Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

RNC Sues Google

The Republican National Committee has sued Google for allegedly directing the emails it send straight to users' spam folders. According to its filing in the US District Court in Califormia, Google is discriminating against the party by "throttling its email messages because of the RNC's political affiliation and views".

In rejecting the claims, the tech giant retorted, "As we have repeatedly said, we simply don't filter emails based on political affiliation. Gmail's spam filters reflect users' actions".

"We provide training and guidelines to campaigns, we recently launched an FEC (Federal Electrion Commission) -approved pilot for political senders, and we continue to work to maximize email deliverability while minimizing unwanted spam", said Google spokesperson José Castañeda.

Binoy, Rhea et. al., Republican National Committee sues Google over email spam filters, Reuters, 25 October 2022. Available online at https://www.reuters.com/world/us/republican-national-committee-sues-google-over-email-spam-filters-2022-10-22/.

CVSS 9.8 RCE Vulnerability in HyperSQL Database

Researchers at Code Intelligence have discovered a potential remote code execution vulnerability in all versions up to and including 2.7.0 of the HyperSQL database (HSQLDB). This is a critical vuln for two reasons: a) a CVSS score of 9.8 and b) the fact that HSQLDB is used in thousands of popular packages and programs, including LibreOffice, JBoss, Log4j, Hibernate, Spring-Boot - itself used in thousands of other products - and many others..

The vulnerability, which is recorded as CVE-2022-41853, is in the parsing procedure for binary and text format data processed by the java.sql.Statement and java.sql.PreparedStatement classes, and can be used to call any static method from any Java class in the classpath.

A fix will be available in HSQLDB version 2.7.1 and later; meanwhile, the issue can be remediated by defining the hsqldb.method_class_names property.

Wagner, Roman, Potential Remote Code Execution Vulnerability Discovered in HSQLDB, blog post, 10 October 2022. Available online at https://www.code-intelligence.com/blog/potential-remote-code-execution-in-hsqldb.

Exploits In The Wild for Cisco AnyConnect Secure Mobility Client

Cisco has advised customers to urgently update installations of the Cisco AnyConnect Secure Mobility Client for Windows, following the discovery by their product security incident response team of exploits circulating in the wild. The related vulnerabilities have been known for over two years, so a patch has long been available.

The two vulnerabilities allow the copying of user-supplied files to system directories, and the hijacking of DLL's. Put together, the two allow injection of arbitrary code and its execution with SYSTEM privileges. Although authentication is required, this would allow privilege escalation.

Uncredited, Cisco AnyConnect Secure Mobility Client for Windows Uncontrolled Search Path Vulnerability, Security Advisory, 25 October 2022. Available online at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj.

Uncredited, Cisco AnyConnect Secure Mobility Client for Windows DLL Hijacking Vulnerability, Security Advisory, 25 October 2022. Available online at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-F26WwJW.

Event Log Vulnerabilities Can Lead to DoS

Two rather curious exploits discovered by Varonis can allow an attacker to crash the Event Log service of any Windows machine, or even DoS the machine by filling the hard drive space.

The two vulnerabilities exploit a vulnerability in the OpenEventLogW API which allows a user to open a handle for an event log on a local or remote machine. By default, non-privileged users cannot get a handle for event logs on remote machines - with one exception, the legacy "Internet Explorer" log, which still exists and has its own security descriptor that overrides the default permissions.

Varonis' researchers came up with two PoC exploits; LogCrusher will crash the Event Log on a remote machine, stopping logging and leaving security controls in the dark, while OverLog repeatedly backs up spurious entries created in the Internet Explorer Event Log to a file, eventually filling the hard drive and preventing the machine from swapping to disk.

Microsoft has responded with a patch that restricts the OpenEventLogW API remote access to the IE Event Log to local administrators only, reducing the likelihood of exploitation. We have often referred to Internet Explorer as a cancer wrapped around the heart and lungs of Windows; its eradication is proving difficult.

Taler, Dolev, The Logging Dead: Two Event Log Vulnerabilities Haunting Windows, blog post, 25 October 2022. Available online at https://www.varonis.com/blog/the-logging-dead-two-windows-event-log-vulnerabilities.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.