Daily Archives: September 20, 2015

Cisco Networking Devices Compromised by SYNful Knock Attack

Update: 23rd September 2015:
The 2 blog posts mentioned below that were written by FireEye found that the SYNful Knock had affected at least 14 routers in countries such as Mexico, Ukraine, India, and the Philippines. However joint research carried out by Cisco and Shadowserver has shown that 199 unique IP addresses are exhibiting SYNful Knock behavior.

ShadowServer’s result are shown within this blog post (which contains further advice on how to prevent this attack affecting your Cisco routers). They intend to keep these statistics updated as time progresses.

In addition, Cisco has created a page regarding SYNful Knock containing useful resources on how to detect and prevent this attack. Their blog post also mentions a Snort Rule (an IPS (defined)) which can be used to detect this attack.

I hope that above additional resources are useful to you in protecting/remediating your network.
Thank you.

Original Post:
Last week a series of blog posts were published by FireEye which provide in-depth technical details of an attack named “SYNful Knock”.

In a previous blog post I mentioned that Cisco had released security updates to address an issue that would allow an attacker to install a compromised/tampered with version of the Cisco IOS operating system on Cisco networking devices. SYNful Knock is a very similar attack that carries out those actions to replace the legitimate Cisco IOS with one that can be completely controlled by the attacker by their inclusion of a backdoor (defined).

Why Should This Issue Be Considered Serious?
The exact purpose of this attack is not clear but the result of replacing the legitimate Cisco IOS with a version controlled by an attacker will allow them to conduct surveillance on the data passing through the network device, control all functions/settings of the device as well as using these devices as highly stealthy “beachheads” with which to launch further attacks. Attackers can also direct legitimate users to spoofed websites, carry out data theft and/or denial of service attacks (defined) since your routers could be made to no longer carry out their role/function.

In addition, due to the above mentioned stealthy nature of this attack, it is more difficult than usual to detect whether your Cisco networking devices have been compromised. As noted in this article, Tony Lee of FireEye mentions that this attack is not likely to be the first and only time the Cisco IOS is modified in a stealthy manner and that very similar attacks and more sophisticated attacks are likely to occur in the future.

Moreover this attack affects multiple Cisco networking devices, specifically:

Cisco 1841 router
Cisco 2811 router
Cisco 3825 router

As noted by FireEye, it is very likely that further devices are vulnerable to this attack due to similarities throughout Cisco’s networking devices and since they share the same IOS operating system.

How Can I Protect Myself From This Issue?
FireEye have dedicated a blog post detailing methods used to detect if your Cisco devices are compromised.

If this is the case, they recommend re-imaging your Cisco device with a clean IOS image obtained from Cisco. You can verify that the image is clean “as intended” by checking that the hash value (defined) from Cisco matches the hash value of the image that you have downloaded.

Furthermore FireEye recommend hardening your devices against future attacks of this nature.

Most importantly as noted by FireEye make sure that if you have to re-image a router that it’s settings are customized to meet your needs and that default usernames and passwords are not used.

Finally, it is believed that this attack occurs due to compromised credentials (username and password) being used to initially access the router to carry out the attack or that the credentials are left at the default settings. However as again noted by FireEye if you know that your router did not use default credentials you may need to begin sweeping every device on your network looking for signs of compromise since the attack will most likely have already come from a compromised system/device within your network.

The Mitigation section of FireEye’s second blog post provides a link to a whitepaper to share among your incident response team should a network sweep become necessary.

Thank you.

Cisco Releases Multiple Security Updates

Last week Cisco issued security updates for the following products:

  • Cisco Prime Collaboration Assurance: This software assists with the maintenance and installation of Cisco Unified Communications and Cisco TelePresence components as well as the provisioning of users and services.
  • Cisco Prime Collaboration Provisioning Web Framework: Part of the above mentioned software
  • Cisco TelePresence Server: This product provides video conferencing and interacts with Cisco Unified Communications Manager and other Cisco products.

These updates address elevation of privilege and remote code execution vulnerabilities in the above products.

Why Should These Issues Be Considered Important?
In the case of the issues with Prime Collaboration Assurance and Prime Collaboration Provisioning Web Framework the vulnerabilities could be exploited by an attacker who already has access to your network (e.g. using an earlier phishing attack (defined) or brute forcing (defined) a password) sending a specifically crafted URL (defined) to the affected system with the software installed.

The vulnerabilities within Prime Collaboration Assurance will allow the attacker to perform actions as an administrator for any customer managed by the system. For the Prime Collaboration Provisioning Web Framework the vulnerability would allow the attacker to create a new user account with administrator privileges and then access/manipulate any data they choose.

Finally, the most serious vulnerability being addressed is a buffer overflow vulnerability (defined) in Cisco TelePresence Server could allow a remote attacker to cause your server to crash (a denial of service attack (defined)) by sending a specially crafted URL to the system.

In addition for all of these vulnerabilities, no workarounds are available for them. Thankfully at this time Cisco is not aware of any of these flaws being used to attack customers.

How Can I Protect Myself From These Issues?
If your company makes use of either the above management software of video conferencing server, please follow the directions within the Cisco security advisories below to install the necessary updates:

Multiple Vulnerabilities in Cisco Prime Collaboration Assurance
Cisco Prime Collaboration Provisioning Web Framework Access Controls Bypass Vulnerability
Cisco TelePresence Server Denial of Service Vulnerability

Thank you.

Schneider Electric Releases Critical Security Update

Last week, the Schneider Electric Corporation released a critical security update to address 1 critical CVE (defined) within their StruxureWare Building Expert automation system.

The critical issue is due to the fact that when a user is logging into the system, their credentials (username and password) are sent unencrypted to the system over the network connection between your device (the client device) and the system (the server). It is unclear from Schneider’s advisory by what means an attacker can discover the plaintext credentials (i.e. unencrypted user credentials (e.g. username and password)) but it is very likely by using a man-in-the-middle (MITM) (defined) attack or simply by having access to the client device and monitoring it’s network traffic.

Why Should This Issue Be Considered Important?
Since an attacker can potentially login in this automation system using the same credentials that you would, they can perform any action they wish which in the worst case scenario will be obtaining total control over the system.

In addition, there are no workarounds for this issue but Schneider are unaware of this issue being used to attack customers. This issue was responsibly disclosed (defined) to them by an independent security researcher, Artyom Kurbatov.

How Can I Protect Myself From This Issue?
Schneider have released an update to this automation system bring it to version 2.15. All versions previous to this are vulnerable to this issue. Please follow the directions within this ICS-CERT security advisory which also references the advisory from Schneider (PDF) for this issue to install the necessary update.

As mentioned in the ICS-CERT advisory if you are unsure about the risks of upgrading the firmware of your building management system, please contact your account manager or Schneider Technical Support for assistance.

Thank you.

Google Addresses Android Lockscreen Issue

Earlier this month Google released a security update to address 8 CVEs (defined) (2x critical severity, 4x high, 1x moderate, 1x low) within the Android smartphone operating system.

Among these issues was an Android lockscreen bypass. This issue involved entering a very large number of characters into the password prompt of the Android lockscreen when the Camera app is also open.

How Severe Is This Issue?
Google assigned it a moderate severity since it is an easy but tedious process to exploit this bug. In addition, this issue is only present if you are using a password to protect the lockscreen of your Android smartphone. More common methods of entering a PIN or using a pattern lock do not appear to be affected by this issue.

Moreover once exploited the attack will only have access to the apps on the home screen, they don’t obtain access to soft buttons or the keyboard. The security researcher who reported this issue to Google used Android Debug Bridge (adb) to access any data on the phone once it was in this partially unlocked state. Further discussion of this issue is provided in this Sophos blog post.

How Can I Protect Myself From This Issue?
Google released an over the air security update for its Nexus devices to fix this lockscreen (as well as other security issues). Please ensure that your Android device is running version 5.x (build LMY48M or later) to resolve this and the other security issues.

If your mobile carrier has not yet issued this update to your Android phone, please consider contacting them to check when this update will be issued to you and if possible find out how they plan on updating your phone each month as Google make updates available.

Thank you.