We talk about the best technologies & strategies to detect and remediate against threat actors within your cloud environments, but today we wanted to talk about the TOP EXPLOITED CVEs in 2022/early 23 to help you prepare the best mitigation strategies for your hybrid envs 🧵
Log4Shell | CVE-2021-44228 - What is It?
It is a remote code execution (RCE) flaw in the Apache Log4j 2 Java logging library. It allows remote attackers to take control of servers over the Internet.
At discovery, all the versions of Log4j 2 were open to the vulnerability!
Log4Shell | CVE-2021-44228 - Why Care?
a. CVSS 10 - Critical Severity
b. Ubiquitous and widespread nature of vulnerability - present in supply chain everywhere
c. Top vulnerability associated with China-linked threat actors
d. Widely exploited - 1 million exploit attempts in the first 72 hrs
Log4Shell | CVE-2021-44228 - How it Works?
Log4Shell | CVE-2021-44228 - How to Mitigate?
a. Run a vuln scan to detect its presence.
b. Overlay runtime information to determine the most exploitable machines with open attack vectors and paths.
c. Quarantine hosts where the vulnerable library is detected in memory.
d. Patch - logging.apache.org/log4j/2.x/security.html
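An added example for mitigation step a, not Deepfence's tooling: an offline scanner that walks JAR/WAR/EAR archives (including jars nested inside them) for the JndiLookup class that Log4Shell abuses, reads the log4j-core version from its Maven pom.properties, and flags anything below the 2.15.0 fix. It assumes Maven-built jars (so pom.properties exists); the sample jars it builds are constructed fixtures for testing the scanner.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)                    # first log4j-core release fixing CVE-2021-44228
BACKPORT_FIXES = {"2.12.2", "2.3.1"}  # Java 7 / Java 6 releases carrying the same fix

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0), i.e. below the fix."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def is_vulnerable(version):
    """Unknown or pre-2.15.0 versions count as exposed (fail closed)."""
    v = parse_version(version)
    return version not in BACKPORT_FIXES and (v is None or v < FIXED)

def scan_archive(data, path="<archive>", findings=None):
    """[(path, version, vulnerable)] per log4j-core carrying JndiLookup; nested jars descended."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container, nothing to inspect
    names = set(zf.namelist())
    if JNDI_CLASS in names:
        version = "unknown"
        if POM_PROPS in names:  # assumption: Maven-built jar ships pom.properties
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        findings.append((path, version, is_vulnerable(version)))
    for name in sorted(names):  # fat jars, WAR WEB-INF/lib, EAR modules
        if name.lower().endswith((".jar", ".war", ".ear")):
            scan_archive(zf.read(name), f"{path}!/{name}", findings)
    return findings

def _zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample_jar(version, wrap_in=None):
    """Constructed fixture: a fake log4j-core jar, optionally nested inside another archive."""
    jar = _zip({JNDI_CLASS: b"\xca\xfe\xba\xbe", POM_PROPS: f"version={version}\n"})
    return jar if wrap_in is None else _zip({wrap_in: jar})
```

To scan a real artifact, pass its bytes and name to `scan_archive(open(path, "rb").read(), path)`; a `True` third field means the archive ships a log4j-core exposed to CVE-2021-44228.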
Runc Container Breakout Vulnerability | CVE-2019-5736 - What is it?
There is a Docker vuln where it's possible to overwrite the host `runc` binary & obtain root access on the host. When malicious actors have root access, they can escalate their privileges & stage attacks!
Runc Container Breakout Vulnerability | CVE-2019-5736 - Why Care?
a. W/ root control they basically have the keys to the kingdom on that particular server - it could allow lateral spread but also execution of malicious attacks
b. POCs of exploit in circulation
Runc Container Breakout Vulnerability | CVE-2019-5736 - How It Works?
The researchers who revealed the vulnerability discovered that an attacker can trick runC into executing itself by asking it to run /proc/self/exe, which is a symbolic link to the runC binary on the host.
Runc Container Breakout Vulnerability | CVE-2019-5736 - How to Mitigate
RunC has been patched to re-execute a temp copy of itself when it starts. Consequently, /proc/[runc-pid]/exe now points to the temp file, & the runC binary can't be reached from w/i the container.
Gitlab | CVE-2021-22205 - What is it?
An issue in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files passed to a file parser, which resulted in remote command execution.
Gitlab | CVE-2021-22205 - Why Care?
a. GitLab has 30 million users
b. CVSS 10 Critical Severity
c. Anyone able to upload an image that goes through GitLab Workhorse could achieve RCE via a specially crafted file.
Gitlab | CVE-2021-22205 - How it Works?
Via the DjVu annotation, a threat actor with network access to port 443 can transmit an image containing malicious metadata. Afterwards, they can execute arbitrary commands on the server as the git user.
In conclusion, we will continue to make 🧵s that highlight threats you should take mitigation action against, but best practices are:
a. Update systems
b. Utilize hardware-based MFA
c. Consume threat research to stay ahead
d. Implement CNAPP w/ active runtime protection
If you like this content, like/retweet this 🧵 & follow us @deepfence
Want to see a demo of how Deepfence's CNAPP w/ active runtime protection helps detect & protect against major attacks? Schedule a demo w/ @ryancsmith2222, Head of Product:
go.deepfence.io/15-minute-demo