Using Application and User Agent Fingerprinting to Mitigate Risk
Wanted: A New Way to Manage Software Risk
All software applications have vulnerabilities, whether known or unknown. Case in point: at the bottom of this blog post I have attached an advisory from the Center for Internet Security about vulnerabilities in the Google Chrome browser. I could just as easily have provided security notes about Safari, Microsoft Edge, Internet Explorer, Microsoft Windows or many other pieces of software. No software will ever be fully free of issues.
Given that reality, the challenge for security teams is to manage this risk appropriately while continuing to do business. You cannot shut down your business every time there’s a published vulnerability that could possibly affect your users or infrastructure.
Enter Application Intelligence
So, how do you manage software risk while continuing to do business? A new method is to use application intelligence, filtering and metadata.
Let’s say that a security organization has published a list of exploitable browser issues like the advisory reproduced below. Using Gigamon Application Intelligence capabilities, the security administrator could define a regular expression (regex) over the HTTP User-Agent header that captures every browser version affected by the vulnerability. Two caveats apply to any such match: the User-Agent header is supplied by the client and can be spoofed, so this is a risk-reduction control rather than hard enforcement, and the header is only visible in cleartext HTTP or after TLS decryption.
The administrator would then map the traffic matching that regex to a different tool path. As one example, the tool path could forward to a web proxy for intercept. Using an intercept path, the security team could then serve a portal page listing download links for approved software.
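The following is an added example, not Gigamon code and not part of the original post, showing what the regex from the scenario above has to look like for the advisory reproduced below ("Google Chrome versions prior to 77.0.3865.90") and how to check it. Because a regex has no notion of "less than", the version threshold is spelled out as digit ranges, which is easy to get wrong; the example therefore cross-checks the regex against a plain numeric comparison at the boundary versions. It also shows the one false-positive class a practitioner should expect: Chromium-based browsers such as Edge and Opera carry a Chrome/ token too, followed by their own Edg/ or OPR/ token. All User-Agent strings and the classify/route labels are constructed for illustration.

```python
import re

# Added example (not Gigamon's code). Fixed version from the CIS advisory:
# Chrome versions prior to 77.0.3865.90 are affected.
FIXED_VERSION = (77, 0, 3865, 90)

# Hand-built regex for "Chrome/<version> with version < 77.0.3865.90".
# Alternatives: major 0-76; 77.0 with build 0-3864; 77.0.3865 with patch 0-89.
# The trailing (?!\d) stops "77.0.3865.8" from matching inside "77.0.3865.89x".
VULNERABLE_CHROME_RE = re.compile(
    r"Chrome/(?:"
    r"(?:\d|[1-6]\d|7[0-6])\.\d+\.\d+\.\d+"
    r"|77\.0\.(?:\d{1,3}|[12]\d{3}|3[0-7]\d{2}|38[0-5]\d|386[0-4])\.\d+"
    r"|77\.0\.3865\.(?:\d|[1-8]\d)"
    r")(?!\d)"
)

CHROME_TOKEN_RE = re.compile(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Chromium-based browsers send a Chrome/ token and append their own token after it.
DERIVATIVE_TOKENS = ("Edg/", "OPR/")


def chrome_version(user_agent):
    """Return the Chrome/ version as a tuple of ints, or None if there is no Chrome token."""
    m = CHROME_TOKEN_RE.search(user_agent)
    return tuple(int(part) for part in m.groups()) if m else None


def is_vulnerable_by_compare(user_agent):
    """Reference check: numeric tuple comparison against the fixed version."""
    version = chrome_version(user_agent)
    return version is not None and version < FIXED_VERSION


def is_vulnerable_by_regex(user_agent):
    """What a regex-only filter, as in the scenario above, would flag."""
    return VULNERABLE_CHROME_RE.search(user_agent) is not None


def is_chromium_derivative(user_agent):
    return any(token in user_agent for token in DERIVATIVE_TOKENS)


def classify(user_agent):
    """Hypothetical routing decision: 'pass', 'redirect' (to the portal) or 'derivative'."""
    if not is_vulnerable_by_regex(user_agent):
        return "pass"
    # Flagged by the Chrome/ regex but really Edge/Opera: the engine build is still a
    # fair indicator, but the vendor fix ships on its own schedule, so route separately.
    if is_chromium_derivative(user_agent):
        return "derivative"
    return "redirect"


def regex_agrees_with_compare(versions):
    """Cross-check the hand-built regex against numeric comparison for each version tuple."""
    for v in versions:
        ua = "Mozilla/5.0 Chrome/%d.%d.%d.%d Safari/537.36" % v
        if is_vulnerable_by_regex(ua) != is_vulnerable_by_compare(ua):
            return False
    return True


# Boundary versions around every digit-range edge in the regex (constructed).
BOUNDARY_VERSIONS = [
    (7, 0, 0, 0), (9, 9, 9, 9), (70, 0, 0, 0), (76, 0, 3809, 132),
    (77, 0, 999, 5), (77, 0, 1000, 0), (77, 0, 2999, 1), (77, 0, 3799, 0),
    (77, 0, 3800, 0), (77, 0, 3859, 0), (77, 0, 3860, 0), (77, 0, 3864, 999),
    (77, 0, 3865, 0), (77, 0, 3865, 9), (77, 0, 3865, 89), (77, 0, 3865, 90),
    (77, 0, 3865, 100), (77, 0, 3866, 0), (77, 1, 0, 0), (78, 0, 0, 0),
    (100, 0, 4896, 60),
]

# Constructed sample User-Agent strings, not captured traffic.
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Edg/76.0.167.1",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0",
]

if __name__ == "__main__":
    print("regex agrees with numeric comparison:", regex_agrees_with_compare(BOUNDARY_VERSIONS))
    for ua in SAMPLE_USER_AGENTS:
        print(classify(ua), chrome_version(ua), ua)
```

The cross-check is the part worth keeping in practice: whenever the advisory threshold changes, regenerate the digit ranges and run the boundary list again before pushing the regex into the traffic path, since an off-by-one in a range silently drops the boundary build onto the wrong tool path.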
Taking the Example Further
Gigamon Application Intelligence really shows its flexibility when you combine the above scenario with a secondary concern. What if, for example, the browser is on a guest laptop not controlled by the internal IT organization? You probably don’t want to force that traffic to an internal portal.
Because Gigamon Application Intelligence is an integral part of the full Gigamon filtering and security stack, the IT organization could instead exclude guest network traffic from the path that has the browser-version regular expression applied. Boom: you’ve solved two problems easily and effectively without unduly burdening day-to-day business. The Gigamon Community has an entire group devoted to discussing Application Intelligence. Take a look for tips and ideas, or leave your own.
SUBJECT: Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution
OVERVIEW:
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.
THREAT INTELLIGENCE: There are currently no reports of these vulnerabilities being exploited in the wild.
SYSTEMS AFFECTED:
- Google Chrome versions prior to 77.0.3865.90
RISK:
Government:
- Large and medium government entities: High
- Small government entities: Medium
Businesses:
- Large and medium business entities: High
- Small business entities: Medium
Home users: Low
TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could result in arbitrary code execution. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page.
Details of the vulnerabilities are as follows:
- Use-after-free in UI. (CVE-2019-13685)
- Use-after-free in error. (CVE-2019-13686)
- Use-after-free in media. (CVE-2019-13687)
- Use-after-free in media. (CVE-2019-13688)
Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser, obtain sensitive information, bypass security restrictions and perform unauthorized actions, or cause denial-of-service conditions.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply the stable channel update provided by Google to vulnerable systems immediately after appropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
- Apply the Principle of Least Privilege to all systems and services.
REFERENCES:
Google:
https://chromereleases.googleblog.com/2019/09/stable-channel-update-for-desktop_18.html
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13685
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13686
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13688