Tag Archives: Update

Cisco Routers Need Patching – Daily Security Byte EP.54

This week, Cisco released an advisory telling IOS device users to patch. The latest IOS update fixes three vulnerabilities, which specifically affect administrators who use Cisco’s Autonomic Networking Infrastructure (ANI). Watch today’s video to learn more about these flaws, especially if you have ANI enabled.

 

(Episode Runtime: 1:21)

Direct YouTube Link: https://www.youtube.com/watch?v=PMOESrmT8qU

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

OpenSSL DoS – Daily Security Byte EP.48

This week the information security (InfoSec) community was abuzz about an upcoming critical OpenSSL update. Would it fix the next FREAK or Heartbleed? Nope. It was much less severe than expected. Nonetheless, watch today’s video to learn how quickly you should patch.

 

(Episode Runtime: 1:55)

Direct YouTube Link: https://www.youtube.com/watch?v=UkehIk0KDaw

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

New Releases: Fireware and WSM version 11.9.5

red-wedge_smart-securityWatchGuard is pleased to announce the release of Fireware 11.9.5 and WSM 11.9.5. These maintenance releases provide many bug fixes, with full details outlined in the Release Notes and the  What’s New in 11.9.5 presentation.

Dimension 1.3 Update 2

Application Control information was not correctly logged from proxy policies in version 11.9.4. Along with the new Fireware release, we have also released Dimension 1.3 Update 2, which is also required to correct this issue.

Does This Release Pertain to Me?

The Fireware release applies to all Firebox and XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W appliances.

Software Download Center

Firebox and XTM appliance owners with active LiveSecurity can obtain this update without additional charge by downloading the applicable packages from the new and improved WatchGuard Software Download Center. Please read the Release Notes before you upgrade to understand what’s involved. Known Issues are now listed in the Knowledge Base when logged in at the WatchGuard website. Note that there is also a Beta version of 11.10 available to try out at the software download center.

Contact Information

For Sales or Support questions, you can find phone numbers for your region online. If you contact WatchGuard Technical Support, please have your registered appliance Serial Number or Partner ID available.

Don’t have an active LiveSecurity subscription for your appliance? It’s easy to renew. Contact your WatchGuard reseller today. Find a Partner.

— Brendan Patterson 

Don’t Be ‘fraid of No GHOST; Glibc Vulnerability

GHOST VulnerabilityDuring the blog downtime, observant security practitioners probably read about a serious new vulnerabilities called GHOST, which affects all Linux-based systems to some extent. I actually covered GHOST already, in one of my Daily Security Bytes, but you may have missed it during the downtime. Let me recap the issue here.

GHOST is the name Qualys gave to a newly reported security vulnerability in the very common glibc component that ships with almost all Linux-based software and hardware. If you haven’t heard of glibc, it’s the common GNU C library which contains functions that many Linux program rely on to do common task (such as looking up IP addresses). In a routine audit, Qualys researchers found that part of the gethostbyname() function suffers from a buffer overflow flaw that attackers can use to execute code on your Linux systems.

Because many different Linux application may (or may not) use this glibc function to look up IP addresses, this flaw might get exposed through almost any network service or package. Qualys specifically designed a Proof-of-Concept (PoC) exploit against the Exim email server, which attackers can exploit just by sending email, but they warn that many other Linux packages use the vulnerable function. Some potentially affected packages include:

  • apache
  • cups
  • dovecot
  • gnupg
  • isc-dhcp
  • lighttpd
  • mariadb/mysql
  • nfs-utils
  • nginx
  • nodejs
  • openldap
  • openssh
  • postfix
  • proftpd
  • pure-ftpd
  • rsyslog
  • samba
  • sendmail
  • sysklogd
  • syslog-ng
  • tcp_wrappers
  • vsftpd
  • xinetd
  • WordPress

That said, the  size of the buffer being overwritten is very limited; at only four to eight bytes. This makes it very challenging to actually exploit this flaw in many cases. So while quite a few packages may use the vulnerable function, not all of them actually pose a real-world risk.

It turns out that this particular glibc flaw was discovered and patched over two years ago. If you have glibc 2.18 or higher, you’re not affected. However, at the time it was patched the flaw was considered a bug rather than a security vulnerability, so many Linux distributions didn’t port the glibc update to their distro.

A quick way to check the glibc version on your Linux systems is to type the following command:

ldd --version

If that reports a version lower than 2.18, you need to upgrade. If you’re interested, this blog post has a lot more good information about testing for the flaw. The good news is every major Linux distribution has since updated. If you run Linux systems (especially public servers), I recommend you get your distro’s latest updates to fix this vulnerability.

Also, keep in mind that many hardware devices (often known as the Internet of Things) are actually embedded linux systems, which may need updates as well. Not to mention, some administrators may run Linux software ports on Windows and OS X systems as well. In these cases, it’s possible you might have vulnerable versions of glibc on those non-Linux systems.

Does GHOST Affect WatchGuard Products?

You may know that many WatchGuard product are Linux-based systems, and wonder how this flaw affects them. For the most part, this flaw has little to no impact to most of our products, with a few exceptions. Here are the details:

  • WatchGuard XCS appliances – Not Affected.
  • WatchGuard Wireless Access Points – Not Affected.
  • Dimension v1.3 and higher – Not Affected.
  • Dimension v1.2 and lower – Affected, but Dimension should have already auto-updated. The version of Ubuntu shipping with Dimension v1.2 does use a vulnerable glibc package. However, Dimension auto-updates, and downloads Ubuntu’s latest patches. Since Ubuntu released a patch long ago, your Dimension server should already be patched (as long as you didn’t disable auto-updates).
  • WatchGuard XTM appliances – Affected, but not likely exploitable. XTM Fireware does contain the vulnerable version of glibc. HOWEVER, you are only vulnerable to this issue if a Linux service uses the gethostbyname() funtion. For better security, and IPv6 interoperability, our engineers use the newer getaddrinfo() to resolve hostnames, which is not affected by this vulnerability. We have not found any packages using the vulnerable function, so we believe this flaw has little to no real-world impact on our XTM devices. That said, we have already patched our glibc library, and XTM owners will receive this update in the next scheduled Fireware release. If you’d like to know more about the difference between these functions, I recommend you read this post.
  • WatchGuard SSL VPN appliances - AffectedOur SSL VPN appliance does use the vulnerable library, and is affected by this flaw. We have already patched the flaw internally, and are currently scheduling a release vehicle for the update. I’ll update this post when we know a solid date.

So to summarize. If you use Linux systems, be sure to patch them as soon as you can. Most WatchGuard products aren’t really impacted by this flaw, but we recommend you install firmware updates when we release them. If you want to know more about this interesting and wide-spread issue, I’ve included a few references below. — Corey Nachreiner, CISSP (@SecAdept)

GHOST Vulnerability References:

New Releases: Fireware XTM 11.9.4 and WSM 11.9.4

Fireware OS 11.9.4 and WSM 11.9.4 are now available. This maintenance release includes many bug fixes and several new enhancements. The Release Notes list all resolved issues and new enhancements in the software.

Key Highlights:

  • New Guest Services capability enables the creation of temporary accounts for hotspot access. Ideal for hotels and retail stores to provide internet access for their visitors and customers. A new guest administrator role and user interface enable front line staff to manage and create the accounts.
  • Selective inspection or bypass of encrypted web traffic (HTTPS DPI) via domain name or web category. Administrators now have more flexibility, allowing them to bypass DPI inspection of known good sites that need to remain private, such as online banking or financial applications.
  • Diagnostic report output of Branch Office VPN configurations helps with quick troubleshooting and repair of any tunnel issues.
  • SSLv3 is disabled by default to protect against man in the middle attacks that could exploit the Poodle vulnerability (CVE-2014-3566).
  • Many bug fixes to improve the scalability and reliability of Single Sign-On.
  • Support for /31 and /32 subnets on external interfaces, which are commonly used in regions with shortages of IPv4 IP addresses.
  • WSM support for the new Firebox M400 and M500 models.

Full details of all changes including screenshots of new user interface are provided in the What’s New in 11.9.4 presentation [PPT].

Does this Release Pertain to Me?

This release applies to all Firebox and XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W appliances.

New Software Download Center!

Firebox and XTM appliance owners can obtain this update without additional charge by downloading the applicable packages from the new and improved WatchGuard Software Download Center. No login is required to download the software, but you must have active LiveSecurity on the appliance to apply the upgrade. Please read the Release Notes before you upgrade, to understand what’s involved. Known issues are now listed in the Knowledge Base when accessed through the WatchGuard Portal. You must log in to see Known Issues.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • Authorized WatchGuard Resellers: 206.521.8375
  • International End Users: +1.206.613.0456

#OpKKK – WSWiR Episode 130

Emergency Windows Patch, Malware Vs. Passwords, and #OpKKK

Nowadays, researchers, hackers, and the media bombard us with tons of information security (InfoSec) news each week. There’s so much, it’s hard to keep upespecially when it’s not your primary job. However, I believe everyone needs to be aware of the latest InfoSec threats. If you want to protect your network, follow our weekly video so I can quickly get you up to speed every Friday.

Today’s episode covers a critical out-of-cycle Microsoft patch, talks about the latest updates to a nasty piece of mobile malware, and explores the ethical issues surrounding a recent Anonymous attack campaign, Operation KKK. Press play for the details, and see the references below for more stories.

As an aside, after shooting this week’s video, I learned attackers may have stolen a bunch of passwords from many popular online services. It may be a hoax, but if you use Windows Live, PSN, or 2K Games, you should probably change you password… just to be safe. Have a great weekend!

(Episode Runtime: 10:44)

Direct YouTube Link: https://www.youtube.com/watch?v=XUsqxsHvVZc

EPISODE REFERENCES:

EXTRAS:

— Corey Nachreiner, CISSP (@SecAdept)

Grab Microsoft’s Out-of-Cycle Kerberos Patch

During last week’s Microsoft Patch Day, I pointed out that Microsoft had delayed two of the expected bulletins. This week, they released one of those delayed updates, and rate it as a Critical issue.

According to the MS14-068 Security Bulletin, Kerberos suffers from a local privilege elevation flaw that could allow attackers to gain full control of your entire domain. Kerberos is one of the authentication protocols used by Windows Servers. Kerberos Key Distribution Center (KDC) is the network service that supplies kerberos “tickets.” Unfortunately, Windows Servers suffers from a KDC vulnerability that allows local users to gain full domain administrator privileges simply by sending maliciously forged tickets to your KDC server. The good news is, an attacker needs valid domain login credentials, and local network access to leverage this flaw. The bad news is, if they can exploit the flaw, they basically gain access to ALL your Windows machines easily. This is a great flaw for advanced attackers. If they can pwn even one of your least privileged users, they can leverage it to gain full control of Windows networks, and easily move laterally throughout your network. I consider this a pretty serious issue.

I recommend you patch your Windows Servers, especially your Active Directory controller, as soon as possible. Check out the Affected Software section of Microsoft’s bulletin for patch details. Though I recommend you update quickly, your Authentication server is a critical network component. I highly recommend you test this update on a non-production server first, to make sure it doesn’t cause and unexpected problems. — Corey Nachreiner, CISSP (@SecAdept)

Latest Flash Update Plugs 18 Security Holes

Do you watch a lot of online video or play interactive web games? Perhaps your organization uses rich, interactive web-based business applications? In either case, you’ve probably installed Adobe Flash, along with the  500 million other device holders who use it. In this case, you better update Flash as soon as you can.

During Microsoft Patch day, Adobe released a security bulletin describing 18 vulnerabilities in the popular rich media web plug-in. There’s no point in covering the flaws individually, as the majority of them share the same scope and impact. In short, most of the flaws involve memory corruption issues that a smart attacker could leverage to execute code on your PC. The attacker would only have to entice you to a web site containing malicious code. In other words, most of them help attackers setup drive-by download attacks.

Though it doesn’t appear attackers are exploiting any of these flaws in the wild yet, Adobe rates there severity a “Priority 1″ for Windows and Mac users. This means you should patch within 72 hours. If you use Flash, go get the latest version, and check out Adobe’s security bulletin if you’d like more details. — Corey Nachreiner, CISSP (@SecAdept)

Adobe Patches Flash but Delays Reader Update

Summary:

  • This vulnerability affects: Adobe Flash Player running on all platforms and Adobe Air
  • How an attacker exploits it: By enticing users to visit a website containing malicious Flash content
  • Impact: In the worst case, an attacker can execute code on the user’s computer, potentially gaining control of it
  • What to do: Download and install the latest version of Adobe Flash Player for your platform

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

In a security bulletin released this week during Patch Day, Adobe released an update that fixes a dozen security vulnerabilities affecting Flash Player running on any platform. The bulletin doesn’t describe the flaws in much technical detail, but does say most of them consist of various types of memory corruption flaws. If an attacker can entice one of your users to visit a malicious website containing specially crafted Flash content, he could exploit many of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PCs.

Though attackers aren’t exploiting these flaws in the wild yet, Adobe rates them as a “Priority 1” issues for Windows, Mac, and Linux users, and recommends you apply the updates within 72 hours. These vulnerabilities also affect other platforms as well, though not as severely. I recommend you update any Flash capable device as soon as you can.

As an aside, though Adobe promised a Reader update this month, they seem to have delayed it for some reason. You may want to keep an eye on Adobe’s Security page for more updates.

Solution Path

Adobe has released new versions of Flash Player to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

You can download Flash for your computer at the link provided below. See the bulletin’s “Affected Software” section for more details on getting Flash updates for other platforms:

Keep in mind, if you use Google Chrome or Internet Explorer 10 or 11 you’ll have to update it separately.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash content. Keep in mind, doing so blocks all Flash content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extensionMIME type, or by using very specific hexidecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify various Flash files:

File Extension:

  • .flv –  Adobe Flash file (file typically used on websites)
  • .fla – Flash movie file
  • .f4v – Flash video file
  • .f4p – Protected Flash video file
  • .f4a – Flash audio file
  • .f4b – Flash audiobook file

MIME types:

  • video/x-flv
  • video/mp4 (used for more than just Flash)
  • audio/mp4 (used for more than just Flash)

FILExt.com reported Magic Byte Pattern:

  • Hex FLV: 46 4C 56 01
  • ASCII FLV: FLV
  • Hex FLA:  D0 CF 11 E0 A1 B1 1A E1 00

(Keep in mind, not all the Hex and ASCII patterns shared here are appropriate for content blocking. If the pattern is too short, or not unique enough, blocking with them could result in many false positives) 

If you decide you want to block Flash files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.

Status:

Adobe has released updates to fix these Flash vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Adobe Patches Rosetta Flash Vulnerability

Summary:

  • This vulnerability affects: Adobe Flash Player  14.0.0.125 and earlier, running on all platforms (and Air)
  • How an attacker exploits it: By enticing you to run specially crafted Flash content (often delivered as a .SWF file)
  • Impact: Varies, but in one case an attacker can leverage this flaw to gain access to sensitive content from other web domains you visit.
  • What to do: Download and install the latest version of Adobe Flash Player (version 14.0.0.145 for computers)

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

In a security bulletin released this week, Adobe announced a patch that fixes three vulnerabilities in Adobe Flash Player 14.0.0.125 and earlier, running on all platforms.

Adobe characterizes two of the vulnerabilities as “security bypass” flaws, and states that attackers could exploit at least one of them to take control of the affected system. However, it’s the third vulnerability that is most interesting and is getting media attention.

A security researcher, Michele Spagnuolo, posted a blog article describing a complex, multi-layered vulnerability called the Rosetta Flash flaw, which involves both the Flash vulnerability, but also depends on JSONP-based web applications. If you’re interested in the intricate technical details of the attack, I recommend you check out the Spagnuolo’s blog post, or presentation. The scope of the vulnerability is a little easier to understand. If an attacker can trick your users into running specially crafted Flash content, he can potentially take advantage of this flaw to steal your user’s information from certain third party domains that use JSONP-based applications. When first discovered, this included domains like Ebay, Tumblr, and some Google applications However, these big companies have since modified their web applications to prevent this flaw.

In any case, Adobe rates these issues as a “Priority 1” issues for Windows and Mac, and recommends you apply the updates as soon as possible (within 72 hours).   However, the vulnerability technically affects other platforms as well, so I recommend you update any Flash capable device as soon as you can.

Solution Path

Adobe has released new versions of Flash Player (14.0.0.145 for computers) to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

  • Download Flash Player for your computer:
NOTE: Chrome and newer versions of IE ship with their own versions of Flash, built-in. If you use them as you web browser, you will also have to update them separately, though both often receive their updates automatically.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash (and Shockwave) content. Keep in mind, doing so blocks all Flash content, whether legitimate or malicious.

Finally, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Adobe’s Flash update to completely protect yourself from all of these flaws.

Status:

Adobe has released updates to fix these Flash vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Follow

Get every new post delivered to your Inbox.

Join 7,868 other followers

%d bloggers like this: