WD Releases My Cloud NAS Firmware Updates

In the first half of 2017 I posted about vulnerabilities being publically (defined) within Western Digital (WD) My Cloud NAS devices. This vulnerability was designated as CVE-2018-17153 (defined).

Why should this vulnerability be considered important?
The vulnerability is relativity easy for an attacker to exploit without them needing to authenticate/login to the device. They need only to set the username=admin’ cookie to obtain admin/privileged access to the device due to a network CGI (defined) module containing a command that begins an administrative session tied to the IP address of the device but the attacker must first set bind the admin session to the IP address. They only then need to call the remote system and authenticate using the cookie with the value set (as detailed above).

Of even more concern than above; an attacker could leverage this vulnerability using a CSRF (CSRF, defined here and here)) attack within a malvertising (malicious adverts) (defined) campaign allowing them to compromise WD devices which are not connected to the internet. Separately; there was more than security researcher who discovered this vulnerability; I previously mentioned a researcher by the name of Zenofex; who not only contacted WD but the company refused to acknowledge r fix the issues raised. The group Zenofex is part of disclosed the vulnerability (along with other security concerns) during the Def Con security conference in 2017 and created a Metasploit module (defined). In mid-September it was estimated that there were more than 1,800 vulnerable WD devices visible online.

How can I protect myself from this vulnerability (and the other security concerns raised)?
If you own any of the devices listed below; please follow the links below to download and install updated firmware using the steps that WD provides:

• My Cloud FW 2.30.196
• My Cloud Mirror Gen2 FW 2.30.196
• My Cloud EX2 Ultra FW 2.30.196
• My Cloud EX2100 FW 2.30.196
• My Cloud EX4100 FW 2.30.196
• My Cloud DL2100 FW 2.30.196
• My Cloud DL4100 FW 2.30.196
• My Cloud PR2100 FW 2.30.196
• My Cloud PR4100 FW 2.30.196

Many thanks to BleepingComputer.com for these convenient links.

=======================

The firmware updates resolve many than the vulnerability discussed above (the updated OpenSSL, OpenSSH, jQuery and libupnp will also have significant security improvements). For example, please find below the list for the “My Cloud FW 2.31.149”:

Security Fixes

• Resolved multiple command injection vulnerabilities including CVE-2016-10108 and CVE 2016-10107.
• Resolved multiple cross site request forgery (CSRF) vulnerabilities.
• Resolved a Linux kernel Dirty Cow vulnerability (CVE-2016-5195).
• Resolved multiple denial-of-service vulnerabilities.
• Improved security by disabling SSH shadow information.
• Resolved a buffer overflow issue that could lead to unauthenticated access.
• Resolved a click-jacking vulnerability in the web interface.
• Resolved multiple security issues in the Webfile viewer on-device app.
• Improved the security of volume mount options.
• Resolved leakage of debug messages in the web interface.
• Improved credential handling for the remote MyCloud-to-MyCloud backup feature.
• Improved credential handling for upload-logs-to-support option.

Components Updated

• Apache – v2.4.34
• PHP – v5.4.45
• OpenSSH – v7.5p1
• OpenSSL – v1.0.1u
• libupnp – v1.6.25 (CVE-2012-5958)
• jQuery – v3.3.1 (CVE-2010-5312)

=======================

If firmware is not yet present for your WD My Cloud NAS device, please follow the recommended steps from my previous post on WD My Cloud devices. Protecting these devices is especially important since NAS devices are often used for backups and to store precious/valuable data. Please also contact WD Customer Service to enquire about an update becoming available for your device.

Thank you.

Pwn2Own 2018 Results

Earlier this month the annual Pwn2Own white hat (defined) hacking contest took place, shortened from 3 days to 2 days.

This year’s competition was also impacted by a recent regulatory change meaning that Chinese participants were unable to attend. This is unfortunate since previous yeas competitions have been excellent and this had a real impact on the success of this year’s competition; perhaps next years will be better? Further details of the regulatory change are detailed here.

The following products were successfully exploited this year resulting in USD$267k being awarded. Exploits which could not be completed in the allocated time of 30 minutes were also purchased; which is fair in my opinion since they could still be a threat and the researchers more than deserve the credit for the time and effort they invest.

Similar to previous years; kernel (defined) exploits were used each time to exploit the web browsers due to the sandboxing (defined) technology used to security harden them.

As noted in this article (and my previous blog posts) kernels are becoming even more complex and can easily consist of millions of lines of code. My previous advice of static analysis/auditing/fuzzing (defined here and here) still applies. These won’t detect every vulnerability but will significantly reduce them. As before writing more secure code using the development practices discussed in last year’s Pwn2Own post will reduce the vulnerability count even further; both now and into the future.

Just like last year Mozilla updated Firefox very quickly; this time in less than a day to version 59.0.1 and 52.7.2 ESR.

The full list of products exploited is provided below. Thank you.

=======================
Apple Safari (2 attempts were successful using macOS kernel elevation of privilege (defined) vulnerabilities

Microsoft Edge

Mozilla Firefox

Oracle VirtualBox
=======================

“DoubleAgent” Vulnerability Disclosure: What you need to know

In late March a security vulnerability was disclosed by the Israeli security firm Cybellum. However this was no ordinary public disclosure as I will explain below. Apologies for the untimely nature of this blog post due to other commitments:

What made this disclosure different?
At first glance this disclosure appeared very serious. It discussed the use of the Microsoft Application Verifier present within Windows XP up to and including Windows 10. They detail the leveraging of this tool to add a customised verifier DLL (defined) to hijack any legitimate process (defined) within Windows.

They demonstrated this attack against anti-malware software specifically Norton Security (by Symantec) resulting in a rogue DLL being injected (defined here and here) into the Norton process (ns.exe as demonstrated within their YouTube video). Despite claims by Cybellum security firms such as Avira and Comodo have reported this attack cannot bypass the self-protection features within their products. The full list of capabilities this attack provides is within this news article.

Windows Internals expert; Alex Ionescu later revealed the researchers from Cybellum used his work concerning protected processes to create this exploit and this was already a known issue. As was pointed out in the Twitter timelines linked to below once an attacker has administrative control over your system they could simply uninstall your security software rather than trying to bypass rendering the threat of this exploit far less important/relevant.

Twitter Timeline 1
Twitter Timeline 2
Twitter Timeline 3
Twitter Timeline 4
Twitter Timeline 5

Does this disclosure only affect security software?
It’s important to note this attack potential affects all software on Windows rather than just security software. In addition the proof of concept (PoC) exploit requires no changes for any application you choose to attack. Security software was chosen since almost all systems have anti-malware software installed and their process names are trusted (and allowed within application white listed (defined) environments).

How can I protect myself from this exploit?
Since this attack requires administrative privileges (defined) on Windows to have the intended effect, using a standard user account for everyday use will mitigate this attack.

From the various statements issued by the affected anti-malware vendors (listed below) please ensure your anti-malware software is the latest version available to ensure this attack is ineffective.

Traditional defences such patching your operating system, your web browser and being cautious of the attachments you open will also reduce the risk posed by this attack.

NetworkWorld Anti-Malware Vendor Responses

Malwarebytes Anti-malware

Symantec Endpoint Protection

Symantec Endpoint Protection Affected Versions

Thank you.

Pwn2Own 2017 Results

The final day of competition within Pwn2Own 2017 took place on Friday, 17th March. Full details of how the individual teams performed and how many exploits were successful are available here , here and here.

In summary the following products were successfully exploited:

Adobe Flash
Adobe Reader
Apple Safari
Apple macOS (mostly the macOS kernel)(defined)
Microsoft Edge
Microsoft Windows kernel
Mozilla Firefox
Ubuntu Linux
VMware Workstation

The contest saw 51 vulnerabilities used and a total of USD$833,000 awarded to the contestants (a very large increase over last year’s USD$460K). As I noted last year, many vulnerabilities once again were present within the macOS and Windows kernels specifically:

Apple macOS kernel:
race condition (defined)
information disclosures (defined)
out of bounds (OOB) bug (defined)

Microsoft Windows kernel:
integer overflows (defined)
buffer overflows (defined)
uninitialised buffers (discussed here)
use-after-free (defined here and here)
information disclosures
out of bounds (OOB) bug
race condition

As before Microsoft and Apple need to do more thorough static analysis/auditing/fuzzing (defined here and here) of the kernel to find and resolve vulnerabilities before they are exploited. It is a surprise this year again highlights this short coming which secure coding practices e.g. Microsoft’s SDL and Adobe’s SPLC (among others) were intended to reduce.

Of note is; Mozilla Firefox released Firefox 52.0.1 to resolve an integer flow vulnerability in less than 1 day after it’s disclosure during Pwn2Own; a fantastic response time.

=======================
Update: 28th March 2017:
=======================
On the 28th of March, VMware made available security updates to address the vulnerabilities discovered during Pwn2Own.

Apple have also made available updates (listed in this post) to resolve the vulnerabilities discovered in Pwn2Own 2017. It is unclear if all vulnerabilities are now addressed.

=======================
Update: 11th April 2017:
=======================
In late March, the Linux kernel vulnerability disclosed during Pwn2Own was resolved very quickly with Ubuntu also releasing their fix for this issue.

Adobe have released updates for Flash and Acrobat/Reader to address what appears to be 5 vulnerabilities in Flash and 6  in Acrobat/Reader (assuming near sequential CVEs and the team names attributed top them) disclosed during Pwn2Own.

We can again look forward to these vulnerabilities being addressed over the coming months; helping to make our products more secure.

Thank you.

WD My Cloud NAS Vulnerabilities

=======================
Update: 12th April 2017:
=======================
Western Digital have made available firmware updates to their My Cloud EX2100 and EX4100 models. The updates are available from this page.

They resolve some of the critical vulnerabilities identified in these products. Steps to update the firmware are available in this Softpedia article.

Thank you.

=======================
Update: 22nd March 2017:
=======================
Western Digital have made available firmware updates to My Cloud Mirror, EX2 and EX4 models. The updates are available from http://support.wdc.com/downloads.aspx

They resolve some of the critical vulnerabilities identified in these products. Steps to update the firmware are available in this Softpedia article.

Thank you.

=======================
Original Post:
=======================
Earlier this month a freelance security researcher known as Zenofex publically disclosed (defined) a total of 85 security vulnerabilities within the Western Digital (WD) MyCloud Network Attached Storage (NAS)(defined) devices

The vulnerabilities consist of authentication bypasses and code execution (carrying out instructions/steps of an attacker’s choice) and the upload/download of the data the device contains. Since the researcher did not receive cooperation with addressing previously communicated vulnerabilities from WD in the past they chose not to responsibly disclose (defined) these vulnerabilities.

After this disclosure, SEC Consult Vulnerability Lab (SCVL) provided further details of these vulnerabilities to the wider security community. For some of the 85 issues disclosed they had contacted WD in January 2017 and disclosed some of the details on the 20th of February. These vulnerabilities range from : command injection vulnerabilities, a stack-based buffer overflow (defined) bug and a cross-site request forgery flaw (defined)

In December 2016 WD issued fixes for some of the vulnerabilities discovered but created further vulnerabilities which resulted in the very same outcome they were trying to address.

How can I protect myself from these vulnerabilities?
Unfortunately, due to the very large number of vulnerabilities disclosed it will take a significant duration of time to resolve them all (especially if inadvertently; further vulnerabilities become evident; as has happened before).

If you use this NAS device; the data it contains will be at elevated risk of compromise while WD works to resolve these vulnerabilities. I would recommend ensuring these devices are not accessible to the external internet. Shodan may be of assistance to you in determining this. More information on Shodan is available in a previous blog post.

Please create backups of the data these NAS devices contain and store them on other devices until these vulnerabilities are resolved. Monitor WD’s website and install new firmware releases as they become available.

While Western Digital issued fixes for some of the vulnerabilities in December 2016, the independent security researcher found the fixes created another vulnerability with the same results they intended to resolve.

In addition, within this ThreatPost article WD recommends:

“My Cloud users contact our Customer Service team if they have further questions; find firmware updates; and ensure their My Cloud devices are set to enable automatic firmware updates.”

I will update this post as new information on the relevant updates becomes available.

Thank you.

F5 Firewalls and Load Balancers Vulnerable to “Ticketbleed”

In the latter half of last week security researcher Filippo Valsorda responsibly disclosed a high severity information disclosure vulnerability within F5’s firewalls and load balancers.

Why should this vulnerability be considered important?
Approximately 1000 of the top 1 million websites are vulnerable. This vulnerability while similar to the well-known OpenSSL Heartbleed vulnerability from April 2014 (both are buffer over read vulnerabilities (defined below)). This new vulnerability allows an attacker who sends specifically crafted data packets to a vulnerable website to obtain small pieces of data (possibly cryptographic keys or other key data used to secure encrypted connections) residing within the memory of the web servers connected to the F5 devices.

This vulnerability now named “Ticketbleed” exists in the code F5 used to implement a feature of Transport Layer Security (TLS) known as session tickets. They improve performance by allowing previously established encrypted connections to resume without having to re-setup (renegotiate) the connection again.

How can I protect myself from this vulnerability?
System administrators who are responsible for/administer F5 firewalls and load balancers should verify affected devices have applied the necessary mitigations listed in this F5 security advisory. At this time, no patch/update is available.

Thank you.

=======================
Aside:
=======================
What is a buffer over read vulnerability?
When code/instructions within a computer programming language e.g. C attempt to read data from a buffer (defined) than that buffer contains; this can lead to information disclosure.

Pwn2Own 2017 Contest Announced (Tenth Anniversary)

=======================
Update: 19th March 2017:
=======================
A more recent blog post discusses the results of the 2017 Pwn2Own contest.

Thank you.

=======================
Original Post:
=======================
With the month of March not too far away, I’m looking forward to the annual Pwn2Own contest taking place in Vancouver, Canada. Regular readers of this blog will know of the benefits it brings and why I look forward to it each year.

This year sees the return of Adobe Reader to the competition; a good decision due to the large numbers of vulnerabilities still being patched. I applaud the decision of Mozilla Firefox returning too since a zero day (defined) exploit was seen in recent times. It’s also in the top 3 in terms of usage. With a 64 bit version now available it should increase usage/competitiveness even further.

The full list of products that will be in the competition is here.

Just some of the interesting new additions are Ubuntu, Microsoft Hyper-V and Microsoft Office applications, which have never been present before. With vulnerabilities being patched routinely for all three of categories (especially for Microsoft Office), their inclusion should help us all when vulnerabilities are exploited and the researchers rewarded for their excellent work.

With the rise of malware for Apple Mac OS X and Linux it’s great to see them both in the contest this year. Previously only Mac OS was present.

Since the contest is celebrating its 10th anniversary it’s great to see other additions such as the Apache web servers and Ubuntu servers too. I often see servers installed and patched very little, if at all. This leads to situations where servers continue to have vulnerabilities long after they have been patched (more on that in this blog post). As for web servers, cross site scripting and CSRF remain consistent threats.

With extra points awarded for root access (defined) for Mac OS X or System level (defined) access for Windows this year’s contest is bigger than ever. With the more vulnerabilities that are found by the researchers the more they are awarded and the more everyone benefits by the vulnerabilities being responsibly disclosed (defined) to their vendors.

I will write another post when the results of this year’s contest are available and will discuss any highlights and how they will benefit us as users of these products.

Thank you.

Apple Ends of Support for Quicktime for Windows

Last week Apple indirectly announced that it would be no longer providing support or security updates for their QuickTime player when installed on Microsoft Windows. Please note that QuickTime for Mac OS X is not affected by this change.

Why Should This Change Be Considered Important?
The recent public disclosure of 2 critical security vulnerabilities (detailed here and here) means that QuickTime is currently vulnerable to these issues and will remain that way. These issues were originally responsibly disclosed (defined) to Apple in late 2015. Apple after carrying out a decision making process has concluded that security updates and support for QuickTime on Windows should now be withdrawn. This appears to be due their decision to withdraw this product from their future roadmap (as shown in the ZDI security advisories linked to above).

How Can I Protect Myself From These Newly Disclosed Issues and in the Future?
As recommend by US-CERT as well as Trend Micro and within this InfoWorld article the only certain way to protect yourself from these newly disclosed vulnerabilities is to uninstall QuickTime for Windows.

The above recommendation will also serve to protect you going forward since software that you don’t have installed cannot be exploited (provided there are no remnants/leftovers after uninstalling).

I use QuickTime for Windows for Essential Workflows or Business Purposes, What Can I Use Going Forward?
As detailed in the previously linked to Trend Micro blog post, alternatives such as K-Lite Media Codec pack, QT Lite and Media Player Classic are available as alternatives. If you use QuickTime as a media player only, you could consider the open-source (defined: the source code (human readable code) is free to view and edit by the wider IT community) VideoLAN VLC Player.

Alternatively if none of the above QuickTime substitutes meet your specific needs you could consider installing the most recent version of QuickTime (version 7.7.9) onto a supported version of Windows and then air-gapping that PC. The concept of air-gapping is discussed in-depth in a previous blog post. But as discussed in that post, this approach is not without disadvantages and isn’t 100% safe.

If These Issues Are So Serious Why Is Apple QuickTime For Windows Still Available To Download?
As discussed above QuickTime has many varied uses and simply withdrawing it from the download page would have been even more inconvenient.

In addition, Apple did not publish a timeline in advance for phasing out QuickTime and possibly for this reason it remains available so as not to inconvenience existing users. This also allows anybody using any version prior to 7.7.9 to update to the most recent version to protect against previously resolved vulnerabilities.

==========
I hope that this information is useful to you as you gradually transition from QuickTime for Windows in order to avoid possible exposure to the above mentioned vulnerabilities as well as future vulnerabilities that may be discovered.

Thank you.

Badlock: What You Need to Know

Yesterday as scheduled the Samba project and Microsoft made available their security updates to resolve the issue that was previously announced and named “Badlock.”

Why Should These Issues Be Considered Important?
While this issue is important (it affects a lot of Windows version from Server 2008/Vista up to and including Windows Server 2016/Windows 10), it’s severity was exaggerated in it’s announcement last month. Microsoft have assigned it an important severity rather than critical. They have done so since it is an elevation of privilege (EoP) (defined) issue that would allow an attacker to increase their privileges (which would allow them to cause even more harm) once they have already exploited another vulnerability to become present on your device in the first instance.

This vulnerability could allow an attacker to listen/analyse the traffic on your network; this technique is known as a man-in-the-middle-attack (MITM, defined). If your login credentials happened to be within the traffic the attacker gathers and analyzes there is a possibility they could obtain the unencrypted username and password used to access your device/account upon that device (even though your sensitive information is encrypted). Further discussion of this issue is available here.

How Can I Protect Myself from These Issues?
Updates from the Samba project and Microsoft are available to resolve this security issue. Please download and install them as soon as possible if you are affected by this issue.

=======================
Update: 13th April 2016:
Further information and advice for mitigating the Badlock issue is provided by US CERT in this vulnerability note. The Samba project also discusses its updated software releases in this release news post.
=======================

While there are no known issues with these updates at this time, as always I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Pre-Announcement of Samba (SMB/CIFS) Security Update

=======================
Update: 13th April 2016:

Further details as well as updates to resolve the Badlock issue are discussed in a more recent blog post.

Thank you.

=======================
Original Post:
=======================
Earlier this week an announcement was made by SerNet (a Samba consulting company who set up the Badlock website) that a critical security update would be made available on the 12th of April to address a vulnerability in the SMB/CIFs protocol (defined below) that is the basis of the open source Samba project. The 12th of April is the well-known second Tuesday of the month known as Update Tuesday (or Patch Tuesday) when Adobe, Microsoft and others commonly make available security updates on a scheduled basis.

Some advice that you can follow to better prepare for this update being made available is described in this SANS blog post as well as this very informative and practical InfoWorld article. Further background on this announcement can be found here.

I will publish another blog post on or very soon after the 12th of April to provide the appropriate information for you to address this vulnerability in a timely manner.

Thank you.

=====================
Aside:
=====================
What is the SMB/CIFS protocol?
The Server Message Block (SMB) protocol is also referred to as the Common Internet File System (CIFS) is an application layer (layer 7 of the OSI model) protocol that allows the sharing of printers but mainly provides file access/transfer in a Microsoft network using mapped network drives. Further features of SMB/CIFS are detailed in this Sophos blog post.

Samba is an open source (the source code (human readable code) is free to view and edit by the wider IT community) application that provides the above mentioned network services across Linux/Unix and Microsoft servers/clients.