Wednesday, February 21, 2018

Week 12 - Threat of the Week - Apple 'Unicode Bomb of Death 2.0'

Name: CVE-2018-4124

Report Date: 02/14/2018

What does it affect?
Per the advisory this impacts the following:

  • iOS 11.2.6
  • watchOS 4.2.3
  • tvOS 11.2.6
  • macOS 10.13.3

What's the big deal?
The new bomb of death is triggered by two Unicode symbols from the Telugu script. When the characters are rendered on screen, the app displaying them crashes. Reports indicate that it impacts basically every application on the device, and in many cases the affected application has to be deleted and reinstalled. While this is more of a nuisance, it is very easy to spread: for example, you can broadcast a wireless network name containing the characters, put them in an email to someone, tweet them to someone, etc.
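
Because the trigger travels in ordinary text fields (SSIDs, email subjects, display names), a defender's first move is to quarantine such fields before unpatched devices render them. The following Python scanner is an added example written for this post, not code from the original blog or from Apple; it assumes an environment where Telugu text is not expected, and it deliberately over-matches by flagging every shaped Telugu cluster (a Telugu letter followed by a combining or format character) rather than the specific crashing sequence. The sample inputs are constructed.

```python
import unicodedata

# Code point range of the Telugu block, the script the advisory names (Unicode chart bounds).
TELUGU_BLOCK = range(0x0C00, 0x0C80)


def is_telugu(ch: str) -> bool:
    return ord(ch) in TELUGU_BLOCK


def is_mark_or_format(ch: str) -> bool:
    # Mn/Mc: combining marks that attach to the preceding letter when rendered.
    # Cf: format characters such as ZWJ/ZWNJ that change how a cluster is shaped.
    return unicodedata.category(ch) in ("Mn", "Mc", "Cf")


def has_telugu_cluster(text: str) -> bool:
    """True if a Telugu letter is immediately followed by a mark or format
    character, i.e. the text contains a Telugu cluster the renderer must shape."""
    return any(is_telugu(a) and is_mark_or_format(b) for a, b in zip(text, text[1:]))


def screen_fields(fields: dict) -> list:
    """Return the names of fields (SSID, subject, display name, ...) worth quarantining
    in an environment where Telugu text is not expected. Deliberately over-matches:
    every shaped Telugu cluster is flagged, not only the crashing one."""
    return [name for name, value in fields.items() if has_telugu_cluster(value)]


if __name__ == "__main__":
    # Constructed sample inputs. The subject is an ordinary Telugu syllable
    # (letter KA + vowel sign AA), not the crash sequence; the display name is
    # a Latin letter with a combining accent and must not be flagged.
    sample = {
        "ssid": "Guest-WiFi",
        "subject": "\u0c15\u0c3e",
        "display_name": "caf\u0065\u0301",
    }
    print(screen_fields(sample))  # ['subject']
```

Run it over an inbound-mail or SSID feed; anything flagged is held back until the device fleet has the 2/19/2018 updates. Legitimate Telugu correspondence will be flagged too, which is the intended trade-off for an English-only environment.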

How do we fix it?
Apple quickly released a patch to fix this issue. In fact, when it was reported the beta versions were not affected; only the current stable releases of the operating systems were impacted. On 2/19/2018 Apple released the new patches that mitigate the vulnerability, and Apple encourages all users to stay up to date and install security releases as soon as possible.

https://threatpost.com/apple-rushes-fix-for-latest-text-bomb-bug-as-abuse-spreads/129987/

https://techcrunch.com/2018/02/15/iphone-text-bomb-ios-mac-crash-apple/

https://support.apple.com/en-us/HT201222

Wednesday, February 14, 2018

Week 10 - Threat of the Week - KRACK

Name: KRACK
CVE-2017-13077
CVE-2017-13078
CVE-2017-13079
CVE-2017-13080
CVE-2017-13081
CVE-2017-13082
CVE-2017-13084
CVE-2017-13086
CVE-2017-13087
CVE-2017-13088

Report Date: 10/17/2017

What does it affect?
KRACK impacts Wi-Fi security, so essentially any device that supports Wi-Fi could be impacted, although Android, Linux and OpenBSD are more susceptible than macOS and Windows.

What's the big deal? 
The biggest issue with KRACK is that it also impacts WPA2, previously the gold standard in Wi-Fi security. 

How does it work?
KRACK works by targeting the four-way handshake that is part of the WPA2 key exchange. KRACK is short for Key Reinstallation Attacks. It tricks client devices into reinstalling a key that is already in use, which forces a reset of the key's state and allows the encryption to be bypassed.
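
The reason a reinstalled key is dangerous is that installing a key resets the packet number (the nonce) that is mixed into the keystream, so traffic sent after the reinstallation is encrypted with keystream that was already used. The Python simulation below is an added example for this post, not code from the original blog or from the KRACK researchers; it uses a toy hash-based keystream in place of real CCMP/AES-CTR (labelled as such in the code) and constructed plaintexts. It models a client that receives message 3 of the handshake twice, once with the vulnerable behaviour and once with the fix the patches apply: a key already in use is never reinstalled.

```python
import hashlib
from dataclasses import dataclass


def keystream(ptk: bytes, nonce: int, length: int) -> bytes:
    """Toy stand-in for CCMP's AES-CTR keystream: a hash of key, packet number and
    block counter. Not real 802.11 crypto, but it has the property that matters
    here: the same key and nonce always give the same keystream."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(ptk + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Client:
    patched: bool          # True: refuse to reinstall a key that is already in use
    ptk: bytes = b""
    nonce: int = 0

    def install_key(self, ptk: bytes) -> bool:
        """Message 3 of the handshake carries the key to install. Returns True if installed."""
        if self.patched and ptk == self.ptk:
            return False   # the fix: an already-installed key is never reinstalled
        self.ptk = ptk
        self.nonce = 0     # installing a key resets the packet number
        return True

    def encrypt(self, plaintext: bytes) -> tuple:
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.ptk, self.nonce, len(plaintext)))


def run_session(patched: bool) -> dict:
    """One client session in which message 3 arrives twice (a retransmission)."""
    client = Client(patched=patched)
    ptk = hashlib.sha256(b"constructed-ptk-for-demo").digest()  # constructed key
    p1 = b"GET /index.html HTTP/1.1\r\n"                          # constructed plaintexts
    p2 = b"POST /login HTTP/1.1\r\nuser=a"
    client.install_key(ptk)
    n1, c1 = client.encrypt(p1)
    reinstalled = client.install_key(ptk)   # second copy of message 3
    n2, c2 = client.encrypt(p2)
    n = min(len(p1), len(p2))
    return {
        "reinstalled": reinstalled,
        "nonce_reused": n1 == n2,
        # With a reused keystream, c1 XOR c2 == p1 XOR p2: the ciphertexts leak
        # the relation between plaintexts, which is what "bypassed" means here.
        "plaintext_xor_leaks": xor(c1[:n], c2[:n]) == xor(p1[:n], p2[:n]),
    }


if __name__ == "__main__":
    print("unpatched:", run_session(patched=False))
    print("patched:  ", run_session(patched=True))
```

The unpatched run shows the nonce returning to 1 and the two ciphertexts XORing to the two plaintexts' XOR; the patched run ignores the second message 3, the nonce keeps counting, and the relation disappears. That single "install once" check is the whole of the client-side fix.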

How do we fix it?
The good news is that patches were quickly released that only allow a key to be installed once, preventing the vulnerability from being exploited. It is recommended that both access points and clients be updated with the new firmware and patches as necessary. Microsoft also suggested updating Wi-Fi device drivers as soon as they become available.

Sunday, February 11, 2018

Week 9 - Threat of the Week - Cisco ASA Remote Code Execution

Now that the STRIDE alphabet has been covered I intend to shift gears just a little bit.  The blog will still focus on the Threat of the Week, however it will no longer go in order of STRIDE.  Each week I'll take a look at newly discovered vulnerabilities, or previously found vulnerabilities that are now under exploit, or for some reason or another have ended up in the news cycle for the week.

This week I'll be taking a look at a Cisco ASA Remote Code Execution Vulnerability.  

Name: CVE-2018-0101

Report Date: 01/29/2018

What does it affect?
Per the Cisco advisory this vulnerability impacts the following devices running ASA software:
  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 4120 Security Appliance
  • Firepower 4140 Security Appliance
  • Firepower 4150 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)
  • FTD Virtual

What's the big deal?
The big deal with this vulnerability is that sending specially crafted XML packets to an ASA device running an SSL VPN can cause the device to reload or allow remote code execution, which could give an attacker full control of the device. Exploitation requires no authentication, and given the typical deployment of an SSL VPN, the ASA is by design accepting traffic from the outside world.
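
Before patching, an operator wants to know which ASAs actually expose the SSL VPN service to the outside. The Python check below is an added example for this post, not code from the original blog or from Cisco; it assumes the SSL VPN is configured through the top-level `webvpn` command with an `enable <interface>` sub-command (the standard ASA syntax), and that the fixed-release comparison is done separately against the Cisco advisory, since this page does not list fixed versions. The running-config excerpt is constructed.

```python
import re

# Constructed ASA running-config excerpt for the demo; not from any real device.
SAMPLE_CONFIG = """\
ASA Version 9.8(2)
!
hostname edge-fw
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
group-policy GP-REMOTE internal
group-policy GP-REMOTE attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect keep-installer installed
!
webvpn
 enable outside
 anyconnect enable
!
"""


def asa_version(config: str) -> str:
    """The 'ASA Version' banner line, to be compared against the advisory's fixed releases."""
    m = re.search(r"^ASA Version (\S+)", config, re.MULTILINE)
    return m.group(1) if m else ""


def ssl_vpn_interfaces(config: str) -> list:
    """Interfaces on which the top-level 'webvpn' service is enabled.
    ASA top-level commands are unindented; sub-commands are indented, so an
    indented line belongs to the most recent unindented command. The indented
    'webvpn' inside a group-policy is a different command and is ignored."""
    enabled = []
    in_webvpn = False
    for line in config.splitlines():
        if line and not line.startswith(" "):
            in_webvpn = line.strip() == "webvpn"
            continue
        m = re.match(r"\s+enable\s+(\S+)\s*$", line) if in_webvpn else None
        if m:
            enabled.append(m.group(1))
    return enabled


def assess(config: str) -> dict:
    ifaces = ssl_vpn_interfaces(config)
    return {
        "version": asa_version(config),
        "ssl_vpn_interfaces": ifaces,
        # Exposure here means the vulnerable service is reachable on some interface;
        # whether the running version is fixed is a separate check against the advisory.
        "ssl_vpn_exposed": bool(ifaces),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG))
```

Feed it the output of `show running-config` from each ASA; devices with `ssl_vpn_exposed` true and an interface named for the outside are the ones to patch first.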

How do we fix it?
Currently there are no workarounds. Shortly after the vulnerability was disclosed Cisco put out a patch to resolve the issue, and shortly after that Cisco discovered the patch only covered a portion of the vulnerabilities. A new patch has since been released, and Cisco advises immediate updates for all impacted systems.

Saturday, February 3, 2018

Week 8 - Threat of the Week - Elevation of Privilege

[Image: elevation of privilege message]

At some time or another, if you work for an organization that uses basic security techniques and runs Windows-based workstations, you have probably seen a similar message. That message appears because the corporate IT department has given users standard user accounts, or least-privileged accounts. For a bad actor, gaining credentials to any account is fantastic, but elevating the privileges of that account is when real damage can occur.

A common tactic for an external actor is a phishing campaign that attempts to compromise low-level credentials. Those credentials provide the initial access to corporate systems; once inside, the bad actor pivots and moves laterally through the environment looking for a dormant admin account, or uses some kind of pass-the-hash attack with stolen credential hashes.

Organizations can combat EoP with a variety of techniques. Implementing a policy of least privilege sounds great in theory, but it is often met with a lot of blowback from end users who see it as a hindrance to performing their job duties. One option an organization can turn to is a Privileged Access/Identity Management system. Systems like PowerBroker from BeyondTrust let end users operate as a standard user and elevate only specific applications when necessary. This gives users the functionality they need without having to call the help desk for every task on the PC.

