Using Client VPN with Your Firewall for WFH: a Setup for Disaster?

It’s now been more than a year since many employees were first forced to work from home. With less than a week to prepare in some cases, very few businesses or employees were ready to make this shift. IT departments in particular were hard hit, as most had insufficient VPN licenses and/or horsepower to sustain that many client VPN connections. Employees weren’t ready, either, as many found that work at the dining-room table necessitated weekly chiropractor visits after a few months. It hasn’t been easy for anyone!

But now that employees are properly set up with a decent desk, a good chair and a new daily routine, many are loving it. No more driving in traffic, no need to dress up, no need to pack a lunch … plus all the financial advantages that come with remote work, like less money spent on gas and vehicle maintenance and, in some cases, even a tax deduction.

Businesses are seeing the benefits, too. Many are finding they can cut their office space by half, if not more. There’s now no need for a satellite office just to accommodate 2-3 people, when those employees can work from home. And if the best candidate for a position is a six-hour drive away, who cares!

Many business owners have already decided work-from-home is here to stay — and in some industries, those who resist this change will find that candidates demand it. (I personally declined a job offer with a salary jump in the five figures. No way am I going back to an office!)

The Problem with Keeping Ad-Hoc Setups

Imagine you have 100 employees reporting to work in your office. Each day, they show up fully masked and follow all recommended COVID-19 protocols for distancing, handwashing, etc. But each night, they go to concerts, busy restaurants, packed bars or other large gatherings, all without masking or distancing. Then they come back to the office, and the cycle repeats itself again, and again, and again. How safe is your office, really? Even with safeguards in place, it would only be a matter of time before everyone in the office was exposed to the illness.

Relying on client VPN with your firewall creates a similar situation. The office is safe. You have a well-known, business-grade next-generation firewall with all the latest tech to block ransomware and other threats.

But what sort of firewall is there at home? Is there any security at all? Many employees use the ISP router with its default Wi-Fi password. This router is also connected to the rest of the devices in the home, including those of teenagers whose goals in life sometimes seem to be clicking on everything they possibly can on social media platforms AND consuming hundreds of gigabytes per month (or per day) worth of torrents.

You have 100 employee laptops going home every night to different unsecured and potentially infected networks. Then, the next day, they connect to the office. The cycle repeats, week in and week out. To me, that’s a reliable way to bring bad stuff into your corporate network.

Some will say, “Yeah, but I have a good antivirus on the corporate laptop!” Sorry to call it out like that, but you’re living in denial. If all you need is antivirus on laptops, then why did you purchase a next-generation firewall, a SIEM, 2FA capabilities, email security, etc.?

How Do You Prevent Cyberattacks? Much the Same Way You Prevent COVID-19.

The best way to prevent COVID-19 infections is to stay home with your family: No restaurants, no bars, no airports. The solution for corporate laptops is exactly the same. The device stays in the office, all the time. No coffee shops, no airports, no home networks — it never leaves the employee’s desk.

But with many jobs requiring after-hours connectivity, and many employees still choosing (or being required) to work from home part-time, this isn’t realistic in many cases.

In these cases, client VPN can bridge the security gap, but not when the VPN is terminated on the firewall. For optimum security and usability, the VPN should be routed through an advanced VPN solution such as SonicWall’s Secure Mobile Access (SMA) solution.

SonicWall SMA Series has advanced client VPN features that allow employees to work from home while virtually keeping the laptop in the office all the time. SMA achieves this by combining two features:

  • Tunnel all VPN: This feature forces all of the laptop’s network traffic to the head office through the VPN, cutting off access to the local network. That is exactly what we want, as the local network can be anywhere the employee does work, including a coffee shop or an unsecured home network. By using “tunnel all,” the device is isolated from any unknown and untrusted network. It also means the laptop is, networking-wise, sitting in the office: all its traffic (access to local corporate servers, Facebook, Office 365, YouTube) goes through the VPN and out from your corporate firewall, complete with all the inspections and controls it would receive if it were physically sitting in the office.
  • Always-on VPN: This key feature of SonicWall SMA isn’t available on firewalls. Always-on VPN forces the VPN client to connect automatically as soon as any network access is found, even before you’ve unlocked your machine. This means that Group Policy (GPO) processing and login scripts will work. Another advantage of always-on VPN is that employees cannot disconnect the VPN: they’re locked in.

Used together, tunnel all VPN and always-on VPN ensure your corporate laptops are always safe and secured by keeping them (virtually) from ever leaving the office. In other words, a laptop can be anywhere physically, but as far as the corporate network is concerned, it cannot be anywhere other than on the secured corporate network. And when the laptop is physically in the office, a feature known as “Safe Network Detection” will detect the laptop on premises and will stop routing network access through the VPN.
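One check a practitioner would want before trusting any tunnel-all deployment is to confirm, on the endpoint itself, that the routing table really sends everything through the tunnel and leaves no path to the local network. The following Python is an added example written for this page, not SonicWall code and not specific to SMA: it parses Linux `ip -4 route` output (the three route tables are constructed samples, with the interface names tun0 and wlan0 and the concentrator address 203.0.113.10 assumed), treats a 0.0.0.0/1 plus 128.0.0.0/1 pair the same as a plain default route, and reports any off-tunnel route other than the host routes needed to reach the concentrator as a leak.

```python
import ipaddress
from typing import Dict, List

IPV4_ALL = ipaddress.ip_network("0.0.0.0/0")


def parse_ip_route(text: str) -> List[Dict[str, str]]:
    """Parse `ip -4 route show` output; keeps dst plus via/dev/metric/scope where present."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        route = {"dst": "0.0.0.0/0" if parts[0] == "default" else parts[0], "line": line.strip()}
        for key in ("via", "dev", "metric", "scope"):
            if key in parts:
                route[key] = parts[parts.index(key) + 1]
        routes.append(route)
    return routes


def _net(dst: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(dst, strict=False)   # "203.0.113.10" -> 203.0.113.10/32


def check_tunnel_all(route_text: str, vpn_dev: str = "tun0",
                     vpn_gateway: str = "203.0.113.10") -> Dict[str, object]:
    """Verify that the table sends all IPv4 traffic through vpn_dev and keeps no local paths.

    Off-tunnel routes that a tunnel-all client legitimately keeps: the host route to the
    VPN concentrator and the host route to the LAN next hop used to reach it. Anything
    else that is not on the tunnel (or loopback) is reported as a leak.
    """
    routes = parse_ip_route(route_text)
    via_vpn = [_net(r["dst"]) for r in routes if r.get("dev") == vpn_dev]
    # A plain default route, or a 0.0.0.0/1 + 128.0.0.0/1 pair, both collapse to 0.0.0.0/0.
    covers_all = list(ipaddress.collapse_addresses(via_vpn)) == [IPV4_ALL]

    allowed = {_net(vpn_gateway)}
    for r in routes:
        if r.get("dev") != vpn_dev and "via" in r and _net(r["dst"]) == _net(vpn_gateway):
            allowed.add(_net(r["via"]))          # next hop used to reach the concentrator

    leaks = []
    for r in routes:
        if r.get("dev") in (vpn_dev, "lo"):
            continue
        net = _net(r["dst"])
        if net in allowed:
            continue
        if net == IPV4_ALL and covers_all:
            continue   # physical default route is shadowed by the more specific VPN routes
        leaks.append(r["line"])
    return {"tunnel_all": covers_all and not leaks, "covers_all": covers_all, "leaks": leaks}


# Constructed `ip -4 route` outputs for illustration (not captured from any real client).
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
"""

HALF_ROUTES_LAN_LEAK = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
203.0.113.10 via 192.168.1.1 dev wlan0 metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
"""

TUNNEL_ALL = """\
default via 10.8.0.1 dev tun0 metric 50
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
203.0.113.10 via 192.168.1.1 dev wlan0 metric 600
192.168.1.1 dev wlan0 scope link metric 600
"""

if __name__ == "__main__":
    for label, table in (("split tunnel", SPLIT_TUNNEL),
                         ("half routes, LAN leak", HALF_ROUTES_LAN_LEAK),
                         ("tunnel all", TUNNEL_ALL)):
        print(label, check_tunnel_all(table))
```

On a live Linux client, feed the function the output of `subprocess.run(["ip", "-4", "route", "show"], capture_output=True, text=True).stdout`. The middle sample is the case the article warns about: the default route is fully covered by the tunnel, yet the connected 192.168.1.0/24 route still gives the laptop direct access to the home LAN, so the check reports it as a leak rather than accepting the table as tunnel-all.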

Doing remote work with your firewall’s client VPN allows all your employees to gather bad stuff from untrusted and unsecured networks and bring these threats into the office through the VPN client. But with the SonicWall SMA Series, your corporate devices are always following government health guidelines — they stay in the office at all times, no exceptions. Regardless of where they are physically, there is only one network they have access to: the corporate network, which includes all the proven security mechanisms you’ve put in place to protect your corporate perimeter. Your employees get the flexibility they want, and you get the peace of mind you need.


Cybersecurity News & Trends – 05-14-21

This week attackers once again turned their attention to local government, resulting in several cities and municipal police departments reporting breaches.


SonicWall in the News

Raab set to reveal aggressive cyber-attacks targeting 80 UK schools and Universities in March — UK Tech News

  • Foreign Secretary Dominic Raab alerted the Cyber UK conference that 80 British schools and universities were hit by ransomware attacks in March, forcing them to delay reopening.
    *Syndicated: Info Security Buzz

Working from home is making companies rethink IT spending. Here’s how it’s changing — TechRepublic

  • Businesses are prioritizing their IT spending to focus on tech investments that support a ‘hybrid’ mix of working at home and in the office, according to new research.

Deep Dive: Terry Greer-King, VP EMEA, SonicWall — Intelligent CISO

  • Terry Greer-King, SonicWall VP EMEA, highlights SonicWall’s Boundless Security and how it uses automated threat detection and response to help organizations protect themselves.
    *Syndicated: Intelligent CIO – EU, Intelligent CIO – Africa

We regret ‘creating problems’, say Colonial petroleum pipeline hackers — Financial Times

  • The DarkSide ransomware group has stated it is apolitical and only wanted to make money, according to the Financial Times

Catch Of The Week: Ransomware Shuts Down U.S. Pipeline — Los Alamos Daily Post

  • Colonial Pipeline, one of the top U.S. fuel pipeline operators, shut down its entire network after a ransomware attack, affecting nearly half of the East Coast’s fuel supply.

The basics of backup: How to avoid disaster — Intelligent CISO

  • As the amount of data in existence surges, business leaders must ensure they have the correct processes in place to manage it and avoid data loss.

Industry News

After Colonial Pipeline hack, lawmakers want more action on pipeline security — Cyberscoop

  • A two-year-old federal pipeline initiative has shown promise, but more needs to be done, lawmakers say.

Despite Heightened Breach Fears, Incident Response Capabilities Lag — Dark Reading

  • Many organizations remain unprepared to detect, respond to and contain a breach, a new survey shows.

Biden signs executive order to improve federal cybersecurity — The Hill

  • President Biden signed an executive order aimed at improving federal cybersecurity on the heels of multiple major and damaging cyberattacks, including the one on the Colonial Pipeline.

Global cybersecurity leaders say they feel unprepared for attack: report — The Hill

  • A majority of global CISOs surveyed said they feel their organizations are unprepared to face a cyberattack, despite many believing they will face an attack in the next year.

South Korea orders urgent review of energy infrastructure cybersecurity — The Register

  • The review was spurred by the Colonial Pipeline outage, which stressed the fuel supply of the U.S. East Coast.

FBI, CISA publish alert on DarkSide ransomware — ZDNet

  • The advisory deals with ransomware-as-a-service, thrust into the spotlight by the Colonial Pipeline cyberattack.

Ransomware crooks post cops’ psych evaluations after talks with DC police stall — Ars Technica

  • A ransomware gang that hacked the District of Columbia’s Metropolitan Police Department has posted personnel records for almost two dozen officers, including psychological assessments and polygraph tests; driver’s license images; fingerprints; social security numbers; dates of birth; and residential, financial, and marriage histories.

Experts suggest French insurer AXA’s plan to shun ransomware payouts will set a precedent — Cyberscoop

  • While some say they’re surprised it hasn’t happened sooner, others are wondering how long it will take for the rest of the industry to follow suit.

Adobe: Windows Users Hit by PDF Reader Zero-Day — Security Week

  • Adobe on Tuesday warned that a gaping security hole in Adobe Reader, one of the most widely deployed software products, has been exploited in the wild in “limited attacks.”

City of Tulsa’s online services disrupted in ransomware incident — Bleeping Computer

  • The city of Tulsa, Okla., has suffered a ransomware attack that forced the city to shut down its systems to prevent further spread.

City of Chicago Hit by Data Breach at Law Firm Jones Day — Security Week

  • The city of Chicago on Friday said that employee emails were compromised in a Jones Day data breach involving Accellion’s FTA file sharing service.

Ransomware gangs get more aggressive against law enforcement — The Washington Times

  • Criminal hackers are increasingly using brazen methods to increase pressure on law-enforcement agencies to pay ransoms, including leaking or threatening to leak highly sensitive and potentially life-threatening information.

The Colonial Pipeline Hack Is a New Extreme for Ransomware — Wired

  • Profit-focused cybercriminal hackers have inflicted a disruption that military and intelligence agency hackers have never dared to, shutting down a pipeline that carries nearly half the fuel consumed on the East Coast of the United States.

DHS to hire 200 more cyber pros as Biden administration grapples with hacking threats — Cyberscoop

  • It’s part of “the most significant hiring initiative” the department has ever undertaken, according to Alejandro Mayorkas.

In Case You Missed It

Microsoft Security Bulletin Coverage for May 2021

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of May 2021. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2021-26419 Scripting Engine Memory Corruption Vulnerability
IPS 15554: Scripting Engine Memory Corruption Vulnerability (CVE-2021-26419)

CVE-2021-31166 HTTP Protocol Stack Remote Code Execution Vulnerability
IPS 15553: Windows HTTP Protocol Stack Remote Code Execution 3

CVE-2021-31170 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 180: Malformed-File exe.MP.180

CVE-2021-31181 Microsoft SharePoint Remote Code Execution Vulnerability
ASPY 181: Malformed-File exe.MP.181

CVE-2021-31188 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 182: Malformed-File exe.MP.182

Adobe Coverage:
CVE-2021-28550 Acrobat Reader Use After Free Vulnerability
ASPY 183: Malformed-File pdf.MP.473

CVE-2021-28560 Acrobat Reader Heap-based Buffer Overflow Vulnerability
ASPY 184: Malformed-File pdf.MP.474

The following vulnerabilities do not have exploits in the wild:

CVE-2020-24587 Windows Wireless Networking Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-24588 Windows Wireless Networking Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-26144 Windows Wireless Networking Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-26418 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-26421 Skype for Business and Lync Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-26422 Skype for Business and Lync Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27068 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28455 Microsoft Jet Red Database Engine and Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28461 Dynamics Finance and Operations Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2021-28465 Web Media Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28474 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28476 Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28478 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-28479 Windows CSC Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31165 Windows Container Manager Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31167 Windows Container Manager Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31168 Windows Container Manager Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31169 Windows Container Manager Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31171 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31172 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-31173 Microsoft SharePoint Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31174 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31175 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31176 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31177 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31178 Microsoft Office Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31179 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31180 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31182 Microsoft Bluetooth Driver Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-31184 Microsoft Windows Infrared Data Association (IrDA) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31185 Windows Desktop Bridge Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31186 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31187 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31190 Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31191 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31192 Windows Media Foundation Core Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31193 Windows SSDP Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31194 OLE Automation Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31195 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31198 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31200 Common Utilities Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31204 .NET and Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31205 Windows SMB Client Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-31207 Microsoft Exchange Server Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-31208 Windows Container Manager Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31209 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-31211 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31213 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31214 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31936 Microsoft Accessibility Insights for Web Information Disclosure Vulnerability
There are no known exploits in the wild.

Triple Threat: CRN’s 2021 Women of the Channel List Honors SonicWall Leaders

SonicWall is celebrating the recognition of three global channel team members on CRN’s 2021 Women of the Channel List. Senior Director, Global Field Marketing, Nicola Scheibe; Senior Sales Manager, Global Installed Base Programs, Kenna Ith; and Channel Account Manager Alice Strange were named to the annual list, which recognizes the unique strengths, vision and achievements of female leaders in the IT channel space.

Pictured: Nicola Scheibe, Kenna Ith and Alice Strange

“CRN’s 2021 Women of the Channel list acknowledges accomplished, influential women whose dedication, hard work and leadership accelerate channel growth,” said Blaine Raddon, CEO of The Channel Company. “We are proud to honor them for their many accomplishments and look forward to their continued contributions to the IT channel.”

A 15-year SonicWall veteran, Scheibe is responsible for all direct field marketing activities, as well as any joint activities with partners and distributors across SonicWall’s global regions. When asked about her accolade, she stated, “Working in channel is a rewarding experience. It also challenges me to look beyond my own plate and experience different mindsets, opinions, and various points of view.”

The women honored on this year’s list pushed forward with comprehensive business plans, marketing initiatives and other innovative ideas to support their partners and customers.

“During these unprecedented times, it’s now more important than ever to understand customer behaviors, competitive environment and constraints such as costs and resources,” said Ith.

This year’s list of women is credited with helping numerous partners through the uncertainty brought on by the global pandemic.

“With COVID-19 bringing so much change to the way companies do business, my support of partners has been a critical piece to ensure both their current success and ability to move forward through a changing landscape,” said Strange.

To become a SonicWall partner, please visit http://www.sonicwall.com/partners/become-a-partner.

RSA Conference 2021 Spotlights the Resilience of the Cybersecurity Industry

Every year since 1991, the RSA Conference has offered tens of thousands of attendees an opportunity to hear from cybersecurity experts, see all the latest vendor offerings and connect with others in the IT sphere. But for the first time in more than a decade, during this year’s conference the Moscone Center in San Francisco will stand empty: no colorful booths, no swag and definitely no shaking hands.

Despite the fact that it will be fully virtual this year due to the ongoing COVID-19 pandemic, the conference — much like cybersecurity itself — lives on, relevant not in spite of but because of the times we find ourselves in. SonicWall is a Silver Sponsor of this year’s event, which will take place May 17-20.

The theme of RSA Conference 2021? Resilience.

“2020 tested us — it didn’t break us. We’re an industry built on resilience, a sector that adapts, innovates and evolves. But the next test is coming,” proclaims the conference website. “So let’s celebrate our strengths, share what we’ve learned and expand our community to continue protecting what matters most.”

A special live session, “Discord, Generation Z’s Hacking University,” provides a first-hand look at what one of the next tests might be. On Wednesday, May 19, at 1:30 p.m. PDT (Session ID: HT-W14), SonicWall Senior Strategist Brook Chelmo will highlight how the next generation of hackers is more ambitious and better-equipped than any that preceded them.

“Gen Z hackers are younger, have access to more resources and are more formidable than those who came before them,” Chelmo said. “Social media platforms like Discord and Telegram have become a hotbed for them to leverage as they ramp up efforts to spread highly sophisticated ransomware and malware with little to no chance of being caught.”

Though the easy availability of hacker tools has made malicious hacking easier than ever, Chelmo believes there are still a number of ways those in the cybersecurity industry can convince these young hackers to use their considerable knowledge for the betterment of all.

As these young and promising ethical hackers begin to take their place in the cybersecurity world, they’ll do so alongside powerful AI and machine-learning tools — some of which are already proving themselves worthy defenders, like SonicWall’s patented Real-Time Deep Memory Inspection (RTDMI™) technology.

During the first of two virtual briefing sessions, titled “Disrupting the Malware Business: How to Stop Evasive Malware with Memory Analysis,” SonicWall Vice President, Platform Architecture, Dmitriy Ayrapetov will focus on evasive threats, what makes them pervasive and how we can use RTDMI and other tools to stop them.

“Malware is a lucrative business in which cybercriminals expect a high return for their time and effort in coordinating and launching a successful attack, with a lot of effort being put into evasion of existing security tools,” Ayrapetov said. “Real-Time Deep Memory Inspection is a vital weapon to catch such evasive attacks early in the malware campaign.”

Attendees also will get a closer look at what some of these evasive threats are during the second virtual briefing session, when Chelmo discusses the findings in the recently released 2021 SonicWall Cyber Threat Report. Drawn from SonicWall Capture Labs telemetry data collected from millions of sensors worldwide, these findings show record increases across several threat types, and reveal which areas and which industries were worst hit by threats such as ransomware, IoT malware, cryptojacking and more.

During the conference, ticketholders will also have the opportunity to hear from a number of high-profile keynote speakers, including Apple co-founder Steve Wozniak and executives from Johnson & Johnson, Google Cloud and SolarWinds.

And as always, attendees will have the opportunity to connect with SonicWall reps, attend booth briefings, receive digital materials and speak with cybersecurity experts at the Digital Expo, which will be open Monday-Wednesday, 10 a.m. to 4 p.m. PDT, and Thursday 10 a.m. to 2 p.m. PDT.

With all the changes the past year has brought to the world of cybersecurity, RSA Conference 2021 will definitely be one you don’t want to miss. We look forward to connecting to you during the conference — in the meantime, if you’d like more information or want to schedule a meeting with a SonicWall cybersecurity expert, please visit www.sonicwall.com/events/rsa.

Apache OFBiz Vulnerability

Overview:

  Apache OFBiz is an open source enterprise resource planning (ERP) system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise. Apache OFBiz is a framework that provides a common data model and a set of business processes. Beyond the framework itself, Apache OFBiz offers the following functionality:

  • Accounting (agreements, invoicing, vendor management, general ledger)
  • Asset maintenance
  • Catalogue and product management
  • Facility and warehouse management system (WMS)
  • Manufacturing execution / manufacturing operations management (MES/MOM)
  • Order processing
  • Inventory management
  • Automated stock replenishment etc.
  • Content management system (CMS)
  • Human resources (HR)
  • People and group management
  • Project management sales force automation
  • Work effort management
  • Electronic point of sale (ePOS)
  • Electronic commerce (eCommerce) and scrum (development)

  An insecure deserialization vulnerability has been reported in Apache OFBiz. This vulnerability is due to Java serialization issues when processing requests. A remote unauthenticated attacker can exploit this vulnerability by sending a crafted request.

  Successful exploitation would result in arbitrary code execution.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-30128.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.7 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  An insecure deserialization vulnerability exists in Apache OFBiz. This vulnerability is due to missing input validation for malicious payloads sent in the “cus-obj” XML element when an HTTP request is sent to the “/webtools/control/SOAPService” Request-URI, combined with a bypass of the class whitelist enforced by the Java class “org.apache.ofbiz.base.util.SafeObjectInputStream”.

  Requests sent to this endpoint are initially handled by the Java class “org.apache.ofbiz.webapp.control.RequestHandler”, which determines the mapping for the URL. Next, the invoke() method is called in the “org.apache.ofbiz.webapp.event.SOAPEventHandler” class. This method calls the deserialize() method in the Java class “org.apache.ofbiz.service.engine.SoapSerializer”, which in turn calls the deserialize() method in the Java class “org.apache.ofbiz.entity.serialize.XmlSerializer”.

  The SOAP XML parsing is implemented in the deserializeSingle() method of the Java class “org.apache.ofbiz.entity.serialize.XmlSerializer”. If the tag name is “cus-obj”, the value of that XML element is stripped of all space and colon ‘:’ characters by the fromHexString() method of the Java class “org.apache.ofbiz.base.util.StringUtil”, and the resulting byte array is passed to the getObject() method in the Java class “org.apache.ofbiz.base.util.UtilObject”. This method then calls the getObjectException() method in the same class, where the insecure deserialization can occur.

  Note that the code in the getObjectException() method uses a custom class, “org.apache.ofbiz.base.util.SafeObjectInputStream”, which extends the Java standard library class ObjectInputStream. SafeObjectInputStream employs a whitelist of classes that are allowed to be deserialized: it allows deserialization of any class whose name contains the string “java.”.

  Also, the overridden resolveClass() method in this class calls the custom loadClass() method in the Java class “org.apache.ofbiz.base.util.ObjectType”. The code in loadClass() removes from the requested class name any text following and including the character ‘<’, so that generic type names can be loaded. Additionally, the deserialization logic in the JDK standard library class ObjectStreamClass checks only the portion of the class name after the last ‘.’ character before deserializing (it does not compare the entire class name). Therefore, an attacker can craft a serialized object with a slightly altered class name that bypasses both the whitelist and the JDK check that is meant to ensure the correct class is deserialized.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a malicious HTTP request containing a crafted XML payload in the body of the request. Since OFBiz also uses vulnerable versions of the Apache Commons BeanUtils or ROME libraries, an attacker can build the malicious XML payload with the ysoserial gadget tool, changing all the class names in the serialized object as described above.

  Successful exploitation of this vulnerability could result in arbitrary code execution in the context of the user running the application.
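The three name checks just described, and how one altered class name slips through all of them, modelled in Python as an added example (not OFBiz or JDK code, which are Java; the functions reproduce only the string logic of SafeObjectInputStream.resolveClass, ObjectType.loadClass and the JDK's ObjectStreamClass.classNamesEqual). The class names are constructed placeholders: com.example.gadgets.GadgetClass stands for any gadget class that is on the classpath but not on the whitelist. A stricter resolver that anchors the allowlist to the start of the full name and refuses anything that is not a plain binary class name is shown alongside as a hardening suggestion, not as the project's fix.

```python
import re

# Constructed placeholder: a class present on the classpath but absent from
# the whitelist (stands in for a Commons BeanUtils or ROME gadget class).
GADGET_CLASS = "com.example.gadgets.GadgetClass"


def vulnerable_allows(stream_name: str) -> bool:
    """Whitelist as the text describes it: an unanchored substring match,
    so any name containing 'java.' anywhere is accepted."""
    return "java." in stream_name


def load_class(stream_name: str) -> str:
    """ObjectType.loadClass: drop '<' and everything after it, so a name
    carrying generic type parameters still resolves to the raw class."""
    return stream_name.split("<", 1)[0]


def jdk_names_equal(stream_name: str, local_name: str) -> bool:
    """ObjectStreamClass.classNamesEqual: compare only the text after the
    last '.' of the stream name against the same-length region of the local
    name (String.regionMatches semantics, so an empty suffix always matches)."""
    i1 = stream_name.rfind(".") + 1
    i2 = local_name.rfind(".") + 1
    length = len(stream_name) - i1
    if i2 + length > len(local_name):
        return False
    return stream_name[i1:] == local_name[i2:i2 + length]


def vulnerable_resolve(stream_name: str):
    """Class the vulnerable path would go on to deserialize, or None."""
    if not vulnerable_allows(stream_name):
        return None
    local = load_class(stream_name)
    if not jdk_names_equal(stream_name, local):
        return None
    return local


# --- stricter resolver (hardening suggestion for the demonstration) --------

ALLOWED_PREFIXES = ("java.",)  # example allowlist, an assumption of this demo
BINARY_CLASS_NAME = re.compile(r"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*", re.ASCII)


def hardened_resolve(stream_name: str):
    """Reject anything that is not a plain binary class name (no '<', no
    separators, no whitespace), anchor the allowlist at the start of the full
    name, and insist that the resolved class name equals the stream name."""
    if not BINARY_CLASS_NAME.fullmatch(stream_name):
        return None
    if not stream_name.startswith(ALLOWED_PREFIXES):
        return None
    local = load_class(stream_name)
    return local if local == stream_name else None


if __name__ == "__main__":
    for name in (GADGET_CLASS,
                 GADGET_CLASS + "<java.",
                 GADGET_CLASS + "<java.lang.Object>",
                 "com.example.gadgets.java.GadgetClass",
                 "java.util.HashMap"):
        print(f"{name!r:48} vulnerable={vulnerable_resolve(name)!r:40} "
              f"hardened={hardened_resolve(name)!r}")
```

Two things fall out of running it. First, the '<' trick only works when the altered name ends in '.', because classNamesEqual then compares an empty suffix and passes; a name such as GadgetClass<java.lang.Object> is stopped by the JDK check even though it passes the whitelist. Second, the substring whitelist fails on its own: a gadget living in a package named java (com.example.gadgets.java.GadgetClass) is accepted without any generics trick at all, which is why the hardened variant anchors the match at the start of the full name.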

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • The attacker must have network connectivity to the vulnerable server.

Triggering Conditions:

  The attacker sends an HTTP request containing a maliciously crafted serialized object within the SOAP data to the affected target. The vulnerability is triggered when the server deserializes the data.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP and HTTPS, over ports 8080/TCP and 8443/TCP respectively

SonicWall's Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 14804 Apache OFBiz Insecure Deserialization 1
  • IPS: 14805 Apache OFBiz Insecure Deserialization 2
  • IPS: 15485 Apache OFBiz Insecure Deserialization 3
  • IPS: 15548 Apache OFBiz Insecure Deserialization 4
  • IPS: 15549 Apache OFBiz Insecure Deserialization 5

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Blocking communication between Apache OFBiz and untrusted networks.
    • Updating to a non-vulnerable version of the product.
    • Filtering attack traffic.

The vendor has released the following advisory regarding this vulnerability:
https://ofbiz.apache.org/security.htm

Cybersecurity News & Trends – 05-07-21

This week’s news was full of attacks on government — including the Alaskan state government, the Belgian federal government and the U.S. Agency for Global Media.

SonicWall in the News

SonicWall Capture ATP aces latest ICSA Lab test, finds more malware — The Evolving Enterprise

  • After 35 days of testing and 1,741 total tests, the multi-engine SonicWall Capture ATP sandbox service with RTDMI received a perfect score in the latest ICSA Labs Advanced Threat Defense test.

Video: 10 Minute IT Jams – SonicWall manager dissects zero trust security — Security Brief Asia

  • SonicWall Head of Presales for APAC Yuvraj Pradhan discusses the importance of zero-trust and its role in the future of cybersecurity.

Industry News

Belgian government, parliament, colleges hit by cyberattack — The Washington Times

  • The company providing internet services for Belgium’s parliament, government agencies, universities and scientific institutions announced that its network was under cyberattack.

CISA used new subpoena power to contact US companies vulnerable to hacking — Cyberscoop

  • The Department of Homeland Security’s cybersecurity agency used a new subpoena power for the first time to contact at least one U.S. internet service provider with customers whose software is vulnerable to hacking.

New Spectre attack once again sends Intel and AMD scrambling for a fix — Ars Technica

  • A new transient-execution variant is the first to exploit micro-op caches.

Panda Stealer dropped in Excel files, spreads through Discord to steal user cryptocurrency — ZDNet

  • The malware homes in on cryptocurrency funds as well as VPN credentials.

U.S. Agency for Global Media data breach caused by a phishing attack — Bleeping Computer

  • The U.S. Agency for Global Media (USAGM) has disclosed a data breach that exposed the personal information of current and former employees and their beneficiaries.

Alaska Court System briefly forced offline amid cyber threat — The Washington Times

  • The Alaska court system temporarily disconnected most of its operations from the internet after a cybersecurity threat on Saturday that included attacks on its website; the ability to look up court records online was among the services taken down.

TurgenSec finds 345,000 files from Filipino solicitor-general’s office were breached — ZDNet

  • Sensitive documents from the solicitor-general of the Philippines, including information on ongoing legal cases and passwords, were breached and made publicly available online, a UK security firm has said.

Digital Dollar Project to launch five U.S. central bank digital currency pilots — The Wall Street Journal

  • The U.S. nonprofit Digital Dollar Project said on Monday it will launch five pilot programs over the next 12 months to test the potential uses of a U.S. central bank digital currency, the first effort of its kind in the United States.

NSA Issues Guidance on Securing IT-OT Connectivity — Security Week

  • The NSA’s advisory, “Stop Malicious Cyber Activity Against Connected Operational Technology,” addresses the Department of Defense, national security system and defense industrial base organizations — but the recommendations can be useful to any industrial company.

Pulse Secure fixes VPN zero-day used to hack high-value targets — Bleeping Computer

  • Pulse Secure has fixed a zero-day vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance that is being actively exploited to compromise the internal networks of defense firms and government agencies.

New Buer Malware Downloader Rewritten in E-Z Rust Language — Threat Post

  • It’s coming in emails disguised as DHL Support shipping notices and is apparently getting prepped for leasing on the underground.

Codecov starts notifying customers affected by supply-chain attack — Cyberscoop

  • Codecov has started notifying the maintainers of software repositories, via both email and the Codecov application interface, that the company believes the affected repositories were downloaded by threat actors.

US prosecutors fine German software company for violating sanctions against Iran — The Hill

  • Software giant SAP SE agreed to pay over $8 million as part of the resolution with the Department of Justice, Commerce Department and Treasury Department, authorities said.

Researchers find two dozen bugs in software used in medical and industrial devices — Cyberscoop

  • Microsoft researchers have discovered some two dozen vulnerabilities in software embedded in popular medical and industrial devices that an attacker could use to breach those devices, and in some cases cause them to crash.

In Case You Missed It