Security Snacks #17 – SolarWinds RCE, NAT Slipstream v2 & Accellion under attack

By Anna Hammond

February 5, 2021

Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.


Supply chain attacks seem to be the new normal. Just this week… 1.6 million US unemployment claims were exposed because of vulnerabilities in legacy software used by the Washington State Auditor’s Office. In parallel to the campaign attributed to Russian state-sponsored hackers, suspected Chinese attackers also targeted SolarWinds to hack a US government agency. And a bug in an encryption library used by GnuPG could’ve had serious impact if it weren’t for a Google Project Zero researcher.

Read on for details!

Notable Security News

SolarWinds patches vulnerabilities that could allow full system control

Three new vulnerabilities were discovered in SolarWinds products by a Trustwave SpiderLabs researcher. The most serious bug results in unauthenticated remote code execution.

The CISA director announced that 30% of “SolarWinds hack” victims didn’t actually use SolarWinds.

Investigations revealed that, independently of the previously disclosed operations, suspected Chinese hackers also exploited SolarWinds vulnerabilities to hack at least one US government agency.

Lastly, members of the US Congress are asking the NSA to share what it knows about the 2015 Juniper Networks supply chain attack. They want to know whether an encryption backdoor introduced in Juniper by the NSA played any role in the hack.

SonicWall fixes actively exploited SMA 100 zero-day vulnerability

SonicWall is warning about a zero-day in its SMA 100 devices that was reported by NCC Group and is being exploited in the wild. The vulnerability allows attackers to gain admin privileges on the device’s management interface and then achieve remote code execution. The good news is that patches are already available.

The Accellion Mess: What Went Wrong?

Several unpatched vulnerabilities in Accellion’s legacy File Transfer Appliance resulted in multiple data breaches. After New Zealand’s Reserve Bank, the latest victim is the Washington State Auditor’s Office. The personal information of 1.6 million people who filed for unemployment benefits was exposed.

Knock, knock. Who’s there? NAT. Nat who? A NAT URL-borne killer

Researchers at Armis developed a new variant of the NAT Slipstreaming attack first disclosed in October by Samy Kamkar. The original attack, triggered by JavaScript running on a malicious site, allowed remote access from the Internet to victims’ machines, bypassing NAT and firewall defenses. NAT Slipstream v2 allows access not only to a victim’s device but also to any internal IP on the network. This means that any embedded, unmanaged devices like printers or IP cameras would be reachable by attackers.

Critical Libgcrypt Crypto Bug Opens Machines to Arbitrary Code

Google Project Zero’s Tavis Ormandy found a critical heap buffer overflow vulnerability in Libgcrypt, the open-source encryption library used by GnuPG. It leads to remote code execution and is “easily exploitable”.

Other Interesting News

The good

The bad

And some ethically reported bugs
