Tag Archives: Responsible Disclosure

Pwn2Own 2019 Results

TL DR: With popular products such as the Tesla Model 3, Apple Safari, Mozilla Firefox, Oracle VirtualBox, VMware Workstation Pro and Microsoft Edge being successfully exploited; please install the necessary updates when they become available.

The annual white hat hacking contest known as Pwn2Own took place last week. Detailed results from all 3 days are available from this link.

Day 3 saw initially two teams attempting to exploit a Tesla Model 3 before one withdrew. The team Fluoroacetate made up of both Richard Zhu and Amat Cama successfully exploited the infotainment system of the Tesla earning them a further $35,000 and the car itself. They earned $375k in total and became the Master of Pwn for 2019. The contest overall distributed $545k for 19 vulnerabilities.

In contrast to previous years the researchers have targeted vulnerabilities other than those within the operating system kernel (defined) to obtain a total system compromise. Only 3 times were exploits on the OS kernel used this year (one exploit was used in conjunction when exploiting each of the web browsers Apple Safari, Microsoft Edge and Mozilla Firefox).

We can expect updates for each of the exploited products over the coming weeks and months (the vendors have up to 120 days to resolve the vulnerabilities before public disclosure). Mozilla released Firefox 66.0.1 and 60.6.1 to resolve the 2 Firefox CVEs (defined) disclosed during the contest.

If you use the affected products, please keep current with the necessary updates. Thank you.

Notepad++ Update Results from Bug Bounty / 7-Zip Updates

====================
Updated: 11th March 2019
====================
Notepad++ 7.6.4 was released on the 6th of March resolving 8 security issues. If you use Notepad++, please update to the newest version to benefit from these security fixes.

Thank you.

====================
Original Post:
====================
On Sunday, 27th January; a new version of Notepad++ was released to address 7 vulnerabilities found by the EU-Free and Open Source Software Auditing (EU-FOSSA). Given that one of the vulnerabilities is potentially remotely exploitable and that Notepad++ is in such wide use both across the world and within the EU; we should update to version 7.6.3 to benefit from the remediation of these vulnerabilities.

TL DR: If you use Notepad++ or 7-Zip, please consider updating them (even if exploits for these vulnerabilities are rare or do not exist):

Other widely used software participating this bug bounty program are listed here (highlights include VLC, Putty, Apache Kafka, KeePass, Drupal, glibc and FileZilla). As I have previously discussed on this blog; if you use a 64 bit version of Windows, please consider using the 64 bit version of Notepad++; here’s why:

Please note, the 64 bit version of Notepad++ became available in September 2016. It allows the opening of larger files and includes High Entropy ASLR (Address Space Layout Randomization (defined)) on a 64 bit version of Windows. I have discussed HEASLR on this blog before and it’s an excellent security measure/control/mitigation (defined). Further information on HEASLR can be found on Alex Ionescu’s blog.

=======================
7-Zip Ranked as Number 5 in outdated software present on systems
=======================
On a separate but related note, earlier this month Avast made available a report that listed the most out of date software typically installed on systems. It was found that 7-Zip ranked number 5 with 92% of installs being out of date:

If you use 7-Zip, please consider upgrading it to version 18.06. I have previously provided descriptions of the vulnerabilities found in 7-Zip in 2018 and 2016 below. In addition; there have been several performance improvements in recent versions making the tool faster than before:

Updating 7-Zip is very easy. You should only download it from its official website. Installing the new version over an existing version takes only seconds.

Thank you.

Adobe Issues Further Security Updates

Early last week Adobe made available a further un-scheduled emergency security update available for download affecting Creative Cloud Desktop Application version 4.6.0 and earlier. This vulnerability impacts both Apple macOS and Windows systems.

If an attacker were to exploit this they could elevate their privileges (defined). As with the previous security update the vulnerability was responsibly disclosed (defined) to Adobe by Chi Chou of AntFinancial LightYear Labs.

Please follow the steps within this security bulletin to check if the version of Creative Cloud Desktop Application you are using is impacted and if so; follow the steps to install the relevant update.

Thank you.

Adobe Issues Critical Photoshop CC Security Updates

On Wednesday Adobe made available an out of band (un-scheduled) emergency update available for Photoshop CC for both Apple macOS and Windows systems.

Photoshop CC 2018 (versions 19.1.5 and earlier) and Photoshop 2017 (versions 18.1.5 and earlier) are affected by two critical memory corruption vulnerabilities. If an attacker were to exploit these they could achieve remote code execution (defined: the ability for an attacker to remotely carry out any action of their choice on your device). The vulnerabilities were responsibly disclosed (defined) by Kushal Arvind Shah of Fortinet’s FortiGuard Labs to Adobe.

Please follow the steps within Adobe’s security bulletin to install the applicable updates as soon as possible if you use these products.

Thank you.

Apache Foundation Patches Critical Struts Vulnerability

Earlier this week the Apache Software Foundation made available patches for Apache Struts (a web application framework (defined)) bringing the applications active development branches to version 2.3.35 and 2.5.17. These versions addresses a remote code execution vulnerability (defined: the ability for an attacker to remotely carry out any action of their choice on your device) known as CVE-2018-11776. This vulnerability was responsibly disclosed (defined) by the security researcher; Man Yue Mo.

Why should this vulnerability be considered important?
A data breach at the credit rating agency Equifax last year occurred in part due to their lack of patching their affected web servers. The vulnerability resolved this week can be exploited by an attacker simply by visiting specifically crafted URL (defined) on the affected web server (defined). Once exploited the server can be completely under the attacker’s control.

Typically within days of a vulnerability being disclosed; attackers begin to target and exploit it. Compromised are web servers (which are already public facing and can be located using Shodan) can be used as an entry point into other areas of your corporate network. Any application making use of the Struts framework is vulnerable regardless if those applications use plugins.

How to tell if your installation of Apache Struts is vulnerable?
Your Apache Struts is vulnerable if both of the conditions listed below are true (my thanks to this Semmle blog post for this information):

=====================

  1. The alwaysSelectFullNamespace flag is set to true in the Struts configuration. Note that this is automatically the case if your application uses the popular Struts Convention plugin.
  2. Your application uses actions that are configured without specifying a namespace, or with a wildcard namespace (e.g. “/*”). This applies to actions and namespaces specified in the Struts configuration file (e.g. <action namespace=”main”>), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin.

=====================

How can I protect my web servers from this vulnerability?
Depending upon which version of Apache Struts your web server is using; please upgrade to version 2.3.35 or 2.5.17 as soon as possible.

Thank you.

Vendors Respond to Spectre NG Vulnerabilities

====================
Update: 24th July 2018
====================
I have updated the list of vendor responses below to include further Red Hat versions and CentOS:

Red Hat Enterprise Linux 7:
https://access.redhat.com/errata/RHSA-2018:1629

CentOS 6:
https://lists.centos.org/pipermail/centos-announce/2018-July/022968.html

CentOS 7:
https://lists.centos.org/pipermail/centos-announce/2018-May/022843.html
====================

====================
Update: 19th June 2018
====================
Last Wednesday, the security news and troubleshooting website BleepingComputer published a table detailing the complete list of updates required to mitigate the Meltdown, Spectre and SpectreNG (also known as Spectre variant 4) vulnerabilities for all recent versions of Windows. This is very useful because I realise my previous blog post on Meltdown and Spectre was at times hard to follow (it has a lot of info within it).

As of Tuesday, 12th June Microsoft have released updates to address SpectreNG. While you can install these updates Microsoft have advised their security protections will not be enabled unless you choose to do so. This is due to the lower risk of SpectreNG and also given that enabling the security enhancements of these updates can lead to a performance penalty of up to 8% (as I detailed below).

Microsoft provide step by step advice and guidance if you wish to enable these updates within this security advisory. It is likely other OS vendors will take a similar approach e.g. Red Hat may also choose to distribute these updates but not enable them so as to work around the performance penalty.

For more information on the semi-related Intel Lazy Floating point vulnerability, please see my separate post.

Thank you.

====================
Original Post
====================
On Monday more details of these vulnerabilities were made available by affected vendors among them Red Hat, Google, Intel, IBM and Microsoft. There are two new vulnerabilities named:

Rogue System Register Read (Spectre Variant 3a) (CVE-2018-3640)

Speculative Store Bypass (SSB) (Spectre Variant 4) (CVE-2018-3639)

Why should these vulnerabilities be considered important?

Rogue System Register Read cannot be leveraged by an external attacker; they must instead log onto a vulnerable system and carry out further steps to exploit it. Once exploited the attacker may be able to obtain sensitive information by reading system parameters via side-channel analysis.

For Windows; successful exploitation of this vulnerability will bypass Kernel Address Space Layout Randomization (KASLR) protections. I have talked about ASLR (defined) before but provides this link more detail on kernel ASLR.

Google Project Zero’s Jann Horn and Microsoft’s Ken Johnson first reported Speculative Store Bypass. It can possibly be used by attacker externally (from the internet). I use the term “possibly” since the mitigations added to web browsers following Spectre variant 2 earlier this year will make it more difficult for an attacker to do so. Indeed, Intel rates the risk as “moderate.” This is a more serious vulnerability which may allow an attacker access to read privileged memory areas. An example would be a script running in one browser tab being able to read data from another browser tab.

Red Hat have made available a video more clearly explaining the Speculative Store Bypass (SSB) vulnerability.

How can I protect myself from these vulnerabilities?
At this time microcode updates are being developed by Red Hat, AMD, ARM, Intel, IBM and Microsoft. The affected products from many popular vendors are available from the following links. These vulnerabilities will not be addressed via software fixes but hardware fixes instead.

It is recommended to follow the best practice advice for these vulnerabilities as per the US-CERT namely:

1. Please refer to and monitor the links below for the updates from affected vendors.
2. Test these updates before deploying them widely
3. Ensure the performance impact (anticipated to be between 2 – 8%) is acceptable for the systems you manage/use.

These updates will ship with the mitigations disabled and if appropriate/acceptable for an affected system; the protection (along with its performance impact) can be enabled.

These updates are scheduled to be made available before the end of May. Cloud vendors (e.g. Amazon AWS, Microsoft Azure etc.) will also update their systems once the performance impact is determined and if deemed acceptable.

Thank you.

====================
AMD:
https://www.amd.com/en/corporate/security-updates

ARM:
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

Cisco:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180521-cpusidechannel

IBM:
https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

Intel:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

Microsoft (full impact yet to be determined):
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180013

Red Hat:
https://access.redhat.com/security/cve/cve-2018-3639

Oracle:
https://blogs.oracle.com/oraclesecurity/processor-vulnerabilities-cve-2018-3640-and-cve-2018-3639

SUSE:
https://www.suse.com/de-de/support/kb/doc/?id=7022937

Ubuntu:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Variant4

VMware ESXI, Fusion/Fusion Pro, Workstation/Workstation Pro and vCenter Server:
https://www.vmware.com/security/advisories/VMSA-2018-0012.html

https://kb.vmware.com/s/article/54951

https://kb.vmware.com/s/article/55111
====================

Details of Spectre Next Generation (NG) Vulnerabilities Emerging

====================
Update: 23rd May 2018:
====================
Please refer to the new blog post I have added to document and provide information on these new vulnerabilities.

Thank you.

====================
Original Post:
====================
Separate to my previous in-depth discussion of the Meltdown and Spectre vulnerabilities; I located this news article announcing the discovery of new vulnerabilities affecting Intel CPUs (and possibly ARM CPUs too). Few details are available; apart from that the vulnerabilities also affect Intel’s SGX (Software Guard Extensions)(defined) instructions and can be exploited within a virtual machine (defined) to gain access to the host (physical system).

It is likely further microcode updates from Microsoft and firmware update from Intel will be made available in the coming weeks. It is unknown if these new vulnerabilities dubbed Spectre Next Generation (NG) will be as serious as the original Meltdown and Spectre (Variants 1 and 2) disclosed in January.

On a related note (and discussed in another post); Microsoft resolved a regression in their Windows 10 Meltdown patch that was found by Windows Internals and security researcher Alex Ionescu. The fix was already included in Windows 10 Version 1803 (the April Update) and was provided to Version 1709 this month.

Thank you.