Resolution:
Please refer to the below link and navigate to the “Resolution” section for further assistance on the same:
https://knowledge.digicert.com/alerts/ALERT2566.html
2) Cisco Denial of Service Vulnerability
Security researchers at Cisco have revealed the existence of a zero-day vulnerability (CVE-2018-15454) affecting products that run the Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.
Cisco discovered the vulnerability while analyzing support cases. This vulnerability affects Cisco ASA Software Release 9.4 and later, and Cisco FTD Software Release 6.0 and later, only if Session Initiation Protocol (SIP) inspection is enabled and the software is running.
This vulnerability could allow an unauthenticated remote attacker to reload or trigger high CPU on affected devices, resulting in a denial of service (DoS) condition.
Vulnerability Description:
The vulnerability resides in the SIP inspection engine of ASA and FTD software and has occurred due to improper handling of the SIP traffic. An attacker could exploit this vulnerability by sending multiple SIP requests, designed to specifically trigger this issue, at a high rate across an affected device.
While the vulnerability is being actively exploited, the output of “show conn port 5060” will show a large number of incomplete SIP connections, and the output of “show processes cpu-usage non-zero sorted” will show high CPU utilization.
Successful exploitation of this vulnerability can also result in the affected device crashing and reloading. After the device boots up again, the output of the “show crashinfo” command will display an unknown abort of the DATAPATH thread. Customers should reach out to Cisco TAC with this information to determine whether the particular crash was related to exploitation of this vulnerability.
Remediation/Mitigation Options:
Option 1:
Block traffic from the specific source IP address seen in the connection table using an access control list (ACL). After applying the ACL, make sure to clear existing connections for that source using the “clear conn address <ip_address>” command in EXEC mode. Alternatively, the offending host can be shunned using the “shun <ip_address>” command in EXEC mode. This blocks all packets from that source IP without the need for a configuration change. However, please be aware that a shun does not persist across a reboot.
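Identifying the offending source for Option 1 means aggregating the “show conn port 5060” output described above by source IP. The following Python script is an added example (not part of this advisory or Cisco's own tooling) that parses constructed sample lines of that output, counts per-source connections that are not fully established, and emits the shun command from Option 1 for any source above a threshold. The line layout and the use of the ASA “U” (up) flag to tell established from incomplete connections are assumptions for the sample; the threshold is arbitrary and should be tuned to the environment.

```python
import re
from collections import Counter

# Constructed sample of "show conn port 5060" output (not captured from a real
# device). Assumed line shape: proto, interface, ip:port, interface, ip:port,
# idle time, byte count, connection flags.
SAMPLE_SHOW_CONN = """\
TCP outside 203.0.113.77:40211 inside 10.10.1.5:5060, idle 0:00:01, bytes 0, flags saA
TCP outside 203.0.113.77:40212 inside 10.10.1.5:5060, idle 0:00:01, bytes 0, flags saA
TCP outside 203.0.113.77:40213 inside 10.10.1.5:5060, idle 0:00:00, bytes 0, flags saA
TCP outside 203.0.113.77:40214 inside 10.10.1.5:5060, idle 0:00:00, bytes 0, flags saA
TCP outside 198.51.100.9:51000 inside 10.10.1.5:5060, idle 0:02:11, bytes 1842, flags UIO
TCP outside 198.51.100.9:51001 inside 10.10.1.5:5060, idle 0:00:04, bytes 0, flags saA
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+):\d+\s+"
    r"\S+\s+(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+),.*flags\s+(?P<flags>\S+)"
)


def parse_conn_table(text):
    """Yield (source_ip, flags) for each parsable SIP (port 5060) connection line."""
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m and m.group("dport") == "5060":
            yield m.group("src"), m.group("flags")


def incomplete_sip_sources(text, threshold):
    """Count incomplete connections per source and return those at or above threshold.

    Assumption: a TCP connection is incomplete when its flag string lacks 'U'
    (the ASA 'up' flag); a half-open handshake shows flags such as 'saA'.
    """
    counts = Counter(src for src, flags in parse_conn_table(text) if "U" not in flags)
    return {src: n for src, n in counts.items() if n >= threshold}


def containment_commands(sources):
    """Build the Option 1 EXEC command (shun) for each flagged source, sorted for review."""
    return [f"shun {src}" for src in sorted(sources)]


if __name__ == "__main__":
    flagged = incomplete_sip_sources(SAMPLE_SHOW_CONN, threshold=3)
    for cmd in containment_commands(flagged):
        print(cmd)
```

With the sample above, only 203.0.113.77 (four half-open connections) crosses the threshold; 198.51.100.9 has one established and one incomplete connection and is left alone. Because a shun does not survive a reboot, the ACL route from Option 1, followed by “clear conn address”, is the persistent form of the same block.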
Option 2:
Disabling SIP inspection completely closes the attack vector for this vulnerability. However, it may not be suitable for all customers. In particular, disabling SIP inspection would break SIP connections if NAT is applied to SIP traffic or if not all ports required for SIP communication are opened via an ACL.
To disable SIP inspection, configure the following:

  • Cisco ASA Software and Cisco FTD Software Releases 6.2 and later (in FTD 6.2 and later, use Cisco FMC to add the following via a FlexConfig policy):
    policy-map global_policy
     class inspection_default
      no inspect sip
  • Cisco FTD Software Releases prior to 6.2:
    configure inspection sip disable

Option 3:
In many cases, the offending traffic has been found to have the Sent-by Address set to the invalid value of 0.0.0.0. If an administrator confirms that the offending traffic shows the same pattern in their environment (e.g. confirmed via packet capture), the following configuration can be applied to prevent the crash:

regex VIAHEADER "0.0.0.0"
policy-map type inspect sip P1
 parameters
 match message-path regex VIAHEADER
  drop
policy-map global_policy
 class inspection_default
  no inspect sip
  inspect sip P1

In FTD 6.2 and later, use Cisco FMC to add this configuration via FlexConfig policy.
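Option 3 depends on first confirming, from a packet capture, that the offending requests carry a Via sent-by address of 0.0.0.0. The following Python snippet is an added example (not part of this advisory or of Cisco's configuration) that extracts the sent-by host from every Via hop of a SIP request and flags the invalid value; the two SIP messages are constructed samples, not captured traffic.

```python
import re

# Constructed SIP INVITE whose topmost Via carries the invalid sent-by 0.0.0.0.
SAMPLE_INVITE_BAD = (
    "INVITE sip:100@10.10.1.5 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:scan@0.0.0.0>;tag=1\r\n"
    "To: <sip:100@10.10.1.5>\r\n"
    "Call-ID: abc@0.0.0.0\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed legitimate INVITE with two Via hops (long and compact header forms).
SAMPLE_INVITE_OK = (
    "INVITE sip:100@10.10.1.5 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.9:5060;branch=z9hG4bK-2\r\n"
    "v: SIP/2.0/TCP 198.51.100.10;branch=z9hG4bK-3\r\n"
    "From: <sip:alice@198.51.100.9>;tag=2\r\n"
    "To: <sip:100@10.10.1.5>\r\n"
    "Call-ID: def@198.51.100.9\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Sent-by host follows "SIP/2.0/<transport>" and ends at a port, parameter or space.
VIA_HOP_RE = re.compile(r"\s*SIP/2\.0/\S+\s+([^;\s:]+)")
# Dots are escaped so only the literal address 0.0.0.0 matches.
INVALID_SENT_BY = re.compile(r"^0\.0\.0\.0$")


def via_sent_by(message):
    """Return the sent-by host of every Via hop, in header order.

    Header names compare case-insensitively and 'v' is the compact form of 'Via'
    (RFC 3261); one header line may list several hops separated by commas.
    """
    head = message.split("\r\n\r\n", 1)[0]
    hosts = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in ("via", "v"):
            continue
        for hop in value.split(","):
            m = VIA_HOP_RE.match(hop)
            if m:
                hosts.append(m.group(1))
    return hosts


def has_invalid_via(message):
    """True when any Via hop's sent-by address is 0.0.0.0, the pattern Option 3 drops."""
    return any(INVALID_SENT_BY.match(h) for h in via_sent_by(message))


if __name__ == "__main__":
    for label, msg in (("bad", SAMPLE_INVITE_BAD), ("ok", SAMPLE_INVITE_OK)):
        print(label, via_sent_by(msg), has_invalid_via(msg))
```

Note the difference in precision: the Python pattern escapes its dots, so it matches only the literal address, whereas in the ASA regex “0.0.0.0” an unescaped dot matches any single character, so the inspection policy above is slightly broader than a literal match. That is one more reason to confirm the pattern from a capture before applying Option 3.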
3) Windows Zero-Day Vulnerability
The zero-day, known as CVE-2018-8589, resides in the Windows Win32k component. Microsoft classifies the issue as a “Privilege Escalation” vulnerability. Before an attacker can use this zero-day to gain elevated privileges, they first need a way to compromise the system and run malicious code on it using other exploits.
An attacker who successfully exploits this vulnerability could install programs; view, change or delete data; or create new accounts on the affected system(s) with full user rights.
Highlights of the Latest Microsoft Patch Tuesday
Microsoft fixed 64 vulnerabilities with the release of its security updates for November, of which 12 were labelled as “Critical”. During the previous month, Microsoft patched CVE-2018-8453, a zero-day that had been used by a state-backed cyber-espionage group known as FruityArmor.
The first of the publicly disclosed vulnerabilities, CVE-2018-8584, is an Elevation of Privilege vulnerability involving Advanced Local Procedure Call. Another public vulnerability (CVE-2018-8566) is a BitLocker Security Feature Bypass vulnerability, which requires the attacker to gain physical access to the target system.
Microsoft’s Chakra JavaScript engine, which is generally used in Microsoft Edge web browser, also had its own updates, where eight critical vulnerabilities were addressed, including CVE-2018-8588, a Chakra Scripting Engine Memory Corruption bug.
Recommendations:

  • Install patches and updates for devices via the path recommended by the vendor.
  • Run software/tools with least privileges while still maintaining functionality.
  • Avoid handling files from unknown sources.
  • Block external access to the network perimeter unless required.

As always, at Help AG, we’re here to help you protect against these and any other cyber threats, so please reach out to us for all your cyber security needs.
Blog By:
Shaikh Azhar, Cyber Security Analyst at Help AG