Category Archives: Security Vulnerabilities

Posts that discuss security vulnerabilities (for both software and hardware) and how best to respond to them.

December 2018 Update Summary

Earlier today Microsoft and Adobe made available monthly updates addressing 39 vulnerabilities and 88 vulnerabilities (more formally known as CVEs (defined)) respectively. As always; more information is available from Microsoft’s monthly summary page and Adobe’s blog post.

While Adobe’s update addresses a large number of vulnerabilities; Microsoft’s released updates are fewer in overall vulnerabilities and should be considered light when compared to some months this year. If you use Adobe Flash Player, if you have not already done so; please ensure it is up to date (version 32.0.0.101). They addressed a zero day (defined) vulnerability with that update earlier this month which was in use by an APT group (defined in this context it is an organised group making use of zero day vulnerabilities).

Unfortunately; Microsoft’s updates also come with a list of Known Issues that will be resolved in future updates. They are listed below for your reference:

KB4471318: Windows 7 SP1 and Windows Server 2008 R2 SP1 : Workaround provided

KB4471321 : Windows 10, Version 1607Windows Server 2016 : resolutions are in progress

KB4471324 Windows 10, Version 1803 : resolution in progress

KB4471327 : Windows 10, Version 1703 : resolution in progress

KB4471329 Windows 10, Version 1709 : resolution in progress

As briefly mentioned above Adobe issued updates for Adobe Acrobat and Reader:

Adobe Acrobat and ReaderPriority 2: Resolves 40x Critical CVEs ands 48x Important CVEs

If you use Adobe Acrobat or Reader, please update it as soon as possible especially given the large number of critical vulnerabilities that were patched.

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

CVE-2018-8611 : Windows Kernel (defined) (this vulnerability is already being exploited)

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Please find below summaries of other notable updates released this month.

Thank you.

=======================
Mozilla Firefox
=======================
Also earlier today Mozilla made available security updates for Firefox and Firefox ESR (Extended Support Release):

Firefox 64: Resolves 2x critical CVEs (defined), 5x high CVEs, 3x moderate CVEs and 1x low CVE

Firefox ESR 60.4: Resolves 1x critical CVE, 4x high CVEs and 1x low CVE.

Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
Google released Google Chrome version 71.0.3578.80 to address 43 vulnerabilities.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

Oracle VirtualBox Zero Day Disclosed

In early November a security researcher publicly disclosed (defined) a zero day (defined) vulnerability within Oracle’s VirtualBox virtualisation software.

How severe is this vulnerability?
In summary; this vulnerability is serious but it could have been worse. In order to exploit it, an attacker would first need to have obtained elevated privileges on your system; root (defined) in the case of Linux and administrator (defined) in the case of Windows. Using this privilege the attacker can leverage the exploit to escape from the confines of the virtual machine (VM)(defined) into the system which hosts the virtual machine (in other words; the system which houses the virtual machine within its physical infrastructure). Once outside of the virtual machine the attacker must then elevate their privileges again since breaking out of the VM only gives them user level/standard privileges and not elevated privileges in the physical system. Thus the attacker would then need to use a separate exploit for another vulnerability (not related to this VirtualBox flaw) to elevate their privileges again to become root/admin within the physical system.

Obviously; the consequences of exploiting this vulnerability on a shared service/cloud infrastructure system would be more serious since multiple users would be affected all at once and the further exploitation of the resulting host systems could potentially provide the attacker with control over all the virtual machines.

How can an attacker exploit this vulnerability?
VirtualBox makes use of the Intel Pro/1000 MT Desktop (82540EM) network adapter to provide an internet connection to the virtual machines it manages. The attacker must first turn off this adapter in the guest (virtualised) operating system. Once complete they can then load a custom Linux kernel module (LKM)(defined) (this does not require a reboot of the system). That custom LKM contains the exploit derived from the technical write up provided. That new LKM loads its own custom version of the Intel network adapter. Next the LKM exploits a buffer overflow (defined) vulnerability within the virtualised adapter to escape the guest operating system. The attack must then unload the custom LKM to re-enable the real Intel adapter to resume their access to the internet.

How can I protect myself from this vulnerability?
While this is a complex vulnerability to exploit (an attacker would need to chain exploits together in order to elevate their privilege on the host system after escaping the VM), the source code needed to do so is available in full from the researcher’s disclosure; increasing the risk of it being used by attackers.

At the time of writing; this vulnerability has not yet been patched by VirtualBox. It affects versions 5.2.20 and earlier when installed on Ubuntu version 16.04 and 18.04 x86-64 guests (Windows is believed to be affected too). While a patch is pending; you can change the network card type to PCnet or Para virtualised Network. If this isn’t an option available or convenient for you; you can an alternative to the NAT mode of operation for the network card.

Thank you.

November 2018 Update Summary

Yesterday Microsoft and Adobe published their routine monthly updates resolving 62 and 3 vulnerabilities (more formally known as CVEs (defined)) respectively. More information is available from Microsoft’s monthly summary page and Adobe’s blog post.

Microsoft’s updates also come with a list of Known Issues that will be resolved in future updates. They are listed below for your reference:

KB4467691

KB4467696

KB4467686

KB4467702 (file type association issue to be resolved later in November 2018)

KB4467107

As summarized above; Adobe issued 3 updates for the following products:

Adobe Acrobat and Reader: Priority 1: Resolves 1x Important CVE (see also this page for a Windows 10 additional mitigation)

Adobe Flash Player: Priority 2: Resolves 1x Important CVE

Adobe Photoshop CC: Priority 3: Resolves 1x Important CVE

As per standard practice if you use any of the above Adobe software, please update it as soon as possible especially in the case of Acrobat DC and Reader DC due to the public proof of concept code released.

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Windows Kernel (a zero day (defined) vulnerability in Windows Server 2008, Server 2008 R2 and Windows 7)

Microsoft Dynamics 365

Windows Deployment Services (if used within your organization)

Microsoft Office (11x CVEs + 3x further CVEs in Office SharePoint)

Windows VBScript

Microsoft Graphics Component

Microsoft Bitlocker

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Please find below summaries of other notable updates released this month.

Thank you.

=======================
Nvidia Graphics Drivers:
=======================
A low severity vulnerability (this is a local rather than a remotely exploitable vulnerability) with a CVSS V3 (defined) base score 2.2 had been found within Nvidia’s graphics card drivers (defined). At the time of writing no fix is yet available but will address it in a future driver release. Please monitor their security advisory for further updates.

Retpoline To Improve Windows 10 Performance Following Spectre Vulnerability

Alex Ionescu, a Windows Internals expert and Security Architect with CrowdStrike in mid-October provided new insight into performance improvements coming to the next update of Windows, namely 19H1 or Version 1903:

With performance decreases estimated to be up to 30% in the worst-case scenarios while mitigating the Spectre vulnerabilities earlier this year; the upcoming version of Windows will add Google’s Retpoline instructions to improve performance:

Such instructions are already present in Red Hat, SUSE and Oracle Linux 6 and 7. Ionescu revealed that performance was significantly improved while trusting the newer version of Windows 10. Moreover; Spectre variant 2 (CVE-2017-5715) will now be fully mitigated even if your hardware was not updated to support indirect branch restricted speculation (IBRS); making it more secure. In his words “On systems without IBRS, Windows won’t flush the BPB on kernel->user transitions. This opens up a potential security issue for CPUs without microcode that implements IBRS”.

He also confirmed that Retpoline is enabled on systems with indirect branch prediction barrier (IBPB). This will protect such systems from kernel to user transitions where currently no protection exists. Finally he asked that Retpoline be back ported earlier (but currently supported) versions of Windows since systems without IBRS are “sitting ducks”:

These changes were also announced by a Microsoft engineer, Mehmet Iyigun working within the Windows and Azure kernel team.

In April 2019 we can look forward to a more secure and faster version of Windows. I’m particularly pleased to learn this since my water cooled Intel processor; an 18 core (36 thread) Core i9 7980XE has received full protection from Spectre in the form of IBRS and IBPB from the motherboard vendor. Performance impact has been minimal but any increase in performance is welcomed for my donations to Stanford’s Folding@Home project.

More info on IBRS and IBPB is available from this link. Thank you.

Windows Data Sharing Service Zero Day Disclosed

In late October, a new Windows zero day vulnerability (defined) was publicly disclosed (defined) by the security researcher SandboxEscaper (the same researcher who disclosed the Task Scheduler zero day in early September. This vulnerability affects a Windows service; Data Sharing Service (dssvc.dll) present in Windows 10 and its Server equivalents 2016 and 2019. Windows 8.1 and Windows 7 (and their Server equivalents (Windows Server 2008 R2, Windows Server 2012 R2) are not affected.

How severe is this vulnerability and what is its impact?
Similar to the Task Scheduler vulnerability; this vulnerability is not remotely exploitable by an attacker (more on this below). This vulnerability should be considered medium but not critical severity. When exploited it can allow an attacker to delete any files they choose since they will inherit the same level of permission (privilege escalation)(defined) as the Data Sharing Service namely LocalSystem privileges (the highest level of privilege)(defined) but they cannot initiate this automatically/remotely. They must socially engineer a potential victim into opening an attachment (most likely sent over email or via instant messaging etc.).

As with the Task Scheduler vulnerability; this vulnerability may be leveraged in the wild before it is patched by Microsoft; this is my reason for advising exercising caution with email and clicking unexpected links.

While security researchers such as Will Dorman (mentioned above) and Kevin Beaumont were successful in verifying the proof of concept code worked. They class the vulnerability difficult to exploit. This was verified by Acros Security CEO Mitja Kolsek noting he could not find a “generic way to exploit this for arbitrary code execution.” Indeed, SandboxEscaper described the vulnerability as a low quality bug (making it a “pain” to exploit). Tom Parson’s from Tenable (the vendor of the Nessus vulnerability scanner) summed it nicely stating “to put the threat into perspective, an attacker would already need access to the system or to combine it with a remote exploit to leverage the vulnerability”.

The vulnerability may allow the attacker to perform DLL hijacking (defined) by deleting key system DLLs (defined) and then replacing them with malicious versions (by writing those malicious files to a folder they have now have access to). Alternatively this functionality could be used to make a system unbootable by for example deleting the pci.sys driver. This has earned the vulnerability the name “Deletebug.”

How can I protect my organization/myself from this vulnerability?
As before with the Task Scheduler vulnerability; please continue to exercise standard vigilance in particular when using email; e.g. don’t click on suspicious links received within emails, social media, via chat applications etc. Don’t open attachments you weren’t expecting within an email (even if you know the person; since their email account or device they access their email from may have been compromised) and download updates for your software and devices from trusted sources e.g. the software/device vendors. This US-CERT advisory also provides advice for safely handling emails.

If you choose to; the firm 0patch has issued a micro-patch for this vulnerability. They developed the fix within 7 hours of the vulnerabilities disclosure. It blocks the exploit by adding impersonation to the DeleteFileW call. This was the same firm who micro-patched the recent Windows Task Scheduler vulnerability and JET vulnerabilities. Moreover; this vulnerability may be patched tomorrow when Microsoft releases their November 2018 updates.

As with the above mitigations; if you wish to deploy this micropatch please test how well it works in your environment thoroughly BEFORE deployment.

It can be obtained by installing and registering 0patch Agent from https://0patch.com Such micropatches usually install and need no further action when Microsoft officially patches the vulnerability since the micropatch is only active when a vulnerable version of the affected file is used; once patched the micropatch has no further effect (it is then unnecessary).

Thank you.

TLS 1.0 and 1.1 Upcoming End of Support Announced

Early last week saw a coordinated effort from almost major browser vendor to follow the guidelines of the PCI-DSS standard and to end support for TLS 1.0 and 1.1

Why should this change be considered relevant?
Each of the browser vendors have worked together to create a definite timeline (starting in 2020 and complete by July 2020) for the end of support of these now obsolete security protocols. TLS 1.0 is almost 20 years old and is no longer PCI-DSS compliant.  Separately TLS 1.1 is more than 10 years old. They both contain known vulnerabilities e.g. BEAST (an attack), DROWN or FREAK (both downgrade attacks) etc. use insecure hash functions (e.g. MD5 and SHA-1) and receive very little use today:

0.4% from Apple Safari (<0.36% for all connections) (Source: WebKit)

0.5% for Google Chrome (Source: Google)

1.2% of Firefox Beta 62 during the time August-September 2018 (Source: Mozilla)

0.72% for Microsoft Edge (Source: Microsoft)

More modern standard e.g. TLS 1.2 offers improved performance when used with HTTP/2 and are PCI-DSS compliant. Moreover, it doesn’t suffer from all of the vulnerabilities affecting prior versions and includes stronger alternatives to older hash functions e.g. ECDHE_RSA_WITH_AES_128_GCM_SHA256 .

What does the future hold?
Following the recent deprecation of any standard of TLS older than 1.2 on the 30th of June this year due to the mandate set by the PCI Security Standard Council has steadily seen the increase of the recently ratified TLS 1.3 (in April 2018) but defined within (Request for Comments) RFC 8446 in August. This is in part due to a change by Mozilla to Firefox in April and the adoption of the newest standard by some popular websites e.g.:

Google’s Gmail (although the newer standard isn’t always enabled)

https://www.bleepingcomputer.com/

https://www.securityweek.com/

https://nakedsecurity.sophos.com

https://www.theregister.co.uk/

https://www.wordpress.com (which also includes this blog you are reading!)

The OpenSSL Foundation added full TLS 1.3 support to their popular cryptographic library OpenSSL with the release of version 1.1.1 in September 2018. OpenSSL are further driving adoption of the newest standard by ending support for the current long term support (LTS) version 1.0.2 by the end of 2019 (with it only receiving security updates after the 31st December 2018).

The increase in traffic is best illustrated by Mozilla showing approaching 6% usage for Firefox Beta 62 during the time August-September 2018. Such an increase is really good news for the security of the Internet specifically any online service that requests personal information and e-commerce websites in particular.

For more information on which web browsers support TLS 1.3, please see this link with a table from Salesforce illustrating browser support for TLS 1.2 here.

Thank you.

WD Releases My Cloud NAS Firmware Updates

In the first half of 2017 I posted about vulnerabilities being publically (defined) within Western Digital (WD) My Cloud NAS devices. This vulnerability was designated as CVE-2018-17153 (defined).

Why should this vulnerability be considered important?
The vulnerability is relativity easy for an attacker to exploit without them needing to authenticate/login to the device. They need only to set the username=admin’ cookie to obtain admin/privileged access to the device due to a network CGI (defined) module containing a command that begins an administrative session tied to the IP address of the device but the attacker must first set bind the admin session to the IP address. They only then need to call the remote system and authenticate using the cookie with the value set (as detailed above).

Of even more concern than above; an attacker could leverage this vulnerability using a CSRF (CSRF, defined here and here)) attack within a malvertising (malicious adverts) (defined) campaign allowing them to compromise WD devices which are not connected to the internet. Separately; there was more than security researcher who discovered this vulnerability; I previously mentioned a researcher by the name of Zenofex; who not only contacted WD but the company refused to acknowledge r fix the issues raised. The group Zenofex is part of disclosed the vulnerability (along with other security concerns) during the Def Con security conference in 2017 and created a Metasploit module (defined). In mid-September it was estimated that there were more than 1,800 vulnerable WD devices visible online.

How can I protect myself from this vulnerability (and the other security concerns raised)?
If you own any of the devices listed below; please follow the links below to download and install updated firmware using the steps that WD provides:

Many thanks to BleepingComputer.com for these convenient links.

=======================

The firmware updates resolve many than the vulnerability discussed above (the updated OpenSSL, OpenSSH, jQuery and libupnp will also have significant security improvements). For example, please find below the list for the “My Cloud FW 2.31.149”:

Security Fixes

  • Resolved multiple command injection vulnerabilities including CVE-2016-10108 and CVE 2016-10107.
  • Resolved multiple cross site request forgery (CSRF) vulnerabilities.
  • Resolved a Linux kernel Dirty Cow vulnerability (CVE-2016-5195).
  • Resolved multiple denial-of-service vulnerabilities.
  • Improved security by disabling SSH shadow information.
  • Resolved a buffer overflow issue that could lead to unauthenticated access.
  • Resolved a click-jacking vulnerability in the web interface.
  • Resolved multiple security issues in the Webfile viewer on-device app.
  • Improved the security of volume mount options.
  • Resolved leakage of debug messages in the web interface.
  • Improved credential handling for the remote MyCloud-to-MyCloud backup feature.
  • Improved credential handling for upload-logs-to-support option.

Components Updated

  • Apache – v2.4.34
  • PHP – v5.4.45
  • OpenSSH – v7.5p1
  • OpenSSL – v1.0.1u
  • libupnp – v1.6.25 (CVE-2012-5958)
  • jQuery – v3.3.1 (CVE-2010-5312)

=======================

If firmware is not yet present for your WD My Cloud NAS device, please follow the recommended steps from my previous post on WD My Cloud devices. Protecting these devices is especially important since NAS devices are often used for backups and to store precious/valuable data. Please also contact WD Customer Service to enquire about an update becoming available for your device.

Thank you.