A Month In Breaches: March

This is an initiative by our Security Operations Centre team who have their eyes on the prize 24/7 and are proactively observing breaches and critical security trends.

Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. We hope this gives an extra boost to your overall understanding of the security breaches happening on the expansive and scary internet.

Critical Windows Zero Day Flaw

Microsoft has warned of a critical Zero Day flaw that could potentially allow Remote Code Execution (RCE) on Windows devices. The unpatched flaws are being exploited by attackers in “limited, targeted” attacks, the company said. The vulnerabilities are in Adobe Type Manager, a font management tool used on both Mac and Windows devices; the issue is in the Windows version, which improperly handles a specially crafted multi-master font (called the Adobe Type 1 PostScript format). Microsoft has indicated that there are multiple ways in which exploitation is possible. An adversary could convince a user to open a specially crafted document or view it in the Windows Preview pane, through which RCE is performed. All currently supported versions of Windows are affected, including Windows 10, as well as versions of Windows 7, Windows 8.1, Windows RT, Windows Server 2008, Windows Server 2012, Windows Server 2016 and Windows Server 2019.

As it is a Zero Day vulnerability, there is no patch available as of 24th March 2020, but there are a few recommendations from Microsoft. It is advised to disable the Preview pane and Details pane. This stops File Explorer from displaying OpenType fonts automatically. In addition, disable the WebClient service. Microsoft said that disabling this service blocks the Web Distributed Authoring and Versioning (WebDAV) client service, which is a “likely remote attack vector”. Renaming ATMFD.DLL (the file name of the Adobe Type Manager Font Driver) can also be helpful. CTRL Group recommends updating systems as soon as Microsoft releases its patch (expected 14th April).
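
A read-only way to confirm two of these interim mitigations on a host, as an added example (not Microsoft's or CTRL Group's code). It assumes 64-bit PowerShell 5.1 or later; the function names and the check for a second ATMFD.DLL copy under SysWOW64 are assumptions of this example. The Preview and Details pane settings are not checked.

```powershell
# Added example: read-only audit of two interim mitigations named above.
# Assumption: run in 64-bit PowerShell 5.1+ on the host; nothing is modified.

function Get-WebClientStatus {
    # 'WebClient' is the service name of the WebDAV client service.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'" -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{
            Check = 'WebClient service'; State = 'Not installed'; Mitigated = $true
        }
    }
    [pscustomobject]@{
        Check     = 'WebClient service'
        State     = "StartMode=$($svc.StartMode), State=$($svc.State)"
        # Mitigated only when it cannot be started and is not running now.
        Mitigated = ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running')
    }
}

function Get-AtmfdStatus {
    # Assumption: 64-bit hosts may hold a second copy under SysWOW64.
    $dirs = @("$env:windir\System32", "$env:windir\SysWOW64") |
        Where-Object { Test-Path -LiteralPath $_ -PathType Container }
    foreach ($dir in $dirs) {
        $present = Test-Path -LiteralPath (Join-Path $dir 'atmfd.dll') -PathType Leaf
        [pscustomobject]@{
            Check     = "ATMFD.DLL in $dir"
            State     = if ($present) { 'Present under original name' } else { 'Absent or renamed' }
            Mitigated = -not $present
        }
    }
}

$results = @(Get-WebClientStatus) + @(Get-AtmfdStatus)
$results | Format-Table -AutoSize

$open = @($results | Where-Object { -not $_.Mitigated })
if ($open.Count -gt 0) {
    Write-Warning "$($open.Count) mitigation(s) not in place: $($open.Check -join '; ')"
} else {
    Write-Output 'All checked mitigations are in place.'
}
```

A file reported as absent may never have been present on that build, so treat that row as "nothing to rename" rather than proof that a rename was carried out.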


KrØØk WiFi Vulnerability Exploit Released

Researchers have demonstrated a proof-of-concept for the recently discovered KrØØk WiFi vulnerability. Tracked as CVE-2019-15126, this serious flaw affects both WPA2-Personal and WPA2-Enterprise protocols with AES-CCMP encryption. According to details shared by ESET researchers, the flaw causes vulnerable devices to use an all-zero encryption key to encrypt part of the user’s communication. In a successful attack, the vulnerability allows an adversary to decrypt some wireless network packets transmitted by a vulnerable device. Some of the affected devices include Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3), and Xiaomi (Redmi).

The flaw is exploited by a Python script called r00kie-kr00kie.py. The script is used to force a device to disassociate from the network. Any data packets left in the device’s Wi-Fi chips are then encrypted with an all-zero key, so the attackers can flush them out and read them. Broadcom and Cypress have subsequently released updates, and patches for devices from major manufacturers have been released by now. To protect against the vulnerability, users should ensure that their systems, including phones, tablets, and laptops, have the latest updates applied.

VMware Fixes High Severity Privilege Escalation Bug in Fusion

VMware released security updates to address high severity privilege escalation and denial-of-service (DoS) flaws in VMware Workstation, Fusion, VMware Remote Console and Horizon Client. The two security flaws, currently tracked as CVE-2020-3950 and CVE-2020-3951, are due to the improper use of setuid binaries and a heap-overflow issue in Cortado Thinprint. CVE-2020-3950 was rated by VMware with a CVSSv3 base score of 7.3 and was evaluated to be in the Important severity range. This flaw impacts the VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for Mac (5.x and prior before 5.4.0) macOS apps.

When it comes to prevention against this attack, AWS SGs provide a robust boundary firewall for the EC2 instances. It should be noted, however, that this firewall does not eliminate the need to keep all external-facing services fully patched. Following strong patch management is also highly regarded. This helps all endpoints stay up to date on existing patches and helps verify whether certain devices are falling behind on updates. Any unpatched device on the network is an invitation for an attacker to break in.

– CTRL GROUP SECURITY OPERATIONS CENTRE ANALYSTS, M-Singh & V-MSK