Introduction

SonicWall recently disclosed that its firewall appliances contain vulnerabilities within the code utilized for remote management.

Technical Information

To exploit the vulnerability an attacker would need access to the firewall’s remote management interface. Tier1Net’s standard supported configuration mitigates this vulnerability by blocking all public access to a firewall’s management interface. Furthermore, SonicWall has stated that it has not received any reports of this vulnerability being actively exploited.

Steps Taken by Tier1Net

Tier1Net has identified all impacted firewalls within its customer and cloud networks and will be deploying patches once internal testing is complete.

Further Information

To view SonicWall’s vulnerability notification please visit: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0009

Google recently announced a zero-day vulnerability in its Chrome web browser and stated that the vulnerability is being actively exploited in the wild. At this time Google has provided very limited technical detail on the exact nature of the vulnerability, but reports indicate that if successfully exploited it could allow an attacker to remotely run arbitrary code on a PC.

As a result, Tier1Net has run a script to update all instances of Google Chrome on Tier1Net-managed PCs that are susceptible to this vulnerability.

Regardless, it is highly recommended to verify that your PC’s instance of Google Chrome is running version 72.0.3626.121.

For more information on checking Google Chrome’s version and updating it please click here

Introduction

Details of a critical vulnerability affecting Microsoft Exchange 2013 and 2016 servers were recently discovered and made public. If successfully exploited, this vulnerability would allow an attacker to gain Domain Admin permissions within a company’s Active Directory infrastructure, allowing nearly unrestricted access to a compromised server. At this time Microsoft has not released a patch for this vulnerability. Tier1Net customers that have implemented Tier1Net’s Cisco Umbrella Secure DNS and/or Duo Authentication services have greatly reduced exposure to this vulnerability.

Technical Information

In order to successfully exploit this vulnerability an attacker would first need to obtain the credentials of an existing mailbox on the targeted Exchange server. This can be accomplished via phishing or credential stuffing, where an attacker uses credentials breached from one service to gain access to another. Once an attacker has access to a mailbox on the Exchange server, they can combine three known vulnerabilities to elevate the compromised account’s permissions to those of a Domain Admin. A Domain Admin has full access to an Exchange server and can perform tasks such as resetting passwords and creating or deleting mailboxes.

Steps Being Taken by Tier1Net

Due to Tier1Net’s expertise and emphasis on cybersecurity, many of its customers are already protected from this latest vulnerability. Furthermore, Tier1Net deploys multiple security layers to its own internal and hosted infrastructure as well as to client-supported networks, greatly reducing the risk posed by any single vulnerability. To further reduce customer exposure, Tier1Net will be deploying a Microsoft-supported mitigation tool to all managed and hosted Exchange servers.

Additional Information

https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
https://nakedsecurity.sophos.com/2019/01/30/privilege-escalation-vulnerability-uncovered-in-microsoft-exchange/
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8581

A vulnerability in the WPA2 WiFi security protocol, discovered several months ago, was made public earlier today. The vulnerability, named KRACK, affects the underlying WPA2 protocol itself, so all devices that connect to a WiFi network are potentially vulnerable. This includes mobile phones, laptops and IoT devices (e.g., Alexa, Nest, etc.). To exploit the vulnerability a third party would need to be within range of the wireless network to which a device is connected. If exploited, the vulnerability would allow a third party to intercept and read traffic originating from a device and potentially inject malicious code into that traffic. However, the third party would NOT be able to read or inject code into traffic sent over a separately encrypted session, such as an HTTPS-secured website or a VPN connection. Furthermore, though the vulnerability has been made public, exploit code for it has not, so there is little risk of widespread attacks.

Vendors were alerted to this vulnerability when it was first discovered in August, and some have already released patches. Apple and Microsoft devices are much less likely to be exploited due to the way in which they implement the WPA2 protocol. Both have also issued statements that they have already patched the issue within their respective operating systems. Google has acknowledged it is aware of the issue but will not have a patch for its Android OS for several weeks. Tier1Net is currently working with its WiFi vendor partners to obtain and deploy patches to wireless access points as they become available.

In the meantime, Tier1Net recommends avoiding public WiFi hotspots unless your device is running the latest version of its operating system with all applicable security patches installed. For a full list of vendors and their patch release dates, please see: http://www.kb.cert.org/vuls/id/228519

For more information or assistance please contact Tier1Net Support at 781-935-8050 or at HELP@TIER1NET.NET.

Apple has recently discontinued support for QuickTime for Windows. Starting in mid-April, Apple will no longer release critical security updates for this software.

Unsupported software is exposed to outside threats and poses a significant security risk, as illustrated by the discovery of two critical vulnerabilities affecting QuickTime for Windows that Apple will not patch.

To address these critical vulnerabilities, and in accordance with cybersecurity best practices, Tier1Net will be proactively uninstalling QuickTime for Windows on all PCs within our clients’ networks.

Affected clients have already been notified of this pending action.

To learn more about Apple’s discontinued support for QuickTime for Windows, please see https://www.us-cert.gov/ncas/alerts/TA16-105A.

If you have any questions, please contact our office at (781)935-8050.

On Tuesday, February 16th, Google posted a blog outlining a vulnerability in glibc (the GNU C library), which is used in many products and leaves those products open to remote exploitation. The vulnerability, identified as CVE-2015-7547, is similar to Heartbleed and Shellshock in the scope of affected systems, but is less serious because it is significantly more difficult to exploit.

Successful exploitation relies on the potential victim communicating with a hostile or malicious DNS server, or being subject to a man-in-the-middle attack. Nevertheless, the industry considers the vulnerability critical since it can lead to remote exploitation of the client system.

This vulnerability is being seen across the industry, and Dell SonicWALL is working quickly to provide a hot-fix and patch to ensure continued protection for the Dell SonicWALL SRA/SMA Series.

For Tier1net customers using Dell SonicWALL SSLVPN SRA Appliances:

•  All SRA firmware versions prior to 8.1.0.1-11sv for the SRA 4600/1600/Virtual Appliance and prior to 8.0.0.4-25sv for the SRA 4200/1200 are affected.
•  Action: Tier1Net will open trouble tickets for all impacted customers and install the Dell SonicWALL patch to resolve this vulnerability.

If you also have Dell SonicWALL firewalls deployed, please note: the Dell SonicWALL threat research team published an Intrusion Prevention Service (IPS) signature on Tuesday, February 16th that automatically updated all customer systems running IPS worldwide, protecting networks behind these firewalls within 12 hours of identification. Dell SonicWALL firewalls themselves are not susceptible to the glibc buffer overflow vulnerability.

Full details about the vulnerability and protection can be found in this SonicAlert article.

Read the “How Dell SonicWALL Guards Against the Glibc Vulnerability” blog post by Ken Dang of SonicWALL.

Dell recently notified Tier1Net of a security vulnerability within the Dell Foundation Services software that runs on Dell PCs and laptops. It could allow a man-in-the-middle attacker to decrypt sensitive data transmitted from a PC or laptop running the Dell Foundation Services software.

As part of Tier1Net’s standard pre-configuration process, Dell Foundation Services is removed by default, so Tier1Net customers’ risk of exposure should be minimal. For the few client machines that still have the software installed, Tier1Net will run a tool to remove the vulnerability.

Dell has issued a statement apologizing for the oversight and will not install the certificate in question (eDellRoot) on any future machines.

For more on Dell’s statement, read below:

“Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability. The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system.  The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process. We have posted instructions to permanently remove the certificate from your system here. We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward.”

Read more here: http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/11/23/response-to-concerns-regarding-edellroot-certificate

A cyberattack against JPMorgan Chase last summer, which affected 76 million households, could have been prevented by a simple security fix, experts say.

Had JPMorgan Chase implemented TWO-FACTOR AUTHENTICATION on all of its servers, the breach would likely not have occurred. From Dealbook at the New York Times:

“Most big banks use a double authentication scheme, known as two-factor authentication, which requires a second one-time password to gain access to a protected system. But JPMorgan’s security team had apparently neglected to upgrade one of its network servers with the dual password scheme, the people briefed on the matter said. That left the bank vulnerable to intrusion.”

Two-factor authentication adds a second layer of authentication to the login procedure, beyond the username/password combination. This second layer makes it significantly more difficult for attackers to remotely access your data.

Two-factor authentication can be established in many ways, but the basic principle is to combine 1. SOMETHING YOU KNOW (like a username/password combination) with 2. SOMETHING YOU HAVE (like a key fob, mobile phone, or biometric fingerprint).

Tier1Net recommends implementing two-factor authentication on all publicly accessible remote access portals. The SonicWALL SRA appliance used by many Tier1Net customers has this capability bundled into its standard operating system. This feature, known as ONE-TIME PASSWORD or OTP, works by challenging an already authenticated user with a request for a second password. The second password is sent from the appliance to the user via text message. Upon each subsequent login, the user receives a different one-time password.
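As an added illustration (not SonicWALL’s code and not from the original post), the following Python sketch shows the server-side logic behind a text-message one-time-password challenge like the one described: a fresh random code is issued only after the first factor has succeeded, expires after a short window, can be used once, is limited to a few guesses, and is compared in constant time. The SMS gateway is a hypothetical callable supplied by the caller; the five-minute lifetime and three-guess limit are constructed values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # constructed: a challenge is valid for five minutes
MAX_ATTEMPTS = 3        # constructed: wrong answers allowed before the challenge is discarded


@dataclass
class Challenge:
    """State held server-side for one pending second-factor challenge."""
    code: str
    expires_at: float
    attempts: int = 0


class OtpSecondFactor:
    """Issues and checks one-time passwords once the first factor has succeeded."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # hypothetical gateway: callable(phone_number, message)
        self._clock = clock         # injectable so expiry can be tested without waiting
        self._pending = {}          # username -> Challenge

    def issue(self, username, phone_number):
        # A fresh, unpredictable six-digit code for every login; never reused.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = Challenge(code, self._clock() + OTP_TTL_SECONDS)
        self._send_sms(phone_number, f"Your one-time password is {code}")

    def verify(self, username, submitted):
        challenge = self._pending.get(username)
        if challenge is None:
            return False                        # nothing issued, or already consumed
        if self._clock() > challenge.expires_at:
            del self._pending[username]         # stale codes are never accepted
            return False
        challenge.attempts += 1
        # Constant-time comparison: a wrong guess must not reveal how many digits matched.
        ok = hmac.compare_digest(challenge.code, submitted)
        if ok or challenge.attempts >= MAX_ATTEMPTS:
            del self._pending[username]         # single use, and a cap on guessing
        return ok
```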

Tier1Net has recently been deploying all new SonicWALL SRAs with this secure configuration by default, and strongly recommends enabling it on all production appliances currently configured for single-factor authentication.

Thanks and Happy Holidays!

Tier1Net

Read More: http://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-identified/

The POODLE vulnerability, or “Padding Oracle On Downgraded Legacy Encryption”, is a new security threat found within existing, though outdated, encryption technology.

This vulnerability is not as threatening as Heartbleed or Shellshock, which could both be exploited via direct attack vectors. POODLE requires a man-in-the-middle position in order to be exploited.

Unfortunately this vulnerability does not have a single solution or patch, but rather multiple methods of reducing exposure. Experts at Google, Microsoft, Mozilla and others have all posted possible methods of mitigating the POODLE vulnerability.

Tier1Net is actively following all POODLE developments and will release a more detailed notice with information regarding the vulnerability and steps that can be taken to reduce exposure.

POODLE exposes a vulnerability in an outdated, but still used, web encryption protocol, SSL 3.0. Modern web browsers are designed to prefer the newer TLS protocol when accessing a service secured via SSL/TLS, but most browsers will still accommodate SSL 3.0 if the host or client demands it. SSL 3.0 traffic, however, exposes a weakness that allows attackers to decrypt data sent between the client and server.

It would not be easy to exploit this vulnerability, however. “The conditions that are required for the attack to be applicable are hard to obtain,” said Itsik Mantin, director of security research at Imperva. “In particular, the attacker needs to become a man-in-the-middle between the attacked client and server, and to generate, block and modify client messages to the server and vice versa.” An attacker could then theoretically force the host/client connection to “fall back” to SSL 3.0, where the attacker could potentially access data. An attack such as this would most likely occur on an unsecured public network, such as a Wi-Fi network at an airport.

In order to safeguard against POODLE, SSL 3.0 fallback must be blocked at all levels. Due to the scope and complexity of possible SSL 3.0 usage, a permanent blocking solution has not yet been agreed upon. Blocking SSL 3.0 prematurely could break many existing websites, potentially preventing users from accessing a client’s own site and preventing employees from accessing business-critical sites.
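Added example (not from the original notice and not any vendor’s code) simulating, in Python, the version fallback the notice describes and the two defences that block it: a client that refuses to retry at SSL 3.0 at all, and the TLS_FALLBACK_SCSV signal from RFC 7507, which a client adds to a retried handshake so a server that speaks something newer can reject the downgrade with an inappropriate_fallback alert. No real TLS records are exchanged; the cipher-suite placeholder and the `dropped` set (handshakes that never complete) are constructed inputs.

```python
from enum import IntEnum


class Version(IntEnum):
    SSL_3_0 = 0x0300
    TLS_1_0 = 0x0301
    TLS_1_1 = 0x0302
    TLS_1_2 = 0x0303


# Signalling cipher suite value from RFC 7507: a client appends it when it retries
# a handshake at a version lower than the highest it supports.
TLS_FALLBACK_SCSV = 0x5600
PLACEHOLDER_SUITE = 0x002F   # constructed stand-in for a real cipher list


class Server:
    def __init__(self, supported):
        self.supported = set(supported)

    def handshake(self, client_version, cipher_suites):
        """RFC 7507 server-side check; returns (accepted, Version or alert name)."""
        if TLS_FALLBACK_SCSV in cipher_suites and client_version < max(self.supported):
            # The client says it is retrying lower, yet this server speaks something
            # newer: a downgrade is happening on the path, so refuse the connection.
            return False, "inappropriate_fallback"
        usable = [v for v in self.supported if v <= client_version]
        if not usable:
            return False, "protocol_version"
        return True, max(usable)              # normal in-protocol negotiation


def connect(server, client_versions, dropped, send_scsv, allow_ssl3):
    """Client-side 'fallback dance': offer the highest version first. A handshake
    whose version is in `dropped` never gets a reply (the blocking intermediary
    the notice describes), which legacy clients took as a cue to retry one version
    lower. Returns the negotiated Version, or None if no connection was made."""
    for attempt, version in enumerate(sorted(client_versions, reverse=True)):
        if version == Version.SSL_3_0 and not allow_ssl3:
            return None                       # defence 1: never retry at SSL 3.0
        suites = [PLACEHOLDER_SUITE]
        if send_scsv and attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)  # defence 2: mark the retry for the server
        if version in dropped:
            continue
        accepted, result = server.handshake(version, suites)
        return result if accepted else None   # an alert is fatal; no further retries
    return None
```

With both defences off, blocking the TLS handshakes lands the legacy client on SSL 3.0; with either defence on, the connection fails instead of degrading, while a server whose newest version really is TLS 1.0 still accepts a marked retry at that version.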

Tier1Net is actively following all recommendations and will keep its clients apprised of new developments.

https://www.openssl.org/news/secadv_20141015.txt

https://threatpost.com/new-poodle-ssl-3-0-attack-exploits-protocol-fallback-issue/108844

http://www.pcworld.com/article/2834015/security-experts-warn-of-poodle-attack-against-ssl-30.html

Dell SonicWALL has identified multiple LDAP authentication vulnerabilities that are exposed when SonicOS is configured to use Microsoft Active Directory/LDAP to authenticate AD/LDAP users who are members of SonicWALL administrator groups. Tier1Net’s infrastructure is not exposed to this vulnerability. However, to mitigate possible future exposure, Tier1Net will be performing firmware updates on all Dell SonicWALL firewalls within its network infrastructure.

If you have questions or concerns about this matter, please contact Tier1Net.