)

6.8 (CVSS v2.0)

V:N/AC:M/Au:N/C:P/I:P/A:P (CVSS v2.0)

CVE-2010-1871

JBoss Enterprise Application Platform (EAP)

6.8 (CVSS v2.0)

(AV:N/AC:M/Au:N/C:P/I:P/A:P) (CVSS v2.0)

CVE-2017-10271

Oracle WebLogic Server

7.5 (CVSS v3.0)

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CVSS v3.0)

CVE-2018-2894

Oracle WebLogic Server

9.8 (CVSS v3.0)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CVSS v3.0)

CVE-2016-3088

Fileserver web application in Apache ActiveMQ

9.8 (CVSS v3.0)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CVSS v3.0)

Any of the listed vulnerabilities enables the attacker to create new operations bases. In the worst case, he can jump across network boundaries, e.g. from the DMZ into the company intranet or from the company intranet into the production network.

How to stop this kind of attacks?

From the tactical point of view, vulnerability management is the key to stop this kind of attacks as early as possible. CVE-2018-20062-class vulnerabilities and remote code or script execution vulnerabilities must be patched directly after they show up on the market. At least in the DMZ and on systems on both sides of network boundaries. This will prevent the attacker from lateral movement.

Vulnerability management relies on asset management. And on CI/CD across the entire application stack because without automated testing it is not possible to make sure that the application is still working after the patches have been applied.

From a strategic point of view, measures must be applied to enlarge the resilience of application systems against cyber attacks. This includes e.g. micro segmentation or Web Application Firewalls but also Linux native enhancements like AppArmor or SELinux.

And this holds for both, cloud and on-premise hosted applications.

Have a great week.


References

1. NIST NVD. NVD – CVE-2018-20062 [Internet]. 2018 [cited 2019 Feb 6]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2018-20062

2. Seals T. SpeakUp Linux Backdoor Sets Up for Major Attack [Internet]. threatpost. 2019 [cited 2019 Feb 6]. Available from: https://threatpost.com/speakup-linux-backdoor/141431/

3. Check Point Research. SpeakUp: A New Undetected Backdoor Linux Trojan [Internet]. Check Point Research. 2019 [cited 2019 Feb 6]. Available from: https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/


 

Advertisements

Is Micro-Segmentation the new universal remedy?

28 May 2015

On Saturday, I blogged about globally defined service accounts and their impact on the attack surface. In my opinion, rigorous avoidance of globally defined service accounts, combined with the concept of trusted administration zones, is an effective means to boost IT security.

In the past month I was involved in discussions about a network segmentation, which is a common means to increase IT security. The relatively new and less spread micro-segmentation technology is hailed as universal remedy.

Let me quote briefly from the VMWare white paper ‘Data Center Micro-Segmentation, A Software Defined Data Center Approach for a ”Zero Trust” Security Strategy’:

“Micro-segmentation of the data center network can be a huge help to limit that unauthorized lateral movement”

That’s true, but if you use globally defined service accounts for administration of the systems in segmented networks, the ‘huge help’ will be considerably lower. This is because e.g. the Active Directory services are working on network layers where segmentation has no impact.

The old rule still applies: Isolated security measures do not necessarily increase the overall security level.

But the combination of network segmentation with strict avoidance of globally defined service accounts and trusted administration zones will make the difference.

Have a good day!