Monthly Archives: June 2019

EA Resolves Origin Login Vulnerablities

Last Thursday, security firms CheckPoint Software and CyberInt disclosed details of a collection of vulnerabilities found within the login process of the Origin online gaming platform operated by Electronic Arts. They worked with EA to resolve them.

TL DR: EA Origin users should enable 2 factor authentication (see this link for details) and only use the official Origin website to download or purchase games. Also, please make certain the version of the Origin client you are using is the most up to date; version 10.5.38 for PC adds additional security measures. Finally; always be cautious when receiving links from unknown sources:

How could have attackers exploited these vulnerabilities?
EA use Microsoft’s Azure to provide global access to for players to games, allowing the purchase of games and to access their Origin social network. The chain of vulnerabilities did not require the user to hand over any login details but instead made use of authentication tokens, oAuth single sign-on (SSO) and the TRUST mechanism used during the login process. Definitions of these terms are provided in the glossary below.

Various services offered by EA are each present on a separate sub-domain e.g. But the researchers found one which no longer pointed to the correct DNS record With an empty domain name now known the researchers purchased it.

Due to some issues discovered by the researchers within the TRUST login mechanism; they re-directed where the SSO token pointed to; namely their newly acquired domain. With this accomplished the researchers could access an Origin account of their choice and the data it contains and could buy games but charge the original user of the account for these purchases.

What can we learn from this disclosure?
For online accounts operated by corporations; they need to carry out validation checks on the login pages their users interact with. The domains used by their services should also be checked to make certain they don’t contain now unused domains.

For the users of these services; enabling two-factor authentication will mean new devices accessing an account will be prompted for a security code an attacker will not have access to. Parents and children should be aware that cyber criminals will attempt to trick them with legitimate looking links. Please only access the official pages by typing the address into your browsers address bar (or make use of a saved known safe bookmark).

Thank you.

Authentication Token:
After a user logs in using their username and password; the current logged in user and various attributes of your account e.g. what type of content they can access are stored within a token (e.g. a JSON web token) in encrypted form and then sent to the client (the device the user is accessing the service from). The token (similar to ID/access card) is stored on the client device and can be presented at any time to the server replacing the need to enter a username and password to verify the user’s identity. The server will validate the token before granting the user access to the requested service.

Single sign-on:
When a user logs onto a device or service; their identity can be validated using a username and password and possibly another factor of authentication e.g. a code sent to their phone or email address. Once validated; the user is provided with a token which can be shared with a central user authentication service known as single sign-on. This service can then act on the user’s behalf authenticating them to multiple services or applications without the need to request further usernames or passwords. Online examples would Google or Facebook accounts used to log into other accounts/services using the same already entered credentials.


Linux TCP SACK Vulnerabilities June 2019

Earlier this week; Netflix’s Cybersecurity team disclosed 3 denial of service vulnerabilities within the Linux kernels (defined) affecting Amazon AWS, Debian, Red Hat, FreeBSD (only 1 vulnerability affects FreeBSD), SUSE and Ubuntu distributions.

If you use Amazon AWS, Debian FreeBSD, Red Hat, SUSE or Ubuntu, please install the relevant vendor updates or implement the workarounds both linked to below.

Why should these vulnerabilities be considered important?
All of these vulnerabilities are remotely exploitable. The most serious of which has been given the name “SACK Panic” (CVE-2019-11477) is most likely to be present/enabled in web servers used to run both large and small business or personal websites. Exploiting this issue will lead to your server crashing/becoming unresponsive. It has a CVSS 3 base score of 7.5 (high severity) and with a low complexity for an attacker to leverage.

The second vulnerability CVE-2019-11478 which can cause “SACK Slowness” is also remotely exploitable but is of moderate severity. If an attacker were to create and send a series of SACK packets it can cause the affected Linux systems to use too much resources (both memory and CPU). FreeBSD is vulnerable to a variation of this CVE-2019-5599.

The third and final vulnerability CVE-2019-11479 is again moderate severity causing high resource usage. In this instance; when an attacker would need to set the maximum segment size (MSS) of a TCP connection to it’s smallest limit of 48 bytes and then send a sequence of specially crafted SACK packets.

The name SACK is derived from TCP Selective Acknowledgement (SACK) packets used to speed up TCP re-transmits by informing a sender (in a two-way data transfer) of which data packets have been already been received successfully.


How can I protect my organisation or myself from these vulnerabilities?
The affected vendors have released updates or workarounds for these vulnerabilities; links to their advisories and recommended actions are provided below.

At this time, it is not known if Apple macOS (which originated from FreeBSD) is affected. It is not mentioned in any of the advisories. Should an advisory be released it will be available from Apple’s dedicated security page.


Amazon AWS:






Updated: 9th July 2019
On the 2nd of July 2019; VMware issued some updates for this set of vulnerabilities that affects it’s products. Further updates are pending. If you use any of the following VMware products, please review this security advisory and apply the updates as they become available:

Container Service Extension
Enterprise PKS
Horizon DaaS
Hybrid Cloud Extension
Identity Manager
Integrated OpenStack
NSX for vSphere
NSX-T Data Center
Pulse Console
SD-WAN Edge by VeloCloud
SD-WAN Gateway by VeloCloud
SD-WAN Orchestrator by VeloCloud
Skyline Collector
Unified Access Gateway
vCenter Server Appliance
vCloud Availability Appliance
vCloud Director For Service Providers
vCloud Usage Meter
vRealize Automation
vRealize Business for Cloud
vRealize Code Stream
vRealize Log Insight
vRealize Network Insight
vRealize Operations Manager
vRealize Orchestrator Appliance
vRealize Suite Lifecycle Manager
vSphere Data Protection
vSphere Integrated Containers
vSphere Replication

Thank you.

RAMBleed: What you need to know

Yesterday; security researchers disclosed a vulnerability relating to how data is accessed after it is stored within computer memory modules eventually leading to partial data disclosure

This is a low severity (CVSS Base Score: 3.8) but notable vulnerability which cannot be exploited remotely. For organisations and customers; no action is required. It is up to software developers to use trusted execution environments (TEE) e.g. AMD SEV, ARM TrustZone or Intel SGX to protect important data or clear such data from memory after use. Some DDR4 modules are not vulnerable to Rowhammer.

How does this attack take place?
An attacker would first need to compromise your system and persuade you to run an application. Due to the physical effects of creating memory modules which are smaller and smaller the space between memory cells used to store data are subject to electrical interference. This can be exploited by an attacker by reading the data from a memory address of interest over and over again which eventually leads to data corruption causes the binary contents (0 or 1) used to store data to change/”flip” from 0 to 1 or vice versa.

This effect has been seen before in an attack dubbed “Rowhammer” in 2014. That attack can be mitigated by the use of memory modules that use ECC (Error Correction Code). However, this new technique RAMBleed cannot be mitigated by ECC (defined).

What must an attacker do to exploit this vulnerability?
An attacker must first map the memory which contains the data they wish to acquire. They can then work to control data each side in memory of the target data. Accessing this data over and over “hammers” the row with the data within it. If the data is 0, it will flip to 1 and if 1 becomes a zero (0). The attacker can then proceed to repeat this for one column down in the memory segment to obtain the next piece of target data. Researchers were able to obtain 3 to 4 bits (either 0 or 1) per second.

Researchers used this technique to obtain a 2048 bit OpenSSH key from the memory of a server. They did so by first using a technique they named “Frame Feng-Shui” that allows them to place the target data within a physical memory frame (area) of their choice in. The speed was 0.3 bits per second with an accuracy of 82%. By only obtaining some of the data and using a variant of the technique documented within the Heninger-Shacham algorithm they succeeded in obtaining the remainder of the key.

How can an organisation or a consumer/end-user defend against this attack?
Encrypted memory achieved by the use of trusted execution environments (TEEs) e.g. AMD Secure Encrypted Virtualization (SEV), ARM TrustZone or Intel Software Guard Extensions (SGX) will mitigate this attack since the attackers will obtain encrypted rather than ready to use/plain text data.

Alternatively; software developers can clear encryption keys or other sensitive data from memory after using it. Intel recommends it’s guidelines for resisting side-channel and timing side channel attackers:

A lesser known mitigation is the use of DDR4 memory modules that should disrupt the success of the Rowhammer attack. The Maximum Activation Count (MAC) of a memory row is not vulnerable to Rowhammer when the MAC has a value of “unlimited”.

This field exists within the SPD (Serial Presence Detect) technique of accessing memory. From the following page, many but not all of the examined DDR4 modules feature this setting. For example, my 4x 16 GB (64GB) Corsair Dominator Platinum PC4-21300 (CMX64GX4M4A2666C15) modules feature this setting and so appear not to be vulnerable to the Rowhammer technique. You can see this from the first attached screenshot (denoted by the value “Unlimited MAC”):

These screenshots were obtained from the RAMMon application available from PassMark.

Thank you.

Mitigating Microsoft’s June 2019 NTLM Vulnerabilities

Microsoft issued an update yesterday to resolve 2 vulnerabilities within Windows that can be used to allow an attacker to authenticate and run code remotely.

TL DR: Install the updates for CVE-2019-1019 and CVE-2019-1040 and follow the recommend guidelines in Preempt’s blog post:

If attackers exploited these issues; what would the result be?
Preempt responsibly disclosed 2 vulnerabilities as a result of 3 logic flaws in NTLM to Microsoft. As a result of previous disclosures Microsoft added the Message Integrity Code (MIC) field designed to guarantee that attackers cannot tamper with NTLM messages in any way. Preempt bypassed this allowing them to change NTLM authentication fields, reducing security.

Next; Server Message Block (SMB) Session Signing was bypassed by Preempt allowing attackers to relay NTLM authentication messages and establish SMB and DCE/RPC sessions. Enhanced Protection for Authentication (EPA) was bypassed allowing the altering of “NTLM messages to generate legitimate channel binding information.” Finally, their bypasses could allow “attackers to relay NTLM authentication requests to any server in the domain, including domain controllers, while establishing a signed session to perform remote code execution.” This potentially could lead to the entire Active Directory domain becoming compromised by moving laterally from system to system.

How can an organisation or a consumer/end-user defend against these attacks/bypasses?
Install the updates for CVE-2019-1019 and CVE-2019-1040:

Moreover; Preempt’s blog post provides the necessary recommendations to fully mitigate these issues.


For reference I have linked to how to enable the following mitigations:

Enforce SMB Signing

Block NTLMv1
Part 1

Further information link

Enforce LDAP Signing

Enforce EPA:
Part 1

Part 2


Thank you.

June 2019 Update Summary

With yesterday being the second Tuesday of the month; it means it’s Update Tuesday again. Microsoft resolved 88 vulnerabilities  (more formally known as CVEs (defined) with Adobe addressing 11 vulnerabilities of their own.

Adobe Campaign: 7x Priority 3 vulnerabilities (1x Critical, 3x Important, 3x Moderate)

Adobe ColdFusion: 3x Priority 2 vulnerabilities (3x Critical)

Adobe Flash Player: 1x Priority 1 vulnerability (1x Critical)

If you use Adobe ColdFusion, please apply the necessary updates as soon as possible. For that product, as per Adobe’s advisory, please make certain the Java JDK/JRE in use on the server is fully up to date in order to fully secure it. Please install the remaining updates for Campaign and Flash Player as soon as possible since they also resolve critical vulnerabilities.

For Microsoft; this month’s list of Known Issues is available within their monthly summary page and applies to all currently supported operating systems. Not all issues have workarounds at this time. Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows 8.1 and Windows Server 2012 R2 list known issues with McAfee products and should refer to the guidance linked to by Microsoft within the above linked to attempt to workaround these issues:

4493730                Windows Server 2008 Service Pack 2 Servicing stack update

4503027                Exchange Server 2019, Exchange Server 2016

4503028                Exchange Server 2010 Service Pack 3, Exchange Server 2013

4503263                Windows Server 2012 (Security-only update)

4503267                Windows 10, version 1607, Windows Server 2016

4503276                Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

4503279                Windows 10, version 1703

4503284                Windows 10, version 1709

4503285                Windows Server 2012 (Monthly Rollup)

4503286                Windows 10, version 1803

4503290                Windows 8.1 Windows Server 2012 R2 (Security-only update)

4503291                Windows 10

4503292                Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Security-only update)

4503293                Windows 10, version 1903

4503327                Windows 10, version 1809, Windows Server 2019

US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

For this month’s Microsoft updates, I will prioritize the order of installation below:
Microsoft Edge and Internet Explorer: CVE-2019-1038

Microsoft Speech API Remote Code Execution Vulnerability: CVE-2019-0985

Microsoft Scripting Engine:















Windows Hyper-V Remote Code Execution Vulnerability: CVE-2019-0709 , CVE-2019-0722 , CVE-2019-0620

ActiveX Data Objects (ADO) Remote Code Execution Vulnerability: CVE-2019-0888

Windows Task Scheduler: CVE-2019-1069 (disclosed by SandboxEscaper)

Windows AppX Deployment Service (AppXSVC): CVE-2019-1064 (disclosed by SandboxEscaper)

Windows Shell: CVE-2019-1053 (disclosed by SandboxEscaper)

Windows Installer: CVE-2019-0973 (disclosed by SandboxEscaper)

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

A new version of VLC is available for Apple macOS, Linux, Windows (desktop and Windows Store), Google Android and Apple iOS with some great performance improvements and resolving 33 security vulnerabilities (2 of which are high severity) as a result of the EU-FOSSA bug bounty programme which opened in January this year.

Further details are below:

Version has since been released to resolve other non-security issues. The most recent version can be downloaded from:

Mozilla Firefox
Yesterday (11th June), Mozilla released Firefox 67.0.2 to address a single moderate severity vulnerability.

Further to the above updates, on the 18th and the 20th June; Mozilla issued 2 updates for Firefox version 67.0.3 (ESR (Extended Support Release) 60.7.1) and 67.0.4 (ESR 60.7.2) to resolve 2x critical zero day (defined) vulnerabilities actively being exploited in the wild.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

Google Chrome:
Google released Google Chrome version 75.0.3770.80 to address 42 vulnerabilities in early June.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

Earlier this month VMware published a security advisory to address a single Important severity vulnerability in VMware Tools for Linux and Windows.

If you use VMware Tools on Linux or Windows, please review the security advisory and apply the necessary updates.

The retro gaming and legacy software emulator DOSBox in late June released an update to correct vulnerabilities discovered during a small code audit.

2 CVEs (CVE-2019-7165 and CVE-2019-12594) were assigned (that resolve critical vulnerabilities with CVSS 3.0 (defined) base scores of 9.8) but more out of bound access and buffer overflows (defined) were also resolved. Further details are available in their news post dated, 26th June 2019.

If you use DOSBox, please consider upgrading to version 0.74-3 which also includes many fixes for non-security bugs. The new version is available from here.

Thank you.

Microsoft re-issues warning to patch BlueKeep Vulnerability

Update: 12th November 2019
Exploitation of the BlueKeep vulnerability has recently began. Please make certain your systems are updated. More details are available in my follow up post.

Thank you.

Update: 11th September 2019
Late last week Metasploit released a public exploit for the BlueKeep vulnerability. While this is a significant development in easing its use for a more widespread audience it was deliberately created with a safeguard of “The exploit does not currently support automatic targeting; it requires the user to manually specify target details before it will attempt further exploitation”

This means that the exploit cannot propagate on a large scale upon successfully exploiting a system within a wider network. The exploit was only created with the intention of identifying the affected operating system and whether that system is likely to be vulnerable.

How can I protect my organisation or myself from this vulnerability?
The BinaryEdge team is currently detecting more than 1 million un-patched systems on the internet. As per previous advice below, please make certain your Windows based servers and client/workstation systems are up to date (download links are provided in the original post below).

Thank you.

Update: 19th August 2019
In late July the Watchbog malware incorporated a scanning module to detect the presence of the BlueKeep vulnerability. In addition, an exploit for the vulnerability was added to a high value commercial penetration (pen) testing tool.

These indications continue to keep BlueKeep in the spotlight continuing to emphasise the need to patch or mitigate it as soon as possible. Advice for scanning a corporate network for the presence of this vulnerability is available from this SANS forum thread.

Thank you.

Update: 30th June 2019
A Microsoft employee (Raviv Tamir, Group Program Manager, Microsoft Threat Protection) has provided an update on the global status of patching the BlueKeep vulnerability. The most recent update is from 20th June; at 83.4% coverage an increase from 72.4% on 5th June and 57% on May 30th.

Keep up the great work. Thank you.

Update: 21st June 2019
The current situation with the BlueKeep vulnerability continues to increase in scope with Windows 2000 and it’s server variants (Windows 2000 Server, Advanced Server and Datacentre Server) now confirmed as vulnerable after the Department of Homeland Security (DHS) created a working BlueKeep exploit. Given that Windows Server 2003 and XP share much of their codebase with Windows 2000; this announcement isn’t entirely surprising. Microsoft separately confirmed there are no plans to issue updates for Windows 2000.

For any business or consumer still using Windows 2000; they have much more than just this vulnerability to be concerned about given that there have been no security updates since July 2010. The advice is as always to upgrade to supported version of Windows:

Thank you.

A BlueKeep short story:
Separately; last weekend I had the opportunity to “practice what I preach” when a friend came to me with a Windows XP laptop dating back to 2008. Surprisingly it was in almost new condition and was remarkably fast to use given it’s age. It had an Intel Core Solo CPU and 2 GB of RAM.

He no longer uses it online preferring an iPad Pro instead but needs to keep it online within his home network to administer his security single CCTV camera using an application (strangely the camera isn’t administered via a web browser). He had heard about BlueKeep and wondered could I patch it for him?

The laptop was connected via Ethernet to his router. I had asked him to send me a photo of the installed programs on the computer to see what I was going to deal with. I found the system had Windows XP SP3 (but no further updates), Office 2007, Adobe Reader 10 and VLC 1.1.5.

The Windows firewall was enabled and set to default settings. I verified using Nmap that port 3389 and other commonly exploitable ports like 445 (SMB) and Telnet (23); weren’t open.

Installed almost 150 updates for Windows XP using Microsoft Update ( , installed SP3 for Office 2007 and a further 37 updates for it after SP3.

Next, I installed Adobe Reader 11.0.10 and VLC I also installed the 13 updates from Microsoft for Windows XP in 2017 (resolving DoublePulsar and EternalBlue; among others) and finally the BlueKeep security update. In less than 2 hours of me just reviewing the results of update checks and some very quick update installs his system was patched and continued to work perfectly.

From past experience of manually removing malware from really old systems this laptop was far better than expected. All of the updates installed quickly and with no errors. I estimate more than 1000 CVEs were resolved by the updates I installed.

He easily committed to continue not using it for website or email access since his iPad Pro fulfills that role and is faster. He was impressed that the laptop continues to work perfectly despite the vast number of updates it received.

Finally; yes I realize I should suggest upgrading from Windows XP but he doesn’t use the system for online use; just inside his network. His router is adequately protecting his network with it’s settings and most recent firmware updates installed. Given this use case and surrounding infrastructure; I see the risk as minimal. Plus he also told the system doesn’t have important data on it; he just wanted it patched in order to keep using it uninterrupted.

A really good outcome; case closed 😊

Update: 12th June 2019
Install the RDP patch (links below) if you have not already done so. Use the paid-for micropatch if you can’t take a system offline to reboot it. If you can’t do either of these follow Microsoft’s or the NSA’s advice to mitigate the vulnerability.

Microsoft on the 31st of May re-iterated it’s warning to patch vulnerable systems as soon as possible.

Meanwhile; multiple proof of concepts of who to exploit the vulnerability have been developed by security researchers:

This story continues with another security researcher creating a proof of concept Metasploit exploit for this vulnerability. The exploit works on Windows XP, Windows 7, Server 2008 and Server 2008 R2. Windows Server 2003 has the RDP vulnerability but the vulnerability couldn’t be exploited.

The NSA have since issued an advisory in addition to the two notifications from Microsoft linked to above.

For systems which cannot spare the down-time needed to reboot after installing the Microsoft patch, a micropatch from 0Patch is available for their Pro version subscribers:

As a proof of concept of how long it may take to patch a system; I used a VMware snapshot taken from a test Windows XP SP3 system I used back in 2012. The installation had no updates apart from SP3. After 40 minutes; all missing patches (2008 – 2014), the updates from 2017 (resolving EternalBlue; amongst others) and this year’s RDP update were installed. Patching the RDP vulnerability took less than a minute (including the restart and start-up of the system).

I repeated the above using the Automatic Updates feature of Windows XP. I was able to full patch the system in 30 minutes.

Systems which are better maintained than this would easily take less time (even if patched manually like I did); especially if tools such as WSUS or SCCM are used where vast number of systems can be patched very quickly.

Thank you.

Original Post: 4th June
Earlier this month Microsoft issued an update to resolve a critical vulnerability in Remote Desktop Services making use of the RDP protocol, port 3389.

TL DR: If you use Windows 7, Windows Server 2008 R2 or Windows Server 2008, if you have not done so already, please install this update. For Windows XP (all versions), Server 2003 (all versions) and Windows Vista; the necessary updates are available here.

Why should this vulnerability be considered important?
As Microsoft reminded us when issuing the patch; this vulnerability requires no authentication or user interaction. It has the potential to spread just like the WannaCry and NotPetya infections did in 2017. Windows 8.1 and Windows 10 (and their Server equivalents) are NOT vulnerable.

Robert Graham from Errata Security on the 28th of May issued a report of the scan results from a widespread scan of the internet. He found approximately 950,000 vulnerable systems.

How can I protect my organisation or myself from this vulnerability?
The easiest method is to install the update available from Microsoft.

For Windows Server 2003, Windows XP and Windows Vista; the update must be manually downloaded and installed from this link below since this update was not made available by the previous automatic mechanisms these versions of Windows had namely, Microsoft Update, Automatic Updates and Windows Update.

If you cannot install this security update; you can protect from this vulnerability by following the Workarounds listed in this link. Further explanation from Microsoft is also available from this link.

Microsoft on the 30th and 31st of May re-iterated it’s warning to patch vulnerable systems as soon as possible. Meanwhile; at least proof of concepts of who to exploit the vulnerability have been developed by at least 3 security researchers.

Thank you.

NoScript Extension Made Available for Google Chrome

In early April the very well-known Firefox extension NoScript became available for Google Chrome. This extension should still be considered beta as detailed in this ZDNet article but it’s fast approaching a stable status expected later this month.

This extension helps to reduce the attack surface of your web browser by only executing (allowing to run) JavaScript (defined) for the websites that you have allowed. This reduces the possibility of exploitation of vulnerabilities and reduces/eliminated online adverts. Unfortunately, due to limitations within Chrome; the anti-XSS (cross site scripting)(defined) filter of NoScript cannot be implemented at this time). Further background on NoScript is available from here.

Thank you.