• S1E2 - RCEs, Election Security, and IoT
    Oct 19 2020

    Bad Neighbor

    Microsoft's October Patch Tuesday was less than a week ago, and we're already seeing a tremendous bump in related exploit activity. Researchers are predicting a surge in exploitation for CVE-2020-16898, a possible RCE entry point involving improperly handled ICMP version 6 Router Advertisements. This vulnerability, now being called Bad Neighbor, affects the Windows TCP/IP stack in many versions of Windows 10 and Windows Server 2019.

    Exploiting this vulnerability could be as simple as sending a carefully crafted packet to a target machine, so representatives from Microsoft are advising anyone running an affected version to patch immediately.
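    As an added illustration for this item (not part of the episode notes or of any Microsoft code), the checker below parses the option list of an ICMPv6 Router Advertisement and flags a malformed Recursive DNS Server (RDNSS) option. Microsoft's advisory for CVE-2020-16898 singled out RDNSS handling, and its published workaround was to turn RDNSS processing off; RFC 8106 requires the option's Length field to be odd and at least 3 (one 8-byte unit for the header, two per 16-byte address), so an even Length is something a sensor or host-based check can reject before the stack ever sees it. The two sample messages are constructed here with documentation-prefix addresses; the ICMPv6 checksum is left at zero because it is computed over the IPv6 pseudo-header and plays no part in option parsing.

```python
import struct
from typing import Dict, List

# ICMPv6 type and Neighbor Discovery option codes (RFC 4861, RFC 8106)
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR = 1
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25

RA_HEADER_LEN = 16  # type, code, checksum, hop limit, flags, lifetime, reachable, retrans


def parse_ra_options(icmpv6: bytes) -> List[Dict]:
    """Walk the option list of an ICMPv6 Router Advertisement and return one
    finding per option.  `icmpv6` is the ICMPv6 message only, no IPv6 header."""
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    findings: List[Dict] = []
    offset = RA_HEADER_LEN
    while offset < len(icmpv6):
        if len(icmpv6) - offset < 2:
            findings.append({"offset": offset, "type": None, "ok": False,
                             "reason": "truncated option header"})
            break
        opt_type, opt_len = icmpv6[offset], icmpv6[offset + 1]
        if opt_len == 0:  # RFC 4861 section 4.6: receivers MUST discard Length 0
            findings.append({"offset": offset, "type": opt_type, "ok": False,
                             "reason": "option Length 0"})
            break
        total = opt_len * 8  # Length is in units of 8 octets, header included
        if offset + total > len(icmpv6):
            findings.append({"offset": offset, "type": opt_type, "ok": False,
                             "reason": "option runs past end of message"})
            break
        body = icmpv6[offset + 2:offset + total]
        finding = {"offset": offset, "type": opt_type, "length": opt_len, "ok": True, "reason": ""}
        if opt_type == OPT_RDNSS:
            # RFC 8106 section 5.1: Length = 1 + 2n for n addresses, so odd and >= 3.
            if opt_len < 3 or opt_len % 2 == 0:
                finding["ok"] = False
                finding["reason"] = f"RDNSS Length {opt_len} is not odd and >= 3"
            else:
                n_addr = (opt_len - 1) // 2
                # body layout: reserved(2), lifetime(4), then 16-byte addresses
                finding["addresses"] = [body[6 + 16 * i:6 + 16 * (i + 1)] for i in range(n_addr)]
        findings.append(finding)
        offset += total
    return findings


def has_malformed_rdnss(icmpv6: bytes) -> bool:
    """True when any RDNSS option fails the RFC 8106 length rule."""
    return any(f["type"] == OPT_RDNSS and not f["ok"] for f in parse_ra_options(icmpv6))


# --- constructed sample messages (not captured traffic) ---------------------

def build_ra(options: bytes) -> bytes:
    # type 134, code 0, checksum 0 (not validated here), hop limit 64, flags 0,
    # router lifetime 1800 s, reachable time 0, retrans timer 0
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0) + options


def rdnss_option(length: int, addresses: List[bytes]) -> bytes:
    # The caller picks Length explicitly so a malformed option can be built on purpose;
    # the option is padded to the size its Length field claims.
    opt = struct.pack("!BBHI", OPT_RDNSS, length, 0, 3600) + b"".join(addresses)
    return opt.ljust(length * 8, b"\x00")


DNS_A = bytes.fromhex("20010db8000000000000000000000053")  # 2001:db8::53 (constructed)
SRC_LLADDR = struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + bytes.fromhex("021122334455")
PREFIX_INFO = (struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 2592000, 604800, 0)
               + bytes.fromhex("20010db8000000010000000000000000"))  # 2001:db8:0:1::/64

GOOD_RA = build_ra(SRC_LLADDR + PREFIX_INFO + rdnss_option(3, [DNS_A]))  # one address, Length 3
BAD_RA = build_ra(SRC_LLADDR + rdnss_option(4, [DNS_A]))                 # even Length: malformed

if __name__ == "__main__":
    for name, msg in (("GOOD_RA", GOOD_RA), ("BAD_RA", BAD_RA)):
        print(name, "malformed RDNSS:", has_malformed_rdnss(msg))
        for f in parse_ra_options(msg):
            print("  ", f)
```

    The check is deliberately strict about the Length field rather than about addresses: a receiver that trusts an even Length to compute the number of 16-byte entries is exactly the kind of code a protocol validator should shield, and the same loop extends to other ND options by adding their RFC-defined length rules.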

    Election Security

    A new plot line for the vulnerability we just can't stop talking about, ZeroLogon, is currently unfolding in our nation's election support systems. The FBI and CISA have recently published a joint advisory warning about the vulnerability's prevalence in election infrastructure. The agencies warn that APT groups are using this vulnerability to gain access to some of the nation's most critical election systems. Their report goes on to explain how attackers are chaining together other vulnerabilities, like gaining a foothold through VPN exploits and then using ZeroLogon for post-exploitation. The FBI does not currently believe the integrity of the election is at stake, but warns that critical election systems will likely continue to be targeted through the upcoming November elections.

    BleedingTooth

    Last, but not least, Google and Intel have released details on a new vulnerability with an interesting name, BleedingTooth, which affects Linux kernel versions prior to 5.9 that include the BlueZ Bluetooth stack. The vulnerability is currently being investigated as an entry point to IoT devices, but any affected system with a Bluetooth interface could be in trouble as well.

    According to a post in Google's security research repo on GitHub, "A remote attacker in short distance, knowing the victim's Bluetooth address can send a malicious L2CAP packet and cause denial of service or possible arbitrary code execution with kernel privileges". They go on to say that malicious Bluetooth chips can trigger the vulnerability as well.

    Intel, which has recently invested heavily in BlueZ, has urged users to upgrade to kernel version 5.9 or later. You can check out Google's proof-of-concept exploit for the BleedingTooth vuln, or read up on CVE-2020-12351 for more information.

    That just about wraps it up for today's attempt at making CISOs cry. Please join me again next time for the Daily Vuln.

    This podcast is powered by Pinecast.

    4 mins
  • S1E1 - Breaking Bitlocker, Exchange RCE, and Zerologon
    Oct 16 2020

    Today we’re going to dive into a few interesting vulnerabilities coming from everyone’s favorite punching bag — Microsoft.

    A researcher at Black Hat Asia 2020 revealed a vulnerability in BitLocker that allows a user to bypass Windows' full disk encryption. It does so by exploiting a weakness in how BitLocker handles sleep mode in some edge cases. A video released by the researcher shows the vulnerability being exploited using a tool they developed called bitleaker.

    Basically, after the Windows machine is shut down, an attacker boots into a live USB with the bitleaker tool installed, forces the computer to go into sleep mode, and the tool proceeds to take advantage of the weak handling of the edge case upon waking the machine. This abnormal sleep mode case allows the Trusted Platform Module onboard the Windows machine to be cleared, completely neutralizing its security features and allowing BitLocker's Virtual Master Key to be unsealed and the encryption to be broken. More information on this can be found on the details page for CVE-2020-0526 or by visiting the bitleaker repo on GitHub.

    US federal agencies are reporting that nearly 250,000 Exchange servers remain unpatched against a particularly malicious RCE vulnerability, CVE-2020-0688, affecting nearly every machine with the Exchange Control Panel component enabled. This component is enabled by default, so you can imagine just how widespread this vulnerability is.

    Microsoft addressed this problem about 8 months ago on February's Patch Tuesday, and companies across the globe have patched it about as quickly as you'd expect. Both the NSA and CISA are urging everyone with an Exchange server to patch this as soon as possible, as multiple Advanced Persistent Threat groups are actively deploying exploits against this vulnerability.

    Last, but not least, let's talk about the dangerous elephant in the room. The ZeroLogon vuln disclosed back in August is coming back in full force this week, as DHS warns of a potential wave of exploitation.

    For anyone not familiar with the vulnerability, it allows an attacker to bypass the authentication mechanism in Active Directory's Netlogon Remote Protocol (MS-NRPC), which lets users log on using NTLM. It does so by forcing the initialization vector, which should always be a random number, to contain all zeroes, making the encryption incredibly predictable and thus breakable. Any attacker gaining control with this attack essentially has the keys to the kingdom, or in this case the Domain Controller. From there, the sky is the limit; an attacker can likely take over an entire network using this vulnerability as an entry point.
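    To make "incredibly predictable" concrete, here is an added demonstration (not from the episode or from any Netlogon implementation) of what a fixed all-zero IV does to the 8-bit cipher feedback mode (CFB8) that MS-NRPC uses for its computed credentials. CFB8 only ever runs the block cipher forward, so the example substitutes a keyed PRF (HMAC-SHA-256 truncated to 16 bytes) for AES; that substitution is an assumption made for a dependency-free demo, and the structural result is identical with AES: for roughly 1 in 256 keys the first output byte of encrypting the zero block is 0, and once that happens the shift register never leaves the all-zero state, so an all-zero plaintext encrypts to an all-zero ciphertext no matter how long it is. The keys used for the statistic are derived deterministically so the run is reproducible.

```python
import hashlib
import hmac

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Forward direction of a 128-bit block cipher.  ASSUMPTION for this demo:
    a keyed PRF stands in for AES; CFB8 never needs the decrypt direction, so
    the mode behaves the same way."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: one byte per step.  The shift register starts as the IV; each step
    XORs the plaintext byte with the first byte of E_k(register), then the
    ciphertext byte is shifted in at the right and the oldest byte drops off."""
    assert len(iv) == BLOCK
    register = iv
    out = bytearray()
    for p in plaintext:
        c = block_encrypt(key, register)[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


ZERO_IV = bytes(BLOCK)
ZERO_PT = bytes(8)  # an all-zero 8-byte challenge, the shape the protocol encrypts


def is_weak_key(key: bytes) -> bool:
    """With IV = 0 and plaintext = 0, byte 0 of the output is E_k(0)[0].  If that
    byte is 0 the register stays all-zero and every later byte is the same 0."""
    return cfb8_encrypt(key, ZERO_IV, ZERO_PT) == ZERO_PT


def demo_key(i: int) -> bytes:
    # Deterministic 16-byte keys for a reproducible demo (constructed, not real secrets).
    return hashlib.sha256(b"cfb8-zero-iv-demo" + i.to_bytes(4, "big")).digest()[:BLOCK]


def find_weak_key(limit: int = 100_000) -> bytes:
    """Return the first demo key whose zero-IV encryption of zeros is all zeros."""
    for i in range(limit):
        key = demo_key(i)
        if is_weak_key(key):
            return key
    raise RuntimeError("no weak key found; with a 1/256 rate this should not happen")


def weak_key_fraction(trials: int = 10_000) -> float:
    """Estimate the share of keys that collapse under a zero IV; expect about 1/256."""
    hits = sum(is_weak_key(demo_key(i)) for i in range(trials))
    return hits / trials


if __name__ == "__main__":
    weak = find_weak_key()
    print("weak key:", weak.hex())
    print("zero IV, zero plaintext ->", cfb8_encrypt(weak, ZERO_IV, ZERO_PT).hex())
    # The same key with a non-zero IV behaves normally: the register starts off
    # unpredictable, so the output does not collapse to zeros.
    print("random-looking IV       ->", cfb8_encrypt(weak, bytes(range(BLOCK)), ZERO_PT).hex())
    print(f"fraction of keys that collapse: {weak_key_fraction():.4f} (1/256 = {1/256:.4f})")
```

    The lesson for anyone reviewing a protocol or an implementation is the one the episode draws: the IV exists to make identical plaintexts encrypt differently, and a constant IV turns a mode like CFB8 into a per-key lottery that an attacker can play for free. On the defensive side the answer is the patch and Microsoft's enforcement of secure RPC on the Netlogon channel, together with auditing for Domain Controllers that still accept vulnerable connections.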

    OK, there you have it, your daily dose of "oh no, I have to patch something" known as the Daily Vuln.

    This podcast is powered by Pinecast.

    4 mins