Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Acer Confirms Breach

It seems like only yesterday we reported on the alleged exfiltration of 160 GB of assorted product information and strategic presentations from Taiwanese tech manufacturer Acer. (Oh, wait - it was.)

Now Acer has confirmed the breach, adding that they had "detected an incident of unauthorized access to one of our document servers for repair technicians. ... While our investigation is ongoing, there is currently no indication that any consumer data was stored on that server". It seems that the breach is confined to Acer's intellectual property.

Hardcastle, Jessica Lyons, Acer confirms server intrusion after miscreant offers 160GB cache of stolen files, The Register, 8 March 2023. Available online at https://www.theregister.com/2023/03/08/acer_confirms_server_breach/.

Microsoft Introduces Local Security Authority Protection

The Local Security Authority (LSA) Subsystem process - lsass.exe - is responsible for enforcing the security policy on a Windows system. It authenticates users logging on, handles password changes and creates access tokens. In short, if an attacker can compromise this process, they own you and the machine, and possibly a chunk of your network.

The latest pre-release, Windows 11 Insider Preview Build 25314, released yesterday to the Canary Channel, adds a new feature called Local Security Authority protection. This prevents an entire class of attacks by preventing unsigned drivers and plugins from loading into the LSA. This could potentially cause some incompatibilities, but Microsoft says the company will audit for a period of time to check for these and if no incompatibilities are detected, LSA protection will automatically be turned on.

The setting for this can be seen in the Windows Security application under "Device Security" -> "Core Isolation".

Another security improvement in this build is the disabling of the Remote Mailslot Protocol. Mailslots were the NetBIOS equivalent of the UDP protocol - a simple, connectionless protocol - and hardly anything uses it these days.

Langowski, Amanda and Brandon LeBlanc, Announcing Windows 11 Insider Preview Build 25314, blog post, 8 March 2023. Available online at https://blogs.windows.com/windows-insider/2023/03/08/announcing-windows-11-insider-preview-build-25314/.

Jenkins Vulnerabilities Allow RCE

Jenkins is an extremely versatile open-source cloud automation and orchestration server which is a near-essential part of the DevOps pipeline. Perhaps the key to its flexibility is its support for plugins. Now researchers at Aqua Nautilus have discovered a chain of vulnerabilities which they have dubbed CorePlague, in Jenkins Server and Update Center. Exploitation of these vulnerabilities - CVE-2023-27898 and CVE-2023-27905 - can allow an unauthenticated attacker to execute arbitrary code on the Jenkins server, leading to complete compromise of the system.

The key to the vulnerabilities is a stored XSS exploitable by a Jenkins plugin with a malicious core version, which the attackers upload to the Jenkins Update Center. The vulnerability will be triggered when the victim opens the Available Plugin Manager on their Jenkins Server, when the XSS allows the attacker to run arbitrary code using the Script Console API. The exploitation does not require the manipulated plugin to be installed - the malicious plugin could simply be on the public Jenkins Update Center.

The Jenkins team were notified back in January, and have issued patches for both the Jenkins Server and for the Jenkins Update Center. Users should check their server versions and update.

Goldman, Ilay and Yair Kadkoda, CorePlague: Severe Vulnerabilities in Jenkins Server Lead to RCE, blog post, 8 March 2023. Available online at https://blog.aquasec.com/jenkins-server-vulnerabilities.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.