februar patch tuesday 2015 webinar


Upload: wolfgang-kandek

Post on 16-Jul-2015


TRANSCRIPT

Page 1: Februar Patch Tuesday 2015 Webinar

Patch Overview

February 2015

Wolfgang Kandek, Qualys, Inc

February 12, 2014

Page 6: February Patches

• Adobe Flash under direct attack in January/February
• Normal = 1 update per month. Current = 4
• January 13 – APSB14-01 – 9 critical vulnerabilities
• January 21 – @Kafeine detects 0-day CVE-2015-0311
  • Angler Exploit Kit
• January 22 – APSB14-02 for CVE-2015-0310 (no typo)
  • Under attack in the wild (0-day)
  • Mentions CVE-2015-0311 (sort of)
  • Credits 3 researchers, including @Kafeine
• January 27 – APSB14-03 for CVE-2015-0311/12
  • Credits 3 different researchers, including @Kafeine

Page 12: February Patches - 2

• Flash attack continues in February
• February 2 – Trend Micro detects 0-day CVE-2015-0313
• February 5 – APSB14-04 – 18 critical vulnerabilities
  • Including 0-day CVE-2015-0313
• All versions of Windows attacked under IE and Firefox
• Flash under Google Chrome not attacked
• Malwarebytes Anti-Exploit neutralizes CVE-2014-310
• EMET prevents CVE-2015-0311
• Trend Micro Browser Exploit Prevention: CVE-2015-0313

Page 17: February Patches - 3

• Microsoft, February 10: 9 bulletins – MS15-009 to MS15-017
  • IE, Windows, Office – 4 x Remote Code Execution
  • 5 x Important: Privilege Escalation, DoS, SFP
• Priority 1: MS15-009 – Internet Explorer
  • 41 vulnerabilities – January rollup
  • 1 publicly disclosed – ZDI 120-day limit
• Priority 2: MS15-012 – Office (Excel/Word)
• Priority 3: MS15-010 – Windows
  • 1 publicly disclosed – Google Project Zero 90-day limit
• Interesting: MS15-011 – Group Policy (GPO)

Page 20: GHOST

• January 27 – Qualys disclosed CVE-2015-0235 in Linux/glibc
  • January 13 (first contact), January 18 (CVE)
  • Critical vulnerability, about 2 months to find and exploit
• GHOST similar to Heartbleed and Shellshock
• GHOST = GetHOSTbyname (vulnerable function)
• Newest glibc (2.18) not vulnerable, but not very common
  • Ubuntu 14.04, Fedora 20/21, SUSE 12/13, Gentoo
• glibc 2.2–2.17 vulnerable, in use in many distros
  • Red Hat 6/7 (CentOS 6/7), SUSE Enterprise, Ubuntu 12.04
• Verification program, source in the advisory
• Vulnerability scanner
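An added verification check for the glibc condition described on this slide, written for this page in the spirit of the advisory's verification program but not the advisory's own code: it hands gethostbyname_r() an all-digit name sized against a 1 KB buffer and reports whether a canary placed directly behind that buffer survives. The buffer size, canary string and the name ghost_check() are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

/* Canary placed directly after the resolver buffer. On a vulnerable glibc
 * (2.2 to 2.17) the digits-and-dots path writes a few bytes past the buffer
 * and clobbers it; a fixed glibc rejects the call with ERANGE instead. */
#define CANARY "in_the_coal_mine"

struct probe {
    char buffer[1024];
    char canary[sizeof(CANARY)];
};

/* Returns 1 if the canary was overwritten (vulnerable), 0 otherwise.
 * If retval_out is non-NULL it receives gethostbyname_r()'s return value. */
int ghost_check(int *retval_out)
{
    struct probe temp;
    struct hostent resbuf, *result = NULL;
    int herrno = 0, retval;
    /* Name length chosen so the buggy size computation believes the name
     * fits the buffer exactly while the correct one needs more than buflen. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];
    memset(&temp, 0, sizeof temp);
    memcpy(temp.canary, CANARY, sizeof(CANARY));
    memset(name, '0', len);            /* all digits, no dots: numeric path */
    name[len] = '\0';
    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                             &result, &herrno);
    if (retval_out)
        *retval_out = retval;
    return memcmp(temp.canary, CANARY, sizeof(CANARY)) != 0;
}

int main(void)
{
    int rv = 0;
    if (ghost_check(&rv))
        puts("vulnerable: canary overwritten");
    else if (rv == ERANGE)
        puts("not vulnerable: glibc rejected the oversized name (ERANGE)");
    else
        printf("inconclusive (non-glibc libc?): gethostbyname_r returned %d\n", rv);
    return 0;
}
```

The overflow, where it occurs, lands inside the probe struct, so the check itself is safe to run on a system you are assessing.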

Page 23: GHOST - Exploitability

• Buffer overflow in gethostbyname()
• Hostname
  • Needs to be digits and dots
  • Longer than 1 KB
• Mitigations
  • Hostname can only be 255 characters long (RFC 1123)
  • gethostbyname() deprecated
• Examples:
  • ping, arping, mtr, mount.nfs – not vulnerable
  • clockdiff, procmail, pppd, exim – vulnerable
  • exim – (remote!) exploit PoC exists
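The two mitigations listed above, as an added example that is not part of the original deck: valid_hostname() enforces the RFC 1123 limits (255 characters in total, labels of 1 to 63 letters, digits or hyphens) before any lookup, so a 1 KB digits-and-dots name never reaches the resolver, and safe_resolve() uses getaddrinfo() in place of the deprecated gethostbyname(). Both function names are this example's own.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <netdb.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

#define RFC1123_MAX_HOST 255   /* total hostname length limit (RFC 1123) */
#define MAX_LABEL 63           /* per-label limit */

/* Accept only RFC 1123 hostnames: 1..255 characters, dot-separated labels
 * of 1..63 letters/digits/hyphens that neither start nor end with a hyphen.
 * A trailing dot is rejected (strict). Returns 1 if acceptable, else 0. */
int valid_hostname(const char *name)
{
    size_t n = strlen(name), label = 0;
    if (n == 0 || n > RFC1123_MAX_HOST) return 0;
    for (size_t i = 0; i <= n; i++) {
        char c = name[i];
        if (c == '.' || c == '\0') {
            if (label == 0 || label > MAX_LABEL || name[i - 1] == '-') return 0;
            label = 0;
        } else if (isalnum((unsigned char)c) || c == '-') {
            if (label == 0 && c == '-') return 0;  /* leading hyphen */
            label++;
        } else {
            return 0;                               /* anything else */
        }
    }
    return 1;
}

/* Resolve with getaddrinfo() only after the length/character check passes.
 * If out is non-NULL the first IPv4 address is written there as text.
 * Returns 0 on success, -1 if the name was rejected or the lookup failed. */
int safe_resolve(const char *name, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    int rc = -1;
    if (!valid_hostname(name)) return -1;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    if (getaddrinfo(name, NULL, &hints, &res) != 0 || res == NULL) return -1;
    if (out == NULL)
        rc = 0;
    else if (inet_ntop(AF_INET, &((struct sockaddr_in *)res->ai_addr)->sin_addr,
                       out, outlen))
        rc = 0;
    freeaddrinfo(res);
    return rc;
}
```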

Page 33: GHOST - Reality

• How exploitable is it really?
• Opinions vary
  • Michal Zalewski – Yup, that is the real thing, nothing to add
  • Robert Graham – Yes, but…
  • Many – PR stunt
  • Sucuri – there is a problem in WordPress/PHP – pingback
    • Now a Metasploit check
  • Veracode – there are problems in many enterprise apps
    • 202 enterprise apps – 25% use gethostbyname
    • 72% C/C++, 28% Java, .NET, PHP
• 64/32 bit are vulnerable – our exploit works against both 64- and 32-bit exim, for example

Page 39: GHOST – beyond Linux

• Juniper
• Cisco
• NetApp
• McAfee
• F-Secure
• Blue Coat
• Riverbed
• …

Page 40: Resources

• Microsoft – https://technet.microsoft.com/library/security/ms15-feb
• Adobe – http://blogs.adobe.com/psirt
• GHOST – http://www.openwall.com/lists/oss-security/2015/01/27/9
• Sucuri – http://blog.sucuri.net/2015/01/critical-ghost-vulnerability-released.html
• Veracode – https://www.sans.org/webcasts/99642?ref=174212
• Metasploit – https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wordpress_ghost_scanner.rb
• Juniper – http://kb.juniper.net/InfoCenter/index?id=JSA10671&page=content

Page 41: Resources 2

• Cisco – http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost
• McAfee – https://kc.mcafee.com/corporate/index?page=content&id=SB10100
• NetApp – https://kb.netapp.com/support/index?page=content&id=9010027
• F-Secure – https://www.f-secure.com/en/web/labs_global/fsc-2015-1
• Blue Coat – https://bto.bluecoat.com/security-advisory/sa90
• Riverbed – https://supportkb.riverbed.com/support/index?page=content&id=S25833

Page 42: Thank You

Wolfgang Kandek
[email protected]
http://laws.qualys.com