A new vector for exploiting a vulnerable version of Google SLO Generator has been discovered, which facilitates remote code execution (RCE). It allows an attacker to gain access to the system and deploy malicious code as if it came from a trusted source inside the network.
Google SLO Generator is a Python library widely used by engineers who want to track the performance of their web API. The tool is used by thousands of Google services, but before a September 2021 patch, it harbored dangerous and exploitable functions, potentially exposing user input data.
Michael Assraf, co-founder and CEO of Vicarius, explains that this route to exploitation was previously unheard of and gives attackers a new way to exploit outdated versions, with consequences worse than mere information disclosure.
It’s unclear how many of the more than 167,000 apps using this library are running vulnerable versions, according to Vicarius, who released a report detailing the attack path. Users who have updated the code will not be exposed to this attack, but that said, unpatched vulnerabilities are still the most common way companies can be successfully attacked.
Assraf also raises the issue of potentially problematic workarounds as security researchers discover new vectors to exploit vulnerable software instances. Developers often use workarounds to protect against known exploits rather than rolling out a systematic update/patch.
“Developers who fall into this category will be vulnerable to this new exploit, as well as anyone who hasn’t deployed the patch yet,” he says.
Millions of unpatched devices remain a problem
Externally accessible vulnerabilities are expected to remain a favorite attack vector for cybercriminals in the future. A report released this week by Rezilion found that vulnerabilities as old as a decade remain unpatched in software and internet-connected devices.
The study identified more than 4.5 million internet-connected devices that remain open to vulnerabilities discovered between 2010 and 2020. The report also identified active scan and exploit attempts against most of these vulnerabilities.
Yotam Perkal, Director of Vulnerability Research at Rezilion, explains that there are multiple reasons why unpatched vulnerabilities are so common.
“First, many organizations with less mature security programs don’t even have visibility into the vulnerabilities they have in their environment,” he explains. “Without the proper tooling and vulnerability management processes in place, they’re basically blind to risk and can’t fix what they don’t know.”
Second, even for organizations with mature vulnerability management processes, patching presents a challenge: it requires considerable time and effort and can often lead to unforeseen patch compatibility issues.
“With the steady increase in the number of new vulnerabilities discovered every year, organizations are simply struggling to keep up,” he explains.
Unpatched vulnerabilities are a major security concern
Assraf calls unpatched vulnerabilities one of the largest, most pervasive, and most fixable security issues across the board, and for a multitude of reasons.
“This problem transcends industry and company size, although larger companies are generally more vulnerable due to the sheer volume of systems and users in place,” he adds.
He points out that there are also new vulnerabilities popping up daily, so dealing with “zero vulnerabilities” is a bit of a pipe dream.
Also, large-scale updates sometimes break things and create unintended consequences and compatibility issues, leaving many people to take a “If it ain’t broke, don’t fix it” stance.
“The problem is it’s broken, you just don’t see the crack in the armor until you’ve been breached,” Assraf warns. “Other common issues are visibility, shadow IT, and distributed teams that lead to ownership complications.”
From his perspective, visibility is the first step to getting vulnerabilities and patches under control, because you can’t fix what you don’t know is broken.
“Having an accurate and continuously updated inventory of all assets and devices in your environment is an essential first step,” he explains.
Then you have to know how to prioritize available updates for those systems and assets, which is a common place where companies fall short and the volume starts to just become noise.
Perkal says he thinks the key to being more proactive about unpatched vulnerability risks is awareness.
“Once you’re aware of the risk, make sure you have the right processes and tools in place that will allow you to take effective action,” he says. “Ultimately, applying an existing patch to a known vulnerability that is known to be exploited in the wild should be the easy part of good security hygiene.”
A July report from Palo Alto Networks’ Unit 42 also suggested attackers play favorites when considering which software vulnerabilities to target.
Fixing the patching problem with business context
Assraf says it’s common to prioritize by criticality with major frameworks like CVSS, which assign severity ratings to known vulnerabilities — several security vendors also assign their own black box rating systems.
“What’s important to consider, and where this step – and vendors – often fail, is the business context,” he says.
It is therefore important to focus on the potential threats that will have the greatest impact on your unique digital environment, not necessarily a third-party rating assigned without context.
“The most mature organizations will then automate the remediation process based on this context, updating the most critical systems while minimizing downtime and impact through strategic deployment planning,” says Assraf.
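The argument above, that a CVSS-only queue and a context-aware queue put very different systems at the top, can be made concrete. The following is an added illustration, not code from Vicarius or Rezilion; the weights, the placeholder identifiers and the sample inventory are constructed assumptions.

```python
"""Vulnerability triage: CVSS-only ranking vs. ranking with business context.

Added illustration. Scoring weights and sample findings are constructed
assumptions, not a vendor's algorithm.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                # placeholder identifier, not a real CVE number
    asset: str
    cvss: float             # CVSS base score, 0.0-10.0
    exploited_in_wild: bool
    internet_exposed: bool
    asset_criticality: int  # 1 (lab box) .. 5 (revenue-critical)


# Constructed sample inventory: similar base scores land on very different assets.
FINDINGS = [
    Finding("CVE-PLACEHOLDER-A", "billing-api", 7.5, True, True, 5),
    Finding("CVE-PLACEHOLDER-B", "dev-laptop-42", 9.8, False, False, 1),
    Finding("CVE-PLACEHOLDER-C", "marketing-cms", 8.1, True, True, 3),
    Finding("CVE-PLACEHOLDER-D", "internal-wiki", 9.8, False, False, 2),
]


def cvss_only(findings):
    """Naive queue: highest CVSS base score first (ties keep input order)."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def business_context_score(f: Finding) -> float:
    """Weight the base score by facts only the owning organisation knows.

    Known exploitation and internet exposure are multiplicative because they
    turn a theoretical weakness into a reachable, weaponised one; asset
    criticality scales the impact side. The weights are assumptions."""
    score = f.cvss * (f.asset_criticality / 5)
    if f.exploited_in_wild:
        score *= 2.0
    if f.internet_exposed:
        score *= 1.5
    return round(score, 2)


def with_business_context(findings):
    """Context-aware queue: highest business-context score first."""
    return [f.cve for f in sorted(findings, key=business_context_score, reverse=True)]


if __name__ == "__main__":
    print("CVSS only:       ", cvss_only(FINDINGS))
    print("Business context:", with_business_context(FINDINGS))
```

With this inventory the CVSS-only queue starts with a developer laptop and ends with the exposed, actively exploited billing API; the context-aware queue reverses that.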
Perkal points out that most of the code running in an organization comes from various third parties, whether open source or commercial.
“While this allows organizations to focus on their core business logic and release code faster, it also introduces security risk in the form of software vulnerabilities,” he explains. “Fixing everything just isn’t feasible.”
In his view, attack surface management platforms that can intelligently prioritize the most important vulnerabilities, and automate some of the mitigation and remediation work, can help organizations address this risk effectively.
“The most concerning thing I learned from the research is that these old, known and exploitable vulnerabilities are still as pervasive as ever,” he adds. “It’s particularly concerning because it’s likely that the same analysis we’ve done is also being conducted by attackers, and by leaving this huge attack surface vulnerable, we’re making it easier for them.”