Tuesday, February 6, 2018

Cyber Updates - 6th February 2018

CPU vulnerabilities revealed

After several days of intense speculation, an embargo was lifted on the disclosure of two classes of processor vulnerabilities, dubbed "Meltdown" (affecting Intel specifically) and "Spectre" (affecting multiple processor manufacturers). These vulnerabilities allow one process to read sensitive data from another process, including passwords, session tokens and more. Three of the discoverers presented a talk on the vulnerabilities at the BlueHatIL conference here in Israel a few weeks ago.

As the vulnerabilities reside in the processors themselves, for now all that can be done is to apply patches to mitigate the issues. However, this process has not proceeded smoothly, with Microsoft having to hold off on deploying patches until users updated their anti-virus software, and culminating in Intel advising users to stop applying its patches until further notice.

Key takeaways:

  • Apply patches based on vendor advice and be sure to test patches in a staging environment before a mass deployment to production systems. This should be standard practice in any case.
  • These vulnerabilities have gathered a large amount of attention due to their branding and novelty, although the CVSS scores of the vulnerabilities are a modest 5.6 because exploitation requires executing code locally. This should be taken into account when prioritising efforts; there may be more serious issues which should be addressed first (see the other items in this post).
  • If you are using antivirus software which is no longer updated, or a system without any antivirus software at all, it may no longer install any Windows updates due to the antivirus issue noted above!

Remotely exploitable Cisco vulnerabilities

A much more serious vulnerability was reported in Cisco ASA and Firepower edge devices which could allow a remote, authenticated attacker to execute code on the devices. As these devices are designed to be exposed to the Internet, this merited a CVSS score of 10. As with the previous story, patching was not straightforward: Cisco had to issue an updated patch because the first patch was incomplete, and there were complaints that it took Cisco too long to inform customers.

Key takeaways:

  • This issue should be patched as soon as possible on all affected edge devices.
  • All security controls should be considered as layers, and it would be a worthwhile exercise to consider what would happen if a particular control, e.g. network edge protection, were suddenly disabled or bypassed.

Further Weaponisation of MS17-010 vulnerabilities

We have previously spoken about the increased risk posed by vulnerabilities for which exploits are easily available. We therefore wanted to highlight the news that a security researcher has ported some of the NSA exploits (EternalRomance/EternalSynergy/EternalChampion), which previously worked only on certain Windows versions, to run on any version since Windows 2000. These

Key takeaways:

  • If you have any version of Windows (server or desktop) from Windows 2000 onwards and it has not been patched with MS17-010, it can be remotely compromised wherever SMB is enabled.
  • Whilst it appears that MS17-010 can potentially be applied to Windows Server 2003 and Windows XP, Windows Server 2000 does not appear to be patchable.

The potential dangers of package managers

A well-written blog post called "I’m harvesting credit card numbers and passwords from your site. Here’s how." went viral a few weeks back. It explained how it is possible to exploit the reliance on package managers in software development to insert malicious code into an application.

Liran Tal wrote an interesting rebuttal to the post where he points out that the premise of the post relies on blindly adding packages without consideration.

Key takeaways:

  • Clearly the scenario in the original post is possible, although, as Liran says, this is more an issue of developer awareness and due diligence with open source code.
  • R&D teams should be aware of the risk, keep an inventory of the code libraries they are using, and know how they can verify where those libraries have come from.
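As an added illustration of the inventory-and-provenance takeaway (this is example code written for this post, not from the original blog post, Liran's rebuttal, or npm itself), the Python script below reads an npm package-lock.json, produces an inventory of installed packages, and flags entries that were not resolved from the expected registry or that lack an integrity hash. The lockfile contents and the trusted registry URL are constructed assumptions.

```python
import json

# Constructed sample package-lock.json (npm lockfileVersion 2 layout).
# Package names, URLs and hashes are placeholders, not real artefacts.
SAMPLE_LOCK = """
{
  "name": "demo-app",
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"left-pad": "^1.3.0"}},
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-PLACEHOLDERHASH"
    },
    "node_modules/mystery-utils": {
      "version": "0.0.1",
      "resolved": "https://example-mirror.invalid/mystery-utils-0.0.1.tgz"
    },
    "node_modules/from-git": {
      "version": "2.0.0",
      "resolved": "git+ssh://git@example.invalid/someone/from-git.git#abc123",
      "integrity": "sha512-PLACEHOLDERHASH2"
    }
  }
}
"""

# Assumed trusted source: the public npm registry.
TRUSTED_REGISTRY = "https://registry.npmjs.org/"


def inventory(lock_text):
    """Return {package_path: version} for every installed package (the inventory)."""
    lock = json.loads(lock_text)
    return {path: entry.get("version", "?")
            for path, entry in lock.get("packages", {}).items() if path != ""}


def audit_lockfile(lock_text, trusted_prefix=TRUSTED_REGISTRY):
    """Return a list of (package_path, finding) for entries whose provenance
    cannot be verified: no resolved URL, a URL outside the trusted registry,
    or no integrity hash to check the downloaded tarball against."""
    lock = json.loads(lock_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":  # root project entry, not a dependency
            continue
        resolved = entry.get("resolved", "")
        if not resolved:
            findings.append((path, "no resolved URL"))
        elif not resolved.startswith(trusted_prefix):
            findings.append((path, "resolved outside trusted registry: " + resolved))
        if "integrity" not in entry:
            findings.append((path, "missing integrity hash"))
    return findings
```

Running `audit_lockfile(SAMPLE_LOCK)` on the constructed lockfile reports the mirror-hosted package twice (untrusted source and no hash) and the git-sourced package once; a real review would then check each flagged entry against the team's approved sources.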

Josh Grossman
Senior Information Security Consultant and Team Leader