Category Archives: Security Vulnerabilities

Posts that discuss security vulnerabilities (for both software and hardware) and how best to respond to them.

Pwn2Own 2017 Results

The final day of competition within Pwn2Own 2017 took place on Friday, 17th March. Full details of how the individual teams performed and how many exploits were successful are available here , here and here.

In summary the following products were successfully exploited:

Adobe Flash
Adobe Reader
Apple Safari
Apple macOS (mostly the macOS kernel)(defined)
Microsoft Edge
Microsoft Windows kernel
Mozilla Firefox
Ubuntu Linux
VMware Workstation

The contest saw 51 vulnerabilities used and a total of USD$833,000 awarded to the contestants (a very large increase over last year’s USD$460K). As I noted last year, many vulnerabilities once again were present within the macOS and Windows kernels specifically:

Apple macOS kernel:
race condition (defined)
information disclosures (defined)
out of bounds (OOB) bug (defined)

Microsoft Windows kernel:
integer overflows (defined)
buffer overflows (defined)
uninitialised buffers (discussed here)
use-after-free (defined here and here)
information disclosures
out of bounds (OOB) bug
race condition

As before Microsoft and Apple need to do more thorough static analysis/auditing/fuzzing (defined here and here) of the kernel to find and resolve vulnerabilities before they are exploited. It is a surprise this year again highlights this short coming which secure coding practices e.g. Microsoft’s SDL and Adobe’s SPLC (among others) were intended to reduce.

Of note is; Mozilla Firefox released Firefox 52.0.1 to resolve an integer flow vulnerability in less than 1 day after it’s disclosure during Pwn2Own; a fantastic response time.

We can again look forward to these vulnerabilities being addressed over the coming months; helping to make our products more secure.

Thank you.

March 2017 Security Updates Summary

As you know Microsoft and Adobe released their scheduled monthly security updates. For Microsoft this release was anticipated especially since last month’s set was delayed.

Within the above linked to post I predicted Microsoft would make a large number of updates and they did just that. 17 bulletins in total are now available. These updates address 138 vulnerabilities listed within Microsoft’s new Security Update Guide. These vulnerabilities are more formally known as CVEs (defined).

Once again; there are no Known Issues listed within their March summary page. At the time of writing the IT Pro Patch Tuesday blog does not list any Known Issues. However, please check it before deploying your security updates just to be sure. As always, if any issues do arise, those pages should be your first places to check for solutions.
====================
Adobe issued two security bulletins today. One affecting Adobe Flash and the other for Adobe Shockwave Player. The Flash Player bulletin resolves 7x priority 1 vulnerabilities. While the Shockwave bulletin resolves 1x priority 2 vulnerability. These priority rating are explained in the previous link.
Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome which made available last week.

If you use Flash or Adobe Shockwave, please review the security bulletins linked to above and apply the necessary updates. The Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.
—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

=======================
Update: 22nd March 2017:
=======================
I wish to provide information on other notable updates from this month which I would recommend you install if you use these software products:

Notepad++ version 7.3.3

VideoLAN VLC Media version 2.2.5 (release currently in progress)

Malwarebytes Anti-malware version 3.0.6 CU3 (with Component package version: 1.0.75):
It is unknown how many vulnerabilities this addresses but this forum post mentions their resolution.

More details of the vulnerabilities resolved by Malwarebytes 3.0.6 CU3 have emerged. Researchers responsibly disclosed a technique which uses Microsoft’s Application Verifier to hijack an anti-malware application. More details of this vulnerability are available here and here.

Mozilla Firefox 52.0.1 (more details in this post on Pwn2Own 2017)

VMware Workstation 12.5.4 (relevant security advisories are here and here)

Wireshark 2.2.5 and 2.0.11

Putty 0.68 (while released in February; it contains important security changes)

=======================

For the 17 Microsoft bulletins this month, I will prioritize the order of updates for you below:

====================
Critical severity:
Windows Graphics Component

Windows SMB Server

Microsoft Edge

Internet Explorer

Windows Hyper-V

Windows PDF

====================
Important Severity
====================
The update for Microsoft Office should be installed next due to it’s criticality. With the follow updates after it:

Microsoft Exchange

Microsoft IIS

Active Directory Federation Server

As always you can find detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.
Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

WD My Cloud NAS Vulnerabilities

=======================
Update: 22nd March 2017:
=======================
Western Digital have made available firmware updates to My Cloud Mirror, EX2 and EX4 models. The updates are available from http://support.wdc.com/downloads.aspx

They resolve some of the critical vulnerabilities identified in these products. Steps to update the firmware are available in this Softpedia article.

Thank you.

=======================
Original Post:
=======================
Earlier this month a freelance security researcher known as Zenofex publically disclosed (defined) a total of 85 security vulnerabilities within the Western Digital (WD) MyCloud Network Attached Storage (NAS)(defined) devices

The vulnerabilities consist of authentication bypasses and code execution (carrying out instructions/steps of an attacker’s choice) and the upload/download of the data the device contains. Since the researcher did not receive cooperation with addressing previously communicated vulnerabilities from WD in the past they chose not to responsibly disclose (defined) these vulnerabilities.

After this disclosure, SEC Consult Vulnerability Lab (SCVL) provided further details of these vulnerabilities to the wider security community. For some of the 85 issues disclosed they had contacted WD in January 2017 and disclosed some of the details on the 20th of February. These vulnerabilities range from : command injection vulnerabilities, a stack-based buffer overflow (defined) bug and a cross-site request forgery flaw (defined)

In December 2016 WD issued fixes for some of the vulnerabilities discovered but created further vulnerabilities which resulted in the very same outcome they were trying to address.

How can I protect myself from these vulnerabilities?
Unfortunately, due to the very large number of vulnerabilities disclosed it will take a significant duration of time to resolve them all (especially if inadvertently; further vulnerabilities become evident; as has happened before).

If you use this NAS device; the data it contains will be at elevated risk of compromise while WD works to resolve these vulnerabilities. I would recommend ensuring these devices are not accessible to the external internet. Shodan may be of assistance to you in determining this. More information on Shodan is available in a previous blog post.

Please create backups of the data these NAS devices contain and store them on other devices until these vulnerabilities are resolved. Monitor WD’s website and install new firmware releases as they become available.

While Western Digital issued fixes for some of the vulnerabilities in December 2016, the independent security researcher found the fixes created another vulnerability with the same results they intended to resolve.

In addition, within this ThreatPost article WD recommends:

“My Cloud users contact our Customer Service team if they have further questions; find firmware updates; and ensure their My Cloud devices are set to enable automatic firmware updates.”

I will update this post as new information on the relevant updates becomes available.

Thank you.

Cloudflare addresses data leak

For 5 days within February this year; an information disclosure issue affected Cloudflare’s infrastructure. This led to their systems inadvertently leaking private session keys, website cookies, encryption keys and passwords.

Why should this vulnerability be considered important?

The scale of the issue was large, affecting an estimated 2 million websites. This flaw was due to a coding error within a parser (defined) (undetected at the time) used to modify HTML webpages and related to how the memory containing buffers (defined) of their NGINX (defined) web server functioned. Google Project Zero vulnerability researcher Tavis Ormandy contacted Cloudflare over Twitter who mitigated the issue in 47 minutes and completed their work in less than 7 hours; an incredibly swift resolution. Cloudflare later noted it would usually take 3 months to resolve an issue similar to this.

How can I protect myself from this vulnerability?

Cloudflare documented their findings of this incident within this blog post. Their analysis shows no evidence of attackers using the leaked information for malicious account access, accessing sensitive information or fraudulent purchases (in the case of exposed credit card numbers).

Cloudflare is continuing to review the leaked information and working to remove it from third party caches. They have committed to a review (both internal and with the assistance of external auditor Veracode) of the parser code which inadvertently lead to this information leakage.

As a precaution I would recommend monitoring any affected accounts for unwanted activity and change passwords and enable 2 factor authentication should any unwanted activity take place. The list of affected websites is here.

Further discussion of the impact of this issue is available from this SANS forum post and this Softpedia news article.

Thank you.

FTP Handling Vulnerabilities Disclosed in Java and Python

Last month security researchers Alexander Klink and Blindspot Security Researcher Timothy Morgan publicly disclosed information disclosure and low-privilege code execution vulnerabilities affecting Oracle Java and Oracle Java/Python respectively. Alexander Klink’s vulnerability relates to XXE (XML External Entity) processing specifically crafted XML files leading to information disclosure. Timothy Morgan’s vulnerabilities involve adding Carriage Return (CR) and Line Feed (LF) characters to the TCP stream (a structured sequence of data) to the FTP processing code within Java and Python. The researchers notified the affected vendors over a year ago but the vendors did not address these issues. Timothy Morgan’s vulnerability also causes firewalls to open a port to temporarily allow an FTP connection.

How can I protect myself from these vulnerabilities?
Fortunately exploitation of these vulnerabilities is not trivial since the first FTP vulnerability requires an attacker to already have already compromised an organizations internal email server. The second vulnerability requires an attacker to know the victims internal IP address and for the FTP packets to be in alignment.

System administrators responsible for network infrastructure should monitor communications to email servers for suspicious activity and ensure internal computer systems are not accessible from the external internet (for example using Shodan). Apply vendor software updates when made available for these issues. The blog posts from the researchers here and here provide further detailed recommendations to mitigate these vulnerabilities.

Thank you.

SHA-1 collision attack took two years to complete

Google security researchers Elie Bursztein, Ange Albertini, and Yarik Markov and researchers from Cryptology Group at Centrum Wiskunde and Informatica (CWI) in Amsterdam, Marc Stevens and Pierre Karpman last month detailed the results of two years of work to create a collision attack against the Secure Hash Algorithm (SHA)-1 (defined) algorithm.

They focused on an attack allowing the SHA-1 hash of one Adobe Portable Document Format (PDF) file to match the hash of a second PDF. The researchers divided the work into two phases; phase one used 6,500 years of Central Processing Unit (CPU)(defined) computation while phase 2 consumed 110 years of Graphics Processing Unit (GPU)(defined) computation time. The work appears to have cost between USD$75,000 and USD $120,000 to complete.

Theoretical attacks against SHA-1 have existed since 2005 with 2016 showcasing work estimating an attack could take as little as three months; this new attack marks the first practical attack. I previously detailed why you should migrate your website and code-signing certificates to SHA-2.

How can I protect myself from this vulnerability?
If you are responsible for website signing certificates and/or software signing certificates making use of SHA-1 algorithm you should continue your planned migration to SHA-2 signing certificates. Use of updated web browsers will correctly assign less trust to websites using SHA-1 certificates. While I agree with Linus Torvalds about the “sky not falling” with regard to SHA-1, use of a more secure hashing algorithm will be more important as time goes on. For example, the interruption of service of the WebKit SVN would not have occurred if SHA-2 was in use.

Thank you.

Malware can manipulate blinking hard drive LEDs to steal data from secured systems

In February this year, University of Israel security researchers released their findings of a new type of attack to steal data from secured systems. Secured systems are frequently air-gapped (defined) to mitigate attacks from the internet. To steal data, the attacker can deploy custom malware onto the target system which causes its hard drive activity LED lights to blink at very rapid intervals; to a human eye the lights may appear to stay on rather than switch on and off.

With this activity taking place, the light can stay turned on to represent the binary computer numbering system digit 1 and turn off to represent a 0 (zero). The researchers found blue LEDs gave the best results for their purposes. A recording of a video of this flickering light can represent entire files (smaller files are preferred). The malwares primary purpose is to steal encryption keys, user credentials (username and passwords) as well as logged keystrokes stored on the system. Video cameras suitable for this attack are airborne drones with cameras, CCTV cameras or existing cameras within cell phones.

This attack is particularly successful and innovative; but it does not pose as severe a risk as may initially appear. While an airborne drone could observe a secured system from outside the building, the system must be visible from the outside; many secured rooms/locations do not have externally visible windows.

In addition, for the data stealing to take place the attackers need to pre-compromise the system with custom malware to enable the LED activity lights to flash in a pre-defined ways to steal data. However of note, this attack does not require administrator rights on the secured system in order to be successful.

How can I protect myself from this threat?
If you administer secured systems (air-gapped or otherwise) you should ensure they are stored in locations not visible from outside of the building.

Other countermeasures include permanently disabling the LEDs activity lights or covering the lights, physically securing the USB ports of the system to prevent installation of malware or the use of application whitelisting e.g. AppLocker for Windows. Integrity verification of the contents of secured systems is also achievable by comparing hashes of those systems with known secure systems.

Thank you.