SANS NewsBites

Update All Firmware Using Realtek SDK and Monitor for Exploits; Update macOS Devices to Minimize Process Injection Risk; Push All Software Vendors to Improve Vulnerability Notice Processes and Patch Quality

August 16, 2022  |  Volume XXIV - Issue #63

Top of the News


2022-08-15

Realtek SDK Vulnerability Exposes Routers to Simple Exploit

A vulnerability in the SIP application layer gateway (ALG) included in Realtek's software development kit for its RTL819xD system-on-a-chip devices exposes routers to a simple stack-based buffer overflow. Patches are available from Realtek but have not yet been included by all vendors in updated firmware images. This vulnerability is exploitable via a single UDP packet sent to the router, even if the web-based administrative interface is not exposed.

Editor's Note

This was probably the most important issue revealed at DefCon/BlackHat this year, and so far it has not been reported on much. It highlights a supply chain issue that organizations have a hard time handling. Affected devices are not typically found in enterprises, but in homes and small businesses. I do not know of an enterprise able to manage or even inventory the routers employees use when working from home, and users have a notoriously hard time finding and applying firmware upgrades to routers.

Johannes Ullrich

The vulnerable code is part of the networking stack, so attackers just need to send a specially crafted SIP packet to achieve device takeover. You can mitigate the risk by blocking UDP packets at your perimeter. Use caution not to block any critical services that actively use UDP. VoIP and gaming services are the most likely to be affected by this approach; make sure that your VoIP provider is on the allow list. Keep an eye out for updates from your vendor, particularly if they reference CVE-2022-27255 or a Realtek SDK update.

Lee Neely

SANS Internet Storm Center info and guidance at https://isc.sans.edu/diary/Realtek+SDK+SIP+ALG+Vulnerability%3A+A+Big+Deal%2C+but+not+much+you+can+do+about+it.+CVE+2022-27255/28940

John Pescatore

2022-08-12

Black Hat: macOS Process Injection Vulnerability

Apple has released updates to address a vulnerability that could be exploited by a process injection attack to break multiple levels of Apple security. The issue was discovered by Thijs Alkemade, a researcher from the cybersecurity firm Computest.

Editor's Note

Apple will have a hard time eliminating these process injection vulnerabilities. This problem reminds me of deserialization vulnerabilities in web applications. Note also that this week’s Zoom update for macOS addresses this issue.

Johannes Ullrich

Apple’s update is only for macOS 12 (Monterey). With the pending release of macOS 13 (Ventura), which should include this fix, it’s time to get your users up to Monterey. While Apple holds their support model tightly, I have found that support for current plus one OS revision back is their sweet spot. Expect a similar model this fall when iOS/iPadOS support shifts from versions 14 & 15 to 15 & 16.

Lee Neely

2022-08-12

Black Hat: Zero-Day Initiative’s Recommendations for Improving “Systemic Problems with Security Patches”

In a briefing at Black Hat, Brian Gorenc and Dustin Childs of Trend Micro's Zero Day Initiative discussed the declining quality of patches and the increasingly vague language in security advisories they have observed. Gorenc and Childs also “proposed methods to incentivize vendors to improve their servicing habits, including alternative disclosure timelines for failed patches.”

Editor's Note

The key line in this excellent presentation is “Spend your money wisely. Vote with your wallet.” Realistically, there is NOT going to be legislation any time soon that addresses this complex problem in any meaningful way. The market has shown that security of software is important – over 20 years ago that is what drove then Microsoft CEO Bill Gates to make the company focus on security, since Microsoft was losing the World Wide Web race to Netscape and others. Make sure all procurements/RFPs include at least questions on testing of software and patch timeliness/quality statistics from all software (including SaaS) vendors.

John Pescatore

The dream has been to be able to categorize and prioritize patches, focusing on the most exploitable and critical issues. Vendor trends include putting advisories behind paywalls and reducing the exploitability information, with the intent of providing more time for users to apply patches while making reverse engineering the flaw more difficult. Leverage services to auto-patch commodity systems and applications (typically desktops and standard servers) rapidly, allowing staff to focus on regression testing for servers and other mission essential applications. You may also be able to leverage cloud or outsourced solutions for common applications such as ERP and CRM, which are already continuously patching and updating.

Lee Neely

This week one colleague suggested that responding to the Microsoft patch Tuesday constituted “unplanned” activity. Patching is now mandatory and routine, hardly unplanned. The number of patches is a measure of quality. This observer continues to be amazed at the tolerance of this industry for poor quality. Addressing it will require new incentives, tools, methods, processes, and procedures. Those we are using are clearly not working.

William Hugh Murray

The Rest of the Week's News


2022-08-12

Palo Alto Networks: Updates for PAN-OS Vulnerability Will Be Released This Week

A high severity vulnerability in Palo Alto Networks’ PAN-OS is being actively exploited to conduct reflected and amplified TCP denial-of-service attacks. The URL filtering policy misconfiguration flaw affects six versions of PAN-OS; a fix is available for one of the versions; Palo Alto Networks says it will release updates for the remaining versions of PAN-OS this week.

Editor's Note

According to Palo Alto, this vulnerability can be mitigated by adjusting your configuration. Vulnerable configurations are unlikely and, according to Palo Alto, usually applied by mistake.

Johannes Ullrich

While the complexity of this attack is low, it is dependent on a misconfiguration of a URL filtering policy. In short, the URL filter profile has to have one or more security categories assigned to a source zone that has an external-facing interface. Normally these would be assigned to internal interfaces. Rather than wait for the patch, scan your filtering profiles and correct this. Apply the patch, when available, as part of your boundary protection update protocols.

Lee Neely
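The audit the note above recommends, as an added example that is not part of the newsletter or of any Palo Alto Networks tooling: it walks a constructed, simplified model of a firewall policy (hypothetical zone, profile and rule names; not the real PAN-OS configuration schema or API) and flags security rules whose source zone contains an external-facing interface while a URL filtering profile with categories assigned is attached to them.

```python
"""Flag security rules that match the PAN-OS CVE-2022-0028 misconfiguration
pattern described in the advisory summary: a URL filtering profile with one
or more categories assigned, applied to a rule whose SOURCE zone includes an
external-facing interface.

The configuration model is a constructed simplification for this example;
it is NOT the PAN-OS configuration format. "Assigned" categories are
modelled as the profile's block/alert lists.
"""
from typing import Dict, List

# Constructed sample policy with hypothetical names.
SAMPLE_CONFIG: Dict = {
    "zones": {
        "untrust": {"interfaces": ["ethernet1/1"], "external": True},
        "trust":   {"interfaces": ["ethernet1/2"], "external": False},
    },
    "url_profiles": {
        "block-bad": {"block": ["malware", "phishing"], "alert": []},
        "no-filter": {"block": [], "alert": []},
    },
    "rules": [
        # Risky: source zone is external and the profile filters categories.
        {"name": "inbound-web", "from": ["untrust"], "to": ["trust"], "url_profile": "block-bad"},
        # Normal: filtering applied to traffic sourced from the internal zone.
        {"name": "outbound", "from": ["trust"], "to": ["untrust"], "url_profile": "block-bad"},
        # Not risky: external source zone but no categories assigned.
        {"name": "inbound-plain", "from": ["untrust"], "to": ["trust"], "url_profile": "no-filter"},
    ],
}


def profile_has_categories(profile: Dict) -> bool:
    """True if the URL filtering profile assigns any category to block or alert."""
    return bool(profile.get("block") or profile.get("alert"))


def risky_rules(config: Dict) -> List[str]:
    """Return names of rules whose source zone is external-facing and whose
    attached URL filtering profile has categories assigned."""
    zones, profiles, found = config["zones"], config["url_profiles"], []
    for rule in config["rules"]:
        profile = profiles.get(rule.get("url_profile", ""))
        if not profile or not profile_has_categories(profile):
            continue
        if any(zones.get(z, {}).get("external", False) for z in rule["from"]):
            found.append(rule["name"])
    return found


if __name__ == "__main__":
    for name in risky_rules(SAMPLE_CONFIG):
        print(f"review rule {name!r}: URL filtering on an external source zone")
```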

2022-08-15

Manual Update Available for Zoom for macOS

Users of Zoom for Mac are being urged to conduct a manual update of the video conferencing software to fix a vulnerability in the auto-update process, which is enabled by default. While the Zoom installer needs a password for installation and uninstallation, the auto-update function does not require a password. The flaw could be exploited to gain elevated privileges.

Editor's Note

This update addresses a vulnerability related to the "process injection vulnerability" discussed at Black Hat. Also see the macOS Process Injection story above.

Johannes Ullrich

The fix is in Zoom 5.11.5 (9788) or later. You probably want to push this update rather than waiting for your users to either go to the “check for updates” menu or wait for the release of a Zoom auto-update.

Lee Neely

2022-08-12

Black Hat: Eclypsium Identifies Bootloader Vulnerabilities

Researchers at Eclypsium “have identified three new bootloader vulnerabilities which affect the vast majority of devices released over the past 10 years including x86-64 and ARM-based devices.” All three are signed by the Microsoft UEFI Third Party Certificate Authority. Eclypsium notes that “Unlike a traditional vulnerability that can simply be patched and resolved, addressing these bootloader vulnerabilities requires multiple parties. In addition to updates from Microsoft, the affected suppliers will also need to remediate and publish updates for their code.”

Editor's Note

Mitigation takes some manual steps. First, you need to determine if you're running a vulnerable bootloader. This is done by checking the EFI System Partition (/boot/efi on Linux, mountvol DRIVE: /S on Windows). If it’s vulnerable, you’ll need to apply the updated bootloader from your vendor. Second, you need to apply updates to the Secure Boot Forbidden Signature Database (DBX), which prevents unauthorized UEFI modules from loading. DO NOT make these updates unless you have a known non-vulnerable EFI bootloader. Read https://support.microsoft.com/en-us/topic/kb4535680-security-update-for-secure-boot-dbx-january-12-2021-f08c6b00-a850-e595-6147-d0c32ead81e2

Lee Neely

2022-08-16

Cyble: Virtual Network Computing Servers Exposed

Editor's Note

VNC is very useful for remote controlling and accessing systems if done right. Exposing a password-less VNC to the Internet is much like when users connected PCAnywhere to a modem, except with a tool like Shodan it’s far easier to find. When setting up VNC, ensure a password is used and don’t expose the service directly to the Internet, use a VPN or other secure gateway. Make sure that the communication is over an encrypted channel to prevent both eavesdropping and MitM scenarios.

Lee Neely

2022-08-15

Legislators Ask HHS Secretary for Healthcare Cybersecurity Briefing

Two US legislators have written a letter to the US Secretary of Health and Human Services (HHS) Xavier Becerra “requesting a briefing from [his] office on the status of efforts to strengthen the department’s capabilities as the SRMA and to operationalize collaboration with the organizations throughout the sector.” Former co-chairs of the Cyberspace Solarium Commission, and authors of the Sector Risk Management Agency (SRMA) legislation, Senator Angus King (I-Maine) and US Representative Mike Gallagher (R-Wisconsin) expressed concern “about the lack of robust and timely sharing of actionable threat information with industry partners and the need to dramatically scale up the Department’s capabilities and resources.”

Editor's Note

One hopes this briefing provides enough information to support both legislation and funding to help improve overall healthcare cybersecurity, to include the sharing of resources and of the incident and threat information needed to prepare for and respond to the changing environment.

Lee Neely

2022-08-15

Phishing Scheme Targets Healthcare Providers

The US Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HC3) says a phishing scheme is targeting healthcare providers in the hopes of stealing their account access credentials. The messages lead the recipient to a maliciously crafted Evernote webpage tailored to the recipient’s organization. The malicious webpage contains an HTML download that delivers a phishing Trojan.

Editor's Note

In phishing assessments, click rates are always above 0%. Orgs need technical controls to throw warnings, reduce damage, and alert security when someone does click. We also need users who are trained and comfortable coming to security immediately when they realize something's gone wrong. This means no “three strike” rules!

Christopher Elgee

The problem has been exacerbated by a high turnover of healthcare workers, to include many new workers, where the time to complete cybersecurity training has been (understandably) eclipsed by medical events of late. On the human side, make sure that your training requirements are intact and that you’re tracking completions as well as barriers, to find alternate ways to deliver the needed training. From an IT perspective, make sure you've got services enabled to block and tag suspect emails. If using a quarantine, make sure that there is active tuning and monitoring of requests for retrieval to minimize the impact of miscategorized messages.

Lee Neely

2022-08-15

US July Healthcare Sector Breaches

In July 2022, the US Department of Health and Human Services Office for Civil Rights (HHS OCR) added 60 breaches to its Cases Currently Under Investigation portal, bringing the total number of breaches posted so far this year to roughly 420. The breaches added in July affect a total of 2.5 million individuals. The three largest attacks reported last month all involved ransomware; in two of the three cases, the ransomware attacks involved providers or vendors.

Editor's Note

From 2007 to 2015 or so, retail breaches dominated the news, as Target, TJX, Hannaford, Home Depot and others had breaches that compromised close to 200 million retail customers. Retail had a complicated mix of IT and distributed point of sale/OT systems, and the processing of credit cards was a lucrative target. No coincidence that over that same period the Payment Card Industry Data Security Standards program evolved from PCI 1.0 to PCI 3.0. Healthcare has the same risk profile and an even more complex OT world, but the healthcare world has not had a “Healthcare Industry” kind of program with the power of the payment channel behind it. Without that, it really is time for government funding to healthcare to start being tied in some way to protection of health care data.

John Pescatore

Healthcare data continues to be a big target as studies show it has a greater illicit market value than credit cards or sensitive PII. Business parties are a big factor in these incidents. Make sure that your business partners are maintaining an appropriate security posture that requires both active (documented) agreement and continuous monitoring. Doubly so if they have a direct connection to your systems.

Lee Neely

From retail, hospitality and card fraud to healthcare and ransomware: crime goes where the money is. EMV and PCI DSS have helped in reducing card fraud. We clearly need both new tech, convenient strong authentication, and new standards of due care, cybersecurity, in healthcare.

William Hugh Murray

Internet Storm Center Tech Corner

Realtek eCOS SDK SIP ALG Vulnerability CVE-2022-27255 Followup (snort signature and presentation)

https://isc.sans.edu/diary/Realtek+SDK+SIP+ALG+Vulnerability%3A+A+Big+Deal%2C+but+not+much+you+can+do+about+it.+CVE+2022-27255/28940


Phishing HTML Attachment as Voicemail Audio Transcription

https://isc.sans.edu/diary/Phishing+HTML+Attachment+as+Voicemail+Audio+Transcription/28938


CVE-2022-0028 PAN-OS: Reflected Amplification Denial-of-Service Vulnerability

https://security.paloaltonetworks.com/CVE-2022-0028


MacOS Privilege Escalation

https://sector7.computest.nl/post/2022-08-process-injection-breaking-all-macos-security-layers-with-a-single-vulnerability/


Zoom Update

https://explore.zoom.us/en/trust/security/security-bulletin/


Microsoft Block Vulnerable Bootloaders

https://eclypsium.com/2022/08/11/vulnerable-bootloaders-2022/


HPE Integrated Lights Out 5 Vulnerabilities

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-hpesbhf04333en_us