23.3.14 Release Notes

🚧

Important Changes to Review

Changes to Paths for Hosted Customers
As of Release 23.3.7, accessing static data via /divvy/ will no longer work. In cases like this, you will need to use /static/ instead which should function identically. The most common examples or usage of these paths is in the Logo URL of custom packs that reference cloud provider images and in some Plugins.
[ENG-20367]

Updates to Endpoint Handling
InsightCloudSec’s 23.2.28 release included updates to our internal webserver library, Flask. As a result, some of our endpoint handling has changed in the following ways:

• Any requests submitting JSON to an endpoint must explicitly include the Content-Type: application/json header (e.g. for POST requests).
• Any requests POSTing empty bodies may fail with a 500 error as empty bodies for endpoints that expect one aren’t valid JSON.
• Plugins that declare custom endpoints will also be affected by the above changes.

For more information about the above changes, refer to the details linked here.
[ENG-23896]

InsightCloudSec Software Release Notice - 23.3.14 Release

Release Highlights (23.3.14)

InsightCloudSec is pleased to announce Release 23.3.14. This release includes updates to our Least-Privileged Access(LPA) capability to include GCP. In addition, 23.3.14 includes 17 new Insights, one in support of Azure and 16 in support of Kubernetes Guardrails. We have also updated one Query Filter, added two new Query Filters, added two new Bot actions, and provided 14 bug fixes.

• Contact us through the unified Customer Support Portal with any questions.

📘

Self-Hosted Deployment Updates (23.3.14)

Release availability for self-hosted customers is Thursday, March 16, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Our latest Terraform template (static files and modules) can be found here: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip

Modules can be updated with the terraform get -update command.

Features & Enhancements (23.3.14)

GCP Least-Privileged Access (LPA)

23.3.14 includes the expansion of our Least-Privileged Access (LPA) feature to GCP. In InsightCloudSec, the LPA feature collects and presents the actions executed by a given user or role within a given time period. These logged actions are collected and analyzed to provide administrators the ability to review access patterns over a 90 day period to determine what someone uses regularly versus what permissions are unused and therefore likely not required for that person.

Check out our GCP LPA Documentation for more information.
[ENG-21528]

Other Features & Enhancements

• Updated the resource CSV export for private images, snapshots, and SSM documents to include the trusted account listing. [ENG-23563]

• Added previous_days to the permission API, If start and end aren't provided then previous_day is used to calculate these values. If all 3 aren't provided then previous_days defaults to 90 days. [ENG-23874]

• Added "Resource Tag" as an available advanced filter within Host Vulnerability Management. [ENG-24371]

• We have added two AWS RDS properties to the UI, AutoMinorUpgrades and PerformanceInsightsEnabled. [ENG-24405]

Insights (23.3.14)

AZURE

• Storage Account with File Share Soft Delete Disabled (Azure) - New Insight identifies Azure Storage Accounts that have File Share Soft Delete Disabled. Uses new Query Filter Storage Account with File Share Soft Delete Enabled/Disabled. [ENG-20492]

KUBERNETES

• Researched and added CVE-2022-0492 (no CVSS Score yet) to K8s Guardrails. CVE-2022-0492: Privilege escalation vulnerability causing container escape.

  • Kubernetes: CVE-2022-0492: Privilege escalation vulnerability causing container escape - Attackers can exploit the vulnerability to escalate their privileges on vulnerable hosts and bypass namespace isolation. In specific conditions, the vulnerability can cause privilege escalation and container escapes. The current K8s clusters that are supported for this insight are GKE, EKS and AKS. [ENG-14873]

• The following new ISTIO-SECURITY-2022-004 Insights have been added to Guardrails [ENG-14950]:

  • ISTIO: CVE-2022-24726 (CVSS 7.5) - Unauthenticated control plane denial of service attack due to stack exhaustion. The Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted or oversized message, to crash the control plane process. This can be exploited when the Kubernetes validating or mutating webhook service is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from an attacker.

  • ISTIO: CVE-2022-24921 (CVSS 7.5) - Regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.

  • ISTIO: CVE-2022-21657 (CVSS 3.1) - Envoy does not restrict the set of certificates it accepts from the peer, either as a TLS client or a TLS server, to only those certificates that contain the necessary extendedKeyUsage (id-kp-serverAuth and id-kp-clientAuth, respectively). This means that a peer may present an e-mail certificate (e.g. id-kp-emailProtection), either as a leaf certificate or as a CA in the chain, and it will be accepted for TLS.

  • ISTIO: CVE-2022-21656 (CVSS 3.1) - A certificate authentication bypass allows malformed certificates issued by a malicious CA to be accepted as valid for a host. This may allow for monster-in-the-middle attacks.

• The following ISTIO-SECURITY-2022-003 Insights have been added to Guardrails [ENG-14574]:

  • ISTIO: CVE-2022-23635 (CVSS 7.5) - Unauthenticated control plane denial of service attack. The Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing. This endpoint is served over TLS port 15012, but does not require any authentication from the attacker.

  • ISTIO: CVE-2021-43824 (CVSS 6.5) - Potential null pointer dereference when using JWT filter safe_regex match.

  • ISTIO: CVE-2021-43825 (CVSS 6.1) - Use-after-free when response filters increase response data, and increased data exceeds downstream buffer limits. Sending a locally generated response must stop further processing of request or response data. Envoy tracks the amount of buffered request and response data and aborts the request if the amount of buffered data is over the limit by sending 413 or 500 responses. However when the buffer overflows while response is processed by the filter chain the operation may not be aborted correctly and result in accessing a freed memory block.

  • ISTIO: CVE-2021-43826 (CVSS 6.1) - Use-after-free when tunneling TCP over HTTP, if downstream disconnects during upstream connection establishment.

  • ISTIO: CVE-2022-21654 (CVSS 7.3) - Incorrect configuration handling allows mTLS session re-use without re-validation after validation settings have changed.

  • ISTIO: CVE-2022-21655 (CVSS 7.5) - Incorrect handling of internal redirects to routes with a direct response entry.

  • ISTIO: CVE-2022-23606 (CVSS 4.4) - Stack exhaustion when a cluster is deleted via Cluster Discovery Service. When a cluster is deleted via Cluster Discovery Service (CDS) all idle connections established to endpoints in that cluster are disconnected. A recursion was introduced in the procedure of disconnecting idle connections that can lead to stack exhaustion and abnormal process termination when a cluster has a large number of idle connections.

• Added new Insight Kubernetes: CVE-2022-3294: Node address isn't always verified when proxying - A security issue was discovered in Kubernetes where users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send requests proxying through them. [ENG-21276]

  • Added check for CVE-2022-3162: Unauthorized read of Custom Resources Medium (6.5). Added new Insight Kubernetes: CVE-2022-3162: Unauthorized read of Custom Resources - A security issue was discovered in Kubernetes where users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group they are not authorized to read. [ENG-21229]

  • Added CVE to Advisor: CVE-2021-25749 CVSS Rating: Low (3.4). Added new Insight Kubernetes: CVE-2021-25749: runAsNonRoot logic bypass for Windows containers - A security issue was discovered in Kubernetes that could allow Windows workloads to run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true. [ENG-19668]

  • Added CVE to K8s Advisor: CVE-2022-3172 CVSS Rating: Medium (5.1). Added new Insight Kubernetes: CVE-2022-3172: Aggregated API server can cause clients to be redirected (SSRF) - A security issue was discovered in kube-apiserver that could allow an attacker-controlled aggregated API server to redirect client traffic to any URL. This could lead to the client performing unexpected actions as well as leaking the client's credentials to third parties. [ENG-19667]

Query Filters (23.3.14)

AZURE

• Public IP Address With/Without Address - New Query Filter surfaces Azure ephemeral IPs that do not have an assigned public IP address. [ENG-14808]

• Storage Account with File Share Soft Delete Enabled/Disabled - New Query Filter identifies Identify Storage Accounts which have Soft Delete Enabled/Disabled. [ENG-20492]

MULTI-CLOUD/OTHER

• Access List In Use - Modified Query Filter to add a new option Running Instances Only to only evaluate Access Lists connected to Instances that are in a running/available state or their Network Interfaces.

  • Further, we have refined how this Query Filter evaluates Network Interfaces when selecting the "Resource Type = Instance" or "Using Public Subnet" option. This change may reduce the number of Access Lists shown in use when selecting "Resource Type = Instance" when not selecting Network Interfaces and may increase the number of Access Lists shown in use when selecting "Using Public Subnet".
    [ENG-24162]

• Database Instance Minimal TLS Version - Query Filter updated to optionally exclude database instances using NNE from results as NNE encryption does not have a TLS version to check. [ENG-23498]

Bot Actions (23.3.14)

AWS

• We have added a BotFactory action “Enable Storage Container Transit Encryption” - New Bot action enforces transit encryption for AWS S3 buckets by updating their bucket policies – either by adding a statement, updating a statement, or adding a policy. [ENG-14863]

MULTI-CLOUD/OTHER

• We have added the ability to schedule the BotFactory action “Modify Volume”. Scheduling the action allows for delays, but also enables event tracking to monitor the success or failure of the event. [ENG-24536
• “Disable User API Keys” - New Bot action allows action solely on the API Access Keys. The existing BotFactory action “Disable User” can also disable API Access Keys, but it disables the user's console login as well. [ENG-24171]

Bug Fixes (23.3.14)

• Fixed a bug with permission definitions on AWS accounts that was causing a parsing issue when scanning for cloud visibility. [ENG-24652]

• Fixed a bug that prevented RDS maintenance windows from being harvested and displayed in the UI. [ENG-24488]

• Fixed performance issue involving HVA table requesting data multiple times on load. [ENG-24468]

• Fixed a bug where GCP principals did not have custom policies attached. [ENG-24460]

• Fixed a bug in the UI where Bot scopes were not properly reflected when multiple exclusion badges were used. [ENG-24404]

• Updated the permissions check for AWS Govcloud to look for correct permission "dms:DescribeEndpoints", not "dms:DescribeReplicationEndpoints". Of note, the online AWS Govcloud read-only policy has the correct permission, so no functionality was affected. [ENG-24380]

• Added missing Event Grid Subscription read permissions to Azure Roles. [ENG-24374]

• Fixed user enumeration security bug in password reset workflow. [ENG-24206]

• Fixed a bug that prevented harvesting of AWS CloudWatch rules not associated with the default eventbus. [ENG-24126]

• Resolved an issue with StoredParameterHarvester where it was required to have the ssm:GetParameter property. [ENG-24116]

• Fixed an issue that prevented AWS GovCloud Application Load Balancers from being surfaced correctly as having SSL listeners configured affecting the Insight and Query Filter Load Balancer Without SSL Listener. [ENG-24112]

• Added the Minimum TLS Version property for AWS RDS with Oracle engines based upon their option group setting. We also track the use of Native Network Encryption (NNE) and have updated the Query Filter Database Instance Minimal TLS Version to optionally exclude database instances using NNE from results as NNE encryption does not have a TLS version to check. [ENG-23498]

• Fixed an issue with Query Filter Load Balancer With/Without Cloud Armor Policy (GCP) giving false positives; "waf_type" is now stored for WAFs harvested from GCP. [ENG-23410]

• Addressed an issue affecting sorting resources by Account ID on the Host Vulnerability Management page. [ENG-22261]

Reference: Required Policies & Permissions

📘

Policies required for individual CSPs are as follows:

Alibaba Cloud

• Read Only Policy

AWS

• Commercial
  • Managed Read Only Supplement Policy
  • Customer-Managed Read Only Policy
    • Part 1
    • Part 2
    • Part 3
  • Commercial Power User Policy
• GovCloud
  • Read Only Policy
    • Part 1
    • Part 2
  • Power User Policy
• China Read Only Supplement

Azure

• Commercial
  • Custom Reader User Role
  • Power User Role
  • Reader Plus User Role
• GovCloud
  • Custom Reader User Role
  • Power User Role

GCP

• For GCP, since permissions are tied to APIs there is no policy file to maintain. Refer to our list of Recommended
  APIs that is maintained as part of our GCP coverage.

Oracle Cloud Infrastructure

• Power User Policy
• Read Only Policy

Host Vulnerability Management

• Host VM User Policy

For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.