
Wednesday, July 31, 2019

ZombieLoad Vulnerability: SPARC Solaris Immune

[ ZombieLoad Logo, courtesy ZombieLoadAttack.com ]


Abstract:

Computing platforms have long had issues with malware, dating back to the MS-DOS days. Windows systems have been targeted, due to their ubiquity as well as the ability to install software into the system with no user interaction using pre-bundled keys. For the most part, UNIX systems have been immune to most malware. A new classification of malware has become apparent, using CPU vulnerabilities, normally related to the Intel processor (leaving SPARC processors immune). The latest vulnerability is ZombieLoad, affecting Intel processors and non-UNIX platforms such as Linux and Windows.

What is ZombieLoad?

A new family of vulnerabilities in the Intel processor became apparent in mid-May 2019. As an aggregate, they are referred to as "Microarchitectural Data Sampling" or MDS vulnerabilities. ZombieLoad is one of these vulnerabilities. Oracle provided a nice list of CVEs with summary details: CVE-2019-11091, CVE-2018-12126, CVE-2018-12130, and CVE-2018-12127.
  • CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
  • CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
  • CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS)
  • CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS)


How does it affect SPARC Solaris?

If you look back at the Oracle-provided CVE list above, you will notice the following two lines:

Oracle Hardware

• Oracle has determined that Oracle SPARC servers are not affected by these MDS vulnerabilities.

Oracle Operating Systems (… Solaris) and Virtualization:

• Oracle has determined that Oracle Solaris on SPARC is not affected by these MDS vulnerabilities.

Conclusions:

If you are fortunate enough to be running SPARC Solaris, you are immune again. If you are not on SPARC Solaris, but on a less secure Intel-based Windows or Linux platform, you will need to apply your operating system vendor's patch for the CPU microarchitecture issue and probably reboot. Let's hope you are not having to roll your own fix.
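For readers on the Linux side of that conclusion, the kernel itself reports whether the MDS mitigation is in place. The script below is an added example, not part of the original post: it interprets the status line that Linux kernels carrying the MDS patches expose in /sys/devices/system/cpu/vulnerabilities/mds, and reads the live file when it exists. The sample status strings in the comments are constructed for the demonstration, and the verdict words (immune, mitigated, needs-microcode, vulnerable) are this script's own labels rather than kernel vocabulary.

```shell
#!/bin/sh
# Added example (not from the original post): interpret the Linux kernel's
# MDS report from /sys/devices/system/cpu/vulnerabilities/mds.
# Kernels carrying the MDS patches print a single line such as (constructed
# samples, in the shape the kernel uses):
#   Not affected
#   Vulnerable
#   Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
#   Mitigation: Clear CPU buffers; SMT vulnerable
#   Mitigation: Clear CPU buffers; SMT disabled
# The verdict words below are this script's own, not kernel vocabulary.

# mds_verdict STATUS_LINE -> prints one verdict word.
# Order matters: "Mitigation:" and the "no microcode" case must be tested
# before the generic catch-all, which treats anything else as vulnerable.
mds_verdict() {
    case "$1" in
        "Not affected"*)                 echo immune ;;
        "Mitigation:"*)                  echo mitigated ;;
        "Vulnerable:"*"no microcode"*)   echo needs-microcode ;;
        *)                               echo vulnerable ;;
    esac
}

# mds_smt_state STATUS_LINE -> prints the SMT suffix the kernel appends
# ("vulnerable", "disabled", "Host state unknown") or "n/a" when absent.
# Hyperthreading left on with MDS unmitigated is the case worth flagging.
mds_smt_state() {
    case "$1" in
        *"; SMT "*) echo "${1##*; SMT }" ;;
        *)          echo n/a ;;
    esac
}

# mds_ok STATUS_LINE -> exit 0 when no action is needed, 1 otherwise,
# so a patch-management job can branch on the result.
mds_ok() {
    case "$(mds_verdict "$1")" in
        immune|mitigated) return 0 ;;
        *)                return 1 ;;
    esac
}

# check_host: read the live sysfs file (Linux only). On hosts without it
# (Solaris, Windows, older kernels) the answer is "unknown", which a
# fleet report should treat as "go and look", not as "fine".
check_host() {
    f=/sys/devices/system/cpu/vulnerabilities/mds
    if [ -r "$f" ]; then
        status=$(cat "$f")
        echo "mds=$(mds_verdict "$status") smt=$(mds_smt_state "$status")"
    else
        echo unknown
    fi
}

check_host
```

Run it after applying the vendor's microcode and kernel update and rebooting; "mitigated" with "smt=disabled" is the strongest state, while "needs-microcode" means the kernel has the fix but the CPU firmware update has not been applied, which is exactly the reboot-and-microcode step the conclusion above refers to.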

Sunday, March 8, 2015

Security: SuperFish and HeartBleed Vulnerabilities

Some Nice Security Testers...

There has been a lot of security discussion lately regarding SSL. Both the Superfish corporation and the HeartBleed vulnerability have been in the cross-hairs.

[Dead Fish on Beach, courtesy Wikipedia]

Detecting a SuperFish Issue...

While SuperFish is not strictly a vulnerability, its poor security policy can allow SSL security to be bypassed.

Filippo.IO was kind enough to assemble a SuperFish vulnerability tester - go and test your PC here!

Detect a Bleeding Heart...

If you have a web site you commonly use, Filippo.IO also offers a HeartBleed vulnerability tester.

Tuesday, January 15, 2013

DefenseCode: Linksys 0 Day Vulnerability

Security professionals DefenseCode identified a security vulnerability in Linksys router software which allows people to achieve privileged command line access without authentication. There is no known patch, at this point, to thwart the exploit.

Who's Talking:

The exploit has been reported in tech/science news like The Register, Slashdot and Net-Security.
It appears the exploit.

A Register user quotes DefenseCode CEO Leon Juranic regarding internet vulnerability:

We're still investigating some tricks to exploit this vulnerability from the internet, but for now, yes - it seems safe from the outside of the network. Of course, unless services are available from the internet.

Cisco has responded to The Register:

"Linksys takes the security of our products and customers’ home networks very seriously. Although we can confirm contact with DefenseCode, we have no new vulnerability information to share with customers – for our WRT54GL or other home routers. We will continue to review new information that comes to light and will provide customer updates as appropriate."

Cisco has responded, according to Net-Security:

After the researchers posted their findings online, Cisco finally got in touch again. They are expected to release a fix in time for the full advisory, which should see the light of day in about 10 days.

There is a vulnerability, a patch is coming, and everyone knows about it.

Implications: If you are a Network Operations Center, keep an eye out for the patches coming from Cisco/Linksys and get ready for a large automated patch rollout. If you do not have a Network Management service with a vendor, you should consider such a service for times such as these.


Friday, April 13, 2012

Zero-Day Exploit: WICD under Linux

This has been a bad week for computing systems.

  • Oracle Java exploit under Apple MacOSX, open and shut case.
  • Microsoft Zero-Day Exploit in nearly all applications, still somewhat open.
  • Adobe Acrobat Reader (Windows, MacOSX and Linux), open and shut case.
  • Now a Linux security issue, open and shut case.

WICD Linux Exploit

As published in the patch description:

Backtrack 5 R2 (the latest version) allowed the student to overwrite settings to gain a root shell. The flaw was found in wicd (the Wireless Interface Connection Daemon).

What is WICD?

A network connection manager that aims to simplify wired and wireless networking in Linux.

If you are a wireless Linux user of WICD, get your patch.


Wednesday, April 11, 2012

Windows: Security Issues Again

Zero-Day Flaw in Windows Apps Since Early 2000's

Zero-Day Exploit:

A Zero-Day Exploit means that as soon as you turn on or install the software, you are vulnerable. Most PCs ship with bundled applications like MS Office, right out of the factory. Microsoft posted a security bulletin in April regarding some vulnerabilities.

Exploit Description:

The Register writes:

One of the four critical patches in the batch – MS12-027 – addresses an Active X issue that impacts numerous applications and creates a mechanism to drop malware onto vulnerable Windows systems.

Microsoft warned of attacks in the wild against the zero-day flaw, which affects an unusually wide range of Microsoft products and Microsoft users. Applications affected include Office 2003 through 2010 on Windows; SQL Server 2000 through 2008 R2; BizTalk Server 2002; Commerce Server 2002 through 2009 R2; Visual FoxPro 8; and Visual Basic 6 Runtime.

And quotes:

"Attackers have been embedding the exploit for the underlying vulnerability CVE-2012-0158 into an RTF document and enticing the target into opening the file, most commonly by attaching it to an email," Wolfgang Kandek, CTO at security services firm Qualys, explains. "Another possible vector is through web browsing..."

Scope:

Basically, if you have an MS Windows platform with any Microsoft application (e.g. Works, Office, Internet Explorer, etc.) - you are vulnerable... and Microsoft is warning users that attacks will begin to surge in the next 30 days, while people have not yet patched their systems.

This thing has been around a decade: a facility provided by the OS, and embedded into applications on nearly every Windows-based server and/or desktop on the internet. A patch is available now, but another issue recently uncovered will not be fixed until next month.

By the way, if you are a Windows, Apple, or Linux user - Adobe Acrobat Reader needs some patching, too.

If you are a Solaris client user, your system should be fine.

Nightmare Scenario:

We discussed several days back an Apple vulnerability due to a third-party Java exploit. This one is due to a competing Microsoft technology called "ActiveX".

Welcome to the proverbial nightmare scenario for network managers - every system, everywhere, must be patched immediately, because of OS-based issues with nearly every business and consumer application. Don't delay!


Saturday, April 7, 2012

Inevitable: Apple MacOSX Infected Via Java on Web

Abstract:

Desktop and server systems based upon the Microsoft Windows platform have long been the most vulnerable platforms on the internet, providing the most efficient platform for malware writers to steal computing and network cycles from owners around the world. Various other open platforms (i.e. UNIX-based systems), which serve much of the internet traffic, have long tried to keep from being infected by applying more rigorous security rules at the OS level. Apple, being one such vendor who migrated to a UNIX platform, had been successful in keeping their clients secure - but finally a single Java-based vulnerability has been discovered (and leveraged) to exploit some systems.

Virus Buster:

An anti-virus vendor located in Russia recently published a short research article on a particular threat, which has since been closed by Apple.

Doctor Web—the Russian anti-virus vendor—conducted research to determine the scale of spread of the Trojan BackDoor.Flashback, which infects computers running Mac OS X. The BackDoor.Flashback botnet now encompasses more than 550,000 infected machines, most of which are located in the United States and Canada. This once again refutes claims by some experts that there are no cyber-threats to Mac OS X.

While very uncommon, MacOSX-based Apple Macintosh computers occasionally carry third-party software (i.e. Flash, Java, etc.) which can expose some level of vulnerability on any platform, including MacOS, Windows, UNIX, etc.

The Origin:

The virus research company explains how computers get infected.

According to some sources, links to more than four million compromised web-pages could be found on a Google SERP at the end of March. In addition, some posts on Apple user forums described cases of infection by BackDoor.Flashback.39 when visiting dlink.com.

The Morphing:

Companies started working on a solution, but before Apple released a patch, there was an attempt to diversify the virus, so it might survive once the original vulnerability was closed.

Attackers began to exploit CVE-2011-3544 and CVE-2008-5353 vulnerabilities to spread malware in February 2012, and after March 16 they switched to another exploit (CVE-2012-0507).

Security, At Last:

While this vulnerability has been "in the wild" on the internet for a while, this particular virus was exterminated.

The vulnerability has been closed by Apple only on April 3, 2012.

Protecting Yourself:

This particular threat is not unique to Apple, but affects other systems like Windows as well. Apple released a security patch to close this vulnerability - you would be well advised to regularly download updates from Apple to apply these patches whenever possible.

A general rule of thumb: STAY AWAY FROM IMMORAL (i.e. pornography) AND ILLEGAL (i.e. copyrighted material like music, videos, software, etc.) DOWNLOADS - NEVER VIEW OR DOWNLOAD SOFTWARE OFF OF THE INTERNET UNLESS IT IS A WELL-KNOWN SITE - NO MATTER WHAT COMPUTER YOU ARE ON... these sites notoriously try to download viruses to your computer!


Tuesday, September 8, 2009

IBM: Sun Best in OS Vulnerabilities Reporting and Patching - 2009-1H

I know what you are thinking: IBM thinks Sun outperformed the rest of the market in regard to OS security?

Apparently, in the first half of 2009, IBM commends Sun for security above all other competitors, even their own coders and product partners!

Sun is the best at sharing information about its operating system's vulnerabilities and patching them, reports IBM's "X-Force 2009 Mid-Year Trend and Risk Report." This analysis of various online threats and vulnerabilities examined statistics for the first half of 2009.

By what metrics did IBM measure?

Solaris had only 26 percent of the total number of OS vulnerabilities... Microsoft had the most ... with 39 percent of the total.

But this was not the only metric...

Sun's patch rate also was deemed impressive with only four percent left unpatched. "For the vast number of disclosures Sun makes, they have an impressive patch rate (only four percent left unpatched)"... The average patch rate within the industry is 49 percent. Sun's four percent rate tops Apple's 18 percent and Microsoft's 17 percent.

This is fairly eye-opening to the industry - Sun is clearly better at controlling its own destiny with Solaris than the competitors.


Microsoft IIS Vulnerabilities Across Releases

New IIS attacks (greatly) expand number of vulnerable servers

The Register published a short article of concern for those of us in the Network Management industry, where we run customer- or internet-facing platforms for report delivery.

Microsoft continues to say that IIS5 running on Windows 2000 appears to be the only version that is vulnerable to attacks that can remotely execute malicious code on an underlying server. But it's now clear that hackers can target every version of IIS to cause denial-of-service attacks.

If you have a current or legacy IIS server, this may place your installation at risk. This is a piece of old code, meaning that historical code that you have not touched for a while will be at risk. The risk centers around the industry-standard FTP protocol, one of the backbone protocols of the internet.

If Microsoft is not releasing patches for your old release of IIS, it is time to think about replacing that old portal.


Wednesday, September 2, 2009

Microsoft rejects call to fix SQL password-exposure risk

Abstract

Most serious Managed Services Element Management Platforms, which depend on external databases, traditionally do not depend on databases such as Microsoft SQL. This article illustrates one of the reasons: security.

The Problem

"Applications go to great lengths to obfuscate passwords when they are needed within the software, and should not store passwords as 'clear text,' either in memory (as is the case with this vulnerability) or on disk," Sentrigo's advisory stated.

Microsoft has rejected the company's calls to change the way the software handles passwords, saying people with administrative rights already have complete control of the system anyway.

The Response

"Microsoft has thoroughly investigated claims of vulnerabilities in SQL Server and found that these are not product vulnerabilities requiring Microsoft to issue a security update," a spokesman wrote in an email. "An attacker who has administrative rights already has complete control of the system and can install programs; view, change, or delete data; or create new accounts with full user rights."

What this means to Network Management

The problem with passwords being stored in the clear is not that an infected system could have its data destroyed, but rather that other systems that work with the infected system could be infected too!

Of course, behaviors like this are rampant with Day-0 exploits, Microsoft SQL worms, Microsoft Windows viruses, etc. Another place for malware to harvest passwords is just another reason not to implement such a system in an area where customer-managed devices are routable.

If a system is storing passwords for thousands of managed systems in the clear, an infection of a central system could be disastrous for the managed customer edge devices.

A developer in a company may have the option to secure passwords or not - but if the developer ever has to meet a PCI audit and the vendor does not offer that option, then the company providing the managed services is placed at tremendous risk.