
January 2019 Update Summary

====================
Updated: 9th January 2019
====================
Happy New Year to all of my readers. Thanks very much.

Today Microsoft made available its monthly updates resolving 47 vulnerabilities (more formally known as CVEs (defined)). Further details are available from Microsoft’s monthly summary page.

Separately, Adobe released out of band (unscheduled) updates last week for Acrobat 2017 and Acrobat DC/Acrobat Reader DC. These updates address 2x critical CVEs.

Other updates released today are as follows:
Adobe Connect: 1x priority 3 CVE resolved
Adobe Digital Editions: 1x priority 3 CVE resolved
Adobe Flash Player: reliability/performance update only

While the Flash Player update is a non-security update, it’s likely Adobe chose to release it via the usual channels since that is what people are familiar with and it helps to get updates out sooner.

Similar to last month, Microsoft’s updates come with a long list of Known Issues that will be resolved in future updates. They are listed below for your reference:

KB4468742
KB4471389
KB4480116
KB4480961
KB4480962
KB4480963
KB4480966
KB4480970
KB4480973
KB4480975
KB4480978

You can monitor the availability of security updates for most of your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Windows DHCP Client (Further details here)

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected) (please also remember last month’s Internet Explorer update).

Microsoft Hyper-V (CVE-2019-0550 and CVE-2019-0551)

Microsoft Exchange (CVE-2019-0586)(Further details here)
====================
Please install the remaining updates at your earliest convenience.

As usual, I would recommend backing up the data on any device on which you are installing updates, to prevent data loss in the rare event that an update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Please find below summaries of other notable updates released this month.

Thank you.

====================
Intel Security Advisories:
====================
Intel have released a series of security advisories so far this month. Of highest priority is the advisory for their Intel PROSet/Wireless WiFi Software to resolve a high severity CVSS Base Score 7.8 vulnerability. The security advisory affects many of their WiFi adapters.

Further important updates for their System Support Utility, Intel SGX SDK and Intel SGX Platform Software were also made available. Meanwhile, lower severity issues were addressed in Intel’s SSD data-center tool for Windows, Intel NUC Firmware and Intel Optane SSD DC P4800.

If you use any of the affected software or products, please update them as soon as possible especially in the case of the PROSet/Wireless WiFi Software.

=======================
Mozilla Firefox
=======================
In the final week of January, Mozilla made available Firefox 65 and Firefox ESR (Extended Support Release) 60.5:

Firefox 65: Resolves 3x critical, 2x high and 2x moderate CVEs (defined)

Firefox 60.5: Resolves 2x critical and 1x high CVEs

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the most recent improvements by Mozilla.

=======================
Wireshark 2.4.12 and 2.6.6
=======================
v2.4.12: 6 security advisories

v2.6.6: 4 security advisories

As per standard process, Linux distributions can obtain this update using the operating system’s standard package manager (if the latest version is not installed automatically via the package manager, you can instead compile the source code: v2.6.6 or v2.4.12). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

Thank you.

Asus and Gigabyte Software Flaws Unresolved

=======================
Update: 31st January 2019
=======================
In a follow up to this post, I realized that software installed within my Windows 10 Pro for Workstations system (Version 1803) may be vulnerable to issues similar to those in the Asus and Gigabyte software.

The software, Creative Sound Blaster Connect for Windows v2.0.0.28 (June 2018), is installed on my system and controls (among other features) the LED lights of my dedicated sound card, a Sound BlasterX AE-5 Pure Edition. The lights are mounted on the card and on an extended magnetic chain of 40 LEDs.

This software has the ability to connect to the internet in order to install updates from Creative. To check whether this functionality could be abused to reach the software remotely, I took the basic step of scanning the ports listed within the attached document using Nmap from another system on my local network (LAN). I also checked whether these ports were reachable from the internet outside my network by probing specific ports (User Specified Custom Port Probe) using the free ShieldsUp service from GRC.com:

The Nmap scans were only the following basic scans (with the LAN address of the system under test substituted for <target>):

=======================
TCP Connect Scan:
nmap -sT <target>
=======================
Stealth Scan (TCP SYN Scan):
nmap -sS <target>
=======================
UDP Scan (where applicable):
nmap -sU <target>
=======================
TCP ACK Scan:
nmap -sA <target>
=======================

The result was that none of the ports were accessible from my local network or from the internet, thanks to the software firewall (bundled with my anti-malware software). The firewall handled each scan gracefully, blocking it while only logging the event rather than displaying a notification.
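The same check in a scriptable form, as an added example that is not part of the original post: run from a second machine on the LAN, it probes a list of TCP ports on the system under test and classifies each as open, closed (the host answered with a reset, so the firewall let the probe through) or filtered (no answer at all, which is what a firewall that silently drops the probe produces and what the post observed). The target address and the port list are assumptions; substitute the address of the system under test and the ports from the “Creative Processes and Ports” table. UDP ports, which the post also covered with nmap -sU, need a different approach because a silent UDP service and a dropped packet look identical.

```powershell
# Added example, not part of the original post. Run from a second machine on
# the LAN. $Target and $Ports are assumptions: use the address of the system
# under test and the ports from the "Creative Processes and Ports" table.
$Target    = '192.168.1.50'            # assumed LAN address of the Windows 10 host
$Ports     = @(80, 443, 8080, 49152)   # constructed sample port list
$TimeoutMs = 1500

function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$Timeout = 1500
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No SYN/ACK and no RST within the timeout: the probe was dropped,
        # which is how a firewall that silently discards the packet appears.
        if (-not $handle.AsyncWaitHandle.WaitOne($Timeout, $false)) {
            return 'filtered'
        }
        $client.EndConnect($handle)    # throws if the host answered with a RST
        return 'open'
    }
    catch {
        return 'closed'                # RST received (or name resolution failed)
    }
    finally {
        $client.Close()
    }
}

$results = foreach ($p in $Ports) {
    [pscustomobject]@{
        Target = $Target
        Port   = $p
        State  = (Test-TcpPort -ComputerName $Target -Port $p -Timeout $TimeoutMs)
    }
}

$results | Format-Table -AutoSize

# Anything 'open' is reachable from the LAN and needs a firewall rule or a
# service change; 'closed' means the firewall let the probe through even though
# nothing answered, so the rule set is worth a second look as well.
$reachable = $results | Where-Object { $_.State -ne 'filtered' }
if ($reachable) {
    Write-Warning ("Ports not silently dropped by the host firewall: " +
                   (($reachable | ForEach-Object { "$($_.Port)=$($_.State)" }) -join ', '))
} else {
    Write-Host "All $($Ports.Count) probed ports were dropped; the host firewall is doing its job."
}
```

Repeat the run from outside the network (or use the ShieldsUp probe the post mentions) to confirm the same result on the internet side; a port that is filtered on the LAN but open from the internet points at a router port-forward rather than the host firewall.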

To further harden the Creative software against possible attack, I chose to enable Microsoft’s Windows Defender Exploit Guard. I have attached a table (see the link “Creative Processes and Ports” below) of the running processes the Creative software requires and which of the memory protections I was able to turn on; in short, almost all of them. Windows Defender Exploit Guard is the successor to EMET (originally made available by Microsoft in 2010; support for EMET ended on 31st July 2018).
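The per-process hardening described above can be applied and recorded from PowerShell rather than the Windows Security UI. The following is an added example, not the post’s own configuration: it uses the built-in Set-ProcessMitigation and Get-ProcessMitigation cmdlets (Windows 10 1709 and later, elevated prompt) to enable a set of Exploit protection mitigations for named processes, read the effective settings back and export them. The process names are hypothetical placeholders; the real ones are in the “Creative Processes and Ports” table.

```powershell
# Added example, not part of the original post. Applies Windows Defender
# Exploit Guard (Exploit protection) mitigations to named processes and reads
# the effective settings back. Run from an elevated PowerShell on Windows 10
# 1709 or later. The process names are hypothetical placeholders; take the real
# ones from the "Creative Processes and Ports" table.
$Processes = @('VendorService.exe', 'VendorUi.exe')

# Mitigations to turn on per process. All are standard Exploit protection
# options; the list is deliberately not exhaustive, since a few options break
# some applications and have to be tested one at a time.
$Mitigations = @(
    'DEP',                      # data execution prevention
    'SEHOP',                    # structured exception handler overwrite protection
    'BottomUp',                 # bottom-up ASLR
    'HighEntropy',              # high-entropy ASLR for 64-bit images
    'ForceRelocateImages',      # mandatory ASLR for images built without /DYNAMICBASE
    'CFG',                      # control flow guard
    'StrictHandle',             # strict handle checks
    'DisableExtensionPoints',   # block legacy extension-point DLL injection
    'BlockRemoteImageLoads'     # refuse to load images from remote (UNC/WebDAV) paths
)

foreach ($exe in $Processes) {
    Set-ProcessMitigation -Name $exe -Enable $Mitigations
    Write-Host "Applied $($Mitigations.Count) mitigations to $exe"
}

# Review what is now in force for each process. Options shown as NOTSET fall
# back to the system-wide defaults (Get-ProcessMitigation -System).
foreach ($exe in $Processes) {
    Get-ProcessMitigation -Name $exe
}

# Export the full policy so the same hardening can be re-applied elsewhere
# (Set-ProcessMitigation -PolicyFilePath <file>) or kept as a record.
Get-ProcessMitigation -RegistryConfigFilePath 'exploit-protection-policy.xml'
```

Because some applications misbehave under particular mitigations (the post notes that not every protection could be enabled), enable them for one process at a time, exercise the application fully, and back out a single option with Set-ProcessMitigation -Name <exe> -Disable <option> if it causes a crash.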

Since my Windows 10 system is fully up to date, I don’t click on links within emails or open suspicious attachments, and I use application whitelisting; moreover, the software can’t be accessed from the internet or from my local network and now has many layers of in-memory defenses enabled, so the likelihood of any vulnerabilities within the Creative software being exploited is minimized. If a rogue update is downloaded from the internet, it can’t run since only updates digitally signed by Creative are allowed to run (due to the whitelisting mentioned earlier).

While all of the above may be considered an “overreaction”, and exploits against such software are yet to be seen in the wild, it never hurts to be prepared for the future. In addition, I don’t wish for the seemingly innocuous technology of LED lights to be used to compromise my system.

Thank you.

Creative Processes and Ports

=======================
Original Post:
=======================
In mid-December security researchers from SecureAuth disclosed local elevation of privilege and code execution vulnerabilities within software and drivers (defined) from hardware vendors Asus and Gigabyte.

What is the severity and impact of these vulnerabilities?
=======================
ASUS Aura Sync v1.07.22 and previous versions:
=======================
For the Asus Aura Sync software, two vulnerable drivers are installed which have the potential to allow local code execution by an attacker.

There are three vulnerabilities within this software:

CVE-2018-18535: affects the Asusgio driver by leaving an exposed read/write method available for model specific registers (MSRs) (defined). This weakness can be leveraged to execute arbitrary code with System level (defined) (ring 0) privileges. Diego Juarez, the security researcher who discovered these vulnerabilities, created proof of concept code that uses the insecure access to the MSRs, via a stray kernel (defined) function pointer (defined), to bypass kernel address space layout randomization (KASLR) (defined), which results in a denial of service (DoS) condition in the form of a Blue Screen of Death (BSoD). This would have medium to high impact depending on the criticality of the system rendered temporarily unavailable by the BSoD.

CVE-2018-18536: the proof of concept for this vulnerability results in the system rebooting. This was achieved by using the ability to read and write data to I/O ports through the GLCKIo and Asusgio drivers. This ability can be used to run code of the attacker’s choice with elevated privileges. This would have high to critical severity since any code of the attacker’s choice could be leveraged for a purpose of their choosing.

CVE-2018-18537: can be used to trigger a system crash. This is achieved by writing 32 bits of data (a DWORD) (explanation) to an address of the attacker’s choice. This can corrupt data and lead to unexpected behavior such as a crash. This would have low to high severity depending upon the type of data that became corrupted.

=======================
Gigabyte App Center v1.05.21 and previous
Aorus Graphics Engine v1.33 and previous
Xtreme Gaming Engine v1.25 and previous
OC Guru II v2.08
=======================
CVE-2018-19320: has the potential to grant the attacker full access to the affected system and is thus medium to high in severity. The proof of concept for this is the same as for CVE-2018-18537 (above). CVE-2018-19322 is very similar to CVE-2018-18536 described above. CVE-2018-19323 is again very similar to CVE-2018-18535 described above.

Finally, CVE-2018-19321 could place an attacker in complete control of the victim system upon exploiting drivers within the Gigabyte App Center, Aorus Graphics Engine, Xtreme Gaming Engine or OC Guru (version numbers listed above). The proof of concept provided crashed the system, but the issue would be of medium to high severity due to the potential for further malicious action.

How can I protect my organization or myself from these vulnerabilities?
As per the Asus and Gigabyte advisories, only Asus fixed one of the disclosed vulnerabilities. If you use any of the above affected software, please update it to the most recent version available. In addition, exercise standard caution regarding handling emails, email attachments and clicking links (no matter in what form you receive such links). These vulnerabilities are all locally exploitable and thus require you to take an action out of the ordinary for them to harm your system.
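Knowing whether the affected software is present is the first step of the advice above, and on more than a handful of machines that is a job for a script. The following added example (not from the post or the SecureAuth advisories) inventories a Windows system for the two driver names and the five products named here and flags installed versions that fall inside the disclosed affected range. Driver names, product names and version ceilings come from the post; the matching and version comparison logic is the example’s own and assumes the vendors’ uninstall entries carry a parseable DisplayVersion.

```powershell
# Added example, not part of the original post or the SecureAuth advisories.
# Checks a Windows system for the drivers and applications named in this post
# and flags versions inside the disclosed affected range. Driver names, product
# names and version ceilings are taken from the post; everything else is the
# example's own logic.
$DriverNames = @('Asusgio', 'GLCKIo')
$AffectedUpTo = @{
    'Aura Sync'             = '1.07.22'   # ASUS Aura Sync v1.07.22 and previous
    'App Center'            = '1.05.21'   # Gigabyte App Center v1.05.21 and previous
    'Aorus Graphics Engine' = '1.33'
    'Xtreme Gaming Engine'  = '1.25'
    'OC Guru'               = '2.08'      # OC Guru II v2.08 (the only version listed)
}

# 1. Kernel drivers registered as services whose name matches the advisories.
$driverRegex = ($DriverNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -match $driverRegex } |
    Select-Object Name, State, StartMode, PathName

# 2. Installed applications from both Uninstall hives (64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$appRegex = ($AffectedUpTo.Keys | ForEach-Object { [regex]::Escape($_) }) -join '|'
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $appRegex }

$report = foreach ($app in $apps) {
    $product = $AffectedUpTo.Keys | Where-Object { $app.DisplayName -like "*$_*" } | Select-Object -First 1
    $status = 'version not parseable'
    try {
        if ([version]$app.DisplayVersion -le [version]$AffectedUpTo[$product]) {
            $status = 'AFFECTED: update or remove'
        } else {
            # Not proof of a fix: the post notes that not every CVE was patched.
            $status = 'newer than disclosed range'
        }
    } catch { }
    [pscustomobject]@{ Software = $app.DisplayName; Version = $app.DisplayVersion; Status = $status }
}

"== Drivers named in the advisories =="
if ($drivers) { $drivers | Format-Table -AutoSize } else { "none registered" }
"== Matching applications =="
if ($report) { $report | Format-Table -AutoSize } else { "none installed" }
```

A driver that shows State Running while its parent application has been uninstalled is the case worth catching: the exposed driver interface is what the CVEs describe, so the driver service, not just the application, needs to go.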

The fact that neither company responded effectively is a concern, especially given how widely used these software applications are across the many hardware products both vendors sell to organisations and individuals.

The relevant advisories from SecureAuth are linked to here (Asus) and here (Gigabyte).

Why am I highlighting the vulnerabilities in these software packages?
I am highlighting these vulnerabilities since they demonstrate once again that any software installed on a system can contain vulnerabilities, not just internet facing or widely used applications (which makes these Asus and Gigabyte applications a lot less likely to be updated by end-users). While this software may be considered innocuous (since it does not directly access the internet, except to check for updates) and is not used to open files/documents, given the low-level drivers the software uses, it still has the potential to provide an attacker with a means for malicious action.

I am aware of the availability of the Asus Aura Sync software since it is offered as a download for my Asus Rampage VI motherboard. I have not installed it since the motherboard LEDs already work to my satisfaction without software (the UEFI firmware controls them). Thus I chose not to install the software since I didn’t need it. While my system isn’t affected since the Asus software is not installed, it’s a concern that widely used applications are not being patched.

While I can acknowledge Gigabyte stating it is a hardware company, clearly the drivers and software it distributes to use and optimize/customize those products require some maintenance from time to time, especially when a vulnerability notification is provided. While Asus resolved one vulnerability, it did not resolve the remaining two even though it too was provided with the necessary technical details.

Thank you.