
Recent Malware Advice: Warnings on Potential Vulnerabilities

The Scottish Business Resilience Centre Cyber Team would like to inform its members and partners of some recent vulnerabilities highlighted as critical by Microsoft, the National Cyber Security Centre (NCSC) and security vendors. Patching your systems immediately is advised.

  1. Remote Desktop Services Remote Code Execution Vulnerability (CVE-2019-0708)

Microsoft is urging computer users to patch their systems now against a critical vulnerability that could be exploited by a fast-moving worm. The vulnerability (CVE-2019-0708) is in Remote Desktop Services (formerly known as Terminal Services). Although Microsoft says it has not yet seen any malicious hackers exploiting the flaw, it believes it is “highly likely” that it will be incorporated into malware.

And that, potentially, is a big problem because of the rapid speed with which a worm can spread. As Microsoft’s advisory explains: “This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”

Vulnerable versions of Windows include Windows 7, Windows Server 2008 R2 and Windows Server 2008, all of which are still officially supported by Microsoft and for which security patches are available.

  2. SharePoint Vulnerability (CVE-2019-0604)

On Friday 17th May the NCSC released an Alert on its website relating to a SharePoint vulnerability. NCSC had also previously pushed this out via CiSP (the Cyber Security Information Sharing Partnership). The Alert can be accessed here: https://www.ncsc.gov.uk/news/alert-microsoft-sharepoint-remote-code-vulnerability

Microsoft published details of this vulnerability, CVE-2019-0604, which allows an attacker to run arbitrary code by uploading a specially crafted SharePoint application package. Successful exploitation could allow an attacker to gain access to sensitive data, enable lateral movement within a network and potentially use that access to target an organisation’s customers and suppliers.

NCSC say they are seeing a concerning number of large organisations, from a wide range of sectors, falling victim to this vulnerability. NCSC have seen it enable deep lateral movement within large networks.

  3. Adobe Vulnerabilities

Along with the Windows vulnerabilities, Adobe also disclosed vulnerabilities and protected against others in a recent patch. Within Acrobat and Reader DC, two of Adobe’s most popular programs, there were 84 vulnerabilities classed as critical[1]. This software is commonly used to read or edit PDF files, one of the most common formats for sending and receiving documents such as reports and invoices. There are too many vulnerabilities to cover here, but many of them allow access to data that should not be accessible, or allow attackers to execute malicious code on a remote system when a malicious PDF file is opened.

The fix for this is a simple update that can be downloaded from Adobe directly. The update prompt will most likely be presented to the user when the software is opened. However, if unsure, it is best to download the latest version from Adobe’s website[2] and uninstall the old version (often done automatically when installing the new version).

[1] https://www.zdnet.com/article/adobe-security-updates-released-for-critical-flash-acrobat-reader-bugs/

[2] https://acrobat.adobe.com/uk/en/acrobat/

  4. Intel Vulnerabilities

Intel published 3 vulnerabilities that leverage speculative execution, similar to Spectre and Meltdown, the major exploits disclosed last year. The attack can occur both on ordinary computers with Intel processors and on cloud computing services. These have been dubbed the Microarchitectural Data Sampling (MDS) vulnerabilities.

The first is called RIDL (Rogue In-Flight Data Load). The way it works is simple: an attacker pulls data from temporary storage on the processor chip before it is written to RAM or loaded into the processor core. It can access this information whether the exploit is run over the internet via JavaScript, in the cloud or against operating system kernels.

Secondly, Fallout is used to bypass the memory address randomisation that protects computers against memory corruption. By doing so, it can access a small area of memory called the Store Buffer, which can hold any type of information. Finally, ZombieLoad works similarly to RIDL and is also used to steal data from the processor.

Mitigations

The mitigations proposed for these vulnerabilities are simple to implement. On newer processors, users only need to apply the updates issued by vendors. For older processors, it may also be necessary to deactivate hyper-threading if the processor is equipped with it.

These mitigations will limit the performance of the processor, so some computing power and efficiency will be lost. They restrict the processor’s ability to access and store memory: the fix either removes that ability or slows it down with validation procedures. The article at [3] describes the performance hits reported by various vendors. It is therefore at your discretion whether or not you are willing to accept a significant performance hit on your devices.
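As an added example (not part of the SBRC advisory), the following POSIX shell check reads the sysfs entries a patched Linux kernel exposes and reports whether the vendor update for MDS is in place and whether hyper-threading (SMT) is still enabled, the two conditions discussed above. The directory argument and the status labels it prints are my own construction for illustration.

```shell
#!/bin/sh
# Report MDS mitigation state on a Linux host. Added example, not vendor code.
# Assumes a kernel with the MDS fix, which exposes
#   /sys/devices/system/cpu/vulnerabilities/mds   (mitigation status string)
#   /sys/devices/system/cpu/smt/control           (on/off/forceoff/notsupported/...)
# The base directory is a parameter so the check can run against a copy.

# mds_report [DIR]  -> prints one of:
#   not-affected | patched-smt-off | patched-smt-on | unpatched | unknown
mds_report() {
    base="${1:-/sys/devices/system/cpu}"
    mds_file="$base/vulnerabilities/mds"
    smt_file="$base/smt/control"

    if [ ! -r "$mds_file" ]; then
        # Kernels without the MDS fix do not expose this file at all.
        echo "unknown"
        return 0
    fi
    mds=$(cat "$mds_file")
    # Older kernels lack smt/control; treat that like "notimplemented".
    smt=$(cat "$smt_file" 2>/dev/null || echo "notimplemented")

    case "$mds" in
        "Not affected")
            echo "not-affected" ;;
        Mitigation:*)
            # Kernel and microcode fix present. With SMT on, a sibling thread
            # still shares the buffers, so the advice is to disable it too.
            case "$smt" in
                on) echo "patched-smt-on" ;;
                *)  echo "patched-smt-off" ;;
            esac ;;
        Vulnerable*)
            # Covers "Vulnerable" and "Vulnerable: ... no microcode", i.e. the
            # vendor (microcode) update has not been applied yet.
            echo "unpatched" ;;
        *)
            echo "unknown" ;;
    esac
    return 0
}

# Run against the live system when no directory is given.
mds_report "$@"
```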

[3] https://www.theverge.com/2019/5/17/18628568/how-to-secure-mds-intel-zombieload-apple-windows-chromeos
