Daily Archives: April 1, 2018

Blog Post Shout Out: Cisco IOS XE and Drupal Security Updates

I wish to provide a respectful shout to the following security advisories and news articles for their coverage of critical security vulnerabilities within Cisco IOS XE and the Drupal CMS (defined) released on the 28th and 29th of March respectively.

The backdoor (defined) account being remediated within the Cisco IOS XE update could have allowed an unauthenticated attack to remotely access the Cisco router or an affected switch and carry out any action allowed by privilege level 15

Meanwhile the Drupal vulnerability (dubbed “Drupalgeddon2”) is rated as highly critical since the vulnerability is both remotely exploitable and easy for an attacker to leverage allowing the attacker to carry out any action they choose.

Please follow the advice within the below linked to advisories and update any affected installations of these products that your organisation may have:

March 2018 Semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication

Cisco Removes Backdoor Account from IOS XE Software (includes mitigations if patching is not possible) by Catalin Cimpanu (Bleeping Computer)

Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002

Drupal Issues Highly Critical Patch: Over 1m Sites Vulnerable by Tom Spring (Kaspersky ThreatPost)

Thank you.

Pwn2Own 2018 Results

Earlier this month the annual Pwn2Own white hat (defined) hacking contest took place, shortened from 3 days to 2 days.

This year’s competition was also impacted by a recent regulatory change meaning that Chinese participants were unable to attend. This is unfortunate since previous yeas competitions have been excellent and this had a real impact on the success of this year’s competition; perhaps next years will be better? Further details of the regulatory change are detailed here.

The following products were successfully exploited this year resulting in USD$267k being awarded. Exploits which could not be completed in the allocated time of 30 minutes were also purchased; which is fair in my opinion since they could still be a threat and the researchers more than deserve the credit for the time and effort they invest.

Similar to previous years; kernel (defined) exploits were used each time to exploit the web browsers due to the sandboxing (defined) technology used to security harden them.

As noted in this article (and my previous blog posts) kernels are becoming even more complex and can easily consist of millions of lines of code. My previous advice of static analysis/auditing/fuzzing (defined here and here) still applies. These won’t detect every vulnerability but will significantly reduce them. As before writing more secure code using the development practices discussed in last year’s Pwn2Own post will reduce the vulnerability count even further; both now and into the future.

Just like last year Mozilla updated Firefox very quickly; this time in less than a day to version 59.0.1 and 52.7.2 ESR.

The full list of products exploited is provided below. Thank you.

=======================
Apple Safari (2 attempts were successful using macOS kernel elevation of privilege (defined) vulnerabilities

Microsoft Edge

Mozilla Firefox

Oracle VirtualBox
=======================

Microsoft Issues Further Security Update on the 29th March

====================
Update: 5th April 2018:
====================
It has been documented that this update is failing to install on a large number of Windows 7 64 bit SP1 and Windows Server 2008 R2 systems. No known issues are listed within Microsoft’s knowledge base article.

At this time; we can only wait for further updates or information to become available. At the time of writing; it is unclear if this update will be combined into next week’s cumulative update.

Thank you.

====================

Earlier this week Microsoft issued an out of band (an update outside of the established second Tuesday of each month) security update to resolve a regression (an un-intentional coding error resulting in a previously working software feature no longer working, alternative definition here) which introduced an additional elevation of privilege (defined) security vulnerability in the kernel (defined) of Windows 7 SP1 64 bit and Windows Server 2008 R2 SP1 64 bit.

While this was thought to have been resolved in March’s Microsoft Update Tuesday; the security researcher, Ulf Frisk who disclosed the issue to Microsoft stated the March updates did not resolve it.

If you maintain any of the above Windows versions in your organisation or at home, please ensure to run Windows Update to install the appropriate update.

Thank you.