Daily Archives: September 7, 2015

ISC Releases Security Updates for BIND (September 2015)

Last week the Internet Systems Consortium (ISC) released security updates to resolve 2 critical denial of service (defined) CVEs (defined) in its BIND DNS server software.

The first vulnerability is caused by incorrect boundary checking within the OpenPGP key module of the server. Such boundary checks are usually carried out to prevent buffer overflow attacks (defined). If an attacker can supply a specifically crafted response to a query from the server; such a response would cause a REQUIRE assertion failure which in turn causes BIND to exit. Assert functions are generally used in software code to trigger a program to halt when certain conditions occur.

According to ISC, this issue has no workarounds or known mitigations. The only solution is to install the updates to BIND as mentioned in this security advisory.

The final security update resolves an issue that is almost identical to the issue discussed in a previous blog post. As before if an attacker can send a malformed DNSSEC key by sending a query to the BIND server that requires the server to obtain a response from a DNS zone (the area in which a DNS server has authority for, defined here) containing this malformed key. In a similar manner to the first flaw (discussed above) attempting to parse (analyze data in a structured manner in order to create meaning from it) this malformed key will cause the server to halt due to an assertion and thus will not be able to carry out its role as a DNS server. While a workaround is available, it has a drawback and therefore it’s recommended to install the applicable security update rather than use this workaround.

Why Are These Issues Considered Critical?
As was previously seen with the last set of updates for BIND, these security issues when exploited can result in the BIND software being unavailable for use. For any device that uses your server for DNS services, those devices will no longer be able to access websites, other intranet resources or use email.

How Can I Protect Myself From These Issues?
If you use BIND (it is included with some Linux distributions e.g. Ubuntu, Redhat etc.) to provide any DNS services within your company or you know anybody who may be affected by these issues, please follow the advice in ISC’s security advisories to install the necessary updates to resolve these issues:

CVE-2015-5722: Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c
CVE-2015-5986: An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c

Thank you.

Siemens Issues Security Updates for SIMATIC HMI Devices and Software

In late August a set of security updates was made available by Siemens for its SIMATIC HMI devices, SIMATIC WinCC Runtime Advanced software, SIMATIC WinCC v7 software and SIMATIC NET PC-Software V12 and V13.

The HMI (Human Machine Interface) devices allow a user to easily interface with industrial control and supervisory control and data acquisition (SCADA) systems via widescreen displays and multi-touch devices. The SIMATIC WinCC Runtime Advanced and Professional software provide this capability. The SIMATIC NET PC-Software is required for communication between a controller (SIMATIC S7 controller) and PC-based solutions (e.g., SIMATIC WinCC).

These updates address 3 remotely exploitable CVEs (defined) which include resource exhaustion (defined), a man-in-the-middle (MITM) attack (defined) and password-hashing (defined) implementation flaws.

The resource exhaustion vulnerability could be exploited by an attacker if they were located on the network connection between an HMI panel and a PLC (i.e. a man-in-the-middle (MITM) attack) and they could send network packets to the HMI over TCP port 102. Such specifically crafted packets would result in a denial of service (defined) issue for these devices.

The separate man in the middle category of attack mentioned above involves a similar means of attack but this time the attacker is located between the PLCs and their communication partners allowing the attacker to both intercept the packets between these devices and to modify them.

Finally the password hashing vulnerability involves the attacker using the password hashes obtained through another means to grant themselves the same usage rights as the rightful users of those passwords to access SIMATIC WinCC and SIMATIC PCS 7 software.

Why Should These Issues Be Considered Important?
Using these vulnerabilities remote attackers could cause denial of service issues to the above mentioned Siemens devices and/or obtaining the permissions of legitimate users of the SIMATIC WinCC and SIMATIC PCS 7 software used to monitor and control these devices. With the large industrial systems these devices control/operate these flaws can have serious physical consequences (see the notable example mentioned below).

How Can I Protect Myself From These Issues?
Please follow the instructions within this ICS CERT security advisory (specifically the Mitigation section) to update any affected industrial Siemens products that you may be using.

One interesting aspect about these flaws is that the above mentioned Siemens HMI devices are in use by the well-known Large Hadron Collider located underground near Geneva, Switzerland and operated by the European Organization for Nuclear Research (CERN). This underlines the important functions that these devices control whether it be the Hadron Collider or your nearest power station.

Thank you.

Linux Foundation Issues Security Checklist for Sys Admins

The Linux Foundation recently made available a set of best security practices specifically aimed at Linux system administrators to assist them with protecting the systems they are responsible for from compromise.

The advice is divided into 4 severity levels categories: low, moderate, critical, and paranoid. The list of recommendations should help you better defend any Linux systems that you administer in your corporate environment and can be used to supplement your existing defences/procedures.

I hope that you find this list useful. The checklist can be viewed here. Further advice on hardening Linux workstations is provided at the end of a previous blog post

Thank you.

Cisco Issues Security Updates for Network Management Appliances

Last week Cisco issued security updates for the following 2 network management systems:

  • Cisco IMC Supervisor prior to software version 1.0.0.1
  • Cisco UCS Director (formally known as Cloupia Unified Infrastructure Controller) prior to software version 5.2.0.1

The updates address a single security issue that could allow an unauthenticated remote attacker to overwrite key system files which would result in the systems becoming unstable and thus unable to perform their responsibilities. Such unavailability could be called a DoS (Denial of Service) attack (Denial of Service, defined). This issue is caused by the incorrect validation of input passed to JavaServer Pages (JSP) within the above management systems. An attacker could take advantage of this fact by sending specifically crafted HTTP requests to these network management systems.

No workarounds are available for this vulnerability but there are no known instances of this issue being publically exploited. Cisco discovered this flaw during internal testing.

How Can I Protect Myself From This Issue?
If your company makes use of either of the above network management systems from Cisco, please follow the directions within this Cisco security advisory to install the necessary security updates.

Thank you.

Belkin N600 DB Wireless Dual Band N+ Router Contains Unpatched Security Issues

A particular model of consumer/home user broadband router/wireless access point from Belkin has been found to be vulnerable to a set of security issues that can have potentially serious consequences.

The Belkin N600 DB Wireless Dual Band N+ router model F9K1102 v2 with firmware version 2.10.17 and possibly earlier are affected.

There are 5 sets of issues (4 of which have been assigned CVEs, defined):

Use of Insufficiently Random Values – CVE-2015-5987: This issue would allow an attacker to spoof Belkin’s firmware update servers and to connect to any device (server, computer etc.) an attacker chooses.

Cleartext Transmission of Sensitive Information: This issue is somewhat related to the above issue since firmware update requests could be intercepted thus allowing an attacker to substitute a firmware update with an update of their choice or prevent firmware updates from taking place. An attacker would first have to be able to conduct a man in the middle (MITM) attack (MITM, defined) first for these malicious capabilities to become available to them.

Use of Client-Side Authentication – CVE-2015-5989: Due to the means of how the router checks if a legitimate user of the router is logged in, these values can be manually manipulated to allow an attacker to log into the administration interface (a webpage shown to the user to allow them to change the settings of the router) of the router with the same permissions as the legitimate user. The attacker would already need access to your local area network (LAN) (the network within your home) to carry out this method of attack. Carrying out this attack remotely would not be possible.

Cross-Site Request Forgery (CSRF) – CVE-2015-5990: If the owner/user of the router is logged into the administrative interface of the router and clicks on a link (within another browser tab) or accesses a website of the attacker’s choice the attacker will obtain the same permissions as the legitimate user. This is known as a Cross-Site Request Forgery (CSRF) attack (CSRF, defined here and here). If the issue mentioned below is also present (namely no password set by the user to access the admin interface) the attacker would not need for the user to be already logged in to use this attack against the legitimate user.

Credentials Management – CVE-2015-5988: If an attacker already has access to your home network they can access the admin interface of the router if the default configuration of the router has not been changed, namely if no password has been set.

Why Should These Issues Be Considered Important?
If an attacker can obtain full access to your router, they can change any setting they wish e.g. the DNS settings (as discussed in a previous post), disconnect you and other legitimate users from your own internet connection and have the possibility of installing rogue firmware onto your router.

While only one issue (Use of Insufficiently Random Values) can be exploited remotely with the remaining issues requiring access to your network or a man in the middle (MITM) connection these issues should still be considered serious since they have the potential to take control of your router away from you and denying access to your internet connection. The devices you have connected to the router may also visit websites that you didn’t intend (due to the DNS settings being changed as mentioned above).

How Can I Protect Myself From These Issues?
While Belkin has not released a firmware update to resolve these issue and may choose not to do so, I would recommend following the advice provided in this CERT advisory. Essentially not allowing untrusted users to access your home network and having strong passwords for your Wireless LAN key and password for the routers admin interface.

If you are an owner of this router or know someone who is, I hope that the above advice is useful to you in preventing any malicious user from using these issues against you or someone you know.

Thank you.

Web Browser Vendors Agree on End of Support for RC4

Update: 13th September 2016:
Microsoft have since disabled support for the RC4 algorithm in August 2016. They were the final major browser vendor to remove support. I very much welcome this change.

Thank you.

Update: 15th April 2016:
The Microsoft blog post mentioned below has now been updated to include that the RC4 algorithm will now not be disabled in the Microsoft security updates for April 2016 that have now have arrived. No further timelines/deadlines were provided.

In my opinion, I hope that this algorithm is disabled sooner rather than later after it was first considered to no longer be secure enough for use in 2013 it’s removal from active service has already taken too long.

Thank you.

Update: 1st April 2016:
Microsoft in a blog post published in March announced that they would be dropping support for RC4 within Edge and Internet Explorer 11 when the security updates for these products are released on the 12th of April. Within that post Microsoft provide a reference/advice for website administrators to migrate from RC4.

Thank you.

Update: 26th January 2016:
As mentioned within a separate blog post, as scheduled Mozilla removed support for the RC4 algorithm with their release of Firefox 44. Further details are available within that blog post.

Thank you.

Update: 10th January 2016:
Last month when Google made available the beta version of Google Chrome 48; the release notes (see the “Minor changes” section at the end of that post) mentioned that the RC4 cipher would no longer be supported going forward. This fact was reiterated in a later blog post in December announcing the gradual phasing out of SHA-1. This also aligns with Mozilla and Microsoft’s timeline of early 2016.

Further update: On the 20th of January Google made available Chrome version 48 via their Stable release channel making the removal of the RC4 algorithm available to a much wider audience.

Thank you.

=======================
Original Post:
=======================
Early last week 3 of the top browser vendors, Mozilla, Google and Microsoft announced their joint plans to remove support for the RC4 encryption algorithm used to secure some HTTPS websites in early 2016.

Mozilla currently plans to release Firefox 44 in late January 2016 with Google and Microsoft following suit in February.

Why Is This Change Significant?
As mentioned in Google’s discussion, RC4 is a 28 year old encryption algorithm that has successfully secured connections between servers and client devices during that time. However as I mentioned in a previous blog post and which Google references the same research paper as example 2 (among others), an increasing number of attacks are becoming possible on RC4. Google also mentions the IEFT’s decision stating that RC4 should no longer be used. Since the use of RC4 puts the information that it is attempting to secure at potential (but growing) risk RC4 should no longer be considered fit for purpose. Further background on this upcoming changes is provided in this InfoWorld blog post.

What Can I Do To Prepare For This Change?
For server/website operators, Google and Microsoft make suggestions for upgrading to newer cipher suites.

For web browser users, simply continue to keep your preferred web browser up to date to receive these changes in early 2016.

Update: 24th September 2015: Google have provided more advice and information regarding their transition away from RC4 and SSL v3 in this blog post.

Update: 7th February 2016:
In early 2013 Qualys published a thorough blog post with recommendations on transitioning from RC4.

I hope that the above advice/notice is helpful in preparing for this upcoming change.

Thank you.