Daily Archives: November 10, 2015

November 2015 Security Updates Summary

Earlier today Microsoft issued 12 security bulletins to address 53 CVEs (defined). As always further details are available within their Security Bulletin Summary.

At the time of writing there were a number of bulletins that have Known Issues associated with them (as mentioned in the Security Bulletin Summary), they are:

====================
MS15-121: Security update for Schannel to address spoofing: This knowledge base article mentions that any custom providers for SChannel will no longer work after this update is installed. Microsoft advises working with the vendor of such custom providers to update them.

MS15-123: Skype for Business November 2015 cumulative update (kb3108096): Issues with instant messages not being received and loss of video when joining a meeting are mentioned. There is a workaround for the latter issue.

MS15-115: Description of the security update for Windows: While this update is listed as having Known Issues none are currently present within the above linked to knowledge base article.

MS15-122: Description of the security update for Windows Kerberos: While this update is listed as having Known Issues none are currently present within the above linked to knowledge base article.

====================
Update: 13th November 2015:
An additional workaround for the remaining Known Issue that occurs after installing MS15-123: Skype for Business November 2015 cumulative update (mentioned above) is not available from this link.

Moreover, MS15-115: Security update for Windows was re-published on the 11th of November due to issues causing Microsoft Outlook to crash or being unable to log into Windows after installing this update. According to the aforementioned link, these issues should now be resolved.
====================

Microsoft also issued a security advisory for Windows Hyper-V to address 2 CVEs with Important severity that could lead to a denial of service issue (defined). Please add this update to your Patch To-Do List if you make use of this software.

At this time, the IT Pro Patch Tuesday blog does not mention any known issues, it may be updated at a later stage.

Adobe issued updates to Flash Player and Adobe AIR, its application runtime to resolve 17 critical CVEs. Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). Users of Google Chrome have received (I have confirmed this); this Flash update within this Chrome update. Microsoft has announced the availability of their Flash update by updating this security advisory for users of Internet Explorer 10, 11 and Microsoft Edge installed on Windows 8.0, 8.1 and Windows 10 (respectively).

You can monitor the availability of security updates for the majority of your software from the following website (among others) or use Secunia PSI:

—————-
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the Protecting Your PC page):
https://www.us-cert.gov/
—————-

If you use any of the above software, please install the appropriate updates as soon as possible.
Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

I would recommend installing the update to Adobe Flash Player first if you make use of this web browser plugin. Their update addresses 17 critical security issues which may be exploited by exploit kits (defined) within a short timeframe.

If you wish to prioritize the deployment of the Microsoft security updates, I would recommend an installation order of Security Update for Windows; Internet Explorer, Windows Journal, Microsoft Office and Microsoft Edge due to their severity (successful exploitation results in remote code execution; namely allowing a remote attacker to carry out any action of their choice). After installing these updates, install any remaining applicable Microsoft security updates.

=======================
Update: 17th November 2015:
If your organization uses Windows BitLocker you may wish to prioritize the installation of the Security Update for Kerberos (MS15-122) since it addresses a potentially severe authentication bypass vulnerability that could lead to the data on your BitLocker encrypted devices being much more easily obtained by an attacker. Further details are available in a more recent blog post.
=======================

One other security pre-caution that you may wish to take if you have Microsoft EMET installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of July’s Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

SAP Releases Security Updates for HANA Database November 2015

Yesterday the security firm Onapsis issued 21 security advisories (detailing 22 security issues) for SAP’s HANA database. As mentioned in previous blog posts, this a database that is stored in RAM (computer memory) for very fast performance (although the database is periodically written to a hard disk for the purpose of recovery checkpoints)).

All 22 issues are remotely exploitable with only 1 requiring an attacker to be already authenticated (logged into) into the database.

Why Should These Issues Be Considered Important?
The severity of the security issues disclosed can be summarized as follows:

9x critical issues: These issues could allow an unauthenticated remote attacker to take any action they wish with any of your business information stored within your HANA database. The attacker could also shut down the database.

6x high risk issues: Such issues could allow an attacker to access sensitive business information or conduct a DoS (denial of service)(defined) attack on your database since the database would be in an unusable state until restarted as a result of exploiting these issues.

7x medium risk issues: These issues could allow an attacker to obtain the values of environmental variables used within the HANA database, create directories (folders) of their choice, create files of their choice, lists the files within database and access sensitive information.

As noted by Onapsis in their analysis within this blog post the critical issues mentioned above are some of the most severe they have encountered since they allow the attacker unprecedented access to your database.

How Can I Protect Myself From These Issues?
To address the flaws within SAP HANA it is recommended to refer to the security advisories mentioned in this Onapsis blog post. Those 21 downloadable PDF advisories contain the necessary links to obtain patches from SAP for these issues.

In addition, Onapsis has published the first in a series of blog posts focused on improving the security of SAP HANA installations. They provide best practice advice for the configuration of this database as well as user privileges etc.

If you are in any doubt or would like further advice, please contact SAP Support for more information.

Thank you.

Preventing A CryptoWall v4 Ransomware Infection

Update: 10th January 2016:
In addition to the information/advice in this blog post; a more recent blog post also discusses a new type of ransomware threat and how to protect yourself against it

Thank you.

=======================
Original Post:
=======================
Early last week the technical support website BleepingComputer announced the discovery of a new version of the well-known CryptoWall ransomware.

Why Should I Be Concerned About This Malware?
As was previously mentioned in my post concerning ransomware, such malware infections encrypt your important files usually making them irretrievable. However, this new version of ransomware also encrypts the files names of the files that it encrypts making it hard to tell just what files you have lost since the names are now replaced with random characters. This also means that you will be unable to carry out a forensic data recovery of the encrypted files.

This means that you will be unable to recover any files that have been encrypted unless the ransom is paid (which I do not recommend doing, for the reasons given in my previous ransomware blog post). Some strains of ransomware had implementation in their encryption methods. This version of CrypytoWall doesn’t.

How Can I Protect Myself From This Malware?
As well as following the advice in my previous post on ransomware to prevent an infection, for this version of CryptoWall the most important action that I would recommend taking is a full backup of your most critical data (business and/or personal) and at least one such backup should not be connected to your computer (if it’s connected at the time the malware infects your computer, your backup could also be encrypted). In addition, test that you can restore any data that you wish from your backup before such a malware infection occurs.

Moreover, be very cautious of any attachment received within an email from people you know or from a company (well known or otherwise) stating that they have a delivery confirmation, a business document or an invoice for you to view. This malware can be installed when such documents are viewed. Furthermore ransomware infections can originate from phishing (defined) emails.

Finally, this thread on the BleepingComputer website can be used to discuss this infection or to receive support if you have been affected by it.

Thank you.

NTP Project Releases Security Update

In late October the NTP Project; the maintainers of the Network Time Protocol (NTP)(defined) issued a security update to resolve 13 medium and low CVEs (defined) in this commonly used protocol. This update brings the version of NTP to 4.2.8p4.

Why Should These Issues Be Considered Important?
3 of the issues addressed by this security update were discovered and responsibly disclosed (defined) to NTP by 4 researchers from Boston University. Their research is described in this paper.

The first issue involves the use of a Kiss-of-Death packet that is normally used to prevent a client device (e.g. a desktop or laptop computer etc.) from repeatedly requesting the correct time from an NTP server when the client device may be experiencing technical issues. This prevents the NTP server becoming inadvertently overloaded. An attacker can exploit this issue by sending a Kiss-Of-Death packet to a victim device from any location (what is known as an off-path attack). This packet depending on the poll value within it has the potential to prevent that victim device from correctly setting it’s clock for a year or more.

The second issue resolved is very similar but involves the attacker sending a large number of queries requesting the correct time to the NTP server. These queries have been spoofed to look like they came from the victim device. The server then responds to the victim device with the above mentioned Kiss-Of-Death packet again disabling the victim devices means of updating it’s clock. This issue could be exploited if the first issue mentioned above has already been patched on the time server. This results in the victim device experiencing a denial of service issue (defined) since it can no longer set it’s clock due to no fault of it’s own.

The third and final issue requires that the attacker be positioned in a man-in-the-middle (defined) position between the client and the server which could allow the attacker to roll back the time on the victim device that bypasses the 16-minute threshold that is usually imposed to prevent a server from setting a client devices clock more than 16 minutes from the actual correct time.

If a device has its clock set to an inaccurate time that differs too much from the correct time it can cause that device to no longer be able to carry out actions that primarily use correct time to function properly. The use of timestamps is primarily employed in cryptography to prevent replay attacks (defined) or to determine if a digital certificate is still valid (among other purposes). For the full details of how features such as TLS (defined here and here), DNSSEC (defined), DNS (defined) (among others) as well as the online cryptocurrency Bitcoin can be affected as a result of these issues please refer to page 2 and 3 of the above mentioned paper.

Since the above features (among others) rely on a device having an accurately set clock and given that an attacker can exploit these 3 issues relatively easily these issues should be patched as soon as possible.

How Can I Protect Myself from These Issues?
NTP is available for most operating systems primarily Linux and Mac OS X (however versions for Windows also exist). In addition, almost any device can request the correct time from an NTP server and thus could be affected by these issues even if NTP is not installed on the device (but would need to be installed on the server).

Full details of these issues are provided by the NTP project on this page (see the October 2015 entry). Updated versions of NTP are available from this page. For Linux systems the relevant updates can also be obtained via the Package Manager bundled with your Linux distribution (see this link (Debian) and this link (Ubuntu) that should assist you in using the package manager for your distribution of Linux). Apple usually update NTP via their App Store and Software Update, details are available on this page.

In addition, recommendations to more thoroughly protect against all of the flaws discussed in the above mentioned research paper are provided on this page.

Thank you.

Xen Project Patches 7 Year Old Critical Security Vulnerability

In late October the Xen Project who is the maintainer of its very popular Xen Project virtualization software (defined) released a series of security advisories to resolve 9 security issues (consisting of 8 CVEs (defined)) within their software. The most serious of which (described in this advisory) has been present within the software for the last 7 years (but went undetected during that time).

Why Should These Issues Be Considered Important?
The most serious issue which affects version 3.4 (onwards) of the Xen Project involved how a guest server (namely a server which only exists in software rather than a physical device enabling multiple servers to exist on a single physical server) accesses the memory of the physical server within which it resides. This was due to code that validates access to the page table (see page 10 and 11 of this PDF for a definition of a level 2 table specific to this vulnerability. This slide deck explains the more general concept) being bypassed under certain conditions meaning that the guest server (if under the control of an attacker or malware) could have escalated it’s privileges to completely control the physical server.

The remaining 8 security issues could also cause a severe impact to your server infrastructure since they are denial of service issues (defined).

How Can I Protect Myself From These Issues?
While mitigations are available for the majority of these issues, it is recommended to apply the necessary security updates if you use the Xen Project virtualization software within your organization.

The main Xen security advisories page is located here. Links to the appropriate advisories with steps to install the necessary updates are provided below:

Thank you.

Microsoft Extends Bug Bounty Program to ASP.NET and .NET Core

In late October Microsoft extended it’s Bug Bounty for security vulnerabilities within it’s Core CLR (Common Language Runtime), the execution engine for .Net Core, and ASP.Net (both technologies are open source and currently in late beta testing). These technologies are used to build web applications and in the implementation of websites.

As with previous bug bounties security researchers will be rewarded financially for discovering and responsibly disclosing (defined) these flaws to Microsoft. Their submissions need to include both a functioning exploit and a high quality white-paper. The newly extended bounty program which includes the above mentioned technologies will run from the 20th of October 2015 until the 20th of January 2016.

I’m very pleased to see that Microsoft continues to extend their bug bounty program to include the fundamental frameworks used to create web apps and websites. Any successful submissions will not only benefit the researchers but all of the customers who use and will use these technologies in the future.

Bounties for Online Services, Microsoft Edge and Internet Explorer 11 Technical Preview have been paid out in the past illustrating the success of such programs which benefits everyone.

Further details of the bug programme for ASP.NET and .NET Core are available within the following links:

Microsoft Bounty Programs Expansion – .NET Core and ASP.NET Beta Bounty
Microsoft Bounty Programs
Microsoft CoreCLR and ASP.NET 5 Beta Bug Bounty Program Terms

Thank you.