Blog entry by Les Bell

by Les Bell - Monday, November 14, 2022, 8:43 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


NSA Wants to Finally Kill Buffer Overflows

The National Security Agency has produced a very useful information sheet with guidance for software developers to prevent and mitigate memory safety issues, which underlie the majority of exploitable vulnerabilities.

The most well-known memory safety problem is the buffer overflow, which can be used to place an attacker's code onto the stack and get it executed. But there are other problems: failing to balance the allocation and freeing of memory, which leads to memory leaks, and memory corruption through double-freeing or attempts to use memory after it has been freed.
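As an added illustration (not code from the NSA information sheet or from this post), a constructed C example of the two defensive idioms that address the defects described above: a bounded copy that refuses oversize input instead of overflowing, and a release routine that clears the caller's pointer so a repeated free is a no-op rather than heap corruption. The helper names copy_name and release are assumptions for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16

/* The unsafe pattern the guidance targets looks like
 *     strcpy(rec->name, src);
 * which writes past name[] whenever src is NAME_LEN bytes or longer.
 * copy_name never reads or writes beyond dst_len; it returns 0 on success
 * and -1 when src would not fit, so the caller can reject the input. */
int copy_name(char *dst, size_t dst_len, const char *src) {
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')   /* bounded scan of src */
        n++;
    if (n >= dst_len)                        /* no room for the terminator */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Double-free / use-after-free discipline: free through a pointer-to-pointer
 * and null the caller's copy. A second call finds NULL and does nothing.
 * Returns 1 if memory was actually released, 0 if there was nothing to free. */
int release(char **p) {
    if (*p == NULL)
        return 0;
    free(*p);
    *p = NULL;
    return 1;
}

int main(void) {
    char name[NAME_LEN];
    const char *too_long = "this-string-is-much-longer-than-sixteen-bytes";

    if (copy_name(name, sizeof name, too_long) != 0)
        printf("rejected oversize input of %zu bytes\n", strlen(too_long));
    if (copy_name(name, sizeof name, "alice") == 0)
        printf("copied: %s\n", name);

    char *buf = malloc(32);
    release(&buf);                 /* frees and nulls buf */
    release(&buf);                 /* no-op: the pointer is already NULL */
    return 0;
}
```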

The NSA wants to drive the adoption of memory safe languages, which protect programmers (and their users) from these issues. Many of these languages, such as Java, C#, Ruby and Swift, are already popular for application programming, but we are now seeing the adoption of systems programming languages which offer similar advantages, such as Go and Rust. The NSA also recommends the use of both static and dynamic application security testing tools.

The NSA's information sheet is written at a suitable level for senior managers and project managers - the people who are able to drive the selection of languages for development projects. Developers really should already know this stuff.

NSA Media Relations, NSA Releases Guidance on How to Protect Against Software Memory Safety Issues, press release, 10 November 2022. Available online at https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3215760/nsa-releases-guidance-on-how-to-protect-against-software-memory-safety-issues/.

Alleged Lockbit Ringleader Arrested

The US Department of Justice has unsealed a criminal complaint filed in the District of New Jersey, charging a dual Russian and Canadian national for his alleged participation in the Lockbit global ransomware campaign. Mikhail Vasiliev, 33, of Bradford, Ontario, is charged with conspiracy to intentionally damage protected computers and to transmit ransom demands, and if convicted, faces a maximum of five years in prison.

According to court documents, Lockbit first appeared around January 2020, and has become one of the most active and destructive ransomware variants, having been deployed against as many as a thousand victims in the US and around the world. The Lockbit members have made at least $US100 million in ransom demands.

Vasiliev is currently in custody in Canada, awaiting extradition to the US, following a long investigation by the FBI Newark Field Office, Newark Cyber Crimes Task Force, with assistance from the FBI Atlanta Field Office, the FBI Pittsburgh Field Office, the FBI Miami Field Office, the FBI’s Legal Attaché-Ottawa, the Jersey City Police Department, the New Jersey State Police, the New Jersey Office of Homeland Security and Preparedness and the DoJ's Office of International Affairs.

DoJ Office of Public Affairs, Man Charged for Participation in LockBit Global Ransomware Campaign, press release, 10 November 2022. Available online at https://www.justice.gov/opa/pr/man-charged-participation-lockbit-global-ransomware-campaign.

Three Vulns in Popular Web Server

Palo Alto Networks' Unit 42 researchers have discovered three different vulnerabilities in the open source OpenLiteSpeed Web Server, and confirmed that these also affect the enterprise version, LiteSpeed Web Server. Together, these medium and high severity vulns can be chained to gain root privileges and remote code execution on the server - and with approximately 1.9 million instances of LiteSpeed Server on the Internet, the impact could be high.

The three vulnerabilities are

Unit 42 disclosed the vulnerabilities to LiteSpeed Technologies, which has released patches: version v1.7.16.1 for OpenLiteSpeed and version 6.0.12 for LiteSpeed. The fixes mainly improve some sanitization regular expressions as well as correct the setting of a PATH environment variable.

Avetisyan, Artur, Aviv Sasson, Ariel Zelivansky and Nathaniel Quist, Unit 42 Finds Three Vulnerabilities in OpenLiteSpeed Web Server, blog post, 10 November 2022. Available online at https://unit42.paloaltonetworks.com/openlitespeed-vulnerabilities/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.