Resources


CIS CYBER SECURITY ADVISORY

MS-ISAC ADVISORY NUMBER:

2014-014

DATE(S) ISSUED:

02/20/2014

SUBJECT:

Multiple Vulnerabilities in Google Chrome Could Allow Remote Code Execution

EXECUTIVE SUMMARY:

Multiple vulnerabilities have been discovered in Google Chrome that could result in several issues including remote code execution. Google Chrome is a web browser used to access the Internet. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page.

Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the affected application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

At this time, there is no known proof-of-concept code available.

SYSTEMS AFFECTED:

  • Google Chrome prior to 33.0.1750.117

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

TECHNICAL SUMMARY:

Eight vulnerabilities have been reported in Google Chrome. Details of the vulnerabilities are as follows:

  • A security vulnerability exists with relative paths in the Windows sandbox named pipe policy. [CVE-2013-6652]
  • A use-after-free issue exists in web contents. [CVE-2013-6653]
  • A security vulnerability exists due to a bad cast in SVG. [CVE-2013-6654]
  • Multiple use-after-free issues exist in layout. [CVE-2013-6655, CVE-2013-6658]
  • Multiple information-disclosure issues exist in the XSS auditor. [CVE-2013-6656, CVE-2013-6657]
  • A security-bypass vulnerability exists in certificate validation during the TLS handshake. [CVE-2013-6659]
  • An information-disclosure issue exists in drag and drop. [CVE-2013-6660]
  • Multiple unspecified issues affect the application. [CVE-2013-6661]

Successful exploitation could result in an attacker gaining the same privileges as the affected application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts will likely cause denial-of-service conditions.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Update vulnerable Google Chrome products immediately after appropriate testing by following the steps outlined by Google.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Do not open email attachments or click on URLs from unknown or untrusted sources.

CIS CYBER SECURITY ADVISORY

CIS ADVISORY NUMBER:

2014-009

DATE(S) ISSUED:

02/11/2014

SUBJECT:

Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (MS14-011)

EXECUTIVE SUMMARY:

A vulnerability has been discovered in the VBScript scripting engine in Microsoft Windows. VBScript (Visual Basic Script) is an interpreted, object-based scripting language that is often used to make websites more flexible or interactive. This vulnerability can be exploited if a user visits a website with specially crafted content designed to take advantage of this vulnerability. Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in a denial-of-service condition.

THREAT INTELLIGENCE

At this time this vulnerability is not publicly disclosed and there is no known proof-of-concept code available.

SYSTEMS AFFECTED:

  • VBScript versions 5.6 through 5.8

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

TECHNICAL SUMMARY:

A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

To exploit this vulnerability an attacker hosts a specially crafted website and gets the user to visit the page. When the attacker’s script is decoded, it can cause a memory corruption error in Internet Explorer, which will result in either a crash or the execution of remote code.

Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in a denial-of-service condition.

By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode known as Enhanced Security Configuration, which mitigates the risk of this vulnerability.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply the appropriate patch provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Configure Internet Explorer to prompt before running ActiveX Controls and Active Scripting in all zones.

UDP-based Amplification Attacks

Systems Affected

Certain UDP protocols have been identified as potential attack vectors:

  • DNS
  • NTP
  • SNMPv2
  • NetBIOS
  • SSDP
  • CharGEN
  • QOTD
  • BitTorrent
  • Kad
  • Quake Network Protocol
  • Steam Protocol

Overview

A Distributed Reflective Denial of Service (DRDoS) attack is an emerging form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible UDP servers, as well as bandwidth amplification factors, to overwhelm a victim system with UDP traffic.

Description

UDP, by design, is a connectionless protocol that does not validate source IP addresses. Unless the application-layer protocol uses countermeasures such as session initiation, it is very easy to forge an IP datagram with an arbitrary source IP address [7]. When many UDP packets have their source IP address forged to a single address, the server sends its responses to that victim, creating a reflected Denial of Service (DoS) attack.

Recently, certain UDP protocols have been found to return responses to particular commands that are much larger than the initial request. Previously, attackers were limited linearly by the number of packets they could send directly to the target to conduct a DoS attack; now a single packet can generate a response tens or hundreds of times its own size. This is called an amplification attack, and when combined with a reflective DoS attack on a large scale it makes DDoS attacks relatively easy to conduct.

To measure the potential effect of an amplification attack, we use a metric called the bandwidth amplification factor (BAF).  BAF can be calculated as the number of UDP payload bytes that an amplifier sends to answer a request, compared to the number of UDP payload bytes of the request.

The known protocols and their associated bandwidth amplification factors are listed below. US-CERT would like to thank Christian Rossow for providing this information.

Protocol                 Bandwidth Amplification Factor   Vulnerable Command
DNS                      28 to 54                         see: TA13-088A [1]
NTP                      556.9                            see: TA14-013A [2]
SNMPv2                   6.3                              GetBulk request
NetBIOS                  3.8                              Name resolution
SSDP                     30.8                             SEARCH request
CharGEN                  358.8                            Character generation request
QOTD                     140.3                            Quote request
BitTorrent               3.8                              File search
Kad                      16.3                             Peer list exchange
Quake Network Protocol   63.9                             Server info exchange
Steam Protocol           5.5                              Server info exchange

Impact

Attackers can utilize the bandwidth and relative trust of large servers that provide the above UDP protocols to flood victims with unwanted traffic, a DDoS attack.

Solution

DETECTION

Detection of DRDoS attacks is not easy, because they use large, trusted servers that provide UDP services. For the victim, traditional DoS mitigation techniques may apply.

As a network operator of one of these exploitable services, look for abnormally large responses to a particular IP address.  This may indicate that an attacker is using your service to conduct a DRDoS attack.
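The BAF definition above and the operator-side check for abnormally large responses to one address, as an added example that is not part of the US-CERT alert. It assumes constructed flow records of (protocol, destination, request payload bytes, response payload bytes) exported by the service's own flow sensor; hosts and sizes are made up.

```python
from collections import defaultdict

# Constructed flow records from a reflector-capable UDP service:
# (protocol, destination_ip, request_payload_bytes, response_payload_bytes).
SAMPLE_FLOWS = [
    ("NTP", "203.0.113.10", 48, 48),        # ordinary time query, BAF 1.0
    ("NTP", "203.0.113.10", 48, 48),
    ("NTP", "198.51.100.7", 234, 130000),   # oversized replies, repeated
    ("NTP", "198.51.100.7", 234, 130000),
    ("NTP", "198.51.100.7", 234, 130000),
    ("DNS", "203.0.113.22", 60, 2400),      # large ratio but low volume
    ("DNS", "203.0.113.22", 60, 2400),
]


def baf(request_bytes, response_bytes):
    """Bandwidth amplification factor as the alert defines it: UDP payload
    bytes sent in reply divided by UDP payload bytes of the request."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def summarize_by_destination(flows):
    """Aggregate request count and byte volume per (protocol, destination)."""
    totals = defaultdict(lambda: {"requests": 0, "req_bytes": 0, "resp_bytes": 0})
    for proto, dst, req, resp in flows:
        entry = totals[(proto, dst)]
        entry["requests"] += 1
        entry["req_bytes"] += req
        entry["resp_bytes"] += resp
    return totals


def suspected_victims(flows, baf_threshold=10.0, min_response_bytes=100_000):
    """Return destinations that show both a high aggregate BAF and an
    abnormally large response volume. Either signal alone is noisy: one big
    legitimate reply, or many small normal ones, should not raise an alert."""
    hits = {}
    for (proto, dst), entry in summarize_by_destination(flows).items():
        ratio = baf(entry["req_bytes"], entry["resp_bytes"])
        if ratio >= baf_threshold and entry["resp_bytes"] >= min_response_bytes:
            hits[dst] = {"protocol": proto, "baf": round(ratio, 1),
                         "response_bytes": entry["resp_bytes"]}
    return hits


if __name__ == "__main__":
    for dst, info in suspected_victims(SAMPLE_FLOWS).items():
        print(f"{dst}: {info['protocol']} BAF {info['baf']} "
              f"({info['response_bytes']} response bytes)")
```

The thresholds are starting points; tune `min_response_bytes` to the service's normal per-client volume so a busy legitimate client is not mistaken for a victim.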

MITIGATION

Source IP Verification

Because the UDP requests sent by the attacker-controlled clients must have a source IP address spoofed to appear as the victim's IP, the first step in reducing the effectiveness of UDP amplification is for Internet Service Providers to reject any UDP traffic with spoofed addresses. The Network Working Group of the Internet Engineering Task Force (IETF) released the Best Current Practice 38 document in May 2000 and Best Current Practice 84 in March 2004, which describe how an Internet Service Provider can filter traffic on its network to reject packets with source addresses not reachable via the actual packet's path [3][4]. The changes recommended in these documents cause a routing device to evaluate whether it is possible to reach the source IP address of the packet via the interface on which the packet arrived. If it is not possible, the packet most likely has a spoofed source IP address. This configuration change would substantially reduce the potential for the most popular types of DDoS attacks. As such, we highly recommend that all network operators perform network ingress filtering if possible. Note that it will not explicitly protect a UDP service provider from being exploited in a DRDoS; all network providers must use ingress filtering in order to eliminate the threat completely.

To verify your network has implemented ingress filtering, download the open source tools from the Spoofer Project [5].
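The reverse-path test the BCP 38 / BCP 84 paragraph describes, as an added example that is not from the alert or the RFCs: a router accepts a packet only when the best route back to its source address leaves through the interface the packet arrived on. The routing table, interface names and addresses are constructed for the example.

```python
import ipaddress

# Constructed routing table, (prefix, egress interface): one customer
# network is reached through eth1, a second through eth2, and everything
# else goes to the upstream provider via the default route on eth0.
ROUTES = [
    ("0.0.0.0/0", "eth0"),
    ("192.0.2.0/24", "eth1"),
    ("198.51.100.0/24", "eth2"),
]


def build_table(routes):
    return [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]


def best_route(table, src_ip):
    """Longest-prefix match for src_ip; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for net, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_rpf_accept(table, ingress_iface, src_ip):
    """Strict reverse-path check: keep the packet only if the route back to
    its source leaves via the ingress interface. On a customer-facing port
    this drops packets whose source is not in that customer's prefix; on the
    upstream port the default route matches everything, so nothing is dropped
    there (the check belongs at the edge closest to the sender)."""
    route = best_route(table, src_ip)
    return route is not None and route[1] == ingress_iface


def loose_rpf_accept(table, src_ip):
    """Loose mode from BCP 84: accept if any non-default route to the source
    exists. Weaker, but usable where routing is asymmetric."""
    route = best_route(table, src_ip)
    return route is not None and route[0].prefixlen > 0


def filter_batch(table, packets, mode="strict"):
    """Apply the chosen check to (ingress_iface, src_ip) pairs; return those kept."""
    kept = []
    for iface, src in packets:
        ok = (strict_rpf_accept(table, iface, src) if mode == "strict"
              else loose_rpf_accept(table, src))
        if ok:
            kept.append((iface, src))
    return kept
```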

Traffic Shaping

Limiting responses to UDP requests is another potential mitigation for this issue. This may require testing to discover the optimal limit that does not interfere with legitimate traffic. The IETF released Request for Comments 2475 and Request for Comments 3260, which describe some methods to shape and control traffic [6] [8]. Most network devices today provide these functions in their software.

CIS CYBER SECURITY ADVISORY

CIS ADVISORY NUMBER:

2014-007

DATE(S) ISSUED:

02/04/2014

SUBJECT:

Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution

EXECUTIVE SUMMARY:

Multiple vulnerabilities have been discovered in the Mozilla Firefox, Thunderbird, and SeaMonkey applications, which could allow remote code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Thunderbird is an email client. Mozilla SeaMonkey is a cross-platform Internet suite of tools ranging from a web browser to an email client. Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

At this time, there are no known proof-of-concept exploits. Updating to the latest version of the affected software will remediate the issues.

SYSTEMS AFFECTED:

  • Firefox versions prior to 27.0
  • Firefox Extended Support Release (ESR) versions prior to 24.3
  • Thunderbird versions prior to 24.3
  • SeaMonkey versions prior to 2.24

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

National Cyber Awareness System:

02/04/2014 10:20 AM EST

Whether traveling to Sochi, Russia for the XXII Olympic Winter Games, or viewing the games from locations abroad, there are several cyber-related risks to consider. As with many international-level media events, hacktivists may attempt to take advantage of the large audience to spread their own message. Additionally, cyber criminals may use the games as a lure in spam, phishing, or drive-by-download campaigns to gain personally identifiable information or harvest credentials for financial gain. Lastly, those physically attending the games should be aware that their communications will likely be monitored.

Hacktivists

A number of hacktivist campaigns may attach themselves to the upcoming Olympics simply to take advantage of the onlooking audience. For example, the hacktivist group Anonymous Caucasus has launched what appears to be a threat against any company that finances or supports the winter games. This group states the Sochi games infrastructure was built on the graves of 1 million innocent Caucasians who were murdered by the Russians in 1864. According to Trusted Third Party analysis, the group has been linked to distributed denial of service (DDoS) attacks on Russian banks in October 2013. Therefore, the group is likely capable of waging similar attacks on the websites of organizations they believe financed Olympic-related activities; however, no specific threat or target has been identified at the time of this report.

CIS CYBER SECURITY ADVISORY

CIS ADVISORY NUMBER:

2014-004

DATE(S) ISSUED:

1/15/2014

SUBJECT:

Multiple Vulnerabilities in Google Chrome Could Allow Remote Code Execution

EXECUTIVE SUMMARY:

Multiple vulnerabilities have been discovered in Google Chrome that could result in several issues including remote code execution. Google Chrome is a web browser used to access the Internet. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page. Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the affected application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE

At this time these vulnerabilities are not publicly disclosed and there is no known proof-of-concept code available.

SYSTEMS AFFECTED:

  • Google Chrome prior to 32.0.1700.76

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

Web Application Security Vulnerabilities

Brute Force Attack – Any website that requires authentication is a high-value target for this attack. Attackers launch it with widely available tools that use wordlists to guess passwords. Brute-force attacks try every possible combination of alphanumeric characters and symbols until the correct one is found. User accounts are at risk, and the attempts can flood the site with unnecessary traffic.

Cross-Site Request Forgery | CSRF – This attack tricks a victim into visiting a page that contains a malicious request, which inherits the victim's identity to perform a nefarious act. If the victim is currently authenticated to a website, the web server is unable to determine whether the request is genuine.

Cross-Site Scripting | CSS or XSS – This type of attack enables attackers to inject client-side scripts (JavaScript, ActiveX, HTML, Flash, VBScript) into web pages. Attackers can use it to bypass technical controls. Any website that passes parameters to a database can be vulnerable to this technique; such parameters are present in login pages and forgot-my-password forms. XSS may compromise PII, steal session cookies, and execute malicious code on a local system.

SQL Injection – Attackers use this technique to steal data from a website, and it is one of the most common application-layer attacks. Poor web application coding allows SQL injection: SQL commands entered into a login form reach the database, which lets attackers access the sensitive data stored there. A specially crafted SQL command can bypass the login form and expose the treasure trove of data found in the database. The scripting languages vulnerable to this attack are ASP.NET, PHP, JSP & CGI.
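The login-form case just described, as an added example that is not code from the page: a query built by splicing the form field into the SQL text, beside the parameterized form that removes the defect. It uses an in-memory SQLite table with one constructed user; the unsalted SHA-256 stands in for a real password hash only to keep the example short.

```python
import hashlib
import sqlite3


def _hash(password):
    # Placeholder for the example only; production code uses a slow, salted
    # password hash (bcrypt, scrypt, Argon2), never bare SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """In-memory SQLite database with one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", _hash("correct horse")))
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """The 'poor coding' the page describes: the form field is concatenated
    into the SQL text, so a username that closes the quoted literal and
    comments out the rest of the WHERE clause matches without a password."""
    query = ("SELECT 1 FROM users WHERE username = '" + username +
             "' AND pw_hash = '" + _hash(password) + "'")
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username, password):
    """Parameterized query: the driver sends the field values separately
    from the SQL text, so they are only ever compared as data."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND pw_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    crafted = "alice' --"   # constructed input: ends the literal, comments out the rest
    print("vulnerable:", vulnerable_login(db, crafted, "wrong"))  # True
    print("safe:", safe_login(db, crafted, "wrong"))              # False
```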


File Inclusion – This allows an attacker to include a remote file by modifying the script path in the URL. It can lead to displaying the contents of the file or executing malicious code on the server or client side. Denial of service and data manipulation can also result from this type of vulnerability. It is typically found in PHP. As described in the lab, the contents of the server's user account file were displayed on the screen.

File Upload – Allows an attacker to send a malicious file to the web server and then have the code executed on the target system. The consequences of this type of attack can be detrimental to any server, ranging from complete takeover to complete denial of service. The attacker can then browse and manipulate system files, exploit vulnerabilities, and possibly attack other servers.

Command Execution – Allows an attacker to execute operating system commands. For example, using PING the attacker can see that the host is up, and can list the files and folders in the website's directory using the LS command (typically on Linux). In addition to OS commands, BASH commands can also be used. Windows is also vulnerable to this type of attack.

For more general resources or topics of interest, please contact i2One.