Tag Archives: Vulnerability Disclosure

WD Releases My Cloud NAS Firmware Updates

In the first half of 2017 I posted about vulnerabilities being publically (defined) within Western Digital (WD) My Cloud NAS devices. This vulnerability was designated as CVE-2018-17153 (defined).

Why should this vulnerability be considered important?
The vulnerability is relativity easy for an attacker to exploit without them needing to authenticate/login to the device. They need only to set the username=admin’ cookie to obtain admin/privileged access to the device due to a network CGI (defined) module containing a command that begins an administrative session tied to the IP address of the device but the attacker must first set bind the admin session to the IP address. They only then need to call the remote system and authenticate using the cookie with the value set (as detailed above).

Of even more concern than above; an attacker could leverage this vulnerability using a CSRF (CSRF, defined here and here)) attack within a malvertising (malicious adverts) (defined) campaign allowing them to compromise WD devices which are not connected to the internet. Separately; there was more than security researcher who discovered this vulnerability; I previously mentioned a researcher by the name of Zenofex; who not only contacted WD but the company refused to acknowledge r fix the issues raised. The group Zenofex is part of disclosed the vulnerability (along with other security concerns) during the Def Con security conference in 2017 and created a Metasploit module (defined). In mid-September it was estimated that there were more than 1,800 vulnerable WD devices visible online.

How can I protect myself from this vulnerability (and the other security concerns raised)?
If you own any of the devices listed below; please follow the links below to download and install updated firmware using the steps that WD provides:

Many thanks to BleepingComputer.com for these convenient links.

=======================

The firmware updates resolve many than the vulnerability discussed above (the updated OpenSSL, OpenSSH, jQuery and libupnp will also have significant security improvements). For example, please find below the list for the “My Cloud FW 2.31.149”:

Security Fixes

  • Resolved multiple command injection vulnerabilities including CVE-2016-10108 and CVE 2016-10107.
  • Resolved multiple cross site request forgery (CSRF) vulnerabilities.
  • Resolved a Linux kernel Dirty Cow vulnerability (CVE-2016-5195).
  • Resolved multiple denial-of-service vulnerabilities.
  • Improved security by disabling SSH shadow information.
  • Resolved a buffer overflow issue that could lead to unauthenticated access.
  • Resolved a click-jacking vulnerability in the web interface.
  • Resolved multiple security issues in the Webfile viewer on-device app.
  • Improved the security of volume mount options.
  • Resolved leakage of debug messages in the web interface.
  • Improved credential handling for the remote MyCloud-to-MyCloud backup feature.
  • Improved credential handling for upload-logs-to-support option.

Components Updated

  • Apache – v2.4.34
  • PHP – v5.4.45
  • OpenSSH – v7.5p1
  • OpenSSL – v1.0.1u
  • libupnp – v1.6.25 (CVE-2012-5958)
  • jQuery – v3.3.1 (CVE-2010-5312)

=======================

If firmware is not yet present for your WD My Cloud NAS device, please follow the recommended steps from my previous post on WD My Cloud devices. Protecting these devices is especially important since NAS devices are often used for backups and to store precious/valuable data. Please also contact WD Customer Service to enquire about an update becoming available for your device.

Thank you.

Pwn2Own 2018 Results

Earlier this month the annual Pwn2Own white hat (defined) hacking contest took place, shortened from 3 days to 2 days.

This year’s competition was also impacted by a recent regulatory change meaning that Chinese participants were unable to attend. This is unfortunate since previous yeas competitions have been excellent and this had a real impact on the success of this year’s competition; perhaps next years will be better? Further details of the regulatory change are detailed here.

The following products were successfully exploited this year resulting in USD$267k being awarded. Exploits which could not be completed in the allocated time of 30 minutes were also purchased; which is fair in my opinion since they could still be a threat and the researchers more than deserve the credit for the time and effort they invest.

Similar to previous years; kernel (defined) exploits were used each time to exploit the web browsers due to the sandboxing (defined) technology used to security harden them.

As noted in this article (and my previous blog posts) kernels are becoming even more complex and can easily consist of millions of lines of code. My previous advice of static analysis/auditing/fuzzing (defined here and here) still applies. These won’t detect every vulnerability but will significantly reduce them. As before writing more secure code using the development practices discussed in last year’s Pwn2Own post will reduce the vulnerability count even further; both now into the future.

Just like last year Mozilla updated Firefox very quickly; this time in less than a day to version 59.0.1 and 52.7.2 ESR.

I’ll update this post as the vulnerabilities disclosed during the contest are addressed. The full list of products exploited is provided below. Thank you.

=======================
Apple Safari (2 attempts were successful using macOS kernel elevation of privilege (defined) vulnerabilities

Microsoft Edge

Mozilla Firefox

Oracle VirtualBox
=======================

“DoubleAgent” Vulnerability Disclosure: What you need to know

In late March a security vulnerability was disclosed by the Israeli security firm Cybellum. However this was no ordinary public disclosure as I will explain below. Apologies for the untimely nature of this blog post due to other commitments:

What made this disclosure different?
At first glance this disclosure appeared very serious. It discussed the use of the Microsoft Application Verifier present within Windows XP up to and including Windows 10. They detail the leveraging of this tool to add a customised verifier DLL (defined) to hijack any legitimate process (defined) within Windows.

They demonstrated this attack against anti-malware software specifically Norton Security (by Symantec) resulting in a rogue DLL being injected (defined here and here) into the Norton process (ns.exe as demonstrated within their YouTube video). Despite claims by Cybellum security firms such as Avira and Comodo have reported this attack cannot bypass the self-protection features within their products. The full list of capabilities this attack provides is within this news article.

Windows Internals expert; Alex Ionescu later revealed the researchers from Cybellum used his work concerning protected processes to create this exploit and this was already a known issue. As was pointed out in the Twitter timelines linked to below once an attacker has administrative control over your system they could simply uninstall your security software rather than trying to bypass rendering the threat of this exploit far less important/relevant.

Twitter Timeline 1
Twitter Timeline 2
Twitter Timeline 3
Twitter Timeline 4
Twitter Timeline 5

Does this disclosure only affect security software?
It’s important to note this attack potential affects all software on Windows rather than just security software. In addition the proof of concept (PoC) exploit requires no changes for any application you choose to attack. Security software was chosen since almost all systems have anti-malware software installed and their process names are trusted (and allowed within application white listed (defined) environments).

How can I protect myself from this exploit?
Since this attack requires administrative privileges (defined) on Windows to have the intended effect, using a standard user account for everyday use will mitigate this attack.

From the various statements issued by the affected anti-malware vendors (listed below) please ensure your anti-malware software is the latest version available to ensure this attack is ineffective.

Traditional defences such patching your operating system, your web browser and being cautious of the attachments you open will also reduce the risk posed by this attack.

NetworkWorld Anti-Malware Vendor Responses

Malwarebytes Anti-malware

Symantec Endpoint Protection

Symantec Endpoint Protection Affected Versions

Thank you.

Pwn2Own 2017 Results

The final day of competition within Pwn2Own 2017 took place on Friday, 17th March. Full details of how the individual teams performed and how many exploits were successful are available here , here and here.

In summary the following products were successfully exploited:

Adobe Flash
Adobe Reader
Apple Safari
Apple macOS (mostly the macOS kernel)(defined)
Microsoft Edge
Microsoft Windows kernel
Mozilla Firefox
Ubuntu Linux
VMware Workstation

The contest saw 51 vulnerabilities used and a total of USD$833,000 awarded to the contestants (a very large increase over last year’s USD$460K). As I noted last year, many vulnerabilities once again were present within the macOS and Windows kernels specifically:

Apple macOS kernel:
race condition (defined)
information disclosures (defined)
out of bounds (OOB) bug (defined)

Microsoft Windows kernel:
integer overflows (defined)
buffer overflows (defined)
uninitialised buffers (discussed here)
use-after-free (defined here and here)
information disclosures
out of bounds (OOB) bug
race condition

As before Microsoft and Apple need to do more thorough static analysis/auditing/fuzzing (defined here and here) of the kernel to find and resolve vulnerabilities before they are exploited. It is a surprise this year again highlights this short coming which secure coding practices e.g. Microsoft’s SDL and Adobe’s SPLC (among others) were intended to reduce.

Of note is; Mozilla Firefox released Firefox 52.0.1 to resolve an integer flow vulnerability in less than 1 day after it’s disclosure during Pwn2Own; a fantastic response time.

=======================
Update: 28th March 2017:
=======================
On the 28th of March, VMware made available security updates to address the vulnerabilities discovered during Pwn2Own.

Apple have also made available updates (listed in this post) to resolve the vulnerabilities discovered in Pwn2Own 2017. It is unclear if all vulnerabilities are now addressed.

=======================
Update: 11th April 2017:
=======================
In late March, the Linux kernel vulnerability disclosed during Pwn2Own was resolved very quickly with Ubuntu also releasing their fix for this issue.

Adobe have released updates for Flash and Acrobat/Reader to address what appears to be 5 vulnerabilities in Flash and 6  in Acrobat/Reader (assuming near sequential CVEs and the team names attributed top them) disclosed during Pwn2Own.

We can again look forward to these vulnerabilities being addressed over the coming months; helping to make our products more secure.

Thank you.

WD My Cloud NAS Vulnerabilities

=======================
Update: 12th April 2017:
=======================
Western Digital have made available firmware updates to their My Cloud EX2100 and EX4100 models. The updates are available from this page.

They resolve some of the critical vulnerabilities identified in these products. Steps to update the firmware are available in this Softpedia article.

Thank you.

=======================
Update: 22nd March 2017:
=======================
Western Digital have made available firmware updates to My Cloud Mirror, EX2 and EX4 models. The updates are available from http://support.wdc.com/downloads.aspx

They resolve some of the critical vulnerabilities identified in these products. Steps to update the firmware are available in this Softpedia article.

Thank you.

=======================
Original Post:
=======================
Earlier this month a freelance security researcher known as Zenofex publically disclosed (defined) a total of 85 security vulnerabilities within the Western Digital (WD) MyCloud Network Attached Storage (NAS)(defined) devices

The vulnerabilities consist of authentication bypasses and code execution (carrying out instructions/steps of an attacker’s choice) and the upload/download of the data the device contains. Since the researcher did not receive cooperation with addressing previously communicated vulnerabilities from WD in the past they chose not to responsibly disclose (defined) these vulnerabilities.

After this disclosure, SEC Consult Vulnerability Lab (SCVL) provided further details of these vulnerabilities to the wider security community. For some of the 85 issues disclosed they had contacted WD in January 2017 and disclosed some of the details on the 20th of February. These vulnerabilities range from : command injection vulnerabilities, a stack-based buffer overflow (defined) bug and a cross-site request forgery flaw (defined)

In December 2016 WD issued fixes for some of the vulnerabilities discovered but created further vulnerabilities which resulted in the very same outcome they were trying to address.

How can I protect myself from these vulnerabilities?
Unfortunately, due to the very large number of vulnerabilities disclosed it will take a significant duration of time to resolve them all (especially if inadvertently; further vulnerabilities become evident; as has happened before).

If you use this NAS device; the data it contains will be at elevated risk of compromise while WD works to resolve these vulnerabilities. I would recommend ensuring these devices are not accessible to the external internet. Shodan may be of assistance to you in determining this. More information on Shodan is available in a previous blog post.

Please create backups of the data these NAS devices contain and store them on other devices until these vulnerabilities are resolved. Monitor WD’s website and install new firmware releases as they become available.

While Western Digital issued fixes for some of the vulnerabilities in December 2016, the independent security researcher found the fixes created another vulnerability with the same results they intended to resolve.

In addition, within this ThreatPost article WD recommends:

“My Cloud users contact our Customer Service team if they have further questions; find firmware updates; and ensure their My Cloud devices are set to enable automatic firmware updates.”

I will update this post as new information on the relevant updates becomes available.

Thank you.

F5 Firewalls and Load Balancers Vulnerable to “Ticketbleed”

In the latter half of last week security researcher Filippo Valsorda responsibly disclosed a high severity information disclosure vulnerability within F5’s firewalls and load balancers.

Why should this vulnerability be considered important?
Approximately 1000 of the top 1 million websites are vulnerable. This vulnerability while similar to the well-known OpenSSL Heartbleed vulnerability from April 2014 (both are buffer over read vulnerabilities (defined below)). This new vulnerability allows an attacker who sends specifically crafted data packets to a vulnerable website to obtain small pieces of data (possibly cryptographic keys or other key data used to secure encrypted connections) residing within the memory of the web servers connected to the F5 devices.

This vulnerability now named “Ticketbleed” exists in the code F5 used to implement a feature of Transport Layer Security (TLS) known as session tickets. They improve performance by allowing previously established encrypted connections to resume without having to re-setup (renegotiate) the connection again.

How can I protect myself from this vulnerability?
System administrators who are responsible for/administer F5 firewalls and load balancers should verify affected devices have applied the necessary mitigations listed in this F5 security advisory. At this time, no patch/update is available.

Thank you.

=======================
Aside:
=======================
What is a buffer over read vulnerability?
When code/instructions within a computer programming language e.g. C attempt to read data from a buffer (defined) than that buffer contains; this can lead to information disclosure.

Pwn2Own 2017 Contest Announced (Tenth Anniversary)

=======================
Update: 19th March 2017:
=======================
A more recent blog post discusses the results of the 2017 Pwn2Own contest.

Thank you.

=======================
Original Post:
=======================
With the month of March not too far away, I’m looking forward to the annual Pwn2Own contest taking place in Vancouver, Canada. Regular readers of this blog will know of the benefits it brings and why I look forward to it each year.

This year sees the return of Adobe Reader to the competition; a good decision due to the large numbers of vulnerabilities still being patched. I applaud the decision of Mozilla Firefox returning too since a zero day (defined) exploit was seen in recent times. It’s also in the top 3 in terms of usage. With a 64 bit version now available it should increase usage/competitiveness even further.

The full list of products that will be in the competition is here.

Just some of the interesting new additions are Ubuntu, Microsoft Hyper-V and Microsoft Office applications, which have never been present before. With vulnerabilities being patched routinely for all three of categories (especially for Microsoft Office), their inclusion should help us all when vulnerabilities are exploited and the researchers rewarded for their excellent work.

With the rise of malware for Apple Mac OS X and Linux it’s great to see them both in the contest this year. Previously only Mac OS was present.

Since the contest is celebrating its 10th anniversary it’s great to see other additions such as the Apache web servers and Ubuntu servers too. I often see servers installed and patched very little, if at all. This leads to situations where servers continue to have vulnerabilities long after they have been patched (more on that in this blog post). As for web servers, cross site scripting and CSRF remain consistent threats.

With extra points awarded for root access (defined) for Mac OS X or System level (defined) access for Windows this year’s contest is bigger than ever. With the more vulnerabilities that are found by the researchers the more they are awarded and the more everyone benefits by the vulnerabilities being responsibly disclosed (defined) to their vendors.

I will write another post when the results of this year’s contest are available and will discuss any highlights and how they will benefit us as users of these products.

Thank you.