United States Government Security

US Developer's Workstation Exposed State Department's Network Data, Researchers Find (forbes.com)

Long-time Slashdot reader chicksdaddy writes: Sensitive systems and data for the U.S. Department of State could have been exposed by a third party development workstation running the eXide software, according to researchers for the hacking crew Sakura Samurai. According to a report in Forbes, the researchers took advantage of a new State Department Vulnerability Disclosure Program to look for security flaws in one of 8 wild-carded State Department domains included in the program. Using automated tools to do reconnaissance on one of the subdomains the State Department had included in its VDP, researcher Jackson Henry discovered a vulnerable workstation running the open source, web based eXide IDE. It was linked to a third party doing work for the State Department and contained a number of serious security holes including Cross Site Scripting (XSS), Remote File Inclusion (RFI), and Server Side Request Forgery (SSRF) flaws. All are powerful weapons in the hands of a sophisticated cyber adversary.

After reporting their findings to the State Department on April 27th, researcher Jackson Henry and Sakura Samurai received acknowledgement of their report on April 29th. The vulnerable endpoint in question was taken offline by the State Department by May 13th. Henry and Sakura Samurai then began working with the State Department on public disclosure of the vulnerabilities, while also communicating with the developers responsible for the open source project to get the flaws fixed, according to communications shared with Forbes.

The discovery of flaws buried in an open source development tool underscores the risks that federal agencies face as more and more government business shifts to the web. "The State Department can't audit every open source package it uses," Henry said. "That's why the VDP is such a big thing (and) a step in the right direction."

It is also an endorsement of the benefits of a quiet security revolution within the federal government in recent months, as agencies have responded to Binding Operational Directive 20-01, a new requirement from the CISA, the Cybersecurity and Infrastructure Security Agency, that Executive Branch agencies publish and maintain public vulnerability disclosure programs, or VDPs — a kind of front door for bug hunters and "white hat" cybersecurity professionals.

  • Using automated tools to do reconnaissance on one of the subdomains the State Department had included in its VDP, researcher Jackson Henry discovered a vulnerable workstation running the open source, web based eXide IDE. It was linked to a third party doing work for the State Department and contained a number of serious security holes including Cross Site Scripting (XSS), Remote File Inclusion (RFI), and Server Side Request Forgery (SSRF) flaws. All are powerful weapons in the hands of a sophisticated cyber adversary.

    Good thing open-source is following good practices keeping stuff like that out of the code. ;-)

  • by ytene ( 4376651 ) on Saturday August 07, 2021 @02:15PM (#61667301)
    From the article:-

    "After reporting their findings to the State Department on April 27th, researcher Jackson Henry and Sakura Samurai received acknowledgement of their report on April 29th. The vulnerable endpoint in question was taken offline by the State Department by May 13th. "

    On the face of it, this reporting suggests that details of multiple, serious vulnerabilities were identified on April 27th, acknowledged 2 days later... and then left on a publicly-accessible machine for another 16 days.

    A check of the linked page hosted by the State Department (which lists the in-scope domains) provides a list of what look to be production networks - i.e. this was not a case of the State Department offering white hat teams the chance to look over some test networks.

    If those vulnerabilities were as serious as the article suggests:-

    1. What is going on over at the State Department?
    2. Where did the person responsible for a 16 day delay in patching land, after they fired him out of a canon?
    • "Where did the person responsible for a 16 day delay in patching land, after they fired him out of a canon?"
      - If it was a contractor no one cares enough to check.
      - If it was a government employee they moved up to the next desk with a promotion and pay raise.
      • And what makes you think any patching actually took place? All it says was that "vulnerable endpoint in question was taken offline".
      • "Where did the person responsible for a 16 day delay in patching land, after they fired him out of a canon?"

        Actually, this is not uncommon. What do you do when you find a vulnerability in a piece of hardware or software? Just pull the plug and learn nothing, or do you monitor the device, watch for traffic in and out of the device, follow the source and destination of the traffic, etc?

        The instructions in our office when we find a compromised piece of equipment are to do nothing to the device and to contact the company's CIRT using a secure method so they can begin forensic analysis on the device. It is believab

    • 1. What is going on over at the State Department?

      It's the same thing that's going on in the DoD. They feel overwhelmed with the security requirements of modern software development, have no idea how to get things secure, and have basically given up at this point. As one person told me, "All our information has already been leaked, so what difference does it make?"

      None of this, of course, is the correct approach.

    • Where did the person responsible for a 16 day delay in patching land, after they fired him out of a canon?

      They fired him out of a camera?

      Actually, it's not that surprising. I've seen some Canon lenses that were the size of a small cannon.

  • by bobstreo ( 1320787 ) on Saturday August 07, 2021 @02:38PM (#61667333)

    someone to install "unapproved" software without a risk assessment, analysis and formal approval process?

    That's usually the tip of a slippery slope that leads to issues like this one.

  • > researcher Jackson Henry discovered a vulnerable workstation running the open source, web based eXide IDE.

    Fix can be downloaded here [microsoft.com]

  • "The State Department can't audit every open source package it uses,"

    They literally can audit every open source package they use.

  • > The discovery of flaws buried in an open source development tool underscores the risks that federal agencies face as more and more government business shifts to the web

    Has slashdot run out of anti-commie cyber BS?

    eXist-db 5.3.0 Source Code [github.com]
