Monday, July 15, 2024

📋 Chef's weekly selections

Although the internet caught on fire last week, cyber fire fighters saved the day and the internet. Rest easy brave ASD diners, there are only 40 AWS Linux CVEs to chew on this week. You don’t see any CVEs in Red Star OS, do you? Time to switch?

Unrelated to very secure North Korean operating systems, we’re going to start publishing articles from veteran and aspiring AWS security chefs soon. Want to publish your work on awssecuritydigest.com? Send us a pitch to iwritegood@awssecuritydigest.com.

  1. Thwacking DDOS with AWS WAF

    Somebody please make Rami McCarthy an employment offer he can’t refuse. I read slower than he writes awesome security blog posts. This week he surprises us with a not-so-awful AWS WAF use case - thwacking DDoS. Thwacking is good and so is this post. It’s a super practical way to do initial response to denial of service when you are limited by other options or need to do it on the cheap.

  2. Poor man’s MFA for AWS Client VPN

    Unfortunately Ian Mckay made a typo in his blog post title this week. It should have read “Cursed MFA for AWS Client VPN”. It’s okay though, apparently if you put the AWS Client VPN, Slack, and thumbsup emoji in a pot and stir it, it comes out edible. You can improve Ian’s code by replacing 👍 with 🧑‍🍳.

  3. Building the foundations: A defender’s guide to AWS Bedrock

    I don’t include many AI related posts because they are generally hot garbage. However, Anton Ovrutsky, soon to be formerly of Sumo Logic, does a really good job describing some approaches to detecting malicious Bedrock usage. I’d love to see how they stack up in the real world.

Bonus: I highly recommend everyone regularly visit Cloud Security Lab a Week (S.L.A.W). It’s just a sweet way to learn AWS security.

🥗 AWS security blog

👾 r/aws

🧁 IAM permission changes

🍔 AWS API Changes

🍹 Updated AWS Managed IAM Policies

Managed Policy changed since last week: 7

  1. 🚩 AWSIAMIdentityCenterAllowListForIdentityContext
  2. AWSLicenseManagerLinuxSubscriptionsServiceRolePolicy
  3. 🚩 AWSSystemsManagerForSAPFullAccess
  4. AmazonQDeveloperAccess
  5. AmazonQFullAccess
  6. 🚩 AmazonSageMakerCanvasFullAccess
  7. AppStudioServiceRolePolicy

🔀 Weekly diff

🤖 Powered by MAMIP | 🚩 Sensitive IAM Actions included

☕︎ CloudFormation updates

No new resources.

🍪 Amazon Linux CVEs

  • CVE-2024-6655 - gtk3: gtk2: Library injection from CWD
  • CVE-2024-39493 - Resolved in Linux kernel: crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak
  • CVE-2024-39492 - Resolved in Linux kernel: mailbox: mtk-cmdq: Fix pm_runtime_get_sync() warning in mbox shutdown
  • CVE-2024-39491 - Resolved in Linux kernel: ALSA: hda: cs35l56: Fix lifetime of cs_dsp instance
  • CVE-2024-6608 - It was possible to move the cursor using pointerlock from an iframe. This allowed moving the cursor outside of the viewport and the Firefox window. This vulnerability affects Firefox < 128.
  • CVE-2024-6615 - Memory safety bugs present in Firefox 127. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 128.
  • CVE-2024-6611 - A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. This vulnerability affects Firefox < 128.
  • CVE-2024-6610 - Form validation popups could capture escape key presses. Therefore, spamming form validation messages could be used to prevent users from exiting full-screen mode. This vulnerability affects Firefox < 128.
  • CVE-2024-6607 - It was possible to prevent a user from exiting pointerlock when pressing escape and to overlay customValidity notifications from a `<select>` element over certain permission prompts. This could be used to confuse a user into giving a site unintended permissions. This vulnerability affects Firefox < 128.
  • CVE-2024-6606 - Clipboard code failed to check the index on an array access. This could have led to an out-of-bounds read. This vulnerability affects Firefox < 128.
  • CVE-2024-6605 - Firefox Android allowed immediate interaction with permission prompts. This could be used for tapjacking. This vulnerability affects Firefox < 128.
  • CVE-2024-6612 - CSP violations generated links in the console tab of the developer tools, pointing to the violating resource. This caused a DNS prefetch which leaked that a CSP violation happened. This vulnerability affects Firefox < 128.
  • CVE-2024-5569 - A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop.
  • CVE-2024-6613 - The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. This vulnerability affects Firefox < 128.
  • CVE-2024-39684 - Tencent RapidJSON is vulnerable to privilege escalation due to an integer overflow in the `GenericReader::ParseNumber()` function of `include/rapidjson/reader.h` when parsing JSON text from a stream. An attacker needs to send the victim a crafted file which needs to be opened; this triggers the integer overflow vulnerability (when the file is parsed), leading to elevation of privilege.
  • CVE-2024-6604 - Memory safety bugs present in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 128 and Firefox ESR < 115.13.
  • CVE-2024-6614 - The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. This vulnerability affects Firefox < 128.
  • CVE-2024-38517 - Tencent RapidJSON is vulnerable to privilege escalation due to an integer underflow in the `GenericReader::ParseNumber()` function of `include/rapidjson/reader.h` when parsing JSON text from a stream. An attacker needs to send the victim a crafted file which needs to be opened; this triggers the integer underflow vulnerability (when the file is parsed), leading to elevation of privilege.
  • CVE-2024-37372 - The Permission Model assumes that any path starting with two backslashes (`\\`) has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases. This vulnerability affects Windows users of the Node.js Permission Model in versions v22.x and v20.x.
  • CVE-2024-6600 - Due to large allocation checks in Angle for GLSL shaders being too lenient, an out-of-bounds access could occur when allocating more than 8192 ints in private shader memory on macOS. This vulnerability affects Firefox < 128 and Firefox ESR < 115.13.
  • CVE-2024-38081 - .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability
  • CVE-2024-3596 - RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.
  • CVE-2024-30105 - .NET Core and Visual Studio Denial of Service Vulnerability
  • CVE-2024-6603 - In an out-of-memory scenario an allocation could fail but free would have been called on the pointer afterwards leading to memory corruption. This vulnerability affects Firefox < 128 and Firefox ESR < 115.13.
  • CVE-2024-6601 - A race condition could lead to a cross-origin container obtaining permissions of the top-level origin. This vulnerability affects Firefox < 128 and Firefox ESR < 115.13.
  • CVE-2024-6609 - When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox < 128.
  • CVE-2024-36137 - A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used.
  • CVE-2024-6237 - A flaw was found in the 389 Directory Server. This flaw allows an unauthenticated user to cause a systematic server crash while sending a specific extended search request, leading to a denial of service.
  • CVE-2024-35264 - .NET and Visual Studio Remote Code Execution Vulnerability
  • CVE-2024-22020 - A security flaw in Node.js allows a bypass of network import restrictions.
  • CVE-2024-36138 - The CVE-2024-27980 was identified as an incomplete fix for the BatBadBut vulnerability. This vulnerability arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
  • CVE-2024-6602 - A mismatch between allocator and deallocator could have led to memory corruption. This vulnerability affects Firefox < 128 and Firefox ESR < 115.13.
  • CVE-2024-22018 - A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.
  • CVE-2024-38095 - .NET and Visual Studio Denial of Service Vulnerability
  • CVE-2024-6409 - A signal handler race condition vulnerability was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions).
  • CVE-2024-24974 - The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to interact with the privileged OpenVPN interactive service.
  • CVE-2024-38372 - Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2.
  • CVE-2024-27459 - The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can be used to execute arbitrary code with more privileges.
  • CVE-2024-27903 - OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service.
  • CVE-2024-39695 - Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 version v0.28.2. The vulnerability is in the parser for the ASF video format, which was a new feature in v0.28.0.