Category Archives: News

Microsoft patches the Patch Tuesday patch that broke authentication

Two of the big-news vulnerabilities in this month’s Patch Tuesday updates from Microsoft were CVE-2022-26923 and CVE-2022-26931, which affected the safety of authentication in Windows.

Even though they were so-called EoP holes rather than RCE bugs (elevation of privilege, instead of the more serious problem of remote code execution), they were nevertheless rated Critical, given that the bugs applied to Active Directory (AD) and Windows Domain Controllers (DCs).

The name domain controller means exactly what it says: DCs are servers that look after authentication and access control for users, computers, services and devices for an entire network domain.

An old Latin satirical poem wryly asks, “Quis custodiet ipsos custodes?” (Who will guard the guards themselves?), and in the case of a Windows network, the short answer is that the guard that guards everything else is your domain controller.

In other words, an authentication bypass against your domain controller could quickly lead to compromise of almost everything else on your network.

Mishandled digital certificates

Simply put, anyone who’s already inside your network, even if they’re logged in with (or have compromised) an account with minimal access rights, could use domain controller EoP bugs of this sort to grant themselves the same sort of power that only your most trusted sysadmins would normally be allowed.

Ironically, the CVE-2022-26923 and CVE-2022-26931 bugs only seem to apply if you’re using digital certificates for added authentication security.

(These are the same sort of digital certificates that browsers and websites use for securing HTTPS connections, or that apps use to prove to the operating system that they haven’t been tampered with since they were approved for use.)

Apparently, adding a $ sign at the end of a computer name could cause the mis-verification of authentication certificates, as could creating cunningly-crafted certificates that identified the holder of the certificate in two different and inconsistent ways.

Even though these weren’t RCE bugs; even though they weren’t already zero-days known to cybercriminals; and even though attackers would need to break into your network first to be able to exploit them at all…

…you can see why Microsoft would regard them as critical bugs.

A step too far

Unfortunately, the KB5014754 update went a bit too far in some cases, and in making it harder for bogus users and programs to get in where they shouldn’t, Microsoft also locked out some legitimate services as well.

Some Windows services authenticating with digital certificates were looked up incorrectly in the Active Directory database, and were therefore denied access when they should have been let in.

Microsoft quickly acknowledged the problem, with Elizabeth Tyler of the Detection and Response team tweeting just two days after Patch Tuesday to say:

There was apparently a workaround, officially explained by Microsoft in its KB5014754 article, but it involved manually updating a database entry entitled altSecurityIdentities in each service’s Active Directory database record.

Elizabeth Tyler returned to Twitter today to confirm that this buggy patch has now been patched:

There’s also a knowledgebase article numbered KB5015013 that you can consult for further details.

According to KB5015013, the bugs fixed in this out-of-band patch-for-the-patch:

  • Only apply to Domain Controllers. Other servers and end-users’ computers are not affected.
  • Only affect authentication for some Windows services and protocols, namely Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).

Patches-that-need-patches inevitably give our own preferred principle of Patch early, Patch often a bad name…

…but in this case, keep in mind that the original security flaws were rated Critical; that the errant patch didn’t affect all Windows authentication; that there was a workaround for those willing to employ it; and that rolling back this patch (while leaving all the other Patch Tuesday fixes in place) was a viable temporary fix.

And although it’s easy to look back through rose-tinted spectacles and remember a distant past in which security patches hardly ever needed patches, that’s the same distant past where there were hardly any security patches to start with.

(It’s also a distant past where almost any stack buffer overflow discovered in Windows was almost certainly exploitable with almost no effort and with almost immediate effect.)

So we’re still going to say, as we did when we wrote about the latest VMware patches just a few hours ago: Don’t delay – do it today.


US Government says: Patch VMware right now, or get off our network

On Wednesday this week, virtualisation behemoth VMware published a security advisory describing two just-patched security holes in its products.

Virtualisation in general, and VMware’s product set in particular, is widely used to turn individual physical computers into several “virtual computers” that share the same physical hardware.

These virtual computers, known in the jargon as VMs (short for virtual machines), realistically pretend to be independent computers in their own right, each one booting and running an operating system of its own, as a physical computer would.

This means that one physical server, located in an on-site server room or in a cloud data centre, can flexibly be divvied up amongst multiple different users, who could come from separate departments in one organisation, or even from different companies.

Each user gets access to what looks like, feels like, and runs like a computer of all their own, with an operating system and application stack of their own choice.

Each VM, known in the jargon as a guest, has its own virtual hard disks, stored as regular files on the physical server, known as the host.

This means you can not only divide up one physical disk array into a variety of differently-sized guest disks, to suit the varying needs of the various guest users, but also easily snapshot and archive entire VMs by copying their virtual disk files.

You can even clone an existing VM, and migrate the files that store its content to another physical server, in order to adapt quickly to rising demand for service or to recover from regional outages.

Risks and challenges

As you can imagine, however, this flexibility comes with some significant risks and challenges.

Firstly, the virtualisation software needs to stop guest VMs on the same physical computer from interfering with each other (or, worse, from interfering with the host operating system itself), given that they all share and compete for the same physical RAM and peripherals.

Secondly, given that some networks may have tens of thousands of VMs or more running in data centres across the world at any moment, the control software that manages this ocean of VMs needs to be especially resilient against attack by unauthorised users.

Ransomware crooks, in particular, love to get access to VM control panels, not least because:

  • If they can inject their malware into thousands of VMs in one go, they can scramble all your VMs “from inside” at the same time, possibly with one button-click from a central console.
  • If they can simultaneously halt all the VMs on a physical server, then the VM virtual disk files in the host operating system will no longer be locked for use by the virtualisation software, so any ransomware launched on the host will simply scramble the virtual disks along with everything else.

Indeed, when the infamous REvil ransomware crime gang put up $1,000,000 in Bitcoin in 2020 as an enticement to attract new network hacking “affiliates” to its underworld business, knowledge of Hyper-V (Microsoft’s virtualisation software) was explicitly listed amongst the necessary “experience and skills”.

Other necessary skills for a “job” with REvil, in case you’re wondering, included experience with backup devices such as NAS and tape, representing another part of your network infrastructure that ransomware criminals like to attack before they launch their file-scrambling denouement.

With your VMs disrupted along with all your regular computers, the attackers aim to increase the extent to which they derail your business. With your backups disrupted, ransomware attackers aim to decrease your ability to recover on your own, so that they can squeeze you harder with their blackmail demands for decrypting your scrambled files.

The latest bugs

The latest VMware updates close off two security vulnerabilities in the VM control and management tools that the company provides:

  • CVE-2022-22972. Authentication bypass. Products affected: VMware Workspace ONE Access, Identity Manager and vRealize Automation.

    A cybercriminal who already had a foothold on your network, even if they were only a regular user with limited security entitlements, could launch and access the above management tools as an administrative user. Although this wouldn’t give the attacker sysadmin equivalence on the physical network, it could put them instantly in charge of your entire fleet of virtual servers.

  • CVE-2022-22973. Elevation of Privilege (EoP). Products affected: VMware Workspace ONE Access and Identity Manager.

    While the first bug means that an invader could level up to your own sysadmins inside the VM management tools, this bug means that the invader could abuse the VM tools to level up to your sysadmins on the computer where they have their foothold.

Ironically, therefore, these VMware security holes could be combined to give an intruder a leg-up to both physical and virtual root-level powers at the same time.

What the government says

Note that neither of these bugs can be abused from outside your network for what’s known as RCE, short for remote code execution.

As the name suggests, RCE bugs are especially dangerous because they often provide a way for criminals to inject malware into your network in the first place, as the launching point for an intrusion.

Nevertheless, the US government thinks that CVE-2022-22972 and CVE-2022-22973 are sufficiently serious, given their potential for abuse by attackers, that it has issued Emergency Directive 22-03: Mitigate VMware Vulnerabilities.

This document doesn’t just talk about the risks, as we have above, or advise government agencies to get busy with their patching.

If you strip out the officialese and the bureaucratic boilerplate from this Directive, you are left with these very simple but uncompromising instructions:

  • FIND all unpatched copies of all affected products on your network;
  • PATCH them if you can, without delay, or
  • REMOVE them from the network at once if you can’t patch, and do it
  • NOW (deadline 2022-05-23T20:59Z, i.e. before 5pm EDT/2pm PDT next Monday).

And then:

  • REPORT what you did to comply with the first 3 steps (deadline 2022-05-24T15:59Z, i.e. before noon EDT/9am PDT next Tuesday).

In three words: discover, remediate, report.

Or, as we like to say on Naked Security: Don’t delay – do it today!





S3 Ep83: Cracking passwords, patching Firefox, and Apple vulns [Podcast]


  • [00’22”] Fun Fact. What does the word “non-commensurate” mean?
  • [01’41”] When is cracking passwords legal?
  • [11’08”] Why did Firefox get patched?
  • [15’20”] This Week in Tech. Which computer needed dropping onto the desk?
  • [17’56”] Why wasn’t this 0-day listed in every Apple update?
  • [23’50”] Oh! No! Did Duck get spammed, or was it actually a troll?

With Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.


Listen on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.
Or simply drop the URL of our RSS feed into your podcatcher.


Pwn2Own hacking schedule released – Windows and Linux are top targets

The 2022 edition of the famous (or infamous, depending on your viewpoint) Pwn2Own competition kicks off later today in Vancouver, British Columbia.

(Actually, it’s a so-called “hybrid” event this year, so that entrants who can’t or don’t want to travel, whether for coronavirus or environmental reasons, can participate remotely.)

Numerous vendors have put forward monetary prizes for hacking various of their products, with this year’s potential targets being:

  • Virtualisation: Oracle VirtualBox, VMware Workstation, VMware ESXi, Microsoft Hyper-V Client.
  • Browsers: Google Chrome, Microsoft Edge, Apple Safari, Mozilla Firefox.
  • Enterprise Apps: Adobe Reader, Office 365 ProPlus.
  • Servers: Microsoft RDP/RDS, Exchange, SharePoint, Samba.
  • Endpoint OSes: Ubuntu Desktop, Windows 11. (Elevation of Privilege only)
  • Enterprise Communications: Zoom, Microsoft Teams.
  • Automotive: a range of categories based on Tesla 3 vehicles.

Intriguingly, the Servers and Enterprise Apps categories attracted exactly zero hackers each this year.

Browsers and Virtualisation were considered similarly uninteresting, it seems, with just one entrant each taking on Firefox and Safari, and a solitary hacker having a go at VirtualBox.

Windows 11 and Ubuntu Linux attracted seven and five entries respectively; four contestants will take a pop at Teams; and two will have a go at various aspects of the Tesla 3.

A hacking lottery

The rules of Pwn2Own are somewhat strange, given that some entrants may end up not actually competing at all.

The Tesla hackers (two different categories), plus the browser and virtualisation entrants, will all definitely get a turn, because they’re the only competitors in their categories.

Either they’ll succeed in their designated half-hour slot, and claim their prizes, or they’ll fail and go home empty handed.

Everyone else’s participation depends on what’s already happened.

Pwn2Own isn’t like, say, a time-trial sporting event (think downhill skiing), where even if the first entrant beats the current world record and seems to have set an invincible time, they still have to wait until the very last competitor finishes to find out if their early time was good enough.

In Pwn2Own, in contrast, the first entrant to complete the course wins the prize and closes the category for everyone else – if it were downhill skiing, the first skier wouldn’t have to break a record to win right away, they’d just need to get to the bottom without falling over or exceeding a pre-specified time limit.

Speed is not entirely unimportant in Pwn2Own. You have a maximum of three attempts to show that your hack actually works, each lasting a maximum of five minutes, and you’ve got 30 minutes in total to complete your three tries.

In other words, you need to come fully prepared, with your research properly written up. Pwn2Own is very definitely not a movie-style “hack-it-live-and-see-what-happens” event. You don’t just need to break in, you need to know the intimate details of how and why your attack works, so that it can reliably be fixed.

Ironically, the most dramatic entries aren’t those where the competitor finally and frenziedly hacks the system with seconds to spare, which is how it might typically happen in Hollywood. The hacks that get the biggest gasps typically involve spectacularly well-prepared entrants simply walking up to the system, launching their scrupulously well-researched attack with a single click or command, and succeeding right away, with no apparent drama at all.

The downside of popularity

The lottery that determines the order of competition makes a big difference to the competitors.

The seventh entrant drawn in the Windows 11 category, for example, can’t win simply by being the best, or the fastest, or by some other superlative achievement – they can only win if all the previous six entrants fail completely, and then their hack works.

Anyway, watch this space for the results, which will all be known by 14:00 Vancouver time (currently UTC-7) at the latest on Friday 2022-05-20.

The last day could, in fact, be a total washout, because only Teams, Windows and Linux are scheduled for hacking on Friday, and all those prizes may already be done and dusted by the end of today!

The order of hacks in Pwn2Own 2022 is as follows:

  • Later today: Teams, VBox, Teams, Firefox, Windows, Linux, Teams, Safari, Linux, Windows
  • Tomorrow: Tesla (infotainment), Windows, Linux, Tesla (diagnostics), Windows, Linux
  • Friday: Teams, Windows, Linux, Windows, Windows

What do you think?

As for this “winner takes it all and everyone else takes their exploits home” approach, what do you think?

Do hacking spectaculars of this sort improve the state of cybersecurity by promoting the discipline needed for complete and well-documented research, so that underlying problems are properly exposed, not merely papered over with patches?

Or do they work against cybersecurity in real life by potentially delaying the early disclosure of partial results that could have been fixed months earlier if only they hadn’t been kept back for competitive purposes?

Have your say in the comments below…


Apple patches zero-day kernel hole and much more – update now!

Apple’s latest security updates have arrived.

All still-supported flavours of macOS (Monterey, Big Sur and Catalina), as well as all current mobile devices (iPhones, iPads, Apple TVs and Apple Watches), get patches.

Additionally, programmers using Apple’s Xcode development system get an update too.

The details are below.

All the details and bulletin numbers

The bug fixes for iPhones and iPads include remote code execution flaws (RCEs) in components from the kernel itself to Apple’s image rendering library, graphics drivers, video processing modules and more. Several of these bugs warn that “a malicious application may be able to execute arbitrary code with kernel privileges”. That’s the sort of security hole that could lead to a complete device takeover – what’s known in the jargon as a “jailbreak”, because it escapes from Apple’s strict lockdown and app restrictions.

Kernel-level code execution holes could grant an attacker control over the entire system, including the parts that manage the security of the rest of the system.

Other notable bugs include: a flaw that could allow rogue apps to evade their sandbox restrictions (such as accessing files they’re not supposed to see, or using resources such as your camera or microphone that they shouldn’t have access to); a Safari bug that could allow you to be tracked even in Private Mode; and a hole in the Security subsystem that provides a way for sneakily modified apps to bypass the digital signature check by which the operating system is supposed to verify that they haven’t been tampered with.

Lastly, there’s a lock screen bug, whereby someone who picks up your iPhone while you’re not looking (or who steals it, of course) could access your photos without knowing the unlock code.


Macs get patches for many of the same bugs listed above in the iPhone and iPad section. There are several “bonus bugs” that apply only to macOS, notably in laptop/desktop components such as AppleScript, a powerful system automation tool that allows you to launch and control apps, including entering keystrokes, clicking the mouse, configuring devices such as your microphone and webcam, and snapping screenshots.

There’s also a patch for CVE-2022-0778, a cryptographic bug in OpenSSL that was patched by the OpenSSL team nearly two months ago. You may remember that bug – it was what’s known in the jargon as a code smell, a poorly laid out and badly-programmed loop that didn’t check carefully enough whether it had exceeded the maximum time it was supposed to spend verifying a digital certificate.
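The loop concerned in CVE-2022-0778 is OpenSSL’s modular square root routine, which only provably terminates when its modulus really is prime, a property that attacker-supplied certificate parameters need not have. As an added illustration that is neither this article’s nor OpenSSL’s code, here is a Tonelli-Shanks modular square root in Python in which every loop is capped at its mathematical bound and the answer is verified before it is returned; the function names and the exception type are this example’s own choices.

```python
import math


class IterationBudgetExceeded(Exception):
    """Raised when a loop runs past the bound a valid (prime) modulus allows."""


def mod_sqrt(a, p):
    """Return r with r*r == a (mod p), or None if no root can be verified.

    p is *assumed* prime. If it is not, the Tonelli-Shanks loops below are
    not guaranteed to converge, so each one carries an explicit cap and the
    candidate root is checked before it is handed back.
    """
    a %= p
    if a == 0:
        return 0
    if p == 2:
        return a
    if pow(a, (p - 1) // 2, p) != 1:
        return None                       # Euler criterion: not a residue
    if p % 4 == 3:                        # closed form, no search loop at all
        r = pow(a, (p + 1) // 4, p)
        return r if r * r % p == a else None

    # Write p - 1 = q * 2^s with q odd; s bounds every loop that follows.
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1

    # Find a quadratic non-residue z. For prime p one always exists below
    # sqrt(p) + 1, so running past that limit means p is not prime.
    z, z_limit = 2, math.isqrt(p) + 1
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
        if z > z_limit:
            raise IterationBudgetExceeded("no non-residue found")

    m, c = s, pow(z, q, p)
    t, r = pow(a, q, p), pow(a, (q + 1) // 2, p)
    rounds = 0
    while t != 1:
        rounds += 1
        if rounds > s:                    # m strictly decreases every round
            raise IterationBudgetExceeded("outer loop did not converge")
        # Least i with t^(2^i) == 1; for prime p it satisfies 0 < i < m.
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
            if i >= m:
                raise IterationBudgetExceeded("inner loop did not converge")
        b = pow(c, 1 << (m - i - 1), p)
        m, c = i, b * b % p
        t, r = t * c % p, r * b % p

    return r if r * r % p == a else None


def safe_mod_sqrt(a, p):
    """Parser-facing wrapper: never hangs, never returns an unverified root."""
    try:
        return mod_sqrt(a, p)
    except IterationBudgetExceeded:
        return None
```

With a composite modulus the wrapper either returns a root that squares back to the input or fails closed with None; it never spins.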

Intriguingly, OpenBSD’s LibreSSL, a “security enhanced” replacement for OpenSSL that was introduced after the infamous Heartbleed flaw in the OpenSSL code, is listed as having been patched against exactly the same bug. This is a timely reminder not only that software projects with common origins may share latent bugs for years after development diverges, but also that operating systems often have many different code libraries with similar or overlapping functionality.

Apple macOS, for example, includes at least LibreSSL, OpenSSL and Apple’s own proprietary cryptographic library known as Secure Transport.


Apple’s still-supported but previous version of macOS, Big Sur, includes patches for many of the same bugs as Monterey, with the notable addition of a video decoding bug that gives remote attackers a way to acquire kernel-level powers, presumably via booby-trapped files.

In this case, we say “gives attackers”, not “might or could give attackers”, because this bug, CVE-2022-22675, is what’s known as a zero-day. Cybercriminals found it first and are already exploiting it in the wild.

As we mentioned above, kernel-level remote code execution exploits are often enough for a complete system compromise, making them highly sought after amongst jailbreakers, cybercriminals and the creators of spyware and other surveillance tools.

Whatever you do, don’t miss this update!


Like Big Sur (but unlike iOS, even though tvOS has the same version number as iOS), the latest tvOS update fixes CVE-2022-22675, the in-the-wild kernel-level RCE bug described above.


Despite the significantly different version number from tvOS (8.6 instead of 15.5), Apple Watch users also get a patch for the zero-day video decoding bug CVE-2022-22675.


Catalina, the pre-previous version of macOS, and its oldest currently supported flavour, gets many of the same patches as Big Sur.

However, CVE-2022-22675, the zero-day hole that was fixed in Big Sur, tvOS and watchOS, doesn’t seem to be present here. We’re assuming that the bug was introduced after Catalina was released, thus leaving it immune.


This update fixes two RCE flaws that could be triggered simply by viewing booby-trapped content. Apple isn’t saying what sort of content, but given that the bug is in WebKit, the web rendering engine, rather than one of Apple’s multimedia libraries, we’re guessing the bug relates to the handling of web-specific data such as HTML, CSS or JavaScript.

Note that this update won’t be offered to you unless you have macOS Big Sur or macOS Catalina. In macOS Monterey and all of Apple’s mobile device platforms, these patches are included in the main system update.

Don’t forget, therefore, that if you are a Big Sur or a Catalina user, you will be installing two updates, not just one, with Safari updated separately from the rest of the operating system.


Programmers should get this update, especially if they use the popular source code management system Git.

According to the brief report on CVE-2022-24765, “on multi-user machines Git users might find themselves unexpectedly in a Git worktree.” This sounds like an authentication bypass of sorts, as though while logged in as user X you might suddenly get access to source code belonging to user Y or to project Z that you’re not working on.


What to do?

Most Apple users have automatic updating turned on these days, and therefore expect to get the latest security fixes pushed to them anyway, without needing to keep track of when updates get published.

Nevertheless, we strongly recommend that you check for updates manually whenever you know that there are fixes on offer, especially if there are kernel-level flaws or zero-day bugs. (Or, as happened here, both at the same time!)

Why risk being behind when you could be ahead?

As the zero trust school of cybersecurity suggests: never assume; always verify, so:

  • On your iPhone or iPad: Settings > General > Software Update
  • On your Mac: Apple menu > About this Mac > Software Update…

Take care out there!

