Daily Archives: August 2, 2015

Cisco Releases Security Updates Across Its Product Range

In late July Cisco released security updates to address a range of security vulnerabilities across their product range. The following devices/products were affected:

Cisco Application Policy Infrastructure Controller (APIC) and Cisco Nexus 9000 Series ACI Mode Switch
Cisco IOS Software
Cisco Unified MeetingPlace Web Conferencing application
Cisco ASR 1000 Series Aggregation Services Routers

The Application Policy Infrastructure Controller (APIC) and Cisco Nexus 9000 Series ACI Mode Switch were affected by an access vulnerability that could allow an authenticated but remote attacker to access these devices with root pirivileges. The attacker would need to access the cluster management configuration of the APIC. No workarounds are available for this vulnerability but there are no known instances of this issue being publically exploited. Cisco discovered this flaw during internal testing.

In addition, any Cisco device that runs their IOS operating system (not to be confused with Apple’s iOS , note the lower case i) and that has the TFTP file server functionality enabled is vulnerable to a denial of service (DoS) attack by an unauthenticated remote attacker by sending a number of TFTP requests to such a device. The device will then hang (stop functioning normally) and need to be restarted to resume normal operation. Workarounds for this issue are available (in addition, the TFTP server feature is not enabled by default). Cisco discovered this issue during internal product testing but an external security researcher also found this issue and developed publically available exploit code.

What is TFTP?
Trivial File Transfer Protocol (TFTP) is simplified file transfer protocol that lacks security features and the more advanced capabilities of the more widely known and used File Transfer Protocol (FTP). TFTP operates over UDP usually on port 69 (but can be configured to work on other nonstandard port numbers).

User Datagram Protocol (UDP) is a connectionless transport protocol (as opposed to the connection oriented nature of Transmission Control Protocol (TCP)). UDP is used by services such as Domain Name Service DNS (port 53) and Dynamic Host Configuration Protocol DHCP (ports 67 (server), port 68 (client)). UDP is also used for broadcasting on a computer network as well as real-time multiplayer video games, streaming videos services and Voice over IP (VoIP).

Aside 2:
What is a DoS (Denial of Service) attack?
In the context of a Cisco device mentioned above a DoS (Denial of Service) attack is the result of a person or an organization being without (not having the use of) a necessary service or device needed for them to do business or carry out a desired task. In this instance the Cisco device (but this could also be used in the context of another device from another vendor) would need to be powered off and on in order for it to resume its normal operation/function. This

The Cisco Unified MeetingPlace Web Conferencing application is vulnerable to specifically crafted HTTP requests being sent to it by an unauthenticated remote attacker. This attack will result in that attacker being able to then reset the password of authorized users of this application and thus gain full access to the application. No workarounds are available for this vulnerability but there are no known instances of this issue being publically exploited. Cisco discovered this flaw during internal testing.

The final security update delivered by Cisco affected the ASR 1000 Series Aggregation Services Routers. This issue is caused by the improper re-assembly of fragmented IPv4 or IPv6 packets which can be sent by an unauthenticated remote attacker. This type of attack is sometimes known as a Teardrop attack (where the fragment offsets of packets overlap and cause the device attempting to reassembling them to crash) resulting in a denial of service (DoS) condition i.e. your Cisco router no longer functions as expected. It would be necessary to power on/off to resolve this.

How Can I Protect Myself From These Issues?
If your company uses any of the above mentioned Cisco products, please follow the directions within the four Cisco security advisories mentioned at the beginning of this post to install the necessary security updates.

Thank you.

Sophos Report on Angler Exploit Kit

Update: 7th September 2015:
A recent report from Cisco discussed further in this article describes the increasing prevalence and success of the Angler exploit kit due to it quickly integrating newly disclosed security vulnerabilities, it’s use of domain shadowing and a delay in Adobe Flash users installing security updates.
Original Post:

With the recent disclosure of several Adobe Flash zero day (zero day, defined) security vulnerabilities which were quickly taken advantage of by attackers using malware exploit kits, it is becoming more important to know how to defend against these attacks.

This Sophos report provides a detailed analysis of how the exploit kits operate with a specific emphasis on the most prevalent exploit kit, the Angler exploit kit. At the end of the report, in the comments section Sophos describes the recommended actions to take to prevent such attacks occurring either by your website becoming compromised or the exploit kit attacking one of your computing devices. I have also highlighted these recommendations below (my thanks to Sophos for providing them):

  • Uninstall browser plugins such as Adobe Flash and/or Microsoft Silverlight if you don’t use them. However if you do make use of them, consider having more control over their usage (e.g. Click to Play, supported by all browsers except Internet Explorer).
  • Keep your operating system e.g. Linux, Apple Mac OS X or Windows and your most used programs up to date and install all security updates made available for them. I discuss updating/patching within the “Protecting Your PC” page.
  • Install anti-malware software. Both paid for and free versions are available (e.g. Malwarebytes, Avast, Microsoft Security Essentials etc.). Apple Mac OS X and Linux versions are also available (the provided links are examples of the many products available). Please choose a package that meets your needs in terms of functionality and price. Products which include heuristics (heuristics, defined) should have more success in preventing these attacks from infecting your devices.

Since the exploits delivered by these exploit kits seek to evade detection using obfuscation (further information on obfuscation techniques) and building unique exploits for each request received to access the exploit website makes the detection of these threats using anti-malware increasingly difficult. Anti-sandbox techniques (e.g. detecting virtual machines and tools such as Fiddler) are also used to make analysis of the exploit samples more difficult by malware researchers seeking to build detections against them.

In addition to the recommendation of using anti-malware software; for corporate environments the use of next-generation IPS (NGIPS) (Intrusion Prevention Systems, defined) can be used to detect these exploits as they attempt to attack your devices.

Within the Sophos report a technique is mentioned that was employed by the attackers using exploit kits to bring traffic to websites of their choice, this technique is known as DNS shadowing. This is a technique where a legitimate websites domain name (www-example.com) is used to create subdomains (e.g. random.malware.example.com or malware.example.com) that can then be used by the attackers. These subdomains have a very short life time (e.g. a matter of minutes) which makes them difficult to predict and block using blacklists (a list of IP addresses or domain names e.g. www-example.com that are blocked due to those addresses or domain sending spam or hosting malware (that is delivered to the visitors to such websites).

These subdomains can be created since the login credentials for the domain registration e.g. from companies such as GoDaddy have been compromised by the attackers. Since many website owners infrequently check these accounts it makes them more susceptible to being compromised without being noticed. These accounts initially become compromised by a phishing attack. As well as using the advice within the phishing article linked to above, as per Sophos’ advice the following would be recommendations to detect and prevent such occurrences of your domain registration account becoming compromised:

  1. Send email notifications after DNS changes: This will allow to take action to re-secure your account e.g. changing your password and/or enabling two-factor authentication.
  2. Implement two-factor authentication: This article explains how to enable this feature for GoDaddy accounts.

The above 3 suggestions from Sophos (in addition to the use of NGIPS for corporate environments) along with the advice concerning the protection of your domain registration accounts should you keep safe from this prevalent and sophisticated exploit kit.

Thank you.

Drupal Releases Security Updates for Open Semantic Framework (OSF)

The very popular website Content Management System (CMS) Drupal has released security updates to resolve 3 security issues within version 7 of their product when the Open Semantic Framework (OSF) module is installed.

One issue involves a Cross-site Scripting (XSS) that can be exploited by visiting a specifically crafted URL (a website link) but only when the OSF Ontology module is installed and enabled within your website.

The second issue can be exploited using a Cross Site Request Forgery (CSRF) attack that would allow the attack to obtain the privileges of the logged in Drupal user (which could be a Drupal administrator) to create new OSF datasets (most likely to contain false or misleading data). Only websites that have the OSF Import module installed and enabled could be vulnerable to this issue.

The final issue is present in both the OSF Import and Ontology modules mentioned above and could allow an attacker to delete any file of their choice from your Content Management System (CMS).

All 3 issues involve a user or an administrator of the Content Management System visiting a specifically crafted URL (a website link) to exploit these vulnerabilities. In order to reduce the risk of these issues being exploited (this should be used in conjunction with installing the necessary updates mentioned in the Drupal advisory) I would suggest using caution when clicking on any links in emails, instant messages or social networking posts when the links were received unexpectedly or the wording of such messages is suspicious. For shortened links, consider using a preview service to check the destination of the full link before visiting it. Links to preview services are available within the “Protecting Your PC” page of this blog.

Drupal users should upgrade to version 7.x-3.1 of the OSF module to resolve to these issues. Further information and steps to install the updates are available in the Drupal Security Advisory.

Thank you.