BIG-IP iControl REST API Authentication Bypass

BIG-IP iControl REST API Authentication Bypass

Credit: Yann Lehmann iControl REST is an evolution of F5 iControl framework. Leveraging this Representational State Transfer (REST) API, an authenticated user can accomplish anything that can be accomplished from the F5 BIG-IP command line. It is an extremely powerful API. On May 04, 2022, F5 disclosed a critical CVE, CVE-2022-1388. It may allow an unauthenticated attacker with network access to the management port or the self IP addresses of the BIG-IP system to leverage the iControl REST component. This is because some requests to iControl REST can directly bypass the authentication mechanism. Due to the capabilities of this component, anyone with network access to the management port or the self IP addresses can execute arbitrary system commands and modify services or files. From the nature of the iControl rest component, this is a control plane vulnerability that does not expose the data plane. For additional details on how to identify what could be your impacted systems, please review the attached advisory. Would you need further assistance, please ask the Cyber Fusion Center by using the MSS Portal or by phone: North America: 1-866-929-3528 EMEA: +41 58 317 77 77 Kind regards, The Cyber Fusion Center
Microsoft Type 1 Font Parsing Critical 0-Day Remote Code Execution Vulnerabilities

Microsoft Type 1 Font Parsing Critical 0-Day Remote Code Execution Vulnerabilities

Summary

On March 23rd, 2020 Microsoft publicly disclosed the existence of two critical 0-Day vulnerabilities in all recent versions of the Microsoft Windows operating system. Microsoft is aware of limited targeted attacks that leverage these 0-Day vulnerabilities and has provided guidance on how to temporarily mitigate the exploitation of these unpatched vulnerabilities. Patches for these vulnerabilities are not expected until April’s “Patch Tuesday” release.

The 2 (two) 0-Day Remote Code Execution (RCE) vulnerabilities exist because of the way the Windows Adobe Type Library improperly handles a specially crafted font file in the “Adobe Type 1 PostScript” format. This Adobe Type Library is included by default in all Windows systems and, as such, all recent Microsoft Windows systems are impacted.

Successful exploitation of this vulnerability requires that attackers trick users into either previewing or opening a maliciously crafted document. Exploitation will likely be in the form of a phishing attempt with a malicious document attached. Attackers could also leverage Web Distributed Authoring and Versioning (WebDAV) based HTTP requests to load previews of the maliciously crafted font files in order to exploit these vulnerabilities.

Systems running Windows 10 are still vulnerable to potential exploitation but built-in mitigations make successful exploitation much more difficult. Windows 10 leverages isolated “App Containers” with limited privileges. The use of these isolated “App Containers” significantly increases the difficulty of successfully compromising a system by exploiting these issues but does not prevent exploitation.

For additional details on how Windows 10 mitigates these types of exploits, review Microsoft’s article on Windows 10’s zero-day exploit mitigation features (including mitigating font parsing vulnerabilities).

The Cyber Fusion Center strongly recommends all clients deploy some mitigations to prevent potential exploitation (especially on non-Windows 10 systems). Mitigation options include:

  • Disabling the Preview Pane and Details Pane in Windows Explorer
  • Disabling the WebClient (for WebDAV) service
  • Renaming the impacted Dynamic Linked Library (DLL) file (ATMFD.DLL)

For additional details on how to successfully mitigate these issues, please review the “Temporary Mitigation” section of this advisory.

Affected software

  • Windows 10 (All versions)
  • Windows 8.1 (All versions)
  • Windows 7 (All versions)
  • Windows Server 2008 / R2 (All versions)
  • Windows Server 2012 / R2 (All versions)
  • Windows Server 2016 (All versions)
  • Windows Server 2019 (All versions)

Impact

Successful exploitation of these vulnerabilities can provide attackers kernel level privileges on impacted Windows systems. Such access enables attackers take complete control of impacted systems.

Temporary Mitigation & Workarounds

The Cyber Fusion Center strongly recommends all clients deploy some mitigations to prevent potential exploitation (Especially on non-Windows 10 systems). Mitigation options include:

  • Disabling the Preview Pane and Details Pane in Windows Explorer
  • Disabling the WebClient (for WebDAV) service
  • Renaming the impacted DLL file (ATMFD.DLL)

The sections below describe how to apply these temporary workarounds to prevent the exploitation of these 0-Day vulnerabilities.

Disabling the Preview Pane and Details Pane in Windows Explorer (Windows Server 2008 (R2), Windows 7, Windows Server 2012 (R2), and Windows 8.1):

Disabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer. While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability.

To disable these panes, perform the following steps:

  1. Open Windows Explorer, click Organize, and then click Layout.
  2. Clear both the Details pane and Preview pane menu options.
  3. Click Organize, and then click Folder and search options.
  4. Click the View
  5. Under Advanced settings, check the Always show icons, never thumbnails box.
  6. Close all open instances of Windows Explorer for the change to take effect.

Disabling the Preview Pane and Details Pane in Windows Explorer (Windows Server 2016, Windows 10, and Windows Server 2019):

To disable these panes, perform the following steps:

  1. Open Windows Explorer, click the View
  2. Clear both the Details pane and Preview pane menu options.
  3. Click Options, and then click Change folder and search options.
  4. Click the View
  5. Under Advanced settings, check the Always show icons, never thumbnails box.
  6. Close all open instances of Windows Explorer for the change to take effect.

Disabling the WebDAV WebClient Service

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service.

Note: Even after disabling the WebClient Service, it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs already installed on the targeted computer or programs which are available via local network file shares. However, this mitigation will now prompt users before running arbitrary software from non-local sources (such as the internet).

To disable the WebClient Service, perform the following steps:

  1. Click Start, click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK.
  2. Right-click WebClient service and select Properties.
  3. Change the Startup type to Disabled. If the service is running, click Stop.
  4. Click OK and exit the management application.

Rename the impacted Dynamic Link Library (DLL) ATMFD.DLL on 32-bit systems

  1. Enter the following commands at an administrative command prompt:
cd "%windir%\system32"

takeown.exe /f atmfd.dll

icacls.exe atmfd.dll /save atmfd.dll.acl

icacls.exe atmfd.dll /grant Administrators:(F)

rename atmfd.dll x-atmfd.dll

  1. Restart the system

Rename the impacted Dynamic Link Library (DLL) ATMFD.DLL on 64-bit systems

  1. Enter the following commands at an administrative command prompt:
cd "%windir%\system32"

      takeown.exe /f atmfd.dll

      icacls.exe atmfd.dll /save atmfd.dll.acl

      icacls.exe atmfd.dll /grant Administrators:(F)

      rename atmfd.dll x-atmfd.dll

      cd "%windir%\syswow64"

      takeown.exe /f atmfd.dll

      icacls.exe atmfd.dll /save atmfd.dll.acl

      icacls.exe atmfd.dll /grant Administrators:(F)

      rename atmfd.dll x-atmfd.dll
  1. Restart the system.

Disable the Adobe Type Manager Library via registry on Windows 8.1 or below (not recommended)

It’s possible for Windows administrators to disable the Adobe Type Manager Library by modifying the Windows registry on Windows 8.1 and below.

However, disabling the library in this method may impact applications that rely on embedded font technology Disabling ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. For details on how to disable ATMDF via registry changes please review Microsoft’s Security Advisory.

For details on potential impacts of these workarounds, or details on how to roll back these changes, please review Microsoft’s security advisory.

Sources

Cybersecurity Concerns with COVID-19

Cybersecurity Concerns with COVID-19

We are having increasing numbers of conversations with clients about cybersecurity and business continuity challenges resulting from the rapid adoption of work-from-home scenarios to combat the spread of COVID-19.

Clients are interested in cybersecurity policy updates to improve remote access, and asking for increased employee education around BYOD security, secure WiFi use, basic security hygiene, and COVID-19 phishing attack awareness. And finally, clients are asking how they can maintain security with a dramatic increase in devices and employees accessing sensitive data and systems from remote locations.

Below are some of the frequently asked questions (FAQs) we’re being asked along with the advice we are sharing.  There are likely many approaches, and many other questions. Please join the conversation by posting your point of view. We’re interested to hear how others are solving the challenges.

Technology Concerns:

My corporate VPN will not handle the strain of thousands of telecommuting employees. What should I do?

Most organizations do not have VPN capacity for everyone. If you find your existing VPN infrastructure overwhelmed, it will be challenging to procure physical equipment and increase the capacity of your internet links, in a short time period.

We recommend you start by asking ‘what applications and business processes really require VPN’. Many services your business consumes are now delivered from the Cloud and are accessible directly without a VPN connection. (i.e. Office 365, Salesforce, Netsuite, Workday, etc.)

If you really need to increase VPN capacity, we can suggest a temporary workaround: Open VPN Server via the AWS marketplace. A number of our clients have done this.  You can procure the license and the VM’s in a pay-as-you-go model. This allows you to leverage Amazon’s internet presence, and by establishing a site-to-site VPN back to your internal systems, you can rapidly increase your VPN capabilities while you procure enhancements to your internal infrastructure.  Typically, your existing firewalls can handle more traffic via a site-to-site VPN than from 1000’s of remote users.

What technology should I prioritize to facilitate business continuity in a work-from-home situation?

  • Collaboration licenses. Do you have enough collaboration license for everyone? With meetings shifting online it will likely stretch your collaboration infrastructure. 

We recommend balancing capabilities along with the desire to allow employees and business partners to communicate via both voice and video when it makes sense. Video could become very important to maintaining a cohesive environment over time if people are unable to meet in person for an expended period of time.

  • Password reset infrastructure.

The pressure on password reset infrastructure will become a challenge.

We suggest investing in self-service capabilities, if not already done so.  If you haven’t, you are likely to face problems and potentially have your helpdesk over-run with requests.

Security Concerns

What are the current tactics most commonly employed by attackers to compromise my security?  

Kudelski Security has received many reports from our clients about the following:

  • Fake Users Requesting Remote Access from the HelpDesk. This will continue to grow in frequency

Organizations will need to have a robust method of authenticating their remote employees in order to avoid falling victim to this type of attack. Hopefully, the time you previously invested in having a robust password reset process for your helpdesk will be able to be leveraged to protect against this attack.

  • Fake Users Pretending to be Helpdesk Support. This tactic usually involves the attacker asking employees to install software. This will also continue to grow in frequency.

We recommend you educate your workforce on how to identify a valid helpdesk request.  Technical controls limiting the software employees can install is also a good call at this point.

  • Fake Hardware Purchasing Requests Attackers are attempting to place orders for hardware under the auspices of a newly remotely working employee.

You will be better protected if you authenticate your requestors properly. Having a process in place where your hardware vendors only accept requests from validated sources will help you here.

What are the implications of remote working on my SOC data and operations?

A dramatic increase in remote connections is going to throw off your SOC baselines and will require you to re-baseline your traffic. It could also test your SEIM capacity to process and analyze all the new alerts.

We recommend you refine your threat hunting activities since all of these new remote connections are going to make it much harder to find bad actors.

Many employees work with sensitive data.  How can we facilitate secure business continuity in a remote-office environment?

Many employees are working with sensitive data and may not be used to working with it outside of the office environment.

We recommend you run some compulsory security training to remind employees about good security practice (secure WiFi use, issues around BYOD, shadow cloud/IT, basic security hygiene, and Covid-19 phishing attack awareness).

We also suggest you may need to revamp your process to enable this type of work securely. This extends to having sensitive conversations in an unsecure environment, and will impact your research and development personnel who may be working on unreleased products. What are you going to let them take home? Or will you have to suspend certain projects if you determine you need to close your office?

Staffing & Business Continuity Concerns

What are the best ways to support employees working from home, many of whom are not used to working remotely?

Having a large influx of new remote employees, many of whom are not accustomed to working remotely will place a significant short term strain on your support staff.

Start by looking at additional resources or special incentive plans to mitigate any slack.  Do people have the hardware to be productive?, i.e. printers, multiple monitors, power adaptors, dongles for our Mac people, etc. And while many clients are enabling staff to outfit their home offices with equipment from their primary offices, some cataloging should be done. At some point, many of these folks will likely return to an office. Corporate IT and finance will want to account for all the extra hardware that was either borrowed or purchased during this time to ensure it is returned or inventoried.

How can we keep morale and momentum going, in the medium to long-term? How do I keep revenue-generating employees engaged if the pandemic continues to affect new sales?

Honesty here is key. We also recommend having an open and honest discussion with your employees about the situation as it develops. It’s important that staff are reassured that this situation won’t last forever. Maintaining morale and ‘just checking in’ on your teams through regular phone calls/video calls will go a long way to keeping employees engaged.

See this unprecedented situation as an opportunity for online training. Programs that help skills development for remote working as well as developing industry-relevant knowledge are readily available.

What is the best way to preserve capital?

Preserving capital is an important point for reflection.

We suggest effective action is to right-size your project portfolio. Take the time to determine what projects across the enterprise are business-critical given the new operating environment. It’s likely you have many initiatives that can be postponed so that staff can focus on business-critical ones during this event. Not only does this preserve capital, but it also helps with any future staffing shortages

Need an expert? We can help. Click here.

This is an on-going blog post. Please comment here with anyone questions or concerns you may have and one of our experts will answer. 

Global Cybersecurity Outlook: Andre Kudelski at World Economic Forum

Global Cybersecurity Outlook: Andre Kudelski at World Economic Forum

The annual cost of cyberattacks is expected to reach $6 trillion by 2021. What trends will shape cybersecurity in the near future?

On the Forum Agenda:
– Threats and opportunities for emerging technologies
– New models of public-private information exchange
– Improving organizational management and talent development

Access the Platform for Shaping the Future of Cybersecurity and Digital Trust via TopLink.

Cybercriminalité; La sécurité des réseaux électriques devient vitale

Cybercriminalité; La sécurité des réseaux électriques devient vitale

Kudelski se profile dans la sécurité des infrastructures critiques alors que la Confédération est en train d’étudier la vulnérabilité du système électrique

La cybersécurité est au cœur de la controverse qui oppose l’entreprise chinoise Huawei à l’administration
américaine dans le déploiement de la 5G. La question va immanquablement se poser bientôt dans
l’infrastructure des réseaux électriques dits intelligents. S’ils venaient à être piratés, un hôpital, une ville, voire
un pays pourraient être plongés dans le noir par l’action de personnes mal intentionnées.

Ne pas répéter les mêmes erreurs

À Davos, André Kudelski était l’une des vedettes des panels de discussions organisés par le WEF. À ses
yeux, il ne faut pas répéter la même erreur que celle commise avec le développement d’internet, infesté de
virus et vulnérable aux manipulations.

Faute d’avoir anticipé les risques de cybersécurité, tous les systèmes informatiques classiques doivent
constamment renouveler leur protection dans l’espoir qu’ils pourront contenir une attaque. «Les nouveaux
réseaux électriques intelligents, qui vont monitorer en temps réel les flux d’énergie, relier consommateurs et
producteurs, doivent être conçus dès le départ pour être résilients et non colmatés après coup», explique le
CEO André Kudelski. Le directeur de l’Office fédéral de l’énergie, Benoît Revaz, acquiesce: «Les réseaux
électriques vont comporter des milliers d’accès sensibles. S’ils seront très utiles pour gérer la demande et la
consommation, la vulnérabilité augmentera fortement.

La voiture dans le ravin

L’analogie avec la voiture connectée permet de mieux illustrer le problème que pose la sphère virtuelle quand
elle pilote le monde réel. S’il n’est pas très grave de perdre ses mails ou de devoir interrompre
temporairement l’activité d’une entreprise, une voiture connectée piratée finira, elle, dans le ravin. Dans le
domaine de l’électricité, un réseau peut s’effondrer et, en cascade, déclencher un black-out intégral.

Voilà pourquoi Kudelski a développé des compétences dans la gestion des réseaux d’infrastructures
sensibles, aux États-Unis mais également en Suisse. Certains États, comme le Royaume-Uni ou la Lettonie,
ont déjà essuyé de sérieuses attaques. Dans le cas d’un hôpital anglais, l’enquête a démontré que les pirates
étaient entrés dans son système informatique par l’ordinateur gérant la ventilation.

Conscient de ces dangers, qui vont décupler avec l’arrivée des compteurs intelligents, l’injection de courant
par des milliers de propriétaires d’installations photovoltaïques, l’Office fédéral de l’énergie procède
actuellement à une évaluation des risques et examine le type de réglementation qui sera nécessaire pour
éviter les pannes à répétition qui affectent les réseaux informatiques classiques.

L’OFEN pense qu’il est illusoire de vouloir réguler de manière rigide la sécurité. Il est plus utile de s’adapter
en permanence à la technologie en collaboration avec l’industrie. L’important est de vérifier que des
standards minimaux sont respectés dès le départ dans le déploiement des nouvelles applications.

Partenaires confidentiels

La société Kudelski se profile comme l’un des partenaires des entreprises suisses; elle réalise déjà un chiffre
d’affaires de plusieurs millions de francs par année avec des acteurs qui ne peuvent toutefois pas être
mentionnés pour des questions de confidentialité et de sécurité. Les labos de l’entreprise de Cheseaux lui
permettent d’examiner non seulement la vulnérabilité aux attaques de type virales, mais également la nature
des composants électroniques, les puces et microprocesseurs fabriqués par les usines de semi-conducteurs.

Les ingénieurs vérifient si les puces comportent ou non une porte d’entrée cachée utilisable par des pirates.
C’est précisément ce doute que les États-Unis brandissent pour interdire au fabricant chinois Huawei de
déployer la 5G sur leur territoire. On l’aura compris, si la sécurité dans les réseaux de téléphonie mobile est
critique pour les États, elle va devenir vitale dans le domaine de l’électricité.

Article original par Pierre Veya, est publié dans La Tribune de Genève, 24 jan. 2020