[BreachExchange] Security Bytes #1: Vulns, Lists, and Zoom

Destry Winant destry at riskbasedsecurity.com
Tue May 19 10:01:30 EDT 2020


https://www.riskbasedsecurity.com/2020/05/14/security-bytes-1-vulns-lists-and-zoom/

Vulnerabilities in major security software, abandoned mailing lists,
and security issues in Zoom: many events are developing within the
security industry that you should be aware of, and we want to capture
them as they unfold.

Everything is Vulnerable, Including Security Software

For those recovering from the aftermath of our second Vulnerability
Fujiwhara, you hopefully noticed that in addition to the usual
culprits of big releases, McAfee and IBM decided to join the fray.
What makes them particularly interesting is that they released 24
fixes for security software between them; 11 for McAfee in their
Endpoint Security (ENS) software and 11 for IBM in their QRadar SIEM.
That brings the total number of vulnerabilities in security software
to 7,590, or 3.3% of all disclosures.

That should concern all of us. Consider that if a security device like
a SIEM or a managed vulnerability scanner such as Tenable Nessus gets
compromised, the attackers not only have a wealth of knowledge about
vulnerabilities in your organization, but they may be able to leverage
it to directly compromise additional machines with credentials used by
that software to do authenticated scanning. Ouch.

SecurityFocus / BID / Bugtraq Mail List Shuttering?

In November 2019, Art Manion from CERT notified us that Symantec
appeared to have stopped updating its public BID database in July.
Despite its 27-year history, it has remained untouched for nearly a
year; the last entry, BID 109383, was published on July 26, 2019. Some
time after that, we also noticed that the venerable Bugtraq mailing
list hasn't had posts approved since February 24, 2020.

On December 2, 2019, we reached out to Symantec via Twitter about BID
not being updated but they did not reply. A subsequent email was then
sent to the BID contact email address asking for comment but it
bounced as the “address couldn’t be found”. An email sent to the
Bugtraq list admin also bounced. However, our third email that was
sent to the webmaster didn’t bounce, but we honestly aren’t hopeful
that we will receive a reply. And if you are reading this line, they
did not reply by the time we published this blog.

As for Bugtraq itself, the list was created in November 1993 by Scott
Chasin and became the de facto place to disclose vulnerabilities for
many years. After Chasin, Elias Levy took over list moderation duties
until 2001, and during his tenure the list transitioned to
SecurityFocus. In August 2002, Symantec acquired SecurityFocus, and
Symantec's threat analysts took over moderation in subsequent years.

Since inception, Bugtraq has produced almost 80,000 posts; its highest
traffic month was July 2001, with 776 posts. Given the history of the
list and the value it has brought to the community, RBS sincerely hopes
that Symantec will pass the torch to someone else willing to continue
its legacy.

Zoom vs Webex Follow-up

Zoom, ZOOM, zoom. By now almost everyone is familiar with the security
and privacy issues affecting Zoom; it is hard not to be. These days,
every publication and security researcher has offered a "hot take" on
the state of Zoom and whether it is safe to use, and so have we.

For an extremely comprehensive analysis on Zoom’s security and privacy
issues, check out our prior blog. For those who are knowledgeable on
the topic, you may have noticed that despite the coverage, there
haven’t been any widely adopted suggestions on an alternative product.
Perhaps the main reason for this is that many alternative products
suffer from the same kind of vulnerabilities and issues, or are simply
not well-known.

People have been asking us which video conference app is "safer", but
the answer depends on your organization's risk profile. When assessing
and counting vulnerabilities, be careful not to inflate Zoom's count
with records that belong to other vendors. If you are researching
"Zoom", base your decisions on "Zoom.us". Be aware that there is also
"ZOOM International" (note the all-caps), an entirely different company
with its own logo, headquarters, and set of distinct vulnerabilities.
Many other vendors use "zoom" somewhere in their product names as well,
which makes a keyword-based assessment tricky.
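The pitfall above is a matching problem: a free-text search for "zoom" counts everything that mentions the word, while the structured vendor/product fields of a CPE 2.3 name separate Zoom.us from every other vendor with "zoom" in its name. The example below is added here to illustrate that difference and is not code from Risk Based Security; the records are constructed for the example, and every vendor and product name other than zoom:zoom is a placeholder rather than a real CPE dictionary entry.

```python
"""Count vulnerability records per vendor/product from their CPE 2.3 name
instead of a free-text keyword match.

Added example, not code from the Risk Based Security post. RECORDS below is
constructed; the vendor/product names other than zoom:zoom are placeholders.
"""
from __future__ import annotations

from collections import Counter
from typing import Iterable, Tuple

# Constructed sample of (record title, CPE 2.3 formatted string) pairs, in the
# shape a vulnerability aggregator might store them. Records 4 and 5 are
# other vendors whose names contain "zoom"; record 6 is an unrelated product.
RECORDS = [
    ("constructed record 1", "cpe:2.3:a:zoom:zoom:4.6.8:*:*:*:*:windows:*:*"),
    ("constructed record 2", "cpe:2.3:a:zoom:zoom:4.6.9:*:*:*:*:macos:*:*"),
    ("constructed record 3", "cpe:2.3:a:zoom:zoom:4.6.10:*:*:*:*:macos:*:*"),
    ("constructed record 4", "cpe:2.3:a:zoom_international:placeholder_recorder:5.0:*:*:*:*:*:*:*"),
    ("constructed record 5", "cpe:2.3:a:example_vendor:photo_zoom:2.1:*:*:*:*:*:*:*"),
    ("constructed record 6", "cpe:2.3:a:cisco:webex_meetings:40.1:*:*:*:*:*:*:*"),
]


def split_cpe23(cpe: str) -> list[str]:
    """Split a CPE 2.3 formatted string on unescaped colons.

    A backslash escapes the following character, so a vendor written as
    'foo\\:bar' stays one field instead of being split in two.
    """
    fields: list[str] = []
    current: list[str] = []
    i = 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            current.append(cpe[i:i + 2])  # keep the escape pair verbatim
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def vendor_product(cpe: str) -> Tuple[str, str]:
    """Return the (vendor, product) fields of a CPE 2.3 name.

    CPE 2.3 has exactly 13 colon-separated fields:
    cpe:2.3:part:vendor:product:version:update:edition:language:
    sw_edition:target_sw:target_hw:other
    """
    fields = split_cpe23(cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return fields[3], fields[4]


def count_by_vendor_product(records: Iterable[Tuple[str, str]]) -> Counter:
    """Structured count: one bucket per exact (vendor, product) pair."""
    return Counter(vendor_product(cpe) for _, cpe in records)


def naive_keyword_count(records: Iterable[Tuple[str, str]], keyword: str = "zoom") -> int:
    """What a free-text search does: case-insensitive substring match over
    the title and the raw CPE string. Over-counts whenever another vendor
    or product happens to contain the keyword."""
    kw = keyword.lower()
    return sum(1 for title, cpe in records if kw in title.lower() or kw in cpe.lower())


if __name__ == "__main__":
    structured = count_by_vendor_product(RECORDS)
    print("keyword 'zoom' matches:", naive_keyword_count(RECORDS))
    print("zoom:zoom records:     ", structured[("zoom", "zoom")])
    for (vendor, product), n in sorted(structured.items()):
        print(f"  {vendor}:{product} -> {n}")
```

On the constructed sample the keyword search reports five "Zoom" records while only three belong to vendor zoom, product zoom; the other two are ZOOM International and an unrelated product with "zoom" in its name. When comparing products, count on the structured vendor/product pair and treat any keyword-based figure as an upper bound that needs manual review.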

The good news is that our data provides the insight needed to arrive
at a decision. Here is a quick snippet of the vulnerabilities disclosed
in 2020 for Zoom.us and for Webex, the incumbent many organizations
are returning to:

Zoom.us – 5 vulnerabilities in 2020, with 3 being disclosed in April.
Webex – 7 vulnerabilities in 2020, with 2 being disclosed in April.

We have already seen many organizations defaulting back to Webex due
to their concerns over Zoom amid the media frenzy. However, some
organizations making this switch may not be aware that Webex has its
own glaring security concerns. Among the Webex vulnerabilities
disclosed in 2020, the highest CVSS score was 9.3, and, like Zoom,
Webex has had its own version of Zoombombing.

As we mentioned in our Zoom article, organizations should take a
risk-based approach to choosing the right product. Recently, Zoom
announced that it had acquired Keybase to work towards "truly private"
end-to-end encryption. Until that project is completed, current users
will have to settle for AES-GCM with 256-bit keys, with the meeting
keys managed by Zoom's infrastructure rather than only by the
participants; the cipher itself is not the weakness, the key custody
is. If your organization is still unsure which video conference
platform to use, the NSA has released a set of guidelines on the
requirements it should meet. But whatever you do, make sure you
actually do your research.
