
The Threat Show! Changing role of CISO with Peter Schawacker

Robert Wagner

Welcome to The Threat Show powered by Fletch. This week we break down major threats you need to know about if you’re using Apple devices, SQLite, or Microsoft Azure. Host Robert Wagner interviews Peter Schawacker, a cybersecurity veteran of a quarter century, about the changing role of CISO and where things are headed.

Stranger Strings: An exploitable flaw in SQLite! 

(02:01)

A newly discovered vulnerability in SQLite (a commonly used database that is packaged tightly inside applications) has actually been around for 22 years. At best it can lead to denial of service, and at worst it can trigger remote code execution.

Mitigation: Update all your apps that use SQLite. If you’re running critical apps and are afraid to patch, this might be a tricky process, but you don’t want to expose yourself to this vulnerability. 

Darien: “This is a supply chain vulnerability, your main app isn’t what’s at risk, it’s the dependent libraries (SQLite).” 

Robert: “If it’s been around for 22 years, is it really undiscovered, or did people discover and keep a tight lid on it?”

Darien: “It’s not like you can put a web application firewall in front of SQLite like a typical database, because it’s designed to be embedded into an application stack.”

CVEs: CVE-2022-35737

Apple fixes new zero-day used in attacks against iPhones, iPads

(05:40)

Apple released iOS 16.1, which includes a fix for a new zero-day vulnerability. There is no evidence that this vulnerability has been used to compromise systems in the wild, but now that the word is out, threat groups might be motivated to attempt to exploit it.

Mitigation: The patch is available but won’t be applied automatically; you have to manually kick off the update process. In the future this will be less of an issue, as iOS 16.1 has a security rapid release mechanism that deploys patches quickly to devices connected to the internet.

Darien: “This (iOS 16.1’s security rapid release mechanism) will help address these issues faster in the future, but it doesn’t affect you now because iOS 16.1 is the minimum version you need to have this feature. It’s a bit of a chicken and egg problem.”

Chris: “Apple is a victim of unintended consequences; every time Apple comes out with something it breaks a whole series of apps.”

CVEs: CVE-2022-32917, CVE-2022-32894, CVE-2022-32893, CVE-2022-22674, CVE-2022-22675, CVE-2022-22587, CVE-2022-22594, CVE-2022-42827

Microsoft Azure SFX bug let hackers hijack Service Fabric clusters

(11:48)

Microsoft Azure’s Service Fabric Explorer version 1 (SFXv1) has a recently discovered flaw that is hard to detect and can allow attackers to gain full administrative rights to all the resources controlled by this component. Microsoft has deprecated v1 and told users to switch to v2, but if you didn’t hear about that change you could be vulnerable to this and future attacks.

Mitigation: There is a patch for v1, but Microsoft won’t be proactively auditing the v1 code. If you’re on version 1, go to version 2. If you’re dependent on v1, you might have to wait until Microsoft forces the update.

Chris: “That’s part of the ethos of Microsoft, force everybody to update.”

CVEs: CVE-2022-35829