Tag Archives: Responsible Disclosure

Highlights from Pwn2Own 2020

====================
TL;DR:

The following products were successfully exploited; please install the necessary updates for them when they become available: Apple Safari, Apple macOS, Ubuntu Desktop, Windows, Oracle VirtualBox and Adobe Reader.
====================
As long-time readers of this blog will know, the Pwn2Own security conference with its white-hat hacking contest is my favourite event of the year. Sophisticated vulnerability exploitation is showcased, the contestants receive large sums of money and we as consumers receive safer products to use on a day to day basis. It took place late last week, virtually, due to the Coronavirus. The results from both days of competition can be found here. The total prize pool was USD $270,000.

The winners of the competition were Richard Zhu and Amat Cama of Team Fluoroacetate winning the Master of Pwn title and USD $90,000 in prize money.

Returning to the trend of previous years, exploits against the Apple macOS kernel (defined) and Windows kernel were common again. These are high severity vulnerabilities but when addressed will make our systems safer.

The vendors have up to 90 days to resolve the vulnerabilities before public disclosure. Please expect and apply the necessary security updates to the affected products as they become available.

Thank you.

Responding to the WPA-2 Kr00k Vulnerability

=====================
TL;DR
While this vulnerability degrades the security offered by WPA2 and WPA2-Enterprise, the use of HTTPS / TLS on your network will keep your web browsing traffic secure. An attacker would need to be in close proximity to the in-use Wi-Fi to exploit it and could only gather small amounts of information (if it is not already secured by TLS) over time. Please check if software or firmware updates are available for your Wi-Fi devices.
=====================

Yesterday at the RSA conference ESET Security researchers disclosed details of a vulnerability affecting very large numbers (more than 1 billion) of Wi-Fi devices. They named the vulnerability Kr00k.

How serious is this vulnerability?
Cisco has classified this vulnerability as medium severity with Apple further adding that “an attacker in Wi-Fi range may be able to view a small amount of network traffic”. It has received a CVSS base score of 3.1 (Low). While there is potential for an attacker to eavesdrop on your Wi-Fi it does not mean your Wi-Fi is completely open to attack. ESET clarifies this “eavesdropping on the communication of an unpatched device is simple enough for most black-hat actors”. In other words, an attacker would have to target your vulnerable network and be within Wi-Fi range to exploit it. With most traffic now secured by TLS (indicated by your web browser as HTTPS) an attacker could NOT view such traffic. An attacker could continuously trigger a disassociation between Wi-Fi devices and each time obtain several kilobytes of sensitive information (provided it isn’t already secured by TLS). Each disassociation could be used to gather a little more information.

How does this vulnerability work?
Affected are Broadcom chips, which are used in many of today’s Wi-Fi capable devices, and Cypress chips, used within many Internet of Things (IoT) devices. After a disassociation between a client device and an access point, e.g. your laptop and your Wi-Fi access point, the session key used by the WPA2 encryption protocol to secure the connection, which is stored within the Wireless Network Interface Controller (WNIC), is cleared (set to zero); this is by design. However, the data frames left within the transmit buffer of the chip are then sent encrypted with that all-zero key. This small amount of information could be captured by an adversary. If the information is not secured by TLS, the attacker may obtain sensitive information. They could then repeat this process over time.
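To make the ordering problem concrete, here is an added simulation of a Wi-Fi chip’s transmit path with the vulnerable and the fixed behaviour side by side; it is not ESET’s code and not any vendor’s firmware. It assumes a hypothetical WNIC model, constructed sample frames, and an HMAC-based keystream standing in for the real CCMP cipher so that it runs with the standard library only.

```python
"""Model of the Kr00k failure mode: a session key is zeroed on disassociation
while frames are still queued, so the queued frames go out under the zero key.

Constructed simulation (not real 802.11 or CCMP). The stand-in keystream below
is HMAC-SHA256 keyed with the session key; the property that matters is the
same as for CCMP: whoever knows the key can decrypt, and everybody knows the
all-zero key.
"""
import hashlib
import hmac
from collections import deque

KEY_LEN = 16
ZERO_KEY = bytes(KEY_LEN)   # the all-zero key a vulnerable chip ends up using


def keystream(key: bytes, frame_no: int, length: int) -> bytes:
    """Stand-in for the CCMP keystream: HMAC(key, frame_no || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        msg = frame_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, frame_no: int, data: bytes) -> bytes:
    """XOR stream cipher; decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, frame_no, len(data))))


decrypt = encrypt


class WNIC:
    """Minimal model of a Wi-Fi chip holding a WPA2 session key and a TX queue."""

    def __init__(self, session_key: bytes, flush_queue_on_disassoc: bool):
        self.key = session_key
        self.tx_queue = deque()
        self.fixed = flush_queue_on_disassoc
        self.frame_no = 0
        self.air = []   # (frame_no, ciphertext) pairs as an eavesdropper sees them

    def queue(self, plaintext: bytes) -> None:
        self.tx_queue.append(plaintext)

    def transmit_pending(self) -> None:
        while self.tx_queue:
            self.frame_no += 1
            ct = encrypt(self.key, self.frame_no, self.tx_queue.popleft())
            self.air.append((self.frame_no, ct))

    def disassociate(self) -> None:
        if self.fixed:
            self.tx_queue.clear()   # patched firmware: nothing survives the key clear
        self.key = ZERO_KEY         # by design: the session key is cleared
        self.transmit_pending()     # vulnerable firmware still drains the queue here


def eavesdrop(air):
    """What an observer without the session key can do: decrypt with the zero key."""
    return [decrypt(ZERO_KEY, n, ct) for n, ct in air]


def run(fixed: bool):
    """Drive one client through traffic, a disassociation, and an eavesdropper.

    Returns the eavesdropper's zero-key decryption of every frame seen on the air.
    """
    session_key = hashlib.sha256(b"constructed session key for the demo").digest()[:KEY_LEN]
    nic = WNIC(session_key, flush_queue_on_disassoc=fixed)
    nic.queue(b"GET /login HTTP/1.1 (sent before disassociation)")
    nic.transmit_pending()                              # protected by the real key
    nic.queue(b"Cookie: session=constructed-secret")    # still queued when disassoc hits
    nic.disassociate()
    return eavesdrop(nic.air)


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed firmware" if fixed else "vulnerable firmware")
        for i, frame in enumerate(run(fixed), 1):
            print(f"  frame {i}: {frame!r}")
```

In the vulnerable run the second frame decrypts cleanly under the zero key; in the fixed run it never reaches the air, and the frame sent under the real key is unreadable in both.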

How can you protect your organisation or yourself from this vulnerability?
This vulnerability was responsibly disclosed to Broadcom and Cypress, who have released updates. ESET also worked with the Industry Consortium for Advancement of Security on the Internet (ICASI) to notify other possibly affected Wi-Fi chip manufacturers. For any Wi-Fi capable device you own, please check if there are software or firmware updates available for it.

The ESET researchers did not test if the newer WPA-3 encryption protocol is vulnerable to this issue, however it is less likely to be.

Apple released updates for their iPod, iPad, iPhone, desktop and laptop systems in late October 2019 (please see the references below). The researchers confirmed that the following devices are affected, but this is not a definitive list.

A list of vulnerable, under investigation and not vulnerable Cisco devices is also linked to below:

Amazon Echo 2nd gen

Amazon Kindle 8th gen

Apple iPad mini 2

Apple iPhone 6, 6S, 8, XR

Apple MacBook Air Retina 13-inch 2018

Google Nexus 5

Google Nexus 6

Google Nexus 6S

Raspberry Pi 3

Samsung Galaxy S4 GT-I9505

Samsung Galaxy S8

Xiaomi Redmi 3S

Wi-Fi Access Points:

Asus RT-N12 (this access point has been confirmed to date back to early 2010)

Huawei B612S-25d (July 2017)

Huawei EchoLife HG8245H (March 2018)

Huawei E5577Cs-321 (February 2015)

My thanks to the ESET researchers for providing the necessary information to write this post.

References:
https://www.eset.com/int/kr00k/

https://www.welivesecurity.com/2020/02/26/krook-serious-vulnerability-affected-encryption-billion-wifi-devices/

https://www.welivesecurity.com/wp-content/uploads/2020/02/ESET_Kr00k.pdf

https://nvd.nist.gov/vuln/detail/CVE-2019-15126

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200226-wi-fi-info-disclosure

https://www.zdnet.com/google-amp/article/new-kr00k-vulnerability-lets-attackers-decrypt-wifi-packets/

https://support.apple.com/en-ie/HT210721

https://support.apple.com/en-ie/HT210722

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15126

https://threatpost.com/billions-of-devices-wifi-encryption-hack/153267/

Vulnerability Within Philips Hue IoT Devices Disclosed

====================
TL;DR
If you use Philips Hue lightbulbs and/or the Philips Hue bridge, please make certain they are using the most recent firmware available.
====================

While the technological benefits and added convenience of Internet of Things (IoT) (defined) devices are well known, their increasing functionality/complexity is leading security researchers to target them. A recent example is the high severity vulnerability reported to Signify (owner of the Philips brand) within the Philips Hue bulbs and bridge. The vulnerability has been designated CVE-2020-6007 (defined).

How severe is this vulnerability?
While this vulnerability is of high severity, it requires significant user interaction and also requires that the affected Philips Hue lightbulb already be compromised by an attacker who has installed malicious firmware on it. The Philips Hue app on the victim’s smartphone is used to control the bulbs; the attacker could then convince the victim to remove and re-add the bulb to the app.

What is the result of exploiting this vulnerability?
While the compromised bulb is being added or “commissioned”, the compromised firmware of the bulb is used to exploit the Philips Hue Bridge. Once complete, the attacker can then laterally traverse (defined) the victim’s business or home network by exploiting known vulnerabilities of other devices on the network, e.g. the Microsoft Windows EternalBlue vulnerability on a Windows system.

How can I protect my organisation or myself from this vulnerability?
If you use Philips Hue lighting with the Hue Bridge, please update both the lighting and the bridge to the most recent firmware available. Bridge firmware version 1935144040 (Bridge V2) and light software version 1.65.9_hB3217DF4, and later versions, address this vulnerability. Please also strongly consider placing IoT devices such as these on segmented networks, e.g. guest wireless networks for WiFi devices and VLANs (defined) for wired devices.

In this instance, the Hue Bridge could be placed on a VLAN to increase security (namely if the device is exploited it cannot be used to traverse further into your network). However, this increased security may result in reduced functionality if not implemented correctly.

Thank you.

====================
References:

The Dark Side of Smart Lighting: Check Point Research Shows How Business and Home Networks Can Be Hacked from a Lightbulb
https://blog.checkpoint.com/2020/02/05/the-dark-side-of-smart-lighting-check-point-research-shows-how-business-and-home-networks-can-be-hacked-from-a-lightbulb/

What are IoT devices?
https://news.sophos.com/en-us/2015/10/26/what-is-the-internet-of-things/

What is EternalBlue?
https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/

What is lateral movement (pivoting)?
https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html

What is a VLAN?
https://kb.netgear.com/24720/What-is-a-VLAN

How to isolate a VLAN containing IoT devices
https://community.ui.com/questions/HomeKit-on-Isolated-VLAN/2fd20346-59df-4662-9559-0ecac7ec83cb

Philip Hue Firmware Release Notes
https://www2.meethue.com/en-us/support/release-notes

Researchers Disclose New DMA Attacks

=====================
TL;DR
If you own an affected laptop from Dell (XPS 13 7390) or HP (ProBook 640 G4), please update its BIOS/firmware to the most recent version. For other laptop vendors, check if the most recent BIOS/firmware resolves this or similarly named vulnerabilities. For servers, keep operating systems and software up to date and enforce physical access control.

If you are cautious with the links you click and when processing your email, you will likely not be vulnerable to these flaws. A social engineer might also attempt to exploit this vulnerability using either a closed or open chassis attack.
=====================

=====================
Acknowledgements
My sincere thanks to Eclypsium researchers Jesse Michael and Mickey Shkatov for their detailed walkthrough of their research within their referenced work (below). I have used this research to provide the extracts below, supplementing my write-up of this work.

=====================

In the second half of last week, security researchers from Eclypsium disclosed a vulnerability present within Dell and HP laptops (however, it is likely other vendors are also affected). Servers (especially those hosting cloud infrastructure) are at increased risk due to the widespread availability of remote DMA (RDMA) (defined) enabled networks.

How serious is this vulnerability?
While the vulnerability is considered high severity due to its CVSS 3 base score of 7.6 (defined) (in the case of CVE-2019-18579 for Dell systems) an attempt to leverage the vulnerability would not be trivial (see also “How can an attacker exploit this vulnerability?” below).

What could an attacker do if they exploited this vulnerability?
According to the researchers “It can allow attackers to bypass hardware-based root-of-trust and chain-of-trust protections such as UEFI Secure Boot, Intel Boot Guard, HP Sure Start and Microsoft Virtualization-Based Security with Device Guard”.

“an attacker can…extend control over the execution of the kernel itself,”. “This can allow an attacker to execute kernel code on the system, insert a wide variety of kernel implants and perform a host of additional activity such as spawning system shells or removing password requirements”.

How can an attacker exploit this vulnerability?
This vulnerability could be exploited remotely or locally. Let’s discuss the remote means first:

Remote attacks
An attacker would first need to compromise software within your system and then attempt to exploit the system’s firmware (defined), e.g. that of the network interface card (NIC). The Eclypsium researchers also provide the following example:

“malware on a device could use a vulnerable driver to implant malicious firmware to a DMA capable device such as a NIC. That malicious code could then DMA back into memory during boot to get arbitrary code injection during the boot process. The fundamental ability of DMA attacks to shim attacker code into the boot process makes it useful for almost any type of attacker goal”.

Alternatively, an attacker could use the Throwhammer exploit developed by VUSec to compromise a system by sending specifically crafted data packets to a target system. This results in bit flips within the target system’s main memory, providing an attacker with code execution within an application on that (remote) system.

Local attacks
Closed chassis
The researchers demonstrated a closed chassis attack on a Dell XPS 13 7390 laptop. They did so by connecting to the Thunderbolt port of the laptop and performing a DMA code injection during the boot process of the system.

Separately, the researchers were able to compromise a Dell laptop that was wirelessly connected to a modified WiGig (information on WiGig) dock. They were successful in “dump[ing] secrets out of the laptop remotely over the air. In this example the laptop was never touched by the attacker or physically connected to any device but was compromised remotely via DMA”.

Open chassis
Due to the presence of HP SureStart it was necessary for the attackers to open the case of the HP laptop they were testing, namely a HP ProBook 640 G4 (which includes HP SureStart Gen4). Upon opening the chassis, they replaced the system’s M.2 wireless card with a Xilinx SP605 FPGA development platform; they then performed the following:

“We were able to successfully attack the system and gain control over the device. By using DMA to modify the system RAM during the boot process, we gained arbitrary code execution, thus bypassing the HP Sure Start protections that verify BIOS code integrity before CPU execution starts”.

How can I protect myself or my organisation from this vulnerability?
If your organisation uses either of the affected laptops, please update their BIOS (defined)/firmware to the most recent version. For other laptop vendors, check if the most recent BIOS/firmware resolves this or similarly named vulnerabilities. The update for the Dell XPS 13 7390 laptop is referenced from within their security advisory.

Since an attacker would need to first compromise the software of your systems, please keep your software (especially web browsers, email clients, productivity software, document readers, virtualisation software and media players) and operating system up to date.

Be cautious with the links you click and when processing your email, don’t click on unknown/unexpected links and don’t open unexpected file attachments. While up to date software and operating systems for servers are equally important they are much less likely to be vulnerable to malicious links in emails, IM clients or drive by downloads since only authorised administrators should have access for maintenance/admin and not for day to day work activities.

Social engineers or malicious insiders may seek to exploit this vulnerability in person; verify the identity of any person before allowing them near your IT infrastructure, especially in the case of servers. Lock laptops away when not in use. If employees need to leave laptops unattended, use Kensington locks (especially at locations other than your usual office) and consider the use of port blockers (Type C for Thunderbolt) for laptops and servers, which will deter casual attackers or less determined thieves.

For servers (especially part of cloud infrastructure), your existing IT security policy should already include regular patching of servers, only having necessary applications and sufficient physical access control. Access control monitoring should also be in place to detect malicious insiders, while your incident management policy should contain how to respond in a timely and decisive manner.

Thank you.

=====================

Aside
While I have used the term “BIOS/firmware” above, they are not the same thing. I have done this since the terms are often used interchangeably and I wish for users to still understand the intended meaning. One user may understand updating their laptop’s firmware but not updating its BIOS, and vice versa. My intention is for them to check the vendor website for such updates and, if present, to install them.

At the time of writing the HP ProBook 640 G4 did not have a BIOS update available resolving this vulnerability. From the researchers work, the BIOS appears to be still in beta testing. Please regularly check with the HP website and apply the update when it is publicly available.

=====================

References
Eclypsium PDF Report:
https://eclypsium.com/wp-content/uploads/2020/01/DMA-Attacks-A-Walk-Down-Memory-Lane.pdf

Eclypsium Vulnerability Write Up:
https://eclypsium.com/2020/01/30/direct-memory-access-attacks/

Dell Security Advisory:
https://www.dell.com/support/article/SLN319808

=====================

January 2020 Update Summary

====================
Update: 11th February 2020
====================
This Internet Explorer zero day (defined) vulnerability was resolved by the patch released by Microsoft today. If you use Internet Explorer (especially versions 8 or earlier), please install this update as soon as possible.

Thank you.

==============
Update: 27th January 2020
==============
Shortly after the release of Microsoft’s scheduled updates, on the 17th of January they issued a security advisory for a critical zero day (defined) vulnerability being exploited by attackers in targeted attacks.

An out-of-band update has not been released by Microsoft since, by default, all supported versions of Internet Explorer use Jscript9.dll rather than Jscript.dll. However, versions earlier than IE 9 face increased risk.

If you use Internet Explorer for day to day work or just general surfing, please consider implementing the workaround described within Microsoft’s security advisory. Please remember to remove the workaround prior to installing the relevant security update in February. Also, please note that this workaround is causing some printers not to print and the Microsoft Print To PDF function not to work. If this is the case, use another browser and disable the workaround or use the micropatch (discussed below).

An alternative which according to ghacks.net is free is to install the micro-patch for IE available from 0Patch. More information on the micropatch and how to install it is available in the previous link above. This micropatch does not come with side effects. A YouTube video of the micropatch in action is available from the following link:

https://youtu.be/ixpBN_a2cHQ

Thank you.

==============
Original Post
==============
Happy New Year to my dedicated readers!

Today Adobe and Microsoft released their first security updates of the year. Adobe resolved 9 vulnerabilities more formally known as CVEs (defined) with Microsoft addressing 50 vulnerabilities.

====================
Adobe
====================
Adobe Experience Manager: 4x Priority 2 CVEs resolved (3x Important severity, 1x Moderate severity)

Adobe Illustrator CC: 5x Priority 3 CVEs resolved (5x Critical severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities within Illustrator CC).
====================

Inside Microsoft’s monthly summary, there are Known Issues for 9 Microsoft products, but all have workarounds (some workarounds will be replaced by further updates).

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Windows CryptoAPI Spoofing Vulnerability: CVE-2020-0601 (disclosed by the NSA to Microsoft). Further information on this vulnerability is available from KrebsonSecurity, within this CERT advisory and the detailed NSA PDF.

Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability: CVE-2020-0609

Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability: CVE-2020-0610

Remote Desktop Client Remote Code Execution Vulnerability: CVE-2020-0611

.NET Framework Remote Code Execution Injection Vulnerability: CVE-2020-0605

.NET Framework Remote Code Execution Injection Vulnerability: CVE-2020-0606

.NET Framework Remote Code Execution Injection Vulnerability: CVE-2020-0646

Please install the remaining less severe updates at your earliest convenience.

====================
Microsoft Edge Chromium
====================
Tomorrow, 15th January will mark the release of a new version of Microsoft Edge powered by the Chromium rendering engine. This version will be available for Windows 7, 8.1 and 10. This is especially relevant for Windows 7, Windows Server 2008 and Server 2008 R2 since while Windows itself ends its support lifecycle today, Edge Chromium will continue to be supported for a further 18 months. This matches similar statements from Google regarding Chrome and separately Vivaldi.

For details of which versions of Windows 10 will receive the new Edge via Windows Update and which versions will need to download it separately, please refer to this link. I wish to extend my thanks to Softpedia and Bleepingcomputer.com for these really useful links.

If for any reason you wish to use the previous version of Edge (which uses the legacy rendering engine), please see this link for details of how to run the older version alongside its modern equivalent.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
In early January Mozilla released new versions of Firefox to address the following vulnerabilities and to add new user privacy features:

Firefox 72.0: Resolves 5x high severity CVEs (defined), 5x moderate CVEs and 1x low CVE

Firefox ESR 68.4 (Extended Support Release): Resolves 4x high severity CVEs and 2x moderate CVEs

More recently Firefox 72.0.1 was released to address a single critical severity zero day (defined) vulnerability which was responsibly disclosed to Mozilla and fixed very quickly. Finally, Firefox 72.0.2 was released on the 20th of January resolving inconsistent playback of full-screen HD videos among other non-security issues.

Highlights from version 72 of Firefox include:
In addition to picture in picture being enabled by default for macOS and Linux, it blocks the use of fingerprinting by default (the collection of data from your system, e.g. browser version, font size, screen resolution and other unique data). This protection is provided by Disconnect. There are multiple levels of fingerprinting protection provided, with the standard level being enabled by default. The strict level however may lead to websites not functioning as expected. Further details are available here.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

====================
Wireshark
====================
In mid-January the following Wireshark updates were released:

v3.2.1: Relating to 1 security advisory

v3.0.8: Relating to 1 security advisory

As per standard process, Linux distributions can obtain this update using the operating system’s standard package manager (if the latest version is not installed automatically using the package manager, you can instead compile the source code (v3.2.1 or v3.0.8)). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

====================
Google Chrome
====================
Google made available two security updates during November; the first resolves 3 vulnerabilities while the second resolves 16 vulnerabilities. The second also provides a mitigation for the vulnerability disclosed by the NSA to Microsoft, more commonly known as Chain of Fools/CurveBall or CVE-2020-0601. This test page from SANS will show that your system is no longer vulnerable after applying the second update. Please still apply the update from Microsoft to provide the most protection; Google’s changes are a mitigation only.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

====================
Intel Security Advisories
====================
Intel have released a series of security advisories this month. The advisories are prioritised below. If you use any of these products, software or devices, please update them as soon as possible especially in the case of the high severity advisories:

High
Intel VTune Amplifier for Windows Advisory

Medium
Intel Processors Data Leakage Advisory
Intel Processor Graphics Advisory
Intel RWC 3 for Windows Advisory
Intel Chipset Device Software Advisory
Intel SNMP Subagent Stand-Alone Advisory for Windows

Low
Intel Data Analytics Acceleration Library (DAAL)

====================
VMware
====================
VMware released 2 security advisories in January; the first is of moderate severity with the second being of important severity. The advisories relate to the following products:

Moderate Severity Advisory:

Workspace ONE SDK

Workspace ONE Boxer

Workspace ONE Content

Workspace ONE SDK Plugin for Apache Cordova

Workspace ONE Intelligent Hub

Workspace ONE Notebook

Workspace ONE People

Workspace ONE PIV-D

Workspace ONE Web

Workspace ONE SDK Plugin for Xamarin

Important Severity Advisory:
VMware Tools

If you use the above VMware products, please review the advisories and apply the necessary updates.

=======================
Oracle:
=======================
Oracle issued updates to resolve 334 vulnerabilities in January 2020. Further details and installation steps are available here. 12 vulnerabilities affect the Java runtime; all of which are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

Responding to the recent ZombieLand 2 TSX Vulnerabilities

====================
[TL DR]
====================
These vulnerabilities can only be exploited by attackers who have already compromised a system. Practice standard security precautions and install updates from hardware vendors and for your software (links provided below) when they become available. Resolution for vendors that offer cloud computing will have a more involved decision making process to consider (see below).

Early last week, security researchers disclosed further vulnerabilities within Intel’s processors.

How severe are these vulnerabilities?
These vulnerabilities can be classed as medium severity. An attacker must already have compromised your system in order to exploit these vulnerabilities. This most recent set of vulnerabilities, collectively known as ZombieLoad 2 or Transactional Synchronization Extensions (TSX) Asynchronous Abort, affects Intel processors produced in the last approx. 2.5 years (August 2017 onwards).

For full technical details of these vulnerabilities, please see this page from Intel and this page from the security researchers. In summary these vulnerabilities according to the researchers allow “a malicious program to exploit internal CPU buffers to get hold of secrets currently processed by other running programs” leading to “these secrets such as browser history, website content, user keys, and passwords, or system-level secrets, such as disk encryption keys” being used by other running programs.

Of particular note are the performance implications for protecting virtual machines. If your organisation is running potentially untrusted code within virtual machines, protecting that environment will incur a performance penalty. You may need to carry out a risk assessment to determine whether the performance cost of enabling these mitigations outweighs the risk to your virtual machines. Nested virtual machines will be most affected by the performance penalty.

How can I protect my organisation and myself from these vulnerabilities?
These most recent vulnerabilities can be mitigated by updating the firmware (defined) of your system. This is sometimes referred to as the UEFI / BIOS (defined) of your system.

They will be made available separately by the manufacturer of your system (for servers, desktops and laptops) or by the motherboard (defined) manufacturer for any custom-built systems you may have. You will have to determine from the updates those vendors issue whether they are available for the products that you own.

In addition, operating system vendors and virtualisation software vendors have made patches available (links provided below).
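As an added check for Linux hosts (not from Intel, the researchers or any of the vendor links below), the following reads the kernel’s sysfs hardware-vulnerability files, which report the TAA status once the kernel carries the mitigation, and summarises whether the firmware and operating system mitigations described above are in effect. It assumes the tsx_async_abort and mds files under /sys/devices/system/cpu/vulnerabilities and /proc/cpuinfo; the parsing functions take text, so the constructed sample at the bottom runs anywhere.

```python
"""Report the TSX Asynchronous Abort (TAA) and MDS mitigation state of a Linux host.

Kernels with the TAA mitigation expose the status lines the kernel documents:
"Not affected", "Mitigation: Clear CPU buffers", "Mitigation: TSX disabled",
"Vulnerable", "Vulnerable: Clear CPU buffers attempted, no microcode", with an
optional "; SMT vulnerable" / "; SMT disabled" suffix. Older kernels lack the
file entirely, which this script reports as unknown rather than as safe.
"""
import os

SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
CPUINFO = "/proc/cpuinfo"
TSX_FLAGS = {"rtm", "hle"}   # CPU flags advertising TSX; gone once TSX is disabled


def classify(status):
    """Map a kernel status line to not-affected / mitigated / vulnerable / unknown."""
    if status is None:
        return "unknown"
    s = status.strip().lower()
    if s.startswith("not affected"):
        return "not-affected"
    if s.startswith("mitigation:"):
        return "mitigated"
    if s.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"


def smt_exposed(status):
    """True when the kernel says SMT siblings can still leak across threads."""
    return bool(status) and "smt vulnerable" in status.lower()


def tsx_advertised(cpuinfo_text):
    """True when the first 'flags' line of /proc/cpuinfo advertises RTM or HLE."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags = set(line.split(":", 1)[1].split())
            return bool(flags & TSX_FLAGS)
    return False


def read_status(name, vuln_dir=SYSFS_VULN_DIR):
    """Return the sysfs status text for one vulnerability, or None if absent."""
    try:
        with open(os.path.join(vuln_dir, name)) as f:
            return f.read()
    except OSError:
        return None


def assess(taa_status, mds_status, cpuinfo_text):
    """Combine TAA, MDS and TSX state into a verdict plus actionable notes."""
    taa = classify(taa_status)
    mds = classify(mds_status)
    tsx = tsx_advertised(cpuinfo_text)
    notes = []
    if taa == "vulnerable":
        notes.append("TAA unmitigated: apply the firmware/microcode and OS updates")
    if taa == "mitigated" and tsx:
        notes.append("TSX still enabled: protected by buffer clearing, not by disabling TSX")
    if smt_exposed(taa_status) or smt_exposed(mds_status):
        notes.append("SMT (Hyper-Threading) is on: cross-thread leakage remains possible")
    if taa == "unknown":
        notes.append("kernel does not report TAA status: it likely predates the mitigation")
    return {"taa": taa, "mds": mds, "tsx_enabled": tsx, "notes": notes}


def assess_host():
    """Assess the machine this runs on (requires Linux with sysfs and /proc)."""
    with open(CPUINFO) as f:
        cpuinfo = f.read()
    return assess(read_status("tsx_async_abort"), read_status("mds"), cpuinfo)


# Constructed sample: a patched kernel on a CPU that still advertises TSX, SMT on.
SAMPLE_TAA = "Mitigation: Clear CPU buffers; SMT vulnerable\n"
SAMPLE_MDS = "Mitigation: Clear CPU buffers; SMT vulnerable\n"
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu sse2 rtm hle avx2\n"

if __name__ == "__main__":
    result = assess_host() if os.path.isdir(SYSFS_VULN_DIR) else assess(
        SAMPLE_TAA, SAMPLE_MDS, SAMPLE_CPUINFO)
    print(f"TAA: {result['taa']}  MDS: {result['mds']}  TSX enabled: {result['tsx_enabled']}")
    for note in result["notes"]:
        print(" -", note)
```

The same check can be fed the output of a fleet inventory tool: any host reporting "vulnerable" or "unknown" for TAA is one that still needs the firmware or kernel update.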

Thank you.

====================

HP Enterprise:
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03968en_us

Fedora (referring to the Xen virtual machine; see also below):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW/

Red Hat:
https://access.redhat.com/articles/11258

https://access.redhat.com/errata/RHSA-2019:3838

https://access.redhat.com/errata/RHSA-2019:3839

https://access.redhat.com/errata/RHSA-2019:3840

https://access.redhat.com/errata/RHSA-2019:3841

https://access.redhat.com/errata/RHSA-2019:3842

https://access.redhat.com/errata/RHSA-2019:3843

https://access.redhat.com/errata/RHSA-2019:3844

SUSE:
https://www.suse.com/support/update/announcement/2019/suse-su-201914217-1/

https://www.suse.com/support/update/announcement/2019/suse-su-201914218-1/

Ubuntu:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/TAA_MCEPSC_i915

Microsoft:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-11135

Xen:
https://xenbits.xen.org/xsa/advisory-305.html

Performance impact to Xen:
https://xenbits.xen.org/xsa/advisory-297.html

VMware:
Security advisory:
https://www.vmware.com/security/advisories/VMSA-2019-0020.html

Further information:
https://kb.vmware.com/s/article/59139

VMware Performance Impact Statement addressing mitigations for Machine Check Exception on Page Size Change (MCEPSC) CVE-2018-12207:
https://kb.vmware.com/s/article/76050

Researching the recent Windows CTF Vulnerabilities

================
TL DR
================
There are no known mitigations for these vulnerabilities. Please see below for a more in-depth explanation.
================

With the release of security updates by Microsoft in August and September to resolve vulnerabilities in the Windows ALPC and Windows Text Service Framework, I wish to provide details on these vulnerabilities.

Why should these vulnerabilities be considered important?
If an attacker were to have ALREADY compromised a vulnerable Windows system, they can then use the exploits made available by Google’s Tavis Ormandy to fully compromise your system. They can obtain the highest level of privilege on it namely NT Authority\System (equivalent to root on a Linux system).

Ormandy found that the running ctfmon.exe of Windows allowed a standard user of Windows to hijack any Windows process even if that process was sandboxed within an AppContainer (a means of isolating sensitive/important processes making them harder to attack). When an attacker does so they can obtain administrative and under some circumstances NT Authority\System level access.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1162

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1235

How can I protect my organization and myself from these vulnerabilities?
Apart from installing the above-linked updates, I’m afraid no other mitigations are available. You will need to exercise standard vigilance/caution when opening links. Don’t open attachments you weren’t expecting, even from trusted contacts.

This advice is an unfortunate outcome. I had a hypothesis that disabling the ctfmon.exe process (Windows XP, Windows Vista and Windows 7) or the Touch Keyboard and Handwriting Panel service in Windows 8.1 and 10 would mitigate this class of vulnerabilities. This was not the case: Ormandy’s tool worked regardless of whether the ctfmon.exe process was running or not, which now makes sense given how his tool exploits a deeply integrated feature of Windows with a scope much larger than that of the above mentioned process and service.

================
Proof of Concept
================
As a proof of concept on an un-patched version of Windows 10 Version 1903, I can confirm Tavis Ormandy’s CTFTool successfully provides you with both System and Administrative access (depending on the type of exploit you run). Only administrative access is available for Windows 7, as the tool does not incorporate the System level exploit for Windows 7. Further details of this tool are available at the following links:

https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html

https://github.com/taviso/ctftool

Thank you.