Post on 16-Jul-2015
Patch Overview
February 2015
Wolfgang Kandek, Qualys, Inc
February 12, 2014
February Patches
• Adobe Flash under direct attack in January/February
  • Normal = 1 update per month. Current = 4
  • January 13 – APSB14-01 – 9 critical vulnerabilities
  • January 21 – @Kafeine detects 0-day CVE-2015-0311
    • Angler Exploit Kit
  • January 22 – APSB14-02 for CVE-2015-0310 (no typo)
    • Under attack in the wild (0-day)
    • Mentions CVE-2015-0311 (sort of)
    • Credits 3 researchers, including @Kafeine
  • January 27 – APSB14-03 for CVE-2015-0311/12
    • Credits 3 different researchers, including @Kafeine
February Patches - 2
• Flash attacks continue in February
  • February 2 – Trend Micro detects 0-day
  • February 5 – APSB14-04 – 18 critical vulnerabilities
    • Including 0-day CVE-2015-0313
  • All versions of Windows attacked under IE and Firefox
  • Flash under Google Chrome not attacked
  • Malwarebytes Anti-Exploit neutralizes CVE-2014-310
  • EMET prevents CVE-2015-0311
  • Trend Micro Browser Exploit Prevention: CVE-2015-0313
February Patches - 3
• Microsoft, February 10: 9 bulletins – MS15-009 to MS15-017
  • IE, Windows, Office – 4 x Remote Code Execution
  • 5 x Important: Privilege Escalation, DoS, SFP
  • Priority 1: MS15-009 – Internet Explorer
    • 41 vulnerabilities – January rollup
    • 1 publicly disclosed – ZDI 120-day limit
  • Priority 2: MS15-012 – Office (Excel/Word)
  • Priority 3: MS15-010 – Windows
    • 1 publicly disclosed – Google Project Zero 90-day limit
  • Interesting: MS15-011 – GPO
GHOST
• January 27 – Qualys disclosed CVE-2015-0235 in Linux/glibc
  • January 13 (first contact), January 18 (CVE assigned)
  • Critical vulnerability, about 2 months to find and exploit
• GHOST similar to Heartbleed and Shellshock
• GHOST = GetHOSTbyname (the vulnerable function)
• Newest glibc (2.18) not vulnerable, but not very common
  • Ubuntu 14.04, Fedora 20/21, SUSE 12/13, Gentoo
• glibc 2.2–2.17 vulnerable and in use in many distros
  • Red Hat 6/7 (CentOS 6/7), SUSE Enterprise, Ubuntu 12.04
• Verification program, source in the advisory
• Vulnerability scanner
GHOST - Exploitability
• Buffer overflow in gethostbyname()
  • Hostname
    • Needs to be digits and dots
    • Longer than 1 KB
• Mitigations
  • Hostname can only be 255 characters long (RFC 1123)
  • gethostbyname() deprecated
• Examples:
  • ping, arping, mtr, mount.nfs – not vulnerable
  • clockdiff, procmail, pppd, exim – vulnerable
    • exim – (remote!) exploit PoC exists
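As an added example (not code from the deck or from the Qualys advisory), the two mitigations listed above written out in C: an RFC 1123 hostname check that rejects any name over 255 characters before it reaches the resolver, a detection heuristic for input of the digits-and-dots, over-1-KB shape the slide describes, and a resolver wrapper that uses getaddrinfo() instead of the obsolete gethostbyname(). The function names and the sample input are constructed here; the limits are the RFC 1123 values.

```c
#define _GNU_SOURCE 1   /* make getaddrinfo()/getnameinfo() visible in <netdb.h> */
#include <ctype.h>
#include <netdb.h>
#include <string.h>
#include <sys/socket.h>

/* 1 if h is an RFC 1123 hostname: 1..63-char labels of alphanumerics or '-',
   no label starting or ending with '-', no empty labels, total length <= 255. */
int hostname_is_valid(const char *h) {
    size_t n = strlen(h), label = 0;
    if (n == 0 || n > 255) return 0;                 /* RFC 1123 total limit */
    for (size_t i = 0; i < n; i++) {
        if (h[i] == '.') {
            if (label == 0 || h[i - 1] == '-') return 0;
            label = 0;
        } else if (isalnum((unsigned char)h[i]) || h[i] == '-') {
            if (label == 0 && h[i] == '-') return 0;
            if (++label > 63) return 0;              /* RFC 1123 label limit */
        } else return 0;
    }
    return label > 0 && h[n - 1] != '-';             /* no trailing '.' or '-' */
}

/* Detection heuristic for the trigger shape the slide describes: only digits and dots, over 1 KB. */
int looks_like_ghost_trigger(const char *h) {
    size_t n = strlen(h);
    if (n <= 1024) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)h[i]) && h[i] != '.') return 0;
    return 1;
}
static char g_sample[2048];   /* constructed sample input "1.1.1..." of a given length */
const char *build_digits_dots(size_t len) {
    if (len >= sizeof g_sample) len = sizeof g_sample - 1;
    for (size_t i = 0; i < len; i++) g_sample[i] = (i % 2) ? '.' : '1';
    g_sample[len] = '\0';
    return g_sample;
}

/* Validate first, then resolve with getaddrinfo() instead of the obsolete
   gethostbyname(): -1 = rejected by the check, -2 = resolver error, 0 = ok. */
int resolve_checked(const char *host, char *ip, size_t iplen) {
    if (!hostname_is_valid(host)) return -1;
    struct addrinfo *res, hints = { .ai_family = AF_UNSPEC, .ai_socktype = SOCK_STREAM };
    if (getaddrinfo(host, NULL, &hints, &res) != 0) return -2;
    int rc = getnameinfo(res->ai_addr, res->ai_addrlen, ip, iplen, NULL, 0, NI_NUMERICHOST);
    freeaddrinfo(res);
    return rc == 0 ? 0 : -2;
}
```

A 1100-byte digits-and-dots string is rejected by the length check alone, so it never reaches the resolver; the heuristic is the same shape test, usable over logged hostnames.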
GHOST - Reality
• How exploitable is it really?
• Opinions vary
  • Michal Zalewski – Yup, that is the real thing, nothing to add
  • Robert Graham – Yes, but…
  • Many – PR stunt
  • Sucuri – there is a problem in WordPress/PHP – pingback
    • Now a Metasploit check
  • Veracode – there are problems in many enterprise apps
    • 202 enterprise apps – 25% use gethostbyname
    • 72% C/C++, 28% Java, .NET, PHP
• 64-bit and 32-bit are both vulnerable – our exploit works against both 64-bit and 32-bit exim, for example
GHOST – beyond Linux
• Juniper
• Cisco
• NetApp
• McAfee
• F-Secure
• Blue Coat
• Riverbed
• …
Resources
• Microsoft – https://technet.microsoft.com/library/security/ms15-feb
• Adobe – http://blogs.adobe.com/psirt
• GHOST – http://www.openwall.com/lists/oss-security/2015/01/27/9
• Sucuri – http://blog.sucuri.net/2015/01/critical-ghost-vulnerability-released.html
• Veracode – https://www.sans.org/webcasts/99642?ref=174212
• Metasploit – https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wordpress_ghost_scanner.rb
• Juniper – http://kb.juniper.net/InfoCenter/indexid=JSA10671&page=content
Resources 2
• Cisco – http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost
• McAfee – https://kc.mcafee.com/corporate/index?page=content&id=SB10100
• NetApp – https://kb.netapp.com/support/index?page=content&id=9010027
• F-Secure – https://www.f-secure.com/en/web/labs_global/fsc-2015-1
• Blue Coat – https://bto.bluecoat.com/security-advisory/sa90
• Riverbed – https://supportkb.riverbed.com/support/index?page=content&id=S25833
Thank You
Wolfgang Kandek
wkandek@qualys.com
http://laws.qualys.com