Wednesday, March 6, 2024

How to check whether the jQuery library on your website has been patched for CVE-2019-11358

Here is how to check whether the jQuery library currently used on your website has the CVE-2019-11358 patch applied.


1. Check the jQuery version

Check the website's source code and read the jQuery library version directly.

Use the browser's web developer tools to check the jQuery version.


2. Check whether a jQuery CDN is used

If the website loads jQuery from a CDN, the version can be read from the CDN URL.

For example, jQuery 1.12.4 is loaded from the URL //code.jquery.com/jquery-1.12.4.min.js. If the URL contains a version later than 1.12.4, the version in use includes the vulnerability patch.


3. Use a vulnerability scanning tool

Various vulnerability scanning tools can identify the jQuery version used on the website and whether the vulnerability is present. Use a tool such as npm audit, yarn audit, Snyk, or OWASP Dependency-Check to scan the project's dependencies and confirm that the warning for CVE-2019-11358 no longer appears. These tools report vulnerability information for the libraries used in the project.

NVD CVE-2019-11358: https://nvd.nist.gov/vuln/detail/CVE-2019-11358

Snyk: https://snyk.io/

OWASP Dependency-Check: https://owasp.org/www-project-dependency-check/


4. Additional information

CVE-2019-11358 is an XSS vulnerability present in jQuery 1.x. An attacker can run a malicious script to steal user information or damage the system. jQuery 3.4.0 and later include the patch for this vulnerability, and applying the patch is the safest option.

The official jQuery documentation provides information about the vulnerability and how to apply the patch.

jQuery Security Advisories: https://github.com/jquery/jquery/security/advisories


The fix is included in jQuery 3.4.0, but patch diffs for earlier jQuery versions are also available: https://github.com/DanielRuf/snyk-js-jquery-174006


5. Caveats

Vulnerability scanning tools may not be 100% accurate.

Check the website's compatibility before applying the patch.
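To automate steps 1 and 2 above, here is an added example (not from the original post) that scans a page's HTML source for a jQuery CDN URL or version banner and compares the version against 3.4.0, the first release the post names as patched. The sample HTML is constructed.

```python
"""Added example (not from the original post): find the jQuery version in a
page's HTML source and compare it with 3.4.0, the first patched release."""
import re

FIXED_VERSION = (3, 4, 0)

# src attributes of <script> tags, e.g. //code.jquery.com/jquery-1.12.4.min.js
SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
# version embedded in CDN-style paths: jquery-1.12.4.min.js or .../jquery/3.4.1/jquery.min.js
URL_VERSION_RE = re.compile(r'jquery[-./]v?(\d+\.\d+(?:\.\d+)?)', re.I)
# banner at the top of an unminified (or inlined) copy: "jQuery JavaScript Library v1.12.4"
BANNER_RE = re.compile(r'jQuery (?:JavaScript Library )?v(\d+\.\d+(?:\.\d+)?)')


def parse_version(text):
    """'1.12.4' -> (1, 12, 4); '2.2' -> (2, 2, 0); None if not a version string."""
    m = re.match(r'^v?(\d+)\.(\d+)(?:\.(\d+))?', text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_patched(version):
    """True if version >= 3.4.0, False if older, None if the string is unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed >= FIXED_VERSION


def find_jquery_versions(html):
    """Return (source, version) pairs for every jQuery reference detected in the HTML."""
    found = []
    for src in SCRIPT_SRC_RE.findall(html):
        m = URL_VERSION_RE.search(src)
        if m:
            found.append((src, m.group(1)))
    for m in BANNER_RE.finditer(html):
        found.append(("banner", m.group(1)))
    return found


def audit(html):
    """Map each detected source to (version, patched?); an empty dict means no jQuery found."""
    return {src: (ver, is_patched(ver)) for src, ver in find_jquery_versions(html)}


if __name__ == "__main__":
    # Constructed sample page, not a real site.
    sample = '<script src="//code.jquery.com/jquery-1.12.4.min.js"></script>'
    for src, (ver, ok) in audit(sample).items():
        status = "patched" if ok else "VULNERABLE: upgrade to jQuery 3.4.0 or later"
        print(f"{src}: jQuery {ver} -> {status}")
```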

Monday, March 4, 2024

The Complete Guide to Network Equipment Vulnerability Assessment Criteria: An Essential Checklist from a Security Expert

In today's rapidly evolving digital landscape, the security of network infrastructure and the robustness of network devices against vulnerabilities have become paramount for organizations worldwide. 

With cyber threats becoming more sophisticated and pervasive, it's essential to understand the standards for assessing vulnerabilities in network equipment. 

This guide aims to provide a comprehensive overview of the criteria for evaluating network infrastructure security and the vulnerabilities of network equipment. 

By equipping yourself with this knowledge, you can ensure that your network remains impervious to the ever-changing threats, safeguarding your organization's data and assets.



1. Criteria for assessing network infrastructure security vulnerabilities


Configure network line (ISP) redundancy

  • If the network (ISP) line is a single connection, configure a redundant line, because a line failure risks a service outage.


Configure network equipment redundancy

  • Check that network equipment is configured redundantly, because in a single-device configuration a device failure risks a service outage.


Configure information security system redundancy

  • Check that the information security system is configured redundantly, because in a single-device configuration a device failure risks a service outage.

Configure critical server redundancy

  • Check that critical servers are configured redundantly, because in a single-server configuration a server failure risks a service outage.

Existence of aging equipment past software and hardware end of support (EOS)

  • Check for aging equipment past end of support (EOS): once vendor support for software and hardware ends, the equipment may degrade or fail unexpectedly and newly discovered vulnerabilities will no longer be patched.

Having separate zones for recovery in the event of a disaster or failure

  • Check whether separate network zones, such as a disaster recovery center or backup center, are in place for emergencies such as disasters or failures.

Configure network segregation by business characteristics

  • Check that network segments are appropriately segregated by business characteristics, as a lack of segregation could potentially expose the entire network to risk in the event of a breach.

Configure network segregation between dev/test and production networks

  • Development and test (verification) servers may be configured with weaker security settings than production servers and may fall outside the coverage of the information security systems, so check that these segments are separated from production and operated separately.

Control user access to critical server sections

  • If access from user devices to the critical server segment is not controlled, those servers are exposed to unauthorized access and malware, so check that user devices are restricted to only the access their authorization permits when reaching critical servers.

Control access between separate network segments

  • Ensure that appropriate access controls are in place with least privilege policies to prevent unauthorized access between segregated network segments based on the nature of the business.

Presence of bypass routes that evade security policy

  • Check for bypass routes within segregated network segments that reach network contact points outside security control.

Lack of access control for sections unnecessarily reachable from the external network

  • Check whether any sections or systems other than the DMZ, which is permitted to be reached from the external network, are directly accessible from outside because of inadequate access control.

Internal Communications Network Public IP Usage Controls

  • Check whether unnecessary public IPs are assigned to the internal communication network because public IPs are directly accessible from the outside and may allow inappropriate access.

Whether information systems (servers, DBs) in the internal segment are blocked from the external network

  • If internal servers can reach the external network, there is a risk of information leakage or virus infection, so check whether information systems in the internal segment are permitted outbound access.

Adequacy of access control to external and internal communication networks (groupware, etc.) from critical devices

  • Access from critical devices to the external network carries a risk of malware infection and of leakage or destruction of important information, so check that such access is controlled.

Whether failures are recognized and a response plan is in place

  • Check whether a monitoring system is in place to recognize and respond to failures immediately, since failures cannot be identified and handled promptly if the person in charge is unaware of them.

Appropriateness of intrusion detection system configuration for each network segment

  • Check for exempted segments, since intrusion attempts and abnormal traffic cannot be detected where the per-segment intrusion detection system is missing or installed in an inappropriate location.

Appropriateness of DMZ configuration for servers (such as web servers) that communicate with the external network

  • Check whether public-facing servers that belong in the DMZ are instead located in the internal segment, since a compromise of such a server could spread to the entire internal segment.

Appropriateness of security settings for network management system activity history, log management, and user rights settings

  • Improper permission settings on the network management system risk exposing important information to unauthorized persons, and improper management of work history and logs makes it difficult to identify the cause of a failure, so check both.


2. Criteria for assessing network equipment security vulnerabilities


Whether network equipment settings are backed up

  • Back up device configurations so that the system can be quickly restored to normal in an emergency, such as a failure or outage of network equipment.

Set SNMP Community Name Complexity

  • When setting the SNMP Community String, set it to comply with complexity to ensure that it is not easily inferred by unauthorized parties.

Set SNMP community permissions

  • Set the SNMP Community String permission to Read Only (RO) to ensure that unauthorized parties cannot change network configuration information even if they capture the Community String.

Set up SNMP access control (ACL)

  • Set up SNMP access lists (ACLs) to limit the exposure of network information, such as blocking SNMP access from unauthorized parties.

Block external interface SNMP access

  • Apply access list (ACL) blocking settings for SNMP service ports on the external interface of network equipment to restrict access by unauthorized users.

Whether local users are created and their permissions managed

  • Create local user accounts for device access so that unauthorized persons are blocked.

Whether enhanced authentication (AAA) is used

  • Enable Authentication, Authorization and Accounting (AAA) for device access to prevent unauthorized access.

Using duplicate weak passwords

  • Check for duplicate passwords used by users, administrators, etc. as duplicate passwords can lead to account information leakage by unauthorized persons.

Whether enable secret is set

  • Use enable secret so that the enable password, otherwise stored in plain text, cannot be easily read by unauthorized parties if the network equipment configuration is exposed.

Whether a secure encryption algorithm is set

  • Encrypt user and administrator passwords so that unauthorized parties cannot easily recover them if the network device configuration file is exposed.

Set password complexity

  • Enforce a password complexity policy so that attackers attempting to gain access to network equipment cannot easily guess passwords.

Remote management access control

  • To prevent unauthorized users from accessing network equipment remotely.

Whether a session timeout is set

  • Check whether an automatic timeout is set for sessions inactive for a certain period, to prevent unauthorized use of the system in the user's absence, and if so, check that the timeout is not excessive.

Using insecure protocols (such as TELNET) for VTY connections

  • Use encryption protocols when accessing network equipment via a remote terminal (VTY) to prevent plain text data from being exposed to attackers by network sniffing attacks.

Whether unnecessary auxiliary input/output ports (AUX) are blocked

  • Disable unused I/O ports to prevent access by unauthorized parties.

Whether unnecessary source routing is blocked

  • Source routing lets the sender dictate the path a packet takes instead of the path chosen by routing; disable it so that unauthorized parties cannot exploit it for attacks.
  • Check the settings on your router or switch to ensure that the IP source routing option is disabled.
  • For Cisco equipment, check that the no ip source-route command is included in the configuration file (config).

Whether Proxy ARP blocking is enabled

  • Block Proxy ARP because unauthorized parties can send forged Proxy ARP requests and use the responses to learn about the router and the network.
  • If Proxy ARP is enabled, you must disable the feature. For Cisco equipment, you can disable Proxy ARP using the no ip proxy-arp command in interface configuration mode.

IP Directed Broadcast blocking check - IOS 11

  • Disable IP Directed Broadcast to block DoS attacks (such as Smurf attacks)
  • Connect to the router, and verify that IP Directed Broadcast is disabled. On routers running Cisco IOS 12.0 or later, IP Directed Broadcast is disabled by default; however, on routers running IOS 11.x or earlier, you might need to manually disable it.
  • On Cisco routers, you can disable IP Directed Broadcast by using the no ip directed-broadcast command in interface configuration mode.

Whether unnecessary services are running

  • Disable services not required for operations, since unnecessary services add attack surface and can make the device an unintended target.

NTP settings and time synchronization

  • Synchronize time via NTP for system time accuracy and accurate log analysis when events occur.

Enable logging

  • To enable monitoring for network equipment operation and security

Whether log messages are timestamped

  • Include the exact time in log messages to enable analysis of an attack.

Whether the logging buffer size is set

  • Cisco routers store log messages in a memory buffer; set the buffer size to a suitable level for debugging or monitoring purposes.

Set up remote log server integration

  • Forward logs to a remote log server, because storage on network devices is limited and logs kept there may be overwritten or deleted.

Setting console logging levels

  • To prevent unnecessary log message output, as sometimes log messages are only output to the console and are not operationally necessary.

Setting up ingress filters on external interfaces

  • Setting up an ingress filter on an external interface to filter packets entering the internal network

Set up an egress filter on an external interface

  • Set an egress filter on an external interface to filter packets sent from the inside to the outside

Setting up anti-spoofing filters

  • To block spoofing attacks by filtering incoming packets on the external interface using the internal network IP band as the source IP.

Setting up IP multicast blocking

  • If IP multicast is not enabled, filter multicast packets to prevent them from being exploited in attacks.
  • To verify that multicast is enabled, use commands that look up the relevant settings. For example, on Cisco devices, you can use the show ip multicast routing command.

Setting up ICMP blocking

  • Block ICMP packets from outside to inside to prevent internal information from being leaked and to prevent denial-of-service attacks, etc.

Setting up ICMP redirect blocking

  • To prevent routing table changes by blocking ICMP redirect packets on external interfaces

Setting up ICMP unreachable blocking

  • To prevent ICMP unreachable messages from being used to expose whether certain ports on network equipment are enabled or disabled when scanning and exploited for DoS attacks.

Setting up ICMP mask-reply blocking

  • To block the ICMP mask-reply service to prevent network configuration information from being exposed to unauthorized parties.

Set ICMP Timestamp, Information Requests blocking settings

  • Block ICMP Timestamp, Information Requests to prevent network information from being exposed to unauthorized parties.

Set up filtering to block denial-of-service (DDoS) attacks

  • To block ports where denial-of-service attacks can occur

Availability of the latest/urgent security patches and updates

  • To ensure that the latest version of the network equipment operating system and the last released security patches have been reviewed (including testing against stable versions of the operating system and the latest security patches) and implemented

Whether command execution permissions are restricted

  • Assign per-command privilege levels so that administrative commands require privilege Level 15, preventing their use by unauthorized parties.

Set a warning message at logon

  • Display an appropriate warning message via a banner to users accessing the router.

Whether TCP keepalives are enabled

  • Enable TCP keepalives so that a session is torn down when the remote user's connection has ended, preventing hijacking of orphaned sessions and ensuring sessions terminate normally.

Disable unused interfaces

  • To prevent unauthorized persons from obtaining network information and causing disruptions to communication equipment through unused interfaces.

Hardening switch hub security

  • Security settings to prevent network traffic from being exposed to or tampered with by unauthorized parties

Whether passwords are periodically changed and managed

  • Check whether the passwords of network equipment accessors are changed/managed periodically as there is a threat of password theft due to password dictionary attacks if the password is not changed for a long period of time.

Whether vulnerable services are running

  • Check whether vulnerable services* are running as there are threats such as equipment information exposure and transmission information exposure if vulnerable services are running.
    * CDP, LLDP, TFTP, Finger, identd, Smart Install, etc.


#NetworkSecurity #CyberSecurityTips #VulnerabilityAssessment #TechSafety #DigitalDefense #InfoSec #CyberThreats #SecureNetworking #ITSecurity #NetworkInfrastructure

Friday, March 17, 2023

Microsoft Outlook elevation-of-privilege zero-day vulnerability (CVE-2023-23397)

Disclaimer

This blog contains sensitive information. However, because some of it is already publicly known, we decided not to remove all of it. Given the simplicity of the attack and the fact that it requires no user interaction, we urge all users to patch their systems immediately.

 

Microsoft Outlook

On March 14, 2023, Microsoft released a security patch for an elevation-of-privilege vulnerability in Microsoft Outlook (CVE-2023-23397).

A specially crafted email can trigger the vulnerability automatically when the Outlook client retrieves and processes it. Such an email can be exploited before it is even viewed in the preview pane, and the attacker can force the target device to authenticate to an attacker-controlled server and steal its credential hash.

The Computer Emergency Response Team of Ukraine (CERT-UA) reported the vulnerability to Microsoft. According to Microsoft Threat Intelligence, a Russia-based threat actor used it from April to December 2022 in attacks on several government, military, energy, and transportation organizations in Europe.

MDSec has already demonstrated a POC of the attack, and security researcher @KevTheHermit found a sample of a malicious email used in the attack.

The Deep Instinct Threat Research Lab found additional samples exploiting this vulnerability, including the possible attack reported by CERT-UA.

The samples can be grouped into five distinct clusters. The timeline of the attacks is shown below:

Timeline of attacks using CVE-2023-23397

Possible actors

Microsoft attributed the attacks to a Russia-based threat actor. The attacks on Romania, Poland, and Ukraine align with Russian interests, while the attacks on Jordan and Turkey may be linked to a different threat actor.

The attack vector that triggers this NTLM harvesting was observed in 2020 being used by an Iranian threat actor. Russia and Iran have also signed a cyber cooperation agreement.

The Jordanian Ministry of Foreign Affairs was previously targeted by Iranian threat actors, which may indicate that the vulnerability was shared with the Iranians.

Harvested NTLM hashes can be used in hash relay attacks or offline password cracking, which suggests the attacker either already had some access to the targeted organization or knew of a remote authentication service that does not require multi-factor authentication.

 

Threat hunting

Microsoft provides a PowerShell script (https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/) for retroactively searching for potentially malicious messages that carry the vulnerability. The script looks for three types of messages: notes, appointments, and tasks.

Microsoft's PowerShell code looks for three specific message types.

This may indicate that any one of these message types can trigger the vulnerability. If you use Outlook, some of these types may be familiar.

How to manually create a task or appointment

MDSec used an "appointment" message in their POC, but in the real attacks a "task" message was used.

ITW (IPM.Task) property in a malicious email

We used the following query on VirusTotal to find suspicious emails containing the vulnerability: "content:{490050004d002e005400610073006b00} tag:outlook"

If the email contains a UNC path, it indicates a malicious task that uses the vulnerability.

However, we found residual evidence in emails sent to Polish targets during September that could not be found with the above query.
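As an added example (not from the original post or from Deep Instinct), the following builds and decodes the VirusTotal content query quoted above and applies the post's heuristic (IPM.Task message class plus an embedded UNC path) to raw item bytes. It assumes the properties are stored as UTF-16LE strings, as in MSG files; the sample bytes are constructed.

```python
"""Added example (not from the original post): encode/decode the VirusTotal
'content:' hex query quoted above and scan a raw Outlook item for the IPM.Task
class together with an embedded UNC path. Sample bytes are constructed and assume
properties are stored as UTF-16LE strings, as in MSG files."""
import re


def vt_content_query(message_class, tag="outlook"):
    """Build the VirusTotal content search for a UTF-16LE string such as 'IPM.Task'."""
    return f"content:{{{message_class.encode('utf-16-le').hex()}}} tag:{tag}"


def decode_vt_content(query):
    """Recover the search string from a 'content:{hex}' query; None if absent."""
    m = re.search(r"content:\{([0-9a-fA-F]+)\}", query)
    return bytes.fromhex(m.group(1)).decode("utf-16-le") if m else None


# UTF-16LE "\\host\share...": two backslashes followed by printable ASCII characters.
UNC_RE = re.compile(rb"\\\x00\\\x00(?:[\x21-\x7e]\x00){2,}")


def hunt_outlook_item(blob):
    """Flag an item whose class is IPM.Task and which carries a UNC path (the post's heuristic)."""
    is_task = "IPM.Task".encode("utf-16-le") in blob
    unc_paths = [m.group(0).decode("utf-16-le") for m in UNC_RE.finditer(blob)]
    return {"ipm_task": is_task, "unc_paths": unc_paths, "suspicious": is_task and bool(unc_paths)}


# Constructed sample fragments, not real samples: a task item carrying a UNC path and a plain note.
SAMPLE_TASK_ITEM = (b"\x00" * 4 + "IPM.Task".encode("utf-16-le") + b"\x00" * 4
                    + r"\\203.0.113.5\share\a".encode("utf-16-le") + b"\x00\x00")
SAMPLE_NOTE_ITEM = "IPM.Note".encode("utf-16-le") + "hello".encode("utf-16-le")

if __name__ == "__main__":
    print(vt_content_query("IPM.Task"))
    for label, blob in [("task", SAMPLE_TASK_ITEM), ("note", SAMPLE_NOTE_ITEM)]:
        print(label, hunt_outlook_item(blob))
```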

 

September file containing the characteristics of CVE-2023-23397

 

Conclusion

We found evidence of attacks from April 2022 onward, but it is possible the vulnerability was exploited earlier.

Since we used only publicly available data, the actual range of targets should be assumed to be much larger.

Microsoft attributed the attacks to a Russia-based threat actor, but public evidence suggests that other threat actors may also have exploited this vulnerability.

Because the attack requires no user interaction, we recommend that all users of the Outlook application patch their systems as soon as possible.

We also suggest running the PowerShell script provided by Microsoft to retroactively search Exchange servers for malicious emails.

 

 

IOCs


 

Source: CVE-2023-23397: Exploitations in the Wild – What You Need to Know | Deep Instinct
