Monthly Archives: December 2015

ISC Releases Security Updates for BIND (December 2015)

Earlier this month the Internet Systems Consortium (ISC) released a security update to address a critical denial of service issue (defined) within their BIND DNS software.

This vulnerability is caused by an error in the parsing (analyzing data in a structured manner in order to create meaning from it) of incoming responses, which allows records within those responses to carry incorrect classes and be accepted rather than rejected. If the parsing were carried out correctly the incorrect class would be detected. A single specifically crafted packet sent to BIND will trigger a REQUIRE assertion failure, which will cause BIND to exit.
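To illustrate the kind of check the paragraph above is talking about, here is an added example (not ISC's code, and not the actual BIND fix) of a minimal DNS response parser that decodes the header, question and resource records and refuses any record whose class is unknown or does not match the question's class, before anything would be cached. The `build_response` helper and its packets are constructed test data; the OPT-record exception is an assumption based on RFC 6891, where the class field of an OPT record carries the UDP payload size rather than a class.

```python
import struct

# DNS classes from RFC 1035; this simplified validator only accepts IN, CH and HS in records
CLASS_IN, CLASS_CH, CLASS_HS = 1, 3, 4
VALID_RR_CLASSES = {CLASS_IN, CLASS_CH, CLASS_HS}
TYPE_OPT = 41  # OPT pseudo-record: its class field is a UDP payload size (RFC 6891), not a class


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Return (name, offset just past the name). Follows RFC 1035 compression pointers safely."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if off + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        if off + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_response(qname, qtype, qclass, answers):
    """Constructed test helper: one question plus answer RRs. An RR name given as bytes is used raw,
    which lets a test supply a compression pointer such as b'\\xc0\\x0c'."""
    hdr = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    msg = hdr + encode_name(qname) + struct.pack(">HH", qtype, qclass)
    for name, rtype, rclass, ttl, rdata in answers:
        enc = encode_name(name) if isinstance(name, str) else name
        msg += enc + struct.pack(">HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return msg


def parse_response(msg: bytes):
    """Parse a response; raise ValueError for a class mismatch instead of accepting the record."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    _ident, _flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack(">HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated rdata")
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != TYPE_OPT:  # the class checks: reject here, before anything is cached
            if rclass not in VALID_RR_CLASSES:
                raise ValueError(f"record {name!r}: unknown class {rclass}")
            if questions and rclass != questions[0][2]:
                raise ValueError(f"record {name!r}: class {rclass} != question class {questions[0][2]}")
        records.append((name, rtype, rclass, ttl, rdata))
    return questions, records


def response_is_acceptable(msg: bytes) -> bool:
    """Convenience wrapper: True if the response parses and every record passes the class checks."""
    try:
        parse_response(msg)
        return True
    except ValueError:
        return False
```

The point of the example is where the check sits: the class is validated while the record is being parsed, so a malformed class never reaches the cache code path that the advisory describes as asserting.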

Why Is This Issue Considered Critical?
A single specifically crafted response sent to BIND will cause it to trigger a REQUIRE assertion failure when the records within that response are later cached. An attacker could exploit this issue to cause BIND to exit, resulting in a denial of service for the legitimate clients of the BIND server. Recursive DNS (defined) BIND servers are at high risk from this issue.

This issue affects a large number of versions of BIND (listed below), making it even more important to address:
9.0.x -> 9.9.8
9.10.0 -> 9.10.3

Moreover, according to ISC, this issue has no workarounds or known mitigations. The only solution is to install the updates to BIND as mentioned in this security advisory.

How Can I Protect Myself From This Issue?
If you use BIND (it is included with Linux distributions e.g. Red Hat, Ubuntu etc.) to provide any DNS services within your company/organization, or you know anybody who may be affected by this issue, please follow the advice within ISC’s security advisory to install the necessary update to resolve this issue:

CVE-2015-8000: Responses with a malformed class attribute can trigger an assertion failure in db.c

Thank you.

Symantec Addresses Information Disclosure Issue within Endpoint Encryption Products

Earlier this month Symantec made available a security update to address a medium severity information disclosure issue (which was assigned one CVE (defined) number) within their Endpoint Encryption product (version 11.0 and earlier).

Why Should This Issue Be Considered Important?
The Symantec Endpoint Encryption (SEE) client (which would be installed on servers, workstations and laptops) was found to be vulnerable to a forced memory dump issue within the SEE Framework Service (EACommunicatorSrv.exe). If an authorized but unprivileged user has access to a system with the vulnerable version of Endpoint Encryption installed, they could potentially obtain, from the forced memory dump, the domain user credentials of the SEE Management Server (SEEMS). Using these credentials, they could obtain unauthorized access to further systems via the management server.

How Can I Protect Myself From This Issue?
Symantec issued a security advisory which contains details of the necessary update to address this issue which was responsibly disclosed (defined) to Symantec. Please note the download link for this update requires the serial number of your Symantec product in order to proceed.

Moreover, Symantec provides further best practice advice to minimize the impact of this issue within their advisory.

If you are using the affected Symantec corporate encryption product within your organization, please install the relevant update as soon as possible.

Thank you.

Adobe Releases Emergency Flash Security Updates

Yesterday Adobe released their January 2016 Flash Player and Adobe AIR (its application runtime) security updates ahead of schedule to address a critical zero-day (defined) security vulnerability designated as CVE-2015-8651.

The updates address 19 security vulnerabilities (more formally known as CVEs (defined)). At the time of writing neither Google nor Microsoft has made available the relevant updates for Google Chrome (v47.0.2526.106, Stable 64 bit has not received this update) and Microsoft Edge/Internet Explorer (respectively). This is most likely due to the holiday period. Microsoft should announce the availability of their Flash update by updating this security advisory for users of Microsoft Edge for Windows 10 and Internet Explorer 10 and 11 installed on Windows 8.0 and 8.1 (respectively).
=======================
Update 1: 29th December 2015:
Microsoft have now updated their security advisory. Update kb3132372 (no active web site link yet) is now available for Windows 10, 8.1 and 8.0 users.

Update 2: 31st December 2015:
Google updated Chrome (v47.0.2526.106)(Stable, 64 bit) to Flash Player v20.0.0.267 within hours of the above mentioned update from Microsoft. Apologies for not updating this post sooner.

I’m very impressed that they both made available the appropriate updates so quickly especially during the holiday period.
=======================

Adobe and Symantec have stated that limited targeted attacks are exploiting the above mentioned zero-day vulnerability. SecurityWeek elaborates on these attacks stating that they are spear phishing attacks (defined).

Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). The use of this alternative link is now deprecated and will be decommissioned by Adobe on the 22nd of January 2016.

As always I would recommend that if you have Flash Player installed to install the necessary updates as soon as possible. You can check if you have Flash Player installed using this page.

In addition, please follow my recommendation to enable the ASR mitigation of Microsoft EMET as detailed in this post in order to mitigate against Flash based vulnerabilities being exploited in applications that can open Microsoft Office documents and/or Adobe PDF files.

Thank you.

Linux GRUB Security Vulnerability Swiftly Patched

Earlier this month a pair of security researchers within the Cybersecurity Group at Universitat Politècnica de València discovered an integer underflow (defined) vulnerability within the Linux GRUB bootloader (defined, my thanks to Lucian Constantin, IDG News Service for providing an excellent summary of the purpose/function of the GRUB bootloader within that article). The researchers responsibly disclosed (defined) this issue to the main distributors of Linux in order to protect their users. My thanks to everyone involved for so quickly addressing this vulnerability.

Why Should This Issue Be Considered Important?
This issue is very easy for an attacker to exploit, as they only need to have physical access (be in front of the system) for a short time in order to exploit it. With this access, they simply press the backspace key (just above the main Enter/Carriage return key) 28 times in order to exploit this vulnerability. They could easily obtain this physical access by breaking into the premises where such a system is located.
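The root cause named above is an integer underflow: an unsigned index that is decremented past zero wraps around to a very large value instead of going negative. The following is an added model of that pattern (constructed for this post, not GRUB's code and not its fix): a toy fixed-size input line whose cursor is treated as a 32-bit unsigned integer, with an unchecked backspace that reports the out-of-range index it would produce alongside the hardened form that refuses to move before the start of the line.

```python
U32_MAX = 0xFFFFFFFF


def u32(x: int) -> int:
    """Reduce to 32-bit unsigned, the way C arithmetic on a uint32_t wraps."""
    return x & U32_MAX


class LineEditor:
    """Toy fixed-size input line with an unsigned cursor index (constructed model, not GRUB's code)."""

    def __init__(self, capacity: int = 16):
        self.capacity = capacity
        self.buf = bytearray(capacity)
        self.cur = 0  # unsigned cursor index into buf

    def insert(self, ch: str) -> bool:
        """Append one character, keeping room for a terminator."""
        if self.cur >= self.capacity - 1:
            return False
        self.buf[self.cur] = ord(ch)
        self.cur = u32(self.cur + 1)
        return True

    def backspace_unchecked(self) -> int:
        """Decrement with no zero check and return the index the caller would then write to.
        It deliberately does not touch buf, so the out-of-range index is reported, not used."""
        self.cur = u32(self.cur - 1)
        return self.cur  # at cur == 0 this is 0xFFFFFFFF, far outside the buffer

    def backspace_checked(self) -> bool:
        """Hardened form: refuse to move before the start of the line."""
        if self.cur == 0:
            return False
        self.cur -= 1
        self.buf[self.cur] = 0
        return True

    def cursor_in_bounds(self) -> bool:
        return self.cur < self.capacity

    def text(self) -> str:
        return self.buf[: self.cur].decode()
```

The single `if self.cur == 0` guard is the whole difference between the two backspace methods; in C the same decrement on an unsigned type compiles without warning, which is why this class of bug needs an explicit check rather than relying on the language.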

Moreover, systems with defences such as disabled CD-ROM drives (otherwise known as optical drives), disabled USB ports, restricted network boot options, password protected BIOS/UEFI firmware (defined), password protected GRUB edit mode and where the hard disk/SSD (solid state drive (defined)) is encrypted can all be bypassed by exploiting this vulnerability.

The researchers in their description of this vulnerability bypass the encryption of the hard disk/SSD by infecting the system (by means of this vulnerability) and allowing the user to decrypt the data (information disclosure) for the attackers by having the legitimate user enter the correct password as they log on normally to the system (an elevation of privilege attack (defined); since the attackers would not normally have this level of access). A denial of service attack (DoS)(the concept of DoS is defined here) can also be carried out by the attacker by corrupting the encrypted data and/or the GRUB leaving the legitimate user unable to access their own data.

Before bypassing the encryption however, they also describe patching (modifying the genuine/legitimate GRUB loader) so that it always authenticates the logged on user rather than asking for a password (bypassing the password protected edit mode of GRUB mentioned above).

Next they describe using the patched GRUB loader to load a Linux kernel so that they can then install malware of their choice. This also has the advantage that their actions are not logged, since the syslog daemon (defined) is not running (carrying out its purpose) because bash (Bourne-Again SHell) (defined) is the first process to run.

With that shell (defined) running on the system the researchers next describe how they illustrated a proof of their concept by installing a modified library (the general concept of a code library is defined here, only Windows systems use DLLs (defined) and so are not relevant for this discussion of Linux systems) belonging to Mozilla Firefox so that when Firefox is active, code (instructions) of their choice are also carried out. This code uses Netcat (defined) to set up a reverse shell (defined) allowing them to control the victim system as if they were in front of it (in this case the researchers show the reverse shell being able to access the private data folders belonging to the logged in user).

How Can I Protect Myself From This Issue?
Debian, Ubuntu and Red Hat (among others) have released updates to GRUB to address this vulnerability. For Linux systems the relevant updates can also be obtained via the package manager bundled with your Linux distribution (see this link (Debian) and this link (Ubuntu), which should assist you in using the package manager for your distribution of Linux).

Thank you.

Blog Post Shout Out December 2015

Earlier this year CloudFlare published an informative blog post detailing how malicious JavaScript (defined) can be used to cause a distributed denial of service attack (DDoS) (which is defined within CloudFlare’s post linked to below).

As a preventative measure they also provide a recommendation to enable HTTPS for your website (which CloudFlare also provide as an option). If you are using a self-hosted WordPress installation (namely where WordPress is installed on a server that you manage/administer), this blog post may be of assistance in enabling HTTPS by default (by using HSTS (discussed/defined at length within a previous blog post of mine)).

Given the severity of DDoS attacks I wanted to provide a respectful shout-out to the following CloudFlare blog post:

An introduction to JavaScript-based DDoS by Nick Sullivan (CloudFlare)

=======================
In addition, earlier this month US-CERT created a useful security alert containing a list of tips for securing your home broadband/fibre optic router/wireless access point. In addition, their alert also links to an updated list of routers with known security vulnerabilities with advice on addressing them:

Securing Home and Small Business Routers (US-CERT)
=======================

I hope that the above mentioned blog posts and resources are of assistance to you in defending your website from becoming part of such DDoS attacks and securing your home router/access point against malicious use.

Thank you.

Juniper Issues Emergency Security Updates For VPN Devices

On the 17th of December Juniper Networks released a security advisory which detailed 2 critical security issues (these have been assigned two CVE numbers (defined)) within their NetScreen devices which offer VPN (Virtual Private Network) (defined) access. Juniper have released emergency security updates to address these issues.

Why Should These Issues Be Considered Important?
The first issue, assigned CVE-2015-7755, could allow an attacker to remotely access your Juniper VPN device using SSH or telnet. They could do so by connecting to your device using either of these protocols; they will then receive a logon prompt, but due to this issue they can enter any username and, since the password has been publicly disclosed, they would then obtain access to your device with the highest privileges available. This is an extremely serious backdoor (defined) that an attacker can easily exploit.

The second vulnerability, designated CVE-2015-7756, could allow an attacker who can capture your VPN network traffic to decrypt that encrypted traffic and read all of its contents. In addition, there is no means of detecting if this second vulnerability has been exploited.

Juniper NetScreen devices using the operating system versions mentioned below have been confirmed to have been affected by these issues:

=======================
The first issue mentioned above (the administrative access issue) affects the following versions of ScreenOS (the operating system that powers these Juniper devices):

ScreenOS 6.3.0r17 through 6.3.0r20
=======================

=======================
The VPN decryption issue affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20
=======================
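As an added example for anyone triaging an inventory of these devices (my own illustration, not Juniper's tooling), the affected ranges quoted above can be encoded and compared against the version string each device reports. It assumes every version is written in the plain `6.3.0rNN` form shown in the advisory; suffixed builds would need the pattern extended.

```python
import re

# Affected ScreenOS ranges exactly as quoted from Juniper's advisory in the post above
AFFECTED = {
    "CVE-2015-7755": [("6.3.0r17", "6.3.0r20")],                      # administrative access backdoor
    "CVE-2015-7756": [("6.2.0r15", "6.2.0r18"), ("6.3.0r12", "6.3.0r20")],  # VPN decryption
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")


def parse_screenos(version: str):
    """Turn '6.3.0r19' into the comparable tuple (6, 3, 0, 19); reject anything else loudly."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def affected_by(version: str):
    """List the CVEs from the advisory whose ranges contain this version (inclusive bounds)."""
    v = parse_screenos(version)
    return sorted(
        cve for cve, ranges in AFFECTED.items()
        if any(parse_screenos(lo) <= v <= parse_screenos(hi) for lo, hi in ranges)
    )


def triage(inventory):
    """inventory: iterable of (device_name, version). Returns {device: [cves]} for affected devices only,
    plus a list of devices whose version string could not be parsed and so need a manual look."""
    hits, unparsed = {}, []
    for device, version in inventory:
        try:
            cves = affected_by(version)
        except ValueError:
            unparsed.append(device)
            continue
        if cves:
            hits[device] = cves
    return hits, unparsed
```

Inclusive bounds matter here: the advisory names the first and last affected releases, so a naive `lo < v < hi` comparison would wrongly clear devices on 6.3.0r17 or 6.3.0r20.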

Finally, there are theories with compelling evidence of how this backdoor code came to be present within Juniper’s products in the first instance. The definitive answer does not appear to be completely clear at this time. If you wish to read more on this aspect of these security issues, please find below further references:

Juniper Finds Backdoor That Decrypts VPN Traffic by Michael Mimoso (Kaspersky ThreatPost)
Juniper Backdoor Password Goes Public by Michael Mimoso (Kaspersky ThreatPost)
Juniper Backdoor Picture Getting Clearer by Michael Mimoso (Kaspersky ThreatPost)
On the Juniper backdoor by Matthew Green (Johns Hopkins University)
Who were the attackers and how did they get in? by Jeremy Kirk (IDG News Service)
CVE-2015-7755: Juniper ScreenOS Authentication Backdoor by H. D. Moore (Rapid7)
“Unauthorised code” on Juniper firewalls gives attackers admin access, decrypts VPN traffic by Graham Cluley (writing on behalf of BitDefender)

How Can I Protect Myself From These Issues?
As directed within Juniper’s security advisory if you are using the affected Juniper devices within your corporation or small business, please apply the necessary updates as soon as possible since these issues are very serious. Download links for these updates are provided within the above mentioned security advisory. Juniper also supplies additional best practice within that advisory.

SNORT IDS/IPS (defined) and Sagan (an open source log analysis engine) rules to detect the first issue (administrative access) being exploited are provided in Rapid7’s blog post. That blog post also contains advice if you are having an issue installing the updates to address these issues.

Thank you.

=======================
Note: I am currently working on more upcoming content for this blog. Since this will be my final post before the 25th of December I wanted to wish you and yours a safe and very Merry Christmas / Happy Holidays. I will return later this week with more blog posts.

Thanks again.

Very Large Number of Routers/Modems/Internet Gateways Contain Non Unique X509 Certificate and SSH Keys

In late November the security firm SEC Consult released details within a blog post of their findings after they had conducted scans of many thousands of embedded devices from almost 70 manufacturers. These devices were found to contain X.509 certificates (defined) and SSH (Secure Shell, defined) private keys (from the public/private key pairs used in asymmetric encryption (defined)) which were shared among other similar devices from other manufacturers.

Why Should These Issues Be Considered Important?

If an attacker was located within the same network as one of these embedded devices they could perform a man-in-the-middle attack (MITM, defined) allowing them access to any sensitive information e.g. passwords that are being transmitted on the network at that time.
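The shared keys SEC Consult describes are visible from the outside: two devices that hold the same private key present the same SSH host public key, and therefore the same fingerprint. The following is an added example (mine, not SEC Consult's scanner) of the check an administrator could run over their own inventory: it computes the SHA256 fingerprint of each OpenSSH-format host key, in the form `ssh-keygen -lf` prints, and reports any fingerprint that appears on more than one device, flagging whether it crosses vendors. The `make_rsa_pubkey_line` helper and the tiny moduli in the sample inventory are constructed test data, not real device keys.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length prefix then the bytes (RFC 4251)."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH 'mpint': two's-complement big-endian, so a leading zero byte is added if the top bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_pubkey_line(e: int, n: int) -> str:
    """Build an OpenSSH 'ssh-rsa' public key line. Constructed test helper; the moduli used below
    are far too small to be real keys and exist only to give the fingerprint code something to hash."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()


def fingerprint(key_line: str) -> str:
    """SHA256 fingerprint of an OpenSSH public key line, as 'SHA256:<base64 without padding>'."""
    key_type, b64 = key_line.split()[:2]
    blob = base64.b64decode(b64)
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode():  # declared type must match the blob's own header
        raise ValueError("key type in line does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(inventory):
    """inventory: iterable of (vendor, device, key_line).
    Returns {fingerprint: {"owners": [(vendor, device), ...], "cross_vendor": bool}}
    for every fingerprint seen on more than one device."""
    seen = defaultdict(list)
    for vendor, device, key_line in inventory:
        seen[fingerprint(key_line)].append((vendor, device))
    return {
        fp: {"owners": owners, "cross_vendor": len({v for v, _ in owners}) > 1}
        for fp, owners in seen.items()
        if len(owners) > 1
    }


# Constructed sample inventory: three devices from two vendors ship the same key, one device is unique
SHARED_KEY = make_rsa_pubkey_line(65537, 0xC0FFEE0000000001)
UNIQUE_KEY = make_rsa_pubkey_line(65537, 0xBADC0DE000000003)
SAMPLE_INVENTORY = [
    ("VendorA", "gateway-1", SHARED_KEY),
    ("VendorA", "gateway-2", SHARED_KEY),
    ("VendorB", "modem-7", SHARED_KEY),
    ("VendorB", "modem-8", UNIQUE_KEY),
]


def sample_report():
    """Run the check over the constructed inventory (what a real run would do over collected host keys)."""
    return find_shared_keys(SAMPLE_INVENTORY)
```

On a real network the key lines come from `ssh-keyscan` or from the devices' own configuration exports; the fingerprints computed here match what `ssh-keygen -lf` prints for the same key file, so a match against a published list of known-shared fingerprints can be done by string comparison.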

SEC Consult found that approximately 4 million devices are affected by this issue.

A remote attack (i.e. from an attacker not located within your network namely the wider Internet) is far more difficult to conduct and would require the capabilities discussed within the paragraph titled “What is the impact of the vulnerability?” of SEC Consult’s blog post.

For the full list of affected manufacturers of these devices, please see the paragraph titled “Which vendors/products are affected?” of SEC Consult’s blog post and the “Vendor Information” section of this US CERT article. Finally, for affected Cisco devices, a list of affected device models is provided here.

How Can I Protect Myself From These Issues?
For the end users (consumers) who have purchased these devices, or have been provided them by their ISPs (Internet Service Providers), there is no action that can be taken to resolve these issues. Since the vulnerable keys are embedded within the firmware of these devices they cannot easily be updated. In some instances however, an update is possible.

If you own a device manufactured by one of the affected vendors (obtained from the lists linked to above) I would follow US CERT’s advice of contacting the vendor to ask if an update for your device will be made available. You can link to SEC Consult’s blog post and US CERT’s advice if the vendor wishes to seek clarification on the issue/vulnerability you are referring to.

For anyone affected by this issue I hope that the above information is of assistance to you. Thank you.