SECURITY NEWS

Recent Security News at CCL

Intel MDS Vulnerabilities

By | Security News

On 15 May 2019, NZ time, Intel announced a new group of vulnerabilities collectively known as “Microarchitectural Data Sampling”, which are a subset of previously disclosed speculative execution side channel vulnerabilities.

The vulnerabilities have been assigned the following four CVEs:

  • CVE-2018-12126 – Microarchitectural Store Buffer Data Sampling (CVSSv3 = 6.5)
  • CVE-2018-12130 – Microarchitectural Fill Buffer Data Sampling (CVSSv3 = 6.5)
  • CVE-2018-12127 – Microarchitectural Load Port Data Sampling (CVSSv3 = 6.5)
  • CVE-2019-11091 – Microarchitectural Data Sampling Uncacheable Memory (CVSSv3 = 3.8)

Like the previous Intel chip vulnerabilities, these utilise side channel attacks against speculative performance optimisation techniques to infer data in chip components that are meant to be protected. Attacks against these vulnerabilities could allow attackers to leak private data from internal CPU buffers and Load Ports.

Successful exploitation requires malicious code to be run on a targeted system. Intel is reporting that real-world exploitation outside of controlled conditions is complex, but demonstration videos and proof of concept code have already been published on the Internet for at least one of the vulnerabilities.

Mitigation will typically involve updates at multiple layers, including microcode, virtualisation and operating system. In some cases, full mitigation may also require additional steps, including disabling Hyper-Threading. Refer to vendor guidance to understand cases where such decisions need to be considered.

Remediation:

CCL Polaris IaaS Platform

CCL is programmatically addressing the identified vulnerabilities at the hardware, hypervisor and management software layers. Clients are responsible for patching non-CCL managed operating systems residing on the platform. Additional information will be provided through our standard change control notifications or directly from your Customer Relationship Manager.

Public Cloud Platforms

All major public cloud providers are indicating that they have taken steps to mitigate the vulnerabilities in their environments:

https://support.google.com/faqs/answer/9330250

https://aws.amazon.com/security/security-bulletins/AWS-2019-004/

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190013

Client Dedicated Virtual Platforms, On-premise Private Cloud and On-premise Infrastructure

For dedicated virtualisation platforms, patching may be required at the hardware microcode and operating system level in addition to the Hypervisor. Please refer to applicable vendor guidance for detailed mitigation requirements. Links for some major vendors are included below.

Recommendations:

CCL recommends that all clients assess their risk and appropriately patch systems. Standard update procedures should be appropriate for most systems. Shared environments that run untrusted code may warrant more urgent, out-of-band update procedures.

Please note that some vendors are indicating system reboots will be required for updates to be applied. Always perform thorough testing to avoid unexpected outages or performance impacts. Vendors have indicated that some performance impact should be expected.

Please contact support@concepts.co.nz or 0800 225 737, if you would like more information.

References:

Note – please hover over and validate hyperlinks prior to clicking

https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html

https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-microarchitectural-data-sampling

https://support.microsoft.com/en-nz/help/4457951/windows-guidance-to-protect-against-speculative-execution-side-channel

https://www.vmware.com/security/advisories/VMSA-2019-0008.html

https://access.redhat.com/security/vulnerabilities/mds

NZ Cert Security Warnings

By | Security News

NZ Cert has released two security advisories this week regarding security vulnerabilities that present a high risk to systems connected to the Internet.

  • The first advisory warns of known active attacks against a previously patched SharePoint vulnerability to compromise corporate websites.
  • The second details a newly patched vulnerability in Microsoft Remote Desktop Services on older operating systems (Windows 7/Server 2008 R2 and earlier). It is expected that exploits will be developed and used against this vulnerability in the near future. Microsoft has also released patches for unsupported software, including Windows XP and Server 2003.

Recommendations

CCL recommends that clients remain diligent about implementing and maintaining strong security controls and practices for all public facing systems. This includes ensuring that the entire software stack, from the OS to third party applications, is kept fully patched against known vulnerabilities.

Specifically, we recommend that security patches for the SharePoint and RDS vulnerabilities are tested and implemented as soon as possible, with priority placed on systems connected to the Internet.

If you have any concerns about potential risks to existing systems or would like to discuss ways CCL can help provide visibility to any exposed systems, please reach out to your Customer Relationship Manager or Service Delivery Manager.

References

https://www.cert.govt.nz/it-specialists/advisories/vulnerability-microsoft-rdp-services/

https://www.cert.govt.nz/it-specialists/advisories/microsoft-sharepoint-vulnerability-being-exploited/

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604

ALERT: Foreshadow and Foreshadow NG

By | Security News

On 15 August 2018, information was released regarding three new Intel CPU vulnerabilities that may be exploited to steal data from computers.

  • CVE-2018-3615 (SGX, SMM – Foreshadow)
  • CVE-2018-3646 (VMM – Foreshadow NG)
  • CVE-2018-3620 (OS – Foreshadow NG)

Much like the Meltdown and Spectre vulnerabilities revealed earlier in the year, these new vulnerabilities take advantage of performance optimisation techniques to bypass security mechanisms built into the chips. The Foreshadow vulnerabilities target a different optimisation technique, potentially allowing access to a broader scope of data than Meltdown and Spectre, including data from other virtual machines in a virtualised environment.

Successful exploitation of these vulnerabilities would require an attacker to run malicious code on a targeted system. There are currently no known exploits being used against these vulnerabilities, and researchers have not yet released proof of concept code for them.

We recommend that all clients assess their risk and appropriately patch systems to protect their environments against these vulnerabilities.  Care should be taken to read all patching instructions and release notes as well as perform thorough testing to avoid unexpected outages or performance impacts. Vendors have indicated that some performance impact should be expected for certain workloads.

Mitigation steps may involve processor microcode updates in addition to OS and virtualisation vendor updates, and in some cases may involve configuration options, including enabling new technologies and disabling Hyper-Threading.  Please refer to vendor guidance around opt-in steps, which includes guidance on the scenarios where disabling Hyper-Threading is recommended and where it is not.

Processor microcode previously released by Intel in Q2 includes updates that address these new vulnerabilities.   We recommend that clients test and apply the latest microcode updates to all affected systems.
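As an added check for the MDS and Foreshadow/L1TF mitigation steps described above (example code written for this page, not CCL's tooling nor any vendor's), the following Python reads the per-issue status files the Linux kernel publishes under /sys/devices/system/cpu/vulnerabilities/ and lists what still needs action, including entries that are mitigated but still report "SMT vulnerable" because Hyper-Threading remains on. The sysfs tree used in the demo is constructed inline so the script runs offline; call check() with no arguments to inspect the running host.

```python
# Added example (not CCL's tooling): summarise the Linux kernel's own report of the
# speculative-execution mitigations. The kernel exposes one file per issue under
# /sys/devices/system/cpu/vulnerabilities/ (mds, l1tf, meltdown, spectre_v2, ...) reading
# "Not affected", "Mitigation: ..." or "Vulnerable..."; MDS/L1TF add "SMT vulnerable" while SMT is on.
import os
import tempfile

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
SMT_FILE = "/sys/devices/system/cpu/smt/control"  # on / off / forceoff / notsupported


def classify(text: str) -> str:
    """Map one sysfs entry to not_affected / unmitigated / mitigated."""
    if text.startswith("Not affected"):
        return "not_affected"
    return "unmitigated" if text.startswith("Vulnerable") else "mitigated"


def check(vuln_dir: str = VULN_DIR, smt_file: str = SMT_FILE) -> dict:
    """Return {'entries': {name: (state, raw)}, 'smt': str, 'actions': [str]}."""
    entries, actions = {}, []
    if not os.path.isdir(vuln_dir):  # older kernels do not publish this directory at all
        return {"entries": entries, "smt": "unknown", "actions": ["kernel does not report status"]}
    for name in sorted(os.listdir(vuln_dir)):
        with open(os.path.join(vuln_dir, name)) as fh:
            raw = fh.read().strip()
        state = classify(raw)
        entries[name] = (state, raw)
        if state == "unmitigated":
            actions.append(f"{name}: apply microcode/kernel updates ({raw})")
        elif "SMT vulnerable" in raw:
            actions.append(f"{name}: mitigated, but SMT is on; see vendor guidance on Hyper-Threading")
    smt = "unknown"
    if os.path.isfile(smt_file):
        with open(smt_file) as fh:
            smt = fh.read().strip()
    return {"entries": entries, "smt": smt, "actions": actions}


def constructed_sample() -> str:
    """Write a constructed copy of the sysfs layout (strings in the kernel's format) for an offline demo."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "vulnerabilities"))
    samples = {"mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
               "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
               "meltdown": "Mitigation: PTI", "spectre_v2": "Mitigation: Full generic retpoline"}
    for name, text in samples.items():
        with open(os.path.join(root, "vulnerabilities", name), "w") as fh:
            fh.write(text + "\n")
    with open(os.path.join(root, "smt_control"), "w") as fh:
        fh.write("on\n")
    return root


if __name__ == "__main__":
    root = constructed_sample()  # constructed tree; use check() alone for the real host
    print(check(os.path.join(root, "vulnerabilities"), os.path.join(root, "smt_control")))
```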

CCL’s Polaris Platform
CCL is programmatically addressing the identified vulnerabilities at the hypervisor levels.  Clients are responsible for patching their Operating Systems residing on the platform unless these are managed by CCL.  Additional information will be provided through standard change control notifications or directly from your Client Relationship Manager.

Public Cloud Platforms
All major public cloud providers have actively patched their environments and have taken steps to protect workloads:

https://cloud.google.com/blog/products/gcp/protecting-against-the-new-l1tf-speculative-vulnerabilities

https://aws.amazon.com/security/security-bulletins/AWS-2018-019/

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/mitigate-se

Client Dedicated Virtual Platforms, On-premise Private Cloud and On-premise Infrastructure
For dedicated virtualisation platforms, patching may be required at the hardware microcode and operating system level in addition to the hypervisor and may also require additional configuration changes depending on what features and products are being used.  Please refer to applicable vendor guidance for detailed mitigation requirements.  Links for the major vendors are included below.

In some cases, mitigation steps may have performance impacts.  We recommend thorough testing as part of the standard patching process.

If you have any questions or concerns, please do not hesitate to contact your Client Relationship Manager or the CCL Service Desk on 0800 225 737 or support@concepts.co.nz.

Additional Information:

https://foreshadowattack.eu/

https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

https://kb.vmware.com/s/article/55636

https://kb.vmware.com/s/article/55806

https://www.vmware.com/security/advisories/VMSA-2018-0020.html

https://www.vmware.com/security/advisories/VMSA-2018-0021.html

https://blogs.technet.microsoft.com/srd/2018/08/10/analysis-and-mitigation-of-l1-terminal-fault-l1tf/

https://support.microsoft.com/en-us/help/4457951/windows-server-guidance-to-protect-against-l1-terminal-fault

https://blogs.technet.microsoft.com/virtualization/2018/08/14/hyper-v-hyperclear/

https://blogs.oracle.com/oraclesecurity/intel-l1tf

ALERT: Email Phishing Attack

By | Security News

Over the last couple of days, we have noticed a spike in email phishing attacks in our clients’ environments.  The emails are coming into a client’s environment from well-known and trusted companies.

The phishing email asks users to open a PDF attachment containing a DocuSign-styled image with an embedded link to a fake website (in this case, one resembling Microsoft Office365), which then prompts users to enter their credentials.

The email has a PDF attachment which when opened looks like this:

And browsing to the “REVIEW DOCUMENTS” link will present a login screen that looks like this, where “compromisedsite.com” could be any number of different sites that are being used in the attack:

As you know, phishing emails can catch anyone out at any time and are one of the top methods cyber criminals use to gain access to a company’s network.  This is a timely reminder to always be vigilant.

Here are some useful tips to help spot a phishing email:

  • You aren’t expecting the email
  • The email urges immediate action
  • The email requests personal information
  • Links in the email lead to websites that ask for passwords
  • The email may contain a generic greeting rather than a name, e.g. Dear Sir/Madam
  • The email contains incorrect spelling or grammar
  • The email could include an attachment
  • The sender’s name and address do not match the claimed sender, or are spelt incorrectly
  • The link(s) in the email do not match the URL they actually redirect to
  • The URL does not match the company website, or the site is not using SSL/TLS encryption (the address does not start with https://)
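The last two tips above can be checked mechanically against an HTML email body before anyone clicks. The following Python is an added example written for this page (not CCL's tooling): it flags link text that shows one host while the href goes to another, links that are not https, and links whose host is not under the company's own domain. The sample body is constructed in the shape of the DocuSign-style lure described above, with example.com standing in for the impersonated company's real domain.

```python
# Added example (not CCL's tooling): flag the link-level phishing signs listed above in an
# HTML email body: link text showing one host while the href goes to another, links that
# are not https, and links whose host is not the company's own domain.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or of bare 'www.example.com' style text."""
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()


def check_links(html: str, company_domain: str) -> list:
    """Return (href, reason) findings; an empty list means no link-level red flags."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if urlparse(href).scheme != "https":
            findings.append((href, "link is not https"))
        looks_like_url = "://" in text or text.lower().startswith("www.")
        shown = host_of(text) if looks_like_url else ""  # only compare when the text itself shows a host
        if shown and shown != target:
            findings.append((href, f"text shows {shown} but link goes to {target}"))
        if target != company_domain and not target.endswith("." + company_domain):
            findings.append((href, f"host {target} is not under {company_domain}"))
    return findings


# Constructed sample body; compromisedsite.com is the placeholder used in the post above.
SAMPLE = ('<p>Please <a href="http://compromisedsite.com/docs/">REVIEW DOCUMENTS</a> or visit '
          '<a href="https://login.compromisedsite.com/">https://login.example.com</a>.</p>')

if __name__ == "__main__":
    print(check_links(SAMPLE, "example.com"))
```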

Meltdown & Spectre

By | Security News

Meltdown and Spectre
Over the past week the IT community has been working hard to mitigate two widespread vulnerabilities, Meltdown and Spectre, identified by researchers.  These vulnerabilities are notable for the widespread and near universal impact on devices with processors, resulting in a significant number of patches being released and planned.  CCL has taken the necessary steps to secure our shared infrastructure platforms and we are actively assisting clients with advice and services to secure on-premise and cloud based environments.

We recommend that all clients assess and protect their environments against these vulnerabilities and ensure that systems are brought up to date and secured.  Care should be taken to follow patching instructions, as outages have occurred as a result of not following the prescribed steps.  Finally, Microsoft and other vendors have identified that some performance impact should be anticipated for certain workloads – estimates range from a 5-30% decline in performance – and older devices are more likely to be affected.

CCL IaaS platforms
CCL is programmatically addressing the identified vulnerabilities at the hardware and hypervisor levels.  Clients are responsible for patching their Operating Systems and applications residing on the platform unless these are managed by CCL.

Additional information will be provided through standard change control notifications or directly from your CRM.

Public Cloud platforms
All major public cloud providers have actively patched their environments and have taken steps to protect workloads. As with CCL, further patching may occur, and we recommend monitoring each provider's advisories.

Client dedicated virtual platforms, on-premise private cloud
For dedicated virtualisation platforms running earlier versions of VMware ESXi (ESXi 5.x) we are recommending a migration to ESXi 6.x, then patching to secure the hypervisor.  Patching is also required at the hardware firmware layer (microcode), operating system and application level in addition to the Hypervisor.  VMware has provided patches for ESXi which include microcode updates for popular CPUs.  vCenter patches are required and Virtual Hardware Version and VMware tools updates may also be necessary.  Outages will be required to complete patching including power cycling VM guest machines and guest OS server reboots.

Clients running Microsoft Hyper-V will need to apply updates at both the host and guest level.

On-premise infrastructure
Servers, desktops, and mobile phones are all impacted by these vulnerabilities and associated security patches are being released.  Patching will impact some workloads and performance may degrade as a result.  CCL recommends that clients follow standard patching processes including appropriate testing before release of patches to production systems.

Please note that anti-virus patches / registry key changes are required before the Microsoft patch can be successfully applied.  For CCL managed AV / Endpoint Security clients, the registry key has been deployed.

Patching will need to occur at a hardware firmware layer, operating system and application level in addition to the Hypervisor across multiple platforms to provide comprehensive protection against these vulnerabilities.  CCL has developed a guide for our engineering team to provide a best practice approach to managing the patching for Meltdown and Spectre.

If you would like more information or would like to discuss the potential performance impact to your workloads, then please contact support@concepts.co.nz or 0800 225 468.

Additional information
The official Graz University of Technology research site containing information about the vulnerabilities and major vendor responses:

https://meltdownattack.com/

Additional vendor information:

https://kb.vmware.com/s/article/52245
https://support.microsoft.com/en-us/help/4073757/protect-your-devices-against-spectre-meltdown

Browser protections:

https://www.chromium.org/Home/chromium-security/ssca
https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/

Performance impacts:

https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/
https://access.redhat.com/articles/3307751

Please contact CCL if you have any questions or concerns.