Tag Archives: Information Disclosure

Cloudflare addresses data leak

For 5 days within February this year; an information disclosure issue affected Cloudflare’s infrastructure. This led to their systems inadvertently leaking private session keys, website cookies, encryption keys and passwords.

Why should this vulnerability be considered important?

The scale of the issue was large, affecting an estimated 2 million websites. This flaw was due to a coding error within a parser (defined) (undetected at the time) used to modify HTML webpages and related to how the memory containing buffers (defined) of their NGINX (defined) web server functioned. Google Project Zero vulnerability researcher Tavis Ormandy contacted Cloudflare over Twitter who mitigated the issue in 47 minutes and completed their work in less than 7 hours; an incredibly swift resolution. Cloudflare later noted it would usually take 3 months to resolve an issue similar to this.

How can I protect myself from this vulnerability?

Cloudflare documented their findings of this incident within this blog post. Their analysis shows no evidence of attackers using the leaked information for malicious account access, accessing sensitive information or fraudulent purchases (in the case of exposed credit card numbers).

Cloudflare is continuing to review the leaked information and working to remove it from third party caches. They have committed to a review (both internal and with the assistance of external auditor Veracode) of the parser code which inadvertently lead to this information leakage.

As a precaution I would recommend monitoring any affected accounts for unwanted activity and change passwords and enable 2 factor authentication should any unwanted activity take place. The list of affected websites is here.

Further discussion of the impact of this issue is available from this SANS forum post and this Softpedia news article.

Thank you.

FTP Handling Vulnerabilities Disclosed in Java and Python

Last month security researchers Alexander Klink and Blindspot Security Researcher Timothy Morgan publicly disclosed information disclosure and low-privilege code execution vulnerabilities affecting Oracle Java and Oracle Java/Python respectively. Alexander Klink’s vulnerability relates to XXE (XML External Entity) processing specifically crafted XML files leading to information disclosure. Timothy Morgan’s vulnerabilities involve adding Carriage Return (CR) and Line Feed (LF) characters to the TCP stream (a structured sequence of data) to the FTP processing code within Java and Python. The researchers notified the affected vendors over a year ago but the vendors did not address these issues. Timothy Morgan’s vulnerability also causes firewalls to open a port to temporarily allow an FTP connection.

How can I protect myself from these vulnerabilities?
Fortunately exploitation of these vulnerabilities is not trivial since the first FTP vulnerability requires an attacker to already have already compromised an organizations internal email server. The second vulnerability requires an attacker to know the victims internal IP address and for the FTP packets to be in alignment.

System administrators responsible for network infrastructure should monitor communications to email servers for suspicious activity and ensure internal computer systems are not accessible from the external internet (for example using Shodan). Apply vendor software updates when made available for these issues. The blog posts from the researchers here and here provide further detailed recommendations to mitigate these vulnerabilities.

Thank you.

Wifi Devices Leak Potentially Sensitive Information

While I was at a security conference late last year it was demonstrated using the Airodump tool for Linux; the association requests visible for all Wifi devices present within the conference room. The command used was:

airodump-ng wlan0mon -w scan.ams --showack --wps -U -M -e -g

Where scan.ams was the name of a previously gathered packet capture.

I realise this is how Wifi was designed and it is working as intended. I also realise that this issue is not new and may not be of assistance to everyone for that reason.

I was fortunate that my phone had Wifi turned off at the time, especially since I was near the front of the room. The association requests display the SSID (defined) of any previous Wifi access point a device has successfully connected to/has credentials for. These requests were shown to be constantly being sent from the devices present in the room.

Using this list of SSIDs, you can input an SSID into the Wigle website and see where in the world that wireless network is located. If you have a unique SSID that website can show the address of where you work or live.

Further information on the Airodump tool is located in the links below:

Airodump-ng

Aircrack-ng Newbie Guide for Linux

airodump-ng(1) – Linux man page

More information on association requests is available here.

Good advice to prevent this type of information disclosure from the Wifi devices that you carry with you is to turn off Wifi if you are not using it (sorry if that is very obvious). If you administer Wifi access points, set the SSID to something that won’t attract attention and choose a non-unique SSID if you can (this way the exact location of a network will be harder to find).

Thank you.

Apple Releases Security Update for iBooks Author App

Yesterday Apple made available a security update for their iBooks Author App bringing it to version 2.4.1. Full details of this update are available from Apple’s support page for this update. The update addresses an information disclosure issue (in this instance revealing details of the logged in user) that could be exploited by an attacker if you open a specifically crafted iBook Author file.

Since this app is available from Apple’s App Store you should receive a notification to update this app as discussed here. The App Store also offers the ability to automatically install updates (as detailed at the end of the page just linked to). Alternatively, the updated app is available from this page.

If you use and/or have this app installed, please install the update mentioned above to address this security issue as soon as possible.

Thank you.

Linux GRUB Security Vulnerability Swiftly Patched

Earlier this month a pair of security researchers within the Cybersecurity Group at Universitat Politècnica de València discovered an integer underflow (defined) vulnerability within the Linux GRUB bootloader (defined, my thanks to Lucian Constantin, IDG News Service for providing an excellent summary of the purpose/function of the GRUB bootloader within that article). The researchers responsibly disclosed (defined) this issue to the main distributors of Linux in order to protect their users. My thanks to everyone involved for so quickly addressing this vulnerability.

Why Should This Issue Be Considered Important?
This issue is very easy for an attacker to exploit namely that they only need to have physical access (be in front of the system) for a short time in order to exploit it. With this access, they simply press the backspace key (just above the main Enter/Carriage return) key 28 times in order to exploit this vulnerability. They could easily obtain this physical access by breaking into the premises where such a system is located.

Moreover, systems with defences such as disabled CR-ROM drives (otherwise known as optical drives), disabled USB ports, restricted network boot options, password protected BIOS/UEFI firmware (defined), password protected GRUB edit mode and where the hard disk/SSD (solid state drive (defined)) is encrypted can all be bypassed by exploiting this vulnerability.

The researchers in their description of this vulnerability bypass the encryption of the hard disk/SSD by infecting the system (by means of this vulnerability) and allowing the user to decrypt the data (information disclosure) for the attackers by having the legitimate user enter the correct password as they log on normally to the system (an elevation of privilege attack (defined); since the attackers would not normally have this level of access). A denial of service attack (DoS)(the concept of DoS is defined here) can also be carried out by the attacker by corrupting the encrypted data and/or the GRUB leaving the legitimate user unable to access their own data.

Before bypassing the encryption however, they also describe patching (modifying the genuine/legitimate GRUB loader) so that it always authenticates the logged on user rather than asking for a password (bypassing the password protected edit mode of GRUB mentioned above).

Next they describe using the patched GRUB loader to load a Linux kernel so that they can then install malware of their choice. This also has the advantage that logging of their actions is not recorded since the syslog daemon (defined) is not running (carrying out it’s purpose) since the bash (Bourne-Again SHell)(defined) is the first process to run.

With that shell (defined) running on the system the researchers next describe how they illustrated a proof of their concept by installing a modified library (the general concept of a code library is defined here, only Windows systems use DLLs (defined) and so are not relevant for this discussion of Linux systems) belonging to Mozilla Firefox so that when Firefox is active, code (instructions) of their choice are also carried out. This code uses Netcat (defined) to set up a reverse shell (defined) allowing them to control the victim system as if they were in front of it (in this case the researchers show the reverse shell being able to access the private data folders belonging to the logged in user).

How Can I Protect Myself From This Issue?
Debian, Ubuntu and Red Hat (among others) have released updates to GRUB to address this vulnerability. For Linux systems the relevant updates can also be obtained via the Package Manager bundled with your Linux distribution (see this link(Debian) and this link (Ubuntu) that should assist you in using the package manager for your distribution of Linux).

Thank you.

Cisco Issues Security Update to WebEx Android App

Last week Cisco issued a security update for their WebEx Meetings Android App to resolve a severe permissions issue.

Why Should This Issue Be Considered Important?

This is a serious security issue that could lead to information disclosure and an elevation of privilege (defined) attack. It’s present in all versions of the app that are older than version 8.5.1. As Cisco discusses in it’s security advisory this issue could be exploited by a remote attacker with no previous access to the app by tricking the user of the smartphone into downloading another app that exploits this issue within the WebEx app. If this were to happen any information and permissions/access that the WebEx app has will be then available to the malicious app.

In addition, there are no workarounds for this issue. At this time Cisco has not seen any evidence to show that this issue has been used by attackers.

How Can I Protect Myself From This Issue?
Cisco have released an updated version of the WebEx app to address this issue. The updated app is available from this link (Google Play Store). Graham Cluley’s blog post also contains one piece of further important advice to stay safe when downloading apps or app updates.

Thank you.