ALERT: Foreshadow and Foreshadow NG

On 15 August 2018, information was released regarding three new Intel CPU vulnerabilities that may be exploited to steal data from computers.

  • CVE-2018-3615 (SGX, SMM – Foreshadow)
  • CVE-2018-3646 (VMM – Foreshadow NG)
  • CVE-2018-3620 (OS – Foreshadow NG)

Much like the Meltdown and Spectre vulnerabilities revealed earlier in the year, these new vulnerabilities take advantage of performance optimisation techniques to bypass security mechanisms built into the chips. The Foreshadow vulnerabilities target a different optimisation technique, potentially allowing access to a broader scope of data than Meltdown and Spectre, including data from other virtual machines in a virtualised environment.

Successful exploitation of these vulnerabilities would require an attacker to run malicious code on a targeted system. There are currently no known exploits being used against these vulnerabilities, and the researchers have not yet released proof-of-concept code for them.

We recommend that all clients assess their risk and appropriately patch systems to protect their environments against these vulnerabilities.  Care should be taken to read all patching instructions and release notes as well as perform thorough testing to avoid unexpected outages or performance impacts. Vendors have indicated that some performance impact should be expected for certain workloads.

Mitigation steps may involve processor microcode updates in addition to OS and virtualisation vendor updates, and in some cases may involve configuration options, including enabling new technologies and disabling HyperThreading. Please refer to vendor guidance on these opt-in steps, which includes, for example, the scenarios in which disabling HyperThreading is and is not recommended.

Processor microcode previously released by Intel in Q2 includes updates that address these new vulnerabilities. We recommend that clients test and apply the latest microcode updates to all affected systems.

CCL’s Polaris Platform
CCL is programmatically addressing the identified vulnerabilities at the hypervisor levels.  Clients are responsible for patching their Operating Systems residing on the platform unless these are managed by CCL.  Additional information will be provided through standard change control notifications or directly from your Client Relationship Manager.

Public Cloud Platforms
All major public cloud providers have actively patched their environments and have taken steps to protect workloads:

https://cloud.google.com/blog/products/gcp/protecting-against-the-new-l1tf-speculative-vulnerabilities

https://aws.amazon.com/security/security-bulletins/AWS-2018-019/

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/mitigate-se

Client Dedicated Virtual Platforms, On-premise Private Cloud and On-premise Infrastructure
For dedicated virtualisation platforms, patching may be required at the hardware microcode and operating system level in addition to the hypervisor and may also require additional configuration changes depending on what features and products are being used.  Please refer to applicable vendor guidance for detailed mitigation requirements.  Links for the major vendors are included below.

In some cases, mitigation steps may have performance impacts.  We recommend thorough testing as part of the standard patching process.

If you have any questions or concerns, please do not hesitate to contact your Client Relationship Manager or the CCL Service Desk on 0800 225 737 or support@concepts.co.nz.

Additional Information:

https://foreshadowattack.eu/

https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

https://kb.vmware.com/s/article/55636

https://kb.vmware.com/s/article/55806

https://www.vmware.com/security/advisories/VMSA-2018-0020.html

https://www.vmware.com/security/advisories/VMSA-2018-0021.html

https://blogs.technet.microsoft.com/srd/2018/08/10/analysis-and-mitigation-of-l1-terminal-fault-l1tf/

https://support.microsoft.com/en-us/help/4457951/windows-server-guidance-to-protect-against-l1-terminal-fault

https://blogs.technet.microsoft.com/virtualization/2018/08/14/hyper-v-hyperclear/

https://blogs.oracle.com/oraclesecurity/intel-l1tf

ALERT: Email Phishing Attack

Over the last couple of days, we have noticed a spike in email phishing attacks in our clients’ environments.  The emails are coming into a client’s environment from well-known and trusted companies.

The phishing email asks users to open a PDF attachment containing a DocuSign-branded image with an embedded link to a fake website (in this case, one resembling Microsoft Office 365) that prompts users to enter their credentials.

The email has a PDF attachment which, when opened, looks like this:

And browsing to the “REVIEW DOCUMENTS” link will present a login screen that looks like this, where “compromisedsite.com” could be any number of different sites that are being used in the attack:

As you know, phishing emails can catch anyone out at any time and are one of the top methods cyber criminals use to gain access to a company’s network.  This is a timely reminder to always be vigilant.

Here are some useful tips to help spot a phishing email:

  • You aren’t expecting the email
  • The email urges immediate action
  • The email requests personal information
  • Links in the email lead to websites that ask for passwords
  • The email may contain a generic greeting rather than a name, e.g. Dear Sir/Madam
  • The email contains incorrect spelling or grammar
  • The email could include an attachment
  • The sender’s display name and email address do not match each other, or are spelt incorrectly
  • The link text shown in the email does not match the URL it actually points to
  • The URL does not match the company website, or the site does not use HTTPS (SSL/TLS encryption), i.e. the address does not start with https://

Meltdown & Spectre

Over the past week the IT community has been working hard to mitigate two widespread vulnerabilities, Meltdown and Spectre, identified by researchers.  These vulnerabilities are notable for the widespread and near universal impact on devices with processors, resulting in a significant number of patches being released and planned.  CCL has taken the necessary steps to secure our shared infrastructure platforms and we are actively assisting clients with advice and services to secure on-premise and cloud based environments.

We recommend that all clients assess and protect their environments against these vulnerabilities and ensure that systems are brought up to date and secured. Care should be taken to follow patching instructions, as outages have occurred as a result of not following the prescribed steps. Finally, Microsoft and other vendors have identified that some performance impact should be anticipated for certain workloads – estimates range from a 5-30% decline in performance – and older devices are more likely to be affected.

CCL IaaS platforms
CCL is programmatically addressing the identified vulnerabilities at the hardware and hypervisor levels.  Clients are responsible for patching their Operating Systems and applications residing on the platform unless these are managed by CCL.

Additional information will be provided through standard change control notifications or directly from your CRM.

Public Cloud platforms
All major public cloud providers have actively patched their environments and have taken steps to protect workloads. As with CCL, further patching may occur, and we recommend monitoring each provider’s advisories.

Client dedicated virtual platforms, on-premise private cloud
For dedicated virtualisation platforms running earlier versions of VMware ESXi (ESXi 5.x) we are recommending a migration to ESXi 6.x, then patching to secure the hypervisor.  Patching is also required at the hardware firmware layer (microcode), operating system and application level in addition to the Hypervisor.  VMware has provided patches for ESXi which include microcode updates for popular CPUs.  vCenter patches are required and Virtual Hardware Version and VMware tools updates may also be necessary.  Outages will be required to complete patching including power cycling VM guest machines and guest OS server reboots.

Clients running Microsoft Hyper-V will need to apply updates at both the host and guest level.

On-premise infrastructure
Servers, desktops, and mobile phones are all impacted by these vulnerabilities and associated security patches are being released.  Patching will impact some workloads and performance may degrade as a result.  CCL recommends that clients follow standard patching processes including appropriate testing before release of patches to production systems.

Please note that anti-virus patches / registry key changes are required before the Microsoft patch can be successfully applied.  For CCL managed AV / Endpoint Security clients, the registry key has been deployed.

Patching will need to occur at a hardware firmware layer, operating system and application level in addition to the Hypervisor across multiple platforms to provide comprehensive protection against these vulnerabilities.  CCL has developed a guide for our engineering team to provide a best practice approach to managing the patching for Meltdown and Spectre.
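Added example, not from the original posts or from any vendor: a Python script that reads the Linux kernel's self-reported mitigation status from sysfs for L1TF (the Foreshadow alert above) as well as Meltdown and Spectre, and reports whether SMT (HyperThreading) is still enabled, the condition the Foreshadow guidance singles out. The sysfs paths and status-string formats are the kernel's; the verdict names and the status strings used to exercise the functions are assumed and constructed.

```python
"""Report the Linux kernel's own view of whether the L1TF (Foreshadow),
Meltdown and Spectre mitigations are active, and whether SMT
(HyperThreading) sibling threads are still enabled. Added example."""
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")  # one file per issue
SMT_CONTROL = Path("/sys/devices/system/cpu/smt/control")   # on/off/forceoff/notsupported
ISSUES = ("l1tf", "meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map one kernel status line to ok / partial / vulnerable / unknown.

    Kernel strings look like 'Not affected', 'Vulnerable[: ...]' or
    'Mitigation: <details>'. For l1tf the details carry the SMT state,
    e.g. 'Mitigation: PTE Inversion; VMX: conditional cache flushes,
    SMT vulnerable' when a sibling thread can still read the shared L1D."""
    if status is None:
        return "unknown"  # file absent: kernel predates the mitigation
    s = status.strip()
    if s.startswith("Not affected"):
        return "ok"
    if s.startswith("Mitigation"):
        return "partial" if "SMT vulnerable" in s else "ok"
    return "vulnerable"


def assess(statuses, smt_control):
    """statuses: issue -> file contents (None if missing); smt_control:
    contents of smt/control. Flags hosts that still need attention."""
    report = {name: classify(text) for name, text in statuses.items()}
    report["smt"] = "disabled" if (smt_control or "").strip() in ("off", "forceoff") else "enabled"
    report["needs_attention"] = any(
        v in ("partial", "vulnerable", "unknown") for v in report.values())
    return report


def read_live():
    """Read the real sysfs files; only meaningful on a Linux host or guest."""
    statuses = {}
    for name in ISSUES:
        path = VULN_DIR / name
        statuses[name] = path.read_text() if path.exists() else None
    smt = SMT_CONTROL.read_text() if SMT_CONTROL.exists() else "notsupported"
    return assess(statuses, smt)


if __name__ == "__main__":
    for key, verdict in read_live().items():
        print(f"{key:16s} {verdict}")
```

A "partial" verdict for l1tf with SMT "enabled" is the case the vendor guidance above addresses: the OS-level mitigation is in place, but sibling hyperthreads are still running, which matters for hypervisor hosts running untrusted guests.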

If you would like more information or would like to discuss the potential performance impact on your workloads, please contact support@concepts.co.nz or 0800 225 468.

Additional information
The official Graz University of Technology research site containing information about the vulnerabilities and major vendor responses:

https://meltdownattack.com/

Additional vendor information:

https://kb.vmware.com/s/article/52245
https://support.microsoft.com/en-us/help/4073757/protect-your-devices-against-spectre-meltdown

Browser protections:

https://www.chromium.org/Home/chromium-security/ssca
https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/

Performance impacts:

https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/
https://access.redhat.com/articles/3307751

Please contact CCL if you have any questions or concerns.