Daily Archives: December 24, 2015

Juniper Issues Emergency Security Updates For VPN Devices

On the 17th of December Juniper Networks released a security advisory which detailed 2 critical security issues (these have been assigned 2x CVE numbers (defined)) within their NetScreen devices, which offer VPN (Virtual Private Network) (defined) access. Juniper has released emergency security updates to address these issues.

Why Should These Issues Be Considered Important?
The first issue, assigned CVE-2015-7755, could allow an attacker to remotely access your Juniper VPN device using SSH or telnet. On connecting with either protocol they receive a logon prompt; due to this issue any username is accepted, and since the backdoor password has been publicly disclosed they would then obtain access to your device with the highest privileges available. This is an extremely serious backdoor (defined) that an attacker can easily exploit.

The second vulnerability, designated CVE-2015-7756, could allow an attacker who can capture your VPN network traffic to decrypt that encrypted traffic and read all of its contents. In addition, there is no means of detecting whether this second vulnerability has been exploited.

Juniper NetScreen devices running the operating system versions mentioned below have been confirmed as affected by these issues:

=======================
The first issue mentioned above (the administrative access issue) affects the following versions of ScreenOS (the operating system that powers these Juniper devices):

ScreenOS 6.3.0r17 through 6.3.0r20
=======================

=======================
The VPN decryption issue affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20
=======================
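As an added example (not Juniper's or Rapid7's code), the following Python script encodes the affected ScreenOS ranges quoted above and reports which devices in an inventory fall inside them. The hostnames and versions in SAMPLE_INVENTORY are constructed, and the CVE labels are my own wording.

```python
import re

# Affected ScreenOS ranges as quoted from Juniper's advisory above.
# Each range is inclusive: (lowest affected release, highest affected release).
AFFECTED = {
    "CVE-2015-7755 (administrative access backdoor)": [
        ("6.3.0r17", "6.3.0r20"),
    ],
    "CVE-2015-7756 (VPN traffic decryption)": [
        ("6.2.0r15", "6.2.0r18"),
        ("6.3.0r12", "6.3.0r20"),
    ],
}

# ScreenOS release strings look like 6.3.0r17: major.minor.patch + 'r' + release number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")


def parse_version(text):
    """Turn a ScreenOS version string such as '6.3.0r17' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised ScreenOS version: %r" % text)
    return tuple(int(part) for part in m.groups())


def affected_by(version_text):
    """Return the CVE labels whose affected ranges contain this version (empty = none)."""
    version = parse_version(version_text)
    hits = []
    for cve, ranges in AFFECTED.items():
        for low, high in ranges:
            if parse_version(low) <= version <= parse_version(high):
                hits.append(cve)
                break  # one matching range per CVE is enough
    return hits


def triage(inventory):
    """Map each device name to the list of CVEs it is exposed to."""
    return {name: affected_by(ver) for name, ver in inventory.items()}


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "fw-branch-01": "6.3.0r17",  # inside both ranges
    "fw-branch-02": "6.3.0r12",  # VPN decryption only
    "fw-dc-01": "6.2.0r16",      # VPN decryption only (6.2 branch)
    "fw-lab-01": "6.3.0r11",     # below both ranges
}

if __name__ == "__main__":
    for name, cves in triage(SAMPLE_INVENTORY).items():
        print(name, "->", cves or "not in the advisory's affected ranges")
```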

Finally, there are theories, with compelling evidence, of how this backdoor code came to be present within Juniper's products in the first instance. The definitive answer does not appear to be completely clear at this time. If you wish to read more on this aspect of these security issues, please find further references below:

Juniper Finds Backdoor That Decrypts VPN Traffic by Michael Mimoso (Kaspersky ThreatPost)
Juniper Backdoor Password Goes Public by Michael Mimoso (Kaspersky ThreatPost)
Juniper Backdoor Picture Getting Clearer by Michael Mimoso (Kaspersky ThreatPost)
On the Juniper backdoor by Matthew Green (Johns Hopkins University)
Who were the attackers and how did they get in? by Jeremy Kirk (IDG News Service)
CVE-2015-7755: Juniper ScreenOS Authentication Backdoor by H. D. Moore (Rapid7)
“Unauthorised code” on Juniper firewalls gives attackers admin access, decrypts VPN traffic by Graham Cluley (writing on behalf of BitDefender)

How Can I Protect Myself From These Issues?
As directed within Juniper's security advisory, if you are using the affected Juniper devices within your corporation or small business, please apply the necessary updates as soon as possible since these issues are very serious. Download links for these updates are provided within the above-mentioned security advisory. Juniper also supplies additional best practices within that advisory.

SNORT IDS/IPS (defined) and Sagan (an open source log analysis engine) rules to detect exploitation of the first issue (administrative access) are provided in Rapid7's blog post. That blog post also contains advice if you are having an issue installing the updates that address these issues.

Thank you.

=======================
Note: I am currently working on more upcoming content for this blog. Since this will be my final post before the 25th of December I wanted to wish you and yours a safe and very Merry Christmas / Happy Holidays. I will return later this week with more blog posts.

Thanks again.

Very Large Number of Routers/Modems/Internet Gateways Contain Non-Unique X.509 Certificates and SSH Keys

In late November the security firm SEC Consult released details, within a blog post, of their findings after conducting scans of many thousands of embedded devices from almost 70 manufacturers. These devices were found to contain X.509 certificates (defined) and SSH (Secure Shell, defined) private keys (the private half of the public/private key pairs used in asymmetric encryption (defined)) that were shared with other similar devices, including devices from other manufacturers.

Why Should These Issues Be Considered Important?

If an attacker was located within the same network as one of these embedded devices they could perform a man-in-the-middle attack (MITM, defined), allowing them access to any sensitive information, e.g. passwords, being transmitted on the network at that time.

SEC Consult found that approximately 4 million devices are affected by this issue.

A remote attack (i.e. from an attacker on the wider Internet rather than within your network) is far more difficult to conduct and would require the capabilities discussed within the paragraph titled “What is the impact of the vulnerability?” of SEC Consult's blog post.

For the full list of affected manufacturers of these devices, please see the paragraph titled “Which vendors/products are affected?” of SEC Consult’s blog post and the “Vendor Information” section of this US CERT article. Finally, for affected Cisco devices, a list of affected device models is provided here.
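SEC Consult's finding is that identical key material recurs across devices and vendors. As an added example (not SEC Consult's tooling nor any vendor's code), the following Python script fingerprints SSH host keys and X.509 certificates collected from a device inventory and reports which devices share one. The device names, key blobs and certificate bodies are constructed stand-ins, not real keys or certificates.

```python
import base64
import hashlib
from collections import defaultdict


def ssh_fingerprint(pubkey_line):
    """OpenSSH-style SHA256 fingerprint of a 'type base64 [comment]' public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line: %r" % pubkey_line)
    digest = hashlib.sha256(base64.b64decode(fields[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cert_fingerprint(pem_text):
    """SHA-256 fingerprint (hex) of the DER certificate inside a PEM block."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def shared_fingerprints(inventory, fingerprint_fn):
    """Group device names by fingerprint; keep only fingerprints seen on more than one device."""
    groups = defaultdict(list)
    for device, material in inventory.items():
        groups[fingerprint_fn(material)].append(device)
    return {fp: sorted(devs) for fp, devs in groups.items() if len(devs) > 1}


# Constructed stand-ins for key and certificate material (not real keys or certs).
def fake_ssh_key(tag):
    blob = b"\x00\x00\x00\x07ssh-rsa" + tag.encode()  # mimics the wire-format key type prefix
    return "ssh-rsa " + base64.b64encode(blob).decode() + " demo@example"


def fake_cert(tag):
    der = b"\x30\x82" + tag.encode()  # only mimics the DER SEQUENCE prefix
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


SAMPLE_SSH_KEYS = {
    "vendorA-router-1": fake_ssh_key("firmware-image-key-1"),
    "vendorB-gateway-7": fake_ssh_key("firmware-image-key-1"),  # same key, other vendor
    "vendorA-router-2": fake_ssh_key("firmware-image-key-1"),
    "vendorC-modem-3": fake_ssh_key("unique-key-3"),
}
SAMPLE_CERTS = {
    "vendorA-router-1": fake_cert("https-cert-1"),
    "vendorC-modem-3": fake_cert("https-cert-1"),  # shared certificate across vendors
    "vendorD-dsl-9": fake_cert("https-cert-9"),
}

if __name__ == "__main__":
    for fp, devs in shared_fingerprints(SAMPLE_SSH_KEYS, ssh_fingerprint).items():
        print("shared SSH host key", fp, "on", devs)
    for fp, devs in shared_fingerprints(SAMPLE_CERTS, cert_fingerprint).items():
        print("shared certificate", fp[:16] + "...", "on", devs)
```

On real inventories the same fingerprints can be compared with those published for known firmware images, which is how SEC Consult traced the keys back to shared SDKs and firmware.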

How Can I Protect Myself From These Issues?
For end users (consumers) who have purchased these devices, or been provided them by their ISPs (Internet Service Providers), there is no action that can be taken to resolve these issues. Since the vulnerable keys are embedded within the firmware of these devices they cannot easily be updated. In some instances, however, an update is possible.

If you own a device manufactured by one of the affected vendors (see the lists linked to above) I would follow US CERT's advice of contacting the vendor to ask whether an update for your device will be made available. You can link to SEC Consult's blog post and US CERT's advice if the vendor wishes to seek clarification on the issue/vulnerability you are referring to.

For anyone affected by this issue I hope that the above information is of assistance to you. Thank you.

Python 3.4.4 Released

Early this week the Python Foundation followed up its previous release earlier this month with version 3.4.4.

=======================

The noteworthy changes in this update resolve the issues listed below:

8x buffer overreads
1x buffer overrun (essentially an overflow, defined)
1x reading from a buffer issue
1x integer overflow (defined)
Multiple integer overflows (no exact number given) resolved within the pickle module
1x integer out of bounds issue
1x overflow in _Unpickler_Read
Overflows fixed in timedelta * float, unicodedata module and Windows subprocess creation code
3x use after free issues (defined)
1x arbitrary code execution vulnerability in the dbm.dumb module
OpenSSL upgraded from 1.0.1j to 1.0.2d (for Windows) and to 1.0.2e for Mac OS X, which resolves 24 CVEs (defined) (see here and here for the CVE references provided by OpenSSL)

=======================
The full changelog is available from this link.

As was the case with previous updates, the buffer overreads, integer overflows, use-after-free issues etc. have not been assigned CVE numbers and are not explicitly reported as security vulnerabilities in the changelog; it is still best practice to patch these bugs if you are using an affected version of Python.

If you have an older release of Python installed, e.g. 3.4.3 or older, please consider upgrading to the most recent 3.4.4 update to benefit from the above-mentioned fixes.

Advice on porting (adapting) older Python code to newer releases is available here and here.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Apple Releases Security Updates December 2015

On the 8th and 11th of December Apple released numerous security updates for the following products:

=======================

  • Apple iOS 9.2: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
  • Apple tvOS 9.1: For Apple TV (4th generation)
  • Apple OS X: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5 (2 updates), OS X El Capitan v10.11 and v10.11.1
  • Apple watchOS v2.1: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
  • Apple Safari 9.0.2: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
  • Apple Xcode 7.2: For OS X Yosemite v10.10.5 or later
  • Apple iTunes 12.3.2: For Windows 7 and later

=======================

Comprehensive details of all of these updates are provided on Apple’s Security Updates page.

If you wish to prioritize these updates, I would suggest beginning with the updates for iOS, OS X, watchOS and tvOS as well as Safari due to the number and severity of the issues they address (the most serious resulting in an attacker having the ability to run code of their choice (remote code execution) with kernel or system level privileges).

Noteworthy fixes included are as follows:

Apple iOS 9.2: Resolves 51 CVEs (defined) and includes fixes for AppleMobileFileIntegrity, CoreGraphics, GPUTools Framework, ImageIO, iOS Kernel, libc, MobileStorageMounter, iOS Safari and WebKit (among others)

Apple OS X and Security Update 2015-006 Yosemite: Resolves 55 CVEs which includes fixes for apache_mod_php, AppSandbox, Bluetooth, CoreGraphics, CoreMedia Playback, EFI, Intel Graphics Driver, OS X kernel, libc, OpenGL, OpenSSH and System Integrity Protection (among others).

Apple tvOS 9.1: Resolves 45 CVEs including security issues within AppleMobileFileIntegrity, CoreGraphics, CoreMedia Playback, ImageIO, tvOS kernel, libc, MobileStorageMounter, OpenGL and WebKit (among others).

Apple watchOS 2.1: Resolves 30 CVEs within components such as AppSandbox, CoreGraphics, CoreMedia Playback, FontParser, GasGauge, ImageIO, watchOS kernel, libc, OpenGL and Sandbox (among others).

Apple Safari 9.0.2: Resolves 12 CVEs all within WebKit (the renderer of Safari).

Apple Xcode 7.2: Resolves 4 CVEs, the most serious of which were present within the otool component of Xcode.

Apple iTunes 12.3.2: Resolves 12 CVEs, all within WebKit. This update applies to the Windows version of iTunes only.
=======================

If you use any of the above software, please install the appropriate updates as soon as possible.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

Please see these links from Apple for advice on backing up your iPhone and iPad.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.

Google Releases Further Security Update for Chrome

For the third time this month, Google on the 15th of December released a security update for Google Chrome, bringing it to version 47.0.2526.106.

This update resolves 2x security issues (which have been assigned a single CVE (defined)). No severity level for these issues was provided.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 small stacked horizontal lines) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to re-launch Chrome for the update to take effect.

As always full details of the update were made available by Google in a blog post. If you use Google Chrome as your web browser, please consider updating it as soon as possible. Thank you.