
CramHacks Chronicles #37: Weekly Cybersecurity Newsletter!

My take on transitive vulnerabilities, Pinning GitHub Actions, Ebury backdoor, Supply Chain Steganography, CVE Enrichment

🥳 Happy Monday! 🥳

I hope you’re having a great week thus far. I want to introduce you to our new puppy, Nalu, whom we adopted this past weekend 🐕️. In only three days, she has already introduced us to new adventures 🤣.

I was on the Absolute AppSec Podcast with Seth Law and Ken Johnson! Watch the video below for my take on the software supply chain industry.

🎤 🎤 🎤 Next week, I’m excited to be on the Unscripted Podcast with David Raviv! Again, talking about my love, software supply chain security 😈.

General News

Overrated and underperforming: transitive reachability analysis
This is my latest Semgrep blog post! Check out some of my latest points for why transitive vulnerabilities are a money pit and why vendors selling you on transitive reachability are the ones with the shovel.

👋 My research on transitive vulnerabilities has been enlightening. Reachability does not equal exploitability, but you’d kind of hope it is somewhat close. None of the 100+ reachable transitive vulnerabilities (found via call graph analysis) I’ve triaged were even questionably exploitable.

Who is pinning GitHub Actions?
Fabian Kammel created this GitHub project to collect data on the top 10,000 GitHub repositories (by stars) and assess which follow GitHub’s best practice when using third-party actions, which states, “Pin actions to a full-length commit SHA.”

👋 Only ~2% were found to have third-party actions fully pinned!

Open Charter gives open source users predictability amidst the licensing change trend
Sid Sijbrandij discusses the trend of OSS companies like HashiCorp and Redis transitioning from open-source to non-compete licenses, advocating for OCV’s Open Charter: “a legal statement of a company’s commitment to open source that protects open-source code as a public benefit.”

Malware / Exploits

Linux maintainers were infected for 2 years by SSH-dwelling backdoor with huge reach
From 2009 to 2011, malware infected at least four servers inside kernel.org and stole encrypted passwords for 551 user accounts; attackers cracked about half of these passwords and used the servers for malicious activities like spamming. The malware, Ebury, exploited the OpenSSH service to create backdoors on infected hosts, enabling remote root access and the theft of additional SSH credentials.

👋 Why is this relevant to today? Ebury may have been discovered 15 years ago, but it is still chugging along, having backdoored nearly 400,000 Linux, FreeBSD, and OpenBSD servers.

Malicious Go Binary Delivered via Steganography in PyPI
Phylum detected malicious PyPI packages “requests-darwin-lite” and “ml-linear-regression” using disguised binaries within large media files, exploiting Python’s cmdclass for targeted system attacks.

👋 Either they’re getting smarter, or Phylum is getting better at detecting these. Kudos to the Phylum Research Team; I always seem to be singing their praises.

R Programming Language: Statement on CVE-2024-27322
The R Core Team has fixed a serialization bug (CVE-2024-27322) involving unbound promises created by deserializing manipulated files in R 4.4.0.

👋 Language vulnerabilities are always interesting. As the blog post mentions, “The ability to write malicious code in R does not imply that the language itself is insecure.” Therefore, is it the responsibility of the language maintainers to remediate these? Or should they just be seen as weaknesses in the language that developers need to account for? 🤯

Open Source

Enhancing Open Source Security: Introducing Siren by OpenSSF
Siren is a centralized platform introduced by the Open Source Security Foundation (OpenSSF) and includes open-source threat intelligence sharing, real-time updates on threats, unrestricted communication under TLP:CLEAR guidelines, and a community-driven approach to enhance collective cybersecurity defense.

👋 I suspect shared threat intelligence in the open-source space can be majorly impactful with enough contributors.

Trail of Bits: A peek into build provenance for Homebrew
Joe Sweeney and William Woodruff announce that the core work to support cryptographically attesting to all bottles built in the official Homebrew CI is now in public beta. As a result, bottles built there come with a verifiable statement and the metadata needed for SLSA Build L2 compatibility.

dependabot-core is now open source with an MIT license
This is the component of Dependabot that contains the logic to create pull requests for dependency updates and enables other GitHub Dependabot features, including grouped updates and auto-triage rules.

👋 Thank you, GitHub 🙏

Vulnerability Management

A Deep-dive into Exploit Prediction Scoring System (EPSS) — Part 1
Vishal Garg outlines the EPSS model, covering its development, historical context, core elements, and the potential benefits for organizations incorporating EPSS into their vulnerability management strategies.

CVE Record Format version 5.1.0
The latest updates to the CVE Record Format (version 5.1.0) and CVE Services (version 2.3.0) introduced support for CVSS version 4.0. Also, the updates include support for single product IDs and a range of other product identifiers such as UPC, GTIN, GMN, Package URLs, and SKUs, enhancing the precision in tracking and managing vulnerabilities across different products.

👋 Support for pURLs is pretty big. It seems that folks are now more enticed to go straight to the source for vulnerability data, as opposed to the NVD.

CISA’s ‘vulnrichment’ aims to fix the NVD
CISA’s “Vulnrichment” initiative enhances CVE records by adding Common Platform Enumeration (CPE) for specific identification, Common Vulnerability Scoring System (CVSS) for risk assessment, Common Weakness Enumeration (CWE) for categorizing types of vulnerabilities, and Known Exploited Vulnerabilities for highlighting actively exploited threats.

👋 The GitHub project has a note: “Of all the enriched data types, consistent and universal software identification, currently in the form of CPE, is the most difficult to accurately generate and maintain.”

Why is it the most difficult to generate and maintain? Because it’s stupid. That’s why 🙂. Get rid of it so we can move on with our lives. Do you use CPEs? I’d like to learn more about use cases and maybe have someone change my mind about this.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle