Microsoft fixes under-attack Windows zero-day Follina
Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs
Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.
Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.
Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.
Since May, malware operators, including state-sponsored gangs, have used Follina to menace or compromise organizations, including US and European government agencies; to spread the data-stealing Qbot malware; and to delete data and install banking trojans, among other illicit activities.
"The update for this vulnerability is in the June 2022 cumulative Windows Updates," Redmond said in today's Follina security update.
"Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action."
In addition to mitigating Follina, Microsoft plugged three critical RCE flaws and said none of them have been exploited.
The most severe of the three (CVE-2022-30136), which received a 9.8 out of 10 CVSS rating, affects the Windows Network File System (NFS). Microsoft noted exploitation is "more likely" for this bug, and said that can occur if a miscreant, who is already on the network, makes an unauthenticated, specially crafted call to an NFS service to execute remote code.
"With a score of 9.8, if you're sharing files and file systems over a network with NFS, this should be high on the list to patch," Immersive Labs' Kev Breen, director of cyber threat research, warned.
However, if you can't patch right away, Remond suggested disabling NFSV4.1. "This could adversely affect your ecosystem and should only be used as a temporary mitigation," it cautioned, adding a bolded warning: "You should NOT apply this mitigation unless you have installed the May 2022 Windows security updates." These fix CVE-2022-26937, another critical vuln in NFS.
The next critical RCE, CVE-2022-30163, is in the Windows Hyper-V hypervisor. It received a CVSS score of 8.5, and it would be a fairly complex attack to pull off (a miscreant would have to win an unidentified race condition from an application). But if exploited it could be used to move from a guest virtual machine (VM) to the host where potentially a lot of damage or snooping can be done.
The third critical RCE is CVE-2022-30139 in Windows Lightweight Directory Access Protocol (LDAP) code, though by default systems should not be exploitable.
And while CVE-2022-30147, a Windows Installer elevation of privilege vulnerability with a CVSS score of 7.8 doesn't rank as high, severity wise, as some of the others, "this kind of vulnerability is almost always seen during a cyber attack," Breen noted. Microsoft also marked this bug as more likely to be exploited.
After gaining initial access, an intruder can escalate privileges to the level of an administrator and then disable security tools. "In the case of ransomware attacks, this leverages access to more sensitive data before encrypting the files," Breen told The Register.
As always, there's a summary of Microsoft's patches here by the ZDI.
Hertzbleed hits Intel, AMD CPUs
Intel joined in the Patch Tuesday fun with three security advisories addressing six medium-severity bugs.
One of these, CVE-2022-24436, was named Hertzbleed and reported to Intel by university researchers. "In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure," the boffins warned.
Hertzbleed is a type of side-channel attack that takes advantage of dynamic frequency scaling and affects all Intel processors along with several of AMD's desktop, mobile and server chips, according to that company.
The researchers said they have notified other processor vendors, such as Arm, and haven't confirmed if they are affected by Hertzbleed.
- Azure issues not adequately fixed for months, complain bug hunters
- Atlassian: Unpatched years-old flaw under attack right now to hijack Confluence
- Patch now: Zoom chat messages can infect PCs, Macs, phones with malware
- Google Chrome, Microsoft Edge patched in race against exploitation
Essentially all modern CPUs use frequency scaling, which is an energy management technique that auto-adjusts the CPU core clock frequency depending on the actual processing taking place. A clever attacker could monitor this scaling to infer exactly what data is being processed – using the core frequency to leak the content of data being handled by code – and steal, for instance, cryptographic keys being handled by the processor. All by paying close attention to exactly how long some code completes, which is affected by the frequency scaling.
As the academics put it: "Hertzbleed takes advantage of our experiments showing that, under certain circumstances, the dynamic frequency scaling of modern x86 processors depends on the data being processed."
It's a very smart and very fiddly timing attack, and slow – like tens of bits per second leaked – and may be exploitable depending on your circumstances. Like with Meltdown and Spectre, there are easier bugs (see above) for miscreants to target to steal data. But it's interesting research. The uni team stated:
First, Hertzbleed shows that on modern x86 CPUs, power side-channel attacks can be turned into (even remote!) timing attacks — lifting the need for any power measurement interface. The cause is that, under certain circumstances, periodic CPU frequency adjustments depend on the current CPU power consumption, and these adjustments directly translate to execution time differences (as 1 hertz = 1 cycle per second).
Second, Hertzbleed shows that, even when implemented correctly as constant time, cryptographic code can still leak via remote timing analysis. The result is that current industry guidelines for how to write constant-time code (such as Intel's one) are insufficient to guarantee constant-time execution on modern processors.
Intel, for its part, provided software guidance for cryptographic code writers, which the chip giant says will help harden libraries and apps against leaking sensitive information. In another security advisory, it basically described Hertzbleed as a fun topic of discussion for geeks at cocktail parties, and no microcode fixes will be coming.
"While this issue is interesting from a research perspective, we do not believe this attack to be practical outside of a lab environment," wrote Jerry Bryant, Intel's senior director of security communications and incident response. "Also note that cryptographic implementations that are hardened against power side-channel attacks are not vulnerable to this issue."
AMD also suggested developers put in place countermeasures in their code.
Google fixes critical Android, Chrome bugs
Meanwhile, Google issued seven security fixes for Chrome and 41 for Android this month.
Four of the Android vulnerabilities are critical, and the "most severe," according to the June security bulletin, "could lead to remote code execution with no additional execution privileges needed."
In its Chrome advisory, the cloud giant highlighted four high-severity flaws found by external bug hunters. CISA has also warned that miscreants could exploit the bugs to take control of affected systems and urged folks to update now.
One of flaws, tracked as CVE-2022-2007, affects an unknown function of the WebGPU component in Google's Chrome browser and is a memory corruption vulnerability, according to VulDB.
While Google didn't provide much detail about the bug, the vulnerability database reports that it's easy to exploit without any form of authentication. Luckily, no technical details nor an exploit are publicly available.
Google paid David Manouchehri, the security researcher who found the vuln, $10,000 back in May. Meanwhile, an exploit would likely cost between $5,000 and $25,000, although VulnDB expects the price tag to increase "in the near future."
SAP scores a mention in CISA's exploited vuln catalog
SAP released 17 security patches this month. This includes HotNews note 2622660, which covers the latest Chromium release, 101.0.4951.54.
SAP also advised customers to fix a couple of improper access control issues in its products. One, detailed in High Priority note 3158375 affects SAP NetWeaver and ABAP Platform and received a CVSS score of 8.6.
"A permissive configuration of the route permission table may allow an unauthenticated attacker to bypass the protection to execute administration commands on the systems connected to the SAPRouter, compromising the availability of the systems," Onapsis explained.
The second, detailed in High Priority note note 3147498 affects SAP NetWeaver AS Java and received a CVSS score of 8.2.
In addition to SAP's June security updates, Onapsis researchers said they detected miscreants exploiting three vulnerabilities that SAP already patched: CVE-2021-38163, CVE-2016-2386, and CVE-2016-2388.
Earlier this month CISA updated updated its Catalog of Known Exploited Vulnerabilities to include all three.
Adobe fixes 40 critical flaws
Adobe closed 46 holes in its enterprise products for its June Patch Tuesday, and a whopping 40 of these are critical, according to the software maker. All of these except one affect Adobe products running on both Windows and macOS, and Adobe issued security hotfix for that one outlier, RoboHelp Server.
This flaw only hits RoboHelp running Windows machines. And while it's rated moderate, if exploited it could allow users to manipulate API requests and elevate their account privileges to that of a server administrator.
All of the other products included in the June patchapalooza have at least one critical vuln, and this includes an out-of-bounds-write vulnerability in Adobe Animate that affects 22.0.5 and earlier versions running on Windows and MacOS. Adobe publishes very little detail about any of these vulnerabilities, but admits that this one could lead to remote code execution.
Adobe Bridge requires patches for 12 flaws, 11 of them deemed critical and one important. A criminal could exploit these to execute malicious code or modify files on a system.
Adobe Illustrator comes in at 13 critical, three important and one moderate flaw that could lead to arbitrary code execution and memory leaks.
And finally Adobe InCopy and Adobe InDesign have a combined 15 critical bugs, which could all lead to arbitrary code execution.
Cisco rolls out more Spring Framework patches
Closing out the June patch-a-thon, Cisco clocked 10 security updates this month, including a new fix for the critical Spring Framework vulnerability disclosed back in March.
The networking firm also patched a denial of service vulnerability in the software-based SSL/TLS message handler of Cisco Firepower Threat Defense (FTD) Software. This high-severity flaw could be exploited by an unauthenticated, remote attacker by sending a crafted SSL/TLS message through an affected device, thus crashing the process and triggering a reload of the device, according to Cisco. ®