Shellshock – WSWiR Episode 123

Serious Bash Flaw affects *nix, Mac OS X, and IoT

Normally, my weekly video covers a number of important information and network security stories, in order to keep you informed of the latest threats. However, this week one story is so important I give it the primary focus.

Today’s show covers the critical “Shellshock” vulnerability in Bash. If you use Unix, Linux, or Mac systems, or any other embedded device that might run Linux, you’ll want to watch this episode to learn how this flaw affects you. Click play for more details.

Oh, and don’t forget WatchGuard appliances aren’t affected, and our IPS can protect you. Enjoy your weekend!

(Episode Runtime: 9:23)

Direct YouTube Link: https://www.youtube.com/watch?v=f6X5-bxj-Mw

Episode References:

• US-CERT alert on Bash flaw – US-CERT
• WatchGuard post on Shellshock – WGSC
• Everything you wanted to know about Shellshock – Troy Hunt
• Great proof of concept example, including exploiting Apache server – Oleass blog
• Shellshock DHPC server PoC – TrustedSec

Extras:

I’m skipping the extra stories this week so you focus on taking care of the Bash flaw.

— Corey Nachreiner, CISSP (@SecAdept)

Bash or “Shellshock” vulnerability

Summary
News is breaking about a major new high severity vulnerability, CVE-2014-6271, with widespread impact. Gnu Bourne again shell (Bash) is a UNIX like command shell that is included in most distributions of Linux and also Apple OS X. The vulnerability allows an attacker to create environment variables that include malicious code before the system calls the Bash shell. The nature of the exposure can vary depending on how Bash is used, but it can lead to arbitrary command execution on affected systems. There are reports that is has already been exploited in the wild.

Are WatchGuard products affected?
All Firebox and XTM models are not affected. The Fireware operating system is hardened to remove any unnecessary features, and does not include a Bash shell. WatchGuard Wireless Access Points, SSL 100 and 560, XCS, and  QMS also do not include or install Bash. They are not vulnerable.

The Linux distribution included in WatchGuard Dimension includes bash, but the exposure to this vulnerability is low since Dimension does not use AcceptEnv or CGI. Nevertheless Dimension automatically downloads security updates for its Linux components. Just make sure that you don’t have any upstream firewall that blocks access to security.ubuntu.com and archive.ubuntu.com.

Solution Path
Download and deploy patches from your vendors immediately.

For WatchGuard Users
The WatchGuard IPS signature team has developed and released a signature to identify exploits of the Bash vulnerability. It is included in signature set 4.454. If your Firebox and XTM appliances are configured to receive automatic updates, you will get the new signature.

We’ll keep this post updated as more news is available.

References:

Security Blog – Redhat
Concerns over Bash vulnerability grow – Ars Technica

Printer Doom Hack – WSWiR Episode 122

Apple Patches, Kindle XSS, and Doom Printer Hack

If you want to stay current with the Internet “threatscape,” our weekly video can help. It summarizes each week’s top information and network security news in one convenient place. Subscribe today!

Today’s episode covers, Apple and Adobe security updates, a cross-site scripting flaw that affects Kindle users, and an interesting printer hack that allowed an attacker to run doom on a printer. Watch the video for details and see the Reference section below for more info.

Enjoy your weekend!

(Episode Runtime: 5:39

Direct YouTube Link: https://www.youtube.com/watch?v=aZ7-LdlMYHc

Episode References:

• Software Updates:
  • Lots of Apple security updates in September– Apple Security Page
  • Adobe releases Reader update to fix eight flaw – ZDNet
  • Microsoft pulls the Lync update – ZDNet
• XSS flaw in Kindle Library can compromise your Amazon account – F17.de
• Hacker’s run Doom on Canon Pixma printers – Ars Technica
  • Blog post about Doom printer hack – Contextis

Extras:

• FBI targeting Tor users and hacking suspects – The Register
• Home Depot numbers are in; 56m credit cards – The Guardian
• A couple of Android pick-pocketing Russian hackers arrested – IB-Group blog
• Next version of Android will encrypt your data by default – Business Insider
• More malicious advertising via Zido and Google’s Ads – PC World
• CryptoWall hits Australia hard (XTM GAV can catch it) – PC Advisor
• Recently phishing campaigns using Apple hype as a lure –  ZDNet
• Latest U.S government report blames China for more hacking – Phys.org
• “Bitcoin Jesus” offers bounties for Bitcoin hackers – Wired
• NATO says we all face a high “cyber threat” level for the next decade – Computer Weekly
• Some iPhone eBay listings contain XSS attacks –  Tamebay
• Hacker breached Goodwill for 18 months – Computer World
• Audible security flaw lets pirates steal audiobooks – Gizmodo
• One researcher says Home Depot malware was different than BlackPoS/Backoff – SC Magazine

— Corey Nachreiner, CISSP (@SecAdept)

Old Gmail Leak – WSWiR Episode 121

Patch Day, Home Depot Update, and Gmail Leak

Why go searching for all the week’s information security (infosec) news when you can find it in one convenient place. This weekly vlog summarizes the important security updates, hacks, and threats so you can protect yourself.

This week’s episode arrives a bit late due to my business travel in Europe. Today’s show covers the week’s Microsoft and Adobe patches, the latest news on the Home Depot breach, and a story about a potentially new (but likely old) Gmail credential leak. Watch the video for the details, and check the references below for more info and some extra stories.

I will be continuing my business travel next week as well. So my weekly post may arrive earlier or later than normal. Have a great day!

(Episode Runtime: 4:53)

Direct YouTube Link: https://www.youtube.com/watch?v=I1GZpvQV6dQ

Episode References:

• Software Updates:
  • Microsoft September Patch Day summary post – WGSC
  • Microsoft September IE alert – WGSC
  • Lync and .NET DoS vulnerabilities – WGSC
  • Windows elevation of privilege flaw update – WGSC
  • Adobe patches 12 Flash vulnerabilities – WGSC
• Home Depot update; 70M credits cards stolen – UberGizmo
• Five million gmail accounts hijacked (15M with others) – Neowin
• Check if your gmail account is leaked – Isleaked
  • Note: many recommend you don’t share your email with 3rd parties.

Extras:

• Ransomware still thrives despite recents take downs – Ars Technica
• SandroRAT masquarades as Android antivirus program – International Business Times
• F-Secure finds 25 new threats targeting Macs – v3.co.uk
• Apple promises new breach notifications for iCloud attacks – Tech Week
• Goodwill credit card breach affects almost 1M cards – Forbes
• New trojan (Dyreze) targets SalesForce users – Beta News
  • SalesForce warns about new trojan – SalesForce
• Targeted spear phishing campaign in UK installs Peter Pan malware – Belfast Telegraph
• Hacker claims to have hacked and doxed Bitcoin creator; Now extorting – Vice
• Heathcare.gov hacked. DDoS malware uploaded to CMS – Computer World
• Malware found on Twitch tries to steal Steam credentials – Redorbit

— Corey Nachreiner, CISSP (@SecAdept)

Adobe Patches Flash but Delays Reader Update

Summary:

• This vulnerability affects: Adobe Flash Player running on all platforms and Adobe Air
• How an attacker exploits it: By enticing users to visit a website containing malicious Flash content
• Impact: In the worst case, an attacker can execute code on the user’s computer, potentially gaining control of it
• What to do: Download and install the latest version of Adobe Flash Player for your platform

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

In a security bulletin released this week during Patch Day, Adobe released an update that fixes a dozen security vulnerabilities affecting Flash Player running on any platform. The bulletin doesn’t describe the flaws in much technical detail, but does say most of them consist of various types of memory corruption flaws. If an attacker can entice one of your users to visit a malicious website containing specially crafted Flash content, he could exploit many of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PCs.

Though attackers aren’t exploiting these flaws in the wild yet, Adobe rates them as a “Priority 1” issues for Windows, Mac, and Linux users, and recommends you apply the updates within 72 hours. These vulnerabilities also affect other platforms as well, though not as severely. I recommend you update any Flash capable device as soon as you can.

As an aside, though Adobe promised a Reader update this month, they seem to have delayed it for some reason. You may want to keep an eye on Adobe’s Security page for more updates.

Solution Path

Adobe has released new versions of Flash Player to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

You can download Flash for your computer at the link provided below. See the bulletin’s “Affected Software” section for more details on getting Flash updates for other platforms:

Keep in mind, if you use Google Chrome or Internet Explorer 10 or 11 you’ll have to update it separately.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash content. Keep in mind, doing so blocks all Flash content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension, MIME type, or by using very specific hexidecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify various Flash files:

File Extension:

• .flv –  Adobe Flash file (file typically used on websites)
• .fla – Flash movie file
• .f4v – Flash video file
• .f4p – Protected Flash video file
• .f4a – Flash audio file
• .f4b – Flash audiobook file

MIME types:

• video/x-flv
• video/mp4 (used for more than just Flash)
• audio/mp4 (used for more than just Flash)

FILExt.com reported Magic Byte Pattern:

• Hex FLV: 46 4C 56 01
• ASCII FLV: FLV
• Hex FLA:  D0 CF 11 E0 A1 B1 1A E1 00

(Keep in mind, not all the Hex and ASCII patterns shared here are appropriate for content blocking. If the pattern is too short, or not unique enough, blocking with them could result in many false positives) 

If you decide you want to block Flash files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.

• XTM Appliance with WSM 11.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP Proxy?

• Firebox X Edge running 10.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP proxy

• Firebox X Core and X Peak running Fireware 10.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP proxy?

Status:

Adobe has released updates to fix these Flash vulnerabilities.

References:

• September 2014 Adobe Flash Security Bulletin

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Windows 8.x and Server 2012 Suffer From Local EoP Vulnerability

Severity: Medium

Summary:

• These vulnerabilities affect: Windows 8.x, Server 2012, and RT
• How an attacker exploits it: By running a specially crafted application
• Impact: A local low privileged attacker can gain SYSTEM privileges on your Windows computers
• What to do: Deploy the appropriate update at your convenience, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released as part of Patch Day, Microsoft described an Elevation of Privilege (EoP) vulnerability that affects the latest versions of Windows—specifically, Windows 8.x, Server 2012, and RT.

The flaw lies in the Windows Task Scheduler, a service that allows you to automate the execution of tasks at certain times. Microsoft doesn’t describe the vulnerability in much detail, only saying the Task Scheduler does not properly check the integrity of tasks. By running a specially crafted application, an underprivileged local attacker could take advantage of this to execute programs with full SYSTEM privileges. Of course, the local attacker would have to log into a vulnerable system using valid credentials, which significantly lower the impact of this flaw.

Solution Path:

You should download, test, and deploy the appropriate Windows update immediately, or let Windows Automatic Update do it for you. You can find links to the updates in the “Affected and Non-Affected Software” section of Microsoft’s Windows security bulletin.

For All WatchGuard Users:

This is a local vulnerability. We recommend you install Microsoft’s updated to completely protect yourself from this flaw.

Status:

Microsoft has released patches to fix this vulnerability.

References:

• MS Security Bulletin MS14-054

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Microsoft Corrects Lync Server and .NET Framework DoS Flaws

Severity: Medium

Summary:

• These vulnerabilities affect: Lync Server and .NET Framework
• How an attacker exploits them: Various, including by sending maliciously crafted packets or launching specially crafted calls
• Impact: An attacker could slow down or disrupt connections to the server, or stop it from responding at all.
• What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released two security bulletins that fix a pair of Denial of Service (DoS) vulnerabilities in two of their products; Lync Server and the .NET Framework. If you used either of these products, you should update them as soon as you can. We summarize the two DoS bulletins below:

• MS13-053: .NET Framework DoS Vulnerability

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers. It suffers from a DoS vulnerability involving the way it handles communications that are hashed. In short, if a remote attacker sends a small amount of specially crafted packets to a server that uses .NET Framework ASP applications, he can cause the server to slow down, and eventually stop responding. If you have any public servers or web applications that use .NET, you should download and install the update as soon as possible.

Microsoft rating: Important

• MS13-055: Lync DoS Vulnerability

 Lync is a unified communications tool that combines voice, IM, audio, video, and web-based communication into one interface. It’s essentially the replacement for Microsoft Communicator. It suffers from three vulnerabilities, including a DoS flaw involving the way it handles specially crafted calls. By sending a malicious call to your Lync server, a remote attacker can exploit the DoS flaw to cause the Lync Server to stop responding. If you rely on Lync for communications, you should patch your servers as soon as you can.

Microsoft rating: Important

Solution Path:

Microsoft has released patches that correct both these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

• MS13-053
• MS13-055

For All WatchGuard Users:

Though you can use your XTM appliance to block the ports necessary for Lync, or use application control to restrict it, this would prevent you from using it externally at all. Right now, Microsoft’s patch are your best solution to these issues.

Status:

Microsoft has released patches correcting these issues.

References:

• Microsoft Security Bulletin MS13-053
• Microsoft Security Bulletin MS13-055

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

---

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Mega IE Update Corrects 37 Vulnerabilities; Including Zero Day

Summary:

• These vulnerabilities affect: All current versions of Internet Explorer
• How an attacker exploits it: By enticing one of your users to visit a web page containing malicious content
• Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
• What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released as part of Patch Day, Microsoft posted an update that fixes a 37 new vulnerabilities in all current versions of Internet Explorer (IE). Microsoft rates the aggregate severity of these new flaws as Critical.

All but one of the vulnerabilities described in this alert are memory corruption vulnerabilities, which share the same general scope and impact. If an attacker can lure you to a web page containing malicious web code, he can exploit these flaws to execute code on your computer, inheriting your privileges. If you have local administrative privileges, which most Windows users do, the attack could potentially gain full control of your computer.

These types of memory corruption vulnerabilities are ideal for attackers launching drive-by download attacks—a class of attack where malicious code hidden on a web page can silently install malware on your computer. Today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and cross-site scripting (XSS) attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way. In fact, one of today’s fixes closes a zero day vulnerability that attackers have exploited in the wild. I highly recommend you install this update immediately

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s April IE security bulletin.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block some of the memory corruption vulnerabilities described in Microsoft’s alert:

• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4095)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4094)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability -1 (CVE-2014-4092)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability -2 (CVE-2014-4092)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4089)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4082)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4081)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4086)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4087)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4088)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4084)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4065)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4080)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2799)

Your XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

• MS Security Bulletin MS14-052

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: Windows, IE, Lync, and .NET Patches

As you may know, today was Microsoft Patch Day. If you manage a Windows-based network, it’s time to get the latest updates.

According to Microsoft’s summary post, the Redmond-based software company released four security bulletins fixing 41 vulnerabilities in many of their popular products. The affected software includes, Windows, Internet Explorer (IE), Lync Server, and the .NET Framework. Microsoft rates the IE update as Critical, and the rest as Important.

As you might guess from the severity ratings, the IE update is the most important. It fixes over 37 security flaws in the popular browser, many of which attackers could use in drive-by download attacks (where just visiting a web site results in malware on your computer). Furthermore, one of the fixes closes a zero day vulnerability that attackers have exploited in the wild. If you use IE, I recommend you apply its update as quickly as your can. You should also install the other updates as well, however, their mitigating factors lessen their risk, so you can install them at your convenience.

In summary, if you use any of the affected products, download, test, and deploy these updates as quickly as you can or let Windows’ Automatic Update do it for you. For the server related updates, I highly recommend you test them before installing them on production servers, as Microsoft has released a few problem causing updates recently. You can find more information about these bulletins and updates in Microsoft’s September Summary advisory.

Also note today is Adobe’s Patch Day as well, and they released one security update fixing 12 vulnerabilities in Flash Player. If you use Flash, you should update it quickly. Adobe also pre-announced a Reader update earlier this month. However, it appears they have had to delay the update for some reason.

I’ll share more details about today’s patches on the blog throughout the day. However, I am traveling internationally, so the updates may not arrive as regularly as usual. If you are in a hurry to patch, I recommend you visit the links above, and start now.  — Corey Nachreiner, CISSP (@SecAdept).

Celeb Selfie Hack – WSWiR Episode 120

Software Patches, Home Depot Breach, and Celebrity Selfie Hack

If you need a quick source for all your information security (infosec) news, you’ve come to the right place. I summarize the most important infosec news in this weekly video, and provide links to other security stories as well.

Unfortunately, today’s episode includes a pretty creepy hack. The show covers next week’s upcoming software patches, another credit card leak that seems to come from Home Depot, and a gross story about hackers stealing hundreds of celebrities’ most private pictures. Find the details in the video below and see what you can learn from these unfortunate cyber attacks.

As always, check the Reference section if you are interested in other stories that I didn’t cover in the video. Also, I will be traveling the next few weeks, which means I may not be able to post this video as regularly as usual. Expect the video to turn up at irregular times, otherwise I may post a written version of the weekly summary instead. Have a great weekend, and stay safe online!

(Episode Runtime: 13:17)

Direct YouTube Link: https://www.youtube.com/watch?v=-mRjltM-tc0&

Episode References:

• Software Updates:
  • Latest Firefox update fixes vulns and supports public-key pinning – Threatpost
  • Microsoft pre-announces next week’s Patch Day – Microsoft
  • Adobe to release critical Reader update next Tuesday – Computer World
• Home Depot suffers major credit card data breach – Krebs on Security
  • All Home Depot stores likely affected – Krebs on Security
• Celebrity Photo Hacking:
  • iCloud hacked to steal private celebrity pictures – The Telegraph
  • Researcher’s iBrute iCloud brute force tool – GitHub
  • Law enforcement use the same tool as iCloud hackers – The Next Web
  • How to set up Apple’s two factor authentication – Mac World
  • How to bypass Apple two-factor authentication – Gizmodo
  • Dan Kaminsky’s fantastically expressed thoughts on the celeb hacking – Dan Kaminsky Blog
  • Well documented notes on how the hack happened – Nikcub
  • Apple’s latest response to fix problems – Tech Radar

Extras:

• Latest on the LizardSquad Drama – The Register
• Mysterious lorem ipsum Google Translate hack? – Krebs on Security
• What’s the best Mac AV software? – PC Magazine
• Twitter introduces a bug bounty program for vulnerabilities – Hackerone.com
• Angler exploit kit now capable of fileless infection – MDNC Blog
• XSS and CSRF vulnerabilities plague some WordPress plugins – ThreatPost
• CERT shares which Android apps don’t use SSL correctly – Google Docs
• Vulnerability disclosures trending up, but Microsoft ones down – Microsoft
• Akamai warns of Linux iptables infections used for DDoS – Help Net Security
• Semalt botnet practices Blackhat SEO – Help Net Security
• Researchers find more problems with WiFi WPS (Don’t use it) – Naked Security
• Cyber attacks on hospitals are rising – MIT Technology Review
• 90% of healthcare cloud services are risky – Forbes
• NATO adopts new cyber defense policy; all for one – Computer Weekly
• Namecheap hosts says Cybervor is hijacking user accounts – The Register
• HP research highlights North Korea’s Cyber attack capability [PDF] – HP
• Hackers use VirusTotal too  – Wired
• Research paper on hackers using VirusTotal – Google Docs
• A new piece of Mac malware converted from Windows threat – FireEye
• Botnet sat on HealthCare.gov server for over a month – PC World

— Corey Nachreiner, CISSP (@SecAdept)