Microsoft and Adobe Patching Advisory for May 2019

This month security patches from Microsoft have gained attention from the media as well as the information security community. Microsoft has pushed patches to address 79 vulnerabilities with 23 rated critical, 2 reported as publicly known, and 1 as being actively exploited in the wild but rated as Important. Here are the main highlights: 

1. Windows Remote Desktop Services (RDP) Remote Code Execution Vulnerability (CVE-2019-0708): This is the most critical vulnerability that poses a high risk on organizations. The vulnerability could provide an attacker full privileged access by sending a specially crafted request to the target systems Remote Desktop Service via RDP. It doesn’t require any user interaction to be exploited. This vulnerability is a Remote Code Execution (RCE) and is a ‘wormable’ vulnerability. The affected versions are Win7, Win2008, Win2008 R2. Microsoft has also issued patches for the Out-of-Support versions WinXP and Win2003. Affected versions with port 3389 open should install the patch ASAP. Some workarounds can be enabling NLA and blocking port 3389 at the edge router. Patches for the Out-of-Support version are available in a separate page (https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708)

2. Windows DHCP Server Remote Code Execution Vulnerability (CVE-2019-0725): similar to the previous months of 2019, DHCP is being under scrutiny by security researchers. The Remote Code Execution (RCE) vulnerability in DHCP Server could allow a remote unauthenticated attacker to execute arbitrary code by sending a specially crafted packet. Similar to the RDP vulnerability above, it doesn’t require user interaction to be exploited. There’s no publicly known exploit, however, this vulnerability is likely to be weaponized. 

3. Windows Error Reporting Elevation of Privilege Vulnerability (CVE-2019-0863): this is an Elevation of Privilege (EoP) vulnerability that exists in one of the Windows components. It could allow an attacker to execute arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Though, the attacker would need to log on to the system first.

4. Microsoft Guidance to Mitigate Microarchitectural Data Sampling (MDS) Vulnerabilities (ADV190013): this has been dubbed “ZombieLoad”. It is a subclass of the speculative execution vulnerabilities. It joins the CPU vulnerabilities Foreshadow, Meltdown, Spectre. There is currently no patches for this vulnerability. However, the MDS Vulnerabilities have been classified as low to medium severity. Also, there are no reports of any real world exploits of these vulnerabilities. The likelihood is low since exploiting the MDS vulnerabilities outside the controlled conditions of a research environment is a complex undertaking. 

The rest of the vulnerabilities could be new attack vectors for social engineering. We rate the MS patches for this month as “Patch as Scheduled” except for the RDP and DHCP which have been designated as “Patch Now”. The rest of the month’s vulnerabilities should be mitigated by user-education, and email and web-proxy hygiene in order to prevent users handling files or links from unknown or questionable sources.

Links:

·   https://portal.msrc.microsoft.com/en-us/security-guidance

·   https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/e5989c8b-7046-e911-a98e-000d3a33a34d 

·   CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability

·   CVE-2019-0725 | Windows DHCP Server Remote Code Execution Vulnerability

·   CVE-2019-0863 | Windows Error Reporting Elevation of Privilege Vulnerability

·   ADV190013 |Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities

·   MDS | https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html 

·   ZombieLoad | https://zombieloadattack.com/

 

Adobe: 

Adobe released patches to address vulnerabilities in Acrobat and Reader, Flash, and Adobe Media Encoder. In order to exploit the vulnerabilities, an attacker would need to convince the victim to click on a malicious link

The Adobe vulnerabilities receive the “Patch as Scheduled” designation.

·   https://helpx.adobe.com/security.html

 

---

 Meltdown/Spectre/ZombieLoad:

As mentioned above, Microsoft has released an Advisory for the Microarchitectural Data Sampling (MDS) Vulnerabilities (ADV190013) dubbed “ZombieLoad”. The guidance from InfoSec continues to fall into the broad outline of:

·   Consult with your vendors

·   Test aggressively (especially around the MS Reg-hack)

·   Patch and update your firmware

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002

Please always remember the rules of safe patching:

·   Deploy to test/dev environment before production

·   Deploy to a pilot/test group before the whole organization

·   Have a plan to roll back if something doesn’t work

·   Test, test, and test! 

 

Should you have any questions, please feel free to leave a comment. Also make sure you (Follow) if you would like to be aware of what Microsoft and Adobe release for patching security vulnerabilities regularly. 

 

Patch Tuesday January 2019 – on a post note –

Summary: The January MS Security update bundle is categorized as “Patch as Scheduled”, except for the DHCP client patch in Win10 version 1803 which is categorized as “Patch Now”. Adobe Flash is “Patch as Scheduled”.

*******

Microsoft: MS addressed 48 vulnerabilities with 7 rated critical, 1 publicly disclosed, and none are reported as being actively exploited. There is a particular vulnerability discovered affecting the DHCP client in Win10 and Server version 1803 (CVE-2019-0547). This DHCP Client vulnerability is considered a “wormable” bug because the code execution will happen through a widely available listening service. Given the expected impact, the patch should be prioritized. On the other hand, the publicly disclosed vulnerability is (CVE-2019-0579) Jet Database Engine Remote Code Execution Vulnerability.

The vulnerabilities could be new attack vectors for social engineering. However, there are no exploits currently in the wild for the publicly disclosed vulnerability. We rate the January MS patches as “Patch as Scheduled” except for the DHCP Client patch. This month’s vulnerabilities should be mitigated by user-education, email and web-proxy hygiene in order to prevent users handling files or links from unknown or questionable sources.

Links:

• https://portal.msrc.microsoft.com/en-us/security-guidance
• https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/b4384b95-e6d2-e811-a983-000d3a33c573
• CVE-2019-0547 | Windows DHCP Client Remote Code Execution Vulnerability

 Known Issues:

• SqlConnection instantiation exception on .NET 4.6
• Network Interface may stop working

 

Adobe: In addition to the unscheduled patch released on Jan 3^rd for Acrobat reader, Adobe released additional security patches for Flash, Connect, and Adobe Digital Editions. The Flash patch does not address any security bugs but only provides bug fixes. The Connect patch addresses a single CVE correcting a security token exposure. Similarly, the patch for Digital Editions patches a single CVE fixing an out of bounds read. None of these issues are listed as being publicly known or under active attack at the time of release. The Adobe vulnerabilities receive the “Patch as Scheduled” designation.

• https://helpx.adobe.com/security.html
• https://helpx.adobe.com/security/products/flash-player/apsb19-01.html
• https://helpx.adobe.com/security/products/acrobat/apsb19-02.html

 

Meltdown/Spectre: The guidance from InfoSec continues to fall into the broad outline of:

• Consult with your vendors
• Test aggressively (especially around the MS Reg-hack)
• Patch everything

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002

******

Please always remember the rules of safe patching:

• Deploy to test/dev environment before production
• Deploy to a pilot/test group before the whole organization
• Have a plan to roll back if something doesn’t work
• Test, test, and test!

 

Press:

• SANS 
• PTD
• KREBS
• BLEEPINGCOMPUTER
• COMPUTER WORLD
• ZDI
• REDDIT r/sysadmin

 

Legend:

• Patch Now: 1-2 weeks
• Patch as scheduled: 4-6 weeks

Add DNS (A) record for a sub-domain in Google Domains

It’s always good to have a one-stop-shop when you try to host a website or application online. But, that might not be the best bang for your buck. So, you will end up hosting the application with a vendor, having your domain managed by a different one, and maybe you’re using G-suite or O-365 as your email system; and this is my case to pick and choose the best options depending on business requirements and potential growth. So, I’ve decided to use https://domains.google to be my domain registrar for a client that I worked with. Though, it comes with challenges sometimes.

Google domains provide cheap, lightning-fast, and intuitive service as compared to other service providers. It cost me $12 a year per domain. You get all features offered by other registrars plus 2-factor authentication to protect your dashboard.

One of the challenges would be the need to create manually MX records based on your service provider, create A records for your domain as well as sub-domains. When you create a sub-domain from cPanel, you need to create a record to point to the newly created folder (sub-domain). To do so, follow the steps below:

1. Login to https://domains.google
2. Go to DNS
3. Scroll down until you get Custom records
4. In the first box type the name of the sub-domain (in my case, the sub-domain is “test.mysite.com” so you should type test)
5. In the second box select the record type which is (A record)
6. In the third box, you can leave the default value (1H)
7. In the fourth box, type in the IP address of the server (this should be the same as the IP address in www and @)
8. Now, save and test by going to the link from a browser (http://test.mysite.com). It should work like a charm!

Windows XP Write-Protection with USB Devices

One cheap and easy way for a disk acquisition without the need to buy an expensive physical write-blocker is using a USB external drive or a cable-connecting device (USB IDE/SATA external connector) along with changing the Windows Registry key to enable write-protection.

To update the registry, there are 3 tasks:

1. Backup the Registry in case something fails while modifying the keys.
2. Modify the Registry key to enable the write-protection feature.
   1.   Go to (\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet)
   2. Right-Click the Control Key -> New -> Key
   3. Type in the Key Name: StorageDevicePolicies
   4. Press Enter
   5. Right-Click the newly created key called StorageDevicePolicies -> New -> DWORD Value
   6. Type at the right side, WriteProtect
   7. Press Enter
   8. Right-Click the newly created Dword value and click on Modify
   9. Change the value from 0 to 1
   10. Click OK

NOTE: you can export the key and save it for future uses to simplify the process of updating the Registry Key and also to minimize error every time you need to write-block a USB device.

1. Save the exported Registry Files for future uses.

 

For more information, search for “USB Registry write-blocker”

 

 

Source: GCFI, ed4, Ch4

Contingency Planning for Image Acquisition

Dealing with digital evidence falls under the Murhpy’s Law: “If anything can go wrong, it will go wrong!” Therefore, investigators need to take precautions to protect the evidence. Investigators should make a duplicate of the disk-to-image file and keep the original image intact for emergencies in case if something go wrong. It is the most common and time-consuming technique for preserving an evidence.

So, the standard practice is to make at least 2 images of the collected evidence. It is also advised to create each image with a different imaging tool, if possible, such as ProDiscover, FTK, or X-Ways Forensics. If there’s only one imaging tool, it is suggested to create an image with compression and another with no compressions with tools like EnCase or ProDiscover.

Keep in mind, there are many acquisition tools that don’t copy data in the Host Protected Area (HPA) unless using a hardware acquisition tool that can access the drive at the BIOS level like ProDiscover with the NoWrite FPU write-blocker, ImageMASSter Solo, or X-Ways Replica. 

 

Source: GCFI, 4th ed, Ch4

Determining the Best Acquisition Method

In digital Forensics, there are 2 types of acquisitions: 

1. Static Acquisition: which is the preferred way to collect a digital evidence when a computer seized during police raid.
2. Live Acquisition: is the way to collect digital evidence when a computer is powered on and the suspect has been logged on to. This type is preferred when the hard disk is encrypted with a password. 

For both types, there are 4 methods of collecting data: 

1. 1.    Creating a disk-to-image file: the most common method to collect data. It allows the investigator to create on or many bit-for-bit replications of the original drive. By using this method, we can use any of the forensics tools such as ProDiscover, EnCase, FTK, X-ways, ILook, SMART, and Sleuth Kit to read the different types of disk-to-image files.
2. 2.    Creating a disk-to-disk copy: is used when disk-to-image faces hardware of software errors due to incompatibilities. It copies the entire disk to a newer disk by using any of the forensics tools such as EnCase and SafeBack. These tools can adjust the target disk’s geometry to match the original drive.
3. 3.    Creating a logical disk-to-disk or disk-to-data file: this is the preferred method with large data storage such as RAID servers. This method captures only specific files or file types of interest to the case. It is used when time is limited.
4. 4.    Creating a sparse copy of a folder or file: this method is similar to creating a logical acquisition but it also collects deleted data (unallocated). Also this method is used when an investigator doesn’t need to examine the whole drive.

To determine the appropriate acquisition method, the investigator must consider the following:

1. The size of the source disk.
2. Can you retain the source disk as an evident or must you return it to the owner?
3. Time to do perform the acquisition.
4. Location of the evidence

 

Source: GCFI, 4th ed, Ch4

Installing and compiling Python 2.7 on Centos 6.3

I would recommend python 2.7 on all local machines

I suspect everyone is already ok?

[root@apu etc]# python2.7 -V
Python 2.7.3

Instructions for python 2.7 install on windows 7, ubuntu, mac will be on another page.

Because of centos 6.3 on the cluster machines, we need both 2.6 and 2.7 to coexist there. hopefully only there.

Centos relies on python 2.6 for yum

if you install python 2.7 in any way other than the following you will destroy the system and make yum inoperable

zlib failure message may be from internal python scripts doing uncompression and they may be referring to python module files, rather than looking at links directly. Not sure.

I believe only the x86_64 zlib is needed. i.e. you don’t need 32-bit and 64-bit, but just follow these instructions. They worked on apu.0xdata.loc (192.168.1.160) on 9/28/2012

to check centos version

[root@apu etc]# cat /etc/redhat-release
CentOS release 6.3 (Final)

How to install Python 2.7.3 on CentOS 6.2 (worked for 6.3 which is 0xdata install version)

stolen from Daniel Eriksson. Thanks Daniel!

http://toomuchdata.com/2012/06/25/how-to-install-python-2-7-3-on-centos-6-2/

Posted on 2012/06/25

CentOS 6.2 ships with Python 2.6.6 and depends on that specific version. Be careful not to replace it or bad things will happen. If you need access to a newer version of Python you must compile it yourself and install it side-by-side with the system version.

Here are the steps necessary to install Python 2.7.3. The procedure is exactly the same for installing Python 3.2.3, just make sure you use the command “python3.2 setup.py install” when you install distribute.

Execute all the commands below as root. Either log in as root temporarily or use sudo.

Install development tools

In order to compile Python you must first install the development tools:

yum groupinstall "Development tools"

You also need a few extra libs installed before compiling Python or else you will run into problems later when trying to install various packages:

yum install zlib-devel
yum install bzip2-devel
yum install openssl-devel
yum install ncurses-devel

Download, compile and install Python

cd /opt
wget http://www.python.org/ftp/python/2.7.3/Python-2.7.3.tar.bz2
tar xf Python-2.7.3.tar.bz2
cd Python-2.7.3
./configure --prefix=/usr/local
make && make altinstall

It is important to use altinstall instead of install, otherwise you will end up with two different versions of Python in the filesystem both named python.

After running the commands above your newly installed Python 2.7.3 interpreter will be available as /usr/local/bin/python2.7 and the system version of Python 2.6.6 will be available as /usr/bin/python and /usr/bin/python2.6.

you can create a symbolic link in /usr/local/bin and things should be fine be careful here:

cd /usr/local/bin
ls -ltr python*
ln -s /usr/local/bin/python2.7 /usr/local/bin/python

Installing and configuring distribute (setuptools)

After installing Python 2.7.3 you also need to install distribute (setuptools) so you can easily install new packages in the right location.

cd /opt
wget http://pypi.python.org/packages/source/d/distribute/distribute-0.6.27.tar.gz
tar xf distribute-0.6.27.tar.gz
cd distribute-0.6.27
python2.7 setup.py install

The commands above will generate the script /usr/local/bin/easy_install-2.7. Use this script to install packages for your new Python version. You should be able to use “easy_install” if “which easy_install” points to the correct 2.7 versions

which easy_install
ls -ltr /usr/local/bin/easy_install*


easy_install-2.7 requests
easy_install-2.7 psutil
easy_install-2.7 paramiko

(easy_install should work too, if your PATH gets /usr/local/bin first)

etc

 

Source: https://github.com/0xdata/h2o.wiki.git