RAMBleed: What you need to know

Yesterday, security researchers disclosed a vulnerability relating to how data is accessed after it is stored within computer memory modules, eventually leading to partial data disclosure.

================
TL DR:
================
This is a low severity (CVSS Base Score: 3.8) but notable vulnerability which cannot be exploited remotely. For organisations and customers, no action is required. It is up to software developers to use trusted execution environments (TEEs) such as AMD SEV, ARM TrustZone or Intel SGX to protect important data, or to clear such data from memory after use. Some DDR4 modules are not vulnerable to Rowhammer.

================
How does this attack take place?
================
An attacker would first need to compromise your system and persuade you to run an application. As memory modules are manufactured ever smaller, the memory cells used to store data sit close enough together to be subject to electrical interference from one another. An attacker can exploit this by reading the data from a memory address of interest over and over again, which eventually corrupts data: the binary contents (0 or 1) of nearby cells change, or "flip", from 0 to 1 or vice versa.

This effect has been seen before in an attack dubbed "Rowhammer" in 2014. That attack can be mitigated by the use of memory modules that use ECC (Error Correction Code). However, this new technique, RAMBleed, cannot be mitigated by ECC.

================
What must an attacker do to exploit this vulnerability?
================
An attacker must first map the memory which contains the data they wish to acquire. They can then work to control the data in memory on each side of the target data. Accessing this data over and over "hammers" the row containing it. If a target bit is 0, it will flip to 1, and if it is 1 it becomes 0. The attacker can then repeat this one column down in the memory segment to obtain the next piece of target data. Researchers were able to obtain 3 to 4 bits (each either 0 or 1) per second.

Researchers used this technique to obtain a 2048-bit OpenSSH key from the memory of a server. They did so by first using a technique they named "Frame Feng Shui" that allows them to place the target data within a physical memory frame (area) of their choice. The speed was 0.3 bits per second with an accuracy of 82%. Having obtained only part of the key, they used a variant of the technique documented in the Heninger-Shacham algorithm to recover the remainder.

================
How can an organisation or a consumer/end-user defend against this attack?
================
Encrypted memory, achieved by the use of trusted execution environments (TEEs) such as AMD Secure Encrypted Virtualization (SEV), ARM TrustZone or Intel Software Guard Extensions (SGX), will mitigate this attack since the attacker will obtain encrypted rather than plaintext data.

Alternatively, software developers can clear encryption keys or other sensitive data from memory after using it. Intel also recommends its guidelines for resisting side-channel and timing side-channel attacks:

A lesser known mitigation is the use of DDR4 memory modules that should disrupt the success of the Rowhammer attack. A module whose Maximum Activation Count (MAC) field for a memory row has the value "unlimited" is not vulnerable to Rowhammer.

This field exists within the module's SPD (Serial Presence Detect) information. From the following page, many but not all of the examined DDR4 modules feature this setting. For example, my 4x 16 GB (64 GB) Corsair Dominator Platinum PC4-21300 (CMX64GX4M4A2666C15) modules feature this setting and so appear not to be vulnerable to the Rowhammer technique. You can see this in the first attached screenshot (denoted by the value "Unlimited MAC"):

These screenshots were obtained from the RAMMon application available from PassMark.
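For readers without RAMMon, the script below (an added example, not code from the original post or from PassMark) decodes the same MAC field from a raw DDR4 SPD dump. The byte layout is JEDEC's DDR4 SPD "SDRAM Optional Features" byte; the Linux sysfs path it scans (the ee1004 driver's eeprom attribute) is an assumption.

```python
"""Decode the Maximum Activate Count (MAC) field of a DDR4 SPD image.

Layout is the JEDEC DDR4 SPD "SDRAM Optional Features" byte (byte 7):
  bits 5:4  tMAW  maximum activate window, in multiples of tREFI
  bits 3:0  MAC   maximum activates allowed within tMAW before a neighbouring
                  row must be refreshed (0x8 = "Unlimited MAC", 0x0 = untested)
The sysfs path in scan_linux_dimms() is an assumption: the ee1004 kernel
driver exposes DDR4 SPD EEPROMs there on Linux.
"""
from dataclasses import dataclass
import glob

DDR4_DEVICE_TYPE = 0x0C   # SPD byte 2 value identifying DDR4 SDRAM
OPTIONAL_FEATURES = 7     # SPD byte holding tMAW / MAC

MAC_CODES = {0x0: "Untested MAC", 0x1: "700K", 0x2: "600K", 0x3: "500K",
             0x4: "400K", 0x5: "300K", 0x6: "200K", 0x8: "Unlimited MAC"}
TMAW_CODES = {0: "8192 * tREFI", 1: "4096 * tREFI", 2: "2048 * tREFI"}


@dataclass
class MacInfo:
    mac: str
    tmaw: str
    unlimited: bool   # vendor declares no activate limit (RAMMon's "Unlimited MAC")
    untested: bool    # vendor never characterised the module: treat as possibly susceptible


def decode_ddr4_mac(spd: bytes) -> MacInfo:
    """Parse the leading bytes of a raw DDR4 SPD dump (normally a 512-byte image)."""
    if len(spd) <= OPTIONAL_FEATURES:
        raise ValueError("SPD image too short")
    if spd[2] != DDR4_DEVICE_TYPE:
        raise ValueError(f"not a DDR4 SPD (device type 0x{spd[2]:02X})")
    byte7 = spd[OPTIONAL_FEATURES]
    mac_code = byte7 & 0x0F
    tmaw_code = (byte7 >> 4) & 0x03
    return MacInfo(
        mac=MAC_CODES.get(mac_code, f"Reserved (0x{mac_code:X})"),
        tmaw=TMAW_CODES.get(tmaw_code, f"Reserved ({tmaw_code})"),
        unlimited=(mac_code == 0x8),
        untested=(mac_code == 0x0),
    )


def verdict(info: MacInfo) -> str:
    """Turn the decoded field into the reading the post above takes from RAMMon."""
    if info.unlimited:
        return "Unlimited MAC: vendor declares the module not susceptible to Rowhammer"
    if info.untested:
        return "Untested MAC: no vendor claim, assume the module may be susceptible"
    return (f"MAC {info.mac} per {info.tmaw}: activates are limited, "
            "the memory controller must honour the limit")


def make_spd(optional_features: int, device_type: int = DDR4_DEVICE_TYPE) -> bytes:
    """Constructed 512-byte SPD image for testing; only bytes 2 and 7 are meaningful here."""
    spd = bytearray(512)
    spd[2] = device_type
    spd[OPTIONAL_FEATURES] = optional_features
    return bytes(spd)


def scan_linux_dimms(pattern: str = "/sys/bus/i2c/drivers/ee1004/*/eeprom") -> dict:
    """Report every DDR4 SPD EEPROM found under the (assumed) ee1004 sysfs path."""
    results = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, "rb") as f:
            results[path] = verdict(decode_ddr4_mac(f.read(8)))
    return results
```

On a Linux host with the ee1004 driver loaded, `scan_linux_dimms()` returns one verdict per DIMM; `decode_ddr4_mac(make_spd(0x08))` reproduces the "Unlimited MAC" reading shown in the screenshot.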


Thank you.

Mitigating Microsoft’s June 2019 NTLM Vulnerabilities

Microsoft issued an update yesterday to resolve 2 vulnerabilities within Windows that can be used to allow an attacker to authenticate and run code remotely.

TL DR: Install the updates for CVE-2019-1019 and CVE-2019-1040 and follow the recommended guidelines in Preempt's blog post:

================
If attackers exploited these issues; what would the result be?
================
Preempt responsibly disclosed 2 vulnerabilities as a result of 3 logic flaws in NTLM to Microsoft. As a result of previous disclosures Microsoft added the Message Integrity Code (MIC) field designed to guarantee that attackers cannot tamper with NTLM messages in any way. Preempt bypassed this allowing them to change NTLM authentication fields, reducing security.

Next, Server Message Block (SMB) Session Signing was bypassed by Preempt, allowing attackers to relay NTLM authentication messages and establish SMB and DCE/RPC sessions. Enhanced Protection for Authentication (EPA) was bypassed, allowing the altering of "NTLM messages to generate legitimate channel binding information." Finally, their bypasses could allow "attackers to relay NTLM authentication requests to any server in the domain, including domain controllers, while establishing a signed session to perform remote code execution." This could potentially lead to the entire Active Directory domain becoming compromised by moving laterally from system to system.

================
How can an organisation or a consumer/end-user defend against these attacks/bypasses?
================
Install the updates for CVE-2019-1019 and CVE-2019-1040:

Moreover, Preempt's blog post provides the necessary recommendations to fully mitigate these issues.

================

For reference I have linked to how to enable the following mitigations:

Enforce SMB Signing

Block NTLMv1
Part 1

Further information link

Enforce LDAP Signing

Enforce EPA:
Part 1

Part 2
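As an added check (not from the original post, nor from Preempt or Microsoft), the script below reads the registry values that back those four mitigations and reports which are not in force. The value names are the documented Windows settings; the defaults and acceptable values are my reading of them, and the script is exercised on a constructed dict rather than a live system.

```python
"""Registry audit for the NTLM relay mitigations listed above: SMB signing,
blocking NTLMv1, LDAP signing and channel binding, and EPA.

audit() evaluates a plain dict so it can be tested anywhere; only
read_registry() touches a live Windows registry.  The value names are the
documented Windows settings; defaults and acceptable values are my reading.
"""
LSA = r"SYSTEM\CurrentControlSet\Control\Lsa"
SMB_SRV = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
SMB_CLI = r"SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"
NTDS = r"SYSTEM\CurrentControlSet\Services\NTDS\Parameters"   # domain controllers
LDAP_CLI = r"SYSTEM\CurrentControlSet\Services\LDAP"

# (HKLM subkey, value name, default when absent, acceptable values, DC only, meaning)
CHECKS = [
    (SMB_SRV, "RequireSecuritySignature", 0, {1}, False, "SMB signing required (server)"),
    (SMB_CLI, "RequireSecuritySignature", 0, {1}, False, "SMB signing required (client)"),
    (LSA, "LmCompatibilityLevel", 3, {5}, False, "LM and NTLMv1 refused, NTLMv2 only"),
    (LSA, "SuppressExtendedProtection", 0, {0}, False, "Extended Protection (EPA) not suppressed"),
    (LDAP_CLI, "LDAPClientIntegrity", 1, {2}, False, "LDAP client signing required"),
    (NTDS, "LDAPServerIntegrity", 1, {2}, True, "LDAP server signing required"),
    (NTDS, "LdapEnforceChannelBinding", 0, {1, 2}, True, "LDAP channel binding enforced"),
]


def audit(values: dict, domain_controller: bool = False) -> list:
    """values maps (subkey, name) -> int, or None / missing when the value is not set.
    Returns one finding per mitigation that is not in force."""
    findings = []
    for subkey, name, default, acceptable, dc_only, meaning in CHECKS:
        if dc_only and not domain_controller:
            continue
        current = values.get((subkey, name))
        effective = default if current is None else current
        if effective not in acceptable:
            state = "not set" if current is None else str(current)
            findings.append(f"{meaning}: HKLM\\{subkey}\\{name} is {state} "
                            f"(effective {effective}), expected one of {sorted(acceptable)}")
    return findings


def read_registry() -> dict:
    """Collect the current values from the live registry (Windows only)."""
    import winreg
    values = {}
    for subkey, name, *_ in CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                values[(subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:   # key or value absent: audit() applies the default
            values[(subkey, name)] = None
    return values


def hardened_sample() -> dict:
    """Constructed dict with every value set as the mitigations require."""
    return {(k, n): max(ok) for k, n, _, ok, _, _ in CHECKS}


if __name__ == "__main__":
    import sys
    values = read_registry() if sys.platform == "win32" else hardened_sample()
    for line in audit(values, domain_controller=True) or ["All listed mitigations are in force."]:
        print(line)
```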

================

Thank you.

June 2019 Update Summary

With yesterday being the second Tuesday of the month, it's Update Tuesday again. Microsoft resolved 88 vulnerabilities (more formally known as CVEs), with Adobe addressing 11 vulnerabilities of their own.

Adobe Campaign: 7x Priority 3 vulnerabilities (1x Critical, 3x Important, 3x Moderate)

Adobe ColdFusion: 3x Priority 2 vulnerabilities (3x Critical)

Adobe Flash Player: 1x Priority 1 vulnerability (1x Critical)

If you use Adobe ColdFusion, please apply the necessary updates as soon as possible. For that product, as per Adobe’s advisory, please make certain the Java JDK/JRE in use on the server is fully up to date in order to fully secure it. Please install the remaining updates for Campaign and Flash Player as soon as possible since they also resolve critical vulnerabilities.

====================
For Microsoft, this month's list of Known Issues is available within their monthly summary page and applies to all currently supported operating systems. Not all issues have workarounds at this time. The updates for Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows Server 2012 R2 list known issues with McAfee products; please refer to the guidance Microsoft links to within the pages below to attempt to work around these issues:

4493730                Windows Server 2008 Service Pack 2 Servicing stack update

4503027                Exchange Server 2019, Exchange Server 2016

4503028                Exchange Server 2010 Service Pack 3, Exchange Server 2013

4503263                Windows Server 2012 (Security-only update)

4503267                Windows 10, version 1607, Windows Server 2016

4503276                Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

4503279                Windows 10, version 1703

4503284                Windows 10, version 1709

4503285                Windows Server 2012 (Monthly Rollup)

4503286                Windows 10, version 1803

4503290                Windows 8.1 Windows Server 2012 R2 (Security-only update)

4503291                Windows 10

4503292                Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Security-only update)

4503293                Windows 10, version 1903

4503327                Windows 10, version 1809, Windows Server 2019

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer: CVE-2019-1038

Microsoft Speech API Remote Code Execution Vulnerability: CVE-2019-0985

Microsoft Scripting Engine:

CVE-2019-1002

CVE-2019-0991

CVE-2019-1080

CVE-2019-1023

CVE-2019-0992

CVE-2019-1024

CVE-2019-0990

CVE-2019-0988

CVE-2019-0989

CVE-2019-1055

CVE-2019-1052

CVE-2019-1051

CVE-2019-0920

CVE-2019-1003

Windows Hyper-V Remote Code Execution Vulnerability: CVE-2019-0709, CVE-2019-0722, CVE-2019-0620

ActiveX Data Objects (ADO) Remote Code Execution Vulnerability: CVE-2019-0888

Windows Task Scheduler: CVE-2019-1069 (disclosed by SandboxEscaper)

Windows AppX Deployment Service (AppXSVC): CVE-2019-1064 (disclosed by SandboxEscaper)

Windows Shell: CVE-2019-1053 (disclosed by SandboxEscaper)

Windows Installer: CVE-2019-0973 (disclosed by SandboxEscaper)

====================
Please install the remaining updates at your earliest convenience.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
VideoLAN VLC:
=======================
A new version of VLC is available for Apple macOS, Linux, Windows (desktop and Windows Store), Google Android and Apple iOS with some great performance improvements and resolving 33 security vulnerabilities (2 of which are high severity) as a result of the EU-FOSSA bug bounty programme which opened in January this year.

Further details are below:

http://www.videolan.org/vlc/releases/3.0.7.html

http://www.jbkempf.com/blog/post/2019/VLC-3.0.7-and-security

Version 3.0.7.1 has since been released to resolve other non-security issues. The most recent version can be downloaded from:

http://www.videolan.org/vlc/

=======================
Mozilla Firefox
=======================
Yesterday, Mozilla released Firefox 67.0.2 to address a single moderate severity vulnerability. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above change.

=======================
Google Chrome:
=======================
Google released Google Chrome version 75.0.3770.80 to address 42 vulnerabilities in early June.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
VMware:
=======================
Earlier this month VMware published a security advisory to address a single Important severity vulnerability in VMware Tools for Linux and Windows.

If you use VMware Tools on Linux or Windows, please review the security advisory and apply the necessary updates.

Thank you.

Microsoft re-issues warning to patch BlueKeep Vulnerability

=======================
Update: 12th June 2019
=======================
TL DR:
Install the RDP patch if you have not already done so. Use the paid-for micropatch if you can’t take a system offline to reboot it. If you can’t do either of these follow Microsoft’s or the NSA’s advice to mitigate the vulnerability.
=======================

Microsoft on the 31st of May re-iterated its warning to patch vulnerable systems as soon as possible.

Meanwhile, multiple proofs of concept of how to exploit the vulnerability have been developed by security researchers:

This story continues with another security researcher creating a proof of concept Metasploit exploit for this vulnerability. The exploit works on Windows XP, Windows 7, Server 2008 and Server 2008 R2. Windows Server 2003 has the RDP vulnerability but the vulnerability couldn’t be exploited.

The NSA have since issued an advisory in addition to the two notifications from Microsoft linked to above.

For systems which cannot spare the down-time needed to reboot after installing the Microsoft patch, a micropatch from 0Patch is available for their Pro version subscribers:

As a proof of concept of how long it may take to patch a system, I used a VMware snapshot taken from a test Windows XP SP3 system I used back in 2012. The installation had no updates apart from SP3. After 40 minutes, all missing patches (2008 – 2014), the updates from 2017 (resolving EternalBlue, amongst others) and this year's RDP update were installed. Patching the RDP vulnerability took less than a minute (including the restart and start-up of the system).

I repeated the above using the Automatic Updates feature of Windows XP. I was able to fully patch the system in 30 minutes.

Systems which are better maintained than this would easily take less time (even if patched manually like I did), especially if tools such as WSUS or SCCM are used, where vast numbers of systems can be patched very quickly.

Thank you.

=======================
Original Post: 4th June
=======================
Earlier this month Microsoft issued an update to resolve a critical vulnerability in Remote Desktop Services making use of the RDP protocol, port 3389.

TL DR: If you use Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 or Windows XP, if you have not done so already, please install this update.

Why should this vulnerability be considered important?
As Microsoft reminded us when issuing the patch, this vulnerability requires no authentication or user interaction. It has the potential to spread just like the WannaCry and NotPetya infections did in 2017. Windows 8.1 and Windows 10 (and their Server equivalents) are NOT vulnerable.

Robert Graham from Errata Security on the 28th of May issued a report of the scan results from a widespread scan of the internet. He found approximately 950,000 vulnerable systems.

How can I protect my organisation or myself from this vulnerability?
The easiest method is to install the update available from Microsoft.

For Windows Server 2003, Windows XP and Windows Vista, the update must be manually downloaded and installed from the link below, since it was not made available through the automatic mechanisms these versions of Windows previously had, namely Microsoft Update, Automatic Updates and Windows Update.

If you cannot install this security update, you can protect against this vulnerability by following the Workarounds listed in this link. Further explanation from Microsoft is also available from this link.

Microsoft on the 30th and 31st of May re-iterated its warning to patch vulnerable systems as soon as possible. Meanwhile, proofs of concept of how to exploit the vulnerability have been developed by at least 3 security researchers.

Thank you.

NoScript Extension Made Available for Google Chrome

In early April the very well-known Firefox extension NoScript became available for Google Chrome. This extension should still be considered beta, as detailed in this ZDNet article, but it's fast approaching a stable status expected later this month.

This extension helps to reduce the attack surface of your web browser by only executing (allowing to run) JavaScript for the websites that you have allowed. This reduces the possibility of exploitation of vulnerabilities and reduces or eliminates online adverts. Unfortunately, due to limitations within Chrome, the anti-XSS (cross-site scripting) filter of NoScript cannot be implemented at this time. Further background on NoScript is available from here.

Thank you.

May 2019 Update Summary

====================
Note to my readers:

Due to professional commitments over the last several weeks and for the next 2 weeks; updates and new content to this blog have been and will be delayed. I’ll endeavour to return to a routine manner of posting as soon as possible.

Thank you.
====================

Earlier today Microsoft and Adobe released their monthly security updates. Microsoft resolved 79 vulnerabilities (more formally known as CVEs), with Adobe addressing 87 vulnerabilities.

Adobe Acrobat and Reader: 84x priority 2 vulnerabilities (48x Critical and 36x Important severity)

Adobe Flash: 1x priority 2 vulnerability (1x Critical severity)

Adobe Media Encoder: 2x priority 3 vulnerabilities (1x Critical severity and 1x Important severity)

If you use Acrobat/Reader or Flash, please apply the necessary updates as soon as possible. Please install their remaining priority 3 update when time allows.

====================
For Microsoft, this month's list of Known Issues is available within their monthly summary page and applies to all currently supported operating systems. All issues, however, have at least one workaround:

4493730   Windows Server 2008 Service Pack 2 (Servicing Stack Update)

4494440   Windows 10, version 1607, Windows Server 2016

4494441   Windows 10, version 1809, Windows Server 2019

4497936   Windows 10, version 1903

4498206   Internet Explorer Cumulative Update

4499151   Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

4499154   Windows 10

4499158   Windows Server 2012 (Security-only update)

4499164   Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

4499165   Windows 8.1 Windows Server 2012 R2 (Security-only update)

4499167   Windows 10, version 1803

4499171   Windows Server 2012 (Monthly Rollup)

4499179   Windows 10, version 1709

4499180   Windows Server 2008 Service Pack 2 (Security-only update)

4499181  Windows 10, version 1703

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Windows RDP: CVE-2019-0708 (also includes an update for Windows Server 2003 and Windows XP)

Scripting Engine: CVE-2019-0924, CVE-2019-0927, CVE-2019-0922, CVE-2019-0884, CVE-2019-0925, CVE-2019-0937, CVE-2019-0918, CVE-2019-0913, CVE-2019-0912, CVE-2019-0911, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917

Windows DHCP Server: CVE-2019-0725

Microsoft Word: CVE-2019-0953

Microsoft Graphics Component: CVE-2019-0903

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Windows Error Reporting: CVE-2019-0863

Microsoft Advisory for Adobe Flash Player

Microsoft Windows Servicing Stack Updates

For the Intel Microarchitectural Data Sampling (MDS) vulnerabilities, please follow the advice of Intel and Microsoft within their advisories. A more thorough list of affected vendors is available from here.

====================
Please install the remaining updates at your earliest convenience.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Nvidia Graphics Drivers:
=======================
3 security vulnerabilities, the most severe having a CVSS v3 base score of 7.7, have been resolved within Nvidia's graphics card drivers in May. These vulnerabilities affect Windows only. All 3 are local rather than remote vulnerabilities, meaning that an attacker would first need to compromise your system before exploiting the Nvidia vulnerabilities to elevate their privileges. The steps to install the drivers are located here. If you use an affected Nvidia graphics card, please consider updating your drivers to the most recent available.

=======================
VMware
=======================
VMware has released the following security advisories:

Workstation Pro:

Security Advisory 1: Addresses 1x DLL hijacking vulnerability

Security Advisory 2: Addresses 4x vulnerabilities present in Workstation Pro and the products listed below. Please make certain to install Intel microcode updates for your systems as they become available, in addition to these VMware updates:

VMware vCenter Server (VC)
VMware vSphere ESXi (ESXi)
VMware Fusion Pro / Fusion (Fusion)
vCloud Usage Meter (UM)
Identity Manager (vIDM)
vCenter Server (vCSA)
vSphere Data Protection (VDP)
vSphere Integrated Containers (VIC)
vRealize Automation (vRA)

If you use the above VMware products, please review the security advisories and apply the necessary updates.

Thank you.

No Fix Planned for Linksys Router Information Disclosure

Earlier this week a security researcher disclosed a vulnerability within Linksys routers that was thought to have been patched back in 2014.

TL DR: No fix for this vulnerability exists. It is made worse if your router is using the default password. With no fix from Linksys expected you may consider using OpenWrt firmware.

Why should this vulnerability be considered important?
This vulnerability is trivial to exploit and can be carried out remotely by an unskilled attacker. A list of affected Linksys routers is available in Mursch's report. At the time of writing, Linksys has deemed the vulnerability "Not applicable / Won't fix" following responsible disclosure by Mursch. This information disclosure vulnerability leaks (among other details):

  • MAC address of every device that's ever connected to it (full historical record, not just active devices)
  • Device name (such as “TROY-PC” or “Mat’s MacBook Pro”)
  • Operating system (such as “Windows 7” or “Android”)
  • WAN settings
  • Firewall status
  • Firmware update settings
  • DDNS settings

A further example of the information disclosed is present in Mursch's report. One of the more important elements disclosed is the MAC address. This unique "fingerprint" allows the tracking of a device as it moves across networks and allows its geolocation using a service such as Wigle (we have mentioned Wigle before on this blog). Using this location data, an attacker could plan and conduct targeted attacks against your business or home.

As mentioned above, this vulnerability is made more severe if your Linksys router is using a default password; the following actions can then be taken by an attacker (list courtesy of Mr. Troy Mursch):

  • Obtain the SSID and Wi-Fi password in plaintext
  • Change the DNS settings to use a rogue DNS server to hijack web traffic
  • Open ports in the router's firewall to directly target devices behind the router (example: 3389/TCP for Windows RDP)
  • Use UPnP to redirect outgoing traffic to the threat actors’ device
  • Create an OpenVPN account (supported models) to route malicious traffic through the router
  • Disable the router’s internet connection or modify other settings in a destructive manner

How can I protect my organisation/myself from this vulnerability?
If your router is one of the vulnerable models listed in Mursch’s report; please make certain the option for automatic firmware updates is enabled (if it is present). Should Linksys correct this vulnerability in the future, you will receive the fix automatically.

Please make certain your Linksys router is not using the default password it is supplied with. With no fix from Linksys expected you may consider using OpenWrt firmware.

Thank you.