Category Archives: Security Vulnerabilities

Posts that discuss security vulnerabilities (for both software and hardware) and how best to respond to them.

May 2020 Update Summary

I hope this post finds you doing well in these difficult times.

I’m writing this post early to highlight the availability of 2 important updates, for Mozilla Firefox and Google Chrome. I’ll update the post when Adobe and Microsoft release their expected security updates.

Thank you and please stay safe.

====================
Update: 19th May 2020
====================
Sorry for not updating this post sooner.

As scheduled both Adobe and Microsoft released their monthly security updates addressing 36 vulnerabilities and 111 vulnerabilities (respectively). These vulnerabilities are more formally known as CVEs (defined).

Adobe’s updates for this month are as follows:

Adobe Acrobat and Reader: 24x Priority 2 CVEs resolved (12x Critical and 12x Important severity)

Adobe DNG Software Development Kit (SDK): 12x Priority 3 CVEs resolved (4x Critical and 8x Important severity)

If you use the above Adobe products, please install these updates as soon as possible since both resolve multiple critical vulnerabilities. As in January, March and April, no updates for Adobe Flash were released.

====================
A further useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Windows Graphics Component: CVE-2020-1135

Visual Studio Code Python Extension: CVE-2020-1058, CVE-2020-1060, CVE-2020-1171, CVE-2020-1192

Microsoft Internet Explorer: CVE-2020-1062

VBScript Remote Code Execution Vulnerability: CVE-2020-1035

Microsoft Edge: CVE-2020-1056, CVE-2020-1059, CVE-2020-1096

Microsoft SharePoint: CVE-2020-1023, CVE-2020-1024, CVE-2020-1102

Windows kernel: CVE-2020-1054, CVE-2020-1143

Windows Media Foundation: CVE-2020-1126

Microsoft Color Management: CVE-2020-1117

Windows Print Spooler: CVE-2020-1048

Microsoft Windows Transport Layer Security Denial of Service Vulnerability: CVE-2020-1118

Please install the remaining updates at your earliest convenience.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications and devices below.

To all of my readers and your families, I hope you are staying safe during these challenging times. Thank you.

====================
Mozilla Firefox
====================
In the first week of May, Mozilla released Firefox 76 and Firefox ESR (Extended Support Release) 68.8 to resolve the following vulnerabilities:

Firefox 76.0: Addresses 3x critical severity CVEs, 2x high severity CVEs, 4x moderate CVEs and 1x low CVE

Firefox 68.8 ESR: Addresses 3x critical severity CVEs, 2x high severity CVEs and 2x moderate severity CVEs

Firefox 76 introduces a new password manager (with the ability to generate difficult to guess passwords) which can detect whether a saved password was part of a known password breach and now needs to be changed, or whether the same password is being used on multiple websites.

An improved picture in picture experience is also included. Firefox 76.0.1 has since been released resolving non-security issues such as crashing add-ons e.g. the Amazon Assistant extension and crashing with Nvidia GPU drivers on Windows 7 32 bit (my thanks to Bogdan Popa of Softpedia.com and Mozilla for this information).

====================
Google Chrome
====================
Early last week, Google released Chrome version 81.0.4044.138 for Linux, Mac and Windows to resolve 3 security vulnerabilities with the most severe 2 issues being of high severity.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

====================
VMware
====================
VMware have a single security advisory so far this month for the following product:

====================
Advisory 1: Severity: Critical
vRealize Operations Application Remote Collector (ARC)
====================
If you use the above VMware product, please review the above advisory and install the applicable security updates as soon as possible.

Citrix Patches Critical FileShare Vulnerabilities

====================
TL;DR
If you manage a non-cloud version of Citrix ShareFile, please make certain you are using a non-vulnerable version of the ShareFile storage zones Controller. Please refer to the following Citrix security bulletin for the appropriate guidance: https://support.citrix.com/article/CTX269106
====================
Adding to the challenges of current remote working, I wanted to provide awareness that Citrix has released a security bulletin to address 3 critical information disclosure vulnerabilities in their ShareFile content collaboration and file sharing tool:

Why should these vulnerabilities be considered important?
Given the high severity of these vulnerabilities, they may allow a threat actor who has not authenticated to the tool to access the contents of the files stored within it. The good news is that, at this time, these vulnerabilities are not yet being exploited.

What versions are affected?
From the Citrix security bulletin:

Customer-managed storage zones created using the following versions of the storage zones controller are affected:

• ShareFile storage zones Controller 5.9.0
• ShareFile storage zones Controller 5.8.0
• ShareFile storage zones Controller 5.7.0
• ShareFile StorageZones Controller 5.6.0
• ShareFile StorageZones Controller 5.5.0
• All earlier versions of ShareFile StorageZones Controller

Please also note that “Storage zones created using a vulnerable version of the storage zones controller are at risk even if the storage zones controller has been subsequently updated”.

How can I protect my organisation’s or my installation of this Citrix tool?
The good news is that Citrix is notifying customers and channel partners with customer-managed storage zone controllers about these security issues.

However, if for any reason they don’t notify your organisation, but you are using this Citrix tool, please apply the storage zone migration tool as soon as possible to the storage zone controllers managing each impacted storage zone by following the guidance within Citrix’s bulletin.

Microsoft security employee Nate Warfield has shared a Shodan (defined) query which may be of assistance in determining whether installations in the countries your organisation operates within are vulnerable to these issues.

Dimitri van de Giessen, an ethical hacker and system engineer, has shared a means of checking whether your Citrix ShareFile server is vulnerable (please substitute your Citrix ShareFile URL into the template he provides).

Thank you.

====================
My thanks to BleepingComputer for the initial notification of these vulnerabilities and their compilation of useful resources.

Pre-installed HP Support Assistant Vulnerabilities

====================
TL;DR
====================
If your corporate or personal Windows HP systems have HP Support Assistant installed, uninstall the software to fully mitigate these un-patched local elevation of privilege vulnerabilities. Alternatively continue to check for and install updates to the software until all vulnerabilities are patched.

====================
Background
In early April, security researcher Bill Demirkapi publicly disclosed (defined) details of 10 vulnerabilities he had discovered within HP’s Support Assistant software. He had reported these vulnerabilities in May 2019. HP issued an updated version in December 2019, but it does not resolve 4 local elevation of privilege vulnerabilities.

How serious are these vulnerabilities?
If an attacker had already compromised your system, they could exploit the remaining 4 vulnerabilities to escalate their privileges up to System (defined) level privileges. This would completely compromise a Windows system. Exploiting the other, less serious vulnerabilities will provide administrative access (defined).

How widespread is this software?
This software is installed on all HP systems sold after October 2012. These systems have Windows 7, Windows 8.1 and Windows 10 installed.

How can I protect my organisation or myself from these vulnerabilities?
It is first important to realise that a threat actor would need to have already compromised your Windows system. To fully protect against these vulnerabilities, please uninstall the HP Support Assistant software. You will need to uninstall both the HP Support Assistant and the HP Support Solutions Framework. Alternatively, continue to check for and install updates to the software until all vulnerabilities are patched.

According to the researcher, “by default, HP Support Assistant does not have automatic updating by default unless you explicitly opt-in (HP claims otherwise)”.

“There are two ways to update the application, the recommended method is by opening “HP Support Assistant” from the Start menu, click “About” in the top right, and pressing “Check for latest version”. Another method of updating is to install the latest version from HP’s website here”.
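The following is an added example (not from the post or from HP) for checking whether the two components named above, HP Support Assistant and HP Support Solutions Framework, are still present on a Windows system, and which version is installed. It reads the standard Windows uninstall registry keys (both the native and the WOW6432Node 32-bit views) and assumes the products register there under those display names.

```powershell
# Added example: report any installed HP Support Assistant / HP Support
# Solutions Framework entries so you can confirm an uninstall completed, or
# see which version is present before checking for an update.
# Assumption: the components appear in the standard uninstall registry keys
# with display names starting "HP Support Assistant" or
# "HP Support Solutions Framework".

function Get-HpSupportAssistantInstall {
    # Both views are needed: 64-bit installs live under the native key,
    # 32-bit installs on 64-bit Windows live under WOW6432Node.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^HP Support (Assistant|Solutions Framework)' } |
        Select-Object DisplayName, DisplayVersion, InstallDate, UninstallString
}

$found = @(Get-HpSupportAssistantInstall)
if ($found.Count -eq 0) {
    Write-Output 'Neither HP Support Assistant nor HP Support Solutions Framework is installed.'
} else {
    # Still present: either uninstall both (the post's full mitigation) or
    # keep checking for updates until all vulnerabilities are patched.
    $found | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on each HP system you manage; an empty result means the uninstall was complete for both components.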

Thank you and please stay safe.

April 2020 Update Summary

=======================
Update: 27th April 2020
=======================
Late last week, Microsoft issued a security advisory for Microsoft Office 2019, 365 ProPlus and Paint 3D (available within Windows 10).

These correct 4 remote code execution (an attacker can carry out any action of their choice on a compromised system) and 2 denial of service (in this instance the affected application will become unresponsive) vulnerabilities. These vulnerabilities also affect the following Autodesk products:

FBX-SDK
Maya
Motion Builder
Mudbox
3ds Max
Fusion
Revit
Flame
Infraworks
Navisworks
Autodesk AutoCAD

Please make certain your versions of the affected Autodesk products, Office 2019 or 365 ProPlus and Paint 3D are up to date. The steps detailed in the linked BleepingComputer article will guide you through doing so. The Paint 3D app should have already installed the update automatically; however, you can manually check for updates with these steps.

The necessary details to update the affected Autodesk products are available in the linked Autodesk security advisory. Details for verifying whether Paint 3D and Microsoft Office have been updated are provided in Microsoft’s advisory. Please see the questions titled: “I am running Office 2019 or Office 365 ProPlus. How do I tell if the security update for this vulnerability is included in my version of Office?” and “I have Paint 3D or 3D Viewer installed. How do I know if I have the security update installed?” Further details of the potential impact of these vulnerabilities, as well as a recommended mitigation step, are provided in this Sophos blog post.

Thank you.

=======================
Update: 15th April 2020
=======================
Yesterday Microsoft released their scheduled updates to resolve 113 CVEs (defined). Similarly, Adobe released 3 security bulletins.

Microsoft’s monthly summary lists known issues for 43 Microsoft products, but all have workarounds or resolution steps listed.

To begin with, let’s look at Adobe’s updates:
Adobe After Effects: 1x Priority 3 CVE resolved (1x Important severity)
Adobe ColdFusion: 3x Priority 2 CVEs resolved (3x Important severity)
Adobe Digital Editions: 1x Priority 3 CVE resolved (1x Important severity)

Adobe later issued further updates:
Adobe Bridge: 17x Priority 3 CVEs resolved (14x Critical severity, 3x Important severity)
Adobe Illustrator: 5x Priority 3 CVEs resolved (5x Critical severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities within Bridge and Illustrator).

====================
A further useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Following disclosure last month, the Adobe Type Manager (ATM) vulnerabilities have been patched, in addition to the following zero day vulnerabilities and a further publicly disclosed vulnerability:

Zero Days (defined):
Microsoft Adobe Type Manager: CVE-2020-0938 and CVE-2020-1020
Microsoft Scripting Engine: CVE-2020-0968
Windows Kernel: CVE-2020-1027

Publicly disclosed:
Microsoft OneDrive: CVE-2020-0935

====================
Microsoft Scripting Engine: CVE-2020-0970
Microsoft Chakra Scripting Engine: CVE-2020-0969
Microsoft Graphics: CVE-2020-0687
Microsoft Graphics Components: CVE-2020-0907
Windows DNS: CVE-2020-0993
Windows Hyper-V: CVE-2020-0910
Windows Codecs: CVE-2020-0965
Windows Media Foundation: CVE-2020-0948, CVE-2020-0949, CVE-2020-0950
Microsoft SharePoint: CVE-2020-0929, CVE-2020-0931, CVE-2020-0932, CVE-2020-0974
Microsoft Office SharePoint XSS: CVE-2020-0927
Microsoft Dynamics: CVE-2020-1022

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications and devices below.

To all of my readers and your families, please stay safe during these challenging times. Thank you.

====================
Mozilla Firefox
====================
On the 7th of April, Mozilla released Firefox 75 and Firefox ESR (Extended Support Release) 68.7 to resolve the following vulnerabilities:

Firefox 75.0: Addresses 3x high severity CVEs, 3x moderate severity CVEs

Firefox 68.7 ESR: Addresses 4x high severity CVEs (1 of which only affects Firefox for Android) and 1x moderate severity CVE

Firefox 75 and the previous 74.0.1 reverse the removal of support for TLS 1.0 and TLS 1.1 due to the current COVID-19 situation. It offers improved performance when installed on systems powered by Intel GPUs (defined), is available in the Flatpak distribution format for Linux, and offers improved performance since it will now “locally cache all trusted Web PKI Certificate Authority certificates that Mozilla knows, improving security and HTTPS compatibility with misconfigured web servers as a direct result”. Moreover, an improved address bar is now present in Firefox 75; its improvements are detailed in Firefox’s release notes. Please also be aware of the new telemetry Mozilla has begun to collect with Firefox 75; you may wish to turn this off.

Firefox 74.0.1 and Firefox ESR 68.6.1 were released on the 3rd of April to resolve the following zero day (defined) vulnerabilities actively being exploited in targeted attacks:

Firefox 74.0.1 and Firefox 68.6.1 ESR: Addresses 2x critical severity CVEs

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice and you have not already done so, please update it as soon as possible to benefit from the above changes.

====================
VMware
====================
VMware released 3 security advisories to resolve vulnerabilities within the following products:

VMware vCenter Server
VMware vRealize Log Insight
VMware ESXi 6.5 up to and including 7.0

====================
Advisory 1: Severity: Critical:
VMware vCenter Server

Advisory 2: Severity: Important
VMware vRealize Log Insight

Advisory 3: Severity: Important:
VMware ESXi 6.5 up to and including 7.0
====================

If you use any of the above products, please review the above advisories and install the applicable security updates as soon as possible.

=======================
Oracle:
=======================
Oracle issued updates to resolve 405 vulnerabilities this month. Further details and installation steps are available here. 15 vulnerabilities affect the Java runtime; all of which are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).

Separately, Oracle has issued a notice that attacks are being detected attempting to exploit a patched vulnerability (CVE-2020-2883) in Oracle WebLogic Server. They strongly suggest installing this month’s update for that product to protect against these attacks.

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

====================
OpenSSL
====================
On the 21st April the OpenSSL Foundation issued OpenSSL 1.1.1g which includes a high severity security fix.

FTP mirrors to obtain the necessary downloads are available from here. Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
WinSCP:
=======================
In early April WinSCP version 5.17.3 was made available upgrading its version of OpenSSL to 1.1.1f (from the previous version of 1.1.1d). This update resolves 1x Low severity vulnerability.

On the 24th of April, WinSCP was upgraded to version 5.17.4 which also upgrades its version of OpenSSL to version 1.1.1g resolving a high severity vulnerability. Please install this update if you use WinSCP.

====================
VideoLAN VLC
====================
On the 28th of April, VideoLAN released version 3.0.10 resolving multiple security issues (version 3.2.12 for Android and version 3.2.7 for iOS were also released) assigned to 7 CVEs (various denial of service (DoS) issues in the microDNS service discovery module). 1 CVE has been rated as critical, with the other 6 being of high severity. The most recent versions can be downloaded from:

http://www.videolan.org/vlc/

Thank you and please stay safe.

Zoom Begins to Address Security Concerns

====================
TL;DR
====================
Zoom have now published a best practice guide for securing virtual classrooms (most of which apply to standard meetings too).

I hope the above-mentioned best practice guide is useful for securing the next Zoom meeting you organise. You may also wish to view my previous post with further guidance.
====================
I hope everyone is doing well.

While these best practices have been made available, I realise some may question how much at risk their Zoom meetings/links really are. Krebs on Security recently wrote about why corporate meetings should be secured by a password.

Zoom is also pledging to improve the security and privacy of their platform. To do this they have sought outside help from a panel of CISOs from companies such as Netflix, VMware, HSBC and others. An external advisor Alex Stamos, former Chief Security Officer of Facebook and Adjunct Professor at Stanford’s Freeman-Spogli Institute, has also been requested to undertake a security review of Zoom’s platform. These form just some aspects of their 90 day plan (detailed here) which seeks to “dedicat[e] the resources needed to better identify, address, and fix issues proactively”.

While adding a password to a meeting is still optional, as of the 31st of March the waiting room feature is now mandatory for new meetings.

The above measures are welcome, but users need to be more security aware if they intend to share Zoom meeting links publicly (or if there exists a strong possibility the link could be shared by others).

Thank you and please stay safe.

Recent Shodan Scan Reveals Increase in Risky Exposed RDP Access

====================
TL;DR
====================
With working from home being the new normal during the COVID-19 crisis, it is still important to secure Microsoft Remote Desktop Protocol (RDP) if your organisation uses it. Keep your installation of RDP updated, protect it with a strong password, and strongly consider enabling Network Level Authentication (NLA), placing it behind a firewall, accessing it via a VPN, enabling 2 factor authentication and restricting access to only those who need it.

====================

Late last month the online search engine Shodan provided details of one of the online activity changes they witnessed when lockdown took effect in many countries around the world. The number of Remote Desktop Protocol (RDP) (defined) connections being exposed to the internet rose as more people sought to work from home while still accessing their companies’ systems:

====================

Other notable findings were:

  1. Shodan’s operators also noticed that some organisations were attempting to hide the presence of exposed RDP connections by using port 3388 rather than the default well known port 3389. This provides a false sense of security since it will not stop a determined attacker from locating an exposed RDP connection.
  2. 8% of the systems with RDP ports exposed across the world were still vulnerable to the critical vulnerability known as BlueKeep (CVE-2019-0708) (patched in May 2019). Others were vulnerable to DejaBlue (CVE-2019-1181 and CVE-2019-1182) (patched along with other vulnerabilities in August 2019).
  3. Industrial Control Systems (ICS) (defined) were among the systems exposed on the internet.

====================
How can I protect my organisation if they (or I) need to use RDP for remote access during the lockdown period?
====================
Essential:
Strongly consider increasing the strength of your RDP access password to 12 characters or more.

Keep your RDP installation up to date (please see the above links for the necessary patches to BlueKeep and DejaBlue).
====================

Strongly consider at least one of the following safeguards (2 or more recommended):

For ICS systems only:
Managing Remote Access Best Practices (PDF)
====================

  1. Enable network level authentication (NLA)
  2. Place a hardware or software firewall between your Remote Desktop Gateway Server and the internet. (firewall: defined)
  3. Set up RDP to use a VPN (VPN: defined)
  4. Enable 2 factor authentication (also called multi-factor authentication) (usually paid for commercial solutions).
  5. Restrict RDP access to only those users who need it.

====================
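The following is an added example (not from the post, Shodan, Solarwinds or Malwarebytes) that audits a local Windows host against the RDP safeguards listed above: whether RDP is enabled, whether NLA is required, the listener port (reported only for information, since moving to 3388 is not a safeguard), whether the inbound firewall rules are scoped to specific remote addresses rather than “Any”, and whether broad groups have been granted RDP access. It uses the standard Terminal Server registry values and the built-in NetSecurity and LocalAccounts cmdlets; the “Pass” judgements are the post’s recommendations, not a Microsoft baseline.

```powershell
# Added example: read-only RDP hardening audit for one Windows host.
# Run in an elevated PowerShell 5.1 (or later) session. Nothing is changed.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpSetting {
    # Returns a named registry value, or $null when the value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-RdpHardening {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. Is RDP enabled at all? fDenyTSConnections = 0 means connections are allowed.
    $deny = Get-RdpSetting $tsKey 'fDenyTSConnections'
    $rdpEnabled = ($deny -eq 0)
    Add-Finding 'RDP disabled when not needed' (-not $rdpEnabled) "fDenyTSConnections=$deny"
    if (-not $rdpEnabled) { return $findings }   # nothing else to audit

    # 2. Network Level Authentication: UserAuthentication = 1 requires NLA,
    #    so a client must authenticate before a full session is created.
    $nla = Get-RdpSetting $rdpTcp 'UserAuthentication'
    Add-Finding 'NLA required' ($nla -eq 1) "UserAuthentication=$nla"

    # 3. Security layer: 2 means TLS is required for the listener.
    $layer = Get-RdpSetting $rdpTcp 'SecurityLayer'
    Add-Finding 'TLS security layer' ($layer -eq 2) "SecurityLayer=$layer"

    # 4. Port: informational only. A non-default port (e.g. 3388) does not
    #    stop an internet-wide scanner from finding the service.
    $port = Get-RdpSetting $rdpTcp 'PortNumber'
    Add-Finding 'Listener port (informational)' $true "PortNumber=$port (3389 is the default; obscurity is not protection)"

    # 5. Firewall: every enabled inbound Remote Desktop rule should be scoped
    #    to a VPN or management address range, not RemoteAddress 'Any'.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $remote = (($rule | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
        Add-Finding "Firewall scope: $($rule.DisplayName)" ($remote -ne 'Any') "RemoteAddress=$remote"
    }

    # 6. Membership of Remote Desktop Users: flag broad principals. Note that
    #    local Administrators can always connect and are not listed here.
    $members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue)
    $broad = $members | Where-Object { $_.Name -match '^(.*\\)?(Everyone|Users|Authenticated Users|Domain Users)$' }
    Add-Finding 'RDP limited to named users' (-not $broad) ('Members: ' + (($members | ForEach-Object Name) -join ', '))

    return $findings
}

Test-RdpHardening | Format-Table -AutoSize
```

Any row with Pass = False corresponds to one of the safeguards above that is not yet in place on that host; patch status for BlueKeep and DejaBlue is not covered here because the required update differs by Windows version.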

Thank you and stay safe.

Special thanks to Solarwinds and Pieter Arntz of Malwarebytes for their useful references which inspired this post.

Better Securing Your Zoom Meetings (and other advice)

With many of us attending virtual meetings both inside and outside of work, I wanted to share the following best practice article with you.

Attackers are taking advantage of the Zoom platform. Here is how you can better secure the next Zoom meeting you organise or better inform a person you know who does organise them:

https://www.bleepingcomputer.com/news/software/how-to-secure-your-zoom-meetings-from-zoom-bombing-attacks/

=====================
Many thanks to Lawrence Abrams of BleepingComputer for this.
=====================

Please also be aware of the following un-patched vulnerability in Zoom (mitigations are discussed and provided in the link below):

https://www.bleepingcomputer.com/news/security/zoom-lets-attackers-steal-windows-credentials-via-unc-links/

Other privacy limitations of Zoom are the following (with one being partially mitigated):
Zoom Meetings Aren’t End-To-End Encrypted, Despite Misleading Marketing (partially mitigated)

Zoom is Leaking Peoples’ Email Addresses and Photos to Strangers

The above guide can be used to supplement Zoom’s own best practice guide.

Thank you and please stay safe both outside and in cyberspace.