Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Confluence 0-day Exploited; Atlassian Releases Updates
A newly-discovered 0-day vulnerability - CVE-2023-22515 - in Confluence Data Center and Confluence Server is under active exploitation. Atlassian considers the vulnerability to be critical, and stated in an advisory:
Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.
Atlassian has rushed out new versions of Confluence Data Center and Confluence Server which fix the vulnerability: versions 8.3.3, 8.4.3 and 8.5.2. Customers are urged to update to these (or later) versions. Versions prior to 8.0.0 are unaffected, as are Atlassian Cloud sites (i.e. those hosted by Atlassian in the atlassian.net domain).
Atlassian's security advisory also provides a suggested reconfiguration for mitigation on those installations which are unable to update immediately, as well as some IOC's.
Atlassian, CVE-2023-22515 - Privilege Escalation Vulnerability in Confluence Data Center and Server, security advisory, 4 October 2023. Available online at https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html.
CISA, NSA Developer and Vendor Guidance on IAM
A new publication written by the Enduring Security Framework - a CISA- and NSA-led public/private cross-sector working group - addresses the key challenges faced by developers and vendors in easing the adoption and secure deployment of multi-factor authentication and single-sign-on technologies. The report focuses on technical gaps and challenges, enabling developers and integrators to refine their existing tools to address these and, if necessary, develop new tools, but also touches on non-technical issues like cost, staffing and user experience.
Among the key issues identified is MFA terminology and definitions. For example, "2-step verification", "two-factor authentication" and "multi-factor authentication" are used interchangably, along with vague terms like "push notification" which do not map cleanly to technical security properties such as those defined in NIST SP 800-63. This makes it difficult for customers to compare a range of technologies with subtle technical differences and different levels of assurance.
Both vendors and customers often exclude public-key infrastructure from consideration as MFA, a point I often make during classes: to log in to various servers, I have to have both my SSH private key (something I have) and the passphrase which unlocks that key (something I know) - does that count as two factor authentication? Audiences are divided, but this report takes the view that it does.
The report also discusses the complexity and usability challenges for SSO and federated identity management, such as the tradeoffs between functionality, complexity and usability, and the issues of ensuring SSO can enable secure MFA across all use cases, including privileged access, such as high-level admin accounts used in setting up SSO itself.
The report concludes with 11 recommendations, from standardization of terminology to further research into development of a secure-by-default, easy to use, SSO system to address the gaps in the market.
CISA, CISA and NSA Release New Guidance on Identity and Access Management, cybersecurity advisory, 4 October 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/10/04/cisa-and-nsa-release-new-guidance-identity-and-access-management. PDF report directly available online at https://media.defense.gov/2023/Mar/21/2003183448/-1/-1/0/ESF%20IDENTITY%20AND%20ACCESS%20MANAGEMENT%20RECOMMENDED%20BEST%20PRACTICES%20FOR%20ADMINISTRATORS%20PP-23-0248_508C.PDF.
Apple Rushes Out Kernel Fix
Apple has released an emergency security update for iPhones and iPads, following discovery of a 0-day vulnerability which was being actively exploited. The vulnerability, CVE-2023-42824, in the XNU kernel, allowed a local privilege escalation; Apple said that "this issue may have been actively exploited against versions of iOS before iOS 16.6".
The update also fixes CVE-2023-5217, a heap buffer overflow vulnerability in libvpx.
Apple, About the security content of iOS 17.0.3 and iPadOS 17.0.3, security advisory, 4 October 2023. Available online at https://support.apple.com/en-us/HT213961.
Upcoming Courses
- SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
- SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.