More stories


    HAProxy urges users to update after HTTP request smuggling vulnerability found

    Users of HAProxy 2.0 and earlier versions are being urged to push through updates after a vulnerability was found that could allow “an attacker to bypass the check for a duplicate HTTP Content-Length header, permitting a request smuggling attack or a response-splitting attack.”

    “Our analysis confirmed that the duplication is achieved by making use of the memory layout of HAProxy’s internal representation of an HTTP message to slip a select character from the header’s name to its value,” HAProxy explained in a blog. “Due to the difficulty in executing such an attack, the risk is low.”

    HAProxy provided a list of affected versions and fixed versions, along with a workaround for those who are not able to update right away.

    The vulnerability was announced earlier this week by researchers with JFrog, who released a report on the problem. JFrog researchers Ori Hollander and Or Peles wrote that CVE-2021-40346 is an integer overflow vulnerability that makes it possible to conduct an HTTP request smuggling attack, and that it has a CVSSv3 score of 8.6.

    “This attack allows an adversary to ‘smuggle’ HTTP requests to the backend server, without the proxy server being aware of it,” the researchers said, commending HAProxy CTO Willy Tarreau and their security team for “promptly and professionally handling this issue.”

    Tarreau released his own note on the issue, thanking JFrog for their work. “Quite honestly they’ve done an excellent job at spotting this one because it’s not every day that you manage to turn a single-bit overflow into an extra request, and figuring this required to dig deeply into the layers,” Tarreau said.

    Vulcan Cyber CEO Yaniv Bar-Dayan said the HAProxy load balancing software is “one of the most commonly used components of our digital age,” calling it “plumbing used to build the infrastructure behind the Web.” Bar-Dayan explained that it is distributed with Linux operating systems and by cloud service providers, and is used in production by some of the largest web services and applications in the world.

    “This vulnerability has the potential to have a wide-spread impact, but fortunately there are plenty of ways to mitigate risk posed by this HAProxy vulnerability, and many users most likely have already taken the necessary steps to protect themselves,” Bar-Dayan told ZDNet. “CVE-2021-40346 is mitigated if HAProxy has been updated to one of the latest four versions of the software. Like with most vulnerabilities, CVE-2021-40346 can’t be exploited without severe user negligence. The HAProxy team has been responsible in their handling of the bug. Most likely the institutional cloud and application services that use HAProxy in their stack have either applied upgrades or made the requisite configuration changes by now. Now it is up to all HAProxy users to run an effective vulnerability remediation program to protect their businesses from this very real threat.”

    Michael Isbitski, technical evangelist at Salt Security, added that HAProxy is a multi-purpose, software-based infrastructure component that can fulfill a number of networking functions, including load balancer, delivery controller, SSL/TLS termination, web server, proxy server and API mediator.

    “It’s a popular free open source choice along with F5 NGINX. HAProxy deployments are prominent in many organizational networks and the collective Internet,” Isbitski said. “Depending how a given HAProxy instance is deployed, potential risks include user session hijacking, authorization bypass, sensitive data exposure, unauthorized command execution and unauthorized data modification.”

    Other experts, like NTT Application Security vice president Setu Kulkarni, noted that HAProxy has over 500 million downloads from Docker Hub. For an adversary, targeting such widely used, open source critical components is a lucrative option, Kulkarni said. “With access to code, they can now pretty much run static application security tests to determine weaknesses and once they’ve found a potential vulnerability to exploit, they can execute large scale attacks. In the case of HAProxy, the key is to upgrade to the latest version of the software package where the vulnerability has been fixed — the burden of this task has to be shared equally by DevOps, SecOps and RunOps teams to ensure that the system continues to remain operational as a critical component as HAProxy is being upgraded,” Kulkarni said.


    Google Cloud product, engineering reorgs under Calder; Hölzle to focus on Google's technical infrastructure

    Google Cloud is reorganizing its technical management team as Brad Calder will take over product and engineering for the cloud unit and Urs Hölzle takes over technical infrastructure for Google overall. Hölzle had overseen parts of the day-to-day product engineering efforts for Google Cloud. The reorg, outlined internally by Google Cloud, comes as the company has scaled its revenue, focused on industry sales and landed large enterprise accounts under CEO Thomas Kurian.

    With the move, Calder becomes the leader of Google Cloud’s product and engineering teams. Calder’s official title will be vice president of engineering product for Google Cloud/Technical Infrastructure. Calder joined Google Cloud in 2015 and has been leading a large product and engineering org.

    Hölzle will remain senior vice president of technical infrastructure and Google Fellow. Hölzle will continue to collaborate and work closely with Kurian as well as Google CEO Sundar Pichai but will focus on long-term architecture and infrastructure across Google. Indeed, Hölzle will manage the technical infrastructure org responsible for global capacity delivery, unified fulfillment optimization, data center ops and construction, reliability, network infrastructure and cloud chief information security officer. In a nutshell, Calder will productize Google’s infrastructure via Google Cloud and Hölzle will focus on what’s next.

    Google Cloud confirmed the reorg, and a spokesperson said: “As Google Cloud grows, we regularly evaluate the best organizational structure to better scale our business and provide a world-class experience for our customers.”


    Moreton Bay Regional Council goes for satellite-connected smart water sensors

    Image: Optus
    Moreton Bay Regional Council has rolled out a number of IoT water tank sensors that remove the need to send staff to remote locations to check on water levels. The sensors are connected via low Earth orbit nanosatellites, and have been estimated to save the council around AU$20,000 each year. The council partnered with Optus Enterprise and Myriota on the deployment, with Optus parent company Singtel having a stake in Myriota.

    “As a council we have made great strides in implementing smart technologies, from our AI road scanning system on garbage trucks to pathway defect detection e-bikes, just to name a few,” Mayor Peter Flannery said. “These water tanks are critical in supplying water for toilets and other amenities at our region’s remote areas, which are used by many locals and tourists each year.”

    Further up the Queensland coast, Livingstone Shire Council said last year it was trialling smart lights to help confused turtle hatchlings. Due to the street lighting around the area, sometimes when the hatchlings leave their eggs, they can become disorientated, fail to find the horizon, and stray from the path they should be taking into the ocean. Even after they reach the sea, the hatchlings can sometimes be lured back by the lights.

    The lights are connected to a LoRaWAN network provided by NNNCo, which was deployed to the shire in 2019.

    On Thursday, Optus launched a feature in its My Optus app dubbed Sidekick that allows customers to ask contacts to check in with them. “Many of us can identify with that feeling of wanting someone to check in with us in a little while to make sure we are okay, even if we can’t exactly pinpoint why we feel that way. It may feel awkward to ask someone for that extra assurance,” Optus director of digital AI Kate Brodie said. “Optus Sidekick can help you prearrange a time when Optus will let the people you care about know you want them to check in on you, and only gets in touch if that time arises. We have also discovered that it’s not just women who may want to use Optus Sidekick, but also kids walking home from school, people out for a late-night walk, and even an elderly neighbour who walks to the store alone.”

    A beta of the feature is being run on iOS.


    Atlassian CISO: 'There will always be some number of instances of software on the internet that are out of date and being exploited'

    Atlassian CISO Adrian Ludwig spoke to ZDNet this week to discuss the Atlassian Confluence vulnerability — CVE-2021-26084 — and defend the company’s response to the problem.

    Ludwig said the vulnerability was initially reported through Atlassian’s bug bounty program on June 30th by Benny Jacob and that their security team quickly realized it was a critical issue. The patch was available by August 15 and security bulletins were sent out on August 25. They also submitted the vulnerability and patch to NIST and other government organizations so that it could be disseminated further. The information was sent out to Atlassian’s channel partners and account managers so that emails to customers could be sent out.

    Atlassian has its own test instances of Confluence and began seeing evidence of automated exploitation around September 1. Ludwig said it was bots probing the services and attempting to exploit them using the vulnerability.

    “As part of our normal process evaluating a vulnerability, we go back through the logs of our environment and our infrastructure and look to see whether there’s any historic exploitation. In this instance, we did not see any exploitation prior to our security advisory going out, but we did see it starting about September 1st,” Ludwig explained. “On September 3, having confirmed that, and also, having heard that there were plenty of folks that have not yet patched, we put out an update to our advisory saying that we have seen evidence of active exploitation and also encouraging people to patch.”

    Ludwig said Atlassian sent a second notification to customers after security companies and government agencies, like US Cybercom, began to send out notices about the problem.

    Despite Atlassian’s efforts, thousands of organizations were still vulnerable to the issue. Security company Censys found that the number of vulnerable Confluence instances was more than 8,500 as of September 5. Jenkins, a leading open source automation server, announced on Saturday that its deprecated Confluence service was successfully attacked through the Confluence exploit.

    As of Wednesday evening, security company GreyNoise found that hundreds of organizations were still being targeted through the vulnerability despite the notices and news coverage of the problem. GreyNoise CEO Andrew Morris said there was a big uptick on Wednesday in Atlassian Confluence attacks, with “over a hundred devices opportunistically exploiting the vuln and counting. If you haven’t patched, you’re owned.”

    Morris told ZDNet that GreyNoise runs a large network of collector sensors in hundreds of data centers around the globe and saw the first opportunistic exploitation occur at 4:45 pm on August 31st.

    “We’ve seen it ramp up quite a bit in the last few days. And now, just today alone, we’ve seen over a hundred devices opportunistically attempting to exploit this vulnerability out on the internet,” Morris said, putting the number at 144. “All that means is that if Atlassian Confluence customers have not patched in the last week, it’s still extremely important for them to do so, but what’s even more important than that is probably calling an incident response team or network hunt team because there’s a really good chance — I would say like, 99.999% — that any Confluence customers that have not patched in the last week have probably been compromised.”

    Bad Packets reported that CVE-2021-26084 exploit activity was being detected from hosts based in Russia targeting their Atlassian Confluence honeypots. They previously said they “detected mass scanning and exploited activity from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the US targeting Atlassian Confluence servers vulnerable to remote code execution.”

    Of the instances in Atlassian’s environment, Ludwig said all of the attacks have been automated and all of them have been cryptomining. Morris noted that it is hard to tell who exactly is exploiting the vulnerability because many times threat actors commoditize access, exploiting new vulnerabilities and then selling access to the system to other actors.

    “They could be some combination of APTs, criminal groups, financially motivated groups, government state actors, or even people that are trying to build up their botnet quite a bit. So it’s not altogether clear,” he said. “But usually when things like this happen, at least some amount of the bad guys are directly financially motivated and usually the quickest path to monetization is using cryptojacking. In this case, I don’t have any evidence to suggest what the bad guys are doing once they compromised these devices.”

    The problem with updates

    Ludwig told ZDNet that the vulnerability is a “classic challenge that on-premise software has had to deal with forever.”

    “I remember 20 years ago, when I was at Adobe, we made a decision that we were going to start doing monthly security bulletins because that was a way to drive more consistency in terms of getting updates out there,” Ludwig said. “But even that level of consistency is just not sufficient to get people to patch on a regular basis. We’re fortunate that the Atlassian products don’t have, frankly, a lot of security advisories that go out. It can be months, if not a year, between when these go out. They’re relatively uncommon, but that also makes it a little bit more challenging to make sure that people are updating quickly because they’re not in practice the same way they might be for some of their other enterprise products.”

    He added that those who have internet facing services and are not able to update in 24-48 hours should consider moving to the cloud. “You really need to consider getting to a point where your security is not dependent on the process that just doesn’t conform with modern expectations for how quickly you need to update. Right now, I don’t think we’re ever architecturally going to fix the fact that it’s hard to push out a software update, notify everybody, have them take action and do that faster than exploitation starts to happen,” Ludwig explained.

    Ludwig said Atlassian does not know how many organizations have not updated their systems or which ones may have run a script that they provided as part of the advisory process for customers that did not want to update. Ludwig said he personally checked with customer support this week and noted that they are getting comments and questions as some run into issues updating their software. “In general, the volume of that has been lower than we’ve seen for previous security instances. So it seems like things are going pretty well,” Ludwig said. “For those who are attempting to do the update, it seems to be working. And the script also provides an easy way for people to make sure their environment is protected.”

    Ludwig added that they followed up with some customers on Friday and have provided Atlassian field teams with additional information. He told ZDNet it was difficult to know how many customers had been affected, how many customers are still not in a safe place and how many customers are “not in a safe place because they’ve made a conscious decision.”

    “We will follow up when we can, but my expectation is that there will always be some number of instances of software on the internet that’s out of date and that’s being exploited,” Ludwig explained. “Ultimately, we want to do everything that we can to make sure customers get patched or apply the scripts that they need to as quickly as possible.”

    A number of IT experts defended Atlassian’s response, saying it is typically difficult to get customers to update software, particularly during and after holiday weekends. David McNeely, CTO at ThycoticCentrify, said it was particularly difficult given that it simply takes time and in many cases requires change control approvals and subsequent downtime to manually perform updates or patching.

    Morris of GreyNoise similarly defended Atlassian’s response, noting that this kind of thing happens “pretty regularly.”

    “I think that when something like this happens, it’s really easy to rush and want to pile on to Atlassian for doing the wrong thing or making their customers vulnerable. They are responsible, I’m not absolving them of responsibility. But this happens to pretty much every software company on the planet,” Morris said. “From time to time, a vulnerability is disclosed, a patch is released and then there’s a period of time where the vendor wants you to patch as soon as humanly possible. But they can’t make you do it.”

    This situation is particularly bad because of how many organizations are affected and because the timing — Labor Day weekend — was tough, Morris added. “It was kind of a perfect storm because Confluence runs on the internet, which means that it has to be resilient to attackers that would come in from anywhere on the entire Internet. It’s not like it’s buried deep inside someone’s network, where it would be a little bit safer by default,” Morris added. “If this is running in your environment, I would really, really strongly recommend patching and calling an incident response team.”


    Microsoft grows Azure Space Australia with Nokia, SA govt and University of Adelaide

    Image: Microsoft
    Microsoft has announced plans to cement Azure Space as a key player in the growing Australian space market through new partnerships with Nokia, the University of Adelaide’s Australian Institute for Machine Learning (AIML), and the South Australian government.

    Microsoft launched its Azure Space initiative last October. Azure Space was developed by the tech giant to position Azure in the space and satellite-related connectivity and compute part of the cloud market. Azure Space Australia’s operations are based in Adelaide’s Lot Fourteen, and the unit is headed up by former US Air Force colonel Lynn McDonald.

    On Thursday, the tech giant said it inked an agreement with Nokia and the South Australian government to build communications, connectivity, and advanced data processing solutions featuring satellite imagery, AI analytics, and 5G-based technology that could be used for various applications such as rail safety, mine automation, defence, and public sector use cases. Microsoft’s Azure cloud, Azure Edge, Azure Orbital, and emerging Azure Space, AI, and machine learning technologies, plus Nokia’s 5G Digital Automation Cloud platform, will be leveraged to build these capabilities, Microsoft said. Nokia also plans to expand its Adelaide-based 5G services so it can co-develop these use cases with the Azure Space team.

    “We are delighted about this agreement with the South Australian government and the opportunity to work with Nokia as we bring together interdisciplinary experts to develop, test, and deploy new technologies and strategies that respond to some of the biggest challenges facing organisations today,” McDonald said.

    “This important collaboration with Nokia will allow Australian organisations in multiple sectors to take a giant leap forward into a new era of communications and cloud computing, making the most of space data and technology and catapulting them to the very forefront of digital innovation.”

    Additionally, Microsoft has signed a memorandum of understanding with AIML to jointly explore how advanced cloud computing, AI, computer vision, and machine learning can be applied in space. Dubbed Project AI Off Earth, the pair will conduct modelling, emulation, and simulation of complex space operations and systems; build algorithms for on-board satellite data processing; develop solutions for the remote operation and optimisation of satellites, constellations, and swarms; and address space domain awareness and debris monitoring.

    “Although focused on in-space technologies, Project AI Off Earth will explore how space-related technologies and data, and cognitive systems can be used to support automation of multiple different industries, help establish smart cities, as well as address sustainability and important environment challenges,” Microsoft Australia Azure Space engineer Nicholas Moretti said.

    These latest announcements follow the launch of a Microsoft for Space Startups Australia Program in July. The new program was designed to support space startups, give them access to Azure credits, and provide a range of Microsoft technologies, technical specialists, and mentors. Office of Planetary Observations and Spiral Blue were named as the first startups to join the initiative.


    NBN open to creating prepaid plans with telcos

    National Broadband Network CEO Stephen Rue told an Australian Communications Consumer Action Network (ACCAN) conference on Wednesday that the broadband wholesaler is open to the idea of consumers being able to purchase a prepaid NBN plan. “We sell our services through retailers, and we’d be very happy to work with retailers to the extent that they want to bring in prepaid products that services a portion of the community and we’d be very happy to work with them,” he said. “We ourselves, we don’t sell directly to consumers.”

    NBN is currently involved in a Special Access Undertaking consultation that has seen the wholesaler float three possible future pricing options. On the options put forward by NBN, ACCAN said the halfway house model that removes CVC on plans of 100Mbps and quicker was the least worst choice, followed by the reworking of its current pricing structure, and finally the flat priced model that removes CVC altogether.

    At the time in August, ACCAN called on NBN to introduce its low-income product before current pricing discussions were completed due to New South Wales being in lockdown. “NBN Co has been consulting on a low-income product for vulnerable households since 2019, and we were led to believe that this much needed product would finally come to market this year. We’re still waiting,” ACCAN CEO Teresa Corbin said.

    “People need connectivity now; they can’t afford to wait for months and months until the regulatory process is over.” ACCAN said in its submission that the entry-level plan should be the 25Mbps plan, not the current 12Mbps.

    On Wednesday, Corbin confirmed the prepaid option was raised in conversations around NBN pricing. “We’ve had on the table on offer to work with industry around a low-income product or the sort of new product … with the prepaid,” Rue said. “It’s an ongoing discussion.”


    Aussie Broadband to raise AU$114 million for M&A action

    Image: Aussie Broadband
    Aussie Broadband announced on Wednesday it would raise AU$114 million via an institutional placement. Making good on its statement in its recent results that the company expected to make one acquisition in the first half of FY22, the company said the money would be used to “support growth by M&A, new business product and technology development, and/or further fibre and network build.”

    “We are very encouraged by the strong level of support from new and existing institutional, sophisticated, and professional investors. We greatly appreciate the backing of existing shareholders who participated in the placement and welcome new shareholders that have joined the register as part of the equity raise,” Aussie Broadband managing director Phillip Britt said. “There are promising opportunities to execute transformational acquisitions in the business segment that will complement and improve Aussie Broadband’s position in the market.”

    The announcement follows the company appointing a head of mergers and acquisitions in April. In its full-year results, the telco reported revenue increased 84% to AU$350 million, and earnings before interest, tax, depreciation, and amortisation prior to AU$1.5 million in IPO expenses jumped five-fold to AU$19 million. In the fourth quarter alone, the company reported revenue of AU$100 million.

    Aussie Broadband said when handing down its results that, due to ongoing lockdowns around the country and the impact on NBN CVC expense, it would not be providing guidance.

    In the recent ACCC NBN speed report, Aussie Broadband saw its error rate blow out, doubling its 0.18 daily outage rate to 0.36. This increase occurred as every other telco tested saw a dropping error rate. Responding to the numbers, Britt said the company “keeps an eagle eye on network usage” and upgrades the network if it sees peaks beyond its normal range.

    “The ACCC’s report here covers data over a 24-hour period. That means it includes things like scheduled outages, CVC upgrades, and fibre upgrades. Typically, planned outages take place between midnight and 6am. This is to minimise the impact to end users because most people don’t use the internet at that time,” Britt told ZDNet. “One of the reasons why we do this is simply to move customers from one CVC and put them onto another one, so the current CVC doesn’t get overloaded.

    “We also think it’s important to look at outages that last for longer than 60 seconds because these are more likely to have an impact on end user experience. From the ACCC’s report, we’re relatively low compared to other telcos in this area.”

    Earlier in the week, Aussie Broadband announced it entered into a decade-long deal with VicTrack to access each other’s fibre network. The swap will give Aussie Broadband the ability to roll out its 100G business fibre services to Traralgon, Morwell, Warragul, Pakenham, Geelong, Ballarat, Bendigo, and Warrnambool, as well as additional redundancy in metro areas. The telco will also build access for VicTrack to a number of NBN points of interconnect for a cost of AU$1.4 million. Thanks to the deal, Aussie Broadband said the capital expenditure previously allocated for Victoria could now be shifted to other states.


    SoftBank acquires minor stake in Deutsche Telekom in new 'long-term partnership'

    SoftBank announced on Tuesday it has gained a 4.5% equity stake in Deutsche Telekom as part of a new long-term partnership. The partnership will see both telcos enter into an equity share agreement, which will entail Deutsche Telekom acquiring around 45 million T-Mobile US shares from SoftBank in exchange for issuing 225 million new Deutsche Telekom shares to SoftBank. In a subsequent step, Deutsche Telekom will also exercise call options to acquire an additional 20 million T-Mobile US shares from SoftBank by re-investing $2.4 billion of expected disposal proceeds from the announced sale of T-Mobile Netherlands. Deutsche Telekom is the parent company of T-Mobile US.

    As a result of these transactions, SoftBank will become a 4.5% shareholder in Deutsche Telekom while its equity stake in T-Mobile US will drop to 3.3%. The deal will also see SoftBank become the second largest private shareholder of Deutsche Telekom. According to SoftBank, the Japanese conglomerate’s 300 portfolio companies will gain access to approximately 240 million new customers across Europe and the US.

    “The transaction diversifies our telecoms exposure and results in SoftBank becoming DT’s second largest private shareholder, while retaining meaningful exposure to high-growth TMUS,” SoftBank COO Marcelo Claure said.

    The move follows SoftBank last year selling around two-thirds of its T-Mobile US shares to Deutsche Telekom. Last year’s deal was split into two parts: the first being SoftBank Group selling over 198 million of its T-Mobile US shares to T-Mobile US itself, while the second was an option to buy an additional 100 million T-Mobile US shares. At the time of the sale, SoftBank had only owned a stake in T-Mobile for two months after the telco merged with the then-SoftBank owned Sprint.

    Last month, SoftBank Group reported a 39% year-on-year dip for its first-quarter results, posting ¥761.5 billion in net income. This was despite the company posting almost ¥1.48 trillion in net sales for the quarter, which was 15.6% more when compared to the same period last year.