Tag Archives: Linux

WPA2 KRACK Vulnerability: What you need to know

Last Sunday, the early signs of a vulnerability disclosure affecting the extensively used Wi-Fi protected access (WPA2) protocol were evident. The next day, disclosure of the vulnerability lead to more details. The vulnerability was discovered by  two researchers Mathy Vanhoef and Frank Piessens of the Katholieke Universiteit Leuven (KU Leuven) while examining OpenBSD’s implementation of the WPA2 four way handshake.

Why should this vulnerability be considered important?
On Monday 16th October, the KRACK (key re-installation attacks) vulnerability was disclosed. This vulnerability was found within the implementation of the WPA2 protocol rather than any single device making it’s impact much more widespread. For example, vulnerable devices include Windows, OpenBSD (if not already patched against it), Linux, Apple iOS, Apple macOS and Google Android.

If exploited this vulnerability could allow decryption, packet replay, TCP connection hijacking and if WPA-TKIP (defined) or GCMP (explained) are used; the attacker can inject packets (defined) into a victim’s data, forging web traffic.

How can an attacker exploit this vulnerability?
To exploit the vulnerability an attacker must be within range of a vulnerable Wi-Fi network in order to perform a man in the middle attack (MiTM)(defined). This means that this vulnerability cannot be exploited over the Internet.

This vulnerability occurs since the initial four way handshake is used to generate a strong and unique key to encrypt the traffic between wireless devices. A handshake is used to authenticate two entities (in this example a wireless router and a wireless device wishing to connect to it) and to establish the a new key used to communicate.

The attacker needs to manipulate the key exchange (described below) by replaying cryptographic handshake messages (which blocks the message reaching the client device) causing it to be re-sent during the third step of the four way handshake. This is allowed since wireless communication is not 100% reliable e.g. a data packet could be lost or dropped and the router will re-send the third part of the handshake. This is allowed to occur multiple times if necessary. Each time the handshake is re-sent the attacker can use it to gather how cryptographic nonces (defined here and here) are created (since replay counters and nonces are reset) and use this to undermine the entire encryption scheme.

How can I protect myself from this vulnerability?
AS described in this CERT knowledge base article.; updates from vendors will be released in the coming days and weeks. Apple (currently a beta update) and Microsoft already have updates available. OpenBSD also resolved this issue before the disclosure this week.

Microsoft within the information they published for the vulnerability discusses how when a Windows device enters a low power state the vulnerable functionality of the wireless connection is passed to the underlying Wi-Fi hardware. For this reason they recommend contacting the vendor of that Wi-Fi hardware to request updated drivers (defined).

Links to affected hardware vendors are available from this ICASI Multi-Vendor Vulnerability Disclosure statement. Intel’ security advisory with relevant driver updates is here. The wireless vendor, Edimax also posted a statement with further updates to follow. A detailed but easy to use list of many vendors responses is here. Since I use an Asus router, the best response I could locate is here.

======
Update: 21st October 2017:
Cisco have published a security advisory relating to the KRACK vulnerability for its wireless products. At the time of writing no patches were available but the advisory does contain a workaround for some of the affected products.
======

The above updates are software fixes but updates will also be made available for devices in the form of firmware updates e.g. for wireless routers, smartphones and Internet of Things (IoT)(defined) devices. For any wireless devices you own, please check with the manufacturer/vendor for available updates with the above CERT article and vendor response list detailing many of the common vendors.

Thank you.

BlueBorne : Bluetooth Vulnerability Explained

Researchers from the security firm Armis have discovered a set of eight security vulnerabilities within the Bluetooth (defined) communications technology and responsibly disclosed (defined) them to affected device manufacturers. These are not present in the protocol layer of Bluetooth but within the implementation layer of Bluetooth which “bypasses the various authentication mechanisms, and enabling a complete takeover of the target device” (source). An estimated 5.3 billion devices are thought to be vulnerable ranging from computers tablets, smartphone, TVs, watches to Internet of Things (IoT) (defined) medical devices. This set of vulnerabilities is known as “BlueBorne”.

What is BlueBorne and why is it important?
Exploitation of the BlueBorne vulnerabilities allows the complete compromise of the vulnerable device and does not require the vulnerable device be paired (defined) with the attacking device.

Once exploited the vulnerabilities allow the attacker to conduct remote code execution (defined: the ability for an attacker to remotely carry out any action of their choice on your device)) and man in the middle attacks (defined). To begin the attack, the attacker does not need for the user of the vulnerable device to have taken any action.

These vulnerabilities are particularly severe since Bluetooth is less secured on a corporate network than for example, the proxy server (defined) providing internet access making spreading from advice to device in a worm (defined) like fashion (theoretically) possible. The Bluetooth protocol often runs with high privilege on devices and is not usually considered a potential entry point into a network. Air gapped systems (defined) are also potentially vulnerable.

How can I protect myself from these issues?
Software updates for some devices are listed here (for Google, Linux and Microsoft devices). Recent Apple devices were found not to be vulnerable. A full list of affected devices and the software updates to protect them are listed here and will be updated by Armis.

For users of Google Android devices, they can check if their device is vulnerable by downloading the BlueBorne Android app. Disabling Bluetooth if you are not using it and only leaving it enabled for the time you are using it are also good security practices. Once your devices are updated, you should be able to resume normal Bluetooth usage. Please not that not all devices will or can be updated due to end of support lifecycles, newer products and product limitations. It is estimated approximately 2 billion devices will not receive software updates to resolve these issues.

Thank you.

Malware Uses Linux Systems as Proxies

A Trojan horse (defined) is compromising Linux systems by exploiting poorly implemented SSH (Secure Shell)(defined) remote access. Many are already compromised systems first have a new account created with a notification to the Trojans authors providing the details of the system enabling a remote connection. The Trojan then installs the Satanic Socks Server utility to set up proxy server (defined) for use by the attackers or any individual they chose to connect to your system (very likely for a fee). More information on this threat is available here and here.


How Can I Protect Myself from This Threat?

If you are an administrator of Linux servers/workstations you should ensure remote SSH access uses a strong authentication mechanism. If this access is not required, strongly consider disabling SSH access.

To check if your Linux system has already been compromised, you can list the user accounts from a Linux system using the commands below. If you locate any suspicious accounts, you can delete them. I will also provide other useful commands below:

cat /etc/passwd
: this will list the name of user accounts
grep :0: /etc/passwd : will find accounts with the string “”:0″” within them (accounts with root privileges)

crontab -l -u root : display cron jobs (defined) scheduled by root and any other UID 0 accounts

Attackers often schedule jobs that include backdoors on the machine guaranteeing the attacker return access to the system.

The above commands are particularly useful if you already know the outputs of these commands when your system is working fine/as expected. You can then compare those known good outputs to the current output to more easily determine if your system has been compromised.

If you find a rogue/unknown user account; you can delete it using the following command:

userdel -r [account name]

where [account name] is the name of the user account that you wish to delete.

I hope that the above information is useful to you in protecting your Linux systems against this threat.

Thank you.

Pwn2Own 2017 Contest Announced (Tenth Anniversary)

=======================
Update: 19th March 2017:
=======================
A more recent blog post discusses the results of the 2017 Pwn2Own contest.

Thank you.

=======================
Original Post:
=======================
With the month of March not too far away, I’m looking forward to the annual Pwn2Own contest taking place in Vancouver, Canada. Regular readers of this blog will know of the benefits it brings and why I look forward to it each year.

This year sees the return of Adobe Reader to the competition; a good decision due to the large numbers of vulnerabilities still being patched. I applaud the decision of Mozilla Firefox returning too since a zero day (defined) exploit was seen in recent times. It’s also in the top 3 in terms of usage. With a 64 bit version now available it should increase usage/competitiveness even further.

The full list of products that will be in the competition is here.

Just some of the interesting new additions are Ubuntu, Microsoft Hyper-V and Microsoft Office applications, which have never been present before. With vulnerabilities being patched routinely for all three of categories (especially for Microsoft Office), their inclusion should help us all when vulnerabilities are exploited and the researchers rewarded for their excellent work.

With the rise of malware for Apple Mac OS X and Linux it’s great to see them both in the contest this year. Previously only Mac OS was present.

Since the contest is celebrating its 10th anniversary it’s great to see other additions such as the Apache web servers and Ubuntu servers too. I often see servers installed and patched very little, if at all. This leads to situations where servers continue to have vulnerabilities long after they have been patched (more on that in this blog post). As for web servers, cross site scripting and CSRF remain consistent threats.

With extra points awarded for root access (defined) for Mac OS X or System level (defined) access for Windows this year’s contest is bigger than ever. With the more vulnerabilities that are found by the researchers the more they are awarded and the more everyone benefits by the vulnerabilities being responsibly disclosed (defined) to their vendors.

I will write another post when the results of this year’s contest are available and will discuss any highlights and how they will benefit us as users of these products.

Thank you.

Encrypted Linux Systems Affected By Boot Process Vulnerability

Early last week a potentially serious vulnerability (assigned CVE-2016-4484 (defined)) within the Linux boot sequence was disclosed by security researchers at the DeepSec conference in Vienna.

Why Should This Issue Be Considered Important?
This is an elevation of privilege (defined) vulnerability that when exploited can result in an attacker obtaining root (defined) level access over your Linux system. It can be exploited by continually pressing the Enter key at the LUKS (Linux Unified Key Setup) password prompt. According to the researchers Hector Marco & Ismael Ripoll after approximately 70 seconds a new root shell (defined) will appear.

With this shell the attacker can delete all of information on the encrypted disks the LUKS prompt is designed to protect. This could also be used to copy the encrypted information to another location to attempt to brute force (defined) it. This also applies to any unencrypted information on the disk. Finally it could be used to elevate privileges from a standard user by storing an executable file with the SetUID bit enabled.

Interestingly this issue can only occur if the system partition is encrypted. At least Debian and Ubuntu distributions are vulnerable to this issue. Others may be too but the researchers have not exhaustively tested them.

Further details of this issue are provided within the researcher’s blog post.

How Can I Protect Myself From This Issue?
The researchers have provided a workaround and have proposed a more permanent fix within their blog post. It involves editing the cryptroot file so that the computer simply reboots when the number of password guesses reaches the limit.

If you are a Linux system administrator or know someone who is, this issue and it’s fix may be of interest. Thank you.

Ubuntu Issues Security Updates for April 2016

In the first week of April Ubuntu issued security updates to address vulnerabilities responsibly disclosed (defined) in the Ubuntu kernel (defined). Each vulnerability addressed was assigned a separate CVE identifier (defined).

Why Should These Issues Be Considered Important?
While no severities were assigned by Ubuntu to these issues any issue within the kernel can be consider high to critical severity (if it is remotely exploitable) since if control of the kernel can be obtained an attacker can then use that control to carry out any action of their choice. Ubuntu does however mention that the most severe of these issues can potential lead to remote code execution (the ability for an attacker to remotely carry out any action of their choice on your Ubuntu device) while the remainder can lead to denial of service conditions (defined).

The types of vulnerabilities addressed are varied and range from use-after-free (defined) vulnerabilities to timing side channel attacks (defined, in this case exploiting the timing within the Linux Extended Verification Module (EVM)) to a buffer overflow (defined) and incorrect file descriptor handling (defined).

How Can I Protect Myself From These Issues?
Within Ubuntu’s security advisory they provide the steps to download the appropriate updates for the version of Ubuntu that you are using. In addition, a system reboot is required for these updates to take effect.

In addition, 3 recent security advisories listed below were also made by available by Ubuntu, please ensure that you have followed the steps within each to ensure that you are protected from these vulnerabilities:

USN-2917-3: Firefox regressions: Addresses 34x CVEs
USN-2951-1: OptiPNG vulnerabilities: Addresses 5x CVEs
USN-2950-1: Samba vulnerabilities: Addresses 8 CVEs (among them the Badlock issue)

Thank you.

glibc Security Vulnerability Patched

In late February security researchers announced the discovery of a critical a security vulnerability in the GNU C library (glibc). This is the same library in which the Ghost vulnerability was found last year.

Why Should This Issue Be Considered Important?
This issue is a stack based buffer overflow (defined) vulnerability of critical severity that affects a large number of Linux systems e.g.:

  • RedHat Enterprise Linux 6 (glibc version 2.12)
  • RedHat Enterprise Linux 7 (glibc version 2.17)
  • Debian squeeze (glibc version 2.11)
  • Debian wheezy (glibc version 2.13)
  • Debian Jessie (glibc version 2.19)

A complete list is available from this US-CERT vulnerability note.

As with the Ghost vulnerability the getaddrinfo() function (defined) is the source of the vulnerability. This newer vulnerability could allow an attacker to gain control over vulnerable systems as they connect to a DNS server under the control of an attacker.

Google researchers in their responsible disclosure (defined) of this vulnerability state that this flaw can exploited using sudo, curl and ssh (among others). Man-in-the-middle attacks (defined) and attacker controlled domain names are also mentioned as a means of exploiting this vulnerability within Google’s security advisory.

Since this is a stack based buffer overflow this overflows can be triggered using oversized UDP (defined) or TCP (defined) responses (larger than 2048 bytes) which are then immediately followed by a response which overflows the stack.

The above overflow could (for instance) be triggered by an attacker by having the target system perform a DNS (defined) lookup for a website domain under the control of the attacker. Further technical details exploiting this flaw are available from this message located on the glibc project mailing list.

Mitigating factors for this vulnerability include ASLR (defined), Moreover an option to use until you can apply the necessary security patch is limiting the response sizes accepted by the DNS resolver locally to 1024 bytes thus preventing the stack be based buffer overflows. Further mitigations are mentioned by Google (see the heading: Issue Summary) in their security advisory and by the glibc developers in their patch announcement for this vulnerability. A further defence in-depth (defined)(PDF) mitigation is provided by SANS Institute’s Johannes B. Ullrich in this forum thread.

How Can I Protect Myself from This Issue?

If your Linux device is found to be vulnerable continue to check for updates until one becomes available that resolves this issue. You can check for updates for your Linux device by using the Package Manager bundled with your Linux distribution (see this link (Debian) and this link (Ubuntu) that should assist you in using the package manager for your distribution of Linux).

Specific information for some of the affected versions of Linux are provided below:

RedHat also highlights the need to patch/update containers (defined e.g. Docker containers) as well as verifying the fixes are installed across the containers running within large organizations.

Once the update is installed you will need to restart/reboot the Linux device to have the update take effect.

Update: 20th March 2016:
The glibc vulnerability affected VMware’s ESXi version 5.5 and 6.0 products (among the other products listed in this post). In order to address these issues, please refer to VMware’s security advisory to download the necessary updates.

Thank you.

=======================
Aside:
What is a library (when used in the context of computing)?
The general concept of a code library is defined here, only Windows systems use DLLs (defined) and so are not relevant for this discussion of Linux systems.
=======================