Cyber Month in Review November 2023

Cyber Security Month in Review: November 2023

Looney Tuneable Linux Vulnerability, CVSS 4.0 Released, NCSC Warning, 1Password Incident, and Microsoft Updates

Advice on How to Stay Cyber Secure

Jack Smallpage, Information Security Officer at CyberLab, reviews the latest cyber security news and advises how to protect your data. He covers:

• Looney Tuneable Linux Vulnerability
• CVSS 4.0 Released
• NCSC Latest Warning
• 1Password Cyber Incident
• Latest Microsoft Updates

Welcome back to this month’s security in review. The world of security is always moving and evolving, with vulnerabilities, breaches and new guidance being released every day. 

The volume and complexity of some of these can sometimes be overwhelming and difficult to keep track of, so let’s use this article to help summarise some of this month’s highlights so that together, we can be more cyber aware.  

Looney Tunables – Check Your Linux!

CISA have urged admins to check their Linux instances this month after the disclosure of the “Looney Tunables” vulnerability in October. Tracked as CVE-2023-4911, the bug enables local attackers to gain root privileges by exploiting a buffer overflow weakness in the GNU C Library’s ld.so dynamic loader. 

The GNU C Library, commonly known as glibc, is a core component of most Linux systems, providing essential functions and libraries for applications. The ld.so dynamic loader is responsible for loading shared libraries into memory and linking them to the main executable at runtime. The loader operates with elevated privileges due to its necessary functions.  

The flaw arises from the GNU C Library’s handling of the GLIBC_TUNABLES environment variable, which is intended to fine-tune and optimize applications linked with glibc. According to Qualys, setting GLIBC_TUNABLES to a carefully crafted value can cause a buffer overflow, which could lead to arbitrary code execution within the loader, allowing it to be hijacked.  

Qualys confirmed that its team successfully identified and exploited the vulnerability to achieve root privileges on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13. Most other distributions are said to be affected as well, though Alpine Linux is not because it uses musl libc rather than glibc. With a CVSS score of 7.8, this high severity vulnerability has already been exploited in the wild by malicious actors, who have targeted cloud environments with malware attacks. 

What Should I do (At a Glance)  

The Looney Tunables vulnerability is a serious security issue that affects a large number of Linux systems, which are sometimes otherwise forgotten by admins (especially in the world of shadow IT). Users and administrators of Linux systems are advised to update their glibc packages as soon as possible to prevent potential attacks. 

CISA have taken this threat particularly seriously, and has ordered U.S. federal agencies to secure their systems against the Looney Tunables vulnerability by applying the available patches or mitigations within 15 days of the directive, further recommending non-federal entities to take immediate action to protect their systems from the threat as well. 

Details on this notice can be found on CISA’s page: CISA Adds One Known Exploited Vulnerability to Catalog | CISA

Read the Qualys article here: CVE-2023-4911: Looney Tunables – Local Privilege Escalation in the glibc’s ld.so | Qualys Security Blog  

---

New CVSS 4.0 Rating Standard Released 

The Forum of Incident Response and Security Teams (FIRST) has announced the release of the Common Vulnerability Scoring System (CVSS) version 4.0, a new standard for assessing and communicating the severity of software vulnerabilities. 

CVSS is an open framework that provides a way to capture the principal technical characteristics of a security vulnerability and produce a numerical score denoting its severity. The score can be translated into various levels, such as low, medium, high, and critical, to help organizations prioritize their vulnerability management processes. 

CVSS version 4.0 is the next generation of the CVSS standard, which was first introduced in 2005 and has undergone several revisions since then. The latest version incorporates feedback from the CVSS user community and introduces several changes and improvements to the previous version, including: 

• A New naming scheme has been added to identify combinations of Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE), and Base + Threat + Environmental (CVSS-BTE) 
• Finer granularity through the addition of new Base metrics and values 
• Enhanced disclosure of impact metrics 
• Temporal metric group renamed to Threat metric group 
• Threat metrics simplified and clarified 
• New Supplemental Metric Group to convey additional extrinsic attributes of a vulnerability that do not affect the final CVSS-BTE score 
• Additional focus on OT/ICS/Safety 

CVSS v4.0 aims to provide a more accurate and consistent way of measuring and communicating the severity of software vulnerabilities, as well as to address the evolving needs and challenges of the security industry. CVSS v4.0 is expected to be widely adopted by vendors, researchers, and organizations as the de facto standard for vulnerability scoring moving forward. 

What Should I do (At a Glance)  

The CVSS v4.0 specification document provides a detailed explanation of the CVSS framework, metrics, formulas, and scoring guidance, with the CVSS v4.0 calculator allowing users to generate CVSS scores using an interactive web interface. For more information, the CVSS v4.0 examples document provides a set of scored vulnerabilities to illustrate the application of CVSS v4.0. 

---

NCSC warns of enduring and significant threat to UK Infrastructure 

The National Cyber Security Centre (NCSC) has issued a warning to the UK’s critical infrastructure organisations about the increasing and unpredictable cyber threat from state-aligned groups, especially those sympathetic to Russia’s invasion of Ukraine. 

Critical infrastructure refers to the sectors that provide the country with essential services, such as water, electricity, communications, transport, finance and internet. The NCSC said that these sectors are facing an ‘enduring and significant’ threat from cyber adversaries who are not motivated by financial gain, but by ideological or political goals. 

An earlier NCSC’s alert, published back in April, said that some of these groups have stated an intent to launch ‘destructive and disruptive attacks’ that could have serious consequences for the UK’s national security and public safety. The NCSC have further seen the threat evolve over the past 18 months, partly due to the availability and capability of emerging technologies, such as artificial intelligence, and the changing geopolitical landscape, such as the challenge posed by China.  

The NCSC have more recently noted the emergence of a new class of cyber actors too, who are aligned with or influenced by state actors, but are not subject to their control or direction. These groups are often sympathetic to Russia’s further invasion of Ukraine, and the NCSC urge critical infrastructure organisations to take sensible and proportionate steps to protect themselves from the cyber threat, and to follow its guidance on how to enhance their cyber resilience. 

What Should I do (At a Glance)  

If you haven’t already, we strongly recommend visiting the following NCSC guidance page to help identify and improve your own resilience to secure your business moving forward: All topics – NCSC.GOV.UK 

More details on the recent alert as well as the 2023 NCSC annual review can be found here for further details of the landscape: NCSC warns of enduring and significant threat to UK’s… – NCSC.GOV.UK 

---

1Password Security Incident 

The popular password management platform “1Password” suffered a security breach towards the end of last month. The breach was linked to a problem with digital identity management platform Okta, which had suffered an attack on its customer support system earlier that month. 

According to 1Password, the attack was detected on September 29, 2023, by a member of its IT team after they received an email indicating that they had ordered a report including a list of all 1Password admins. The company’s incident response team was quickly engaged which found a suspicious IP address. The unknown attacker accessed the company’s Okta instance with admin privileges, but the investigation found no evidence of data exfiltration or access of any systems outside of Okta. 

What Should I do (At a Glance)  

1Password has confirmed that no customer data was compromised in the incident, and that users’ login details are safe. The company immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing. 

1Password released a public incident report on the 27th October which can be found here: Okta security incident report (public) (1password.com)

---

Another set of updates from Microsoft 

It’s been another busy month for Microsoft with yet another set of updates regarding announcements to their security, productivity, and AI offerings. We’ve listed the main ones below:  

Microsoft Copilot AI 

Microsoft has announced that its AI “Copilot” will be available for Windows 10 version 22H2 this month after the feature has already been available for Windows 11, Microsoft 365, and Bing. Copilot is a powerful productivity tool that uses generative AI to help users discover and create new content. With Copilot, users can save time and effort by prompting for information and services in one place by typing prompts in natural language or using their voice. Copilot can generate creative and innovative content that includes both text and images. 

The addition of Copilot to Windows 10 will enable organizations managing both Windows 11 and Windows 10 devices to consider the rollout of Copilot across their business for enhanced productivity.  

November Patch Tuesday 

This month’s Microsoft patch Tuesday also saw a total of 57 vulnerabilities, including 3 which are being exploited in the wild and a further 3 which are publicly disclosed. The actively exploited fixes in particular are: 

• CVE-2023-36036: A Windows Cloud Files Mini Filter Privilege Escalation bug, allowing an attacker to gain SYSTEM privileges.  
• CVE-2023-36033: A Windows DWM Core Library vulnerability also allowing an attacker to gain SYSTEM privileges.  
• CVE-2023-36025: A Windows SmartScreen Security Feature Bypass flaw that allows an attacker to bypass SmartScreen checks and their associated prompts. 

In addition to these actively exploited flaws, Microsoft have also patched 3 Critical rated vulnerabilities, with one being an Azure information disclosure, an RCE in Windows ICS, and a Hyper-V escape flaw allowing execution on the host device with SYSTEM privileges.  

If admins have not done so already, the update should be deployed across the network as soon as possible given the exposure and severity of some of the flaws within.  

MFA enforcement for admin portals 

Microsoft will soon implement Conditional Access policies that require multifactor authentication (MFA) for administrators signing into Microsoft admin portals. These policies will also require MFA for per-user MFA users for all cloud apps and for high-risk sign-ins. This is a proactive measure to protect against phishing and credential theft attacks that target privileged accounts. 

Microsoft Authenticator 

Microsoft Authenticator, the app that enables MFA for Microsoft accounts and services, has added a new feature that blocks suspicious MFA phone notifications by default. This feature uses Microsoft’s security intelligence to identify and suppress notifications that may originate from malicious sources, such as unfamiliar locations or anomalous behaviours. Users can still access and approve the requests if they open the app manually, but they won’t be bothered by unwanted prompts on their phone screens. 

---

Conclusion 

It’s been another busy month of security reviews, improvements and incidents as we move closer towards Christmas. With Windows being hit by a variety of exploits in the wild, Linux affected by the Looney Tunables flaw, and 1Password joining the list of companies affected by the Okta incident, there’s plenty to keep admins on their toes whilst more remedial and improvement actions from Microsoft’s latest updates and NCSC’s 2023 annual review help keep us looking forward to improve our defences in a proactive manner.  

As always, it is important to reiterate that this article has not included ALL security news or vulnerabilities disclosed this month. Others such as Samsung’s data breach, Veeam One’s critical bug, ApacheMQ’s RCE attacks, Fortinet’s ‘FortiSIEM’ critical injection bug, and VMware’s critical VCD authentication bypass are many examples of other updates you should be aware of and research. 

If you have been caught off-guard by some of this month’s developments, look at your security processes and see what changes you can make to ensure you don’t get caught out in the future. Just 20 minutes of research each day can help you keep on top of the significant security trends and alerts which help protect your business and keep you cyber aware! If you have any more questions or worries, please do not hesitate to get in touch and see what CyberLab can do to help you and your security posture.