Monthly Archives: July 2019

When vulnerability disclosure goes wrong

Four weeks ago, a new critical vulnerability was reported in the widely used VideoLAN VLC Media Player. At the time no fix was available.

Earlier today, key developers from VideoLAN analysed the bug report and found that the exploit simply causes a memory leak which does not always crash the player. At no time was this behaviour exploitable by an attacker; it was simply a non-security code issue.

After further analysis it was determined that the issue lay within a 3rd party library, libebml. Version 1.3.6 resolves the reported issue and was shipped with VLC version 3.0.3 (in May 2018). The release notes from that time state “Numerous 3rd party libraries updated, fixing security issues”.

The above bug report was interesting since numerous technology news websites and even CERTs had incorrectly warned of the vulnerability and stated that a fix was 60% complete (it is unknown how that figure was obtained).

It demonstrates how quickly the report of an issue can spread long before anyone has worked on it and verified its legitimacy. After analysis by key VLC developers, there wasn’t an issue at all in updated versions of VLC.

This is really unfair to VideoLAN. They received a lot of negative press for an issue that wasn’t their fault. The truth of the matter is that nobody checked the claims of the person disclosing it before going to the media, and the original reporter of the vulnerability disclosed it on a public forum rather than privately to VideoLAN.

Today demonstrates how NOT to disclose a vulnerability.

Please find below the link to the bug report, the full details provided by VideoLAN on their Twitter account, and further background information:

https://trac.videolan.org/vlc/ticket/22474

https://twitter.com/videolan/status/1153963312981389312

https://portswigger.net/daily-swig/vlc-developer-debunks-reports-of-critical-security-issue-in-open-source-media-player

Thank you.

Logitech Unifying Receiver Vulnerabilities

====================
Update: 12th August 2019
====================
When the updates from Logitech are available, the links will be placed within the following forum thread:

https://support.logi.com/hc/en-001/community/posts/360033207154-Logitech-Unifying-Receiver-Update

====================
Original Post
====================
Earlier this week a security researcher responsibly disclosed 4 new vulnerabilities within Logitech products that use the USB Unifying receiver (a small black dongle with an orange star on it).

====================
TL;DR:
An attacker would need to be within range of the Unifying receiver (approx. 30 metres) to exploit some of these vulnerabilities. Others require physical access. For compatibility reasons, Logitech will only be patching 2 of these vulnerabilities in August 2019. To remain secure, you will need to physically secure the presentation clicker, mouse or keyboard from an attacker (see the FAQ linked to below for specifics) or use a wired keyboard or mouse.
====================

Why should these vulnerabilities be considered important?
Before discussing the results of successfully exploiting these vulnerabilities, note that an attacker first needs either to be nearby (approximately 30 metres) or to have physical access to your Logitech Unifying receiver (sometimes for only a very short time) and preferably to the device connected to it too.

The researcher’s GitHub page discusses all of the vulnerabilities (numbered 1 to 7).

Vulnerability 1 and vulnerability 7 don’t require physical access to the Logitech receiver or device but would require that the attacker is nearby (approximately 30 metres).

Vulnerability 4 needs physical access for part of the exploit to work. Using these vulnerabilities an attacker could inject arbitrary keystrokes into an affected receiver (leading to remote code execution), decrypt keyboard input and force a new device of the attacker’s choice to pair so that its keystrokes are sent to your system.

====================

Effects of exploiting:

Vulnerability 1: keystroke injection

Vulnerability 2: keystroke injection (patched in 2016; see my original post on this)

Vulnerability 3: keystroke injection

Vulnerability 4: keystroke injection and disclosure of the per-device link-encryption keys (the attacker could decrypt the data being sent between the receiver and the device)

Vulnerability 5: same as 4

Vulnerability 6: smaller scale keystroke injection and disclosure of link encryption keys of all paired devices

Vulnerability 7: Forced pairing of a device of the attacker’s choice to use for keystroke injection

====================

How can I protect my organisation or myself from these vulnerabilities?
If your device offers a Bluetooth connection, switch to using it rather than the USB dongle. However, this workaround is not without potential drawbacks. Nothing is ever totally secure, and Bluetooth has had some notable vulnerabilities in recent years (BlueBorne, side channel attacks (defined) and BleedingBit).

If you have not already done so, check whether the update released in 2016 for your Logitech Unifying receiver (the USB dongle) has been applied. My post written back in 2016 provides all of the details to update affected devices.

Of the 4 remaining vulnerabilities disclosed this week, only 2 will be patched by Logitech. If they were to fix all 4, this would result in compatibility issues between devices and receivers.

Please refer to the security researcher’s GitHub page frequently, as further details and notifications of updates will be placed there.

Heise.de (a German website) details how to physically secure your Logitech devices against this; I have Google Translated the relevant section:

====================
“The necessary protective measures make it particularly difficult to work in a professional environment, as it can often not be guaranteed that no unauthorized persons can access the USB receiver, which is usually located at the back of the computer. An attacker only needs an unobserved moment and a few seconds to access the receiver in order to permanently attack the radio connection from a distance. If you want to be on the safe side, you should take the Unifying receiver off the computer and take it with you. Basically, one should ask oneself whether it has to be a wireless keyboard or mouse at all, because the safest thing is still a cable connection.”

Copyright © 2019 Heise Media
====================

My sincere thanks to Heise for this very useful explanation.

The other remaining, and possibly the easiest, method to remain fully secure is to use a wired keyboard and mouse, but I realise that for laptop users or those who use presentation clickers this really isn’t an option.

I own a lot of Logitech wireless mice; all with the Unifying receiver. I patched them all back in 2016. I will be patching them again as soon as possible and taking the receivers with me when away from my systems (not sure how I will tell which is which but I will come up with some means of telling them apart).

Thank you.

July 2019 Update Summary

As predicted, earlier today Adobe and Microsoft made available their usual monthly security updates, addressing 5 and 77 vulnerabilities (respectively), more formally known as CVEs (defined):

====================
Adobe Bridge CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Dreamweaver: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Experience Manager: 3x Priority 2 vulnerabilities resolved (2x Important, 1x Moderate severity)

If you use any of these Adobe products, please apply the necessary updates as soon as possible.

====================
This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. Not all issues have workarounds at this time. Just like last month, Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows Server 2012 R2 list known issues with McAfee products; please refer to the guidance Microsoft links to within the pages below to attempt to work around these issues:

4493730: Servicing stack update for Windows Server 2008 SP2

4507434: Internet Explorer 11

4507435: Windows 10, version 1803

4507448: Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

4507449: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)

4507450: Windows 10, version 1703

4507453: Windows 10, version 1903, Windows Server version 1903

4507455: Windows 10, version 1709

4507457: Windows 8.1, Windows Server 2012 R2 (Security-only update)

4507458: Windows 10

4507460: Windows 10 1607 and Windows Server 2016

4507462: Windows Server 2012 (Monthly Rollup)

4507464: Windows Server 2012 (Security-only update)

4507469: Windows 10, version 1809, Windows Server 2019

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================

Zero-day (defined) vulnerabilities:
CVE-2019-1132 – Win32k Elevation of Privilege Vulnerability

CVE-2019-0880 – Microsoft splwow64 Elevation of Privilege Vulnerability

====================
Critical
====================
CVE-2019-0785 – Windows DHCP Server Remote Code Execution Vulnerability

CVE-2019-1072 – Azure DevOps Server and Team Foundation Server Remote Code Execution Vulnerability

CVE-2019-1056 – Scripting Engine

CVE-2019-1106 – Scripting Engine

CVE-2019-1092 – Scripting Engine

CVE-2019-1103 – Scripting Engine

CVE-2019-1107 – Scripting Engine

CVE-2019-1062 – Scripting Engine

CVE-2019-1004 – Scripting Engine

CVE-2019-1001 – Scripting Engine

CVE-2019-1063 – Internet Explorer Memory Corruption Vulnerability

CVE-2019-1104 – Microsoft Browser Memory Corruption Vulnerability

CVE-2019-1102 – GDI+ Remote Code Execution Vulnerability

CVE-2019-1113 – .NET Framework Remote Code Execution Vulnerability

Servicing Stack Update

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates, to prevent data loss in the rare event that an update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Mozilla Firefox
=======================
Today, Mozilla released Firefox 68.0 to address the following vulnerabilities and to introduce new features:

Firefox 68.0: Resolves 2x critical CVEs (defined), 3x high CVEs, 10x moderate and 4x low CVEs

Firefox 60.8 ESR (Extended Support Release): Resolves 1x critical CVE, 4x high CVEs and 5x moderate CVEs

Firefox now also includes cryptomining and fingerprinting protections and improved add-on security (my thanks to Softpedia for this information; more details on other security features are here).

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice and you have not already done so, please update it as soon as possible to benefit from the above changes.

=======================
VMware ESXi
=======================
Earlier today VMware made available an update for ESXi version 6.5. Version 6.0 is unaffected and a patch for 6.7 is pending. This update resolves a denial of service vulnerability.

If you use VMware ESXi, please update when you can.

Thank you.