Tag Archives: denial of service

May 2018 Update Summary

====================
Update: 18th May 2018:
====================
Other updates made available by Microsoft for the Spectre Variant 2 vulnerability are:

kb4100347

This update was not offered to my Windows laptop running Version 1803. As you know it contains an Intel Core i7 6500U CPU. I downloaded the version 1803 update from the Microsoft Catalog and it installed successfully. My system is showing the full green result when the PowerShell command Get-SpeculationConntrolSetting is run. It results in the final screenshot shown with this article. Further tips on running this useful command are provided in this Microsoft support article, please see the headings “PowerShell Verification using the PowerShell Gallery (Windows Server 2016 or WMF 5.0/5.1)” or “PowerShell Verification using a download from Technet (earlier operating system versions and earlier WMF versions)” depending on your version of Windows.

Microsoft have also issued an update for Windows version 1709 to resolve a vulnerability again introduced by their previous patch. This resolution was provided in update kb4103727. Further details are available in Alex Ionescu’s tweet (a security architect with CrowdStrike and Windows Internals expert). Previous Spectre V2 patches were kb4091666 and kb4078407

This issue was already addressed in version 1803 of Windows.

If any of the above updates apply for your version of Windows, please install them. If the updates are already present or are not required; the installation will not proceed when you manually attempt it.

Thank you.

====================
Update: 17th May 2018:
====================
Adobe have since issued further updates to resolve critical vulnerabilities within Adobe Acrobat DC, Adobe Reader DC and Photoshop. Further details of the zero day (defined) vulnerabilities addressed in Adobe Acrobat/Reader are available here and here.

Adobe Acrobat and Reader (priority 1, 47 CVEs)

Adobe Photoshop CC 2018 and 2017 (priority 3, 1 CVE).

Further updates are listed at the end of this post. Thank you.

====================
Update: 10th May 2018:
====================
Further details have emerged of another zero day (defined) vulnerability affecting Windows Server 2008 R2 and Windows 7.

CVE-2018-8120 is an elevation of privilege (defined) vulnerability but can only be exploited if the attacker has already compromised the user account of the system allowing the attacker to log in when they choose. Upon logging in the attacker could obtain kernel level access/permissions (defined) by elevating their privileges to carry out any action they choose.

The prioritised list below has been updated to reflect this. Thank you.
====================

====================
Original Post:
====================

====================
Apologies for only posting an update summary last month. Other commitments meant I didn’t have the bandwidth to contribute more. I’ll try to make more time this month. Thanks.
====================

Earlier today Microsoft released their scheduled monthly security updates resolving 67 vulnerabilities. Notably Windows 10 Version 1803 receives it’s first update this month. Windows Server 2016 Version 1803 remains in testing in advance of it’s upcoming release. As always Microsoft have provided further details are provided within their Security Updates Guide.

There are 4 knowledge base articles detailing potential issues (all of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

4103712

4103718

4103723

4103727

====================

Separately, Adobe released updates for 3 of their products, namely:

Adobe Creative Cloud Desktop Application (priority 2 (overall), 3x CVEs)

Adobe Connect (priority 2, 1x CVE)

Adobe Flash Player (priority 2, 1x CVE)

Non-Microsoft browsers should update automatically e.g. Google Chrome should release a browser update in the coming days or will use their component update feature (the update was not available at the time of writing). Like last month; Microsoft issued a security advisory containing details of their updates

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page (since Secunia PSI was phased out on the 20th of April):
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here:
====================

Windows VBScript Engine Remote Code Execution Vulnerability (a zero day (defined) vulnerability)

Win32k Elevation of Privilege Vulnerability

Microsoft Edge and Internet Explorer (similar to last month multiple versions of Edge and IE affected with many of the CVEs affecting the Microsoft Scripting Engine))

Microsoft Hyper-V (Update 1 and Update 2)

Microsoft Office (detailed list available here)
====================
Please install the remaining updates at your earliest convenience.

One of the vulnerabilities addressed by Microsoft this month, namely CVE-2081-8897: Windows Kernel Elevation of Privilege Vulnerability arose due to the misinterpretation of documentation from Intel regarding how a CPU (defined) raise a debug (defined) exception to transfer control to debugging software (usually used by a software developer). The specific instructions were the assembly language instructions (defined) MOV to SS and POP to SS.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Malwarebytes Anti-Malware
=======================
Last week Malwarebytes updated their anti-malware product to version 3.5.1. The full list of improvements is available here but it also updated their include 7-Zip to version 18.05. I verified this manually since the above release notes did not reference to it. Further details of the 7-Zip update are available in my April blog post.

Moreover; Directory Opus updated their product to version 12.8.1. Beta adding new DLLs (defined) for 7-Zip and UnRAR once again to address the vulnerabilities found within the UnRAR DLL also used by 7-Zip.

=======================
Mozilla Firefox:
=======================
This month Mozilla made available security updates for Firefox and Firefox ESR (Extended Support Release):

9th May: Firefox 60.0: Resolves 2x critical CVEs, 6x high, 14 moderate CVEs and  4x low severity CVEs

9th May: Firefox ESR 52.8: Resolves 2x critical, 5x high, 3x moderate CVEs

Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
Google released Google Chrome version 66.0.3359.170 to address 4 number of vulnerabilities and to include a newer version of Adobe Flash Player.

One of the four vulnerabilities addressed relates to how Chrome handles browser extensions resolving a privilege escalation issue (defined). Further details are availability here.

=======================
USB Denial of Service (DoS) Will not Receive a Fix
=======================
In other vulnerability related news; a denial of service issue (defined) privately/responsibly disclosed (defined) by a security researcher Marius Tivadar will not fixed by Microsoft with a security update since the vulnerability requires physical access to the target system or social engineering (defined) and does not result an attacker being able to execute code of their choice on the affected system.

In my opinion; this is justified since if an attacker can obtain physical access to your system it significantly enhances the damage they can do. This statement also forms part of Microsoft’s 10 Immutable Laws of Security.

WordPress Security Updates Roundup (June 2016)

Last weekend WordPress made available a security update to their popular self-hosted blogging tool/content management system (CMS, defined) bringing it to version 4.5.3.

Why Should These Issues Be Considered Important?
WordPress recommends installing this update as soon as possible due to the severity of the issues that it resolves. It isn’t immediately clear but 24 security issues were addressed in this update. Please find below a summary of those issues:

  • A redirect bypass in the customizer (which could be used by an attacker to redirect to websites to perform attacks such as watering hole attacks (defined))
  • 2x cross site scripting (XSS) vulnerabilities (defined) as a result of attachment names
  • Revision history information disclosure
  • A denial of service issue (defined)
  • some less secure sanitize_file_name edge cases
  • unauthorized category removal from a post
  • password change via stolen cookie (defined)

Previously in early May this year WordPress made available version 4.5.2. This was also an important security update that addressed 2 security vulnerabilities. The first relates to a Same Origin Method Execution (SOME) (defined) vulnerability. This vulnerability is similar to a cross site scripting (XSS) vulnerability since it abuses JSON (defined) callbacks.

The second issue addressed is a more traditional cross site scripting (XSS) vulnerability within a 3rd party library, namely MediaElement.js.

Separately in early June WordPress removed a plugin named WP Mobile Detector from their plugin website when attacks begin exploiting a trivially exploitable zero-day vulnerability (defined) within it.

Researchers at the security firm Sucuri were able to determine that the attacks for this vulnerability began on the 27th of May. The vulnerability was then disclosed on the Plugin Vulnerabilities website. The vulnerability allows an attacker to upload a file of their choice to a WordPress website.

Finally, and as above in late May the security firm Sucuri discovered a critical (due to the ease of exploitation) cross site scripting (XSS) vulnerability in the popular WordPress Jetpack plugin. This issue affected more than 1 million WordPress websites.

How Can I Protect Myself from These Issues?
As always; WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress an automatic updater (thanks to Sophos for this useful piece of information) will install the above mentioned update in the background. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

For the WP Mobile Detector; it was later updated to version 3.6 to address this vulnerability. However as noted by Sucuri in their advisory the vulnerability was not fully addressed by this new version and they are working with them to address this further shortcoming.

If you use the WP Mobile Detector plugin, please ensure that you are using the most recent version. While the vulnerability is difficult to exploit since it requires the allow_url_fopen API (defined) to be enabled. US CERT recommends disabling this API (defined) call if it is not needed for your website as a defence in depth (defined)(PDF) measure.

Lastly for the JetPack plugin, please update to version 4.0.3 or later to resolve the above mentioned critical XSS issue. Updates were also made available for all 21 code branches of the plugin if you are not already using the newest code branch. The developers of the plugin have also provided an FAQ for this update as well as the steps to install it.

Thank you.

NTP Project Releases Security Update (June 2016)

In early June the NTP project; the team behind the Network Time Protocol (NTP)(defined) issued a security update to address 5 security issues (more formally known as CVEs (defined)), one of which has been classified as high severity. This update brings NTP to version 4.2.8p8

Why Should These Issues Be Considered Important?
The most severe issue involves a denial of service (defined) vulnerability caused by the processing of Crypto-NAK responses (these responses are sent by NTP servers when a client and server do not agree on a message authentication code (MAC)(defined)).

The other four issues were classified as low severity, one of which relates to the above crypto-NAK vulnerability. That low severity vulnerability if exploited could lead to the demobilization of an association between the server and the client (where mobilization means that an NTP server is cryptographically authenticated to a client).

How Can I Protect Myself from These Issues?
NTP is available for most operating systems primarily Linux and Mac OS X (however versions for Windows also exist). In addition, almost any device can request the correct time from an NTP server and thus could be affected by these issues even if NTP is not installed on the device (but would need to be installed on the server).

Full details of these issues are provided by the NTP project on this page (see the June 2016 entry).

Updated versions of NTP are available from this page. For Linux systems the relevant updates can also be obtained via the Package Manager bundled with your Linux distribution (see this link(Debian) and this link (Ubuntu) that should assist you in using the package manager for your distribution of Linux). Apple usually update NTP via their App Store and Software Update, details are available on this page.

Moreover, please see each of the following NTP bug entries since each contains mitigations (defined) for each vulnerability that may be of assistance to you:

NTP Bug 3042 (low severity)
NTP Bug 3043 (low severity)
NTP Bug 3044 (low severity)
NTP Bug 3045 (low severity)
NTP Bug 3046 (high severity)

Thank you.

Ubuntu Issues Security Updates for April 2016

In the first week of April Ubuntu issued security updates to address vulnerabilities responsibly disclosed (defined) in the Ubuntu kernel (defined). Each vulnerability addressed was assigned a separate CVE identifier (defined).

Why Should These Issues Be Considered Important?
While no severities were assigned by Ubuntu to these issues any issue within the kernel can be consider high to critical severity (if it is remotely exploitable) since if control of the kernel can be obtained an attacker can then use that control to carry out any action of their choice. Ubuntu does however mention that the most severe of these issues can potential lead to remote code execution (the ability for an attacker to remotely carry out any action of their choice on your Ubuntu device) while the remainder can lead to denial of service conditions (defined).

The types of vulnerabilities addressed are varied and range from use-after-free (defined) vulnerabilities to timing side channel attacks (defined, in this case exploiting the timing within the Linux Extended Verification Module (EVM)) to a buffer overflow (defined) and incorrect file descriptor handling (defined).

How Can I Protect Myself From These Issues?
Within Ubuntu’s security advisory they provide the steps to download the appropriate updates for the version of Ubuntu that you are using. In addition, a system reboot is required for these updates to take effect.

In addition, 3 recent security advisories listed below were also made by available by Ubuntu, please ensure that you have followed the steps within each to ensure that you are protected from these vulnerabilities:

USN-2917-3: Firefox regressions: Addresses 34x CVEs
USN-2951-1: OptiPNG vulnerabilities: Addresses 5x CVEs
USN-2950-1: Samba vulnerabilities: Addresses 8 CVEs (among them the Badlock issue)

Thank you.

ISC Releases Security Updates for BIND (March 2016)

Last week the Internet Systems Consortium (ISC) released 3 security updates to address 3 high severity denial of service issues (defined) found within their BIND DNS software.

Separately ISC has released a security advisory for ISC DHCP concerning a denial of service issue that has not yet been resolved using a patch/update. Workarounds for this issue are available within that advisory. I will update this post when these updates become available. This issue affects the following versions of ISC DHCP: 4.1.0->4.1-ESV-R12-P1, 4.2.0->4.2.8, 4.3.0->4.3.3-P1

=======================
Update 25th June 2016
=======================
At this time as I mentioned below in my previous update; the updates to address the issue mentioned above within ISC DHCP have not yet been released. I will continue to monitor the security advisory until these updates are made available.

Thank you.
=======================
Update 26th April 2016
=======================
At this time, the updates to address the issue mentioned above within ISC DHCP have not yet been released. I will continue to monitor the security advisory until these updates are made available.

Thank you.

Why Should These Issues Be Considered Important?
These issues affect a large number of versions (listed below) of BIND making these issues ever more important to address as soon as possible:

=======================
Advisory 1: 9.10.0 -> 9.10.3-P3
Advisory 2: 9.2.0 -> 9.8.8, 9.9.0->9.9.8-P3, 9.9.3-S1->9.9.8-S5, 9.10.0->9.10.3-P3
Advisory 3: 9.0.0 -> 9.8.8, 9.9.0 -> 9.9.8-P3, 9.9.3-S1 -> 9.9.8-S5, 9.10.0 -> 9.10.3-P3
=======================

The first security issue involves an error in the implementation for preliminary support for DNS cookies. If an attacker sends a malformed packet containing multiple cookie options, the named control channel will exit with an INSIST assertion (defined) meaning that the DNS server is no longer available to process user requests (a denial of service).

If you cannot deploy the patch for this issue immediately, a workaround is provided by ISC within this security advisory which you can use until the patch is installed.

The second security issue involves the incorrect parsing (analyzing data in a structured manner in order to create meaning from it) of a malformed packet deliberately sent to the server by a remote attacker. This description from ISC seems a little misleading since you cannot correctly parse an incorrectly formed packet, what I expect they mean is that an unexpected/inappropriate action is taken by the named control channel when it encounters a malformed packet which results in a security issue. In this instance an assertion failure results in the named control channel exiting as before resulting in a a denial of service.

If you cannot deploy the patch for this issue immediately, a workaround is provided by ISC within this security advisory which you can use until the patch is installed.

The third and final security issues addressed by the issued security updates involves an error in the parsing of DNAME (defined here and here) DNS records. Once again this results in an assertion causing an exit and a resulting denial of service issue. No workaround is available for this issue.

How Can I Protect Myself from These Issues?
If you use BIND (it is included with Linux distributions e.g. Redhat, Ubuntu etc.) to provide any DNS services within your company/organization or you know anybody who may be affected by these issues, please follow the advice within ISC’s security advisories to install the necessary updates to resolve these issues as soon as possible:

CVE-2016-2088: A response containing multiple DNS cookies causes servers with cookie support enabled to exit with an assertion failure
CVE-2016-1285: An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c
CVE-2016-1286: A problem parsing resource record signatures for DNAME resource records can lead to an assertion failure in resolver.c or db.c

Thank you.

ISC Releases Security Updates for BIND (January 2016)

On the 19th of January Internet Systems Consortium (ISC) released 2 security updates to address critical and medium severity denial of service issues (defined) within their BIND DNS software.

Why Should These Issues Be Considered Important?
This critical severity remotely exploitable vulnerability is caused by a buffer overflow (defined) within a guard feature intended to prevent such an overflow. If an overflow occurred, it could cause BIND to exit. Examples of possible ways (not an exhaustive list) for this vulnerability to be exploited are provided by ISC within their first security advisory for these issues. For the remaining medium severity remotely exploitable issue an error in how BIND interprets specifically formatted text could cause an assertion (defined) again resulting in the possible exiting of BIND.

These issues affect a large number of versions (listed below) of BIND making them ever more important to address:

=======================
Critical Severity Issue: 9.3.0->9.8.8, 9.9.0->9.9.8-P2, 9.9.3-S1->9.9.8-S3, 9.10.0->9.10.3-P2
Medium Severity Issue: 9.10.0->9.10.3-P2
=======================

In addition, as mentioned by ISC, versions 9.3 to 9.8 of BIND are considered end of life and will not be receiving updates to address the critical issue. Currently supported versions of BIND are listed here.

Moreover, according to ISC, the critical issue has no workarounds or known mitigations. The medium severity issue can be mitigated by disabling debug logging (but only as a temporary measure until the appropriate update can be applied).

How Can I Protect Myself from These Issues?
If you use BIND (it is included with Linux distributions e.g. Redhat, Ubuntu etc.) to provide any DNS services within your company/organization or you know anybody who may be affected by these issues, please follow the advice within ISC’s security advisories to install the necessary updates to resolve these issues:

CVE-2015-8704: Specific APL data could trigger an INSIST in apl_42.c
CVE-2015-8705: Problems converting OPT resource records and ECS options to text format can cause BIND to terminate.

Thank you.

ISC Releases Security Updates for BIND (December 2015)

Earlier this month the Internet Systems Consortium (ISC) released a security update to address a critical denial of service issue (defined) within their BIND DNS software.

This vulnerability is caused by an error in the parsing (analyzing data in a structured manner in order to create meaning from it) of incoming responses allowing records within those responses to have incorrect classes causing them to be accepted rather than rejected. If the parsing was carried out correctly the incorrect class would be detected. A single specifically crafted packet sent to BIND will cause it to trigger a REQUIRE assertion failure which will cause BIND to exit.

Why Is This Issue Considered Critical?
A single specifically crafted response sent to BIND will cause it to trigger a REQUIRE assertion failure when the records within that response are later cached. An attacker could exploit this issue to cause BIND to exit resulting in a denial of service for the legitimate clients of the BIND server. Recursive DNS (defined) BIND servers are at high risk to this issue.

This issue affects a large number of versions (listed below) of BIND making this issue ever more important to address:
9.0.x -> 9.9.8
9.10.0 -> 9.10.3

Moreover, according to ISC, this issue has no workarounds or known mitigations. The only solution is to install the updates to BIND as mentioned in this security advisory.

How Can I Protect Myself From This Issue?
If you use BIND (it is included with Linux distributions e.g. Redhat, Ubuntu etc.) to provide any DNS services within your company/organization or you know anybody who may be affected by this issue, please follow the advice within ISC’s security advisory to install the necessary update to resolve this issue:

CVE-2015-8000: Responses with a malformed class attribute can trigger an assertion failure in db.c

Thank you.