Author: mangakiko

August Patch Tuesday clicks off the week of hacker summer camp in Las Vegas this year, so it’s basically a code cracker’s holiday too.

Let’s start off with Microsoft’s 121 security holes, which are the most interesting of the ever-growing, second-Tuesday patch party. Plus, they include one that Redmond lists as under active attack and a second that it says is also publicly known.

Of the 121 Microsoft bugs, 17 are considered critical. Both of the bugs listed as publicly known are ranked as “important” holes to fix. But since they pose the greatest risk to orgs, which are now basically in a race to patch versus cybercriminals, we suggest starting with these two.

First, CVE-2022-34713, a remote code execution vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT) that’s under active attack. It received a 7.8 CVSS severity score and it has a low attack complexity, so it’s safe to assume other miscreants will find and exploit this hole in the near future.

To exploit this bug, an attacker would need to trick a victim into opening a specially crafted file, likely either via a phishing email or malicious website that contains a file designed to exploit the vulnerability.

“An attacker would have no way to force users to visit the website,” Microsoft explained. “Instead, an attacker would have to convince users to click a link.”

However, as we’ve witnessed with the recent Twilio breach and others, this doesn’t normally require a whole lot of convincing on the part of these wily criminals.

After convincing users to click a malicious file, such as a Word document, the application calls MSDT using the URL protocol, and can then run arbitrary code on the victim’s machine with the privileges of the calling application.

“The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights,” Microsoft noted in a blog about an earlier MSDT flaw.

And yes, this issue of MSDT bugs under active exploit has been an ongoing issue for the software giant.

“It’s not clear if this vulnerability is the result of a failed patch or something new,” the Zero Day Initiative’s Dustin Childs noted. “Either way, test and deploy this fix quickly.”

The second Microsoft vulnerability listed as publicly known, tracked as CVE-2022-30134, is an information disclosure bug in Microsoft Exchange. It received a 7.6 CVSS score.

An exploit would require convincing a user with an affected version of Exchange Server to access a malicious server, which would then allow the attacker to read targeted email messages.

According to Redmond, turning on Extended Protection for Exchange Server prevents this attack.

Meanwhile two critical bugs in this month’s roundup, both remote code execution flaws in Windows Point-to-Point Protocol, received near-perfect 9.8 out of 10 severity scores. However, both CVE-2022-30133 and CVE-2022-35744 can only be exploited by communicating via Port 1723, according to Microsoft.

This means blocking traffic through this port works as a temporary workaround. However, “disabling Port 1723 could affect communications over your network,” Redmond warned.

There’s also a trio of critical Exchange Server escalation of privilege bugs, CVE-2022-21980, CVE-2022-24516 and CVE-2022-24477, that, according to Immersive Labs’ Director of Cyber ​​Threat Research Kev Breen “warrant an urgent patch “if your company runs local exchange servers.

All three received an 8.0 CVSS score and could allow unauthenticated users to take over all of the mailboxes on the server.

“Exchanges can be treasure troves of information, making them valuable targets for attackers,” Breen told The Register.

“With CVE-2022-24477, for example, an attacker can gain initial access to a user’s host and could take over the mailboxes for all exchange users, sending and reading emails and documents,” he explained. “For attackers focused on business email compromise this kind of vulnerability can be extremely damaging.”

Enabling Extended Protection also protects against these flaws.

Adobe issues five fixes for 25 bugs

Adobe issued five fixes for 25 vulnerabilities today that affect both Windows and macOS users.

We’d suggest starting with the security update that addresses three critical and four important bugs in Acrobat and Reader. “Successful exploitation could lead to arbitrary code execution and memory leak,” the software provider warned.

Additionally, Illustrator’s four critical and important vulnerabilities and FrameMaker’s six critical and important bugs could lead to arbitrary code execution and memory leak if left unpatched.

One critical bug in Premiere Elements could allow an unauthorized user to escalate privileges.

And finally, the vendor released patches for Commerce and Magento Open Source that fix seven critical, important and moderate vulnerabilities. Miscreants could use these bugs to execute arbitrary code on victims’ machines, escalate privileges and bypass security features.

According to Adobe, none of these flaws have been exploited in the wild.

Intel fixes secret-spilling CPU bug

Intel, a more recent entrant to the second-tuesday patchapalooza, today released 27 advisories to fix 59 vulnerabilities.

One of these addresses an architectural error in certain recent Intel CPUs that can be abused to expose SGX enclave data like private encryption keys.

Dubbed “ÆPIC Leak” by the six researchers who found the hardware bug, CVE-2022-21233 affects the memory-mapped registers of the local Advanced Programmable Interrupt Controller (APIC), which helps the CPU handle interrupt requests from various sources to facilitate multiprocessing .

Intel recommends that anyone using a buggy processor update to the latest version firmware, and said it will soon release SGX software development kit updates, too.

Additionally, chipzilla released microcode updates for affected CPUs supported on the public github repository.

SAP updates to ‘hot-news’ Chromium hole

For its Security Patch Day today, SAP released five new security notes and two updates to previously issued alerts.

This includes one “hot-news” priority bug, which received a 10 out of 10 CVSS score, along with one high priority and five medium-priority fixes.

The most pressing hot-news item is an update to an April SAP Security Note that addressed 52 Chromium fixes for SAP Business Client customers.

Additionally, a high-priority information disclosure vulnerability tracked as CVE-2022-32245 in the vendor’s Business Objects Business Intelligence Platform deserves prompt patching.

It received a CVSS score of 8.2, and relates to the Open Document web app within the BI platform. If left unpatched, it could allow an unauthenticated user to exfiltrate sensitive information in plain text over the network, according to the SAP security researchers at Onapsis.

“This includes any data available for business users,” they added. “The vulnerability could also be exploited to put load on the application, by an automated attack, so data is transferred permanently over the network.”

Hopefully you patched this VMware bug last week

VMware, meanwhile, issued three new security updates today and warned that a critical authentication bypass bug disclosed last week has since been exploited in the wild.

As for the virtualization giant’s new updates: one addresses four “important” bugs in vRealize Operations. The most serious of these, CVE-2022-31672, which received a 7.2 CVSS score would allow a user with administrative network access to escalate privileges to root.

Two others, CVE-2022-31674 and CVE-2022-31673, are information disclosure vulnerabilities. The fourth, CVE-2022-31675, is an authentication bypass bug.

Google fixed RCE over Bluetooth

Finally, rounding out the August patch party, Google patched 37 vulnerabilities affecting Android devices.

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed,” according to the security bulletin. ®

A component of computer processors that connects different parts of the chip can be exploited by malicious agents who seek to steal secret information from programs running on the computer, MIT researchers have found.

Modern computer processors contain many computing units, called cores, which share the same hardware resources. The on-chip interconnect is the component that enables these cores to communicate with each other. But when programs on multiple cores run simultaneously, there is a chance they can delay one another when they use the interconnect to send data across the chip at the same time.

By monitoring and measuring these delays, a malicious agent could conduct what is known as a “side-channel attack” and reconstruct secret information that is stored in a program, such as a cryptographic key or password.

MIT researchers reverse-engineered the on-chip interconnect to study how this kind of attack would be possible. Drawing on their discoveries, they built an analytical model of how traffic flows between the cores on a processor, which they used to design and launch surprisingly effective side-channel attacks. Then they developed two mitigation strategies that enable a user to improve security without making any physical changes to the computer chip.

“A lot of current side-channel defenses are ad hoc – we see a little bit of leakage here and we patch it. We hope our approach with this analytical model pushes more systematic and robust defenses that eliminate whole classes of attacks at the same time,” says co-lead author Miles Dai, MEng ’21.

Dai wrote the paper with co-lead author Riccardo Paccagnella, a graduate student at the University of Illinois at Urbana-Champaign; Miguel Gomez-Garcia ’22; John McCalpin, a research scientist at the Texas Advanced Computing Center; and senior author Mengjia Yan, the Homer A. Burnell Career Development Assistant Professor of Electrical Engineering and Computer Science (EECS) and a member of the Computer Science and Artificial Intelligence Laboratory (CSAIL). The research is being presented at the USENIX Security Conference.

Probing processors

A modern processor is like a two-dimensional grid, with multiple cores laid out in rows and columns. Each core has its own cache where data are stored, and there is also a larger cache that is shared across the entire processor. When a program located on one core needs to access data in a cache that is on another core or in the shared cache, it must use the on-chip interconnect to send this request and retrieve the data.

Though it is a large component of the processor, the on-chip interconnect remains understudied because it is difficult to attack, Dai explains. A hacker needs to launch the attack when traffic from two cores is actually interfering with each other, but since traffic spends so little time in the interconnect, it is difficult to time the attack just right. The interconnect is also complex, and there are multiple paths traffic can take between cores.

To study how traffic flows on the interconnect, the MIT researchers created programs that would intentionally access memory caches located outside their local cores.

“By testing out different situations, trying different placements, and swapping out locations of these programs on the processor, we can understand what the rules are behind traffic flows on the interconnect,” Dai says.

They discovered that the interconnect is like a highway, with multiple lanes going in every direction. When two traffic flows collide, the interconnect uses a priority arbitration policy to decide which traffic flow gets to go first. More “important” requests take precedence, like those from programs that are critical to a computer’s operations.

Using this information, the researchers built an analytical model of the processor that summarizes how traffic can flow on the interconnect. The model shows which cores would be most vulnerable to a side-channel attack. A core would be more vulnerable if it can be accessed through many different lanes. An attacker could use this information to select the best core to monitor to steal information from a victim program.

“If the attacker understands how the interconnect works, they can set themselves up so the execution of some sensitive code would be observable through interconnect contention. Then they can extract, bit by bit, some secret information, like a cryptographic key,” Paccagnella explains.

Effective attacks

When the researchers used this model to launch side-channel attacks, they were surprised by how quickly the attacks worked. They were able to recover full cryptographic keys from two different victim programs.

After studying these attacks, they used their analytical model to design two mitigation mechanisms.

In the first strategy, the system administrator would use the model to identify which cores are most vulnerable to attacks and then schedule sensitive software to run on less vulnerable cores. For the second mitigation strategy, the administrator could reserve cores located around a susceptible program and run only trusted software on those cores.

The researchers found that both mitigation strategies were able to significantly reduce the accuracy of side-channel attacks. Neither requires the user to make any changes to the physical hardware, so the mitigations would be relatively easy to implement, Dai says.

Ultimately, they hope their work inspires more researchers to study the security of on-chip interconnects, Paccagnella says.

“We hope this work highlights how the on-chip interconnect, which is such a large component of computer processors, remains an overlooked attack surface. In the future, as we build systems that have stronger isolation properties, we should not ignore the interconnect,” he adds.

This work was funded, in part, by the National Science Foundation and the Air Force Office of Scientific Research.