BigID Security Bulletins
Last Updated: 11/25/2024

Critical Vulnerability Identification – Orch2

On November 21, 2024, the BigID Product Security Incident Response Team (PSIRT) was alerted by a BigID employee to the inadvertent logging of vault application secrets to the orchestrator service logs. The issue is isolated to customers who use AWS Secrets Manager, HashiCorp, and BeyondTrust vaults. BigID has already engaged impacted customers based on the unique attributes of their deployment and provided guidance and mitigations. In addition, patches have already been deployed for cloud customers and published for on-prem customers to download. Orchestrator service logs are available under the Advanced Tools section of the platform, and in any other log storage system to which customers forward their logs. Customers that do not use AWS Secrets Manager, HashiCorp, or BeyondTrust vaults are not impacted.


Attacking UNIX Systems via CUPS

On September 26th, an attack path affecting the CUPS packages was publicly disclosed and gained some interest in the security community.

After a thorough investigation into the vulnerability write-up, it’s clear that the BigID product and Cloud are not affected.

Investigation details

BigID has concluded that CUPS libraries are installed in the following services:

  • bigid-metadata-search
  • bigid-corr-new
  • bigid-catalog-processor
  • bigid-lineage
  • bigid-reports
  • bigid-config-service
  • bigid-snippet-persister

Of the four registered CVEs, CVE-2024-47175 will be flagged in the services listed above.

However, according to Red Hat, the base image provider of these services:

“RHCOS and RHEL include libs-cups as a build-time dependency. However, the vulnerability is not exploitable with just the client libraries unless a print server based on OpenPrinting is actively running.

RHEL and RHCOS do not have cups-browsed enabled by default, so the impact for those is set to ‘Low’.”

Since BigID does not make use of any printer related functionality and does not change the default configuration, there is no impact of this CVE on the BigID product. Furthermore, the BigID Cloud does not expose the affected UDP port, completely mitigating the WAN attack vector described in the write-up.
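The Red Hat statement quoted above ties exploitability to two runtime conditions: a cups-browsed process must actually be running, and its UDP listener must be reachable. The script below is an added example (not BigID's or Red Hat's tooling) that checks both conditions on the host or container it runs in. It assumes a Linux /proc filesystem and that cups-browsed listens on UDP 631, which is the port cups-browsed uses (the bulletin itself does not name the port). Both checks read /proc directly, so they work in minimal images without pgrep or ss, and each accepts an optional path so it can be pointed at a constructed snapshot, as the demo at the bottom does.

```shell
#!/bin/sh
# Added example, not BigID's own tooling. Checks the two conditions the quoted
# Red Hat note makes exploitability depend on:
#   1. is a cups-browsed process running?
#   2. is anything bound to UDP 631 (the port cups-browsed listens on)?

# process_running NAME [PROCDIR]: exit 0 if some PROCDIR/<pid>/comm equals NAME
process_running() {
  name=$1
  procdir=${2:-/proc}
  for comm in "$procdir"/[0-9]*/comm; do
    [ -r "$comm" ] || continue
    if [ "$(cat "$comm" 2>/dev/null)" = "$name" ]; then
      return 0
    fi
  done
  return 1
}

# udp_listener_on_port PORT [FILE]: exit 0 if FILE (default /proc/net/udp)
# lists a socket bound to PORT. The local_address column is hexIP:hexPORT.
udp_listener_on_port() {
  port_hex=$(printf '%04X' "$1")
  file=${2:-/proc/net/udp}
  [ -r "$file" ] || return 1
  awk -v want="$port_hex" '
    NR > 1 {
      split($2, a, ":")
      if (toupper(a[2]) == want) { found = 1 }
    }
    END { exit found ? 0 : 1 }' "$file"
}

# cups_exposure_status [PROCDIR] [UDPFILE]: prints one of
#   exposed - cups-browsed running AND UDP 631 bound
#   partial - only one of the two conditions holds
#   low     - neither holds (client libraries only, the case Red Hat rates Low)
cups_exposure_status() {
  procdir=${1:-/proc}
  udpfile=${2:-/proc/net/udp}
  running=0
  bound=0
  process_running cups-browsed "$procdir" && running=1
  udp_listener_on_port 631 "$udpfile" && bound=1
  if [ "$running" -eq 1 ] && [ "$bound" -eq 1 ]; then
    echo exposed
  elif [ "$running" -eq 1 ] || [ "$bound" -eq 1 ]; then
    echo partial
  else
    echo low
  fi
}

# Demo against a constructed snapshot (not real data): a fake /proc with one
# cups-browsed process and a /proc/net/udp listing a socket on 0.0.0.0:631.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/proc/42"
printf 'cups-browsed\n' > "$demo_dir/proc/42/comm"
cat > "$demo_dir/udp" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
EOF
echo "constructed snapshot: $(cups_exposure_status "$demo_dir/proc" "$demo_dir/udp")"
echo "this host:            $(cups_exposure_status)"
rm -rf "$demo_dir"
```

Run it inside each container image that carries the CUPS libraries; a result of `low` on every one of them reproduces the reasoning in the bulletin, while `exposed` or `partial` means the image deviates from the default configuration and deserves a closer look.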


Microsoft and Crowdstrike Outages

Vulnerability details

On Friday, July 19, 2024, two unrelated outages were reported, both impacting Microsoft services. BigID experienced minimal impact to our services and business operations.

The first outage, impacting Azure, stemmed from a configuration change in a portion of Azure’s backend workloads. This caused an interruption between storage and compute resources resulting in connectivity failures that affected downstream Microsoft 365 services. Services are slowly restoring and updates can be found at https://status.cloud.microsoft/. As a result of the outage, there was some interruption of the availability of https://docs.bigid.com/, but it is back online and operating as expected. The remaining BigID services, end-devices, and reliance on partners are unaffected.

The second outage is related to CrowdStrike Falcon Sensor hosts displaying the Blue Screen of Death (BSOD) after installing the latest sensor update. The issue has been identified and isolated, and a fix has been deployed to CrowdStrike’s customer base. BigID does not use CrowdStrike products in our business operations and is therefore not impacted.

Snowflake

Vulnerability details

On Friday, May 31, 2024, Hudson Rock researchers reported a hacker claim of breaching Snowflake, affecting several organizations. Snowflake promptly investigated these reports and found no evidence of any compromise within their environment. They notified any potentially affected customers. BigID has followed Snowflake’s recommended actions and investigated the provided indicators of compromise (IoCs). Our proactive security measures and controls around our Snowflake account ensured that we remain unaffected by this incident.

XZ Utils Security Notice

Vulnerability details

On Friday, March 29, 2024, security researchers discovered a malicious backdoor embedded within the compression utility XZ. This utility is widely used in Linux distributions, including those from Red Hat and Debian, and the issue is being tracked as CVE-2024-3094. The known malicious code was found in versions 5.6.0 and 5.6.1, and consumers have been notified to downgrade to version 5.4.6 immediately. BigID has completed our security investigation process and can confirm that we are not impacted by CVE-2024-3094.

MongoDB Security Notice

Vulnerability details

On December 16th, MongoDB publicly announced that they had suffered a security incident across their corporate systems, discovered on December 13th, 2023. This is still a developing story from MongoDB, as they have engaged forensic firms and law enforcement to continue their investigation. In our commitment to transparency and security, we want to share that we, BigID, do leverage MongoDB Atlas for our cloud-based customers. It is important to note that MongoDB Atlas access is authenticated via a separate system from MongoDB corporate systems, and they have found no evidence that the Atlas cluster authentication system has been compromised. Based on information currently available, MongoDB Atlas is not impacted, as they have not identified any security vulnerability in any MongoDB product as a result of this incident. However, we’re being proactive by staying up to date with their alerts page and updating this bulletin accordingly with any further updates provided by MongoDB.

Update: MongoDB Security Notice

On December 18th, MongoDB updated the status of their security incident, classifying it as a phishing attack with a high degree of confidence. They continue to find no evidence of unauthorized access to MongoDB Atlas clusters or the Atlas cluster authentication system. Their investigation and work with the relevant authorities is ongoing, and MongoDB will update their alert page with pertinent information as that investigation progresses. MongoDB did provide a list of Indicators of Compromise (IOCs) with relevant IPs from the Mullvad VPN service. BigID has conducted a retrospective investigation and saw none of these IPs communicating with the BigID Cloud service.

HTTP/2 Zero-Day Vulnerability

Vulnerability details

On October 12, 2023, Cloudflare, along with Google and Amazon AWS, disclosed the existence of a novel zero-day vulnerability dubbed the “HTTP/2 Rapid Reset” attack. This attack exploits a weakness in the HTTP/2 protocol to generate enormous, hyper-volumetric Distributed Denial of Service (DDoS) attacks. BigID has scanned our environment and although we do utilize this protocol, we leverage Cloudflare HTTP DDoS Attack protection and therefore there is no impact to BigID.

Okta Customer Support Management System Breach

Vulnerability details

In October 2023, Okta reported a security breach of its customer support management system in which a small portion of its customer information was downloaded by a hacker. In late November, Okta confirmed that contact information for all of their customers was compromised. Although BigID uses Okta for identity services, we also leverage multi-factor authentication for our critical systems. As a result, no customer environments or data were impacted by this breach.

Confluence Zero-Day Vulnerability CVE-2023-22515

Vulnerability details

On October 4, 2023, Atlassian announced a security vulnerability in its Confluence Data Center and Server software. BigID uses Confluence internally for collaboration and knowledge management; however, we leverage Atlassian-hosted Confluence Cloud which is not impacted by this vulnerability.

Datadog Import-in-the-Middle Vulnerability

Vulnerability details

On August 6, 2023, we were informed about a recent vulnerability discovered in DataDog, a service that many companies, including ours, use for monitoring. We take such announcements very seriously as they have the potential to impact our service, as well as your data security and privacy.

In response to this, our security team has been working diligently to assess our systems. We are pleased to report that an exhaustive review of our entire codebase revealed no indications of the flags that would make our code susceptible to these vulnerabilities. Therefore, we are confident that our use of DataDog does not pose a threat to the security of our service or your data. However, in our commitment to transparency and security, we want to share that we are running versions of dd-trace which do contain the vulnerabilities. Under normal circumstances these may pose risks, but we have found no unsafe usage in our repositories.

As an additional measure, we are forwarding this information to all our development teams to ensure they are fully aware of the situation and perform the necessary actions to upgrade to versions that do not contain the above-mentioned vulnerabilities. We will continue to closely monitor the situation and will take all necessary steps to maintain the highest level of data security.

MOVEit Transfer Critical Vulnerability CVE-2023-34362

Vulnerability details

On June 1, Progress Software announced a security vulnerability in their MOVEit Transfer software, which is used to move files securely. The flaw allows unauthorized parties to access the software’s database and modify the information stored there. BigID does not use the MOVEit software, so we are not affected directly. However, we’re being proactive by contacting our vendors to see if they use the software and whether it could affect us indirectly. To date, none of our critical vendors have reported any issues that would affect BigID or our customers.