SegmentSmack

vSOC SPOT Report: SegmentSmack

Overview

On August 6, 2018, security researcher Juha-Matti Tilli of Nokia Bell Labs disclosed a denial of service condition in the Linux kernel’s networking code. This condition, known as SegmentSmack or CVE-2018-5390, has the potential to exist in a large variety of devices, including production Linux servers but also other devices, such as load balancers and routers.

Vendors of potentially vulnerable products received notifications on July 23, 2018 and kernel developer David S. Miller quickly developed a patch. Although this vulnerability was introduced in version 4.9 of the Linux kernel, some Linux distributors backported the vulnerable code to earlier releases since the code contains notable performance enhancements.

Technical Overview

A set of specially crafted TCP packets to any open port can force the kernel to call two CPU-intensive functions, tcp_collapse_ofo_queue() and tcp_prune_ofo_queue(), forcing resource exhaustion. An attacker can stall an affected device with as few as 2,000 packets per second. Researchers at the Linux vendor Red Hat were able to completely saturate four CPU cores using four streams on a vulnerable system.

The patch limits the amount of CPU usage this condition can utilize, rendering the attack ineffective.

To exploit the vulnerability, an attacker needs inbound TCP access to the server. The vulnerability does not allow remote code execution. As of the publication of this SPOT report, there is no proof of concept for the exploit available.

Potential Impact

A malicious attacker can use this vulnerability to send a small number of specially crafted packets to a server to increase CPU utilization to 100% and cause a denial of service condition by limiting the amount of CPU resources available for legitimate tasks.

Linux distributions confirmed to to be vulnerable to SegmentSmack include:

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Oracle Enterprise Linux 7
  • SuSE Linux Enterprise Server 15
  • Ubuntu 18.04 LTS
  • Amazon Linux AMI version 2017.03
  • Amazon Linux AMI version 2017.09
  • Amazon Linux AMI version 2018.03

This is not an exhaustive list. Many Linux distributors backported the vulnerable code to older kernel versions. Systems can also be upgraded to newer kernels in the field by an experienced system administrator.

What You Should Do

Scan your network for CVE-2018-5390 using a reputable vulnerability scanner to build an inventory of affected systems, starting with your cloud-based infrastructure and your DMZ. Alternatively, you can sign into systems and issue the command uname -a to capture the kernel version. However, this check is not fully reliable as some Linux vendors backported kernel 4.9 networking code to earlier kernels.

When scanning your DMZ and internal network, do not limit your scope simply to name-brand Linux systems, as this vulnerability can affect embedded systems and appliances as well, such as F5 load balancers. Use authenticated scans if at all possible to increase accuracy. Since this vulnerability exists in very specific Linux kernel versions, authentication makes it much easier to correctly identify vulnerable systems.

Patch affected systems as soon as possible, especially publicly facing systems. Retain the old kernel long enough to verify the system still functions, then remove the old kernel to keep someone from rebooting the system with the old kernel and reintroducing the vulnerability. Kernel updates normally require a reboot to fully take effect, so this patch will require a small amount of downtime.

Since this attack involves specially crafted packets that can be sent to legitimate ports, there is no practical way to mitigate this attack in bulk using firewalls or other common compensating controls. However, the nature of the vulnerability prevents an attacker from using a spoofed IP address. This means a system under attack could be protected temporarily on a case-by-case basis with a local iptables rule blocking traffic from the source of the attack.

Issuing this command on an affected system will block traffic from a specific IP address:

iptables -A INPUT -s 192.168.1.1 -j DROP

Substitute the public IP address the attack is coming from for 192.168.1.1.

To remove the rule, either reboot the system or issue the following sequence of commands:

iptables -L

This prints the local firewall rules. Identify the rule line blocking the traffic you want to delete, then issue this command:

iptables -D INPUT 1

Supporting Information

Contributing Authors

  • Dave Farquhar – vSOC Program Manager
Oracle WebLogic Exploit

vSOC SPOT Report: Oracle WebLogic

Overview

On July 18, 2018, Oracle released a routine patch for an Oracle WebLogic Server remote code execution vulnerability (CVE-2018-2893). This WebLogic vulnerability can allow an unauthenticated attacker to remotely compromise and take over the Oracle WebLogic server. CVE-2018-2893 received a “critical” rating and a 9.8 out of 10 CVSSv3 score because of the ease of exploitation by a remote unauthenticated attacker. Within three days of announcing the vulnerability publicly and releasing the patch, proof of concept code was available online to exploit the vulnerability. A sharp uptick in scanning and exploitation attempts has been observed by many security research teams as different threat actors modify their campaigns to use the newly public exploit code.

Technical Overview

Details about the vulnerability were not made public until after Oracle released patches for the bug on July 18, 2018, but due to several Proof-Of-Concept (POC) exploits that were posted to various websites shortly after the patch was released, the automation of the vulnerability became widespread.

There are currently two groups being monitored that have automated exploits and are utilizing them at scale in order to gain control of unpatched WebLogic servers. The exploit allows an unauthenticated attacker to gain access to the server, typically over port 7001, in order to drop and execute a .jar file which unpacks and executes code to begin dropping additional files onto the system including Bill Gates DDOS malware, crypto-miner XMRig Monero, and other backdoors.

Versions of Oracle WebLogic that are affected by this vulnerability are:

  • 10.3.6.0
  • 12.1.3.0
  • 12.2.1.2
  • 12.2.1.3

Oracle has not confirmed whether older unsupported versions are affected but they should be assumed vulnerable.

Potential Impact

The most common result of the exploitation of this vulnerability, like several other recently identified vulnerabilities in Oracle WebLogic, is to install cryptocurrency miners on the exploited servers. Attackers use the exploited server’s CPU resources to mine cryptocurrency unbeknownst to the owners. However, data theft is also a very real possibility since this exploitation allows the attacker to take over the Oracle WebLogic server.

What You Should Do

If you have an affected version of Oracle WebLogic running in your environment, you should immediately apply the newly released patch for this vulnerability (Oracle July 2018 CPU) which was released July 18, 2018. It is also recommended that you block external traffic on port 7001 until you are able to deploy the update. This port has been identified with several active exploitation campaigns. Deploying the Oracle WebLogic patch is the most complete fix for this vulnerability.

If you are running earlier, unsupported versions of Oracle WebLogic, upgrading to a current, supported version that is receiving updates is a best practice to protect against this and future vulnerabilities. While Oracle has not confirmed any end-of-life versions of WebLogic are vulnerable, it is safest to assume earlier versions are also affected.

Known IOCs

  • 121.18.238.56 AS4837 CHINA UNICOM China169 Backbone
  • 103.99.115.220 AS21859 Zenlayer Inc
  • 5.8.54.27 Petersburg Internet Network ltd
  • 185.159.128.200 IT Outsourcing LLC
  • luoxkexp.com
  • md5 hash – 2f7df3baefb1cdcd7e7de38cc964c9dc

Supporting Information

ERP

vSOC Threat Advisory – ERP Attacks on the Rise

US-CERT released an advisory July 25, 2018 regarding an uptick of activity by attackers exploiting Enterprise Resource Planning (ERP) applications. This advisory was in response to a recently released Digital Shadows report titled, ERP Applications Under Fire: How cyberattackers target the crown jewels. In their report, Digital Shadows in partnership with Onapsis, provides new research and intelligence about the motives and techniques used by nation-state and hacktivist attackers against ERP systems.

ERP systems include the following platforms and typically hold the most sensitive information, or “crown jewels” that an organization has.

  • Human Capital Management (HCM)
  • Supply Chain Management (SCM)
  • Customer Relationship Management (CRM)
  • Product Lifecycle Management (PLM)
  • Supplier Relationship Management (SRM)
  • Process Integration (PI)
  • Manufacturing & Operations (MO)
  • Asset Lifecycle Management (ALM)
  • Business Intelligence (BI)

The key findings from the Digital Shadows report are:

  • Hacktivist groups are actively attacking ERP systems to infiltrate and disrupt target organizations.
  • Cybercriminals have more sophisticated attacks that target “behind-the-firewall” ERP applications.
  • Nation-state actors are exploiting ERP systems to access sensitive or classified information.
  • Over the last 3 years, there has been a 160% increase in interest in exploits for SAP and SAP HANA applications in dark web and cybercriminal forums.
  • Most modern ERP attacks are leveraging unpatched and misconfigured applications.
  • Prevalence of cloud and mobile solutions has increased the organization’s attack surface. Digital Shadows has identified more than 17,000 SAP and Oracle ERP applications directly connected to the Internet.
  • Leaked information is also a major issue, with more than 500 SAP configuration files identified on insecure repositories accessible from the Internet.

The complexities of ERP software platforms often leads to customers that struggle to apply security patches in a timely manner. Some of the main characteristics are:

  • Complex system architecture
  • Customized functionality
  • High number of interfaces and integrations
  • Proprietary protocols
  • Detailed and fine-grained access controls
  • No tolerance for downtime
  • Lack of knowledge and processes for ERP security
  • Reliance on third parties to support ERP platforms

The bottom line with ERP exploits and security is there are 7 main areas that customers need to focus on to improve their security posture.

  1. Identification and categorization of your business systems: It is essential to understand which systems are critical to your organization. Criticality, however, is more than just the amount of downtime you can tolerate from the system. It also includes the value of the system and the value of the data the system processes or stores.
  2. Vulnerability Management: This is not just conducting scans. Vulnerability management is the cyclical processes and procedures of identifying, categorizing, prioritizing, and remediating vulnerabilities in your software.
  3. Trained Resources: It is imperative that you employ (or contract) trained security resources that know your ERP and SAP platforms and are responsible for configuring, monitoring, and modifying the security parameters of each system.
  4. Architecture: Thousands of ERP and SAP applications are internet-accessible. Evaluate your architecture to identify which systems need this level of access to the Internet and which do not. Reducing your footprint will result in a smaller attack surface for the bad guys.
  5. Situational Awareness: Researchers have identified the inadvertent exposure of technical details and credentials for ERP and SAP systems by employees, contractors, and other third-parties who use insecure cloud-based platforms to share information.
  6. It Can Happen to You: Regardless of your industry, your size, your location, or how important you think you are to attackers, hackers, and activists, you probably are a target and just don’t know it yet. Realize that many attacks are not targeted by organization and are simply a function of opportunistic ability to monetize your data or systems. Cybercriminals and dark web forums are brimming with interest in ERP and SAP platforms to disrupt, steal, and exploit organizations of all sizes. Realize your organization’s data and systems have value, regardless of brand name, and implement a security program that corresponds to your organization’s risk posture.
  7. Your Mistake is Their Payday: Poor password hygiene, misconfigurations, lack of established processes and procedures all lead to mistakes that give attackers opportunities. Your mistakes allow them to steal and sell your sensitive data or compromise your systems for abuse. Examples that can be costly and overlook include crypto miner attacks on your servers, utilizing your CPU resources and power to mine crypto-coins for themselves.

Resources

EFail

vSOC SPOT Report: EFAIL – Encryption Technology OpenPGP and S/MIME

Overview

On May 14th, 2018, a group of German security researchers, lead by Sebastian Schinzel, disclosed a vulnerability believed to be in the PGP and S/MIME encryption for email. The vulnerability appears when an attacker has gained access or intercepted encrypted emails and manipulates the HTML content of the message, such as images or styles, and then sends the maliciously crafted email to a recipient. Upon opening the message in an email client it is decrypted, along with the external maliciously altered content, allowing the attacker to gain access to any plaintext within the email. The majority of mail clients in use today are impacted by this vulnerability, including Outlook, Gmail, and iOS Mail.  A specific list is provided at the end of this document.

Attack Details

There are two separate attacks in which the attacker is required to have exfiltration channels in place in order to obtain the encrypted emails and these channels can be set up by having access to a client’s system, server, network traffic, or compromising email accounts directly.

The first attack is called “Direct Exfiltration” in which an attacker utilizes Apple Mail, iOS Mail, or Mozilla Thunderbird to view the encrypted emails in plaintext. The attack requires the attacker to send an email that contains three parts with the first part containing the HTML content-type within it, the second part is an image src attribute that contains the ciphertext of the PGP or S/MIME encryption, the third section would then close the image src attribute. Once this email is sent to the victim is opened, it allows the external content to be loaded in plain text within emails is then exfiltrated to the attackers to view.

The second attack takes advantage of the ability to attack encrypted messages if you know any of the plaintext. Since most encrypted messages start with “Content-type: multipart/signed,” it is possible to generate an encrypted gadget derived from this known plaintext containing HTML tags and inject it into existing messages. Then, when the reader opens the message, the client sends the plaintext back to the attacker.

Potential Impact

An attacker who is able to inject the required HTML content into an encrypted message in transit can use the HTML payload to recover the plaintext of the encrypted message.

The attacker will have to get in between the sender and the recipient in order to inject the payload or get onto the system containing an encrypted mailbox. Getting into position to carry out either attack is difficult.

What You Should Do

Since the attack scenarios rely on HTML formatted email, disabling HTML rendering in your mail client is advisable and disallow external links to be loaded within email clients. While not a foolproof mitigation in all mail clients, until vendors release patches, it is the only mitigation. When patches are released for your mail client, deploy them as soon as possible. Mozilla promised updates by the end of the week, while Apple said it will have patches “soon.” Microsoft has not yet stated its plans. In the meantime, be careful about sending sensitive information over email.

For a list of impacted mail clients please refer to the list below provided by EFAIL researchers:

EFAIL Table

Table from, “Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels (draft 0.9.0)” by Damian Poddebniak, Christian Dresen, Jens Muller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jorg Schwenk

 

Exim MTA

vSOC SPOT Report: Exim Remote Code Execution Vulnerability

Overview

On March 6th, 2018, a security researcher by the name of Meh Chang of Devcore, a Taiwanese security consulting firm, published a remote code execution vulnerability that is present in the mail transfer agent, Exim. Exim is a mail transfer agent (MTA for short) for Unix servers that was developed at the University of Cambridge. Its use is very widespread, estimated to be used on hundreds of thousands of different servers, and it is the default mail transfer agent on some popular web control panels, such as cPanel. It is also the default mail transfer agent in the Debian and Ubuntu Linux distributions. Due to the widespread use of Exim, we believe this vulnerability is particularly dangerous. The vulnerability was first disclosed to Exim on February 2nd, 2018, and a patch was published on February 10th to resolve this issue. This vulnerability is currently being tracked under CVE-2018-6789.

Attack Details

The attack exploits the Base64 decode function of the Exim MTA. The AUTH function of Exim, in most cases, uses Base64 encoding to communicate with the client. Exim uses a buffer to store the decoded Base64 data. Chang found that it was possible to use a certain invalid Base64 string to cause Exim to allocate less space for the buffer than it consumed, creating a buffer overflow. Normally this buffer overflow is harmless, but it is possible to craft the Base64 string to a certain length to overwrite critical data.

Remote execution is possible depending on the use of the Access Control List (ACL) strings in Exim. Chang found that it was possible to overwrite the ACL strings, and then initiate an ACL Check using the ‘MAIL FROM’ SMTP command. When an ACL Check is performed, any code in these strings will be executed if it encounters ${run{cmd}}.

Potential Impact

There have been no known active exploits or proofs of concept of this vulnerability, but this is expected to change in the days following the disclosure due to the ease of exploiting it. Also, the estimated number of machines affected by this vulnerability is very high. A successful exploit of this vulnerability could allow the attacker to gain full access to the mail server. This could then be used to compromise privileged information through the use of reading emails, or the copying, modifying, sending, or deleting of email. This server can then be used as a launching point for further attacks within your network. Even if you are not using Exim within your environment for mail, you could still be vulnerable if Exim is installed and there are open SMTP ports that allow incoming mail.

What You Should Do

Exim has already published Exim 40.9.1 to fix this vulnerability. ALL versions of Exim prior to 40.9.1 are vulnerable to this. Patches are available for Debian, Fedora, SuSE, and Ubuntu Linux distributions as standard packages. Some vulnerability scanners have already added checks for this vulnerability, such as Qualys, Rapid7 and Tenable. We would recommend you review your environment for any indication of vulnerable mail servers and ensure these are updated

GuidePoint’s vSOC will provide additional information as it is made public to help protect our clients.

Supporting Information

Firefox

vSOC SPOT Report: Mozilla Firefox Arbitrary Code Execution Vulnerability

Overview

On January 29th, Mozilla developer Johann Hofmann reported that there was a major Arbitrary Code Execution vulnerability (CVE-2018-5124) within the browser’s user interface (UI) that allows a remote attacker to execute specially crafted code by exploitation of the unsanitized HTML output in the browser’s “Chrome” component. The UI vulnerability has received a CVSS score of 8.8 out of 10 due to the ability for it to be easily exploited without the user’s knowledge.

Technical Overview

The attacker hides unsanitized HTML code within the Firefox “Chrome” component, which does not run separately from the HTML present on a web page. If the attacker hides unsanitized HTML inside the browser’s UI code, the execution chain can be broken away from Firefox’s UI component and allow commands to be run on the computer. The code itself runs with whatever the current user’s privileges are. For example, if the user is an administrator then the code can run SYSTEM level commands. Due to the fact CVE-2018-5124 relies on running untrusted code, it has the ability to be hidden within an iframe, loaded-off screen, or loaded via a drive-by download without the user’s knowledge.

Potential Impact

Exploit kit developers are expected to jump on this vulnerability and add CVE-2018-5124 to their arsenal of targeted vulnerabilities in order to load malware on users’ machines. The biggest impact would come from exploitation of this flaw involving a user with administrative privileges and could allow an attacker to gain a foothold due to the factors involving this vulnerability by running SYSTEM level commands on the compromised system. This security flaw allows an attacker to easily deliver malware and potentially gain control over the user’s machine. This vulnerability is not currently known to affect Firefox for Android and Firefox 52 ESR.

What You Should Do

It is recommended that users update their version of Mozilla Firefox if it is one of the following versions:

  • Mozilla Firefox 56.x
  • Mozilla Firefox 57.x
  • Mozilla Firefox 58.0.0

Mozilla has fixed the flaw by sanitizing the code executed by its chrome UI component, and this is included as part of the new patch released for the vulnerable versions.

Supporting Information

ATM

vSOC SPOT Report: Ploutus-D ATM Malware

Overview

On Friday, January 26th, vendor Diebold Nixdorf released a statement to customers housing their front load ATM appliances of an attack being leveraged against them. The Ploutus-D malware, which has previously been seen in Latin America, has been observed in several regions of the United States including the Pacific Northwest, Texas, and several locations across the Southeast. The attack is coined “Jackpotting” due to the ability to make the ATM device unload all of its funds.

Attack Details

In order for an attacker to gain access to implant the malicious binary, they must have physical access to the device. They must open the top hat of the ATM via a clone key, picking, forcing the lock or any other method. Once they gain physical access, the attacker will attach a USB or PS/2 keyboard and either load the malicious binary via USB drive or other removable media or will replace the hard drive of the system with one preloaded with the malicious operating system and program files. Once complete, this will allow the attacker to “jackpot” the ATM directly via command line or remotely via SMS text message.

Recognizing Jackpotting Attacks

Physical access is necessary to perform this attack as well as potential damage to the device. Routine sweeps should be made by the device administrator to ensure there is no damage to the locking mechanism, top hat, or casing indicating that the device has been tampered with. Additionally, if the device has a built-in tamper alarm to the opening of the top hat, it should be enabled.

ATM

Image 1: Hole drilled into ATM for endoscope – Courtesy of EuroPol

Keyboard Attached to ATM

Image 2: Top hat removed and Keyboard attached – Courtesy of FireEye

How Jackpotting Works

The attacker gains physical access to the computer inside the ATM either via forcing the top hat, or in the case of embedded systems, via social engineering their way into the maintenance area for the devices. They then load the Ploutus-D Configuration utility (AgilisConfigurationUtility.exe) along with software dependencies onto the system which permits the attacker control. Once the applications are installed, the malware hooks into the keyboard and permits the use of the “F” function keys (typically at the top of the keyboard, as in the above image) as well as the number keys to provide input. At this point, the attacker can press the “F3” key and distribute funds from the device without authorization or can close everything back up and create a cash drop where they are able to distribute funds at their leisure.

In order for this particular attack to be successful, the attacker MUST have the 8 digit activation code, which is only valid for 24 hours.

Attack Detection and Prevention

To detect and prevent this attack, the best starting point is to reinforce the device’s physical security. Additional security controls for ATM maintenance and stronger access control are critical. Additional options to reduce the attack surface are:

  • Many of the ATMs in circulation use the same keys. Replacing the top hat lock with a different lock will reduce the instances of this crime.
  • Have a technician physically inspect the device at regular intervals to ensure it has not been tampered with.
  • Use appropriate locking mechanisms to secure the head compartment of the ATM.
  • Control access to areas used by personnel to service the ATM.
  • Implement access control for service technicians based on two-factor authentication.
  • Use firmware with the latest security functionality.
  • Use the most secure configuration of encrypted communications including physical authentication:
    • Agilis® XFS for Opteva®
    • Advanced Function Dispenser (AFD) Version 4.1.41 incl.AFD Application Firmware Version – 6.0.1.0 (or later)
    • Agilis® XFS for Opteva®, Core Version 4.1.59 (or later)
    • Optional – OSD+/DSST 3.3.30 (or later)
  • Investigate suspicious activities such as deviating or non-consistent transaction or event patterns, which are caused by an interrupted connection to the dispenser.
  • Have a plan in place for what to do if someone has physically tampered with the ATM.
    • Who is the point of contact?
    • Who is your local law enforcement agency?
    • Do you have a regular contact there?
  • Running regular updates and ensuring that your operating system is still supported (Many of these attacks are made far easier due to the ATM running Windows XP).
  • Implementation of full disk encryption and encrypt the connection between the ATM and the dispenser.

Affected Systems

  • Diebold Nixdorf Front-load Opteva terminals with the Advanced Function Dispenser (AFD).
    • Opteva 500 and 700
  • Other terminals and ATM vendors without physical authentication could be affected.

IOCs

The following IOCs are available to detect the instance of the attacker:

FileSystem:
  • [D-Z]:\Data\P.bin
  • C:\Diebold\EDC\edclocal.dat

The following files should be found at the same place where the service Diebold.exe is located:

  • Log.txt
  • Log2.txt
  • P.bin – Mac address of the system, plus string: “PLOUTUS-MADE-IN-LATIN-AMERICA-XD”
  • PDLL.bin – Encoded version of P.bin
Mutex names:
  • Ploutos
  • DIEBOLDPL
  • KaligniteAPP
Services:
  • Service Name: DIEBOLDP
Registry:

\\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit=”Diebold.exe,%system32%/userinit.exe”

Additional Resources

Cisco Logo

vSOC SPOT Report: Cisco Adaptive Security Appliance RCE & Denial of Service Vulnerability

Update (2018-01-31): SNORT Signatures

After further research, vSOC has located Snort signatures published by the fox-srt team, which can detect exploitation of this vulnerability.

# IDS signatures for https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1:

alert udp any any -> any 500 (msg:"FOX-SRT - Suspicious - Possible Fragmented Cisco IKE/isakmp Packet HeapSpray (CVE-2018-0101)"; flow:to_server; content:"|84|"; offset:16; depth:1; content:"|02 08 |"; distance:1; within:2; fast_pattern; byte_test:4,>,5000,4,relative; byte_test:2,>,5000,10,relative; byte_extract:4,36,fragment_match; byte_test:4,=,fragment_match,52,relative; byte_test:4,=,fragment_match,136,relative; byte_test:4,=,fragment_match,236,relative; threshold:type limit, track by_dst, count 1, seconds 600; classtype:attempted-admin; sid:21002339; rev:4;)

alert udp any any -> any 500 (msg:"FOX-SRT - Exploit - Possible Shellcode in Cisco IKE/isakmp - tcp/CONNECT/"; content:"tcp/CONNECT/"; fast_pattern:only; threshold:type limit, track by_src, count 1, seconds 600; priority:1; classtype:attempted-admin; sid:21002340; rev:2;)

These alerts have been provided by fox-srt and can be found at their GitHub site: https://gist.github.com/fox-srt/09401dfdfc15652b22956b9cc59f71cb

Overview

On Monday January 29th, Cisco released a statement to customers that they had identified a vulnerability (CVE-2018-0101) affecting Cisco ASA (Adaptive Security Appliance) and Cisco Firepower Threat Defense Appliances via the Secure Sockets Layer (SSL) VPN functionality of the devices which could allow an unauthenticated remote attacker to create a denial of service condition by reloading the device to remotely execute specially crafted malicious code. The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is turned on for the Cisco ASA device.

Attack Details

The vulnerability makes this very easy to exploit and as a result, it was rated a 10 out of 10 on the CVSS (Common Vulnerability Scoring System). The attack involves an attacker sending multiple crafted malformed XML packets to the Cisco ASA devices and Cisco Firepower software. If the exploit is successful, the attacker will then have the ability to execute unauthorized code on the devices. Depending on the nature of the code, the attacker can gain full control over the device. This attack does not require physical access and can be carried out remotely. The ASA device(s) are only vulnerable if they have the webvpn feature enabled within the OS settings.

Attack Detection and Prevention

Attack patterns will vary once exploits are developed and used in the wild. Some possible detection methods include monitoring XML packets sent to Cisco ASA hosts via packet capture, or to monitor for sudden regular spikes in traffic sent to Cisco ASA hosts, as these spikes would likely be an attempt to force constant restarts on the device. To determine whether the webvpn service is enabled, administrators can use the command show running-config webvpn at the command line. Additionally, the show version command can be run to verify which version of Cisco ASA Software is running on the device. The Cisco Adaptive Security Device Manager (ASDM) can also show the software release in the table that appears by the login window, or in the upper-left corner of the ASDM interface.

The show version command will also show the release version for Cisco Firepower Threat Defense (FTD) devices. Version 6.2.2 of FTD devices are vulnerable because it incorporates code from both Firepower and ASA devices, as it was the first release that supported the Remote Access VPN feature.

Affected Systems

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software

Recommendations

Cisco has released several tables showing the versions to update to and the original ASA major release. It is recommended to ensure both the ASA devices and FTD software is updated to the version released to counteract the vulnerability.

Cisco ASA Major Releases

[1] Cisco ASA Major release table (Cisco, 2018)

Cisco FTD Major Relases[1] Cisco FTD Major release table (Cisco, 2018)

Workarounds

There are no workarounds for this vulnerability. However, Cisco has already released updates that address this vulnerability. Versions that include this fix are listed in the ASA Major release table above.

Additional Resouces

Intel AMT

vSOC SPOT Report – Intel AMT Vulnerability

Overview

On Friday, January 12th, 2018 researchers at F-Secure disclosed a vulnerability involving Intel’s Active Management Technology (AMT) firmware. The vulnerability can allow an attacker with physical access for as little as 30 seconds to gain full remote access to the machine.

This bypasses operating system logins, BIOS, TPM, BitLocker and local firewall credentials. Mitigation primarily involves disabling AMT or changing the AMT default credentials, which are different from that of the BIOS and the OS.

Technical Overview

Intel’s Active Management Technology (AMT) is a feature built into Intel processors that use vPro, as well as in machines using processors from their Xeon line. This limits the effect primarily to enterprise-grade workstations and servers.

The vulnerability was discovered in July of 2017 by F-Secure’s Harry Sintonen, however, it was not disclosed until the morning of January 12th, 2018. A timeline of events between discovery and disclosure can be found on his website.

Attackers can access the machine by pressing ctrl-p during the machine’s boot-up sequence to access the boot menu. From there all that’s required is to navigate to and select  “Intel(R) Management Engine BIOS Extension (MEBx)”, select “MEBx” login and type in the default password of “admin”.  Additionally, if USB provisioning has not been disabled it’s also possible to carry out the attack automatically with a properly setup and configured flash drive.

Once MEBx has been entered via the boot menu, the intruder can then change the default password and enable remote access. While ethernet access will be available “right out of the box,” wifi access is not enabled by default. However, this can be easily set with a few changes to the wireless management once ethernet access has been established. Configuring the machine to reach out on it’s own is also possible via Client Initiated Remote Access (CIRA). This means that the system can still be accessed from any network on which the client can send outbound data through the firewall.

Potential Impact

All Intel processors that utilize vPro software or possess an Intel Xeon processor are potentially vulnerable. The exception to this seems to be Asus laptops or those that have been specifically configured to request a BIOS password before allowing access to the AMT MEBx extension.

A list of all vPro systems and manufacturers is available from Intel’s website here: https://msp.intel.com/find-a-vpro-system. Unfortunately, there does not seem to be an equivalent resource for those machines containing Xeon processors.

What You Should Do

Mitigation primarily involves one of two aspects, the first of which being to disable AMT altogether, however, this is not possible in some business contexts depending upon how reliant the organization is on AMT facilitated services.

The second method of mitigation is to go in and manually set a password for AMT. This provides some measure of protection, however, it can still be bypassed by performing a CMOS reset. This is generally done by removing and replacing the CMOS battery, or shorting a jumper on the motherboard, which essentially turns the CMOS memory “off and back on again”. Simply turning off the host does not affect the CMOS.

This is still recommended if AMT cannot be disabled as it significantly increases the amount of time and difficulty for an attacker to successfully carry out the attack, reducing the likelihood of a successful compromise happening unnoticed in a public place, such as through the proverbial “evil maid” attack.

It’s also worth noting that some vulnerability and system management tools also often collect data and statistics such as hardware information. This could be useful for identifying how many and which machines may be vulnerable to the attack.

GuidePoint’s vSOC will provide additional information as it is made public to help protect our clients.

Supporting Information

vSOC SPOT Report – Spectre and Meltdown

Overview

On January 1st, 2018 Intel disclosed a critical alert around a large variety of Intel CPUs that allows an attacker to read memory belonging to other processes. Further details from Google Project Zero, Cyberus Technology private researcher Paul Kocher, and various universities surfaced January 3, including white papers. The vulnerabilities are named Spectre and Meltdown. Numerous other names also circulated in the press and on social media, including Meldown [sic], KAISER, KPTI, and FUCKWIT [sic].

Spectre has been assigned CVEs CVE-2017-5753 and CVE-2017-5715. Meltdown has been assigned CVE CVE-2017-5754. Some elements of Spectre, at least for the moment, cannot be mitigated in software.

The flaws affect Intel CPUs produced after the original Pentium (P5 architecture), with the exception of Itanium and pre-2013 Atom CPUs, on all operating systems that run on the x86 and x86-64 architecture, including but not limited to Microsoft Windows, Linux, Mac OS X, and embedded systems using Intel CPUs.

AMD states its CPUs are immune to Meltdown but some researchers report Spectre works on AMD CPUs. AMD CPUs achieved a degree of acceptance in the 2005-2010 timeframe in enterprises but are much less common in enterprise environments than Intel.

Additionally, ARM has stated its high-end Cortex CPUs are vulnerable to Spectre. Apple uses ARM-based CPUs in its iPhone and iPad products but has not released a statement regarding their vulnerability or immunity to this flaw. Devices based on Google Android and Chrome OS also use ARM. Google has released patches but in some cases the patch has to be released by the device manufacturer and/or the carrier.

Linux vendor Red Hat states a the Spectre condition exists in IBM System Z, Power 8, and Power 9 CPUs.

This vulnerability was privately disclosed to Intel and operating system vendors, but security researchers working independently have developed proof of concept code. In a statement released on January 3, Intel stated it is working with AMD and ARM, as well as with major operating system vendors, on fixes.

Microsoft released emergency patches for supported versions of Windows on January 3, and is patching Azure on an accelerated schedule. Microsoft has not stated if end-of-life systems such as Windows Vista, Windows XP, and Windows Server 2003 will be included. Apple included fixes in macOS 10.13.2, and plans more fixes in macOS 10.13.3 by the end of the month. Google addressed the issue on Android and Chrome OS in its January 2018 security patch.

Patches for Linux are in work. Amazon has released patches for Amazon Linux. Customers can roll the patch to existing AMIs; new AMIs automatically have the patch in place. Red Hat has released patches for some versions of Red Hat Enterprise Linux, with patches for the other supported versions in work. Intel’s initial recommendation regarding Linux was incomplete.

Security researcher Erik Bosman released proof of concept code on Twitter on January 3. The original researchers will release their proof of concept code after security patches are released, including code that demonstrates stealing passwords.

Technical Overview

KPTI (Kernel Page Table Isolation) is a technique to isolate kernel code from userspace, so that the code is accessible, but only indirectly. It is a key security feature in modern CPUs and operating systems. Userspace is able to make calls to the kernel even though it does not know where it exists in memory. KAISER refers to a flaw that permits an attacker to defeat these measures and jump from CPU ring 3 (where user applications run) to ring 0 (where the kernel runs).

The exploit works by taking advantage of speculative execution. When faced with a branch in program flow, modern Intel CPUs will execute both possibilities, so it has the results ready ahead of time, and simply discard the result it didn’t need. Under some conditions, such speculative code runs with fewer security measures than normal code. The exploits take advantage of this unusual condition to bypass the CPU’s normal security measures. There are three conditions under which this can occur, not all of which are present in all affected CPUs.

Early reports had suggested this was a way to overwrite code. Intel has stated it only makes it possible for a process to read memory belonging to a different process.

Potential Impact

This vulnerability can be potentially exploited to defeat ASLR and KPTI on affected systems and read memory contents belonging to other processes running on the machine. At this point, the most useful scenario for an attacker would be to use it to steal passwords, credit card numbers, or other sensitive but succinct data from memory. On desktops and laptops, it can be exploited remotely via JavaScript residing on a web page. It could also be used in cloud environments to cross over into other virtual machines and steal data belonging to other customers.

The patches for this flaw may prove to be unpopular due to early reports stating to expect performance hits ranging from 5-30 percent. Reports from the field indicate 20% is a more common worst-case scenario on database and web servers. On desktops, the performance impact generally is minimal.

What Should You Do

Having a complete inventory of IT systems is critical for addressing vulnerabilities such as this one, including hardware make and model, CPU architecture, and operating system.

Scan your network for CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754. Apply any applicable patches. Keep in mind some fixes will not be available until later in the month. If your vulnerability management solution permits, scan your Mobile Device Management platform to ensure you are running post-January 2018 versions of Android. Workstations and virtual machines in cloud environments, which have the greatest exposure to the outside world, should have the highest priority when deploying patches. Servers running on virtual infrastructure under your control will be harder to exploit.

There are some caveats to patching Windows for this vulnerability. A Microsoft article on compatibility issues between this patch and certain third-party antivirus solutions is included in the Supporting Information section at the end of this document. GuidePoint recommends you confirm with your antivirus vendor that its solution is compatible with Microsoft’s update for Spectre and Meltdown. As GuidePoint learns more regarding antivirus compatibility or lack thereof, we will post updates on our blog at https://www.guidepointsecurity.com/blog/.

Furthermore, under some conditions, the update for Windows 10 can throw a false error message stating that it failed when it succeeded. Follow up patching efforts with scanning from your vulnerability management solution to validate that patches actually did apply and are no longer vulnerable.

Slowdowns, although initially overstated, still have the potential to occur. The effect on workstations will be minimal. Servers that perform heavy I/O, such as web servers and databases, will incur more significant performance hits. GuidePoint recommends testing any applicable patches for performance impact before upgrading web farms. Be prepared to update software such as Apache that may need revisions to work around performance issues introduced by these security updates.

GuidePoint also recommends you advise your employees to update their personal computers and devices, with the caveat that your IT department is not responsible for providing support. Microsoft provides free support for home users of Windows who experience difficulty related to applying security patches.

References