Tag Archives: DoS

WordPress Security Updates Roundup (June 2016)

Last weekend WordPress made available a security update to their popular self-hosted blogging tool/content management system (CMS, defined) bringing it to version 4.5.3.

Why Should These Issues Be Considered Important?
WordPress recommends installing this update as soon as possible due to the severity of the issues that it resolves. It isn’t immediately clear but 24 security issues were addressed in this update. Please find below a summary of those issues:

  • A redirect bypass in the customizer (which could be used by an attacker to redirect to websites to perform attacks such as watering hole attacks (defined))
  • 2x cross site scripting (XSS) vulnerabilities (defined) as a result of attachment names
  • Revision history information disclosure
  • A denial of service issue (defined)
  • some less secure sanitize_file_name edge cases
  • unauthorized category removal from a post
  • password change via stolen cookie (defined)

Previously in early May this year WordPress made available version 4.5.2. This was also an important security update that addressed 2 security vulnerabilities. The first relates to a Same Origin Method Execution (SOME) (defined) vulnerability. This vulnerability is similar to a cross site scripting (XSS) vulnerability since it abuses JSON (defined) callbacks.

The second issue addressed is a more traditional cross site scripting (XSS) vulnerability within a 3rd party library, namely MediaElement.js.

Separately in early June WordPress removed a plugin named WP Mobile Detector from their plugin website when attacks begin exploiting a trivially exploitable zero-day vulnerability (defined) within it.

Researchers at the security firm Sucuri were able to determine that the attacks for this vulnerability began on the 27th of May. The vulnerability was then disclosed on the Plugin Vulnerabilities website. The vulnerability allows an attacker to upload a file of their choice to a WordPress website.

Finally, and as above in late May the security firm Sucuri discovered a critical (due to the ease of exploitation) cross site scripting (XSS) vulnerability in the popular WordPress Jetpack plugin. This issue affected more than 1 million WordPress websites.

How Can I Protect Myself from These Issues?
As always; WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress an automatic updater (thanks to Sophos for this useful piece of information) will install the above mentioned update in the background. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

For the WP Mobile Detector; it was later updated to version 3.6 to address this vulnerability. However as noted by Sucuri in their advisory the vulnerability was not fully addressed by this new version and they are working with them to address this further shortcoming.

If you use the WP Mobile Detector plugin, please ensure that you are using the most recent version. While the vulnerability is difficult to exploit since it requires the allow_url_fopen API (defined) to be enabled. US CERT recommends disabling this API (defined) call if it is not needed for your website as a defence in depth (defined)(PDF) measure.

Lastly for the JetPack plugin, please update to version 4.0.3 or later to resolve the above mentioned critical XSS issue. Updates were also made available for all 21 code branches of the plugin if you are not already using the newest code branch. The developers of the plugin have also provided an FAQ for this update as well as the steps to install it.

Thank you.

NTP Project Releases Security Update (June 2016)

In early June the NTP project; the team behind the Network Time Protocol (NTP)(defined) issued a security update to address 5 security issues (more formally known as CVEs (defined)), one of which has been classified as high severity. This update brings NTP to version 4.2.8p8

Why Should These Issues Be Considered Important?
The most severe issue involves a denial of service (defined) vulnerability caused by the processing of Crypto-NAK responses (these responses are sent by NTP servers when a client and server do not agree on a message authentication code (MAC)(defined)).

The other four issues were classified as low severity, one of which relates to the above crypto-NAK vulnerability. That low severity vulnerability if exploited could lead to the demobilization of an association between the server and the client (where mobilization means that an NTP server is cryptographically authenticated to a client).

How Can I Protect Myself from These Issues?
NTP is available for most operating systems primarily Linux and Mac OS X (however versions for Windows also exist). In addition, almost any device can request the correct time from an NTP server and thus could be affected by these issues even if NTP is not installed on the device (but would need to be installed on the server).

Full details of these issues are provided by the NTP project on this page (see the June 2016 entry).

Updated versions of NTP are available from this page. For Linux systems the relevant updates can also be obtained via the Package Manager bundled with your Linux distribution (see this link(Debian) and this link (Ubuntu) that should assist you in using the package manager for your distribution of Linux). Apple usually update NTP via their App Store and Software Update, details are available on this page.

Moreover, please see each of the following NTP bug entries since each contains mitigations (defined) for each vulnerability that may be of assistance to you:

NTP Bug 3042 (low severity)
NTP Bug 3043 (low severity)
NTP Bug 3044 (low severity)
NTP Bug 3045 (low severity)
NTP Bug 3046 (high severity)

Thank you.

Linux GRUB Security Vulnerability Swiftly Patched

Earlier this month a pair of security researchers within the Cybersecurity Group at Universitat Politècnica de València discovered an integer underflow (defined) vulnerability within the Linux GRUB bootloader (defined, my thanks to Lucian Constantin, IDG News Service for providing an excellent summary of the purpose/function of the GRUB bootloader within that article). The researchers responsibly disclosed (defined) this issue to the main distributors of Linux in order to protect their users. My thanks to everyone involved for so quickly addressing this vulnerability.

Why Should This Issue Be Considered Important?
This issue is very easy for an attacker to exploit namely that they only need to have physical access (be in front of the system) for a short time in order to exploit it. With this access, they simply press the backspace key (just above the main Enter/Carriage return) key 28 times in order to exploit this vulnerability. They could easily obtain this physical access by breaking into the premises where such a system is located.

Moreover, systems with defences such as disabled CR-ROM drives (otherwise known as optical drives), disabled USB ports, restricted network boot options, password protected BIOS/UEFI firmware (defined), password protected GRUB edit mode and where the hard disk/SSD (solid state drive (defined)) is encrypted can all be bypassed by exploiting this vulnerability.

The researchers in their description of this vulnerability bypass the encryption of the hard disk/SSD by infecting the system (by means of this vulnerability) and allowing the user to decrypt the data (information disclosure) for the attackers by having the legitimate user enter the correct password as they log on normally to the system (an elevation of privilege attack (defined); since the attackers would not normally have this level of access). A denial of service attack (DoS)(the concept of DoS is defined here) can also be carried out by the attacker by corrupting the encrypted data and/or the GRUB leaving the legitimate user unable to access their own data.

Before bypassing the encryption however, they also describe patching (modifying the genuine/legitimate GRUB loader) so that it always authenticates the logged on user rather than asking for a password (bypassing the password protected edit mode of GRUB mentioned above).

Next they describe using the patched GRUB loader to load a Linux kernel so that they can then install malware of their choice. This also has the advantage that logging of their actions is not recorded since the syslog daemon (defined) is not running (carrying out it’s purpose) since the bash (Bourne-Again SHell)(defined) is the first process to run.

With that shell (defined) running on the system the researchers next describe how they illustrated a proof of their concept by installing a modified library (the general concept of a code library is defined here, only Windows systems use DLLs (defined) and so are not relevant for this discussion of Linux systems) belonging to Mozilla Firefox so that when Firefox is active, code (instructions) of their choice are also carried out. This code uses Netcat (defined) to set up a reverse shell (defined) allowing them to control the victim system as if they were in front of it (in this case the researchers show the reverse shell being able to access the private data folders belonging to the logged in user).

How Can I Protect Myself From This Issue?
Debian, Ubuntu and Red Hat (among others) have released updates to GRUB to address this vulnerability. For Linux systems the relevant updates can also be obtained via the Package Manager bundled with your Linux distribution (see this link(Debian) and this link (Ubuntu) that should assist you in using the package manager for your distribution of Linux).

Thank you.

Cisco Issues Web Security Appliance Security Updates

In early November Cisco made available security updates to resolve 3 CVEs (defined)(1x critical and 2x high severity) within their Web Security Appliances (WSA).

Why Should These Issues Be Considered Important?
The first and most serious vulnerability could allow an authenticated user (a user already with some level of access to your Cisco appliance) if they pass specific commands as arguments (parameters, defined) to the system scripts used to create certificates that will result in them obtaining root level access (defined) to your security appliance.

The remaining 2 high severity issues could result in a denial of service (DoS, defined) condition when exploited by a remote unauthenticated attacker (i.e. someone with no initial access to your security appliance). These issues are caused by failures to free (make available for use) memory during “opening multiple connections that request file ranges” and retrieving “data from the proxy server cache to terminate a TCP connection.” The result of these denial of service attacks would be your security appliance being temporarily unavailable to carry out it’s role within your organization.

The most severe security issue has no available workaround but the high severity issues have workarounds and indicators of compromise (IOC)(defined) to detect if attacks using these issues have occurred. At this time, the Cisco Product Security Incident Response Team (PSIRT) is not aware of any of these issues being used to attack its customers.

The affected appliances are as follows:

  • Critical issue: Cisco AsyncOS for the WSA versions 8.0 and later, both virtual and hardware versions
  • High severity issues: Cisco AsyncOS versions 8.0 through 8.8 for Cisco WSA on both virtual and hardware appliances.

Steps to determine if your appliances are affected are provided in the 3 Cisco security advisories mentioned below.

How Can I Protect Myself From These Issues?
If your organization uses any of the above mentioned Cisco Web Security Appliances please follow the directions within the 3 Cisco security advisories mentioned below to install the necessary security updates:

Cisco Web Security Appliance Certificate Generation Command Injection Vulnerability
Cisco Web Security Appliance Range Request Denial of Service Vulnerability Advisory 1
Cisco Web Security Appliance Range Request Denial of Service Vulnerability Advisory 2

Thank you.

NTP Project Releases Security Update

In late October the NTP Project; the maintainers of the Network Time Protocol (NTP)(defined) issued a security update to resolve 13 medium and low CVEs (defined) in this commonly used protocol. This update brings the version of NTP to 4.2.8p4.

Why Should These Issues Be Considered Important?
3 of the issues addressed by this security update were discovered and responsibly disclosed (defined) to NTP by 4 researchers from Boston University. Their research is described in this paper.

The first issue involves the use of a Kiss-of-Death packet that is normally used to prevent a client device (e.g. a desktop or laptop computer etc.) from repeatedly requesting the correct time from an NTP server when the client device may be experiencing technical issues. This prevents the NTP server becoming inadvertently overloaded. An attacker can exploit this issue by sending a Kiss-Of-Death packet to a victim device from any location (what is known as an off-path attack). This packet depending on the poll value within it has the potential to prevent that victim device from correctly setting it’s clock for a year or more.

The second issue resolved is very similar but involves the attacker sending a large number of queries requesting the correct time to the NTP server. These queries have been spoofed to look like they came from the victim device. The server then responds to the victim device with the above mentioned Kiss-Of-Death packet again disabling the victim devices means of updating it’s clock. This issue could be exploited if the first issue mentioned above has already been patched on the time server. This results in the victim device experiencing a denial of service issue (defined) since it can no longer set it’s clock due to no fault of it’s own.

The third and final issue requires that the attacker be positioned in a man-in-the-middle (defined) position between the client and the server which could allow the attacker to roll back the time on the victim device that bypasses the 16-minute threshold that is usually imposed to prevent a server from setting a client devices clock more than 16 minutes from the actual correct time.

If a device has its clock set to an inaccurate time that differs too much from the correct time it can cause that device to no longer be able to carry out actions that primarily use correct time to function properly. The use of timestamps is primarily employed in cryptography to prevent replay attacks (defined) or to determine if a digital certificate is still valid (among other purposes). For the full details of how features such as TLS (defined here and here), DNSSEC (defined), DNS (defined) (among others) as well as the online cryptocurrency Bitcoin can be affected as a result of these issues please refer to page 2 and 3 of the above mentioned paper.

Since the above features (among others) rely on a device having an accurately set clock and given that an attacker can exploit these 3 issues relatively easily these issues should be patched as soon as possible.

How Can I Protect Myself from These Issues?
NTP is available for most operating systems primarily Linux and Mac OS X (however versions for Windows also exist). In addition, almost any device can request the correct time from an NTP server and thus could be affected by these issues even if NTP is not installed on the device (but would need to be installed on the server).

Full details of these issues are provided by the NTP project on this page (see the October 2015 entry). Updated versions of NTP are available from this page. For Linux systems the relevant updates can also be obtained via the Package Manager bundled with your Linux distribution (see this link (Debian) and this link (Ubuntu) that should assist you in using the package manager for your distribution of Linux). Apple usually update NTP via their App Store and Software Update, details are available on this page.

In addition, recommendations to more thoroughly protect against all of the flaws discussed in the above mentioned research paper are provided on this page.

Thank you.

Cisco Releases Adaptive Security Appliance (ASA) Security Updates

In late October Cisco released a series of 4 security advisories to resolve 4 high severity CVEs (defined) that could result in a denial of service (DoS)(defined) condition for the affected Cisco networking Adaptive Security Appliance (ASA) software.

Why Should These Issues Be Considered Important?
If you make use of Cisco ASA software an unauthenticated remote attacker (namely an attacker that does not have any prior access to your Cisco software) could potentially prevent that software from performing it’s job by causing that software to reload (stop functioning and then restart).

Reloading could be called a denial of service (DoS) condition since while your software is reloading it’s not doing what it was intended to do within your organization. The attacker would only need to send the software a specifically crafted DHCPv6 (see Aside below for a definition) or UDP (defined) packets (when exploiting the VPN ISAKMP issue which involves IKE (Internet Key Exchange (IKE)) v1; see Aside 3 below for a definition) to exploit these issues.

In the case of the first 2 advisories concerning how the ASA software processes DNS requests (see this post for a non-technical explanation and see Aside 2 below for a more formal definition of DNS) the attacker would only need to send the ASA software specifically crafted packets that will cause the software to generate a DNS request packet.

The above means of attack makes it reasonable easy for an attacker to take advantage of these issues to interrupt the normal operation of your ASA software. Finally, there are no workarounds available for these issues (apart from disabling the affected components, which is not really an option if you make use of them).

How Can I Protect Myself From These Issues?
At this time the Cisco Product Security Incident Response Team (PSIRT) is not aware of any of these issues being exploited by attackers since these issues were discovered during internal security testing.

If your organization uses any of the above mentioned Cisco ASA software please follow the directions within the four Cisco security advisories mentioned below to install the necessary security updates:

Cisco ASA Software DNS Denial of Service Vulnerability Advisory 1
Cisco ASA Software DNS Denial of Service Vulnerability Advisory 2
Cisco ASA Software DHCPv6 Relay Denial of Service Vulnerability
Cisco ASA Software VPN ISAKMP Denial of Service Vulnerability

Thank you.

=======================
Aside:
What is DHCP?

Dynamic Host Configuration Protocol (DHCP) is a protocol that automatically assigns an IP address (defined) to a computing device to enable it to communicate with other devices on that network.

The IP addresses provided can be static (fixed) or dynamic (temporary; these addresses exist for a time known as the leasing time, when the lease expires the device can choose to renew the lease for another lease period e.g. 12 hours). The IP address assigned by DHCP comes from a pool (collection) of free address available for use on that network. The process of being automatically assigned an IP address is similar to being given a phone number so that you can call other phone numbers to speak to other people.

DHCP can also provide other information such as the IP address of the DNS server to a device enabling it to access websites on the internet when a person types a website address into their web browser address bar (DNS is explained in more detail below).

Finally DHCP provides the newly established device on that network with the IP address of the default gateway of that network enabling the device to communicate with other networks (e.g. the wider internet). The default gateway acts as a bridging point from one network to another (usually networks using different protocols e.g. ATM (defined) or Frame Relay (defined)). For example, in your home your wireless router acts as both your default gateway and your DNS server (unless you decide to use custom DNS settings). This router connects your devices (which are part of your Local Network (LAN) to the internet (a Wide Area Network, WAN)).

Please note that DHCPv6 is the IPv6 (defined) equivalent of DHCP (which is used with current generation IPv4 networks).
=======================

=======================
Aside 2:
What is DNS?

DNS (Domain Name Service) works very much like looking a phone number up in a phone book. By doing so it translates website names e.g. www.google.com into an IP address (defined) allowing for example your web browser to connect to Google’s server to display Google’s homepage. However this communication between computers could also be used for any other desired purpose.

DNS can also be used with email services to locate a mail server for you to send a message from your computer to that domain e.g. to bob@example.com An MX (mail exchange record) maps that domain name (example.com) to a list of mail transfer agents (MTA) for that domain. MTAs transfer a message using SMTP (defined) from MTA to MTA until it reaches the MTA for the messages destination.

DNS usually uses UDP (defined) port 53 to communicate with other DNS servers to find the IP address for the website name that you entered. DNS servers also communicate/synchronize with one another to stay up to date with the appropriate domain name to IP address translations using a process known as DNS zone (defined) transfers.
=======================

=======================
Aside 2:
What is Internet Key Exchange (IKE)?

Internet Key Exchange is part of a wider security feature known as IPSec.

IPSec (Internet Protocol Security) is a set of protocols that provide a means of setting up a secure channel of communication between 2 computing devices. Many VPNs (Virtual Private Networks)(defined) used by employees to access data and computers (usually servers) when outside of the office use IPSec to secure the connection between the employee’s device and their corporate office.

IPSec is a framework (recommended means of accomplishing something) and thus it does not stipulate specific hashing algorithms (e.g. SHA-1) or encryption algorithms e.g. RSA or ECC to use when creating a secure channel between 2 devices. Moreover, how the 2 devices exchange public keys are not specified.

A commonly used key exchange mechanism used when IPSec is securing a channel is Internet Key Exchange (IKE)(defined within RFC 2828). This standard is made up of ISAKMP (Internet Security Association and Key Management Protocol (ISAKMP)) and OAKLEY protocols. ISAKMP provides the necessary means of exchanging the encryption keys while OAKLEY actually carries out the exchange.

The establishment of the secure channel happens in two phases described in detail within this Cisco article. The Diffie-Hellman algorithm is used to agree on the public encryption for use within this secure channel within phase 1.

IKE is used with IPSec to provide the following benefits:

  • Removes the need to manually set the IPSec security parameters while establishing the connection between two devices.
  • Protects against replay attacks (summarized details of such are provided in this thread (this is a long thread, I would advise searching for the keyword “session” within that page)).
  • Provides the ability to set a limited lifetime for the IPSec communication channel which takes advantage of the capability for encryption keys to change during an individual IPSec session (essentially providing the capabilities and extra security of a temporary session key.

=======================

Cisco Releases Scheduled Security Updates For IOS and IOS XE

Earlier this week Cisco released security updates to address authentication bypass and denial of service (defined) security vulnerabilities within Cisco IOS and IOS XE.

Why Should These Issues Be Considered Important?
The SSHv2 RSA authentication bypass vulnerability could allow an unauthenticated remote attacker to obtain the access privileges of the logged in user or the privileges of the Virtual Teletype (VTY) line which could be admin privileges. The attacker would however need to know a valid user name and possess a specifically crafted private key. The only workaround to this issue is to disable RSA based SSHv2 authentication.

Meanwhile a vulnerability in the processing of IPv4 packets that require Network Address Translation (NAT) and Multiprotocol Label Switching (MPLS) services could allow an unauthenticated remote attacker to cause your Cisco IOS XE device to stop functioning (namely a denial of service attack. The attacker would only need to send the device a specifically crafted IPv4 (defined) packet.

This flaws affects the following products:

  • Cisco ASR 1000 Series
  • Cisco ISR 4300 Series
  • Cisco ISR 4400 Series
  • Cisco Cloud Services 1000v Series Routers

Separately 2 vulnerabilities in the IPv6 snooping feature from the first-hop security features in Cisco IOS and IOS XE Software could also cause a denial of service issue. For an attacker to exploit the insufficient validation of IPv6 ND packets they would only need to send it a malformed IPv6 packet. For the second flaw, the insufficient Control Plane Protection (CPPr) against specific IPv6 ND packets an attacker would need to send a large amount of specifically crafted IPv6 ND packets to a vulnerable device.

For the vulnerabilities involving the processing of IPv4 and IPv6 (defined) packets, no workarounds are available (apart from disabling the IPv6 snooping feature) to mitigate the 2x IPv6 flaws until the appropriate security updates are installed.

The remaining vulnerabilities affect any Cisco device running IOS and/or IOS XE. As you can see, only the access bypass issue is likely to pose a challenge to a determined adversary, all other issues discussed above could potentially be easily exploited.

How Can I Protect Myself From These Issues?
Within the Cisco security advisory you can use the link provided to access the Cisco IOS Software Checker to determine if your Cisco IOS device is vulnerable to these issues. This security advisory also provides the links to the individual advisories for each vulnerability which contain the steps to install the appropriate updates.

Thank you.