Daily Archives: August 19, 2015

Cisco Issues Guidance to Protect Against Rogue IOS Firmware Installation

Update: 20th September 2015: As discussed in a more recent blog post, attackers are now re-imaging Cisco networking devices with modified IOS firmware in order to take control of your networking equipment. These devices can then be used for possible further attacks within your network (among other malicious actions).

The first type of attack using this technique has been called “SYNful Knock”. Details including how to detect, mitigate and recover from this attack are provided in the blog post linked above.

Thank you.

Original Post:
Earlier this month Cisco issued a security bulletin to notify its customers of an evolution in the way that attackers compromise corporate networking devices. After obtaining access to the devices (either physical access or gaining administrative privileges by another means) an attacker can then utilize the standard means of field upgrading the built-in firmware of a device.

Why Should These Issues Be Considered Important?
With the attacker-modified version of the firmware installed on the Cisco networking devices the attackers can manipulate its behavior and settings. In addition, since the code is installed in the firmware of the device, it persists/survives a reboot of the device, which makes removal of the modified firmware far more difficult.

How Can I Protect Myself From These Issues?
Since no vulnerability is used to install unauthorized firmware updates, Cisco has provided extensive guidance within their security bulletin to harden the devices against this and other attacks. Please follow the guidance to harden your Cisco IOS devices against these more persistent attacks (advice on removing such threats if your firmware has already been compromised is also provided).

Thank you.

SAP Releases Security Updates for Mobile Platform

3 security issues (detailed below) were found by Onapsis Security and reported to SAP earlier this month in relation to SAP’s Mobile Platform, specifically version 3.0 SP5.

None of the issues are remotely exploitable, but if an attacker has access to the mobile device no further authentication would be needed for them to exploit these issues.

Why Should These Issues Be Considered Important?
All of the issues discussed below either make it easier for an attacker to retrieve the encrypted data or provide them with a fixed encryption key to brute force; if such an attempt succeeds, your encrypted data is no longer secure.

How Can I Protect Myself From These Issues?
SAP recommends implementing/installing the patches discussed within SAP Security Note 2094830. This note is also mentioned within this Onapsis blog post. Please note that a SAP Marketplace account is required to access the contents of this Security Note. An account can be created from this page.

If you are in any doubt or would like further advice, please contact SAP Support for more information.

Thank you.

Issue 1: SAP Mobile Platform DataVault Keystream Recovery:
This component is used to access encrypted data on mobile devices. Due to an implementation error it is possible to recover the keystream (defined) for the encrypted data. Thus it becomes possible to retrieve part of the unencrypted plaintext corresponding to encrypted data within the DataVault of the mobile device. There is also a limited possibility that an attacker could re-encrypt the data within the vault (potentially blocking access for the legitimate/original authorized person).

Having both the plaintext and the encrypted version of data will allow the use of a known plaintext attack (see Aside below for a definition).

Issue 2: SAP Mobile Platform Predictable Encryption Password for Configuration Values:

The password of the SAP DataVault is derived from the combination (more details below) of easily obtainable (plaintext, i.e. “in the clear”) values. This password is used to encrypt important configuration details of the SAP DataVault, e.g. the count of invalid attempts to unlock a secure store.

The password is a combination of a value stored in plaintext within the secured store and another fixed value. The salt value (a random value added to another value to make the encryption key unique each time a new key is created) is also a fixed value. These fixed values are the same for all installations of the SAP Mobile DataVault (this is similar to the static encryption keys discussed in a previous blog post).

Issue 3: SAP Mobile Platform DataVault Predictable Encryption Password for Secure Storage:

If no password or salt value is provided during the initial creation of the DataVault, the password and salt are then derived from a combination of fixed values and the ID number of the vault. This again results in a fixed encryption key used to secure the data within the vault.
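To make the consequence of Issues 2 and 3 concrete, here is an added Python example (not code from SAP, Onapsis or this blog) contrasting the weak derivation pattern described above with a hardened one. The "fixed value", "fixed salt" and "value stored in plaintext" are constructed placeholders; the real values used by the SAP Mobile DataVault are not on this page and are not needed to see the problem.

```python
import hashlib
import os
from typing import Optional, Tuple

# Constructed stand-ins for the constants the advisory describes. Because they
# are the same on every installation, anyone who reads the product can know them.
FIXED_VALUE = b"constructed-fixed-value"
FIXED_SALT = b"constructed-fixed-salt"
PLAINTEXT_STORED_VALUE = b"value-readable-in-the-store"


def weak_vault_key(vault_id: int) -> bytes:
    """Mimics the weak pattern: the password is built only from values that are
    constant or readable on the device, and the salt is constant too, so every
    installation with the same vault ID ends up with the same key. An attacker
    who can reach the store can simply recompute it; nothing here is secret."""
    password = PLAINTEXT_STORED_VALUE + FIXED_VALUE + str(vault_id).encode()
    return hashlib.pbkdf2_hmac("sha256", password, FIXED_SALT, 10_000, dklen=32)


def strong_vault_key(password: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened form: a user- or device-specific secret plus a random salt that is
    generated when the vault is created. The salt is returned so that it can be
    stored next to the vault; it does not have to be secret, only unpredictable,
    which is what makes a precomputed key useless across installations."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password, salt, 200_000, dklen=32)
    return key, salt


def same_key_on_two_installations(vault_id: int) -> bool:
    """True when two independent installations derive an identical key, i.e. the
    key is a function of public information only."""
    return weak_vault_key(vault_id) == weak_vault_key(vault_id)


if __name__ == "__main__":
    print("weak derivation collides across installations:", same_key_on_two_installations(7))
    k1, s1 = strong_vault_key(b"user-chosen-secret")
    k2, s2 = strong_vault_key(b"user-chosen-secret")
    print("strong derivation, same secret, different salts, keys differ:", k1 != k2)
```

The point the advisory makes is visible in the first function: with no unpredictable input, "key derivation" is just a deterministic computation anyone can repeat, and a stronger hash or more iterations do not help. The second function fixes it by introducing a secret and a per-vault random salt.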

What is a known plaintext attack?

This attack relies on recovering and analyzing a matching plaintext and ciphertext pair with the goal of deriving the key that was used. Techniques such as reverse engineering, frequency analysis (e.g. looking for the word “the”, usually the most common word in English text) and brute force attempts are used to carry out such an attack. Obtaining the key will allow you to decrypt ciphertexts encrypted with the same key.

Please note that encryption algorithms have defences against such attacks, e.g. using a fresh keystream for every message, initialization vectors (IVs), substitution and transposition (among others), usually making such attacks non-trivial.
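The keystream recovery in Issue 1 and the known plaintext definition above come together in the following added Python example (constructed for this post, not SAP's cipher or the researchers' code). It uses a toy counter-mode keystream built from HMAC-SHA256 so that it runs offline; the key, nonces and messages are constructed values. It shows why a keystream must never be reused: one known plaintext/ciphertext pair reveals the keystream, and that keystream then decrypts any other message that used it, whereas a fresh nonce per message gives an unrelated keystream and the recovered bytes are useless.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream (constructed for illustration). The same key
    and nonce always produce the same bytes; a different nonce produces bytes
    that are unrelated to the first stream."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption is plaintext XOR keystream."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """The known plaintext step: for any XOR stream cipher, ciphertext XOR
    plaintext gives back exactly the keystream bytes that were used. No key
    material is needed, only a message whose content is already known."""
    return xor_bytes(known_plaintext, ciphertext)


def apply_recovered_keystream(ks: bytes, other_ciphertext: bytes) -> bytes:
    """Applies a recovered keystream to another ciphertext. The result is the
    other message's plaintext only if that message was encrypted with the same
    keystream (same key and same nonce)."""
    n = min(len(ks), len(other_ciphertext))
    return xor_bytes(other_ciphertext[:n], ks[:n])


if __name__ == "__main__":
    key = b"constructed-32-byte-demo-key-000"
    known = b"known header: hello"
    secret = b"secret: 1234567890"
    # Failure mode: both messages share one fixed nonce, so one keystream is reused.
    ct_known = encrypt(key, b"fixed", known)
    ct_secret = encrypt(key, b"fixed", secret)
    ks = recover_keystream(known, ct_known)
    print("reused keystream exposes:", apply_recovered_keystream(ks, ct_secret))
    # Defence: a fresh nonce per message means the recovered keystream does not apply.
    ct_fresh = encrypt(key, b"fresh", secret)
    print("fresh nonce yields garbage:", apply_recovered_keystream(ks, ct_fresh))
```

Note that the attack recovers keystream bytes, not the key itself; that is enough when the keystream repeats, which is exactly the condition a fixed key with no IV (Issues 2 and 3) creates.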

Removing Conficker in 2015

In early August a research paper was published by a team of Dutch researchers trying to determine why more than 1 million computers worldwide are still infected with variants of the Conficker malware (otherwise known as Downadup) more than 6 years after it began spreading.

The reasons appear to be that the infections are present on systems that are no longer maintained or are embedded systems that cannot easily be accessed to carry out the removal of the malware. In addition, ISPs (Internet Service Providers) around the world have worked with their customers to remove this malware. However, while their efforts have paid off, the cleaned-up systems are usually not patched afterwards and they quickly become infected again.

The research paper also points out that 15% of the systems infected with GameOverZeus are also infected by Conficker. The security vulnerability (CVE-2008-4037, CVE defined) exploited by Conficker in order to propagate itself affects the following versions of Windows:

Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Service Pack 3
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Vista (32 bit and 64 bit) with or without Service Pack 1
Windows Server 2003 (32 and 64 bit) Service Pack 1 and Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2008 (32 bit and 64 bit)
Windows Server 2008 for Itanium-based Systems

This security vulnerability was resolved by Microsoft with this security bulletin.

In order to assist with removing this malware from any systems I would like to offer the following advice:

For single computers used for home or small business use (up to a maximum of 5 computers):

  • If you don’t wish to continue using your old computer:
    Back up your important data to external media, e.g. a USB jump/flash drive, an external hard disk or a recordable CD/DVD. Computers that can run the above mentioned older versions of Windows should still have all that you need to back up your data, e.g. USB ports and CD/DVD recording (burning) drives.
  • Responsibly dispose of your old computer and upgrade to a new computer. Follow the advice on the “Protecting Your PC” page to keep it free from malware.

If you want to continue using your old computer:

  • Disconnect the infected computer from the internet.
  • Use a malware-free computer (e.g. a friend’s or a computer at an internet café) to download the Conficker Removal tool from Symantec. Bring the tool to the infected computer using an external hard drive, USB jump/flash drive, or CD/DVD. Run the tool by double clicking it.

The tool will remove all traces of the infection from the computer. I tested this tool on a Windows XP SP3 computer (disconnected from the internet) and it took just over 5 minutes to complete a full scan of the system.

  • If you suspect any other malware may be present on the infected computer, I would suggest using another computer to download any of the following free tools and transfer those tools as described above to the infected computer. Complete a full system scan with any of these tools.

I tested all of these tools using a Windows XP SP3 system not connected to the internet. All tools were able to complete scans without the assistance of an internet connection:

Microsoft Safety Scanner
Sophos Virus Removal Tool
Malwarebytes Anti Malware (free edition)

For Malwarebytes, the included definitions dated from June 2015 since no internet connection was available. Updating using this MBAM rules tool appeared to succeed but had no effect. The Microsoft and Sophos tools did not have this limitation.

  • Once the computer is free of malware, ensure the Windows Firewall is turned on, then re-connect the computer to the internet.
  • Visit Microsoft Update (for Windows 2000, Windows XP and Server 2003 systems) to download and install all necessary security updates. Windows Vista and Windows Server 2008 systems can use the built-in Windows Update to download all necessary security updates.
  • Install anti-malware software that is compatible with your computer. Free and paid-for software products are listed on this page. Corporate anti-malware software is listed here. Contact the manufacturer/vendor of the software to check its compatibility with your version of Windows if you are purchasing a paid-for version. If an anti-malware product is not available for your version of Windows, disconnect the computer from the internet (to significantly reduce the possibility of malware infection) and consider purchasing a new computer sometime in the future at a time convenient to you.
  • If you wish, disconnect the computer from the internet (see the bullet point above about available anti-malware software). Continue using your computer as normal.

Update: 7th September 2015:
Please note that my suggestion to disconnect a Windows computer (that no longer receives security updates on a monthly basis) from the internet is an effective way to reduce its risk of infection; however, air-gapping (defined) a device is not a perfect solution.

If a device such as an external hard disk or USB flash/jump drive is connected to a computer not connected to the internet, it can still become infected if an infected file is present on this storage device and that file is transferred and loaded/opened on that computer.

To attempt to address some of the pitfalls of air-gapping I would recommend scanning all files that you intend to transfer using an up to date malware scanner, or using VirusTotal.com (only for single or a small number of files; don’t upload files that contain private/sensitive data), before using files on older Windows systems to minimize the risk of malware infection. The link referenced above referring to air-gapped systems includes further advice which you may or may not decide to implement.


For computers for small businesses or larger businesses (more than 5 computers):
While the above steps to remove malware can be applied to any number of computers, the process becomes tedious and time consuming when more than 5 computers are infected. I would recommend seeking the assistance of qualified corporate IT security companies in your locality to perform a malware clean-up. Such companies generally offer a network security assessment and can provide on-going assistance to keep your network safe from security threats.

US-CERT has written an in-depth, easy-to-follow guide with advice on how to remove the Conficker malware and prevent it from spreading further.

I hope that the above advice and resources are of assistance to you in removing the Conficker malware from any Windows devices that you may have.

Thank you.

Further Android Vulnerabilities Disclosed

IBM X-Force have disclosed a serious security vulnerability in Google Android, the popular smartphone operating system. The flaw was disclosed in their research paper and presented at the USENIX Woot ’15 conference in Washington D.C.

The flaw, known as the Android serialization vulnerability, affected Android versions 4.3 (codenamed Jelly Bean) to 5.1 (Lollipop) and the upcoming version of Android currently codenamed M Preview 1. It affects approximately 55% of current Android phones in use. It allows the execution of code of an attacker’s choice but can only be exploited if malware was installed on the victim’s device.

How does this flaw work?
To demonstrate the issue, the security researchers replaced a genuine app with a fake one which would allow them to obtain any sensitive data that was entered into that app. The fake app was designed to target the privileged system_server process of Android in order to use its SELinux profile to allow the app to carry out privileged actions.

The researchers scanned a large number of Android app classes (see “Aside” at the end of this post for a definition); one was found that met all of the following criteria:

  1. Is serializable;
  2. Contains a finalize method;
  3. Contains an attacker-controlled field.

This class, known as OpenSSLX509Certificate, contained a controllable pointer (which points to the code (tasks or actions) next to be carried out). Using this pointer the researchers were able to control which address in Android’s memory to point at. They were then able to change the contents of this memory space to contain code of their choice.

Next, they bypassed ASLR (defined) by using the fact that all apps and some services including this fake app inherit the same memory layout (the very thing that ASLR is designed to prevent) since the fake app is also forked from the Zygote process (an app launcher process).

Moreover, the researchers managed to have their app execute (carry out their intended actions) as follows:

Overwriting the callback function pointer and then triggering a call to that pointer. This allows control of the program counter (PC). (The program counter is a register within your CPU which always holds the memory location of the next instruction to be executed.)

Pointing the PC to a ROP (return oriented programming) gadget (both defined) and employing a stack pivoting technique. This ROP chain changes the memory space (mentioned above) so that it is able to run/execute code. The intended code is then placed within the memory space and executed.

Why Should This Issue Be Considered Important?
With the code of their choice placed in a location in memory that allows code to execute (carry out a set of actions), the researchers are able to carry out any or all of the following actions:

  • Load arbitrary kernel modules in devices with kernel compiled with CONFIG_MODULES (kernel modules run with the highest level of privilege and can carry out any action they choose);
  • Steal data from any apps (e.g., by exploiting Android KeyChain app, which is allowed to run shell commands and access data);
  • Change SELinux policy rules;
  • Replace the code (APKs) of arbitrary apps.

How Can I Protect Myself From This Issue?
Sophos provides easy to use advice to protect yourself from this issue. In short, your Android smartphone should receive a patch to resolve this issue. The IBM researchers worked with Google to develop a fix for this issue.

Please note that the IBM researchers also found security issues in numerous Software Development Kits (SDKs) used to create Android apps. They also worked with the creators of such SDKs to develop fixes for the issues found. Further information on these flaws is provided in their detailed blog post.

My thanks to these researchers for providing an in-depth explanation of both the serialization and SDK issues.

Google Admin App Sandbox Bypass
The Android serialization issue was not the only issue recently disclosed by security researchers. The Google Admin app which allows users to access their Google for Work accounts was also found to contain an issue that allows attackers access to the files being used by the Google Admin app.

How does this flaw work?
Apologies but this explanation is as short as I can make it while explaining what’s happening as we go along:

The Google Admin app does not handle file URLs (an example of such a URL would be file://test.txt) correctly. The Google Admin app, like other apps on Android, is sandboxed (isolated within a protected container with no direct means of communicating with other apps) from other apps. To enable apps to communicate for useful and legitimate purposes Android uses inter process communication (IPC).

One such app interface is called setup_url. This can be used by another app to create an intent (a description of the action that an app wishes to perform, full definition here). Using this intent the attacker sets the URI (Uniform Resource Identifier) passed in setup_url (mentioned above) to a file on the device that the attacker can write to (has write access to).

A function (see Aside below for a definition) within the Google Admin app will then load this file (which the attacker can write to) with the same permissions the Google app possesses, while the Google app renders (draws) the file/page in its WebView class (which enables it to display webpages, unsurprisingly!). The attacker can then add HTML code to this file and will then use an iframe (an HTML tag used to embed one file within the HTML file currently in use) to load the file again.

The penultimate action for the attack is to delete the file that they can write to and replace it with a symbolic link (a means of representing a link to a file or a folder in a simpler way, an example is given at the end of this forum thread and a further explanation in this Sophos blog post) to a file of the same name within the Google App’s protected sandbox.

Finally, after one second has passed, WebView will load the file within the sandbox. Since both the WebView and the WebView with the inserted iframe have the same URL (Uniform Resource Locator), the Same Origin Policy (a policy/rule that prevents code, usually JavaScript, from site A accessing private data belonging to site B) allows the WebView to query the contents of the WebView with the iframe (since the URLs are the same, the Same Origin Policy is not broken). Thus the HTML code added by the attacker can read the files within the iframe.
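The core of the issue above is that a path which was harmless when it was handed over is replaced by a symbolic link before it is actually opened. The following added Python example (constructed for this post, not the Google Admin app's code or the researchers' code) shows the defensive side of that pattern in a generic way: a containment check that resolves symlinks, and an open that refuses to follow a symlink at the moment of use, so that a swap between the check and the open is refused rather than read. The directory names, file contents and the one-second-later swap are all constructed.

```python
import os
import tempfile


def resolves_within(base_dir: str, path: str) -> bool:
    """Resolve symlinks on both sides and check containment: the final target of
    `path` must be inside `base_dir`. A symlink pointing into another app's
    private directory fails this check even though its own name looks fine."""
    real_base = os.path.realpath(base_dir)
    real_path = os.path.realpath(path)
    return real_path == real_base or real_path.startswith(real_base + os.sep)


def read_no_follow(path: str) -> bytes:
    """Open without following a symlink at the final path component. This is the
    check that matters at time of use: even if `path` passed a containment check
    earlier, a symlink swapped in since then makes this open fail (OSError)
    instead of silently reading whatever the link now points at."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as f:
        return f.read()


def demo() -> dict:
    """Constructed scenario: `sandbox/` stands in for the app's private storage,
    `shared/` for a location another app can write to."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        sandbox = os.path.join(root, "sandbox")
        shared = os.path.join(root, "shared")
        os.mkdir(sandbox)
        os.mkdir(shared)
        secret = os.path.join(sandbox, "secret.txt")
        page = os.path.join(shared, "page.html")
        with open(secret, "wb") as f:
            f.write(b"constructed private data")
        with open(page, "wb") as f:
            f.write(b"<html>benign</html>")

        # Step 1: the supplied path is a regular file inside the shared area.
        results["regular_file_within"] = resolves_within(shared, page)
        results["regular_file_read"] = read_no_follow(page)

        # Step 2: "one second later" the file is replaced by a symlink into the sandbox.
        os.remove(page)
        os.symlink(secret, page)
        results["symlink_within"] = resolves_within(shared, page)

        # A naive open follows the link and leaks the private file.
        with open(page, "rb") as f:
            results["naive_open_leaks"] = f.read() == b"constructed private data"

        # The no-follow open refuses the link at the moment of use.
        try:
            read_no_follow(page)
            results["nofollow_refused"] = False
        except OSError:
            results["nofollow_refused"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The lesson is that a containment check alone is not enough when the attacker controls the file between check and use; the open itself must refuse to follow links (or the content should be copied into app-private storage before it is rendered). On Android the equivalent mitigations are to not load untrusted file:// URLs into a WebView at all and to disable file access in the WebView settings.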

Why Should This Issue Be Considered Important?
A malicious app installed on your Android device could read any data within any file contained in the normally inaccessible sandbox (protected storage area) of the Google Admin app.

How Can I Protect Myself From This Issue?
Please ensure that you have the latest version of the Google Admin app as described in this Sophos blog post since Google has addressed the above issue in this update.

What is a class?

In the context of computer programming a class is a set of variables (containers that store single values). The variables can be of different types, e.g. integer and float (to represent floating point numbers, e.g. 1.25). A class also contains one or more functions.

Functions allow a class to do something, e.g. a class named Car would contain functions for accelerate, brake, park etc. A class allows a programmer to create an object which contains all of these variables and functions ready to use.

Blog Post Shout Out

With data breaches becoming more common, e.g. the compromise of the US Office of Personnel Management (OPM) and Carphone Warehouse as well as the notorious compromise of the retailer Target last year, it’s prudent to take steps to protect corporate/customer data from compromise.

I wanted to respectfully provide a shout out for the following 2 blog posts which provide practical, actionable advice on more thoroughly securing corporate data:

Sysadmins who fail to change default configurations, leave petabytes of data at risk by Graham Cluley

The Top Ways Cybercriminals Infiltrate Retailers’ Systems and Steal Customer Data by Kevin Beaver (IBM)

I hope that you find these posts useful. Thank you.

Microsoft Releases Out of Band Internet Explorer Security Update

Yesterday Microsoft released an unscheduled security update for Internet Explorer to resolve 1 critical CVE. At this time, no Known Issues are listed for this update within the revised Security Bulletin Summary page. I have installed this update on multiple Windows 8.1 64 bit and Windows 7 64 bit systems with no issues. If Internet Explorer is not open/running, a restart should not be needed (after closing IE on my systems, no restart was needed to complete the installation of the update).

If you need more time to test and install the patch you can use Microsoft EMET to mitigate the exploitation of the memory corruption vulnerability that this security update resolves before later installing the update (no other workarounds are available).

Microsoft Edge included with Windows 10 is not affected by this security issue but the update will be offered to Windows 10 users since Internet Explorer is still part of Windows 10 (for compatibility reasons).

Users of Windows Server 2012 R2 and Windows 8.1 may notice a second update (KB3089023) is being offered by Windows Update. This update is not a security update but an update of Adobe Flash Player to correct a possible error message that you may encounter under certain circumstances.

Please install the security update as soon as possible since it addresses a zero day vulnerability (defined) and, as mentioned in the security bulletin, exploitation of this vulnerability is taking place.

Thank you.