Our cyber blog ‘Xcina on Security’ encourages teams to engage in essential cybersecurity discussions and prepare for rising threats. Peter Lane, our Information Security Consultant writes on news, providing commentary covering a range of cyber security-related issues making the headlines.
Know Your (Network) Ingredients
Whilst some large organisations have dedicated teams to create their own tools and solutions, many rely on software or products purchased from third party vendors. However, the more of these purchased products organisations use, the more difficult it is for them to keep track of all the attributes and elements that are contained within them. Security in software supply chains is very important.
When vulnerabilities are identified with tools and solutions used within networks, organisations need to know where it is in the first place in order to know what to do about it.
This week Google announced the opening of GUAC (Graph for Understanding Artifact Composition).
GUAC is a collaboration of industry leading experts to study software supply chain management. Google, IBM, Intel and others will focus on creating data sets of each software’s build, security and dependency.
How Significant is This?
This effort is one is the most significant acts implemented by industry leaders to help address the explosion in software supply chain attacks — most notably the widespread Log4j vulnerability that is still exposing organisations across the world exposed to further attacks.
This follows the executive order in 2021 by United States of America President Joe Biden for all US government agencies to create a Software Bill of Materials (SBOM) to identify all components within their environments and report them to NIST.
A comparison has been drawn to nutrition labels on food. Many people around the world search through these to identify what is in their food but a remarkably low number of organisations will know what can be found inside their networks.
What Needs to Be Done
Keeping an ‘SBOM’ will aid in identifying vulnerabilities such as Log4j once they become public. Xcina Consulting Ltd can help organisations define and implement a suitable process or identify software appropriate for its needs.
For more information on how we may help you, contact firstname.lastname@example.org.
Also this week …
Microsoft published guidance to address a recently discovered vulnerability affecting a tool [SFXv1 Web Client] used by customers to inspect and manage Azure Service Fabric clusters.
Service Fabric is an open-source project, and it powers core Azure infrastructure, and is also designed to deliver highly available and durable services at cloud-scale.
Why Is This Important?
CVE-2022-35829 – a vulnerability known as “cross-site scripting” that involves the injection of malicious code into otherwise benign and trusted websites would allow an attacker to gain full “administrator” permissions on the Service Fabric cluster.
How This Affects You
It is believed that this has not yet been exploited and in fact, it would require organisations to manually switch to a different version of the system.
Xcina Consulting advises organisations to inform their employees to take appropriate measures to prevent any possible exploitation.
Organisations should determine if they are running the SFXv1 Web client. A vulnerable version of Service Fabric Explorer (SFXv1) has the URL that ends in “old.html”.
If organisations are on an unsupported version of Service Fabric Runtime (8.1.316 and below), they are vulnerable to attacks.
Microsoft will be releasing an update to remove the weak configuration and we will be monitoring this closely and share any further updates.
Why is this Important?
Fortinet issued a communication regarding the weakness on 6th October 2022, however since then there has been widespread exploitation of the vulnerability.
CVE-2022-40684 may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests
Fortinet recommends that customers validate their configuration with their Network departments.
About the Author
Connect on LinkedIn
Learn more about the principles that underpin this topic. To discuss how the above impact your business, get in touch with our team. We provide our clients with pragmatic advice and support to help them achieve a robust and defensible position.
Other articles from Peter and the Information Security team can be found here.