Malware Devil

Tuesday, March 16, 2021

The Robots Are Coming!

The debate around SOC automation has been a fun one to follow. Allie Mellen wrote a short but on-the-spot piece about it, reaffirming what seems to be the common-sense opinion on this topic today: automation is good, but to augment human capacity, not replace it.

After that Anton brought up a very interesting follow-up, confirming that view but also pointing to a scary future scenario, where automation would be adopted so extensively by the attackers that it would force defense to do the same. Does this scenario make sense?

I believe it does, and indeed it forces defense to adopt more automation. But even if Anton says the middle-ground position is “cheating”, I still think it is the most reasonable one. There will never be (until we reach the Singularity) a fully automated SOC, just as there will never be a fully automated attacker (until…you know). Why? Let’s look at the scenario Anton painted for this evolved attacker:

 

 

• You face the attacker in possession of a machine that can auto-generate reliable zero day exploits and then use them (an upgraded version of what was the subject of 2016 DARPA Grand Challenge)
• You face the attackers who use worms for everything, and these are not the dumb 2003 worms, but these are coded by the best of the best of the offensive “community”
• Your threat assessment indicates that “your” attackers are adopting automation faster than you are and the delta is increasing (and the speed of increase is growing).

Even if it looks scary, this scenario is still limited in certain points. You may have malware capable of creating exploits by itself, but what will they exploit? What is this exploitation trying to accomplish? There is an abstract level of actions that is defined by the creator of the malware. Using MITRE ATT&CK language, the malware is capable of generating multiple instances of a selection of techniques, but a human must define the tactics and select the techniques to be used. Quoting Rumsfeld, there will be more known unknowns, but the unknown unknown is still the realm of humans.

 

A few years ago, I had a similar discussion with a vendor claiming that their deep learning-based technology would be able to detect “any malware”. This is nonsense. Even the most advanced ML still needs to be pointed to some data to look at. If the signal required to detect something is not in that data, there’s no miracle. Let’s look at a simple example:

• A super network-based detection technology inspects ALL network traffic and can miraculously identify any attack.
• The attacker is on host A in this network, planning to attack host B, connected to the same network.
• The attacker scans for Bluetooth devices from host A, finds host B, and exploits host B via a Bluetooth exploit.
• The super NDR/NIDS tool sits there patiently waiting to see an attack that never traverses the monitored network!

You may claim this is an edge scenario, but I’m using an exaggerated situation on purpose. There are still many cases that we can relate to, such as breaches due to the use of shadow IT, cloud resources, etc. What I want to highlight is the type of lateral thinking very often employed by attackers in cybersecurity. And that lateral thinking is still exclusive to humans.

 

What I’m trying to say is that fully automated threats are scary, but they lack the main force that makes detecting threats challenging. Defense automation can evolve to match the same level, but both sides will still rely on humans to tip the scale when those machines reach a balance point in capabilities.

What we have today is similar to those battling-robot TV shows: machines operated by humans. If things evolve as Anton suggests, we will move to what happens in “robot soccer”: human-created machines operating autonomously, but within a finite framework of capabilities.

Robot wars vs Robot Soccer

Threats and SOCs will become more automated for sure. As they automate, they become faster, so each side has to increase its own level of automation to keep up. But when automation limits are reached, the humans on the threat side must apply that lateral thinking to find other avenues to exploit. They need to take the Kirk approach to the Kobayashi Maru. When this happens, the humans on the defense side become critical. They need to figure out what is happening and create new ways to fight against the new methods.

So, humans will still be necessary on both sides. Of course, the operational involvement will be greatly reduced, again, on both sides. But they will be there, waiting to react against the innovation introduced by their counterparts on the other side.

This may be an anticlimactic conclusion, and it is. But there are some interesting follow-up conversations to have. The number of humans required, their skills and how they are engaged will be different. What does it mean for outsourcing? Do end users still need people on their side? If solution providers engage this problem in a smart way, we may be able to remove, or greatly reduce, the need for humans on the end-user organization side, for example. The remaining humans would be on the vendor side, adapting the tools to react against the latest attacks. For the end-user organization, the result may look very similar to full automation, as they would not need to add their humans to the mix. Will we end up with the mythical “SOC in a box”? The future will tell.

 

The post The Robots Are Coming! appeared first on Security Boulevard.


The post The Robots Are Coming! appeared first on Malware Devil.



https://malwaredevil.com/2021/03/16/the-robots-are-coming-2/?utm_source=rss&utm_medium=rss&utm_campaign=the-robots-are-coming-2

The Security Digest: #52

Hello and welcome to the 52nd TSD, your weekly blog post with top of mind security issues. TSD began as an internal newsletter 1 year …

The post The Security Digest: #52 appeared first on Cyral.

The post The Security Digest: #52 appeared first on Security Boulevard.


The post The Security Digest: #52 appeared first on Malware Devil.



https://malwaredevil.com/2021/03/16/the-security-digest-52-3/?utm_source=rss&utm_medium=rss&utm_campaign=the-security-digest-52-3

PYSA Ransomware Pillages Education Sector, Feds Warn

A major spike of attacks against higher ed, K-12 and seminaries in March has prompted the FBI to issue a special alert.

The post PYSA Ransomware Pillages Education Sector, Feds Warn appeared first on Malware Devil.



https://malwaredevil.com/2021/03/16/pysa-ransomware-pillages-education-sector-feds-warn/?utm_source=rss&utm_medium=rss&utm_campaign=pysa-ransomware-pillages-education-sector-feds-warn

IR.2.092 Incident Preparation (CMMC Level 2)

Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

The post IR.2.092 Incident Preparation (CMMC Level 2) appeared first on Security Boulevard.


The post IR.2.092 Incident Preparation (CMMC Level 2) appeared first on Malware Devil.



https://malwaredevil.com/2021/03/16/ir-2-092-incident-preparation-cmmc-level-2/?utm_source=rss&utm_medium=rss&utm_campaign=ir-2-092-incident-preparation-cmmc-level-2

Exchange exploitation and architecting for visibility

By Alex Kirk, Corelight Global Principal for Suricata. The new Microsoft Exchange vulnerabilities disclosed earlier this month highlight the importance of architecting for security visibility on the network. At most organizations the communications between users and Exchange servers are encrypted. The initial malicious payload and web shells planted upon successful exploitation of these vulnerabilities also…

The post Exchange exploitation and architecting for visibility appeared first on Security Boulevard.


The post Exchange exploitation and architecting for visibility appeared first on Malware Devil.



https://malwaredevil.com/2021/03/16/exchange-exploitation-and-architecting-for-visibility-3/?utm_source=rss&utm_medium=rss&utm_campaign=exchange-exploitation-and-architecting-for-visibility-3

Mom & Daughter Duo Hack Homecoming Crown

A Florida high-school student faces jail time for rigging her school’s Homecoming Queen election.

The post Mom & Daughter Duo Hack Homecoming Crown appeared first on Malware Devil.



https://malwaredevil.com/2021/03/16/mom-daughter-duo-hack-homecoming-crown/?utm_source=rss&utm_medium=rss&utm_campaign=mom-daughter-duo-hack-homecoming-crown

Chrome Zero Days, Schneider Electric Meters, Exchange Redux, & Signal – SWN #107

This week: Dr. Doug talks more Chrome zero days, Schneider Electric meters, Exchange redux, Signal, iPhone, Nvidia, and the triumphant return of Jason Wood for Expert Commentary on the Security Weekly News!

Time Stamps:

1:20 – Another Chrome zero day
3:50 – Claroty uncovers vulnerabilities in Schneider Electric smart meters
6:28 – iPhone app allows your calls to be shared with pretty much anyone, anywhere.
9:08 – Red Canary and others find China Chopper being used in Exchange attacks
11:30 – Microsoft releases tools to check and repair Exchange
13:24 – The UK is planning to track all internet browsing
14:48 – Chinese government blocks Signal in China
17:40 – Jason Wood!
27:21 – Nvidia RTX 3060 mining restrictions bypassed.

Visit https://www.securityweekly.com/swn for all the latest episodes!

Show Notes: https://securityweekly.com/swn107

The post Chrome Zero Days, Schneider Electric Meters, Exchange Redux, & Signal – SWN #107 appeared first on Malware Devil.



https://malwaredevil.com/2021/03/16/chrome-zero-days-schneider-electric-meters-exchange-redux-signal-swn-107/?utm_source=rss&utm_medium=rss&utm_campaign=chrome-zero-days-schneider-electric-meters-exchange-redux-signal-swn-107

Security & Compliance Legal Highlights – Part Deux – SCW #65

We’re letting Priya have the bulk of the time to discuss what’s on her mind in terms of legal implications of security & compliance news and events.

Visit https://www.securityweekly.com/scw for all the latest episodes!

Show Notes: https://securityweekly.com/scw65

The post Security & Compliance Legal Highlights – Part Deux – SCW #65 appeared first on Malware Devil.



https://malwaredevil.com/2021/03/16/security-compliance-legal-highlights-part-deux-scw-65/?utm_source=rss&utm_medium=rss&utm_campaign=security-compliance-legal-highlights-part-deux-scw-65

Security & Compliance Legal Highlights – SCW #65

We’re excited to have Priya Chaudry with us today, so we are going to focus our discussion on news and events with legal implications (or the legal implications of news and events)!

For starters, the U.S. Cyber Command recently held a virtual edition of its 2021 Legal Conference. The annual conference explores current law and policy issues related to offensive and defensive cyberspace operations.

Visit https://www.securityweekly.com/scw for all the latest episodes!

Show Notes: https://securityweekly.com/scw65

The post Security & Compliance Legal Highlights – SCW #65 appeared first on Malware Devil.



https://malwaredevil.com/2021/03/16/security-compliance-legal-highlights-scw-65/?utm_source=rss&utm_medium=rss&utm_campaign=security-compliance-legal-highlights-scw-65

ESB-2021.0907 – [RedHat] openvswitch: Denial of service – Remote/unauthenticated

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0907
                        openvswitch security update
                               16 March 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openvswitch
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-35498 CVE-2020-27827 

Reference:         ESB-2021.0639
                   ESB-2021.0559
                   ESB-2021.0520

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:0834
   https://access.redhat.com/errata/RHSA-2021:0837
   https://access.redhat.com/errata/RHSA-2021:0835

Comment: This bulletin contains three (3) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openvswitch2.11 security update
Advisory ID:       RHSA-2021:0834-01
Product:           Fast Datapath
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0834
Issue date:        2021-03-15
CVE Names:         CVE-2020-27827 CVE-2020-35498 
=====================================================================

1. Summary:

An update for openvswitch2.11 is now available in Fast Datapath for Red Hat
Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Fast Datapath for Red Hat Enterprise Linux 7 - noarch, ppc64le, s390x, x86_64

3. Description:

Open vSwitch provides standard network bridging functions and support for
the OpenFlow protocol for remote per-flow control of traffic.

Security Fix(es):

* openvswitch: limitation in the OVS packet parsing in userspace leads to
DoS (CVE-2020-35498)

* lldp/openvswitch: denial of service via externally triggered memory leak
(CVE-2020-27827)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1908845 - CVE-2020-35498 openvswitch: limitation in the OVS packet parsing in userspace leads to DoS
1921438 - CVE-2020-27827 lldp/openvswitch: denial of service via externally triggered memory leak

6. Package List:

Fast Datapath for Red Hat Enterprise Linux 7:

Source:
openvswitch2.11-2.11.3-86.el7fdp.src.rpm

noarch:
openvswitch2.11-test-2.11.3-86.el7fdp.noarch.rpm

ppc64le:
openvswitch2.11-2.11.3-86.el7fdp.ppc64le.rpm
openvswitch2.11-debuginfo-2.11.3-86.el7fdp.ppc64le.rpm
openvswitch2.11-devel-2.11.3-86.el7fdp.ppc64le.rpm
python-openvswitch2.11-2.11.3-86.el7fdp.ppc64le.rpm

s390x:
openvswitch2.11-2.11.3-86.el7fdp.s390x.rpm
openvswitch2.11-debuginfo-2.11.3-86.el7fdp.s390x.rpm
openvswitch2.11-devel-2.11.3-86.el7fdp.s390x.rpm
python-openvswitch2.11-2.11.3-86.el7fdp.s390x.rpm

x86_64:
openvswitch2.11-2.11.3-86.el7fdp.x86_64.rpm
openvswitch2.11-debuginfo-2.11.3-86.el7fdp.x86_64.rpm
openvswitch2.11-devel-2.11.3-86.el7fdp.x86_64.rpm
python-openvswitch2.11-2.11.3-86.el7fdp.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-27827
https://access.redhat.com/security/cve/CVE-2020-35498
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----


- --------------------------------------------------------------------------------


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openvswitch2.11 security update
Advisory ID:       RHSA-2021:0837-01
Product:           Fast Datapath
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0837
Issue date:        2021-03-15
CVE Names:         CVE-2020-27827 CVE-2020-35498 
=====================================================================

1. Summary:

An update for openvswitch2.11 is now available in Fast Datapath for Red Hat
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Fast Datapath for Red Hat Enterprise Linux 8 - noarch, ppc64le, s390x, x86_64

3. Description:

Open vSwitch provides standard network bridging functions and support for
the OpenFlow protocol for remote per-flow control of traffic.

Security Fix(es):

* openvswitch: limitation in the OVS packet parsing in userspace leads to
DoS (CVE-2020-35498)

* lldp/openvswitch: denial of service via externally triggered memory leak
(CVE-2020-27827)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1908845 - CVE-2020-35498 openvswitch: limitation in the OVS packet parsing in userspace leads to DoS
1921438 - CVE-2020-27827 lldp/openvswitch: denial of service via externally triggered memory leak

6. Package List:

Fast Datapath for Red Hat Enterprise Linux 8:

Source:
openvswitch2.11-2.11.3-83.el8fdp.src.rpm

noarch:
openvswitch2.11-test-2.11.3-83.el8fdp.noarch.rpm

ppc64le:
network-scripts-openvswitch2.11-2.11.3-83.el8fdp.ppc64le.rpm
openvswitch2.11-2.11.3-83.el8fdp.ppc64le.rpm
openvswitch2.11-debuginfo-2.11.3-83.el8fdp.ppc64le.rpm
openvswitch2.11-debugsource-2.11.3-83.el8fdp.ppc64le.rpm
openvswitch2.11-devel-2.11.3-83.el8fdp.ppc64le.rpm
python3-openvswitch2.11-2.11.3-83.el8fdp.ppc64le.rpm
python3-openvswitch2.11-debuginfo-2.11.3-83.el8fdp.ppc64le.rpm

s390x:
network-scripts-openvswitch2.11-2.11.3-83.el8fdp.s390x.rpm
openvswitch2.11-2.11.3-83.el8fdp.s390x.rpm
openvswitch2.11-debuginfo-2.11.3-83.el8fdp.s390x.rpm
openvswitch2.11-debugsource-2.11.3-83.el8fdp.s390x.rpm
openvswitch2.11-devel-2.11.3-83.el8fdp.s390x.rpm
python3-openvswitch2.11-2.11.3-83.el8fdp.s390x.rpm
python3-openvswitch2.11-debuginfo-2.11.3-83.el8fdp.s390x.rpm

x86_64:
network-scripts-openvswitch2.11-2.11.3-83.el8fdp.x86_64.rpm
openvswitch2.11-2.11.3-83.el8fdp.x86_64.rpm
openvswitch2.11-debuginfo-2.11.3-83.el8fdp.x86_64.rpm
openvswitch2.11-debugsource-2.11.3-83.el8fdp.x86_64.rpm
openvswitch2.11-devel-2.11.3-83.el8fdp.x86_64.rpm
python3-openvswitch2.11-2.11.3-83.el8fdp.x86_64.rpm
python3-openvswitch2.11-debuginfo-2.11.3-83.el8fdp.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-27827
https://access.redhat.com/security/cve/CVE-2020-35498
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----


- --------------------------------------------------------------------------------


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openvswitch2.13 security update
Advisory ID:       RHSA-2021:0835-01
Product:           Fast Datapath
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0835
Issue date:        2021-03-15
CVE Names:         CVE-2020-27827 CVE-2020-35498 
=====================================================================

1. Summary:

An update for openvswitch2.13 is now available in Fast Datapath for Red Hat
Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Fast Datapath for Red Hat Enterprise Linux 7 - noarch, ppc64le, s390x, x86_64

3. Description:

Open vSwitch provides standard network bridging functions and support for
the OpenFlow protocol for remote per-flow control of traffic.

Security Fix(es):

* openvswitch: limitation in the OVS packet parsing in userspace leads to
DoS (CVE-2020-35498)

* lldp/openvswitch: denial of service via externally triggered memory leak
(CVE-2020-27827)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1908845 - CVE-2020-35498 openvswitch: limitation in the OVS packet parsing in userspace leads to DoS
1921438 - CVE-2020-27827 lldp/openvswitch: denial of service via externally triggered memory leak

6. Package List:

Fast Datapath for Red Hat Enterprise Linux 7:

Source:
openvswitch2.13-2.13.0-81.el7fdp.src.rpm

noarch:
openvswitch2.13-test-2.13.0-81.el7fdp.noarch.rpm

ppc64le:
openvswitch2.13-2.13.0-81.el7fdp.ppc64le.rpm
openvswitch2.13-debuginfo-2.13.0-81.el7fdp.ppc64le.rpm
openvswitch2.13-devel-2.13.0-81.el7fdp.ppc64le.rpm
openvswitch2.13-ipsec-2.13.0-81.el7fdp.ppc64le.rpm
python3-openvswitch2.13-2.13.0-81.el7fdp.ppc64le.rpm

s390x:
openvswitch2.13-2.13.0-81.el7fdp.s390x.rpm
openvswitch2.13-debuginfo-2.13.0-81.el7fdp.s390x.rpm
openvswitch2.13-devel-2.13.0-81.el7fdp.s390x.rpm
openvswitch2.13-ipsec-2.13.0-81.el7fdp.s390x.rpm
python3-openvswitch2.13-2.13.0-81.el7fdp.s390x.rpm

x86_64:
openvswitch2.13-2.13.0-81.el7fdp.x86_64.rpm
openvswitch2.13-debuginfo-2.13.0-81.el7fdp.x86_64.rpm
openvswitch2.13-devel-2.13.0-81.el7fdp.x86_64.rpm
openvswitch2.13-ipsec-2.13.0-81.el7fdp.x86_64.rpm
python3-openvswitch2.13-2.13.0-81.el7fdp.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-27827
https://access.redhat.com/security/cve/CVE-2020-35498
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================


The post ESB-2021.0907 – [RedHat] openvswitch: Denial of service – Remote/unauthenticated appeared first on Malware Devil.



https://malwaredevil.com/2021/03/16/esb-2021-0907-redhat-openvswitch-denial-of-service-remote-unauthenticated/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-0907-redhat-openvswitch-denial-of-service-remote-unauthenticated

Network Security News Summary for Tuesday March 16th, 2021

A brief daily summary of what is important in cybersecurity. The podcast is published every weekday and is designed to get you ready for the day with a brief summary, usually about 5 minutes long, of current network security-related events. The content is late-breaking, educational and based on listener input as well as on input received by the SANS Internet Storm Center. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html.

The post Network Security News Summary for Tuesday March 16th, 2021 appeared first on Malware Devil.



https://malwaredevil.com/2021/03/16/network-security-news-summary-for-tuesday-march-16th-2021/?utm_source=rss&utm_medium=rss&utm_campaign=network-security-news-summary-for-tuesday-march-16th-2021

Monday, March 15, 2021

Exabeam Launches First-ever Comprehensive Use Case Coverage for Successful Outcome-based Security

Prescriptive end-to-end framework enables organizations to protect against external threats, compromised insiders and malicious insiders FOSTER CITY, Calif., March 16, 2021 – Exabeam, the security analytics and automation company, today announced a set of new functionalities aligned across Exabeam’s products to solve specific security challenges. The new Threat Detection, Investigation & Response (TDIR) use case..

The post Exabeam Launches First-ever Comprehensive Use Case Coverage for Successful Outcome-based Security appeared first on Security Boulevard.


The post Exabeam Launches First-ever Comprehensive Use Case Coverage for Successful Outcome-based Security appeared first on Malware Devil.



https://malwaredevil.com/2021/03/15/exabeam-launches-first-ever-comprehensive-use-case-coverage-for-successful-outcome-based-security/?utm_source=rss&utm_medium=rss&utm_campaign=exabeam-launches-first-ever-comprehensive-use-case-coverage-for-successful-outcome-based-security

Be Prepared for Anything with EDRP

Recently, a historic snowstorm hit the South, affecting millions of people throughout Mississippi, Louisiana, Kentucky, West Virginia and Texas. Areas not usually accustomed to the elements associated with snowstorms, including freezing temperatures, snow and ice, were devastated by the effects. An article by The New York Times titled “Texas Winter Snowstorm: What to Know” detailed […]

The post Be Prepared for Anything with EDRP appeared first on Phoenix TS.

The post Be Prepared for Anything with EDRP appeared first on Security Boulevard.


The post Be Prepared for Anything with EDRP appeared first on Malware Devil.



https://malwaredevil.com/2021/03/15/be-prepared-for-anything-with-edrp-2/?utm_source=rss&utm_medium=rss&utm_campaign=be-prepared-for-anything-with-edrp-2

How your iPhone could tell you if you’re being stalked

The latest iOS beta suggests that Apple’s next big update will include an iPhone feature that warns users about hidden, physical surveillance of their location. The feature detects AirTags, Apple’s answer to trackable fobs made by Tile, and serves to block the potential abuse of the much-rumored product.

While the feature represents great potential, digital surveillance experts said that they were left with more questions than answers, including whether surveilled iPhone users will be pointed to helpful resources after receiving a warning, how the feature will integrate with non-Apple products–if at all–and whether Apple coordinated with any domestic abuse advocates on the actual language included in the warnings.

Erica Olsen, director of Safety Net at the National Network to End Domestic Violence, emphasized the sensitivities of telling anyone–particularly domestic abuse survivors–about unknown surveillance that relies on a hidden device.

“It could be extremely scary to get a notification about a device and have no idea where to start to locate and disable it,” Olsen said. “That’s not to say that it’s a bad thing; it just needs to be thorough.”

Apple did not respond to questions regarding the language of its notifications or about the company’s potential outreach to external domestic abuse advocates in crafting the feature. Members of the Coalition Against Stalkerware–of which Malwarebytes is a founding partner–said they were open to collaborate with Apple on the feature.

New “Item Safety Alerts”

According to 9to5Mac, the latest beta version for iOS 14.5 includes an update to the “Find My” app, which helps users locate iPhones, iPads, iPod Touches, and Mac computers that may have been lost or stolen. Importantly, while each of those devices can run the Find My app for their respective operating systems, it is only the iPhone version of the app–as witnessed in the iOS 14.5 beta–that includes a new setting called “Item Safety Alerts.”

The setting is turned on by default, and, according to Apple blogger and iOS developer Benjamin Mayo, any attempts to turn off the setting will result in a warning that reads:

“The owner of an unknown item will be able to see your location and you will no longer receive notifications when an unknown item is found moving with you.”

As the iOS update is still in beta, there is limited information, and the “notifications” referenced in the Item Safety Alerts advisory have not been revealed. However, the advisory itself reveals the purpose of the alerts: to warn iPhone users when a separate, unknown trackable device is found in close, frequent proximity to their iPhone.

In theory, this type of surveillance has been possible for years. By abusing the intentions of Apple’s Find My app, a stalker or a domestic abuser could plant a device that can be tracked by Find My, such as an iPhone or an iPod touch, onto a victim and track their movements. But, while this type of location monitoring was possible, it also had some obvious obstacles. One, purchasing a capable device could be expensive, and two, the actual devices that can be tracked are rather easy to find, even to unsuspecting victims. After all, it isn’t every day that someone just happens to find an entirely different phone in their gym bag.

Those obstacles could fade away, though, if Apple follows through on releasing its next, rumored product.

According to multiple tech news outlets, Apple will release physical location-tracking tags in 2021, dubbed “AirTags.” The devices could directly compete with the company Tile, which makes small, physical squares of plastic that can be slipped into personal items like luggage, purses, backpacks, wallets, and other important items that could be lost or stolen.

Unfortunately, the smaller a location-tracking device is, the easier it is to use it against someone without their consent, as revealed by a woman in Houston who said her ex stalked her after planting a Tile device in her car. The woman, who remained anonymous for her safety, told ABC 13 news in an interview:

“It was shocking. In a million years, it never occurred to me that could be possible and instantly everything made sense. I think that’s what’s important that for people who are in a domestic violence situation or stalking situation to know that should be a consideration.”

The iOS 14.5 beta feature, then, makes much more sense when accounting for a potential future with Apple’s AirTags. Malicious users could purchase AirTags and sneak them into a person’s purse or their backpack without their knowledge.

The new “Item Safety Alerts” could curb that type of abuse, though, warning users about unrecognized devices that are located in the same vicinity as their current device, but are not registered through their own Find My app.

Important considerations for Apple

Several representatives from members of the Coalition Against Stalkerware said that Apple’s new feature has real potential to help users, but without more details, many questions remain.

Tara Hairston, head of public affairs for North America at Kaspersky, said she wanted to know more about how Find My could work with third-party devices, so that clandestine surveillance could be detected beyond the use of Apple’s rumored AirTags, and beyond the use of an iPhone, too. According to 9to5Mac, the updates to Find My include a new “Item” tab to track third-party accessories, but questions from Malwarebytes Labs to Apple about the extent of that cross-functionality went unanswered.

Hairston also expressed concerns about the development of the feature.

“A question I have is whether Apple has discussed the alert’s language with professionals and advocates that work with domestic violence survivors to ensure that it is not re-traumatizing for them,” Hairston said. “Furthermore, does Apple plan to provide information regarding what someone should do if they confirm that they are being tracked, especially if they are a survivor? Accounting for these types of safety considerations would result in more holistic support for vulnerable populations.”

These are routine considerations for the Coalition Against Stalkerware, which was intentionally built as a cross-disciplinary group to help protect users from the threats of stalkerware. For the same reason that the coalition’s domestic violence advocates are not the experts on technical detection of stalkerware samples, the coalition’s cybersecurity vendors are not the experts on protecting survivors from domestic abuse. But when the members work together, they can do informed, great things, like developing a new way to detect stalkerware that works outside of a compromised device–a critical need that many cybersecurity vendors did not know about until joining the coalition.

At Malwarebytes Labs, we await the release of Apple’s feature, and we are eager to learn about the work that went into it. Any company taking steps to limit non-consensual surveillance is a good thing. Let’s work together to make it great.

The post How your iPhone could tell you if you’re being stalked appeared first on Malware Devil.



https://malwaredevil.com/2021/03/15/how-your-iphone-could-tell-you-if-youre-being-stalked/?utm_source=rss&utm_medium=rss&utm_campaign=how-your-iphone-could-tell-you-if-youre-being-stalked

Importance of Culture, Engaging The Board, & 8 New Roles! – BSW #209

This week, in the Leadership and Communications section, The importance of culture in digital transformation, 4 ways to keep the cybersecurity conversation going after the crisis has passed, 8 new roles today’s security team needs, and more!
Visit https://www.securityweekly.com/bsw for all the latest episodes!
Show Notes: https://securityweekly.com/bsw209

The post Importance of Culture, Engaging The Board, & 8 New Roles! – BSW #209 appeared first on Malware Devil.



https://malwaredevil.com/2021/03/15/importance-of-culture-engaging-the-board-8-new-roles-bsw-209/?utm_source=rss&utm_medium=rss&utm_campaign=importance-of-culture-engaging-the-board-8-new-roles-bsw-209

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...