Infosec roundup #5
2017 was a busy year, and one week into 2018 we have already seen some stunning new attack vectors take shape. I hope you all had a good break, because it’s already shaping up to be a busy year for defending your digital turf.
So without further ado, let’s get into 2018 and pull apart the first week.
CVE(s) of the Week
There is so much comment and hyperbole available via the usual channels that I feel no need to harp on about it here.
I will say though, that I’ve been impressed at the cooperation of public organizations, individuals, and private enterprises to work around this issue.
With such a big, juicy, technically alluring set of bugs to play with this week though, it is easy to miss the forest for the trees.
So, here are my picks of the 199 other disclosures you might have missed over the holidays…
- The IOHIDeous zero day was fully disclosed by an independent researcher in the last hours of 2017 — it allows a local unprivileged attacker to read and write kernel memory. The author demonstrates a KASLR bypass, with source, and ultimately gains a root shell. It is a comprehensive write-up.
- IBM’s X-Force Ethical Hacking Team discovered that some versions of their Tivoli Key Lifecycle Manager (TKLM) are both vulnerable to CSRF and storing secrets with weak crypto.
- Microsoft Edge browser saw 15 reports, some self-identified, some via external research. One such example involves an escalation of privilege while identifying incorrect Cross-Origin Policy enforcement.
- 2 VMware Workstation vulnerabilities: one allowing execution on locked workstations, the other allowing guest privilege escalation to SYSTEM.
Your card data is important
Thankfully, it has been a relatively small week for breaches; however, some interesting revelations were aired in late 2017, with Forever 21 confirming that they had found some of their POS terminals infected with malware, allowing attackers to ‘switch off’ encryption (probably turning off drive encryption) and walk away with credit card track data.
Additionally, Forever 21 stores have a device that keeps a log of completed payment card transaction authorizations. When encryption was off, payment card data was being stored in this log.
It is common to have centralised transaction authorisation logs in stores with many POS terminals. Having such logs is an important part of traceability in dispute scenarios, and for forensic teams in fraud or theft cases such as this.
However, the PCI Data Security Standard is very strict about encrypting or obfuscating PAN data at rest, as well as operational auditing. So this is not a great scenario to have played out. I really feel for all involved here.
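The PCI requirement above (PAN rendered unreadable wherever it is stored) is easy to check for in exactly the kind of authorisation log described. The following is an added example, not code from this post or from any retailer’s systems: it masks a PAN the way a compliant log entry would, and scans constructed log lines for cleartext card numbers (Luhn-validated) and magnetic-stripe track data. The log format and field names are assumptions.

```python
import re

# Runs of 13-19 digits, optionally space/dash separated, as a cleartext PAN would appear.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 ("%B<PAN>^NAME^...") and Track 2 (";<PAN>=<YYMM>...") magnetic-stripe layouts.
TRACK_RE = re.compile(r"%B\d{13,19}\^[^^]*\^|;\d{13,19}=\d{4}")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum (every real PAN does)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits only, the common PCI-acceptable display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(line: str) -> list:
    """Return Luhn-valid card numbers that appear unmasked in one log line."""
    found = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def scan_auth_log(lines) -> list:
    """Return (line_no, reason) for each line exposing track data or a cleartext PAN."""
    findings = []
    for n, line in enumerate(lines, 1):
        if TRACK_RE.search(line):
            findings.append((n, "track data"))
        elif find_cleartext_pans(line):
            findings.append((n, "cleartext PAN"))
    return findings


# Constructed sample of a store-side authorisation log (hypothetical format).
SAMPLE_LOG = [
    "2017-11-14 12:01:07 term=07 auth=APPROVED pan=411111******1111 amt=42.10",
    "2017-11-14 12:03:19 term=07 auth=APPROVED pan=4111111111111111 amt=19.99",
    "2017-11-14 12:05:40 term=03 auth=DECLINED track=;4111111111111111=2212101?",
    "2017-11-14 12:06:02 term=03 auth=APPROVED ref=0000123456789012 amt=5.00",
]
```

Only the second and third lines are flagged: the masked entry and the 16-digit reference number (which fails the Luhn check) pass, which is what keeps the scan usable on real log volumes.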
With KPTI, KAISER, KASLR, Kernel rewrites and the causative Intel, AMD and ARM chip issues out there — I was saved from repeating myself in this section, with this tweet from LiveOverflow today:
For the uninitiated, an FPGA is a type of integrated circuit that allows ‘field reprogramming’. They are chips that are capable of becoming any circuit, restricted only by how many logic blocks are available on the chip to satisfy the circuit design. Clearly it’s useful, but for what?
One of the areas in which chips that can be told to redesign themselves are very useful is in accelerating activities like machine learning, or high frequency financial trading systems.
The researchers pick apart side channel information yielded by the Spartan 6 FPGA to ultimately show that it is possible to quietly integrate Trojans into them. I’ll leave it to your imagination what that ultimately means in shared computing environments.
“This opens a new door to integrate hardware Trojans in applications where the FPGA is remotely accessible and FPGA-based multi-user platforms where the reconfigurable resources are shared among different users.”
The research paper is not for the faint of heart, but if you’re into the physics of microelectronic engineering — you might like a read.
I’ll leave it there for this week, thanks for reading! I sincerely hope your 2018 is filled with fun and enjoyment.
Before I go, I’ll leave you with my favourite quote from the Linux kernel mailing list this week:
“And yes, paravirtualization is evil.” — Linus Torvalds