Issue 177: Vulnerabilities in Veeam product, RCE in Parse Server module, insecure API threat to mobile apps

This week, we have news of two critical vulnerabilities patched in the Veeam data backup solution, a remote code execution (RCE) vulnerability in the popular Parse Server API server module, views on how insecure APIs threaten mobile application security, and how attackers are increasingly focusing on APIs as the attack vector of choice.

Vulnerability: Two critical vulnerabilities in Veeam data backup solution

Veeam recently announced two critical vulnerabilities in their Backup and Replication product for backups of virtual environments. The vulnerabilities are tracked as CVE-2022-26500 and CVE-2022-26501, both with a CVSS score of 9.8, and could allow an attacker to remotely execute code. All versions of their product are affected but patches have already been released for versions 10 and 11. Users on version 9 are advised to upgrade to a supported version.

The Veeam product provides a remote access service on TCP port 9380 which unfortunately did not authenticate remote users. An attacker could use the remote access service to access internal APIs, including uploading and executing malicious code.

This is an all too familiar example of API2:2019 — Broken authentication — always ensure that all API endpoints enforce authentication, even if they are only exposed on internal interfaces.

 Vulnerability: Remote code execution vulnerability in Parse Server module

This week’s second vulnerability is also a remote code execution (RCE) vulnerability, this time in the popular Parse Server API server module for Node/Express applications. The vulnerability is tracked as CVE-2022-24760 and scores an (im)perfect 10 on the CVSS scale. All versions below 4.10.7 are impacted by this vulnerability, and users are advised to upgrade their package versions through the NPM package manager.

The vulnerability has its origins in a prototype pollution vulnerability that can allow RCE, cross-site scripting (XSS), and SQL injection attacks. In this case, the culprit was a function in the DatabaseController.js module and it affected MongoDB and PostgreSQL frameworks, although potentially any database backend could be impacted.

Article: How the rise in APIs is creating risk in mobile applications

We recently hosted a webinar on protecting mobile applications and their APIs, and this week we have views from Appdome on how APIs can expose mobile applications to risk.

Recent research within banking, fintech, and cryptocurrency exchanges discovered that the majority of applications used hardcoded API keys or tokens. Additionally, the backend APIs allowed researchers to change PIN codes and transfer funds between accounts. Even if a perfectly secure mobile application were to be developed, end users would still be vulnerable to attacks due to insecurities in the backend API — a chain is only as strong as the weakest link.

The author highlights three main reasons for increasingly insecure APIs:

  • Proliferation and decentralized management of APIs: The numbers of APIs are growing at ever-increasing speeds, whilst simultaneously they are being developed in an ad-hoc or decentralized manner outside of standard controls and protections.
  • Skill shortage for securing APIs: A proliferation of technologies and platforms poses an increased burden on technologists to maintain their skillsets.
  • General-purpose AppSec tooling is not sufficient to protect APIs: APIs require specialist security testing tools, traditional AppSec tooling is not up to the job of securing APIs.

The author concludes that the number one way to address API security is through automation driving DevSecOps, in particular:

  • Understand desired security outcomes: Jointly agree on the desired security posture of the product.
  • Shift security left: Developers must build API security in as early as possible in the API development cycle.
  • Automate security implementation: Automate much of the security process to remove manual dependencies.
  • Integrate into existing workflows: Take full advantage of automation, such as CI/CD systems.
  • Verify and validate desired security outcomes instantly: Automatically check security postures.

Article: Attackers increasingly focused on APIs as an attack vector

Finally this week, we have views on how APIs are becoming the preferred attack vector for adversaries. Recent research indicates that nearly 70% of transactions were API transactions: the more transactions, the more opportunities to take advantage of.

The author identifies three emerging categories of attack, namely:

  • Gift card fraud, loan fraud, and payment fraud
  • Commoditization of bots-as-a-service
  • Account takeover

The key takeaway for API builders: “Attackers aren’t slowing down any time soon, and it’s time businesses match that rate of innovation.”

Webinar: Final session in OWASP API Security Top 10 Challenges

This week, we have the final in the series of webinars with Dr. Philippe De Ryck, Web Security Expert with Pragmatic Web Security.

Join us on Thursday, 24 March at 11 AM (EST) / 4 PM (GMT), as Philippe discusses the remaining topic in the OWASP API Security Top 10.

This promises to be a very useful session for anyone tasked with API development, as Philippe once again brings his considerable expertise and experience to the audience.

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy