Digital Edge Security Advisory
During the last month, the security community discovered multiple serious security threats that affect multiple platforms, technologies and configurations.
Digital Edge is issuing this security advisory to provide more details to clients, friends and colleagues on the threats themselves, the possible risk and the way of remediation.
All Digital Edge clients are safe and we are working with each individual client’s team to plan and roll out solutions appropriate to their unique configurations.
Vulnerability details:
SSLv3 vulnerability
Description: This vulnerability allows hackers to decrypt encrypted HTTPS communication between a client browser and a secured server. Such encrypted communication is used when users connect to their banks, shop on the internet, communicate with their workplaces remotely, etc.
The vulnerability was discovered in the SSLv3 encryption protocol. All other available encryption protocols, such as TLSv1/TLSv1.1/TLSv1.2, are secure.
Risk: Someone who has access to communication between a browser and a server can decrypt and access information such as banking logins, credit card information, Social Security Numbers and other data. The attacker must be able to capture the communication. This will only happen if the attacker:
- Has hacked into your network or your computer.
- Is a man-in-the-middle who has hacked Internet Service Provider equipment and is able to listen to all traffic flowing through the ISP's networks.
- Has accessed your WiFi network and captures all your WiFi traffic.
The vulnerability will not allow an attacker to gain access to your servers or execute code. The only thing it allows is reading information that is meant to be secured.
To see if your browser is vulnerable: https://www.poodletest.com/
To see if your server is vulnerable: http://www.poodlescan.com/
Remediation: The only correct way to remediate this vulnerability is to disable the SSLv3 encryption protocol. When a browser negotiates the encryption protocol with a secured server, it tries to negotiate the highest available protocol and goes down to SSLv3 only as a last resort.
Disabling SSLv3 carries relatively low risk. The only browser that would use SSLv3 is old IE running on Windows XP, and if someone runs that, it is a much bigger problem than the SSLv3 vulnerability.
All clients should disable SSLv3 in their browsers. The actual method depends on the browser version and the OS.
To disable SSLv3 on web servers, please contact us at: https://www.digitaledge.net/Contact-SendEmail.aspx
All affected Digital Edge clients will be contacted, and the required actions will be discussed, scheduled and performed. If you feel that you need additional help, please contact us at: https://www.digitaledge.net/Contact-SendEmail.aspx
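To illustrate the server-side remediation, the following added example (not Digital Edge's own tooling) audits web server configuration text for directives that still leave SSLv3 enabled. It assumes the standard nginx `ssl_protocols` and Apache mod_ssl `SSLProtocol` directives; the configuration snippets are constructed for the example.

```python
import re

# Directive names are the real nginx / Apache mod_ssl ones; the config
# snippets at the bottom are constructed for this example.
DIRECTIVE = re.compile(r"^[ \t]*(ssl_protocols|SSLProtocol)[ \t]+([^;#\n]+)",
                       re.I | re.M)
# Assumption: "all" is treated as including SSLv3, as on builds of that era.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def apache_protocols(args):
    """Apply Apache's rules: a bare token replaces the set, +/- adds/removes."""
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        members = APACHE_ALL if name == "all" else {name}
        if sign == "-":
            enabled = enabled - members
        elif sign == "+":
            enabled = enabled | members
        else:
            enabled = set(members)
    return enabled

def audit(config_text):
    """Return (line number, directive, sslv3_enabled) for each directive found."""
    findings = []
    for m in DIRECTIVE.finditer(config_text):
        line_no = config_text.count("\n", 0, m.start(1)) + 1
        name, args = m.group(1), m.group(2)
        if name.lower() == "sslprotocol":
            protocols = apache_protocols(args)
        else:  # nginx: a plain allow-list of protocol names
            protocols = {t.lower() for t in args.split()}
        findings.append((line_no, name, "sslv3" in protocols))
    return findings

NGINX_WEAK = "server {\n    listen 443 ssl;\n    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n}\n"
NGINX_FIXED = NGINX_WEAK.replace("SSLv3 ", "")
APACHE_WEAK = "SSLProtocol all -SSLv2\n"
APACHE_FIXED = "SSLEngine on\n# SSLProtocol all\nSSLProtocol all -SSLv2 -SSLv3\n"

if __name__ == "__main__":
    for label, text in [("nginx weak", NGINX_WEAK), ("nginx fixed", NGINX_FIXED),
                        ("apache weak", APACHE_WEAK), ("apache fixed", APACHE_FIXED)]:
        print(label, audit(text))
```

An empty result means no protocol directive is set, so the server's built-in default applies; that default depends on the server version and has to be checked separately.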
Microsoft Security Bulletin for October
Description: Microsoft issued its standard monthly Security Bulletin. Digital Edge would not bring it to your attention were it not for multiple serious vulnerabilities with a “critical/remote code execution” classification that should be understood and addressed ASAP:
- Microsoft Security Bulletin MS14-056 – Critical:
The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user and end up controlling your computer. This vulnerability affects end users and their IE browser.
- Vulnerabilities in .NET Framework Could Allow Remote Code Execution (3000414) - Critical
The most severe of the vulnerabilities could allow remote code execution if an attacker sends a specially crafted URI request containing international characters to a .NET web application. Successfully exploited remote execution can create a backdoor to your system and enable a hacker to fully control your server. This vulnerability affects web sites running pre-.NET 4.5 code and can cause data loss, service interruption, propagation and elevation of unauthorized access.
- Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) – Critical
The more severe of the vulnerabilities could allow remote code execution if an attacker convinces a user to open a specially crafted document or to visit an untrusted website that contains embedded TrueType fonts. In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to persuade users to do so, typically by getting them to click a link in an email message or Instant Messenger message.
The normal attack vector for this vulnerability is an email with a Microsoft Office document attached. When a user opens the document, the exploit can gain full access to your computer.
Risk: This set of vulnerabilities poses a serious risk to both end users and web site owners and must be addressed as soon as possible.
Remediation: The standard Microsoft patching procedure will remediate all of the vulnerabilities mentioned.
All affected Digital Edge clients will be contacted, and the required actions will be discussed, scheduled and performed. If you feel that you need additional help, please contact us at: https://www.digitaledge.net/Contact-SendEmail.aspx
Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169)
Description: Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. This issue affects all products which use the Bash shell and parse values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such.
Risk: A hacker can exploit the multiple ways in which bash is called and gain full access to the server. Bash might be called directly as a processor for a CGI page or in many other ways. This is a very critical vulnerability for clients that have access to their systems through the internet.
Remediation: A security patch for bash packages is available for multiple platforms and implementations.
All affected Digital Edge clients will be contacted, and the required actions will be discussed, scheduled and performed. If you feel that you need additional help, please contact us at: https://www.digitaledge.net/Contact-SendEmail.aspx
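As a detection aid while patches are being rolled out, the following added example (not part of the original advisory) shows how request headers become CGI environment variables and flags values that Bash of that era would have parsed as a function definition. The header values are constructed, and the trailing command is a harmless placeholder.

```python
import re

# Affected Bash versions imported any environment value beginning with "() {"
# as a function definition. The pattern tolerates extra whitespace so that it
# errs on the side of flagging.
FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")

def cgi_environment(headers):
    """Map request headers to CGI variables (HTTP_ prefix, upper case, - to _)."""
    return {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()}

def suspicious_variables(env):
    """Return the names of variables whose value looks like a function definition."""
    return sorted(name for name, value in env.items() if FUNC_PREFIX.search(value))

def scrub(env):
    """Drop flagged variables before a child process (possibly Bash) is started."""
    flagged = set(suspicious_variables(env))
    return {k: v for k, v in env.items() if k not in flagged}

# Constructed request headers for the example.
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "() { :; }; echo PLACEHOLDER",
    "Referer": "https://www.example.com/cart (2) {items}",
    "Cookie": "session=abc123",
}

if __name__ == "__main__":
    env = cgi_environment(SAMPLE_HEADERS)
    print("flagged:", suspicious_variables(env))
    print("passed on:", sorted(scrub(env)))
```

Filtering of this kind only reduces exposure on the paths it covers; the bash package patch remains the remediation.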