Tag: post mortem

Kaseya Says Yes

I just read the truesec analysis of the Kaseya VSA 0-day that hit the news earlier in the month. I love reading articles like this, but this one in particular I had to highlight.

The authentication… “bypass”… utilised as a first step: D’oh! How did something like that even get into production? The linked article has more details but essentially, if all authentication checks fail (when querying this particular file, not generally) instead of saying “Nope, you are not authenticated!” they instead say “Oh, you don’t supply a password that we can verify? Ok, let’s give you authenticated status anyway👍”.

Logic failures like this generally don’t happen in the ideal world because they’re blindingly obvious, so allow me to speculate for the rest of this paragraph. I can only assume that a developer temporarily set this up to diagnose a bug or test a feature and simply forgot to flip it back to “fail by default”. This is why peer review is important, though the rush to get things out to production works against this. It’s too easy to miss this kind of thing in the modern world. It shouldn’t be, but it is. There should be no blame here on any individual – I suspect a process/procedure needs to be looked at, or a team needs to be better resourced.

The Misconfigured Switch

I love reading technical post mortems from big-name organisations or experts in their respective fields. If you’re interested in reading some, here’s a list. They’re fantastic insights into some very complex and highly technical issues.

I investigated an odd issue recently involving a misconfigured switch which caused some very abnormal symptoms. I don’t think this qualifies as a legit post mortem article as I don’t have the niche expertise in any particular field to produce one, neither do I have in-depth knowledge of the network within which the issue occurred, but it’s about as close as I’ll be able to get to one at this time.

Here’s what happened.

(more…)