In September 2020, Cisco patched four Jabber vulnerabilities (including one wormable RCE flaw), but as it turns out, three of four have not been sufficiently mitigated.
The incompleteness of the patches was discovered by Watchcom researchers – who discovered and disclosed the batch of vulnerabilities made public in September – after one of their clients requested they verify the effectiveness of Cisco’s patches.
A wormable Jabber RCE and more
“Cisco released a patch that fixed the injection points we reported, but the underlying problem has not been fixed. As such, we were able to find new injection points that could be used to exploit the vulnerabilities,” the researchers explained.
The three old/new vulnerabilities received new CVEs (but have the same impact as the original ones):
- CVE-2020-26085: Cisco Jabber Cross-Site Scripting leading to RCE
- CVE-2020-27132: Cisco Jabber Password Hash Stealing Information Disclosure
- CVE-2020-27127: Cisco Jabber Custom Protocol Handler Command Injection
Of these, the first one is the most critical and duly received a CVSS score of 9.9, as it can be used by an unauthenticated attacker to achieve RCE, requires no user interaction, is wormable, and can be exploited by sending an instant message.
The other two may allow the collection of NTLM password hashes from unsuspecting users (also via an instant message) and command injection. More technical information about each can be found here.
Cisco has also, in the meantime, discovered two other vulnerabilities that it has patched along with these: CVE-2020-27134, a message handling script injection flaw, and CVE-2020-27133, a custom protocol handler command injection vulnerability.
“The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability,” Cisco explained.
Cisco Jabber is a popular video conferencing and instant messaging application that’s often used within enterprises for internal communication and collaboration.
Cisco has pushed out security updates for the Windows, macOS, Android and iOS clients/apps, and is urging users to implement them as there are no workarounds available.
The good news is that there is no indication these are currently being exploited in the wild, though there are tantalizing targets that use it:
I trust that European officials had Cisco Jabber’s videoconferencing software swiftly updated by the IT management, automatically. Less clear is what happens with personal devices. Almost every EU official has or had this stuff installed on personal devices, esp. due to Covid. https://t.co/JX5wVma2Qb
— Lukasz Olejnik (@lukOlejnik) December 12, 2020
“The continued existence of these vulnerabilities, even after the first patch, highlights the complexity of modern software and the challenges developers face when trying to secure it. When choosing to use frameworks such as CEF, it is important to consider their security implications. Security should also be considered in every step of the development process, both in the initial planning stages as well as during implementation and maintenance,” Watchcom researchers pointed out.
“This also serves as a reminder that software acquired from external vendors also poses a risk to organizations’ IT-security. It is important to be aware of these risks and take steps to mitigate them. Watchcom recommends regular audits of third-party software for security vulnerabilities.”
The final Patch Tuesday of the year is upon us and what a year it has been. Forcing many changes this year, the pandemic has impacted the way we conduct both security and IT operations. But even with the need to support remote operations and new applications that enable coordinated communication, one important aspect has not changed – the need to focus on security risk.
It’s easy to get consumed with troubleshooting performance issues, updating applications to provide the latest features, and other similar day-to-day activities, which can result in losing track of maintaining security of our systems.
In this monthly column, I focus on Microsoft updates and some of the more commonly used applications that require frequent security releases such as Adobe Reader, Google Chrome, Mozilla Firefox, etc. But we need to keep in mind that periodic updates are being released for all the applications we use and many of those updates include critical security fixes for vulnerabilities that are being exploited.
Very few (if any) of us are in a position to instantly update all the systems in our organizations, so we need to prioritize what needs to be updated first, and that should be driven by risk.
Risk is an interesting concept, because determining if one system is at a higher security risk than another can depend on many factors, which vary not only from company to company, but may change across departments within the same company.
We think about risk in general terms with regards to the importance of the system to the company’s business, the vulnerability state of the system, and the threat to the system. Each of these can be further broken down into factors of importance for the company. For example, we think of vulnerability state in relationship to factors such as patch state, configuration state, password compliance, user privileges, etc. These are just a few of the factors in one small area that can be used for risk determination.
Many companies and tools are available to help you, or maybe you have your own process already in place to determine risk and prioritize system updates.
Coming back to vulnerabilities in software and the need to patch, I’d like to point out a recent report from the NSA which itemizes a series of vulnerabilities being actively exploited. You’ll notice a wide range of vulnerabilities. Several, like the Netlogon flaw, have been in the news.
A wide range of impacted software, operating systems, VPNs and other security products are included as well. Please review and carefully consider this information as part of your next risk assessment as you prioritize your December updates.
December 2020 Patch Tuesday forecast
- Expect a smaller but standard set of Microsoft operating system updates this month. We should see the usual monthly rollup and security-only patches for the older operating systems, including the extended security updates (ESU) for Windows 7 and Server 2008. Windows 10 will include the latest 20H2 update. These updates should be smaller, in terms of CVEs, because we had the Thanksgiving holiday here in the US limiting development time. Office, Microsoft 365, and the associated SharePoint server updates will be included as well.
- Adobe released updates for Acrobat and Reader as part of APSB20-67 this week, so there shouldn’t be anything new next week. We may see a final update to Adobe Flash Player as it reaches end-of-life. Be on the lookout if you require Flash in your environment.
- Nothing is expected from Apple next week. A security update for iTunes was released mid-November and an iCloud update was issued this week. We could see a security update for macOS Big Sur later this month in advance of the holidays, the last update was in mid-November.
- Google Chrome was updated to 87.0.4280.88 for Windows, Mac and Linux this week, but we should always expect new updates each week.
- Mozilla Thunderbird was updated this week, so a Firefox and Firefox ESR update will be coming soon.
It looks like a light December Patch Tuesday to wrap up the year. If you’ve been struggling to keep up, you may want to reassess your prioritization and make sure you have characterized your risk properly.
New research into what happens after a new software vulnerability is discovered provides an unprecedented window into the outcomes and effectiveness of responsible vulnerability disclosure and exploit development.
The analysis of 473 publicly exploited vulnerabilities challenges long-held assumptions of the security space – namely, disclosure of exploits before a patch is available does not create a sense of urgency among companies to fix the problem.
The research was conducted by Kenna Security and the Cyentia Institute. It examines how the common practices among security researchers impact the overall security of corporate IT networks.
The importance of timing
The analysis found that when exploit code is made public prior to the release of a patch, cybercriminals get a critical head start. At the same time, when exploits are released before patches, it takes security teams more time to address the problem, even after the patch is released.
“The debate over responsible disclosure has existed for decades, but this data provides an objective correlation between vulnerability discovery, disclosure, and patch delivery for the first time ever,” said Ed Bellis, CTO of Kenna Security.
“However, the results raise several questions about responsible exposure, demonstrating that the timing of exploit code release can shift the balance in favor of attackers or defenders.”
Whether exploit code is released first or a patch is released first, the research found that there are periods of time when attackers have the momentum and when defenders have momentum – a reflection of the fact that no matter when a patch is released, some companies simply don’t or can’t install it before attackers make their move.
For approximately nine of the 15 months studied in this analysis, attackers were able to exploit vulnerabilities at a higher rate than defenders were patching, while defenders had the upper hand for six months.
The vulnerability disclosure practice
At the heart of the vulnerability disclosure practice is a mix of competing incentives for software publishers, IT teams, and the independent security researchers that find software vulnerabilities.
When a vulnerability is found, researchers disclose its existence and the relevant code they used to exploit the application. The publisher sets about creating a patch and pushing the patch to its user base. Occasionally, however, software publishers don’t engage, declining to create a patch or notify users of a vulnerability.
In these cases, researchers will publicly disclose the vulnerability to warn the larger community and spur the publisher to take action. Google, for example, tells software publishers that it will release details of the vulnerabilities it discovers within 90 days of notification, except in a few scenarios.
- When exploit code is publicly released before a patch, attackers get, on average, a 47 day head start
- Only 6% of those exploits were detected by more than 1/100 organizations
- Exploit code was already available for over 50% of the vulnerabilities in our sample by the time they were published to the CVE List
- In great news for defenders, over 80% of exploited vulnerabilities have a patch available prior to, or along with, CVE publication
- About one-third of vulnerabilities have exploit code published before a patch is made available
- About 7% of vulnerabilities are exploited before a CVE is published, a patch is available, and exploit code is released
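As an added example (not code from the Kenna/Cyentia report or from any of the articles on this page), the lifecycle metrics listed above and the threat-driven patch ordering the Patch Tuesday column argues for can be computed from per-vulnerability event dates like this; the sample timelines and their CVE-style identifiers are constructed placeholders, not real vulnerabilities.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VulnTimeline:
    """Key lifecycle dates for one vulnerability; None means the event was never observed."""
    cve_id: str
    cve_published: date
    patch_available: Optional[date]
    exploit_released: Optional[date]   # public exploit code
    first_exploited: Optional[date]    # first exploitation seen in the wild


def exploit_precedes_patch(v: VulnTimeline) -> bool:
    """True when exploit code was public before a patch existed (or no patch ever shipped)."""
    if v.exploit_released is None:
        return False
    return v.patch_available is None or v.exploit_released < v.patch_available


def exploited_before_everything(v: VulnTimeline) -> bool:
    """True when in-the-wild exploitation preceded CVE publication, the patch and public exploit code."""
    if v.first_exploited is None:
        return False
    later_events = [d for d in (v.cve_published, v.patch_available, v.exploit_released) if d is not None]
    return all(v.first_exploited < d for d in later_events)


def lifecycle_metrics(vulns: List[VulnTimeline]) -> Dict[str, float]:
    """The fractions reported in the study, computed over a list of timelines."""
    n = len(vulns)
    ahead = [v for v in vulns if exploit_precedes_patch(v)]
    # The attacker head start is only measurable where a patch eventually shipped.
    head_starts = [(v.patch_available - v.exploit_released).days for v in ahead if v.patch_available]
    return {
        "exploit_before_patch_fraction": len(ahead) / n,
        "mean_head_start_days": mean(head_starts) if head_starts else 0.0,
        "patch_by_cve_fraction": sum(
            1 for v in vulns if v.patch_available and v.patch_available <= v.cve_published) / n,
        "exploit_code_by_cve_fraction": sum(
            1 for v in vulns if v.exploit_released and v.exploit_released <= v.cve_published) / n,
        "exploited_before_all_fraction": sum(1 for v in vulns if exploited_before_everything(v)) / n,
    }


def patch_priority(vulns: List[VulnTimeline]) -> List[str]:
    """Order outstanding vulnerabilities by the threat dimension of risk: those seen exploited in
    the wild first, then those with public exploit code, then the rest; oldest exposure first
    within each tier. Business importance and vulnerability state would be further inputs."""
    def key(v: VulnTimeline):
        if v.first_exploited is not None:
            return (0, v.first_exploited)
        if v.exploit_released is not None:
            return (1, v.exploit_released)
        return (2, v.cve_published)
    return [v.cve_id for v in sorted(vulns, key=key)]


# Constructed sample timelines with placeholder identifiers (not real CVEs).
SAMPLE = [
    # patch shipped with the CVE, exploit code came later, never seen in the wild
    VulnTimeline("CVE-0000-0001", date(2020, 3, 10), date(2020, 3, 10), date(2020, 4, 1), None),
    # exploit code public 44 days before the patch
    VulnTimeline("CVE-0000-0002", date(2020, 2, 1), date(2020, 3, 20), date(2020, 2, 5), date(2020, 2, 20)),
    # patched at CVE publication, no exploit code or exploitation observed
    VulnTimeline("CVE-0000-0003", date(2020, 5, 12), date(2020, 5, 12), None, None),
    # exploited in the wild before the CVE, the exploit code and the patch (62-day head start)
    VulnTimeline("CVE-0000-0004", date(2020, 6, 1), date(2020, 7, 21), date(2020, 5, 20), date(2020, 5, 15)),
    # exploit code public, no patch ever shipped
    VulnTimeline("CVE-0000-0005", date(2020, 8, 11), None, date(2020, 8, 20), date(2020, 9, 1)),
    # patch before the CVE, exploit code released on the CVE date
    VulnTimeline("CVE-0000-0006", date(2020, 9, 8), date(2020, 9, 1), date(2020, 9, 8), date(2020, 9, 30)),
]

if __name__ == "__main__":
    for name, value in lifecycle_metrics(SAMPLE).items():
        print(f"{name}: {value:.2f}")
    print("patch order:", patch_priority(SAMPLE))
```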
“For decision-makers and researchers across the cybersecurity community, this research provides a vital, never before seen window into the lifecycle of vulnerabilities and exploitations,” said Jay Jacobs, partner, Cyentia Institute.
“These findings offer prominent paths for future research that could ultimately make the IT infrastructure more secure.”
Despite the strong relationship between disclosure of exploitation code and weaponization, the research requires some caveats. It’s possible that release of exploit code doesn’t facilitate exploitation, but detection of exploits in the wild, because the release of the code enabled faster creation of anti-virus signatures.
“This new report reignites the conversation on responsible disclosure. More research will help draw more definitive conclusions, but for now, we can say that where there’s smoke, there’s fire,” said Wade Baker, partner and co-founder of Cyentia Institute. “Release of exploit code before a patch seems to have a negative effect on corporate security.”
SAP has issued patches to fix a critical vulnerability (CVE-2020-6287) that can lead to total compromise of vulnerable SAP installations by a remote, unauthenticated attacker.
The flaw affects a variety of SAP business solutions, including SAP Enterprise Resource Planning (ERP), SAP Supply Chain Management (SCM), SAP HR Portal, and others.
About the vulnerability (CVE-2020-6287)
Discovered and reported by Onapsis researchers and dubbed RECON, CVE-2020-6287 is due to the lack of authentication in a web component (LM Configuration Wizard) of the SAP NetWeaver AS for Java versions 7.30 to 7.50. The vulnerability can be exploited through an HTTP interface – typically exposed to end users and often to the internet.
“If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account (adm), which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications. The confidentiality, integrity, and availability of the data and processes hosted by the SAP application are at risk by this vulnerability,” the US Cybersecurity and Infrastructure Security Agency (CISA) explained.
Onapsis is set to release a report with more information about the flaw, but the CVSS base score it received (10.0) defines it as being easily remotely exploitable without prior authentication and without user interaction.
The vulnerable component is used in many of SAP’s solutions: SAP S/4HANA, SAP Enterprise Resource Planning (ERP), SAP Enterprise Resource Planning (PLM), SAP Customer Relationship Management (CRM), SAP Supply Chain Management (SCM), SAP Enterprise Portal, SAP Solution Manager, and many others.
“Due to the criticality of this vulnerability, the attack surface this vulnerability represents, and the importance of SAP’s business applications, the Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends organizations immediately apply patches. CISA recommends organizations prioritize patching internet-facing systems, and then internal systems,” the agency noted.
“Organizations that are unable to immediately patch should mitigate the vulnerability by disabling the LM Configuration Wizard service (see SAP Security Note #2939665). Should these options be unavailable or if the actions will take more than 24 hours to complete, CISA strongly recommends closely monitoring your SAP NetWeaver AS for anomalous activity.”
Onapsis researchers say that a scan they performed showed 2,500 vulnerable SAP systems exposed to the internet.
Microsoft has averaged roughly 90 common vulnerabilities and exposures (CVE) fixes per month over the past five months. With everyone working from home and apparently focused on bug fixes, I expect this large CVE fixing trend to continue. Despite these record CVE numbers, the actual number of updates has been down; we haven’t seen Exchange or SQL Server updates in a while.
The hot topic of conversation over the last two weeks has been the release of out-of-band security updates for CVE-2020-1425 and CVE-2020-1427, both of which address a memory issue within the Microsoft Windows Codecs Library.
While Microsoft does security updates out-of-band from time to time, the points of contention were these updates were only available from the Microsoft Store and were released with very limited information. The fact that CVE-2020-1425 is rated critical with limited availability through the store has many people wondering why this is the case. This is an unusual release for Microsoft. Keep your eyes open on Tuesday to see if these CVEs show up in the cumulative monthly update.
We’ll see another set of updates for Windows 10 version 2004 and Windows Server version 2004. It’s now been over a full month since the May 27 release of this ‘new’ operating system. As with all operating system releases you’ll want to stay on top of these updates because a larger number of security fixes, as well as important stability updates, are made over the first couple of months.
If you are experiencing any particular issues as you roll out this new operating system you should check out the known issues page for the latest information. You may find a fix is already available or will soon be on the way.
Continue to be diligent with your vulnerability management and system updates as we move deeper into the summer. It’s been kind of quiet in the news regarding new publicly reported exploits, but old vulnerabilities remain and new variants on ransomware and other malicious software continue to surface – Try2Cry being a good example. Here’s what’s been released recently and what to expect next week.
July 2020 Patch Tuesday forecast
- Expect to see a larger number of Microsoft updates this month. We are due for a new set of .NET updates and, as I mentioned above, we are overdue for a SQL server or Exchange server update.
- Servicing stack updates (SSUs) and Extended Security Updates (ESUs) for Windows 7 and Server 2008/2008 R2 are expected in the group release as usual.
- The Oracle Critical Product Update (CPU) aligns with Patch Tuesday once again this quarter. Don’t forget your Java update and other OpenJDK-based products such as Amazon Corretto, AdoptOpenJDK, and others which will follow close behind.
- After the surprise Adobe Flash release last month, could we see another? Unlikely, but be on the lookout. The last major security update for Acrobat and Reader was in early May so look for a security release this week.
- Apple released their security updates for iTunes and iCloud back in late May and have been releasing roughly every other month. We may not see a release on Tuesday but be on the lookout later this month.
- Google released a security update for Chrome 84 this week.
- Mozilla provided minor security updates this week for Firefox 78, and major updates for Firefox ESR 68 and Thunderbird 68 the last week of June. We may see a minor update for these applications next week.
The US Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to patch a slew of old and new software vulnerabilities that are routinely exploited by foreign cyber actors and cyber criminals.
“Foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available,” the agency noted.
“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.”
The most often exploited CVE-numbered vulnerabilities
The list of the ten most often exploited flaws between 2016 and 2019 includes seven affecting Microsoft offerings (Office, Windows, SharePoint, .NET Framework), one affecting Apache Struts, one Adobe Flash Player, and one Drupal.
They are as follows:
IT security professionals are advised to use this list alongside a similar one recently compiled by Recorded Future, which focuses on the ten most exploited vulnerabilities by cybercriminals in 2019.
In addition to all these flaws, CISA points to several others that have been under heavy exploitation in 2020:
Additional warnings and help
CISA has also warned organizations to check for oversights in their Microsoft O365 security configurations (and to implement these recommendations), and to start fixing organizational cybersecurity weaknesses they might have.
“March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365. Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and vulnerable to attack,” they noted.
Organizations can apply for CISA’s help in scanning internet-facing systems and web applications for vulnerabilities and misconfigurations – the agency offers free scanning and testing services (more info in the alert).
Sophos has released an emergency hotfix for an actively exploited zero-day SQL injection vulnerability in its XG Firewalls, and has rolled it out to all units with the auto-update option enabled.
Aside from plugging the security hole, the hotfix detects if the firewall was hit by attackers and, if it was, stops it from accessing any attacker infrastructure, cleans up remnants from the attack, and notifies administrators about it so that they can perform additional remediation steps.
About the vulnerability and the attack
The flaw, which has yet to be assigned a CVE identification number, was previously unknown to Sophos and turned out to be a pre-auth SQL injection vulnerability that was exploited for remote code execution.
The zero-day affects all versions of XG Firewall firmware on both physical and virtual Sophos firewalls.
“Sophos received a report on April 22, 2020, at 20:29 UTC regarding an XG Firewall with a suspicious field value visible in the management interface. Sophos commenced an investigation and the incident was determined to be an attack against physical and virtual XG Firewall units,” the company shared.
“The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected.”
The company says that the attack used a chain of Linux shell scripts that eventually downloaded ELF binary executable malware compiled for SFOS, the Sophos Firewall Operating System (i.e., the firmware).
The goal of the attack was to deliver malware that is able to collect information such as:
- The firewall’s public IP address
- Its license key
- The email addresses of user accounts that were stored on the device as well as that of the administrator account
- Firewall users’ names, usernames, the encrypted form of the passwords, and the salted SHA256 hash of the administrator account’s password
- A list of the user IDs permitted to use the firewall for SSL VPN and accounts that were permitted to use a “clientless” VPN connection
- Additional information about the firewall (e.g., firmware version, CPU type, etc.)
- A list of the IP address allocation permissions for the users of the firewall
All this information was written in a file, which was compressed, encrypted, and uploaded to a remote machine controlled by the attacker(s).
Those admins that have disabled the (default) auto-update option are advised to implement the hotfix.
The admins whose firewalls have been compromised should reset device administrator accounts, reboot the affected device(s), reset passwords for all local user accounts and for any accounts where the XG credentials might have been reused.
Sophos also advises admins to reduce attack surface by disabling HTTPS Admin Services and User Portal access on the WAN interface (if possible).
“While customers should always conduct their own internal investigation, at this point Sophos is not aware of any subsequent remote access attempts to impacted XG devices using the stolen credentials,” the company added.
A week after the April 2020 Patch Tuesday, Microsoft has released out-of-band security updates for its Office suite, to fix a handful of vulnerabilities that attackers could exploit to achieve remote code execution.
At the same time, a security update has also been released for Paint 3D, the company’s free app for creating 3D models, because the source of the fixed vulnerabilities is something that both Office and Paint 3D have in common: the Autodesk FBX library.
About the vulnerabilities
Autodesk – the company behind the popular AutoCAD software but also a variety of other specialized apps used by architects, engineers, digital media creators, manufacturers, etc. – fixed six vulnerabilities (CVE-2020-7080 through CVE-2020-7085) in its FBX Software Developer Kit (SDK).
All can be triggered if a user is tricked into opening a specially crafted, malicious FBX file, and can either create a DoS condition or make the application run arbitrary code on the underlying system.
Since the Autodesk FBX library is integrated into MS Office apps and the Paint 3D app, processing specially crafted 3D content in those apps may lead to remote code execution.
“An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft explained.
What to do?
To exploit the vulnerabilities, an attacker must send a specially crafted file containing 3D content to a user and convince them to open it. (Just viewing it through the Preview Pane is not enough to trigger the exploitation.)
The fact that exploitation requires user interaction makes the vulnerabilities important but not critical. Nevertheless, tricking users into opening random files is, unfortunately, something that attackers know how to do well.
There are no mitigating factors or workarounds for the flaws, so users and admins are urged to implement the provided updates, especially if they often deal with FBX files.
The developments in the area of cybersecurity are alarming. As the number of smart devices in private households increases, so do the opportunities for cybercriminals to attack, according to TÜV Rheinland.
Key cybersecurity trends for 2020
Uncontrolled access to personal data undermines confidence in the digital society. The logistics industry and private vehicles are increasingly being targeted by hackers. Experts view these key cybersecurity trends as critical to understand in 2020.
“From our point of view, it is particularly serious that cybercrime is increasingly affecting our personal security and the stability of society as a whole,” explains Petr Láhner, Business Executive Vice President for the business stream Industry Service & Cybersecurity at TÜV Rheinland.
“One of the reasons for this is that digital systems are finding their way into more and more areas of our daily lives. Digitalization offers many advantages – but it is important that these systems and thus the people are safe from attacks.”
Uncontrolled access to personal data could destabilize the digital society
In 2017, Frenchwoman Judith Duportail asked a dating app company to send her any personal information they had about her. In response, she received an 800-page document containing her Facebook likes and dislikes, the age of the men she had expressed interest in, and every single online conversation she had had with all 870 matching contacts since 2013.
The fact that Judith Duportail received so much personal data after several years of using a single app underscores the fact that data protection is now very challenging. In addition, this example shows how little transparency there is about securing and processing data that can be used to gain an accurate picture of an individual’s interests and behavior.
Smart consumer devices are spreading faster than they can be secured
Smart speakers, fitness trackers, smart watches, thermostats, energy meters, smart home security cameras, smart locks and lights are the best-known examples of the seemingly unstoppable democratization of the “Internet of many Things”.
Smart devices are no longer just toys or technological innovations. The number and performance of individual “smart” devices are increasing every year, as these types of devices are quickly becoming an integral part of everyday life.
It is easy to see a future in which the economy and society will become dependent on them, making them a very attractive target for cybercriminals. Until now, the challenge for cybersecurity has been to protect one billion servers and PCs. With the proliferation of smart devices, the attack surface could quickly increase hundreds or thousands of times.
Owning a medical device increases the risk of an internet health crisis
Over the past ten years, personal medical devices such as insulin pumps, heart and glucose monitors, defibrillators and pacemakers have been connected to the internet as part of the “Internet of Medical Things” (IoMT).
At the same time, researchers have identified a growing number of software vulnerabilities and demonstrated the feasibility of attacks on these products. This can lead to targeted attacks on both individuals and entire product classes.
In some cases, the health information generated by the devices can also be intercepted. So far, the healthcare industry has struggled to respond to the problem – especially when the official life of the equipment has expired.
As with so many IoT devices of this generation, networking was more important than the need for cybersecurity. The complex task of maintaining and repairing equipment is badly organized, inadequate or completely absent.
New targets for cyber attacks: Vehicles and transport infrastructure
Through the development of software and hardware platforms, vehicles and transport infrastructure are increasingly connected. These applications offer drivers more flexibility and functionality, potentially more road safety, and seem inevitable given the development of self-propelled vehicles.
The disadvantage is the increasing number of vulnerabilities that attackers could exploit – some with direct security implications. Broad cyberattacks targeting transport could affect not only the safety of individual road users, but could also lead to widespread disruption of traffic and urban safety.
Supply chains under attack
With the goal of greater efficiency and lower costs, smart supply chains leverage IoT automation, robotics and big data management – those within a company and with their suppliers.
Smart supply chains increasingly represent virtual warehousing, where the warehouse is no longer just a physical building, but any place where a product or its components can be located at any time. Nevertheless, there is a growing realization that this business model considerably increases the financial risks, even with only relatively minor disruptions.
Smart supply chains are dynamic and efficient, but are also prone to disruptions in processes. Cyberattacks can manipulate information about deposits. Thus, components would not be where they are supposed to be.
Threats to shipping are now reality
In 2017, goods with an estimated weight of around 10.7 billion tons were transported by sea. Despite current geopolitical and trade tensions, trade is generally expected to continue to grow.
There is ample evidence that states are experimenting with direct attacks on ship navigation systems. At the same time, attacks on the computer networks of ships used to extort ransom have been reported. Port logistics offers a second, overlapping area of vulnerability.
Many aspects of shipping, such as ship navigation, port logistics and ship computer networks, can be vulnerable to attack. Attacks can originate from states and activist groups. This makes monitoring and understanding a key factor in modern maritime cybersecurity.
Vulnerabilities in real-time operating systems could herald the end of the patch age
It is estimated that by 2025 there will be over 75 billion networked devices on the Internet of Things, each using its own software package. This, in turn, contains many outsourced and potentially endangered components. In 2019, Armis Labs discovered eleven serious vulnerabilities (called “Urgent/11”) in the real-time operating system (RTOS) Wind River VxWorks.
Six of these flaws exposed an estimated 200 million IoT devices to the risk of remote code execution (RCE) attacks. Weaknesses at this level are a major challenge because they are often deeply hidden in a large number of products.
Organizations may not even notice that these vulnerabilities exist. In view of this, the procedure of always installing the latest security updates will no longer be effective.
Computer scientists at KU Leuven have once again exposed a security flaw in Intel processors. Jo Van Bulck, Frank Piessens, and their colleagues in Austria, the United States, and Australia gave the manufacturer one year’s time to fix the problem.
Load Value Injection
Plundervolt, Zombieload, Foreshadow: in the past couple of years, Intel has had to issue quite a few patches for vulnerabilities that computer scientists at KU Leuven have helped to expose. “All measures that Intel has taken so far to boost the security of its processors have been necessary, but they were not enough to ward off our new attack,” says Jo Van Bulck from the Department of Computer Science at KU Leuven.
Like the previous attacks, the new technique – dubbed Load Value Injection – targets the ‘vault’ of computer systems with Intel processors: SGX enclaves.
“To a certain extent, this attack picks up where our Foreshadow attack of 2018 left off. A particularly dangerous version of this attack exploited the vulnerability of SGX enclaves, so that the victim’s passwords, medical information, or other sensitive information was leaked to the attacker.
“Load Value Injection uses that same vulnerability, but in the opposite direction: the attacker’s data are smuggled – ‘injected’ – into a software program that the victim is running on their computer. Once that is done, the attacker can take over the entire program and acquire sensitive information, such as the victim’s fingerprints or passwords.”
Giving Intel enough time to fix the problem
The vulnerability was already discovered on 4 April 2019. Nevertheless, the researchers and Intel agreed to keep it a secret for almost a year. Responsible disclosure embargoes are not unusual when it comes to cybersecurity, although they usually lift after a shorter period of time.
“We wanted to give Intel enough time to fix the problem. In certain scenarios, the vulnerability we exposed is very dangerous and extremely difficult to deal with because, this time, the problem did not just pertain to the hardware: the solution also had to take software into account. Therefore, hardware updates like the ones issued to resolve the previous flaws were no longer enough. This is why we agreed upon an exceptionally long embargo period with the manufacturer.”
“Intel ended up taking extensive measures that force the developers of SGX enclave software to update their applications. However, Intel has notified them in time. End-users of the software have nothing to worry about: they only need to install the recommended updates.”
“Our findings show, however, that the measures taken by Intel make SGX enclave software up to 2 to even 19 times slower.”
What are SGX enclaves?
Computer systems are made up of different layers, making them very complex. Every layer also contains millions of lines of computer code. As this code is still written manually, the risk for errors is significant.
If such an error occurs, the entire computer system is left vulnerable to attacks. You can compare it to a skyscraper: if one of the floors becomes damaged, the entire building might collapse.
Viruses exploit such errors to gain access to sensitive or personal information on the computer, from holiday pictures and passwords to business secrets.
In order to protect their processors against this kind of intrusion, IT company Intel introduced an innovative technology in 2015: Intel Software Guard eXtensions (Intel SGX). This technology creates isolated environments in the computer’s memory, so-called enclaves, where data and programs can be used securely.
“If you look at a computer system as a skyscraper, the enclaves form a vault”, researcher Jo Van Bulck explains. “Even when the building collapses the vault should still guard its secrets – including passwords or medical data.”
The technology seemed watertight until August 2018, when researchers at KU Leuven discovered a breach. Their attack was dubbed Foreshadow. In 2019, the Plundervolt attack revealed another vulnerability. Intel has released updates to resolve both flaws.
Which ten software vulnerabilities should you patch as soon as possible (if you haven’t already)?
Table of top exploited CVEs between 2016 and 2019 (repeats are noted by color)
Recorded Future researchers have analyzed code repositories, underground forum postings, dark web sites, closed source reports and data sets comprising submissions to popular malware repositories to compile a list of the ten vulnerabilities most exploited by cybercriminals in 2019.
The list is comprised of two vulnerabilities in Adobe Flash Player, four vulnerabilities affecting Microsoft’s Internet Explorer browser, three MS Office flaws and one WinRAR bug:
Most have been flagged and patched in the last few years – as can be seen by their CVE numbers – but one of them dates as far back as 2012.
The researchers put the popularity of Microsoft vulnerabilities (as compared to Flash bugs) down to a combination of better patching and Flash Player’s impending demise in 2020, and noted the importance of patching Microsoft products in a timely manner.
Among other, more recently patched flaws that made the top 20 list are CVE-2019-0841, a privilege escalation vulnerability in the Windows AppX Deployment Service and CVE-2019-3396, a server-side template injection vulnerability in the Atlassian Confluence Server and Data Center Widget Connector that could be used for remote code execution.
With all of this in mind, they advise admins to prioritize the patching of Microsoft products (and all the aforementioned vulnerabilities), automatically disable Flash Player wherever possible, remove affected software if it’s not needed, and install browser ad-blockers to prevent exploitation via malvertising.
Cisco has released another batch of security updates and patches for a variety of its offerings, including many of its security solutions.
Security fixes for security solutions
Among the security holes plugged is CVE-2019-16028, a critical authentication bypass vulnerability affecting the Cisco Firepower Management Center – a device that provides visibility into an organization’s network and allows admins to centrally manage critical Cisco network security solutions.
“The vulnerability is due to improper handling of Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to gain administrative access to the web-based management interface of the affected device,” Cisco explained.
Unlike many of the flaws patched in this batch, this vulnerability was discovered and flagged by outside security researchers. The good news is that there is no indication it is being exploited in attacks in the wild. Admins are advised to upgrade to a fixed release or to apply a hotfix.
“Customers who cannot immediately apply a software fix may evaluate the possibility of disabling LDAP authentication for FMC access and using other authentication methods until a software fix can be applied,” Cisco noted.
Cisco Email Security, Web Security and Content Security Management Appliances also sport a few flaws, all medium-risk and most found during internal security testing.
Among these is CVE-2020-3133, a vulnerability that could allow an unauthenticated, remote attacker to bypass configured filters on a Cisco Email Security Appliance.
Cisco ESAs should be upgraded to v13.0 and later, Cisco WSAs to v11.8.0-382 and later, and Cisco SMAs to v13.0.0-187 and later.
High-risk vulnerabilities fixed in this bundle include several denial of service bugs affecting Cisco Smart Software Manager On-Prem and the Cisco IOS XR Software (the OS used on Cisco’s carrier-grade routers).
Finally, devices running Cisco IOS XE SD-WAN Software – software that provides them with SD-WAN capabilities – should be updated to release 16.12.1 to remove a set of default credentials within the default configuration.
“An attacker who has access to an affected device could log in with elevated privileges. A successful exploit could allow the attacker to take complete control of the device,” Cisco noted.
Security advisories for all of the fixed flaws can be found here.
ACROS Security has released a micropatch that implements the workaround for a recently revealed actively exploited zero-day RCE flaw affecting Internet Explorer (CVE-2020-0674).
Remote code execution vulnerability affecting IE
Last Friday, Microsoft released an out-of-band security advisory notifying Internet Explorer users of a remote code execution vulnerability affecting IE 11, 10 and 9 on various versions of Windows and Windows Server, which it knows is being exploited in “limited targeted attacks”.
Flagged by researchers from Qihoo 360 and Google’s Threat Analysis Group, the flaw has been filed under CVE-2020-0674, but no fix was released.
“Microsoft is aware of this vulnerability and working on a fix. Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers,” the company explained, and offered information on mitigations and a temporary workaround.
Microsoft advised admins to implement the offered mitigation steps only if there is an indication that the systems they administer are at elevated risk.
“If you implement the workaround, you will need to revert the mitigation steps before installing any future updates to continue to be protected,” the company pointed out.
Also, the workaround changes the ownership of the vulnerable JScript.dll, which has to be reverted again when the workaround is undone (before patching).
“This workaround has an expected negative side effect that if you’re using a web application that employs legacy JScript (and can as such only be used with Internet Explorer), this application will no longer work in your browser,” explained Mitja Kolsek, CEO of Acros Security and co-founder at 0patch, a solution that aims to provide fixes for zero-days, unpatched vulnerabilities, end-of-life and unsupported products, legacy operating systems, vulnerable third-party components and customized software.
Since the February Patch Tuesday is quite a while away and since Windows 7 and Windows Server 2008 R2 users without Extended Security Updates might not get the patch at all, ACROS Security decided to provide a micropatch that simulates the offered workaround (restricts access to the vulnerable JScript.dll) without its negative side effects (reduced functionality for components or features that rely on that particular .dll).
The company has ported the micropatch to Windows 7, Windows 10, Windows Server 2008 R2 and Windows Server 2019 (both 32-bit and 64-bit).
Those who already use 0patch can implement the micropatch immediately and remove it easily when Microsoft finally provides a patch (although, Microsoft’s patch will have precedence over the micropatch, so even removing it is not actually required).
As attackers continue to hit vulnerable Citrix (formerly Netscaler) ADC and Gateway installations, Citrix has released permanent fixes for some versions and has promised to provide them for other versions and for two older versions of SD-WAN WANOP by January 24.
A short timeline before the situation update
CVE-2019-19781, a critical vulnerability affecting Citrix ADC and Gateway that may allow unauthenticated attackers to achieve remote code execution and obtain direct access to an organization’s local network from the internet, was responsibly disclosed last December.
At the time, Citrix only offered mitigation advice instead of fixes, but both security researchers and hackers eventually used that advice to discern the nature of the flaw and create exploits for it.
The number of publicly available exploits quickly rose over the following days and they began to be deployed by attackers. At the same time, scans revealed tens of thousands of (still) vulnerable installations.
Citrix CISO Fermin J. Serna then announced that the first available fixes would land on January 20.
The current situation
Several days into the rising wave of attacks, FireEye researchers flagged a threat actor gaining access to vulnerable Citrix installations and removing known cryptocurrency miners from them.
At the same time, the threat actor downloads and deploys a utility (NOTROBIN) that blocks exploitation attempts against the CVE-2019-19781 vulnerability, while effectively setting up a backdoor that can only be used by someone who knows the right password (a hardcoded key).
“Across multiple investigations, FireEye observed actors deploying NOTROBIN with unique keys. For example, we’ve recovered nearly 100 keys from different binaries,” the researchers noted.
“FireEye believes that the actor behind NOTROBIN has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign.”
A similar attack, delivering partial fixes, was spotted recently by SANS ISC, as it was used on their honeypots.
In the meantime, Citrix confirmed that some SD-WAN WANOP versions (v10.2.6 and 11.0.3) are also vulnerable to CVE-2019-19781 as they include Citrix ADC as a load balancer, and that the offered mitigation steps will work on them.
Finally, on Sunday, the company released fixes for CVE-2019-19781 for ADC versions 11.1 and 12.0.
“These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated,” Serna pointed out.
He also said that the remaining fixes – for ADC version 12.1, 13, 10.5, and SD-WAN WANOP 10.2.6 and 11.0.3 – are scheduled to be released on January 24.
He also warned that the offered fixes can be used only on the indicated versions. “If you have multiple ADC versions in production, you must apply the correct version fix to each system,” he advised.
In the meantime, mitigations should be implemented and admins should check whether they’ve been successfully applied. Citrix has provided a tool that will help them do that.
By the way: last week CISA released a utility that enables users and administrators to test whether their Citrix ADC and Citrix Gateway firmware is susceptible to the CVE-2019-19781 vulnerability. It’s available here.
Also: TrustedSec provided instructions for checking whether your Citrix endpoints have already been compromised through CVE-2019-19781.
IT teams appreciate it when vendors or security researchers discover new vulnerabilities and develop patches for them. So do attackers. The same information that lets IT teams know where they may be vulnerable so they can take action, also lets attackers know where the weaknesses are – providing an opportunity and a map to guide them so they can develop an exploit.
That means that once a vulnerability is disclosed, the clock starts ticking and it becomes a race for organizations to patch or mitigate vulnerable systems before they can be compromised.
While zero day attacks capture media attention with exciting headlines, the reality is that most attacks target known vulnerabilities for which patches or updates exist. According to the 2019 Verizon Data Breach Investigations Report, the average IT team patches fewer than 40% of affected systems within 30 days of discovering a vulnerability. However, cybercriminals can often develop an exploit for a publicly disclosed vulnerability within a matter of weeks or even days.
The gap between a working exploit being developed and the necessary patch being applied is a period of heightened – and avoidable – exposure to risk. One of the primary problems is that there is a disconnect between the priorities of IT and security teams. Where security teams take a proactive approach, the IT teams responsible for implementing patches tend to take a more reactive approach, potentially hindering the patch management program overall.
Reactive patch management
IT teams are busy. Patching vulnerable systems and applications is just one part of a very long list of tasks the IT team is responsible for. Everything is important on some level and it all needs to get done, so it’s understandable that patching may not always be the highest priority.
The problem is that if everything is a priority, then nothing is. Frequently, IT teams find themselves in a vicious cycle of constantly putting out fires – running from urgent issue to urgent issue because they never make the time to approach the situation proactively.
Risk assessment and context
The reality is that not every vulnerability is urgent – and that even the urgent ones aren’t necessarily a top priority for every vulnerable system or application. You need to have the right context to understand your exposure to risk.
You might have 100 systems affected by a vulnerability rated as “Critical”. If 84 of those systems don’t contain sensitive data and are not directly connected to other vulnerable or sensitive systems, they aren’t a top priority. Of the remaining 16, if 5 of those are systems that are public facing and you have other mitigating security controls in place, they also don’t need to be a top priority. The remaining 11 – the ones that are vulnerable, contain sensitive data or critical business functions, and are connected to the public internet – are the systems you should focus on first.
11 is a much more manageable number than 100. Yet if you address just these 11 systems, you greatly reduce your attack surface and your exposure to risk. Having context enables you to prioritize effectively.
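The triage walked through above can be written down as a rule and run over an asset inventory. The following Python is an added example, not code from the original article: it encodes the same three questions (does the system hold sensitive data or a critical business function, or sit next to one; is it reachable from the internet; are compensating controls already in place) and sorts a constructed 100-host inventory into "patch first", "patch next" and "patch later" buckets that reproduce the 11/5/84 split from the text. The `Asset` fields and host names are assumptions for the example, not any asset-management product's schema.

```python
"""Context-based patch prioritization (added example, not the article's code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

PATCH_FIRST, PATCH_NEXT, PATCH_LATER = 0, 1, 2


@dataclass(frozen=True)
class Asset:
    """One system affected by the vulnerability being triaged.

    Field names are assumptions made for this example.
    """
    name: str
    sensitive: bool               # holds sensitive data or a critical business function
    connected_to_sensitive: bool  # direct network path to a sensitive/vulnerable system
    public_facing: bool           # reachable from the public internet
    compensating_controls: bool   # e.g. an IPS/WAF rule already blocking the exploit


def priority_tier(a: Asset) -> int:
    """Apply the article's rule to a single affected system."""
    # Systems that neither hold anything sensitive nor touch a sensitive
    # system are not a top priority, whether or not they are public facing.
    if not (a.sensitive or a.connected_to_sensitive):
        return PATCH_LATER
    # Sensitive and exposed to the internet without mitigating controls:
    # this is the set to patch first.
    if a.public_facing and not a.compensating_controls:
        return PATCH_FIRST
    # Sensitive but internal, or public facing with controls in place.
    return PATCH_NEXT


def triage(assets: Iterable[Asset]) -> Dict[int, List[str]]:
    """Group affected system names by tier so the work can be scheduled."""
    tiers: Dict[int, List[str]] = {PATCH_FIRST: [], PATCH_NEXT: [], PATCH_LATER: []}
    for a in assets:
        tiers[priority_tier(a)].append(a.name)
    return tiers


def sample_inventory() -> List[Asset]:
    """Constructed 100-host inventory mirroring the 84/5/11 split in the text."""
    assets: List[Asset] = []
    # 84 hosts with no sensitive data and no link to sensitive systems;
    # half of them are public facing, which does not change their tier.
    for i in range(84):
        assets.append(Asset(f"kiosk-{i:02d}", False, False, i % 2 == 0, False))
    # 5 public-facing sensitive hosts that already sit behind mitigating controls.
    for i in range(5):
        assets.append(Asset(f"web-{i}", True, False, True, True))
    # 11 internet-reachable hosts with no controls: 9 hold sensitive data,
    # 2 are only directly connected to systems that do.
    for i in range(11):
        assets.append(Asset(f"erp-{i:02d}", i < 9, i >= 9, True, False))
    return assets


if __name__ == "__main__":
    tiers = triage(sample_inventory())
    for tier, label in ((PATCH_FIRST, "patch first"),
                        (PATCH_NEXT, "patch next"),
                        (PATCH_LATER, "patch later")):
        print(f"{label}: {len(tiers[tier])} systems")
```

In practice the two boolean inputs that matter most, reachability and the presence of compensating controls, are the ones an inventory is least likely to record accurately, so the output is only as good as the asset data feeding it; that is the visibility point the next section makes.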
Proactive patch management
In an ideal world, all of your vulnerable systems would be patched, but in the real world you don’t have to patch every vulnerability right now. Proactive patch management is focused on protecting the systems and applications that are most important from a business perspective and reducing the overall attack surface.
You must at least be aware of the vulnerabilities in the first place, though. You need to have an accurate IT asset inventory and comprehensive visibility so you know where all of your systems and applications are, and what they’re connected to. Armed with that information, you can prioritize your efforts based on context and potential impact, and be proactive about patching and updating the systems that need it the most.
The most recent Windows patch, released April 9, seems to have done something (still to be determined) that’s causing problems with anti-malware software. Over the last few days, Microsoft has been adding more and more antivirus scanners to its list of known issues. As of publication time, client-side antivirus software from Sophos, Avira, ArcaBit, Avast, and most recently McAfee are all showing problems with the patch.
Affected machines seem to be fine until an attempt is made to log in, at which point the system grinds to a halt. It’s not immediately clear if systems are freezing altogether or just going extraordinarily slowly. Some users have reported that they can log in, but the process takes ten or more hours. Logging in to Windows 7, 8.1, Server 2008 R2, Server 2012, and Server 2012 R2 are all affected.
Booting into safe mode is unaffected, and the current advice is to use this method to disable the antivirus applications and allow the machines to boot normally. Sophos additionally reports that adding the antivirus software’s own directory to the list of excluded locations also serves as a fix, which is a little strange.
Microsoft is currently blocking the update for Sophos, Avira, and ArcaBit users, with McAfee still under investigation. ArcaBit and Avast have published updates that address the problem. Avast recommends leaving systems at the login screen for about 15 minutes and then rebooting; the antivirus software should then update itself automatically in the background.
Avast and McAfee also provide a hint at the root cause: it appears that Microsoft has made a change to CSRSS (“client/server runtime subsystem”), a core component of Windows that coordinates and manages Win32 applications. This is reportedly making the antivirus software deadlock. The antivirus applications are trying to get access to some resource, but they’re blocked from doing so because they have already taken exclusive access to the resource.
Given that patches have appeared from antivirus vendors rather than an update from Microsoft, it suggests (though does not guarantee) that whatever change Microsoft made to CSRSS is revealing latent bugs in the antivirus software. On the other hand, it’s possible that CSRSS is now doing something that Microsoft previously promised wouldn’t happen.