Meltdown and Spectre: Breakdown of the Recent CPU Security Bug

Much like Icarus flying too close to the sun, CPU manufacturers, in trying to keep up with Moore's law, have left open a serious vulnerability that will haunt us for years to come.

What is the cause of the vulnerability?

Almost all modern CPUs have a feature called "speculative execution", which increases speed by predicting which path of a branch is most likely to be taken and speculatively continuing execution down that path even before the branch condition has been resolved.

What are Meltdown and Spectre?

Both exploits abuse speculative execution to access privileged memory, allowing a lower-privilege user process to read it.

So why is this a big issue?

One of the core security mechanisms is the isolation of programs. Most programs run in an isolated space and can only access their own data. This stops malicious programs from reading or modifying others. This vulnerability breaks that core security principle, and since the flaw is at the hardware level, any software patch is limited in what it can do.

Essentially, almost all the rules that protect programs in a computer from each other are now null and void.

How does this affect me?

This would allow any process in user space, for example JavaScript running in a browser, to read sensitive information in memory, e.g. sessions, passwords, etc. It would also allow programs running with lower privileges to read kernel memory. Cloud service providers, who rely heavily on isolation, are also affected.

There are innumerable combinations of attacks possible due to this vulnerability. We will be seeing many more "exploits" that make use of it against specific systems and programs in the future.
POC:

How are they different?

Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.
Spectre is easier to fix than Meltdown.

Why is it called Meltdown?

The bug basically melts security boundaries which are normally enforced by the hardware.

Why is it called Spectre?

The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time.

How do I know if I am vulnerable?

Almost all Intel processors made since 1995 are vulnerable to Meltdown.

Almost all devices (desktops, laptops, smartphones, etc.) are affected by Spectre. The vulnerability has been verified on AMD, Intel and ARM processors.
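The check a Linux administrator would run for the question above, as an added example that is not part of the original post: since kernel 4.15 the kernel reports each issue as a file under /sys/devices/system/cpu/vulnerabilities/, and this script classifies those entries (the sample directory it builds is constructed, so it also runs where that interface is absent).

```python
"""Classify Linux speculative-execution vulnerability status from sysfs.

Added example (not from the original post). Each file under the sysfs
directory (for example meltdown, spectre_v1, spectre_v2) contains
"Not affected", "Vulnerable", "Vulnerable: <partial mitigation>" or
"Mitigation: <name>". The sample values used in main() are constructed.
"""
import os
import tempfile

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(status: str) -> str:
    """Map one sysfs status line to 'not_affected', 'mitigated' or 'vulnerable'."""
    s = status.strip().lower()
    if s.startswith("not affected"):
        return "not_affected"
    if s.startswith("mitigation"):
        return "mitigated"
    # "Vulnerable" and "Vulnerable: <partial mitigation>" both count as exposed
    return "vulnerable"


def read_status(directory: str = SYSFS_DIR) -> dict:
    """Return {issue_name: raw_status} for every file in the directory, {} if absent."""
    if not os.path.isdir(directory):
        return {}  # kernel too old to report, or not Linux: caller treats as unknown
    result = {}
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name), encoding="utf-8") as fh:
            result[name] = fh.read().strip()
    return result


def verdict(statuses: dict) -> str:
    """'unknown' if nothing reported, 'vulnerable' if any issue is exposed, else 'ok'."""
    if not statuses:
        return "unknown"
    if any(classify(v) == "vulnerable" for v in statuses.values()):
        return "vulnerable"
    return "ok"


def make_sample_dir(entries: dict) -> str:
    """Build a constructed stand-in for the sysfs directory (offline runs and tests)."""
    directory = tempfile.mkdtemp(prefix="vulns_")
    for name, text in entries.items():
        with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
            fh.write(text + "\n")
    return directory


if __name__ == "__main__":
    # Constructed sample: Meltdown mitigated by page-table isolation, Spectre v2 not yet
    sample = make_sample_dir({
        "meltdown": "Mitigation: PTI",
        "spectre_v1": "Mitigation: __user pointer sanitization",
        "spectre_v2": "Vulnerable",
    })
    statuses = read_status(sample)
    for issue, raw in statuses.items():
        print(f"{issue:12} {classify(raw):13} ({raw})")
    print("verdict:", verdict(statuses))
    # On a real host: print(verdict(read_status()))
```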

How do I patch?

Please have a look at this great list that Gizmodo provides:

https://gizmodo.com/check-this-list-to-see-if-you-re-still-vulnerable-to-me-1821780843

System admins, please have a look at:
https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in (requires PowerShell v5)

Verify that your AV is compatible with the patches:
https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0

There have been reports that the patches cause a 10 - 30% reduction in system performance (which Intel denies). We might need to wait and watch for at least a week to get clarity on this issue.


A note to the security community:

It would be easy to blame the chipset manufacturers and point fingers at them. But we really dropped the ball on this one. What should have been found much, much earlier has taken decades to come to light, and now it is going to affect us for years.

Why is that?

Have all of us been so concentrated on OS, application, networking and web-level vulnerabilities that we have completely forgotten to check the base they all run on?

I think all of us (including me) should start looking into how we can help identify such vulnerabilities in the future.


We should also have a serious look into disclosure timelines and practices. Who decides how to approach disclosure of such high-impact vulnerabilities? Yes, I understand the logic that the "bigger" tech companies are given first priority so that the majority of users are patched. But such a long drawn-out timeline (this bug was found in June 2017, 6 months ago) seriously puts the small guys at risk, as it increases the chances of one rogue person exploiting such vulnerabilities silently.

While US-CERT might have been aware of this vulnerability, were regional CERTs like CERT-In informed? Why not?

From reading the first set of advisories, I can see that only "Western" companies seem to have been aware of this vulnerability before January 3rd. Why is that? Does our industry have a bias? Think on this.

https://meltdownattack.com/#faq-advisory


This also brings in ethically gray issues like this:
https://www.businessinsider.in/intel-was-aware-of-the-chip-vulnerability-when-its-ceo-sold-off-24-million-in-company-stock/articleshow/62359605.cms

Should our CIOs, CTOs and CEOs be allowed to sell company stock once they know that there is a security breach or a vulnerability? Who watches them and ensures compliance? Are the current laws against insider trading enough? All such questions need to be answered sooner or later.


References:
https://en.wikipedia.org/wiki/Speculative_execution
https://meltdownattack.com/meltdown.pdf
https://spectreattack.com/spectre.pdf
https://meltdownattack.com/
https://googleprojectzero.blogspot.in/2018/01/reading-privileged-memory-with-side.html
http://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html


Outpost24 researchers find major flaws in Sauter SCADA systems

Flaws in Sauter's moduWEB Vision SCADA product can be exploited by remote attackers to take full control of the product. The flaws were identified by researchers at the vulnerability management company Outpost24.

Sauter is a Switzerland-based company that specializes in building automation and system integration products. moduWEB Vision is a web-based visualization solution designed to allow users to operate and monitor building technologies remotely.

One of the flaws in the product is that although Sauter tells its users to change the password of the administrator account, there are other default accounts which are not covered in the vendor's documentation, leaving them exposed to attackers.

Attackers can then reset the system to its default configuration, change the configuration or disable devices, and modify all passwords.

Attackers do not need to crack the hash to access the admin account; instead, they can use it directly to authenticate to the system.

The research team found that some of the passwords are transmitted in clear text (CVE-2015-7915) when populating the password field in cases where the "keep me logged in" feature is enabled, but this feature is only available in newer versions of the SCADA system.

In addition, an attacker can leverage a persistent cross-site scripting vulnerability found in the user and events management panels to elevate privileges and execute commands on behalf of an administrator.

Installations of the product are exposed to the internet, which makes them easy to find and probe, because the product runs on a web server that returns distinctive header information.

The vendor has released firmware version 1.6.0 to address the issues, but Outpost24 alleges that some of the vulnerabilities are still unaddressed.

The vulnerabilities were reported to the company last year in April.

Google researchers discover another security flaw in FireEye

Security company FireEye is no stranger to vulnerabilities being found in its products. This time, FireEye rushed to patch a remote code execution (RCE) vulnerability affecting its Malware Protection System (MPS), reported by Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich.

FireEye said that the RCE vulnerability affected the company's Network Security (NX), Email Security (EX), Malware Analysis (AX), and File Content Security (FX) products.

Researchers have found vulnerabilities in FireEye's products before. In September, FireEye patched vulnerabilities reported by Kristian Erik Hermansen and Ron Perris. Hermansen claimed that he had disclosed the details of a flaw 18 months prior to its public disclosure and before FireEye could release a fix.

In September, five other vulnerabilities were reported by the German security firm ERNW. The issues, including command injection, code execution, privilege escalation and memory corruption vulnerabilities, affected the NX, EX, AX, FX, HX (Endpoint Security) and CM (Central Management) products.

FireEye spokesman Kyrksen Storer said that, due to the vulnerability's severity, the company had released an automated remediation to customers just 6 hours after being notified.

“We are thankful for the opportunity to support the Google team in this process, will continue to support their efforts, and fully support the broader security research community’s efforts to test and improve our products,” Storer added.

Disable Java in your browsers if installed, as researchers have spotted a new Java-based zero-day exploit

Researchers from Trend Micro have found suspicious URLs hosting a newly discovered zero-day exploit in Java. A zero-day refers to a hole in software that is exploited by attackers before the vendor becomes aware of it.

Brooks Li, a threat analyst, and Feike Hacquebord, a senior threat researcher, who spotted this exploit, said that this was the first time in nearly two years that a new Java zero-day vulnerability had been reported.

The researchers learned about this exploit after receiving feedback from their Smart Protection Network.

According to the report, this new Java zero-day exploit is being used in spear-phishing attacks targeting the armed forces of a NATO country and a US defence organization.
This zero-day bug affects only the latest Java version, 1.8.0.45, not the older versions, Java 1.6 and 1.7.
The vulnerability has not yet been patched by the vendor.

According to the report, the URLs hosting the new Java zero-day exploit are similar to the URLs seen in the attack launched by the threat actors behind Pawn Storm, which targeted North Atlantic Treaty Organization (NATO) members and the White House in April 2015.

The researchers have asked users to disable Java in their browsers if it was installed for some application.

Drupal vulnerabilities: Update your installations as soon as possible

Drupal, an open-source content management system used by several organizations including the White House, the Prince of Wales, British Council EAL and Amnesty International, has urged users running either Drupal 6 or Drupal 7 to upgrade their websites immediately.

Drupal 6 users are requested to upgrade it to version 6.36 and Drupal 7 users to version 7.38.

The Drupal Security Team has released critical software updates to close the flaws that leave numerous businesses and government organizations open to attack.

“A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts,” the company’s advisory reads.

“This vulnerability is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers (including, but not limited to, Verisign, LiveJournal, or StackExchange),” the advisory explains.

The vulnerability could allow the attackers to impersonate other users, including all-powerful administrators, and thereby gain control of an unpatched website.

“The Field UI module uses a "destinations" query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks,” the advisory reads.

“Similarly, the overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability,” the advisory explains.

The vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission, and that the Overlay module must be enabled.
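The kind of validation the advisory says the Field UI and Overlay modules lacked, as an added example that is not Drupal's code: it accepts only same-site destinations and falls back to a local default otherwise (the hostnames and the function name safe_destination are assumptions).

```python
"""Validate a post-action redirect target so it stays on the current site.

Added example, not Drupal's own code. A "destination"-style query parameter
is only honoured when it is a site-relative path; absolute URLs,
protocol-relative URLs, alternate schemes and header-splitting characters
all fall back to `fallback`. Hostnames in the comments are constructed.
"""
from urllib.parse import unquote, urlsplit, urlunsplit


def safe_destination(destination: str, fallback: str = "/") -> str:
    """Return `destination` if it is a local path, otherwise `fallback`."""
    if not destination:
        return fallback
    # Decode once so "%2F%2Fevil.example" cannot smuggle a protocol-relative URL
    candidate = unquote(destination).strip()
    # Browsers treat backslashes like forward slashes in the authority position
    candidate = candidate.replace("\\", "/")
    # "//host" and "///host" both resolve off-site in browsers
    if candidate.startswith("//"):
        return fallback
    # CR/LF and other control characters can split headers or confuse the browser
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return fallback
    parts = urlsplit(candidate)
    # Any scheme (http:, javascript:, data:) or host component means off-site
    if parts.scheme or parts.netloc:
        return fallback
    # Rebuild without scheme/netloc so only path, query and fragment survive
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
```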

Researcher discloses a flaw in Samsung keyboard that leaves 600m Android devices vulnerable to hacking

A security researcher has disclosed a flaw in the keyboard installed on Samsung Android devices, including the recently released Galaxy S6, affecting over 600 million Samsung mobile device users, that could allow hackers to take full control of the smartphone or tablet.

Ryan Welton, a mobile security researcher at NowSecure, who discovered the vulnerability, wrote in the blog, “A remote attacker capable of controlling a user’s network traffic can manipulate the keyboard update mechanism on Samsung phones and execute code as a privileged (system) user on the target’s phone. The Swift keyboard comes pre-installed on Samsung devices and cannot be disabled or uninstalled. Even when it is not used as the default keyboard, it can still be exploited.”

The researcher said that the vulnerability was discovered last year. Samsung was notified in December 2014; however, Samsung asked NowSecure not to disclose the flaw until it could fix the problem.

NowSecure also notified CERT, which assigned CVE-2015-2865, and informed the Google Android security team.

The researcher pointed out that the flaw could allow an attacker to:

- Access sensors and resources like GPS, camera and microphone.
- Secretly install malicious app(s) without the user knowing.
- Tamper with how other apps work or how the phone works.
- Eavesdrop on incoming/outgoing messages or voice calls.
- Attempt to access sensitive personal data like pictures and text messages.

According to the researcher, the defective keyboard application can't be uninstalled. Similarly, it is not easy for a Samsung mobile device user to tell whether the carrier has patched the problem with a software update.

“However, in order to reduce the risk, avoid insecure Wi-Fi networks, use a different mobile device and contact your carrier for patch information and timing,” the researcher added.

Zomato fixed a security bug that allowed hackers to access personal data of 62 million users

Zomato, an online restaurant search and discovery service providing information on home delivery, dining out, cafés and nightlife in various cities across India and 21 other countries, has fixed a bug which could allow an attacker to gain access to the personal information of millions of users.

Anand Prakash discovered an Insecure Direct Object Reference (IDOR) vulnerability in the Zomato website.

IDOR occurs when an application provides direct access to objects based on user-supplied input. The vulnerability allows attackers to bypass authorization and access resources in the system directly by modifying the value of a parameter that points directly to an object, for example a database record or a file.

One of the API calls used for retrieving user information was insecurely coded. It fetched the information based only on the "browser_id" parameter passed in an HTTP GET request and failed to verify that the requesting user was authorized to access the requested data.

By sequentially changing the 'browser_id' value, an attacker was able to access users' personal information, such as names, email addresses, phone numbers and dates of birth.

"The data leaked also had Instagram access token which could be used to see private photos on Instagram of respective Zomato users," Prakash wrote in his blog.

Prakash reported the vulnerability to Deepinder Goyal, CEO of Zomato, on June 1, and the next day (June 2) the flaw was fixed by Gunjan Patidar along with his engineering team.
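The lookup described above beside a fixed version, as an added example that is not Zomato's code: the insecure handler trusts browser_id alone, while the secure one derives the caller's identity from a server-side session and checks ownership before answering (records, session cookies and field names are constructed).

```python
"""Insecure direct object reference: the described lookup beside a fixed one.

Added example, not Zomato's code. get_user_insecure() mirrors the bug in the
article: it returns whichever record the client-supplied browser_id points at.
get_user_secure() resolves the caller from a session first and only returns
a record the caller owns. All records, sessions and field names are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    browser_id: int
    name: str
    email: str
    instagram_token: str   # the kind of third-party secret the report says leaked


# Constructed data store keyed by a sequential browser_id
USERS = {
    1001: User(1001, "alice", "alice@example.com", "IGQV-alice-token"),
    1002: User(1002, "bob", "bob@example.com", "IGQV-bob-token"),
}
# Constructed session table: opaque session cookie -> browser_id of the logged-in user
SESSIONS = {"sess-alice-7f3a": 1001, "sess-bob-91c2": 1002}


def public_view(user: User) -> dict:
    """What the profile endpoint is meant to return (never the third-party token)."""
    return {"name": user.name, "email": user.email}


def get_user_insecure(browser_id: int) -> Optional[dict]:
    """Vulnerable pattern: the request parameter alone decides what is returned."""
    user = USERS.get(browser_id)
    if user is None:
        return None
    # Returning the whole record also exposes the Instagram token
    return vars(user)


def get_user_secure(session_cookie: str, browser_id: int) -> Optional[dict]:
    """Fixed pattern: identity from the session, then an ownership check on the object."""
    caller_id = SESSIONS.get(session_cookie)
    if caller_id is None:
        return None          # unauthenticated
    if caller_id != browser_id:
        return None          # authenticated but not the owner: answer as if not found
    user = USERS.get(browser_id)
    return public_view(user) if user else None
```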

You can also check the proof-of-concept video:

Google fixes comment cloning vulnerability in YouTube

Google has fixed a flaw in YouTube discovered by an Egyptian security researcher. The vulnerability allowed anyone to move or copy comments from one video to another without any user interaction.

On April 15, Ahmed Aboul-Ela wrote on his blog that he and his friend Ibrahim Mosaad had discovered the flaw, which allowed them to duplicate or copy any comment from one YouTube video to another.

Aboul-Ela wrote that they found it while testing the comment review features.
The two researchers focused on the setting that allows a user to hold comments for review before they are published. They found that if that feature is enabled, the comments are listed in a control panel labeled "held for review".

When anyone comments on a YouTube video, the comment_id and video_id appear in the POST parameters. If the video_id is changed to another video's id, the request returns an error. However, if the video_id is left untouched and only the comment_id is changed to that of any other comment on any YouTube video, the request is accepted and that comment is copied and appears on the requester's own video.

“The author of the comment does not get notified that his comment is copied onto another video nor the original comment from the original video doesn’t get removed,” Aboul-Ela wrote.

According to him, the flaw could be used to make a good video unpopular, and it could have been used to copy any celebrity's or public figure's comment and paste it onto their videos.

Aboul-Ela wrote that Google decided to award $3,133.7, which is the maximum payment for disclosing vulnerabilities in normal Google applications.

Android users worldwide exposed to malware risks

The network security company Palo Alto Networks has confirmed that it has discovered a vulnerability in Google's Android OS application installation procedure that can leave users potentially exposed to malware seeking control of the whole device. They have named the vulnerability 'Android Installer Hijacking'.

The vulnerability, a Time-of-Check to Time-of-Use (TOCTTOU) flaw, was discovered by Palo Alto in January last year. In simple words, it hijacks your device during the installation of an application and installs malware instead of the application.

The malware has been linked to people who frequently download from third-party application stores, which download the application you want to install into your phone's local (shared) storage area rather than the protected area that the Play Store downloads and installs its applications from.

Google's security team was informed of the vulnerability a month after Palo Alto found it. It can be used by hackers to exploit an Android device in various ways, with users' credit card information also being at risk.

The vulnerability has existed for a year according to Palo Alto's disclosure timeline, and measures like vulnerability scanners have been put in place to mitigate it.
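The TOCTTOU pattern described above in a small installer model, as an added example that is not Palo Alto's or Android's code: verifying a package in shared storage and then installing from the same path loses to a concurrent writer, while staging into private storage before the check does not (paths, package bytes and the swap_hook callback standing in for the concurrent writer are constructed).

```python
"""Time-of-check/time-of-use in an installer, beside a staged-copy fix.

Added example, not Palo Alto's or Android's code. install_unsafe() verifies
the package in shared storage and then installs from that same path, so a
file rewritten in between is what gets installed. install_safe() copies the
package into private storage first and verifies and installs that copy.
The swap_hook callback models another app writing to shared storage.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Callable, Optional


def sha256_of(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def install_unsafe(shared_path: str, expected_sha256: str,
                   swap_hook: Optional[Callable[[], None]] = None) -> bytes:
    """Check and use both refer to the same writable path: classic TOCTTOU."""
    if sha256_of(shared_path) != expected_sha256:          # time of check
        raise ValueError("package hash mismatch")
    if swap_hook:
        swap_hook()            # window in which another app can replace the file
    with open(shared_path, "rb") as fh:                    # time of use
        return fh.read()


def install_safe(shared_path: str, expected_sha256: str,
                 swap_hook: Optional[Callable[[], None]] = None) -> bytes:
    """Stage into private storage, then check and use only the private copy."""
    private_dir = tempfile.mkdtemp(prefix="app_private_")  # stands in for app-private storage
    staged = os.path.join(private_dir, "package.apk")
    shutil.copyfile(shared_path, staged)
    if sha256_of(staged) != expected_sha256:
        raise ValueError("package hash mismatch")
    if swap_hook:
        swap_hook()            # same window, but the shared file is no longer consulted
    with open(staged, "rb") as fh:
        return fh.read()


def write_file(path: str, data: bytes) -> None:
    with open(path, "wb") as fh:
        fh.write(data)


def demo(install: Callable) -> bytes:
    """Run one installer against a constructed package that is swapped mid-install."""
    shared = os.path.join(tempfile.mkdtemp(prefix="shared_"), "package.apk")
    genuine = b"GENUINE-APP"
    write_file(shared, genuine)
    swap = lambda: write_file(shared, b"MALICIOUS-APP")    # concurrent writer, constructed
    return install(shared, hashlib.sha256(genuine).hexdigest(), swap)


if __name__ == "__main__":
    print("unsafe installs:", demo(install_unsafe))   # MALICIOUS-APP despite the check passing
    print("safe installs:  ", demo(install_safe))     # GENUINE-APP
```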

Flaw in Sync Photos feature on Facebook mobile app

A hacker has found a new flaw in Facebook which allows any malicious application to view your synced mobile photos.

The Sync Photos feature allows users to sync their mobile photos with their Facebook account, and the photos remain private until you publish them. But by default this feature is turned on on many mobile phones.

Laxman Muthiyah found that the "vaultimages" endpoint of the Facebook Graph API handles these synced photos, and this endpoint was vulnerable.

The Facebook app would retrieve the synced photos using a top-level access token by making an HTTP GET request to a specific URL, enabling a malicious app to read all your private photos in seconds.

Laxman Muthiyah reported this flaw to the Facebook Security Team, who pushed a fix in less than 30 minutes and rewarded him $10,000 USD as part of their bug bounty program.

Microsoft SharePoint vulnerable to exception-handling web vulnerability

The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in the official Microsoft SharePoint Online (cloud-based) application.

The vulnerability allows remote attackers to inject their own malicious script code into a vulnerable module on the application side (persistent).

The vulnerability is located in the `Sharepoint Online Cloud 2013 Service` section when processing a request to the `Berechtigungen für den Metadatenspeicher festlegen` module with manipulated ms-descriptionText > ctl00_PlaceHolderDialogBodySection_PlaceHolderDialogBodyMainSection_ValSummary parameters. The persistent injected script code executes in the main `invalid BDC Übereinstimmung` web application exception handling.

The vulnerability can be exploited with a low-privileged (restricted) application user account and low or medium required user interaction.
Successful exploitation of the vulnerability results in persistent session hijacking, persistent phishing, stable external redirects, stable external malware loads and persistent vulnerable module context manipulation.

The vulnerability has been fixed.


Secunia and VLC get into fight over vulnerability report

Secunia and the VLC team got into a heated argument after Secunia set the patch status of their VLC vulnerability report to "Unpatched".

At the end of last year, the Secunia team reported a vulnerability (SA51464) in VLC version 2.x. The root cause of the vulnerability lies in the underlying FFmpeg library, which VLC statically links to. It was initially reported that the vulnerability was caused by a buffer overflow when parsing SWF files, which was incorrect (as Secunia reports).

When the VLC team learned about the issue they tried to fix it, but they missed the root cause and did not solve the core problem. They released the next VLC version and claimed it to be safe, but according to the Secunia team this was not the case. The VLC team kept releasing versions from 2.0.5 to 2.0.7 and claimed that the vulnerability was fixed.

When, after the release of version 2.0.6, the Secunia team still reported the vulnerability as unpatched, VLC approached Secunia and threatened to take legal action. As the Secunia team says: "On May 21st, 2013, the VLC team contacted us after office hours and threatened us with legal action if we did not update Secunia Advisory SA51464 and changed its patch status within 24 hours of sending the email."

The Secunia team did not back down even after that. The team says: "We conducted further analysis after we updated our advisory and concluded that the issue is exploitable even in the newly released version 2.0.7. We have therefore updated our advisory and set the patch status of Secunia Advisory SA51464 to unpatched. Any future legal action from the VLC team will be dealt with accordingly."

Later the vulnerability was fixed in version 2.1.0. One of the members of the VLC team commented on Reddit: "Of course there was a bug! Thanks for reporting. The issue has been properly fixed in 2.1.0. If the backport hasn't been done to 2.0 it's my responsibility, since it was late, I procrastinated it and then it slipped out of my mind due to real life contingencies. For that I apologize to our users and the rest of the team that has to deal with this drama."

The vulnerability is reported as fixed in version 2.1.0 by both the VLC and the Secunia team, but it was quite a session of arguments along the way.

Author: Shalini Bhushan