Lastline Analyst and Detonator On-Premises Release Notes

Version 6.2

New features

  • In-depth Windows Kernel Analysis
  • Improved archive analysis and report
  • CSRF vulnerability fix
  • Session fixation fix
  • Manuals page

In-depth Windows Kernel Analysis

Support for in-depth dynamic analysis of Windows kernel rootkits has been greatly improved. This provides insight into malware that hides in the kernel of Microsoft Windows operating systems and helps detect and respond to kernel-based threats. The kernel-mode analysis capability complements the platform's existing network-based detection of kernel components.

Improved archive analysis and report

When an archive file (such as a zip file) is submitted for analysis, multiple analysis tasks may now be started for different files contained within the archive. Furthermore, the analysis report for the archive itself now contains links to each individual analysis task.

CSRF vulnerability fix

This version fixes a cross-site request forgery (CSRF) vulnerability in the Lastline Portal. In previous versions of the portal, an attacker could trick the browser of a victim user who was already authenticated to the portal into issuing API requests to the Lastline Portal on the attacker's behalf. Successful exploitation of the CSRF flaw would give the attacker the permissions of the victim user on the portal. The impact of this vulnerability is limited by the fact that the attacker must lure the victim user to a malicious website while the victim is authenticated to the portal.

Credit for reporting this vulnerability goes to Dana Traversie and Sean Wright from Dell SecureWorks and Francisco Ribeiro from Mimecast. This issue is tracked by Dell as Security Advisory SWRX-2015-002.

Session fixation fix

This version fixes an issue that, in specific scenarios, enabled session fixation/hijacking attacks against the Lastline Portal. Before this version, the Lastline Portal did not regenerate the session token after a successful login. If an attacker obtained the session token assigned to an unauthenticated user (e.g., via a phishing or man-in-the-browser attack) and that user later logged in to the Lastline Portal, the attacker could use that same session token to hijack the authenticated session. Note that because the Lastline Portal has always stored the session token in an HTTP-only cookie, this issue was not exploitable for session hijacking using less powerful attacks (e.g., XSS).

Credit for reporting this vulnerability goes to Dana Traversie and Sean Wright from Dell SecureWorks. This issue is tracked by Dell as Security Advisory SWRX-2015-003.
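The following is an added, self-contained model of the two portal fixes described in the two sections above (session-token regeneration on login, and an anti-CSRF token on state-changing API requests). It is illustrative code written for these notes, not Lastline's own portal code; the Portal class, the "alice" credentials, the "delete_analysis" action name and the token format are all constructed assumptions. The vulnerable behaviour is selected by constructor flags so that the pre-fix and post-fix outcomes can be compared side by side.

```python
"""Model of session fixation and CSRF against a portal, before and after the fix.

Constructed example; class, user names and actions are assumptions, not Lastline APIs.
"""
import hmac
import secrets


class Portal:
    """Minimal in-memory portal with cookie-based sessions and a JSON-style API."""

    def __init__(self, rotate_session_on_login, require_csrf_token):
        # Flags model pre-fix (False) and post-fix (True) behaviour.
        self.rotate = rotate_session_on_login
        self.require_csrf = require_csrf_token
        self.sessions = {}  # session id -> {"user": str | None, "csrf": str}
        self.users = {"alice": "correct horse"}  # constructed credentials
        self.audit = []  # (user, action) pairs performed through the API

    def new_session(self):
        """Issue an unauthenticated session, as the portal would on first visit."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None, "csrf": secrets.token_urlsafe(32)}
        return sid

    def login(self, sid, username, password):
        """Authenticate; returns the session id the browser should use afterwards."""
        if sid not in self.sessions:
            sid = self.new_session()
        if not hmac.compare_digest(password, self.users.get(username, "")):
            return sid  # wrong password: session stays unauthenticated
        if self.rotate:
            # Fix: drop the pre-authentication session so that an id planted
            # in the victim's browser before login is worthless after login.
            del self.sessions[sid]
            sid = self.new_session()
        self.sessions[sid]["user"] = username
        return sid

    def csrf_token(self, sid):
        """Token embedded in the portal's own pages; same-origin policy keeps
        other sites from reading it."""
        return self.sessions[sid]["csrf"]

    def api_request(self, sid, action, csrf_token=None):
        """State-changing API call carrying the session cookie (sid)."""
        sess = self.sessions.get(sid)
        if sess is None or sess["user"] is None:
            return "unauthenticated"
        if self.require_csrf and (
            csrf_token is None or not hmac.compare_digest(csrf_token, sess["csrf"])
        ):
            # Fix: a cross-site page can make the browser send the cookie,
            # but cannot supply the per-session token.
            return "forbidden: missing or invalid CSRF token"
        self.audit.append((sess["user"], action))
        return "ok"


def session_fixation_succeeds(rotate_on_login):
    """Attacker learns an unauthenticated id, plants it in the victim's browser,
    and reuses it after the victim logs in."""
    portal = Portal(rotate_session_on_login=rotate_on_login, require_csrf_token=False)
    planted = portal.new_session()  # id known to the attacker
    portal.login(planted, "alice", "correct horse")  # victim logs in with it
    return portal.api_request(planted, "delete_analysis") == "ok"


def csrf_succeeds(require_token):
    """Victim is logged in; a malicious page triggers a request that carries
    the victim's cookie but no token."""
    portal = Portal(rotate_session_on_login=True, require_csrf_token=require_token)
    sid = portal.login(portal.new_session(), "alice", "correct horse")
    return portal.api_request(sid, "delete_analysis") == "ok"


def legitimate_request_ok():
    """The portal's own pages include the token, so real users are unaffected."""
    portal = Portal(rotate_session_on_login=True, require_csrf_token=True)
    sid = portal.login(portal.new_session(), "alice", "correct horse")
    return portal.api_request(sid, "delete_analysis", csrf_token=portal.csrf_token(sid)) == "ok"


if __name__ == "__main__":
    print("fixation, pre-fix :", session_fixation_succeeds(rotate_on_login=False))
    print("fixation, post-fix:", session_fixation_succeeds(rotate_on_login=True))
    print("CSRF, pre-fix     :", csrf_succeeds(require_token=False))
    print("CSRF, post-fix    :", csrf_succeeds(require_token=True))
    print("legit, post-fix   :", legitimate_request_ok())
```

Two design points carry over to real deployments: the session id must be replaced, not merely re-marked as authenticated, at the privilege boundary (login), and the CSRF token must be something the browser does not attach automatically, unlike the session cookie. The HTTP-only cookie mentioned in the notes stops script from reading the session token, which is why an XSS-only attacker could not read it, but it does not by itself address either of the two issues modelled here.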

Manuals page

A Manuals page has been added, which provides links to installation and configuration manuals as well as API documentation.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for on-premises use:

  • Lastline Analyst version 606

Deprecation of API methods

The following API methods of the legacy API (/ll_api/ll_api) are being deprecated in this version:

  • set_appliance_geoposition

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
