In our weekly roundup of InfoSec happenings, we start, as has often been the case this year, with concerning Meltdown / Spectre news — this time involving Microsoft — and also touch on a password hack at Under Armour, a WannaCry infection at Boeing, and a severe Drupal vulnerability.
In an instance of the cure possibly being worse than the disease, a Microsoft patch for Meltdown released in January created a gaping security hole in certain systems in which it was installed.
It took Microsoft two tries to fix the issue, which affects Windows 7 (x64) and Windows Server 2008 R2 (x64) systems. The company thought it had solved the vulnerability (CVE-2018-1038) with a scheduled patch last Tuesday, but then had to rush out an emergency fix two days later.
Security researcher Ulf Frisk, who discovered the vulnerability, called it "way worse" than Meltdown because it "allowed any process to read the complete memory contents at gigabytes per second" and made it possible to write to arbitrary memory as well.
"No fancy exploits were needed. Windows 7 already did the hard work of mapping in the required memory into every running process," Frisk wrote. "Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required — just standard read and write."
As Qualys' Director of Product Management for Patch Management Gill Langston wrote in this blog, there are no current active attacks against this vulnerability but there is proof-of-concept code. "Opportunistic actors could weaponize this exploit by using a multi-stage attack to gain access to an affected asset," he warned.
Langston recommends that organizations install Thursday's out-of-band patch if they installed any of the security updates in January of this year or later. "Also ensure that other layers of protection (anti-malware, email security, web filtering) are up to date to minimize your risk profile," he wrote.
Qualys created QID 91440 in Vulnerability Management. Detection requires authenticated scanning or a Qualys Cloud Agent installed on the asset.
Cyber thieves stole usernames, email addresses, and hashed passwords from 150 million accounts of Under Armour's MyFitnessPal app at some point during February. Those affected must change their MyFitnessPal app passwords immediately, and should do the same on any other online account in which they've used that same password.
They also should be vigilant about suspicious activity on all their other online accounts, and about unsolicited requests to provide personal information, visit webpages, click on email links or download attachments.
Under Armour, a sports apparel maker, made no mention in its breach notice of how the hackers were able to access the data. The company discovered the hack last week.
Over at Sophos' Naked Security blog, Mark Stockley points out that the hackers had at least a month "to send targeted MyFitnessPal phishing emails, to crack the stolen password hashes, and to try any cracked passwords on other services (such as social media accounts)."
"Since the information at risk can be used to log in to your MyFitnessPal account, all the data you see when you log in to your account is also at risk," he added.
Writing in Wired, Lily Hay Newman makes a thorough analysis of the hack, and of what Under Armour did well (quick disclosure, system segmentation, use of "bcrypt" hashing function) and not so well (use of SHA-1 hashing function).
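The bcrypt-versus-SHA-1 point above is the whole story of why some of the stolen hashes are crackable and some are not: an unsalted, fast hash such as SHA-1 gives every user who picked the same password the same digest and can be guessed at enormous speed, while a salted, deliberately slow scheme does neither. The following is an added example, not code from Under Armour, Wired, or Qualys, showing the defender-side pattern for getting rid of legacy hashes: verify a login against the old SHA-1 record and, on success, rewrite that record with a salted slow KDF. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt so the example needs no third-party package; the user names, passwords and store layout are constructed for the example.

```python
import hashlib
import hmac
import os

# Work factor for the slow, salted KDF. PBKDF2-HMAC-SHA256 stands in for
# bcrypt here so the example runs with no third-party package; the
# rehash-on-login migration pattern is the same for either.
KDF_ITERATIONS = 100_000


def sha1_legacy(password: str) -> str:
    """Unsalted SHA-1 of the password, the way a weak legacy store keeps it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def kdf_hash(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Salted, deliberately slow hash: the scheme every new record should use."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_kdf_record(password: str) -> dict:
    """Build a stored record with a fresh random per-user salt."""
    salt = os.urandom(16)
    return {
        "scheme": "pbkdf2",
        "salt": salt.hex(),
        "iterations": KDF_ITERATIONS,
        "hash": kdf_hash(password, salt).hex(),
    }


def demo_store() -> dict:
    """Constructed sample store: two users who happen to share a password.
    With unsalted SHA-1 their stored hashes are identical."""
    return {
        "alice": {"scheme": "sha1", "hash": sha1_legacy("correct horse")},
        "bob": {"scheme": "sha1", "hash": sha1_legacy("correct horse")},
    }


def verify_and_upgrade(store: dict, user: str, password: str) -> bool:
    """Check a login. On success against a legacy SHA-1 record, replace that
    record in place with a salted KDF record so the weak hash stops existing."""
    rec = store.get(user)
    if rec is None:
        # Spend the same effort as a real check so unknown users cannot be
        # told apart from known ones by response time.
        kdf_hash(password, b"\x00" * 16)
        return False
    if rec["scheme"] == "sha1":
        ok = hmac.compare_digest(sha1_legacy(password), rec["hash"])
        if ok:
            store[user] = make_kdf_record(password)
        return ok
    if rec["scheme"] == "pbkdf2":
        expected = bytes.fromhex(rec["hash"])
        got = kdf_hash(password, bytes.fromhex(rec["salt"]), rec["iterations"])
        return hmac.compare_digest(got, expected)
    raise ValueError(f"unknown hash scheme {rec['scheme']!r}")


if __name__ == "__main__":
    store = demo_store()
    print("same password, same SHA-1:", store["alice"]["hash"] == store["bob"]["hash"])
    print("alice logs in:", verify_and_upgrade(store, "alice", "correct horse"))
    print("alice's record is now:", store["alice"]["scheme"])
    print("bob logs in:", verify_and_upgrade(store, "bob", "correct horse"))
    print("same password, different KDF hashes:", store["alice"]["hash"] != store["bob"]["hash"])
```

The upgrade only happens when the user presents the correct password, because that is the only moment the server ever sees the plaintext; users who never log in again keep their SHA-1 record, which is why a migration like this is usually paired with a forced password reset for dormant accounts.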
If you thought WannaCry was oh so 2017, think again. The notorious ransomware grabbed headlines again last week when news broke that it had cropped up at giant airplane manufacturer Boeing.
When it was first detected, Boeing leaders feared the worst, including manufacturing process disruptions, but when the dust cleared it seems the damage was quickly contained and pretty limited.
"We've done a final assessment," Linda Mills, the head of communications for Boeing Commercial Airplanes, told The Seattle Times. "The vulnerability was limited to a few machines. We deployed software patches. There was no interruption to the 777 jet program or any of our programs."
Still, the incident serves as a good reminder that WannaCry — formal name WanaCrypt0r 2.0 — spreads using an exploit called EternalBlue for Windows OS vulnerabilities that Microsoft patched in March 2017, so more than a year ago now.
The vulnerabilities, in Windows' SMB (Server Message Block) protocol and described in security bulletin MS17-010, were rated "Critical" at the time by Microsoft due to the potential for attackers to execute remote code in affected systems.
Writing in Sophos' Naked Security blog, John E. Dunn suggests that systems remain unpatched for WannaCry because remediating these vulnerabilities isn't always straightforward.
"One reason for this persistence is that WannaCry doesn't just affect regular desktops, laptops and servers, but also spreads to and from unpatched Windows 7 systems of the sort widely used in manufacturing as Windows Embedded," Dunn wrote.
Here's more information on how to detect and address the MS17-010 vulnerabilities with Qualys products.
Other WannaCry resources from Qualys include:
As it had recently promised, Drupal last week released a patch for a remote code execution vulnerability it rated as "highly critical" that affects multiple subsystems of Drupal 7.x and 8.x.
"This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised," Drupal warned in its advisory.
In a companion FAQ, the Drupal security team pegged the scope of affected systems at 9% of sites using its CMS (content management system) platform, or more than 1 million sites.
While Drupal has no knowledge of successful exploits of this vulnerability, it nonetheless recommends immediate remediation because "site owners should anticipate that exploits may be developed and should therefore update their sites immediately."
The solution: Upgrade to the most recent version of Drupal 7 or 8 core.
Specifically, those running 7.x should upgrade to Drupal 7.58, or alternatively apply this patch on systems that can't be immediately upgraded. Meanwhile, those running 8.5.x should upgrade to Drupal 8.5.1, or apply this patch on systems that can't be immediately upgraded. The FAQ states that Drupal 6 is also affected and points users of that version to its long term support page.
Writing in the Qualys Community site, Dave Ferguson, Director of Product Management for Web Application Scanning at Qualys, called the vulnerability (CVE-2018-7600) "very dangerous."
According to Ferguson, customers using Qualys Web Application Scanning (WAS) to scan all their websites on a regular basis can quickly find out if they're running a vulnerable Drupal version without having to run additional scans.
"Simply open WAS and go to Detections. In the search field, enter '150183' (this is the WAS QID reported when Drupal CMS is detected). If WAS has identified any web apps running Drupal, you will see QID 150183 listed in the detections. Open each detection and look at the Results section to see the version of Drupal running on that site. If necessary, start the patching process," Ferguson wrote.
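Ferguson's workflow ends with a human reading the version out of each QID 150183 result and deciding whether it is at or above the fixed release. When there are dozens of Drupal sites, that comparison is worth automating, and it is easy to get wrong with string comparison ("7.9" sorts after "7.58"). The block below is an added example, not Qualys or Drupal code and not a WAS API call: it takes a constructed list of detection records in the shape the quote describes (URL, QID, result text), parses the Drupal version as a tuple of integers, and classifies each site against the fixed releases named above, 7.58 for 7.x and 8.5.1 for 8.5.x. Drupal 6 is marked vulnerable because the FAQ says it is affected; 8.x minors other than 8.5 are marked for manual review because this page names no fixed release for them, which is an assumption about scope, not a statement that they are safe. The URLs, version strings and the non-Drupal QID value in the sample are constructed placeholders.

```python
import re

# Fixed releases named in the advisory summary: 7.x -> 7.58 and 8.5.x -> 8.5.1.
FIXED_7 = (7, 58)
FIXED_85 = (8, 5, 1)

QID_DRUPAL_DETECTED = 150183  # WAS QID reported when Drupal CMS is detected


def parse_version(text: str):
    """Extract a dotted numeric Drupal version from a result string such as
    'Drupal 8.5.0' (or a bare '7.57') as a tuple of ints; None if absent."""
    m = re.search(r"drupal\s+v?(\d+(?:\.\d+){0,2})", text, re.IGNORECASE)
    if m is None:
        m = re.fullmatch(r"\s*v?(\d+(?:\.\d+){0,2})\s*", text)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def triage(version_text: str) -> str:
    """Classify one detected Drupal version: patched, vulnerable, review, unknown."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    major = v[0]
    if major == 6:
        # The FAQ says Drupal 6 is affected too; it only has a long term support path.
        return "vulnerable"
    if major == 7:
        # Tuple comparison gets 7.9 < 7.58 right where string comparison would not.
        return "patched" if v >= FIXED_7 else "vulnerable"
    if major == 8:
        if len(v) >= 2 and v[1] == 5:
            return "patched" if v >= FIXED_85 else "vulnerable"
        # Assumption: this page names a fixed release only for 8.5.x, so other
        # 8.x minors are flagged for manual review rather than guessed at.
        return "review"
    return "unknown"


def triage_detections(detections: list) -> dict:
    """Map each web app URL to a triage status, looking only at Drupal detections."""
    return {
        d["url"]: triage(d["result"])
        for d in detections
        if d.get("qid") == QID_DRUPAL_DETECTED
    }


# Constructed sample detections in the shape the WAS workflow above describes.
SAMPLE_DETECTIONS = [
    {"url": "https://intranet.example/", "qid": 150183, "result": "Drupal 7.57"},
    {"url": "https://www.example/", "qid": 150183, "result": "Drupal 7.58"},
    {"url": "https://shop.example/", "qid": 150183, "result": "Drupal 8.5.0"},
    {"url": "https://docs.example/", "qid": 150183, "result": "Drupal 8.5.1"},
    {"url": "https://legacy.example/", "qid": 150183, "result": "Drupal 6.38"},
    {"url": "https://blog.example/", "qid": 150183, "result": "Drupal 8.4.6"},
    {"url": "https://static.example/", "qid": 0, "result": "nginx"},  # 0: placeholder, not a real QID
]


if __name__ == "__main__":
    for url, status in sorted(triage_detections(SAMPLE_DETECTIONS).items()):
        print(f"{status:10s} {url}")
```

The "review" bucket is deliberate: when a tool cannot prove a version is fixed from the information it has, it should say so rather than report it as patched, since a false "patched" is the outcome that leaves a site exposed.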