Linux and Windows Address Page Cache Vulnerabilities

In early January security researchers located further vulnerabilities in how Windows and Linux operating systems use a memory page cache.

How severe are these vulnerabilities and what is their impact?
One of the co-authors of the academic paper disclosing these vulnerabilities described the work as mostly “a matter of academic interest” meaning that attackers are less likely to take advantage of these vulnerabilities.

Local attacks:
For the localised rather than remote variant of utilizing these vulnerabilities; the attacker must already have gained access to the victim system to read the target memory page. The attacker could do this by “[having a] malicious process on the operating system or when processes run in sandboxes that have shared files”.

Other actions an attacker could potentially carry out are:

• Cloning an open window and replacing the legitimate application window
• Gathering the root (Linux) or administrator (Windows) password

Remote attack:
To exploit the vulnerabilities remotely; the researchers leveraged “timing differences between memory and disk access, measured on a remote system, as a proxy for the required local information”. This was achieved by measuring the times when soft page faults (the page is erroneously mapped, with the help of a process that runs on a remote server) occurred. The researchers were successful in sending data covertly from an unprivileged malicious process within the victim system to a remote server fulfilling the role of a web server. They used a technique from previous research namely the NetSpectre attack to distinguish cache hits and misses over a network connection. This was successful on systems with mechanical hard drives (HDDs) and solid-state disks (SSDs). SSDs were more complex since the timing differences were smaller but the researchers compensated by using larger files to distinguish between cache hits and misses.

How can I protect my organization/myself from these vulnerabilities?
Since these vulnerabilities are more academic in nature; attackers are less likely to exploit them. Linus Torvalds has explained that the code to resolve this vulnerability has been checked in and is undergoing testing before being more widely rolled out. For Windows; Build 18305 of the upcoming Windows 19H1 (otherwise known as Version 1903) due for release in April 2019 contains fixes for these vulnerabilities. It is anticipated Microsoft will back-port this patch to earlier Windows versions.

In addition; the mitigations for the Spectre vulnerabilities from last year should address the remote attack vector using the NetSpectre attack method.

Why are there so many timing attacks being disclosed lately?
Since modern systems rely on timing for almost every component e.g. the CPU (internal caches and registers respond in nanoseconds (ns)), the memory/RAM (e.g. CAS latency), HDDs (measured in milliseconds (ms) e.g. 8.9 ms), SSDs (e.g. 0.05 ms , much faster) we are likely to continue to see further vulnerabilities disclosed as further scrutiny is applied to devices and architectures that have been in use for many years.

E.g. the affected code from Linux was timestamped in 2000 and stated that further revision should be carried out when more information was known. 19 years later we know more and are revising that code. It’s a similar situation with Windows where the revised code works to ensure low privilege processes can no longer access page cache information or shared cache information. As The Register points out; “something complex that’s just working can remain untouched for a very long time, lest someone breaks it” and is more likely to contain vulnerabilities since nobody has taken the time to look for what has been there for years.

Thank you.

January 2019 Update Summary

====================
Updated: 9th January 2019
====================
Happy New Year to all of my readers. Thanks very much.

Today Microsoft made available monthly updates resolving 47 vulnerabilities (more formally known as CVEs (defined)) respectively. Further details are available from Microsoft’s monthly summary page.

Separately Adobe released out of band (unscheduled) updates last week for Acrobat 2017 and Acrobat DC/Acrobat DC. These updates address 2x critical CVEs.

Other updates released today are as follows:
Adobe Connect: 1x priority 3 CVE resolved
Adobe Digital Editions: 1x priority 3 CVE resolved
Adobe Flash Player: reliability/performance update only

While the Flash Player update is a non-security update it’s likely Adobe chose to release it via the usual channels since it’s what people are familiar with and it helps to get updates out sooner.

Similar to last month; Microsoft’s updates come with a long list of Known Issues that will be resolved in future updates. They are listed below for your reference:

KB4468742
KB4471389
KB4480116
KB4480961
KB4480962
KB4480963
KB4480966
KB4480970
KB4480973
KB4480975
KB4480978

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Windows DHCP Client (Further details here)

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)(please also remember last months’s Internet Explorer update).

Microsoft Hyper-V (CVE-2019-0550 and CVE-2019-0551)

Microsoft Exchange (CVE-2019-0586)(Further details here)
====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Please find below summaries of other notable updates released this month.

Thank you.

====================
Intel Security Advisories:
====================
Intel have released a series of security advisories so far this month. Of highest priority is the advisory for their Intel PROSet/Wireless WiFi Software to resolve a high severity CVSS Base Score 7.8 vulnerability. The security advisory affects many of their WiFi adapters.

Further important updates for their System Support Utility and Intel SGX SDK and Intel SGX Platform Software were also made available. Meanwhile lower severity issues were addressed in Intel’s SSD data-center tool for Windows, Intel NUC Firmware and Intel Optane SSD DC P4800:

If you use any of the affected software or products, please update them as soon as possible especially in the case of the PROSet/Wireless WiFi Software.

Asus and Gigabyte Software Flaws Unresolved

In mid-December security researchers from SecureAuth disclosed local elevation of privilege and code execution vulnerabilities within software and drivers (defined) from hardware vendors Asus and Gigabyte.

What is the severity and impact of these vulnerabilities?
=======================
ASUS Aura Sync v1.07.22 and previous versions:
=======================
For the Asus Aura Sync software; two vulnerable drivers are installed and have the potential to allow local code execution by an attacker.

There are three vulnerabilities within this software:

CVE-2018-18535: affects the Asusgio driver by leaving an exposed read/write method available for model specific registers (MSRs)(defined). This weakness can be leveraged to execute arbitrary code with System level (defined)(ring 0) privileges. Diego Juarez, the security researcher who discovered these vulnerabilities; created proof of concept code to allow insecure access to the MSRs via a stray kernel (defined) function pointer (defined) allowing the bypass of kernel address space layout randomization (KASLR)(defined) which results in a denial of service (DoS) condition in the form of a Blue Screen of Death (BSoD). This would have medium to high impact depending on the criticality of the system that is rendered temporarily unavailable by the BSoD.

CVE-2018-18536: the proof of concept for this vulnerability results in the system rebooting. This was achieved by utilizing the ability to read and write data to IO ports using the GLCKIo and Asusgion drivers. This ability can be used to run code of your choice with elevated privileges. This would have a high to critical severity since any code of the attackers choice could be leveraged for a purpose of their choosing.

CVE-2018-18537: can be used to trigger a system crash. This is achieved by writing 32 bits of data (DWORD)(explanation) to an address of an attackers choice. This can corrupt data and lead to unexpected behavior such as a crash. This would have a low to high depending upon the type of data that became corrupted.

=======================
Gigabyte App Center v1.05.21 and previous
Aorus Graphics Engine v1.33 and previous
Xtreme Gaming Engine v1.25 and previous
OC Guru II v2.08
=======================
CVE-2018-19320: has the potential to grant the attacker full access to the affected system and is thus medium to high in severity. The proof of concept for this is the same as for CVE-2018-18537 (above). CVE-2018-19322 is very similar to CVE-2018-18636 described above. CVE-2018-19323 is again very similar to CVE-2018-18535 already described above.

Finally CVE-2018-19321 could place an attacker in complete control of the victim system upon exploiting drivers within the Gigabyte App Center; Aorus Graphics Engine, Xtreme Gaming Engine or OC Guru (version numbers listed above). The proof of concept provided crashed the system but would be of medium to high severity due to the potential for further malicious action.

How can I protect my organization or myself from these vulnerabilities?
As per the Asus and Gigabyte advisories; only Asus fixed one of the disclosed vulnerabilities. If you use any of the above affected software, please update it to the most recent version available. In addition; exercise standard caution regarding handling emails, email attachments and the clicking of links (no matter in what form you receive such links). These vulnerabilities are all locally exploitable and thus require you to take an action out of the ordinary to harm your system.

The fact that neither company responded effectively is a concern; especially given how widely used these software applications are across the many hardware products both vendors sell to organisations and individuals.

The relevant advisories from SecureAuth are linked to here (Asus) and here (Gigabyte).

Why am I highlighting the vulnerabilities in these software packages?
I am highlighting these vulnerabilities since they re-demonstrate that any software installed on a system can contain vulnerabilities not just internet facing or widely used applications (making these Asus and Gigabyte applications a lot less likely to be updated by end-users). While this software may be considered innocuous (since it does not directly access the internet (except in the case to check for updates)) and is not used to open files/documents; given the low-level drivers the software uses; they still have the potential to provide an attacker with a means for malicious action.

I am aware of the availability of the Asus Aura Sync software since it is offered as a download for my Asus Rampage VI motherboard. I have not installed it since the motherboard LEDs already work (due to the UEFI firmware controlling them) to my satisfaction without software. Thus I chose not to install the software since I didn’t need it. While my system isn’t affected since the Asus software is not installed; it’s a concern that widely used applications are not being patched.

While I can acknowledge Gigabyte stating it is a hardware company; clearly the drivers and software it distributes to use and optimize/customize those products requires some maintenance from time to time; especially in the case where a vulnerability notification is provided. While Asus resolved one vulnerability it did not resolve the remaining two even when it too was provided with the necessary technical details.

Thank you.

December 2018: Further Zero Day Vulnerabilities Disclosed

In the 3rd week of December; a security researcher using the name SandboxEscaper (who we have discussed twice before on this blog) announced a 3rd zero-day (defined) vulnerability followed by a 4th on the 30th of December.

For the 3rd vulnerability: Windows 7 and Windows 10 are confirmed as impacted. Windows 8.1 may also be vulnerable. For the 4th vulnerability; Windows 10 Version 1803 (Build 17134) has been confirmed as impacted (it’s unknown if newer builds of Window 10 or if Windows 7/8.1 are vulnerable).

How severe are these vulnerabilities and what is their impact?
I’ll break these into 2 sections:

=======================
Vulnerability 3:
Arbitrary file read issue: Uses MsiAdvertiseProduct:
=======================
From the limited information available this vulnerability does not appear to be remotely exploitable. The attacker would already need to have compromised an account on your Windows system in order to run the necessary proof of concept code. This vulnerability should be considered medium but not critical severity. When exploited it can allow an attacker to read/copy any files they choose using the permissions from the Windows Installer Service namely LocalSystem privileges (the highest level of privilege)(defined). The vulnerability makes use of a time to check to time to use (TOCTOU) race condition type.

In the same manner as the previous vulnerabilities it may be leveraged in the wild before it is patched by Microsoft; this is my reason for advising exercising caution with email and clicking unexpected links (within emails, links within IM clients or social networks). Security researcher Will Dormann found this exploit inconsistent when used. Meanwhile Acros Security CEO Mitja Kolsek stated It was very likely a micropatch for this exploit would be available before the holiday period.

=======================
Vulnerability 4:
Arbitrary file overwrite issue: Proof of concept overwrites pci.sys
=======================
As above; this vulnerability does not appear to be remotely exploitable. The attacker would already need to have compromised an account on your Windows system in order to run the necessary proof of concept code. This vulnerability should be considered medium but not critical severity. When exploited it can allow an attacker to overwrite pci.sys with information about software and hardware problems, collected through the Windows Error Reporting (WER) but the attacker can also influence what data is used to overwrite the original file. The vulnerability again makes use of a race condition which means that the exploit doesn’t always provide the attacker with the intended result. This is especially true for systems with a single CPU core.

However; the choice of pci.sys for the proof of concept was an example; any file could be used (confirmed by Will Dormann).

How can I protect my organization/myself from these vulnerabilities?
The same advice issued for the first two zero day disclosures again applies here. This US-CERT advisory also provides advice for safely handling emails.

If you wish to deploy the micropatch from the firm 0patch; please test how well it works in your environment thoroughly BEFORE deployment in your production environment.

It can be obtained by installing and registering 0patch Agent from https://0patch.com Such micropatches usually install and need no further action when Microsoft officially patches the vulnerability since the micropatch is only active when a vulnerable version of the affected file is used; once patched the micropatch has no further effect (it is then unnecessary).

Thank you.

December 2018 Update Summary

====================
Update: 3rd January 2019
====================
Apologies for the delay.

Microsoft made available an out of band (un-scheduled) security update available for Internet Explorer on the 19th of December. This vulnerability is being actively exploited; thus if you have not already done, please update your Windows systems. All supported Windows Server and consumer versions of Windows are affected. The full table of affected Windows versions is available here from Microsoft.

For Lenovo laptops running Windows 10 Version 1607 with less than 8 GB of system memory (RAM); Microsoft has provided the following workarounds since this new security update inadvertently causes these systems to be unbootable:

====================
Restart the affected machine using the Unified Extensible Firmware Interface (UEFI). Disable Secure Boot and then restart.

If BitLocker is enabled on your machine, you may have to go through BitLocker recovery after Secure Boot has been disabled.

Microsoft is working with Lenovo and will provide an update in an upcoming release.
====================

Thank you.

====================
Original Post:
====================
Earlier today Microsoft and Adobe made available monthly updates addressing 39 vulnerabilities and 88 vulnerabilities (more formally known as CVEs (defined)) respectively. As always; more information is available from Microsoft’s monthly summary page and Adobe’s blog post.

While Adobe’s update addresses a large number of vulnerabilities; Microsoft’s released updates are fewer in overall vulnerabilities and should be considered light when compared to some months this year. If you use Adobe Flash Player, if you have not already done so; please ensure it is up to date (version 32.0.0.101). They addressed a zero day (defined) vulnerability with that update earlier this month which was in use by an APT group (defined in this context it is an organised group making use of zero day vulnerabilities).

Unfortunately; Microsoft’s updates also come with a list of Known Issues that will be resolved in future updates. They are listed below for your reference:

KB4471318: Windows 7 SP1 and Windows Server 2008 R2 SP1 : Workaround provided

KB4471321 : Windows 10, Version 1607Windows Server 2016 : resolutions are in progress

KB4471324 Windows 10, Version 1803 : resolution in progress

KB4471327 : Windows 10, Version 1703 : resolution in progress

KB4471329 Windows 10, Version 1709 : resolution in progress

As briefly mentioned above Adobe issued updates for Adobe Acrobat and Reader:

Adobe Acrobat and ReaderPriority 2: Resolves 40x Critical CVEs ands 48x Important CVEs

If you use Adobe Acrobat or Reader, please update it as soon as possible especially given the large number of critical vulnerabilities that were patched.

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

CVE-2018-8611 : Windows Kernel (defined) (this vulnerability is already being exploited)

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Please find below summaries of other notable updates released this month.

Thank you.

=======================
Mozilla Firefox
=======================
Also earlier today Mozilla made available security updates for Firefox and Firefox ESR (Extended Support Release):

Firefox 64: Resolves 2x critical CVEs (defined), 5x high CVEs, 3x moderate CVEs and 1x low CVE

Firefox ESR 60.4: Resolves 1x critical CVE, 4x high CVEs and 1x low CVE.

Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

Update:
Separately; Firefox 64 now includes small pop-ups known as “snippets” which turned out to be an experiment by Mozilla. If you wish to turn them off; the steps are available here.

Meanwhile extension recommendations within Firefox 64 can be disabled using these steps.

=======================
Google Chrome:
=======================
Google released Google Chrome version 71.0.3578.80 to address 43 vulnerabilities.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

Oracle VirtualBox Zero Day Disclosed

In early November a security researcher publicly disclosed (defined) a zero day (defined) vulnerability within Oracle’s VirtualBox virtualisation software.

How severe is this vulnerability?
In summary; this vulnerability is serious but it could have been worse. In order to exploit it, an attacker would first need to have obtained elevated privileges on your system; root (defined) in the case of Linux and administrator (defined) in the case of Windows. Using this privilege the attacker can leverage the exploit to escape from the confines of the virtual machine (VM)(defined) into the system which hosts the virtual machine (in other words; the system which houses the virtual machine within its physical infrastructure). Once outside of the virtual machine the attacker must then elevate their privileges again since breaking out of the VM only gives them user level/standard privileges and not elevated privileges in the physical system. Thus the attacker would then need to use a separate exploit for another vulnerability (not related to this VirtualBox flaw) to elevate their privileges again to become root/admin within the physical system.

Obviously; the consequences of exploiting this vulnerability on a shared service/cloud infrastructure system would be more serious since multiple users would be affected all at once and the further exploitation of the resulting host systems could potentially provide the attacker with control over all the virtual machines.

How can an attacker exploit this vulnerability?
VirtualBox makes use of the Intel Pro/1000 MT Desktop (82540EM) network adapter to provide an internet connection to the virtual machines it manages. The attacker must first turn off this adapter in the guest (virtualised) operating system. Once complete they can then load a custom Linux kernel module (LKM)(defined) (this does not require a reboot of the system). That custom LKM contains the exploit derived from the technical write up provided. That new LKM loads its own custom version of the Intel network adapter. Next the LKM exploits a buffer overflow (defined) vulnerability within the virtualised adapter to escape the guest operating system. The attack must then unload the custom LKM to re-enable the real Intel adapter to resume their access to the internet.

How can I protect myself from this vulnerability?
While this is a complex vulnerability to exploit (an attacker would need to chain exploits together in order to elevate their privilege on the host system after escaping the VM), the source code needed to do so is available in full from the researcher’s disclosure; increasing the risk of it being used by attackers.

At the time of writing; this vulnerability has not yet been patched by VirtualBox. It affects versions 5.2.20 and earlier when installed on Ubuntu version 16.04 and 18.04 x86-64 guests (Windows is believed to be affected too). While a patch is pending; you can change the network card type to PCnet or Para virtualised Network. If this isn’t an option available or convenient for you; you can an alternative to the NAT mode of operation for the network card.

Thank you.

November 2018 Update Summary

Yesterday Microsoft and Adobe published their routine monthly updates resolving 62 and 3 vulnerabilities (more formally known as CVEs (defined)) respectively. More information is available from Microsoft’s monthly summary page and Adobe’s blog post.

Microsoft’s updates also come with a list of Known Issues that will be resolved in future updates. They are listed below for your reference:

KB4467691

KB4467696

KB4467686

KB4467702 (file type association issue to be resolved later in November 2018)

KB4467107

As summarized above; Adobe issued 3 updates for the following products:

Adobe Acrobat and Reader: Priority 1: Resolves 1x Important CVE (see also this page for a Windows 10 additional mitigation)

Adobe Flash Player: Priority 2: Resolves 1x Important CVE

Adobe Photoshop CC: Priority 3: Resolves 1x Important CVE

As per standard practice if you use any of the above Adobe software, please update it as soon as possible especially in the case of Acrobat DC and Reader DC due to the public proof of concept code released.

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Windows Kernel (a zero day (defined) vulnerability in Windows Server 2008, Server 2008 R2 and Windows 7)

Microsoft Dynamics 365

Windows Deployment Services (if used within your organization)

Microsoft Office (11x CVEs + 3x further CVEs in Office SharePoint)

Windows VBScript

Microsoft Graphics Component

Microsoft Bitlocker

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Please find below summaries of other notable updates released this month.

Thank you.

=======================
Nvidia Graphics Drivers:
=======================
A low severity vulnerability (this is a local rather than a remotely exploitable vulnerability) with a CVSS V3 (defined) base score 2.2 had been found within Nvidia’s graphics card drivers (defined). At the time of writing no fix is yet available but will address it in a future driver release. Please monitor their security advisory for further updates.