This Week in Cybersecurity: May 01-07, 2022

Major News Stories

  • The drama of the April 15 Heroku security incident continues.
    • Initially, details surrounding the incident were light; however, this week, Heroku posted the following update:

      On April 7, 2022, a threat actor obtained access to a Heroku database and downloaded stored customer GitHub integration OAuth tokens. Access to the environment was gained by leveraging a compromised token for a Heroku machine account. According to GitHub, the threat actor began enumerating metadata about customer repositories with the downloaded OAuth tokens on April 8, 2022. On April 9, 2022, the attacker downloaded a subset of the Heroku private GitHub repositories from GitHub, containing some Heroku source code.

      GitHub identified the activity on April 12, 2022, and notified Salesforce on April 13, 2022, at which time we began our investigation. As a result, on April 16, 2022, we revoked all GitHub integration OAuth tokens, preventing customers from deploying apps from GitHub through the Heroku Dashboard or via automation. We remain committed to ensuring the integration is secure before we re-enable this functionality.

      Separately, our investigation also revealed that the same compromised token was leveraged to gain access to a database and exfiltrate the hashed and salted passwords for customers’ user accounts. For this reason, Salesforce is ensuring all Heroku user passwords are reset and potentially affected credentials are refreshed. We have rotated internal Heroku credentials and put additional detections in place. We are continuing to investigate the source of the token compromise.

    • As a result of the above disclosure, Heroku this week forced a password reset for all users.
  • New work by US / Israeli security researchers aims to demonstrate that Apple’s M1 chipset may be vulnerable to Spectre-like data leakage.
    • Recall that Spectre is the name of a security vulnerability that exploits Intel processors’ speculative execution pipeline. Speculative execution was designed to improve performance, but in 2018 it came to light that an attacker could leverage it to leak private information.
    • Researchers created https://www.prefetchers.info to highlight similar concerns with Apple’s new M1 chipset.
    • Currently, the attack is mostly conceptual and “not that bad”, but it will be worth keeping an eye on in the coming months.
  • A few interesting deep-dive reads from the week:

Other Software with Critical Patches Available

  • Zoom: Several patches for high-severity bugs landed this week.

Learning – Understanding CVEs

Next week, we’ll start a deep-dive into a Rails CVE, but first it seems like we should answer the question - what exactly is a “CVE”?

CVE stands for “Common Vulnerabilities and Exposures”. It is a publicly available list of unique identifiers for software vulnerabilities. The list was first published in September of 1999 and is managed by the MITRE Corporation.

When a software vulnerability is discovered and reported, it can be assigned a CVE identifier by a CVE Numbering Authority (CNA). Some well-known CNAs include Red Hat, IBM, Cisco, Oracle, and Microsoft.

CVEs are assigned a severity score using the Common Vulnerability Scoring System (CVSS), an open standard for rating how severe a vulnerability is. The CVSS uses a scale of 0.0 (least severe) to 10.0 (most severe). CVE entries are also given a CVE ID in the format CVE-YYYY-<ID number here>. For example, the first Ruby on Rails CVE was published in August of 2006 and was given the ID of CVE-2006-4111.
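
As an added illustration (not part of the original debrief), here is a small Python helper of the kind used in triage tooling: it validates CVE IDs against MITRE's current syntax (four-digit year, then a sequence number of at least four digits with no upper bound, a rule in effect since 2014) and maps a CVSS v3.x base score to the qualitative ratings defined by that specification. Neither the syntax rule nor the rating bands are stated on this page; both come from the CVE and CVSS v3.x specifications.

```python
import re
from typing import NamedTuple, Optional

# CVE ID syntax (MITRE, in effect since 2014): "CVE-", a four-digit year,
# a hyphen, then a sequence number of at least four digits, unbounded length.
_CVE_ID_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")


class CveId(NamedTuple):
    year: int
    sequence: int


def parse_cve_id(text: str) -> Optional[CveId]:
    """Return (year, sequence) for a well-formed CVE ID, else None.

    Surrounding whitespace and a lowercase prefix are tolerated because IDs
    are often pasted from tickets or chat; anything else is rejected.
    """
    m = _CVE_ID_RE.match(text.strip().upper())
    if m is None:
        return None
    year = int(m.group("year"))
    if year < 1999:  # the CVE list began in 1999; no earlier year is valid
        return None
    return CveId(year, int(m.group("seq")))


def cvss_v3_rating(score: float) -> str:
    """Map a CVSS v3.x base score (0.0-10.0) to its qualitative severity.

    Bands from the CVSS v3.x spec: None 0.0, Low 0.1-3.9, Medium 4.0-6.9,
    High 7.0-8.9, Critical 9.0-10.0. Comparisons use the band boundaries
    directly so any float in range lands in exactly one band.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


if __name__ == "__main__":
    # The page's example ID; the score is a constructed sample, not its real one.
    print(parse_cve_id("CVE-2006-4111"), cvss_v3_rating(6.8))
```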

We’ll take a look at CVE-2006-4111 in more detail next time. In the meantime:

Sources & Resources

The following were used or referenced when preparing this debrief.


Thanks for reading, stay safe out there, and have a great weekend! 👩🏼‍💻 🌐 🧑🏾‍💻

Written on May 6, 2022 by Alex Smith

At Maxwell, we live our values (ROCKS) every day. Come tackle worthwhile challenges and make impactful change with us.