Year: 2018

The FBI overstated the issue of accessing Smartphones

“A programming error led the FBI to vastly overstate the number of cell phones that investigators could not access because of encryption, officials said Wednesday,” The Associated Press reports.

“Director Chris Wray has repeatedly said in speeches that nearly 7,800 mobile devices seized during investigations couldn’t be opened due to digital encryption in fiscal year 2017,” AP reports. “But officials said they have determined that that number is incorrect and a result of ‘significant over-counting’ from three separate databases that the bureau uses.”

“The officials did not provide a more accurate number, but The Washington Post, which first reported the problem, said the actual tally was probably between 1,000 and 2,000,” AP reports. “The FBI says it’s studying the issue and trying to figure out how to correct its methodology.”


Researchers Say More Spectre-Related CPU Flaws On Horizon

After yet another flaw related to speculative execution side channels was disclosed in processors, security experts say that more may be on the horizon.

Researchers on Monday disclosed Variant 4, a new flaw in the speculative execution side channel category that allows attackers to read privileged data across trust boundaries. Variant 4 is similar to two side channel analysis vulnerabilities, Meltdown and Spectre, that came into the spotlight earlier this year in an array of Intel server and desktop processors.

And that may not be the end. “Everyone thought there would be lots more of these types of vulnerabilities,” Tod Beardsley, principal security research manager of Rapid7, told Threatpost. “I would be shocked if there wasn’t something else out there being discussed under embargo right now.”

Speculative execution has long existed in processors, but researchers say that as the cache on processors grows to keep up with their speed, so too does the risk of exploiting this type of flaw.

“I think people will figure out more ways around this type of vulnerability… it’s a foundational architecture issue,” said Martin Reynolds, VP and Gartner Fellow in an interview with Threatpost. “This is a very broad vulnerability that goes back a long time, but in recent years we’ve seen them grow more vulnerable… The thing that makes it different now is that they’re doing it with such long strings of code now that they’re trying to get in there and send more signals.”

The problem is that, to stay fast and perform well, processors use a trick: they speculatively execute memory reads before the addresses of all prior memory writes are known.

The most common form of speculative execution involves a program’s control flow. Rather than waiting for all branch instructions to resolve before determining which operations to execute, the processor predicts the control flow using a highly sophisticated set of mechanisms.

While this lets processors keep working on other instructions instead of stalling, and so run as fast as possible, it also enables an attacker with local user access to use side-channel analysis to obtain unauthorized disclosure of information.

“So this gap continues to grow, and that’s why in recent years we’ve seen these things grow more vulnerable,” said Reynolds. “Before that, processors didn’t have enough memory, enough speculative execution where you could do anything useful.”

Variant 4, a speculative store bypass method, takes advantage of a performance feature present in many high-performance processors that “allows loads to speculatively execute even if the address of preceding potentially overlapping store is unknown,” according to Intel.

Speculative execution side-channel attacks are difficult, but not impossible, to exploit. Intel, for its part, said that it is not aware of a successful browser exploit for Variant 4. Furthermore, the risks surrounding Variant 4 lend themselves not to mass attacks but to narrow, customized attacks in which someone tailors a specific attack to one system.

“Variant 4 is mostly being discussed in a fairly narrow scope: accessing specific unpatched browser’s private data,” said Rob Tate, researcher at WhiteHat Security. “If an attacker has access to run code on a machine, there are already a number of simpler (and more universal) techniques to try before resorting to this, and it’s far from the wide-reaching implications of the original Spectre.”

Patching Problems

While a speculative execution side channel vulnerability may be hard to exploit, it is also notoriously difficult to patch.

“It’s hard to fix these, especially when it impacts an install base that’s so big,” said Reynolds. “You can fix variants in the OS, as Google and Amazon have done for Spectre, to eliminate the problem, or can change the microcode of the microprocessor itself, but that may make the system slower.”

Spectre and Meltdown also infamously faced messy patching efforts across the industry in the wake of the vulnerability disclosure, after Intel acknowledged that its patches caused “higher than expected reboots and other unpredictable system behavior.” Variant 4 may be on the same path: Intel said on Monday that the fixes for the flaw could also reduce performance by between 2 and 8 percent on certain systems.

Another challenge to patching flaws like Spectre, Meltdown and Variant 4 is the immense amount of coordination required from an array of vendors, said Beardsley. Already, vendors such as Red Hat, AMD, ARM, IBM and Microsoft have come forward discussing their approaches to Variant 4.

Intel, for its part, said that the speculative store bypass method can be mitigated either by modifying the affected software or by having software set a new Speculative Store Bypass Disable MSR bit.

“As speculative store bypass can only occur when a load is able to execute before an older store with an overlapping address computes its address, an LFENCE between that store and the subsequent load is sufficient to prevent this case,” the company said in a white paper about the vulnerability. “Software should be careful to apply this mitigation judiciously to avoid unnecessary performance loss.”
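As an added illustration of the store-then-load pattern described above and of where the white paper places the LFENCE (example code written for this digest, not Intel’s or Threatpost’s; the function names, the lookup table and the non-x86 fallback barrier are assumptions):

```c
#include <stddef.h>
#include <stdint.h>

/* On x86, LFENCE does not complete until all prior instructions have completed,
 * and no later instruction begins execution until it does, so a load placed
 * after it cannot bypass the store placed before it. The non-x86 fallback is a
 * compiler-only barrier so the example still builds elsewhere (assumed for
 * portability; it gives no hardware guarantee). */
#if defined(__x86_64__) || defined(__i386__)
#define SPECULATION_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#else
#define SPECULATION_BARRIER() __asm__ __volatile__("" ::: "memory")
#endif

#define TABLE_LEN 8
/* Constructed lookup table; the values are arbitrary. */
static const uint8_t table[TABLE_LEN] = {10, 11, 12, 13, 14, 15, 16, 17};

/* Vulnerable pattern: 'slot' previously held an untrusted index. It is
 * overwritten with a bounds-checked value and immediately loaded back. If the
 * store's address is not yet resolved when the load issues, the core may
 * speculatively return the stale, attacker-chosen value and use it to index
 * 'table' out of bounds, leaving a cache footprint before the speculation is
 * squashed. 'volatile' keeps the compiler from forwarding 'safe' directly, so
 * the load is really emitted. The architectural result is always correct. */
uint8_t lookup_unfenced(volatile size_t *slot, size_t requested)
{
    size_t safe = (requested < TABLE_LEN) ? requested : 0;
    *slot = safe;        /* store to *slot */
    size_t idx = *slot;  /* load from *slot: may speculatively bypass the store */
    return table[idx];
}

/* Hardened pattern: the LFENCE between the store and the dependent load is the
 * mitigation Intel describes; the load cannot execute until the store's
 * address is known, so the stale value is never observed. */
uint8_t lookup_fenced(volatile size_t *slot, size_t requested)
{
    size_t safe = (requested < TABLE_LEN) ? requested : 0;
    *slot = safe;
    SPECULATION_BARRIER();
    size_t idx = *slot;
    return table[idx];
}

/* Driver: runs both variants from the same stale slot value and reports whether
 * they agree architecturally (they always do; only the speculative window differs). */
int lookup_agrees(size_t stale, size_t requested)
{
    size_t a = stale, b = stale;
    return lookup_unfenced(&a, requested) == lookup_fenced(&b, requested) && a == b;
}
```

Both functions return the same value; the barrier only changes what the core is allowed to execute in the window between the store and the load, which is why the white paper warns to apply it selectively.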

Six Vulnerabilities Found in Dell EMC’s Disaster Recovery System, One Critical

A pen-tester has found six vulnerabilities in Dell EMC RecoverPoint devices, including a critical remote code execution flaw that could allow total system compromise.

EMC RecoverPoint is a disaster recovery tool that backs up local and remote information storage, across data centers and across physical and virtual machines. It replicates the data continuously, in real time, so that if a system is compromised or data is lost (from, say, a ransomware attack or a natural disaster), RecoverPoint allows a company to go back in time and recover an exact image of that data from a specific moment.

Each of the flaws affects all versions of Dell EMC RecoverPoint prior to 5.1.2 and RecoverPoint for Virtual Machines prior to 5.1.1.3. The vendor has so far patched three of the issues, in advisory DSA-2018-095 released Monday (the non-public advisory is available to registered customers via the vendor’s Product Security Response Center). For two more of the vulnerabilities, Dell EMC offers remediation instructions but no specific patch. The remaining flaw, according to the researchers, is an insecure configuration option which they said also constitutes a vulnerability.

The most serious of the vulnerabilities, and one of the patched bugs, is rated critical (CVE-2018-1235, CVSS 9.8). It allows unauthenticated remote code execution with root privileges – which can pretty much hand over the keys to the kingdom to an attacker.

According to Taylor, a bad actor with visibility of a RecoverPoint device on the network (either remotely or locally) can not only gain complete control over the RecoverPoint device itself, but also the underlying Linux operating system. No credentials are needed to carry out the attack. From there, the perpetrators can pivot to wreak more havoc.

“To show the extent of compromise possible, during the engagement, once Foregenix had complete control of the RecoverPoint devices, it was then possible to exploit some of the other zero-day vulnerabilities discovered in order to pivot and gain control of the Microsoft Active Directory network that the RecoverPoints were integrated with,” he said in a disclosure posting. The other zero-days used to pivot included, in particular, the aforementioned insecure configuration option.

Dell EMC and Taylor are providing no further details on the critical-rated flaw for fear attackers could use them as a blueprint to exploit the flaw while companies work to apply the fix.

Another patched vulnerability is a medium-severity administrative menu arbitrary file read flaw (CVE-2018-1242, CVSS 6.7). It allows an attacker with local access to the “boxmgmt” administrative menu to read files from the file system, the vendor said. Interestingly, this same system was patched for a different vulnerability back in February, for a privilege escalation issue that could allow a local attacker to run arbitrary commands with root privileges on the targeted system.

The third patched issue is also a medium-severity bug (CVE-2018-1241, CVSS 6.2). Here, LDAP plaintext credentials are leaked into a Tomcat log file if a user logs into an LDAP account via RecoverPoint’s web interface. The problem is that the credentials can remain in the log file indefinitely, and attackers with access to the RecoverPoint file system can hijack them to then compromise the LDAP account.

The two unpatched vulnerabilities are that RecoverPoint ships with a system password hash stored in a world-readable file (i.e., one that can be read by any user, according to Taylor), and that it uses a hardcoded root password that can only be changed by contacting the vendor.

Dell EMC initially issued a CVE for the first vulnerability, but then revoked it, claiming that the file was only readable by root. Foregenix’s Taylor, however, said he was able to read the file following a web application compromise. He added that Dell EMC may nonetheless have fixed the flaw in the latest upgrade. Threatpost has reached out to Dell EMC for clarification and will update the story once more information becomes available.

As for the hardcoded password, Taylor said that the password at issue is for the root account of RecoverPoint’s underlying Linux OS. Thus, compromising the root password of one device means an attacker could gain control over all of the devices, either by logging in at the local console or by gaining console access as an unprivileged user and changing to root. Dell EMC said that rather than change that approach, it plans to update its documentation to make clear that the password can only be changed by requesting a dedicated script from its support team.

And finally, the insecure configuration option allows LDAP credentials to be sent in clear text, which means they can be intercepted by an attacker in a man-in-the-middle position, or by someone who has gained access to the RecoverPoint device through another vulnerability.

Dell EMC said that the RecoverPoint documentation provides a warning about the insecure nature of that particular configuration, so users are setting it up that way at their own risk.

“Foregenix was able to successfully exploit this vulnerability, intercepting credentials sent from the RecoverPoint to compromise a Microsoft Active Directory domain,” Taylor said. “Foregenix would advise all RecoverPoint customers to ensure that if LDAP integration is required, it is configured to bind securely.”

Comcast Patches Router Bug That Leaked Some Wi-Fi Passwords

Comcast patched a bug Monday that, under certain conditions, leaked the SSID names and passwords of customers’ Xfinity routers. The flaw was accessible via the Comcast website used by customers to activate and manage their Xfinity router. The bug did not affect Comcast customers who used their own private routers.

Researchers Karan Saini and Ryan Stevenson discovered the bug on Monday. Saini told Threatpost that after he notified the media of his discovery, Comcast was alerted to the glitch and the bug was quickly patched.

The prerequisite for the website vulnerability was that the researchers needed to have an Xfinity customer’s account number and just the street number (but not the name of the street) of the billing address used at the location of the customer leasing the Xfinity router from Comcast.

With those two pieces of data, Saini discovered a user could access the full address of the Comcast customer’s account, along with the SSID name and password associated with the customer’s Xfinity router. Access also allowed Saini to change the SSID password.

Comcast released a statement on Monday: “Within hours of learning of this issue, we shut it down. We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.”

Attack scenarios range from a malicious user logging into a customer’s password-protected Wi-Fi network in order to snoop on or attack endpoints on the local network, to performing a man-in-the-middle attack on the shared network or simply stealing a neighbor’s Wi-Fi. Lastly, an attacker could lock a customer out of their own Wi-Fi network by constantly changing the SSID password.

“This becomes essentially a backdoor of sorts,” Saini told Threatpost. He pointed out that Comcast customer account information can be plucked from a number of places, including the trash, but also sometimes online. A search of public customer service queries by Comcast customers online revealed that many use their account number to identify themselves to Comcast online customer service agents.

Saini is known for his previous research where he discovered an Uber two-factor bypass bug affecting its customers along with a vulnerability in India’s Aadhaar system, a 12-digit unique identity number. Saini identified a bug that allowed him to extract personal phone numbers linked to Aadhaar numbers.
