Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Deserialized web security roundup: KeePass dismisses 'vulnerability' report, OpenSSL gets patched, and Reddit admits phishing hack

KeePass has become the latest password manager utility obliged to defend its reputation following the discovery of an alleged vulnerability.

Security researchers warned that it might be possible to set up a trigger that exports everything from the KeePass database in cleartext, before syphoning off secret data. The vulnerability – whose seriousness is disputed – is being tracked as CVE-2023-24055.

As Bleeping Computer reports, KeePass maintains the issue only comes into play in cases where an attacker already has control of a compromised account – in which case it’s ‘game over’ already.

Issues in password managers have been a particular focus for security researchers since a mishandled security incident involving LastPass last year that eventually prompted the vendor to admit encrypted password vaults had leaked.

Master keys for these vaults were not exposed, limiting the scope for harm, but the affair was nonetheless troubling.

The US Cybersecurity and Infrastructure Security Agency (CISA) is pushing plans to require technology manufacturers to make their products secure by design.

CISA director Jen Easterly and executive assistant director Eric Goldstein outlined the proposals in an essay published by Foreign Affairs magazine.

Want the latest web security news direct to your inbox? Sign up to our new newsletter – Daily Swig Deserialized

On Thursday, developers of the OpenSSL project released patches covering a variety of vulnerabilities in the encryption library, including a high impact flaw (tracked as CVE-2023-0286). The flaw meant that sophisticated attackers might be able to either read system memory or cause a denial of service on affected systems.

Thursday also brought news that a sysadmin on Reddit had fallen victim to a phishing attack. The social news site admitted that attackers had “gained access to some internal documents, code, and some internal business systems” while stating that it reckoned “Reddit user passwords and accounts are safe”.

The Daily Swig also recently reported that Google has developed proposals to mitigate the impact of prototype pollution (a class of JavaScript vulnerability), how a security researcher hacked into Toyota’s supplier management network, and on a privacy storm involving a new host of popular pen testing tool XSS Hunter since the last edition of Deserialized. You can catch up with the full range of our recent news coverage by visiting The Daily Swig’s homepage.

Here are some more web security stories and other cybersecurity news that caught our attention in the last fortnight:

Web Vulnerabilities

  • Cisco devices / Technology to deploy application containers/virtual machines directly on devices was flawed because user input for the ‘DHCP Client ID’ option wasn’t sanitized / Disclosed with patch on February 1
  • Dompdf / Critical / URI validation failure on SVG parsing / URI validation can be bypassed on SVG parsing, potentially leading to arbitrary object unserialize on PHP, through the phar URL wrapper / disclosed with patch last week
  • F5 BIG-IP / High / Format string flaw in iControl SOAP allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially, execute arbitrary code / Disclosed with a patch on February 1
  • Jira Service Management Server and Data Center / Critical / Broken authentication / vendor alert and patch issued on February 1
  • Skyhigh Security Secure Web Gateway / High / XSS in single sign-on plugin / Disclosed with a patch on January 26

Research and attack techniques

  • A detailed analysis of a remote source disclosure vulnerability in PHP development server offers pointers towards necessary follow-up work. The flaw – which meant that the source code of PHP files was exposed as if they were static files – was resolved, but even so “Shodan queries reveal many exposed instances of the built-in server”, the researchers warn
  • A vulnerability in Zoho ManageEngine’s SAML (Security Assertion Markup Language) implementation – dubbed SAML ShowStopper – leaves enterprise-based SSO (Single-Sign-On) deployments at a heightened risk of attack. Security researcher Khoa Dinh offers a detailed analysis of flaw in warning that any vendors (not just ManageEngine) relying on older versions of xmlsec and xalan might be at similar risk
  • A blog post by Skylight Cyber details common misconfigurations in the SaltStack IT orchestration platform, as encountered in the wild, as well as detailing a “novel template injection technique that can achieve remote code execution on a salt-master (or master-of-masters) server”.
  • Proofpoint has discovered that attackers are using malicious third-party OAuth apps to infiltrate organizations’ cloud environments. “Threat actors satisfied Microsoft’s requirements for third-party OAuth apps by abusing the Microsoft ‘verified publisher’ status,” the security researchers report
  • Researchers from Ermetic have discovered an RCE vulnerability impacting services such as Function Apps, App Service and Logic Apps on Azure cloud. The EmojiDeploy vulnerability was sprung through CSRF against source control management service (SCM) Kudu
  • Security researcher ‘eta’ has successfully reverse-engineered the encoding process for barcodes associated with UK mobile rail tickets. The work allows interested parties to decode their own tickets with a web tool developed by the researcher

Oculus gamerA security researcher earned $44k from an Oculus account takeover exploit

Bug bounty / vulnerability disclosure

  • Google has expanded its OSS-Fuzz project, a free platform for continuous fuzzing to critical open source projects. The technology, which has helped to identify 8,800 vulnerabilities across 850 projects since its launch in 2016, is getting a boost through the offer of higher financial rewards for contributors that integrate new projects into OSS-Fuzz.
  • Security researcher Youssef Sammouda claimed a $44,500 payout after discovering a security flaw that made it possible to take over Facebook/Oculus accounts. As explained in a technical write-up by Sammouda, the hack relied on First-Party access_token stealing.

New open source infosec/hacking tools

  • Checkmarx has put together a built-to-be-vulnerable API application based on the OWASP top 10 API vulnerabilities. The utility – dubbed c{api}tal – is designed to be a learning and training resource focused on API security.
  • Ronin 2.0 offers a revamped version of a free and Open Source Ruby toolkit for security research and development. The latest version of Ronin, enhanced with new API libraries, contains many different CLI commands and Ruby libraries optimized to carry out a range of tasks including scanning for web vulnerabilities and running exploits.
  • Developers have released a new version of EMBA – an embedded device firmware security analyzer geared to the needs of penetration testers. Its functionality is explained on a GitHub page.
  • SH1MMER, an exploit capable of completely unenrolling enterprise-managed Chromebooks.

For devs

  • Developers should check out an informative post on integrating Nuclei, an open-source tool for scanning web applications, into their GitHub CI/CD pipelines
  • SBOM Scorecard offers a tool that helps developers to quantify what a well-generated SBOM looks like, accessing the richness of metadata that can later be queried
  • The precloud utility offers an open source CLI that runs checks on infrastructure as code to catch potential deployment issues. The tool, which offers dynamic tests for infrastructure-as-code, works by “comparing resources in CDK diffs and Terraform Plans against the state of your cloud account”

More industry news

For fun

Codebreakers have decoded a cache of more than 500 encoded letters written by Mary, Queen of Scots, during her years of captivity between 1578 and 1584.

The code – made up only of graphical symbols – was cracked using a combination of “computerized cryptanalysis, manual code-breaking, and linguistic and contextual analysis”, Ars Technica reports.

The letters were relayed by secret couriers, principally to the French ambassador, Michel de Castelnau. However Elizabeth I’s spymaster, Francis Walsingham, had a mole in the French embassy who gave the spy access to decoded copies of the correspondence.

A paper on the codebreaking work, likely to help historians researching the period, was published by specialist journal Cryptologia.

PREVIOUS EDITION Deserialized web security roundup: ‘Catastrophic cyber events’, another T-Mobile breach, more LastPass problems