Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
NIST Selects Algorithm as Lightweight Cryptography Standard
Since 2018, the National Institute of Standards and Technologies has been working with industry and academic researchers in a multi-round review process to select a standard algorithm for protecting information created and transmitted on the Internet of Things.
While some devices on the IoT, such as cloud and fog computing services, have plenty of compute power, others, such as tiny sensors and actuators, have to operate on small batteries for periods of months or years. At the extreme low-power end we find such things as embedded medical devices, stress sensors inside roads and bridges and keyless entry fobs for cars, and these need 'lightweight' cryptographic algorithms which provide an acceptable level of security, but coupled with compact code size and memory usage, low energy consumption and acceptable speed.
The NIST review process started with 57 submissions, which were whittled down to 10 finalists before the final winner was selected. [Reaches for sealed envelope.] And the winner is . . . Ascon, a family of seven different algorithms, of which some or all will become part of the NIST lightweight cryptography standard. Ascon was developed in 2014 by a team of cryptographers from Graz University of Technology, Infineon Technologies, Lamarr Security Research and Radboud University, and had already been selected as the primary choice for lighweight authenticated encryption in the CAESAR competition, so it has a strong pedigree.
Authenticated encryption with associated data (AEAD) assures confidentiality of its encrypted payload, but also assures the authenticity of origin of associated data such as plaintext message headers and routing information. For higher-powered devices, these functions are typically performed by AES (FIPS 197) in Galois Counter Mode (SP 800-38D), but Ascon provides a good replacement for IoT devices. Similarly, while SHA2-256 is a widely-used hashing algorithm, Ascon fits the bill well for low-powered devices.
Uncredited, NIST Selects ‘Lightweight Cryptography’ Algorithms to Protect Small Devices, news release, 7 February 2023. Available online at https://www.nist.gov/news-events/news/2023/02/nist-selects-lightweight-cryptography-algorithms-protect-small-devices.
Multiple XSS Vulnerabilities in Document Management Systems
Rapid7 security researcher Matthew Kienow has duscovered multiple cross-site scripting (XSS) vulnerabilities in on-premises installations of open-source and freemium document management systems from four different vendors. The vulnerabilities and their statuses are listed below
Vendor | Product | Version | CVE Number |
Patch Status |
---|---|---|---|---|
ONLYOFFICE | Workspace | 12.1.0.1760 | CVE-2022-47412 | Unpatched |
OpenKM | OpenKM | 6.3.12 | CVE-2022-47413 | Unpatched |
OpenKM | OpenKM | 6.3.12 | CVE-2022-47414 | Unpatched |
LogicalDOC | LogicalDOC CE/Enterprise | 8.7.3/8.8.2 | CVE-2022-47415 | Unpatched |
LogicalDOC | LogicalDOC CE/Enterprise | 8.8.2 | CVE-2022-47416 | Unpatched |
LogicalDOC | LogicalDOC CE/Enterprise | 8.7.3/8.8.2 | CVE-2022-47417 | Unpatched |
LogicalDOC | LogicalDOC CE/Enterprise | 8.7.3/8.8.2 | CVE-2022-47418 | Unpatched |
Mayan | Mayan EDMS | 4.3.3 | CVE-2022-47419 | Unpatched |
In general, the XSS vulnerabilities arise because the products are not properly sanitizing and escaping <img> and <script> elements either in the uploaded documents, the in-app messaging system, the document filename field in an upload form or elsewhere in the application.
The Rapid7 blog post provides a full explanation of each vulnerability, along with a simple proof-of-concept which users can try in order to test their own installations. The PoC safely triggers a JavaScript alert() popup, but clearly much more sophisticated exploitation is possible (and the blog post discusses a few).
Mitigation suggestions include not allowing untrusted users to upload documents, but remediation really depends upon fixes being released by the vendors - none of whom had responded in a timely fashion.
Beardsley, Tod, Multiple DMS XSS (CVE-2022-47412 through CVE-20222-47419), blog post, 7 February 2023. Available online at https://www.rapid7.com/blog/post/2023/02/07/multiple-dms-xss-cve-2022-47412-through-cve-20222-47419/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.