Security and Update Advisories

oO.o · August 8, 2018, 5:03pm

Most of us who manage servers or are generally interested in cyber security are subscribed to various lists, feeds, etc. in an effort to stay up to date. Unfortunately those resources are often either disjointed, incomplete, or ridiculously verbose.

This thread is intended to be a curated list of vulnerabilities, updates and security advisories.

If you see an advisory that you think is relevant to this community, please post it here.

This thread is not intended to be for lengthy discussion. If you want to discuss at length, please link the post into a new topic.

Please provide citations.

General Resources

https://cve.mitre.org/

https://www.us-cert.gov/ncas/bulletins

https://twitter.com/cvenew?lang=en

Misc Resources

https://xenbits.xen.org/xsa/

If you have any others, post them below and I’ll add them to the list.

oO.o · August 8, 2018, 5:04pm

Samba vulnerability and updates coming next week:

Hi,

this is a heads-up that there will be Samba security updates on
Tuesday, August 14th (~ 8-11am UTC). Please make sure that your Samba
servers will be updated soon after the release!

Impacted components:

AD DC (CVSS 7.5, High)

client (CVSS 5.9, Medium)

file server / classic DC (CVSS 6.8 Medium)

https://lists.samba.org/mailman/listinfo/samba-announce

oO.o · August 8, 2018, 5:38pm

Various VMware (from yesterday):

ESXi

2016-08-07 VMSA-2015-0007.7
Updated security advisory to add that patches for ESXi 6.0, 6.5 and 6.7
now address CVE-2015-5177.

Horizon

Advisory ID: VMSA-2018-0019
Severity: Important
Synopsis: Horizon 6, 7, and Horizon Client for Windows updates
address an out-of-bounds read vulnerability
Issue date: 2018-08-07
Updated on: 2018-08-07 (Initial Advisory)
CVE number: CVE-2018-6970

https://lists.vmware.com/mailman/listinfo/security-announce

catsay · August 8, 2018, 7:26pm

CVE-2018-14526

New attack on WPA/WPA2 using PMKID

Currently ongoing thread:
https://hashcat.net/forum/thread-7717.html

Unauthenticated EAPOL-Key decryption in wpa_supplicant

wpa_supplicant

http://seclists.org/oss-sec/2018/q3/84

Main details:
https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt

Paper
https://papers.mathyvanhoef.com/woot2018.pdf

Is going to affect everything under the sun that’s got WiFi.

Possible mitigation steps

Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks. This can be done also on the AP side.

Merge the patches to wpa_supplicant and rebuild:
WPA: Ignore unauthenticated encrypted EAPOL-Key data

This patch is available from https://w1.fi/security/2018-1/

Update to wpa_supplicant v2.7 or newer, once available

POC/Test Code

catsay · August 8, 2018, 7:56pm

A non-CVE advisory

200,000 MikroTik Routers infected With Crypto Malware injector

Original story

https://www.trustwave.com/Resources/SpiderLabs-Blog/Mass-MikroTik-Router-Infection-–-First-we-cryptojack-Brazil,-then-we-take-the-World-/

Advice:

Patch Mikrotik devices
Secure devices with new credentials
Tighten up firewalls
Monitor network traffic

catsay · August 8, 2018, 8:00pm

WhatsApp flaw allows others to modify group messages and usernames

In essence what this allows:

Abuse the ‘quote’ feature in a group chats to change the identity of the sender, even if that person is not a member of the group.
Alter the text of someone else’s reply.
Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it’s visible to everyone in the conversation.

If you’re one of those that manually updates Apps:

Update yo Apps!
Be wary of group message texts that suddenly change.

oO.o · August 10, 2018, 11:45pm

Hardware backdoor found in a debug feature of “VIA C3 Nehemiah chips made in 2003”.

Discussion here:

https://forum.level1techs.com/t/hacker-finds-hidden-god-mode-on-old-x86-cpus/

oO.o · August 13, 2018, 4:43pm

Something to keep an eye on if you run pfSense or other exposed FreeBSD system.

https://nvd.nist.gov/vuln/detail/CVE-2018-6922

comfreak · August 13, 2018, 5:13pm

Is this really a security advisory, if all you can do as an attacker is degrading performance?

oO.o · August 13, 2018, 6:24pm

It sounds like you could effectively ddos the target without needing access to a huge amount of bandwidth (like a botnet). It’s not critical, but I thought it was relevant because of how many people here run pfsense. If it was a Fedora issue or something, I probably wouldn’t post it.

oO.o · August 14, 2018, 2:24pm

Addressed in versions 4.8.4, 4.7.9 and 4.6.16.

o CVE-2018-1139:
Vulnerability that allows authentication via NTLMv1 even if disabled.

o CVE-2018-1140:
Missing null pointer checks may crash the Samba AD DC, both over
DNS and LDAP.

o CVE-2018-10858:
A malicious server could return a directory entry that could corrupt
libsmbclient memory.

o CVE-2018-10918:
Missing null pointer checks may crash the Samba AD DC, over the
authenticated DRSUAPI RPC service.

o CVE-2018-10919:
Missing access control checks allow discovery of confidential attribute
values via authenticated LDAP search expressions.

https://lists.samba.org/mailman/listinfo/samba-announce

oO.o · August 14, 2018, 7:45pm

New Intel Speculative Execution Vulnerability: Foreshadow

| CVE-2018-3615 | CVE-2018-3620 | CVE-2018-3646 |

Affected Processors

The following Intel-based platforms are potentially impacted by these issues. Intel may modify this list at a later time.

Intel® Core™ i3 processor (45nm and 32nm)
Intel® Core™ i5 processor (45nm and 32nm)
Intel® Core™ i7 processor (45nm and 32nm)
Intel® Core™ M processor family (45nm and 32nm)
2nd generation Intel® Core™ processors
3rd generation Intel® Core™ processors
4th generation Intel® Core™ processors
5th generation Intel® Core™ processors
6th generation Intel® Core™ processors **
7th generation Intel® Core™ processors **
8th generation Intel® Core™ processors **
Intel® Core™ X-series Processor Family for Intel® X99 platforms
Intel® Core™ X-series Processor Family for Intel® X299 platforms
Intel® Xeon® processor 3400 series
Intel® Xeon® processor 3600 series
Intel® Xeon® processor 5500 series
Intel® Xeon® processor 5600 series
Intel® Xeon® processor 6500 series
Intel® Xeon® processor 7500 series
Intel® Xeon® Processor E3 Family
Intel® Xeon® Processor E3 v2 Family
Intel® Xeon® Processor E3 v3 Family
Intel® Xeon® Processor E3 v4 Family
Intel® Xeon® Processor E3 v5 Family **
Intel® Xeon® Processor E3 v6 Family **
Intel® Xeon® Processor E5 Family
Intel® Xeon® Processor E5 v2 Family
Intel® Xeon® Processor E5 v3 Family
Intel® Xeon® Processor E5 v4 Family
Intel® Xeon® Processor E7 Family
Intel® Xeon® Processor E7 v2 Family
Intel® Xeon® Processor E7 v3 Family
Intel® Xeon® Processor E7 v4 Family
Intel® Xeon® Processor Scalable Family
Intel® Xeon® Processor D (1500, 2100)
** indicates Intel microprocessors affected by CVE-2018-3615 - L1 Terminal Fault: SGX

KenPC · August 14, 2018, 7:53pm

I really don’t see this as a vulnerability. It’s just eliminating the need to de-auth someone who is connected and watching the 4 way handshake.

You’d still need to use a wordlist, rainbowtables, or brute-force to find the key.

Mitigation is just using a strong password or using Radius

oO.o · August 14, 2018, 8:10pm

I’ll let @catsay address your concerns in detail, but as far as this thread goes, the posts don’t all need to be vulnerabilities. Any security-related advisories and update advisories that are relevant to the L1T community are fine.

catsay · August 14, 2018, 8:13pm

(Common Vulnerabilities and Exposures)
CVE-2018-14526

https://nvd.nist.gov/vuln/detail/CVE-2018-14526

It’s most certainly a vulnerability of the WPA2 implementation.

catsay · August 14, 2018, 8:21pm

CVE-2018-14424

use-after-free of disposed transient displays

Impact

allows unprivileged user to trigger denial of service or remote code execution in Gnome GDM

It’s been patched in git upstream.

catsay · August 14, 2018, 8:27pm

Official XEN L1 Terminal Fault Advisory XSA-273

https://xenbits.xen.org/xsa/advisory-273.html

Further prior issue as part of the recent XEN X86 security advisories

https://xenbits.xen.org/xsa/advisory-269.html

ISSUE DESCRIPTION

The DEBUGCTL MSR contains several debugging features, some of which virtualise
cleanly, but some do not. In particular, Branch Trace Store is not
virtualised by the processor, and software has to be careful to configure it
suitably not to lock up the core. As a result, it must only be available to
fully trusted guests.

Unfortunately, in the case that vPMU is disabled, all value checking was
skipped, allowing the guest to chose any MSR_DEBUGCTL setting it likes.

IMPACT

A malicious or buggy guest administrator can lock up the entire host, causing
a Denial of Service.

VULNERABLE SYSTEMS

Xen versions 4.6 and later are vulnerable.

Only systems using Intel CPUs are affected. ARM and AMD systems are
unaffected.

Only x86 HVM or PVH guests can exploit the vulnerability. x86 PV guests
cannot exploit the vulnerability.

Running only x86 PV guests avoids the vulnerability.

catsay · August 14, 2018, 8:28pm

@oO.o and others

List of public Xen Security Advisories for future reference:

https://xenbits.xen.org/xsa/

Also I’m skipping over a bunch of stuff from the recent Xen project advisories because it’s simply too much.

oO.o · August 14, 2018, 8:30pm

Foreshadow might warrant it’s own thread beyond just announcing it here.

I’ll add that to OP.

catsay · August 14, 2018, 8:33pm

BTRFS also found a cute bug that allows dead easy shell code injection.

https://bugzilla.suse.com/show_bug.cgi?id=1102721

Mounting btrfs images with a label including shell injection characters could cause the cron jobs (running as root) to execute the included shellcode.

For example, bad image can be created with:

	`mkfs.btrfs --label "`/evil/command`' /dev/sdx