Patch [FIX] Tuesday, Episode Summary
In this episode, the hosts (Tom Bowyer, Jason Kikta, and Mat Lee) discuss the latest security vulnerabilities and updates from Apple and Microsoft. They highlight the importance of memory safety and the challenges of migrating to memory safe languages. They also discuss the need for educating users on security vulnerabilities and the role of a dedicated security team in prioritizing security and compliance.
Read the Patch [FIX] Tuesday Transcript
Tom Bowyer: Happy Patch Tuesday everyone and welcome to March of 2024 and to the Automox Fix Tuesday podcast. It's me Tom Bowyer again and today I'm joined by Mat and Jason, you both wanna introduce yourself?
Jason Kikta: Yeah, hi, I'm Jason Kikta, I'm the CISO here at Automox. Mat.
Mat Lee: And I am Mat. I am a security engineer here at Automox.
Tom Bowyer: Awesome. Thank you both for joining me on our wonderful March adventure.
Yeah, it was, it was almost like, uh, the folks at Cupertino decided yesterday when they dropped 14.4 to kind of upstage Patch Tuesday and, uh, really, uh, bring out a parade of things. So, uh, it's, it's definitely a spicy weekend info sack and, and a lot of stuff that, you know, needs to be dealt with right away.
Tom Bowyer: Yeah.
Yeah, for sure.
Mat Lee: Yeah. I mean, I think, I mean, we're just scrolling through that list, not even reading. And I think it took us two to five minutes to even get through the list. We're just watching that scroll bar, like keep scrolling.
Jason Kikta: Just keeps going.
Tom Bowyer: Yeah. I mean, it's been a long, you know, Apple usually releases like three or four or five, right in their updates, but they must've had a busy year or. Yeah. You know, the.
Jason Kikta: I lost count.
And some of them are minor, but there are some ones in there that we're going to talk about that are just, wow. I mean, they're, they're pretty, you know, seem, seem pretty unpleasant in scope. And, and it, it wasn't even so much a particular CVE. The thing that caught my eye when we looked through the Apple list was how it, you know, it was, it was like five or six CVEs centered around
a central topic that just kind of kept going and they're all different distinct CVEs. And that is pretty rare these days to see that it still happens, but it's not a common occurrence to be sure.
Tom Bowyer: Yeah.
Mat Lee: Yeah, I think it was across the board too, right? Across a lot of components. I mean, WebKit got hit pretty hard. We saw Siri could leak some sensitive files potentially. And the good old hidden photos trick. So don't put anything in there that you don't want to be seen.
Tom Bowyer: Very interesting.
Yeah.
Jason Kikta: Yeah.
That's right. That's right.
Tom Bowyer: Yeah, no kidding. And I've said it multiple times, I think, in this podcast, but I do feel like the last two years, and even into this year, that there has been a renewed focus on Apple's security. And I don't think I've seen so much security updates than I've ever seen from Apple. So it's just...
Jason Kikta: Yeah.
Tom Bowyer: I think people are, you know, they're really starting to take a very close look on the Apple internals and I think a lot of it is from that. But
Mat Lee: Yeah, it's cool seeing the community come together to find these, right? I mean, it's researchers across all different domains coming together to kind of disclose these. So that's cool to see as well.
Jason Kikta: Yeah. Although they haven't forgot about Microsoft either. And Tom, you were saying this first one in Azure is pretty spicy.
Tom Bowyer: Yeah.
Yeah. So CVE 2024 21400, and it's a pretty long one. So bear with me here. Microsoft Azure Kubernetes Service, Confidential Container, Elevation of Privilege Vulnerability. You know, if they added a couple more words to it, I think it would be easier to say, but you know, reading through the notes, it...
To me, this sounds like, right? An attacker who successfully exploited this vulnerability could steal credentials and affect resources beyond the security scope managed by Azure Kubernetes Service Confidential Containers, right? And, you know, I'm speculating a little bit here, but it, you know, just reading this, it sounds like I can get onto a node.
of a managed Kubernetes service.
Mat, yeah, and I'm also curious, right? Having spent so much time inside and outside Kubernetes, kind of what your take is on this and almost like, you know, what makes your hair stand up when you see things like this?
Mat Lee: Yeah, so I think sort of just with everyday Kubernetes clusters, things that we run in, you know, that everybody runs in their prod environment, it's really not secure by default. And you really have to put in the work to make it secure. And I think with this confidential computing, you know, when we think of confidential computing, we think security and it's locked down, it's isolated, it could be like air gapped, whatever. And so I think with
with this vulnerability that just unleashes so many possibilities for an attacker to jump on a confidential system and either extract secrets, just like you said, parts of the node, any sort of things on the node, workloads like pods. And from what I'm reading, it's with this ConfCom CLI tool. And I just think...
You know, if you're running a really sensitive workload in confidential computing, I think the thought is this should be secure and this kind of opens up, you know, just the possibilities for so much, uh, just private sensitive information to be, to be utilized by an attacker.
Tom Bowyer: Right.
Jason Kikta: Yeah. When I saw the part about, you know, an attacker can access the Untrusted AKS Kubernetes Node and AKS Confidential Container to take over Confidential guests and Containers beyond the network stack. It might be bound to that. That alarmed me pretty good because, you know, I mean, to Tom's point, there's, this is a bit of speculation, but that sounds like this is a cross tenant attack. And, uh, you know, if so that, you know, that breaks the
Tom Bowyer: Yeah.
Jason Kikta: security assumptions that a lot of folks have and really presents an elevated risk.
Tom Bowyer: Yeah. Especially in a hosted environment, right? When I see something like in the patch notes, say it verbatim in a, in unauthenticated attacker can move the same workload onto a machine they control where the attacker is root. And you know, where my head gets spinning, it's like, I'm an attacker. Do I have an AKS cluster? And then I'm moving workloads from that
for somewhere where I have access to like these other nodes, right? Like I'm, that's where I'm stuck. You know, that's where I'm paranoid. It's like, am I spoofing like kubelet or something? And they're moving their internal node onto my node through like some kind of weird internal kubelet attack, right? Right.
Mat Lee: I'm trying to think of like...
I mean, could it be something with etcd as well, like state or something like that? Or maybe, I don't know, like, yeah, I'm kind of, I was just thinking that same thing, like trying to figure out how they would kind of move those workloads, whatever those might be, under their own system. And so it's probably got to do something with the back end or state or something that's saving whatever those workloads are doing, right?
Tom Bowyer: Yeah. Or like exporting the containers, you know, like you can dump the container with Docker or et cetera and export it and move it off. And I just, yeah, scary stuff to be honest. You know.
Jason Kikta: Yeah, I'm a little surprised it only got a 9.0 on a CVSS scale. But on the other hand, the exploit code maturity is listed as proof of concept. So fingers crossed that this one was caught early. And if you patch quickly enough, your exposure will be minimal. But definitely not one to put off. This is a must do.
Mat Lee: Yeah, and I think.
Tom Bowyer: Oh. Yeah.
Yeah, agreed. And, you know, a lot of it is just kind of knowing what you're running and understanding the security implications of that, right? Like a lot of the times we trust these vendors to, you know, manage a lot of this backend risk and, you know, these things come up and it's important as.
Jason Kikta: Yeah, I mean, this, this is the kind of risks that we spend all day, every day managing and, and it's, it's not easy and it's, it's constant. You can never let your guard down and why we have so many people on our team. It just, it requires a lot of investment and it requires just constant vigilance.
Tom Bowyer: Yeah, agreed.
Mat Lee: Yep. I'm just like Tom said, observability is huge, right? Having visibility into your whole stack. And, uh, I mean, if you don't have that and you don't know what's running, like you can't baseline that and then you don't know when something bad is in there. So.
Jason Kikta: Right. And then you, you know, you got to get your detections, right. You got to tune those detections so you don't get alert fatigue. You got to automate your alerts. You got to automate some of your responses. You have to have a playbook that you've rehearsed and practiced again and again and again, and it's just, it is not a minimal thing.
Tom Bowyer: Yeah. Speaking of letting our guard down, you know, this next one, CVE 2024 26164 Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability, right? This all stems from
Jason Kikta: Hahaha!
Tom Bowyer: SQL I, you know, everyone's favorite attack vector from 2008, still hanging around these products, you know, an attacker could use the unsanitized parameter into a SQL query to trigger SQL injection. I mean, is that not just like the definition of one equals one?
Mat Lee: What year is it?
Jason Kikta: the fifth the other
Tom Bowyer: And, you know, Mat.
Jason Kikta: It's like you go down the base score metrics like network low, none, unchanged, high, high. And you're just like, Oh, no.
Tom Bowyer:
Yeah, and you know, Mat, I'm curious, you know, your thoughts there, right? I feel like this is the entry level security vulnerability that everyone always plays with in the very beginning, right? And just curious what your thoughts are on this one.
Mat Lee: Yeah, I mean, I am starting to learn the sort of AppSec, Red Team, you know, been doing a lot of hack the box lately. So trying to learn those skills. And I always see the retired machines, sometimes those are SQLI and those are years old. So it's really interesting. I mean, everybody says all the tools are in place these days to mitigate SQLI, but then we see things like this come up where it's,
It's a plugin to basically use with Django and SQL. And it seems like it's pretty heavily used. I mean, if you look at their GitHub repo, got a couple hundred stars, stuff like that. So it's really interesting to see from, I guess, a novice in this area stepping into it, seeing these kind of surface in these patch notes.
Jason Kikta: Yeah, it's rare to see these days. And just seeing that you could use the unsanitized parameter into a SQL query to trigger SQL injection, that's just not really where we're supposed to be anymore. So it's surprising not just that it's there, but that it's probably been there for a while and that it's escaped detection for this long. Or.
Perhaps I'm mistaken and this is a relatively recent introduction that has somehow circumvented security checks, but this is why security review of your CI CD pipeline and the code coming out of it is so important to just make sure that even small mistakes don't happen because
Tom Bowyer: Yeah.
Jason Kikta: The implications can be so large. And I mean, I'm reading here successful exploitations, vulnerability simply requires the attacker or targeted user to leverage Microsoft app access application to automatically talk to a SQL server while utilizing remote SQL server additives that they control. That is not a high bar. That is really pretty easy to do. Uh, and you know, again, it's, it's not one to, to wait on because this one will eat your lunch.
Tom Bowyer: Yeah.
Yeah. And you know, those backend package updates are pretty simple, I assume. Right. You probably should be pinning your packages anyway. So this is just a simple PR, hopefully caught from the your upstream, you know, SCA tools. So, but still funny to see in this day and age. Um, and you know,
Jason Kikta: Hmm.
Yeah, RCE through SQL injection. Like you said, Mat, what year is it?
Tom Bowyer: Hahaha
Mat Lee: Yeah. I mean, it's cool, but also concerning to see this in the wild. So yeah, just thought that was an interesting one to see in their patch notes.
Tom Bowyer: Yeah. Well, yeah.
Jason Kikta: Yeah, there's probably some people who do introductory Red Team training packages right now are like cheering like, yeah, my content still relevant.
Tom Bowyer: Yo.
Mat Lee: Yep, exactly.
Tom Bowyer: Yeah, I mean, and like the tool maturity in the space is rather high, right? I tools like SQL map, you know, everyone's favorite Red Team tool, you get it off GitHub and you just fired away and it's just firing thousands of, you know, SQLI payloads and this will probably just be another one eventually, I assume. So it's the bar is rather low for this, right?
which I always find interesting.
Mat Lee: And turns out you can successfully DOS a server with SQL map as well. So that's fun also. Another benefit.
Jason Kikta: Hahaha!
Tom Bowyer: Right. Yeah. But you know, some other good stuff as well in the Patch Tuesday Notes. So you know, take a look and see. But I think we'll spend the rest of this time talking about these super juicy Apple ones. You know, I
Jason Kikta: That update yesterday was extreme. I guess day before yesterday. Now just like going through my and watching my, you know, I have a MacBook Pro, I have an M2. Like it's, it's not a, you know, this is not some ancient thing and it just, it took a long time and I'm, you know, my iPhone as well, like it's sat there and sat there and like, you know, and I was, it was odd because I had looked at.
Tom Bowyer: I know.
Jason Kikta: the little notes about, you know, what's in this update. And it was talking mostly about features and things. And I'm like, like none of this, like you're adding emojis. This doesn't sound, it doesn't sound as beefy. And then we went through and looked at the, uh, at the security notes and it just keeps going. And it's so many, I mean, the one that got me at first, you know, there were really two, uh, the, the WebKit one, but, but the Apple Image Viewing was the first one that caught my eye.
Tom Bowyer: Right. Ha ha ha.
Mat Lee: Yeah.
Tom Bowyer: Oh yeah.
Jason Kikta: I mean, I'm just going to read off. I'm going to rattle off the CVE's as quick as I can here, just to prove a point of CVE 2024 they're all 2024 - 23270, 23257, 23258, 23286, and 23234 that's just their image related stuff and image processing, image IO and the Intel graphics driver.
Wow. And they're impactful bugs, right? These are not minor things. Execute Arbitrary Code with Kernel Privileges. Processing an image may result in disclosure of process memory. Somebody lost a fantastic exploit chain. Here's what happened. Yeah. Arbitrary code execution, arbitrary code execution, and arbitrary code execution with kernel privileges, of course. It just, oof.
Tom Bowyer: Yeah.
Yeah.
That's what it sounds like to me.
Jason Kikta: Out of Bounds Write, Buffer Overflow. This, to me, I was listening to a podcast that we all enjoy, the Risky Business podcast, and I was listening to last week's episode, and the host, Patrick Gray, talk about how the White House had put out that paper talking about memory safe vulnerabilities and how they had, and their reaction at first was the same as mine of,
You know, that's not a lot of exploitation these days because we see so many mass exploitation events that are really focused around misconfiguration and people who make their, you know, they don't focus enough on secure by default. The vendors don't focus enough on secure by default.
And so the, you know, the sort of secure development stuff is easy for people to sort of, uh, you know, say is, is not as high a priority, like it's important, but it's, you know, is it as high a priority to use memory safe languages? But. You know, they came back in last week's episode and said, you know, Hey, we were wrong because we went and we looked at the raw numbers and we had some points, you know, someone on our show did some further investigation, uh, Tommy ran actually do some additional investigation and like it is over half of.
security flaws these days are still memory related and related to memory safety. And we see it here in this image processing and image IO stuff where it's just, you know, improve memory handling, improve memory handling, out of down, out of bounds read, like it just buffer over buffer overflow, right? Like what, what decade is this like buffer overflow, but it's still happens today. And so, you know, I think that
Tom Bowyer: Yeah.
Yeah.
I'm sorry.
Jason Kikta: policy memo from the White House is right on. I know we've done a lot of talking about it at Automox of, of cleaning up the last vestiges of our non-memory safe languages and getting rid of them because it's just, it's too easy to make errors there. And I know we've, we spend a lot of time focused on ensuring those aren't on our product. And it's just, it's, it's very hard to do even with, you know, strong, well-trained developers and a robust security team.
like, and Apple certainly has those and yet these things happen.
Tom Bowyer: Yeah. It's, you know, it's hard to manage memory. Right. And I think that's why so many languages moved higher in the stack, because a lot of that stuff is abstracted away and you don't have to really manage memory anymore in some of the newer languages. And, you know, I get it. You know, it might not be as performant, right, once it's compiled. But, you know, I get it because, right.
Tom Bowyer: I shouldn't have to worry about my user opening a PDF and, you know, the Mac kernel overflows and they can put some shellcode in the image.
Jason Kikta: Yeah. And, and it's really hard when you're writing an operating system, right? When you're writing it, I mean, and look at modern operating systems like modern Windows, modern macOS are very performant on older hardware. You know, they last, they last a long time, much longer than they used to. Um, and a lot of work has gone into that and they, you know, to some extent it still relies on some memory unsafe languages.
So, you know, can they get away from it entirely? No. Will they ever get away from it completely? Probably not. But, you know, it's just, we've made so many advances in hardware that I think it's probably time for the industry. You know, I think the white house is right. And I think it's probably time for the industry to recoup some of those gains into migrating libraries that can handle it, you know, into something memory safe to prevent the sort of thing.
Tom Bowyer: Yeah. And, you know, speaking of memory, right. If, if we continue on this train of Apple goodness, you know, we get, we bet we get down the WebKit and I swear like the, this has sprinkles of, you know, Operation Triangulation from last year where they use that like five exploit chain and it was like some memory safety issues and PDF, right. Or it might've been image IO. I can't remember exactly, but you know,
Jason Kikta: Ha ha ha.
Mat Lee: Oh, WebKit.
Tom Bowyer: they went through like four or five vulnerabilities to, you know, attack Apple. And this kind of feels like a lot of the same, right? This WebKit stuff where web content may, processing web content may lead to arbitrary code execution, right? Like, is that not like just everyone's biggest fear where your user clicks on a link and a phishing email and you don't even have to get them to like execute something, right? They're just running Safari and, you know, have at them, right?
Tom Bowyer: And, you know, Mat, I'm curious your thoughts on, you know, a lot of this stuff and, you know, how we can kind of educate our users to some of these things without kind of putting on the paranoid hat and scaring them half to death, right?
Mat Lee: Yeah, I mean, it's interesting, right? Because, you know, there's so much research behind all these memory related vulnerabilities. And I think the first thing that came to mind when the White House issued that press release was, you know, what's the effort to actually move everything to a memory safe language, right? Is it just packages? Is it?
a full uplift of a whole application? Is it just moving everything over? So while I think that's a really interesting thing that they're doing, I don't know if it's gonna be realistic for a lot of orgs unless they're looking to maybe rebuild something potentially from the ground up, right? I guess it's all sort of dependent on the organization. But as far as users, right?
I mean, training is the hardest thing in cybersecurity, right? You can send out as many phishing campaigns, as many articles. I think it's balancing the technical with potentially showing what one of these things can do and explaining it to somebody who may not be as technical, where that's the hardest thing. So all of these things, it's a little worrisome, because just like you said, it's
a user could just go to a web page and download a file and then boom, bam, like your Mac is just kind of, I mean, it's rooted, right? So I mean, as much training as you can, but there's always going to be users that, you know, you send out phishing and they're, they're always the ones like first one to click on it. Right. And so it's, I don't know if there's a good answer for it besides maybe even like
Mat Lee: demos or something showing how this can be dangerous or something like that. Right.
Tom Bowyer: Yeah, agreed. And a lot of what you said kind of reminds me of, like two or three years ago, there was this big push in the industry from all of our Linux friends to rewrite the kernel in Rust, right? And Linus was like, who's gonna rewrite 30 million lines of code in Rust? You know? You know, that's just, it's just an undertaking like.
Jason Kikta: Yep, I remember that.
Yeah, I'll get right on that.
Tom Bowyer: know because the kernel is written you know mostly in C so right like
Jason Kikta: It's one of the things of like the best time to start was 10 years ago. The second best time to start is now. Right. It just, it's going to be painful. It's going to require a lot of work, but you know, this is necessary work that just needs to happen. And it's going to be interesting too, to see what happens in the software sector, because I think, you know, as we've discussed a lot of times, the companies like us that are prioritizing and have made it a priority for a long time are going to.
do really well and there's other companies out there that are, kind of in the position of being for lack of a better term, they're cash cows and so they're pretty stable, their feature stable. They've got an established market. They don't put a lot of, you know, work into updating and modernizing their product besides what is absolutely necessary. And when you have a major sea change, sea, sea change like this, it's necessary.
Tom Bowyer: Yeah.
Jason Kikta: It's beyond what their resource to do. And so some are going to have to make that investment and others are going to choose not to make that investment. It'll be interesting to watch the market forces play out because I think, I think the ones who aren't making it a priority are going to, are going to hurt in a bad, bad way over the next few years when the comparison becomes more stark.
Tom Bowyer: Yeah, you know, those security questionnaires will start rolling in like, is your product using memory safe languages? Yes or no. Right? Like that's just kind of the market forces. And
Jason Kikta: Uh-uh.
Yeah, there's going to be some ugly answers to those compliance questionnaires and I can't wait.
Mat Lee: Yeah, I wonder, I wonder also if people will prioritize certain parts of their apps, right? Or things that are running on computers. I mean, maybe, maybe there's just like parts of an agent or something that runs that you might just want to convert those pieces if possible, or prioritize those pieces, which are dealing with sensitive data or something along those lines, right?
Jason Kikta: I think we should, right?
Yeah, no, absolutely. I think that's, you know, you can look at a, at your stack and say, okay, what deals, you know, what's, what is user exposed, right? What can be touched by, by users or by, you know, outside entities that I can't control, what, like what's public facing, what's down, what's downloadable. What takes right input, not, you know, what, what process is input, right? Like start there. Those are the places to really begin, you know, most of.
The bugs that we see of any flavor these days has to do with, you know, taking input, right? Parsing, parsing is always, always a huge area for errors to turn into exploitable bugs. And so, you know, you start with those, those things, you build out a methodical plan to expand it and you just keep going. But if you don't make that investment, you know, and take it seriously and sustain it over time, you, you'll never get there.
Mat Lee: which comes back to the point of investing in a security team, right? Because plugging that all security team because developers, you know, they're going to develop and, you know, some are very security conscious, but it's just a lot of, I mean, that's why we exist, right? Is to advise, to help them prioritize and point out issues. So.
Jason Kikta: Yeah. It's. That's right. It's not overhead. It's table stakes.
Tom Bowyer: Yeah, it's true. That is the truth these days. Well, that's all the time we have for today. We thank you for listening to our Fix Tuesday podcast every Patch Tuesday. And if you're interested, there are other podcasts, you know, shout out to his CISO podcast. That's a great one. Um, and again, thanks everyone for joining in. We hope your week is.
Patch [FIX] Tuesday Takeaways
Apple's recent release notes reveal numerous security vulnerabilities, emphasizing the need for regular updates and patches.
Memory safety is a critical aspect of software development, and vulnerabilities related to memory handling and memory safety are still prevalent.
Educating users about security vulnerabilities and promoting secure practices can help mitigate risks.
Investing in a dedicated security team is essential for identifying and addressing vulnerabilities in a timely manner.
Start your free trial now.
By submitting this form you agree to our Master Services Agreement and Privacy Policy
