Security Boulevard

California court refuses to dismiss computer crime charges against an entity that analyzed Hunter Biden’s laptop.

The post The Return of the Laptop From Hell appeared first on Security Boulevard.

But as we start delegating LLMs and LAMs the authority to act on our behalf (our personal avatars), we create a true data privacy nightmare.

The post How the Promise of AI Will Be a Nightmare for Data Privacy appeared first on Security Boulevard.

Frequently asked questions about multiple vulnerabilities in the Common UNIX Printing System (CUPS) that were disclosed as zero-days on September 26.

Background

The Tenable Security Response Team (SRT) has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a series of vulnerabilities in the Common UNIX Printing System (CUPS). We will update this blog as more information becomes available.

FAQ

What is CUPS?

Common UNIX Printing System (CUPS) is an open-source printing system for Linux and other UNIX-like operating systems. CUPS uses the IPP (Internet Printing Protocol) to allow for printing with local and network printers.

What are the vulnerabilities associated with the recent CUPS disclosure?

As of September 26, the following four CVE identifiers were assigned for vulnerabilities related to CUPS:

CVE Description Affected Component CVSSv3* CVE-2024-47076 libscupsfilters Improper Input Validation or Sanitization Vulnerability libcupsfilters 8.6 CVE-2024-47175 libppd Improper Input Validation or Sanitization Vulnerability libppd 8.6 CVE-2024-47176 cups-browsed Binding to an Unrestricted IP Address Vulnerability cups-browsed 8.4 CVE-2024-47177 cups-filters Command Injection Vulnerability cups-filters 9.1

*These CVSSv3 scores are current as of September 26..

What are CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177?

CVE-2024-47076 is a flaw in the libcupsfilters library in which IPP packets are not validated or sanitized. This provides the attacker the ability to send malicious data to the CUPS system.

CVE-2024-47175 affects the libppd library and is an input validation issue. IPP data is not properly validated or sanitized before being written to a temporary PostScript Printer Description (PPD) file. This can result in an attacker injecting malicious data into the PPD file.

CVE-2024-47176 was assigned to a bug affecting the cups-browsed library. According to the blog post from Simone Margaritelli, the package allows any packet from any source to be trusted on the IPP port (default 631). Because of this, an attacker could send a crafted packet that would trigger a Get-Printer-Attributes IPP request, which would then reach out to an attacker controller URL.

CVE-2024-47177 impacts the cups-filters library and could allow an attacker to execute arbitrary commands using “via the FoomaticRIPCommandLine PPD parameter.”

The combination of these vulnerabilities could result in an attacker crafting a fake printer, thereby allowing them to execute arbitrary code whenever a print job has been started by the impacted host.

How severe are these vulnerabilities?

While there has been a lot of attention given to these vulnerabilities prior to disclosure, based on what has been disclosed as of September 26, these flaws are not at the level of something like Log4Shell or Heartbleed. We encourage organizations not to panic about these flaws as most attackers continue to exploit known vulnerabilities in internet facing assets.

When were these vulnerabilities first disclosed?

On September 23, Simone Margaritelli posted on X (formerly Twitter) that he recently reported a critical severity, CVSSv3 9.9 unauthenticated remote code execution (RCE) vulnerability that affects “all GNU/Linux systems” to Canonical, Red Hat and others. According to Margaritelli, disclosure and coordination with multiple Linux vendors was not a smooth process. Over the next several days, Margaritelli provided additional details about the disclosure woes and several media outlets began publishing warnings over this critical vulnerability.

* Unauthenticated RCE vs all GNU/Linux systems (plus others) disclosed 3 weeks ago.
* Full disclosure happening in less than 2 weeks (as agreed with devs).
* Still no CVE assigned (there should be at least 3, possibly 4, ideally 6).
* Still no working fix.
* Canonical, RedHat and… pic.twitter.com/N2d1rm2VeR

— Simone Margaritelli (@evilsocket) September 23, 2024

On September 26, Margaritelli posted on X that full disclosure would be happening at 20:00 UTC despite the early posts suggesting that full disclosure would be withheld until early October.

Full disclosure happening at 20:00 UTC today, in a bit more than 2 hours.

— Simone Margaritelli (@evilsocket) September 26, 2024

Were these exploited as zero-days?

No. There is currently no evidence that these vulnerabilities have been exploited in the wild as zero-days prior to disclosure on September 26.

Is there a proof-of-concept (PoC) available for these vulnerabilities?

A proof-of-concept (PoC) developed by Margaritelli is included in the GitHub advisory for CVE-2024-47176.. Additionally, a PoC has been published on GitHub based on a commit in the OpenPrinting CUPS repository.

Are patches or mitigations available?

Due to the early public disclosure, there are currently no patches available for the four vulnerabilities disclosed on September 26. However, to mitigate these flaws until the patches are available, it is advised to disable and remove cups-browsed from vulnerable systems. Additionally, CUPS is set to listen on UDP port 631, so it is advised to block all traffic to UDP port 631.

A security bulletin published by Red Hat highlights mitigations for high availability and non-high availability scenarios, the latter essentially stopping and disabling the cups-browsed service. In high availability scenarios they advised changing the BrowseRemoteProtocols directive values from default “dnssd cups” to “none.”

How many internet facing assets are potentially impacted by these vulnerabilities?

CUPS is not installed by default with many *nix distributions. In many distributions, the default configuration should limit the ability to access the default port.

As of September 26, a search on Shodan.io showed just over 75,000 internet-accessible hosts running CUPS. A search on the FOFA Search Engine returned over 270,000 unique IP addresses with nearly 70,000 linked specifically to IPP. Based on these findings, there are a significant number of hosts that do appear to be internet-accessible with a majority of the results using the default port, 631.

Source: Shodan.io

Source: FOFA

Has Tenable released any product coverage for these vulnerabilities?

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:

• CVE-2024-47076
• CVE-2024-47175
• CVE-2024-47176
• CVE-2024-47177

This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

• Blog: Attacking UNIX Systems via CUPS, Part I
• GitHub Advisory for CVE-2024-47076 in libcupsfilters
• GitHub Advisory for CVE-2024-47175 in libppd
• GitHub Advisory for CVE-2024-47176 in cups-browsed
• GitHub Advisory for CVE-2024-47177 in cups-filters
• GitHub: Leaked CUPS disclosure prior to publication

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

The post CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: Frequently Asked Questions About Common UNIX Printing System (CUPS) Vulnerabilities appeared first on Security Boulevard.

Amazingly, Medium has fixed the stats so my blog/podcast quarterly is back to life. As before, this covers both Anton on Security and my posts from Google Cloud blog, and our Cloud Security Podcast (subscribe).

Dall-E via Copilot, prompt “security blog quarterly, steampunk”

Top 7 posts with the most lifetime views (excluding paper announcement blogs):

1. Security Correlation Then and Now: A Sad Truth About SIEM
2. Can We Have “Detection as Code”?
3. Revisiting the Visibility Triad for 2020 (update for 2024 is coming soon BTW!)
4. Beware: Clown-grade SOCs Still Abound
5. Detection Engineering is Painful — and It Shouldn’t Be (Part 1)
6. Why is Threat Detection Hard?
7. A SOC Tried To Detect Threats in the Cloud … You Won’t Believe What Happened Next

(the above is the same as last quarter)

Top 4 posts with paper announcements:

• New Paper: “Future of the SOC: SOC People — Skills, Not Tiers”
• New Paper: “Future of the SOC: Forces shaping modern security operations”
• New Paper: “Future Of The SOC: Process Consistency and Creativity: a Delicate Balance” (Paper 3 of 4)
• New Paper: “Autonomic Security Operations — 10X Transformation of the Security Operations Center” (the classic 2021 ASO paper!)

Top 10 Cloud Security Podcast by Google episodes (excluding the oldest 3!):

1. EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil
2. EP8 Zero Trust: Fast Forward from 2010 to 2021
3. EP47 “Megatrends, Macro-changes, Microservices, Oh My! Changes in 2022 and Beyond in Cloud Security”
4. EP109 How Google Does Vulnerability Management: The Not So Secret Secrets!
5. EP103 Security Incident Response and Public Cloud — Exploring with Mandiant
6. EP17 Modern Threat Detection at Google
7. EP71 Attacking Google to Defend Google: How Google Does Red Team
8. EP12 Threat Models and Cloud Security
9. EP105 Security Architect View: Cloud Migration Successes, Failures and Lessons
10. EP107 How Google Secures It’s Google Cloud Usage at Massive Scale

Now, fun posts by topic.

Security operations / detection & response:

• “Security Correlation Then and Now: A Sad Truth About SIEM”
• Migrate Off That Old SIEM Already! (VIDEO!)
• “Can We Have “Detection as Code”?”
• “Revisiting the Visibility Triad for 2020”
• “Beware: Clown-grade SOCs Still Abound”
• “Why is Threat Detection Hard?”
• “A SOC Tried To Detect Threats in the Cloud … You Won’t Believe What Happened Next”
• “Stop Trying to Take Humans Out of SOC … Except … Wait… Wait… Wait…”
• “Top 10 SIEM Log Sources in Real Life?” (NEWER VERSION)
• “Debating SIEM in 2023, Part 1”
• “Debating SIEM in 2023, Part 2”
• “How to Make Threat Detection Better?”
• “SIEM Content, False Positives and Engineering (Or Not) Security”
• “Modern SecOps Masterclass: Now Available on Coursera”

Cloud security:

• “Using Cloud Securely — The Config Doom Question”
• “Who Does What In Cloud Threat Detection?”
• “How to Solve the Mystery of Cloud Defense in Depth?”
• “Does the World Need Cloud Detection and Response (CDR)?”
• “Use Cloud Securely? What Does This Even Mean?!”
• “How CISOs need to adapt their mental models for cloud security”
• “Who Does What In Cloud Threat Detection?”
• “Cloud Migration Security Woes”
• “Move to Cloud: A Chance to Finally Transform Security?”
• “It’s a multicloud jungle out there. Here’s how your security can survive“

CISO, culture, FMC, etc

• “New Office of the CISO Paper: Organizing Security for Digital Transformation”

AI security:

• ”Our Security of AI Papers and Blogs Explained” [this has a whole lot of AI security fun links that you so want to click!]
• “No Deep AI Security Secrets In This Post!”
• New Paper: “Securing AI: Similar or Different?“
• “The Prompt: What to think about when you’re thinking about securing AI”
• “To securely build AI on Google Cloud, follow these best practices”

Enjoy!

Previous posts in this series:

• Anton’s Security Blog Quarterly Q2 2024
• Anton’s Security Blog Quarterly Q1 2024 Lite
• Anton’s Security Blog Quarterly Q3 2023
• Anton’s Security Blog Quarterly Q2 2023
• Anton’s Security Blog Quarterly Q1 2023
• Anton’s Security Blog Quarterly Q4 2022
• Anton’s Security Blog Quarterly Q3 2022
• Anton’s Security Blog Quarterly Q2 2022
• Anton’s Security Blog Quarterly Q1 2022
• Anton’s Security Blog Quarterly Q4 2021
• Anton’s Security Blog Quarterly Q3 2021
• Anton’s Security Blog Quarterly Q2 2021
• Anton’s Security Blog Quarterly Q1 2021
• Anton’s Security Blog Quarterly Q3.5 2020

The post Anton’s Security Blog Quarterly Q3 2024 appeared first on Security Boulevard.

As recent events have shown, our technology systems are so connected that any interruption can cause global chaos. Organizations need robust defenses to protect their data and operations, and it starts with identity.  The NIST Cybersecurity Framework is comprised of six core functions: Identify, Protect, Detect, Respond, Recover, and Govern. It provides a structured approach to...

The post How The NIST Cybersecurity Framework is enhanced by Identity Continuity appeared first on Strata.io.

The post How The NIST Cybersecurity Framework is enhanced by Identity Continuity appeared first on Security Boulevard.

Keep Your Organization Safe with Up-to-Date CVE Information  The National Institute of Standards and Technology (NIST) continues to identify critical cybersecurity vulnerabilities that require immediate action via reports from its National Vulnerability Database (NVD). These reports clarify the ongoing risks organizations face if vulnerabilities are not promptly addressed, including data breaches and system compromises. Recent...

The post New Threats in Cybersecurity: September 2024 CVE Roundup appeared first on TrueFort.

The post New Threats in Cybersecurity: September 2024 CVE Roundup appeared first on Security Boulevard.

The post GovWare 2024 appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.

The post GovWare 2024 appeared first on Security Boulevard.

Various Security Experts at CISO Global  …In the world of supply chain security, vigilance is your best friend. Stay informed, stay alert, and always prioritize security in your decisions. After all, in this interconnected digital world, we’re all in this together. Imagine you’re hosting a dinner party, and you’ve carefully planned every dish to accommodate […]

The post A Treacherous Dinner Party: The Global Effort to Maintain Supply Chain Security appeared first on CISO Global.

The post A Treacherous Dinner Party: The Global Effort to Maintain Supply Chain Security appeared first on Security Boulevard.

Enhance threat investigations by combining the world’s largest threat intelligence data lake with powerful automation and workflow...

The post Announcing the Team Cymru Scout Integration With Palo Alto Cortex XSOAR appeared first on Security Boulevard.

Authors/Presenters:Wentao Hou, Jie Zhang, Zeke Wang, Ming Liu

Our sincere thanks to USENIX, and the Presenters & Authors for publishing their superb 21st USENIX Symposium on Networked Systems Design and Implementation (NSDI '24) content, placing the organizations enduring commitment to Open Access front and center. Originating from the conference’s events situated at the Hyatt Regency Santa Clara; and via the organizations YouTube channel.

Permalink

The post USENIX NSDI ’24 – Understanding Routable PCIe Performance for Composable Infrastructures appeared first on Security Boulevard.

NIS2, which stands for Network and Information Systems 2, and DORA, the Digital Operational Resiliency Act are two separate but interrelated pieces of legislation affecting organizations that do business in the EU. These two standards share many of the same high-level goals in that they both establish a consistent set of cybersecurity and resilience requirements […]

The post Simplifying Compliance With NIS2 and DORA  appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.

The post Simplifying Compliance With NIS2 and DORA  appeared first on Security Boulevard.

via the comic humor & dry wit of Randall Munroe, creator of XKCD

Permalink

The post Randall Munroe’s XKCD ‘Physics Lab Thermostat’ appeared first on Security Boulevard.

The impact of CSAM shouldn’t end on October 31st. The goal of a successful Cyber Security Awareness Month is to increase engaged learning and a positive

The post Countdown to CSAM: How to extend the impact of CSAM beyond October appeared first on Security Boulevard.

Authors/Presenters:Sarah Wooders and Shu Liu, UC Berkeley; Paras Jain, Genmo AI; Xiangxi Mo and Joseph Gonzalez, UC Berkeley; Vincent Liu, University of Pennsylvania; Ion Stoica, UC Berkeley

Our sincere thanks to USENIX, and the Presenters & Authors for publishing their superb 21st USENIX Symposium on Networked Systems Design and Implementation (NSDI '24) content, placing the organizations enduring commitment to Open Access front and center. Originating from the conference’s events situated at the Hyatt Regency Santa Clara; and via the organizations YouTube channel.

Permalink

The post USENIX NSDI ’24 – Cloudcast: High-Throughput, Cost-Aware Overlay Multicast in the Cloud appeared first on Security Boulevard.

Multiple grocery store chains recently faced a 42 million requests credential stuffing attack on their mobile apps. Learn how DataDome stopped the attack in its tracks, keeping the customer safe.

The post How DataDome Protected Grocery Chains from a Mobile App Credential Stuffing Attack appeared first on Security Boulevard.

Mobile phishing attacks are on the rise, with 82% of phishing sites now targeting mobile devices, marking a 7% increase over the past three years.

The post Mobile Phishing Attacks Explode, Enterprise Devices Targeted appeared first on Security Boulevard.

https://youtu.be/VVHoUNwQc6k Missed the Cloud Security Alliance Startup Pitchapalooza? Watch the Recording Now! Earlier this year, in May 2024, the Cloud...

The post Symmetry Systems Shines as Finalist in Cloud Security Alliance Startup Pitchapalooza appeared first on Symmetry Systems.

The post Symmetry Systems Shines as Finalist in Cloud Security Alliance Startup Pitchapalooza appeared first on Security Boulevard.

The personal information of almost 3,200 Capitol Hill staffers, including passwords and IP addresses, were leaked on the dark web by an unidentified bad actor after some victims used their work email addresses to sign up for online services, according to reports.

The post Congressional Staffers’ Data Leaked on Dark Web: Report appeared first on Security Boulevard.

In what has become an annual ritual between Silicon Valley and the Beltway, a House subcommittee pressed a tech company over a glitch. And the company promised to do better. During a hearing Tuesday, federal lawmakers reacted with measured outrage at CrowdStrike Inc.’s software outage that wreaked havoc with key sectors of the global digital..

The post CrowdStrike Gets Grilled By U.S. Lawmakers Over Faulty Software Update appeared first on Security Boulevard.

Authors/Presenters:Abhishek Dhamija, Balasubramanian Madhavan, Hechao Li, Jie Meng, Shrikrishna Khare, Madhavi Rao, Lawrence Brakmo, Neil Spring, Prashanth Kannan, Srikanth Sundaresan, Soudeh Ghorbani

Our sincere thanks to USENIX, and the Presenters & Authors for publishing their superb 21st USENIX Symposium on Networked Systems Design and Implementation (NSDI '24) content, placing the organizations enduring commitment to Open Access front and center. Originating from the conference’s events situated at the Hyatt Regency Santa Clara; and via the organizations YouTube channel.

Permalink

The post USENIX NSDI ’24 – A Large-Scale Deployment of DCTCP appeared first on Security Boulevard.