PlunderVolt: A new Vulnerability found in Intel Processors

Academics from three universities across Europe have disclosed today a new attack that impacts the integrity of data stored inside Intel SGX, a highly-secured area of Intel CPUs.

Three academics from three different universities across Europe reported a new attack that affects the integrity of data stored in the highly secured area of Intel CPUs called Intel SGX. The attack exploits the interface that controls the voltage regulation of the Intel processor; many gamers will recognize this interface, as it is the same one used to overclock their CPUs. The attack is aptly named Plundervolt.

How it works

Plundervolt only targets Intel Software Guard eXtensions (SGX). For those unfamiliar with it, Intel SGX is a powerful security feature found on all modern Intel CPUs that keeps very sensitive application data in a protected area so that other applications are unable to access it.

By using the CPU’s energy management interface, the attack is able to cause changes in SGX data just by altering the electrical voltage and frequency of the SGX memory cells. This causes bugs and faults to appear within the data and operations that SGX handles. In other words, instead of destroying data, Plundervolt sabotages output to weaken the encryption of SGX, and can even introduce errors into applications that were not there before, which an attacker can then exploit to steal data.

However, unlike other attacks, Plundervolt cannot be exploited remotely, for example by luring users to a website and then executing the attack. Plundervolt needs to run from an application on an already infected host with root or administrator privileges. A successful attack is therefore harder to achieve than with other attacks, but once an attacker has that foothold on your system, they will be able to exploit it much faster than with most other attacks.

What Intel CPUs are affected and where can we get a fix?

According to Intel, the following CPU series are vulnerable to Plundervolt attacks:

Intel® 6th, 7th, 8th, 9th & 10th generation Core™ processors

Intel® Xeon® Processor E3 v5 & v6

Intel® Xeon® Processor E-2100 & E-2200 families

Plundervolt is not something that end users should worry about. It is an attack vector of little interest to malware authors, since it is hard to automate at scale. It is, however, an attack vector that could be weaponized in targeted attacks against specially selected targets. Whether Plundervolt is a serious threat depends on each user’s threat model.

For those looking for the update that fixes this vulnerability, you may refer to the microcode and BIOS update here.

For any inquiries with regards to this vulnerability or any other security questions, you may call us at 8893-9515 and we would be happy to help you!

Security Advisory: Microsoft Alerts Customers to Patch BlueKeep Vulnerability ASAP

In case you didn’t hear, another big vulnerability, known as “BlueKeep”, was reported by Microsoft on May 14, 2019. It is a Remote Code Execution (RCE) vulnerability in Remote Desktop Services (RDS), reached over the Remote Desktop Protocol (RDP).  However, BlueKeep only affects older versions of Windows, so users of Windows 10 and 8 can rest easy.  The severity of the vulnerability has nevertheless forced Microsoft’s hand: they have made and released a security patch even for unsupported versions, and have classified this vulnerability as a critical-level threat.

This is why, as of June 4, 2019, Microsoft once again urged its customers to apply the patch as soon as possible, as more than 1 million devices are still vulnerable to the attack.  The aim is to avoid another wide-scale malware attack like the WannaCry ransomware attack back in 2017, which affected many companies and brought many business operations to a halt, most notably hospital operations.

What can you do to avoid being affected?

Microsoft has already provided the solution to BlueKeep: make sure you download the latest security patch for your corresponding OS (you can find the patches here).  You may need to reboot your servers to ensure the patch is running properly.

For Trend Micro users, specifically those who use Deep Security: if you are unable to apply the patch for other reasons, such as being unable to reboot your servers, please make sure that you apply the correct Deep Security virtual patching policy to ensure the security of your servers.  Below is the Deep Packet Inspection (DPI) rule:

  • 1009749 – Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability

You can view the official Trend Micro article on it here.

For those who are looking into a longer-term solution, you can consider solutions such as Citrix Gateway and Virtual Apps to secure your remote connections to Windows servers.

To learn more about these solutions, you can contact us at 893-9515 and we will help introduce you to different options that you have to help prevent these kinds of vulnerabilities!

Security Vulnerabilities: A Closer look at a Cyber Criminal’s Window to your System

You may be hearing more and more these days about new security vulnerabilities being discovered, and may be wondering what exactly that implies.  Simply put, a vulnerability represents the ideal opportunity for cyber criminals to infiltrate your system to compromise your data or to perform data theft.

Current data shows that these vulnerabilities will be popping up more often: 2017 was a record-breaking year for reported exploitable vulnerabilities, with almost 20,000 security flaws reported over the year.   For 2018 the data is still being tallied; however, a report from RiskBased Security has already noted that more than 10,000 vulnerabilities have been reported, including 3,000 potential flaws that enterprises have failed to patch.

To better understand vulnerabilities, our friends at Trend Micro have classified them into the following types:

Traditional vulnerability – a programming error or other type of software issue that hackers can use to sidestep password protection or other security measures and gain unauthorized access to legitimate systems. These are the most rampant type of security vulnerability.

Zero-days – brand-new software issues that have only just been identified and have not yet been patched by vendors.  As Trend Micro explained, “that’s because the vendor essentially has zero days to fix the issue or has chosen not to fix it.”

Undisclosed vulnerability – flaws that have been identified and reported, but are not yet disclosed to the public, giving vendors time to patch the issue.

So, what can you do to help address these vulnerabilities?

To help keep your enterprise safe from these vulnerabilities, Trend Micro suggests that you pay attention to current security research so that you can apply the relevant findings to your business.  Another suggestion is to keep up to date with updates and patches.  However, with the number of vendors and patches, the volume can sometimes be too much for your IT team to patch immediately.  Trend Micro suggests the following patching prioritization scheme to help ease the load on your IT team:

  • The severity of the patched issue. Microsoft and other vendors will rate vulnerabilities according to how critical they are to overall risk. More critical patches should be applied as soon as possible, whereas less critical updates can represent a lower priority.
  • Vulnerabilities impacting your enterprise’s particular key software. Similarly, updates for software systems that are used on a daily basis within the enterprise and provide essential functionality should be prioritized over other updates. A patch for software that is only intermittently used, or that only impacts a small number of users in a single department of the company, for instance, can be put on the back burner.
  • Those currently being exploited. It’s important to prioritize patches for vulnerabilities that hackers are currently using to mount attacks.
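As an added example (not part of the Trend Micro article), the PowerShell function below scores a patch backlog against the three criteria above so that the items to work on first surface at the top. The property names (Severity, KeySoftware, ActivelyExploited), the weights and the sample backlog are this example's own assumptions; the only thing taken from the article is the order of the criteria.

```powershell
# Added example, not from the Trend Micro article: rank a patch backlog by
# (3) active exploitation, (1) vendor severity, (2) importance of the software.
# Property names, weights and sample rows are assumptions made for this example.
function Get-PatchPriority {
    param([Parameter(Mandatory)][object[]]$Patches)
    # Vendor severity ratings as used by Microsoft and most other vendors
    $severityWeight = @{ Critical = 30; Important = 20; Moderate = 10; Low = 0 }
    foreach ($p in $Patches) {
        $score = 0
        # Criterion 3: anything hackers are using right now outranks everything else
        if ($p.ActivelyExploited) { $score += 100 }
        # Criterion 1: the vendor's severity rating
        if ($severityWeight.ContainsKey($p.Severity)) { $score += $severityWeight[$p.Severity] }
        # Criterion 2: software the enterprise relies on daily beats intermittently used tools
        if ($p.KeySoftware) { $score += 15 }
        $p | Add-Member -NotePropertyName Score -NotePropertyValue $score -Force -PassThru
    }
}

# Constructed sample backlog (not real advisories)
$backlog = @(
    [pscustomobject]@{ Id = 'P-1'; Software = 'Remote Desktop Services';  Severity = 'Critical';  KeySoftware = $true;  ActivelyExploited = $true  }
    [pscustomobject]@{ Id = 'P-2'; Software = 'Line-of-business ERP';     Severity = 'Important'; KeySoftware = $true;  ActivelyExploited = $false }
    [pscustomobject]@{ Id = 'P-3'; Software = 'Departmental PDF tool';    Severity = 'Critical';  KeySoftware = $false; ActivelyExploited = $false }
    [pscustomobject]@{ Id = 'P-4'; Software = 'Media player (few users)'; Severity = 'Moderate';  KeySoftware = $false; ActivelyExploited = $true  }
)

Get-PatchPriority -Patches $backlog |
    Sort-Object Score -Descending |
    Format-Table Id, Software, Severity, KeySoftware, ActivelyExploited, Score -AutoSize
```

With this sample backlog the two actively exploited patches come first regardless of severity, and the Important patch for the daily-use ERP system outranks the Critical patch for a tool only one department uses, which is exactly the trade-off the second criterion describes. Replace the constructed rows with an export from your patch management tool to apply the same ordering to a real backlog.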

To learn more, you may visit the original Trend Micro article here, visit our product page here, or you can also contact us directly at 893-9515 and we will be happy to answer your inquiries!

Security Advisory: Meltdown & Spectre Vulnerabilities

Over the past few days, you may have heard of the new vulnerabilities that have been uncovered, Meltdown and Spectre.  These vulnerabilities affect all modern processors, meaning your business machines and even personal gadgets that use these processors are affected, which puts you at risk of potential attacks.  Below is a brief explanation of what exactly Meltdown and Spectre are:

Meltdown

Meltdown is a hardware vulnerability in processors (Intel x86 microprocessors and some ARM-based microprocessors) which allows attackers to use programs to access your computer’s memory.  With this access, they are able to obtain sensitive data from other applications on your system.

Spectre

Spectre is a hardware vulnerability in modern processors which attackers can use to trick error-free programs, which follow best practices, into leaking their secrets.  The safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

However, since the vulnerabilities have been announced, so have the solutions.  Below are the steps you need to take to fix these vulnerabilities:

1. Update your Processor Firmware

Processor manufacturers have already released firmware updates to fix these vulnerabilities; however, they said that they would only be releasing updates for processors from the last 5 years.  Below are the current firmware updates you will need per vendor (note that we will add more updates as they come):

HPE

  • For ProLiant Gen10 products (except for the ProLiant DL385 Gen10), update to System ROM Version 1.28.
  • For the ProLiant DL385 Gen10 server, update to System ROM Version 1.04.
  • For ProLiant Gen9 series servers (except for the ProLiant DL20 Gen9 or ML30 Gen9), update to System ROM Version 2.54.
  • For the ProLiant DL20 Gen9 or ProLiant ML30 Gen9 server, update to System ROM Version 2.52.
  • For ProLiant Gen8 series servers, update to a System ROM version dated 12/12/2017.
  • For the ProLiant m710x server cartridge, update to System ROM Version 1.60.
  • For the ProLiant m710p server cartridges, update to the System ROM version dated 12/12/2017.

Click here and enter your HPE product to find the firmware patch you need.

Cisco

Below is a table of known Cisco products affected by the vulnerabilities.  To download the update, you will need to click on the Cisco Bug ID and log in to your Cisco account to access it.  We will be updating this table as updates become available.

Product                                                    Cisco Bug ID   Fixed Release Availability

Routing and Switching – Enterprise and Service Provider
Cisco ASR 9000 XR 64-bit Series Routers                    CSCvh32429
Cisco 800 Industrial Integrated Services Routers           CSCvh31418
Cisco NCS 1000 Series Routers                              CSCvh32429
Cisco NCS 5000 Series Routers                              CSCvh32429
Cisco NCS 5500 Series Routers                              CSCvh32429
Cisco XRv 9000 Series Routers                              CSCvh32429

Unified Computing
Cisco UCS B-Series M2 Blade Servers                        CSCvh31576     Fix pending
Cisco UCS B-Series M3 Blade Servers                        CSCvg97965     18-Feb-2018
Cisco UCS B-Series M4 Blade Servers (except B260 and B460) CSCvg97979     18-Feb-2018
Cisco UCS B-Series M5 Blade Servers                        CSCvh31577     18-Feb-2018
Cisco UCS B260 M4 Blade Server                             CSCvg98015     18-Feb-2018
Cisco UCS B460 M4 Blade Server                             CSCvg98015     18-Feb-2018
Cisco UCS C-Series M2 Rack Servers                         CSCvh31576     Fix pending
Cisco UCS C-Series M3 Rack Servers                         CSCvg97965     18-Feb-2018
Cisco UCS C-Series M4 Rack Servers (except C460)           CSCvg97979     18-Feb-2018
Cisco UCS C-Series M5 Rack Servers                         CSCvh31577     18-Feb-2018
Cisco UCS C460 M4 Rack Server                              CSCvg98015     18-Feb-2018

Dell

BIOS updates for PowerEdge Server Products

Generation   Models                   BIOS version
14G          R740, R740XD, R640       1.2.71
             R540, R440, T440         1.2.71
             T640                     1.2.71
             C6420                    1.2.71
             FC640, M640, M640P       1.2.71
             C4140                    1.0.2
             R940                     1.2.81
             T30                      1.0.12
13G          R830                     1.7.0
             T130, R230, T330, R330   2.4.1
             R930                     2.5.0
             R730, R730XD, R630       2.7.0
             C4130                    2.7.0
             M630, M630P, FC630       2.7.0
             FC430                    2.7.0
             M830, M830P, FC830       2.7.0
             T630                     2.7.0
             R530, R430, T430         2.7.0
             C6320                    2.7.0

BIOS update for Dell Datacenter Scalable Solutions (DSS)

Models                       BIOS version
DSS9600, DSS9620, DSS9630    1.2.71
DSS1500, DSS1510, DSS2500    2.7.0
DSS7500                      2.7.0

2. Checking whether your registry is compatible with your OS updates (Windows)

Some third-party anti-virus software is currently incompatible with the latest patch updates from Windows.  If you are unable to update your OS for this reason, it is recommended that you modify your registry to fix this.  However, we highly recommend that you also back up your registry before you edit it manually, as using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system.  Below is the registry value to be set:

Key:    HKEY_LOCAL_MACHINE
Subkey: SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat
Value:  cadca5fe-87d3-4b96-b7fb-a231484277cc
Type:   REG_DWORD
Data:   0x00000000

For Trend Micro users, a patch has been released for their products which sets the ALLOW REGKEY (the value above) automatically.  This, however, is not the fix for the vulnerabilities: the patch does not update your OS, it only allows the OS update to be offered, so you still have to update your OS.

Additionally, note that per Microsoft, even clients that do not have active anti-malware or security software installed may still be required to apply the specific registry key before the security patches can be obtained from Windows Update.

Product                        Updated version                                    Notes    Platform
OfficeScan                     XG (all versions including SP1) – CP 1825-4430     Readme   Windows
                               11.0 SP1 – CP 6496                                 Readme   Windows
Deep Security                  Deep Security Agent 10.0.0-2649 for Windows (U6)   Readme   Windows
                               Deep Security Agent 9.6.2-8288 for Windows         Readme   Windows
Worry-Free Business Security   9.5 CP 1447                                        Readme   Windows

3. Updating your OS (Operating System)

Below are the updates currently out for Windows OS, for both servers and desktops (this will be updated as more updates are released):

Product                                                                                 Article   Download
Windows Server, version 1709 (Server Core Installation)                                 4056892   Security Update
Windows Server 2016 (Server Core installation)                                          4056890   Security Update
Windows Server 2016                                                                     4056890   Security Update
Windows Server 2012 R2 (Server Core installation)                                       4056898   Security Only
Windows Server 2012 R2                                                                  4056898   Security Only
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)  4056894   Monthly Rollup
                                                                                        4056897   Security Only
Windows Server 2008 R2 for x64-based Systems Service Pack 1                             4056894   Monthly Rollup
                                                                                        4056897   Security Only
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1                         4056894   Monthly Rollup
                                                                                        4056897   Security Only
Windows 8.1 for x64-based systems                                                       4056898   Security Only
Windows 8.1 for 32-bit systems                                                          4056898   Security Only
Windows 7 for x64-based Systems Service Pack 1                                          4056894   Monthly Rollup
                                                                                        4056897   Security Only
Windows 7 for 32-bit Systems Service Pack 1                                             4056894   Monthly Rollup
                                                                                        4056897   Security Only
Windows 10 Version 1709 for x64-based Systems                                           4056892   Security Update
Windows 10 Version 1709 for 32-bit Systems                                              4056892   Security Update
Windows 10 Version 1703 for x64-based Systems                                           4056891   Security Update
Windows 10 Version 1703 for 32-bit Systems                                              4056891   Security Update
Windows 10 Version 1607 for x64-based Systems                                           4056890   Security Update
Windows 10 Version 1607 for 32-bit Systems                                              4056890   Security Update
Windows 10 Version 1511 for x64-based Systems                                           4056888   Security Update
Windows 10 Version 1511 for 32-bit Systems                                              4056888   Security Update
Windows 10 for x64-based Systems                                                        4056893   Security Update
Windows 10 for 32-bit Systems                                                           4056893   Security Update
Microsoft SQL Server 2017 for x64-based Systems (CU)                                    4058562   Security Update
Microsoft SQL Server 2017 for x64-based Systems                                         4057122   Security Update
Microsoft SQL Server 2016 for x64-based Systems Service Pack 1 (CU)                     4058561   Security Update
Microsoft SQL Server 2016 for x64-based Systems Service Pack 1                          4057118   Security Update

4. Updating your browsers

The last step is to make sure that your internet browser is patched to the latest version.  Below are a few of the most used browsers and the versions they need to be updated to:

Mozilla – Firefox 57.0.4

Internet Explorer/Microsoft Edge – Included in the latest security update of Windows KB4056890 (OS Build 14393.2007)
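As an added example (not from the original advisory, nor from Microsoft or Trend Micro), the PowerShell script below audits the Windows-side items of steps 2 to 4 above on the machine it runs on: whether the QualityCompat value is set, whether one of the KBs listed in step 3 for this OS is installed, and whether Firefox is at least 57.0.4. The registry value, KB numbers and Firefox version are taken from the tables above; the function names, the ReleaseId-based matching of Windows 10 / Server builds to KBs, and the treatment of a missing result are this example's own assumptions. It only reads; it does not change the registry or install anything.

```powershell
# Added example, not part of the advisory: read-only audit of steps 2-4 above.
# Run in a (preferably elevated) PowerShell prompt on the host being checked.
# KB numbers, registry value and Firefox version are from the tables above;
# everything else (function names, build matching) is this example's assumption.

# Step 2: the QualityCompat value Windows Update looks for before offering the update.
function Test-QualityCompatKey {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $name = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }        # key or value missing
    return ([int]$item.$name -eq 0)               # must be REG_DWORD 0x00000000
}

# Step 3: the KB(s) from the table above that apply to this host.
# Windows 10 and Windows Server 2016 / version 1709 are told apart by ReleaseId
# (1709, 1703, 1607, 1511); the original Windows 10 release carries no ReleaseId.
function Get-ExpectedKb {
    $caption   = (Get-CimInstance Win32_OperatingSystem).Caption
    $releaseId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
    if ($caption -match 'Windows 10|Windows Server') {
        switch ($releaseId) {
            '1709' { return @('KB4056892') }
            '1703' { return @('KB4056891') }
            '1607' { return @('KB4056890') }      # also Windows Server 2016
            '1511' { return @('KB4056888') }
        }
    }
    if ($caption -match 'Windows 10')                  { return @('KB4056893') }
    if ($caption -match 'Server 2012 R2|Windows 8\.1') { return @('KB4056898') }
    if ($caption -match 'Server 2008 R2|Windows 7')    { return @('KB4056894', 'KB4056897') }  # rollup or security-only
    return @()                                         # OS not in the table above
}

function Test-OsUpdateInstalled {
    $expected = @(Get-ExpectedKb)
    if ($expected.Count -eq 0) { return $null }   # unknown OS: check manually
    $installed = (Get-HotFix).HotFixID
    foreach ($kb in $expected) {
        if ($installed -contains $kb) { return $true }
    }
    # A later cumulative update supersedes these KBs without listing them, so read
    # $false as "verify against the current OS build", not as "definitely unpatched".
    return $false
}

# Step 4: Firefox must be 57.0.4 or later; IE and Edge are covered by the OS update.
function Test-FirefoxVersion {
    $candidates = @("$env:ProgramFiles\Mozilla Firefox\firefox.exe",
                    "${env:ProgramFiles(x86)}\Mozilla Firefox\firefox.exe")
    $exe = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $exe) { return $null }               # Firefox not installed
    # Strip any non-numeric suffix (e.g. beta tags) before comparing as a version
    $raw = (Get-Item $exe).VersionInfo.ProductVersion -replace '[^0-9.].*$', ''
    return ([version]$raw -ge [version]'57.0.4')
}

[pscustomobject]@{
    QualityCompatKeySet  = Test-QualityCompatKey
    OsUpdateExpected     = (@(Get-ExpectedKb) -join ', ')
    OsUpdateInstalled    = Test-OsUpdateInstalled
    FirefoxAtLeast57_0_4 = Test-FirefoxVersion
} | Format-List
```

A blank OsUpdateInstalled or FirefoxAtLeast57_0_4 field means the check did not apply (OS not in the table, or Firefox not installed), which is deliberately distinct from a false result. Step 1 (processor firmware) is vendor-specific and is not covered by this script; use the HPE, Cisco and Dell tables above for that.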


Again, more updates will be posted as soon as fixes are released by the respective vendors.  If you need more details or help implementing the vendors’ solutions, please contact us at 893-9515 and we will do our utmost to help!