Original release date: November 13, 2013 | Last revised: November 16, 2013
Windows Operating System and Components
Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.
The Microsoft Security Bulletin Summary for November 2013 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address these vulnerabilities. The November Security Bulletin includes a patch for the new “watering hole” campaign which utilizes a US-based website that specializes in domestic and international security policy.
These vulnerabilities could allow remote code execution, elevation of privilege, information disclosure or denial of service.
Original release date: November 05, 2013 | Last revised: November 18, 2013
Microsoft Windows systems running Windows 8, Windows 7, Vista, and XP operating systems
US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments.
CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices. In addition, there have been reports that some victims saw the malware appear following a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.
The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives. If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers’ command and control (C2) server to deposit the asymmetric private encryption key out of the victim’s reach.
Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys, one for encrypting and one for decrypting: both sides know the public key, but only one party holds the private key, which is what makes it a more secure form of encryption.
While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key. US-CERT and DHS encourage users and administrators experiencing a ransomware infection to report the incident to the FBI at the Internet Crime Complaint Center (IC3).
US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection:
Conduct routine backups of important files, keeping the backups stored offline.
Maintain up-to-date anti-virus software.
Keep your operating system and software up-to-date with the latest patches.
Original release date: July 26, 2013 | Last revised: October 04, 2013
Any system connected to the internet running the Intelligent Platform Management Interface (IPMI) may be affected. IPMI is resident on many server platforms, and provides low-level access to a system that can override operating system controls.
Attackers can easily identify and access systems that run IPMI and are connected to the Internet. It is important to restrict IPMI access to specific management IP addresses within an organization and preferably separated into a separate LAN segment.
What is the Intelligent Platform Management Interface (IPMI)?
IPMI is a low level interface specification that has been adopted by many hardware vendors. It allows a system administrator to remotely manage servers at the hardware level. IPMI runs on the Baseboard Management Controller (BMC) and provides access to the BIOS, disks, and other hardware. It also supports remote booting from a CD or through the network, and monitoring of the server environment. The BMC itself also runs a limited set of network services to facilitate management and communications amongst systems.
What Is the Risk?
Attackers can use IPMI to essentially gain physical-level access to the server. An attacker can reboot the system, install a new operating system, or compromise data, bypassing any operating system controls. Some issues identified by Dan Farmer:
Passwords for IPMI authentication are saved in clear text.
Knowledge of one IPMI password gives you the password for all computers in the IPMI managed group.
Root access on an IPMI system grants complete control over the hardware, software, and firmware on the system.
BMCs often run excess and older network services that may be vulnerable.
IPMI access may also grant remote console access to the system, resulting in access to the BIOS.
There are few, if any, monitoring tools available to detect if the BMC is compromised.
Certain types of traffic to and from the BMC are not encrypted.
Unclear documentation on how to sanitize IPMI passwords without destruction of the motherboard.
Attackers can easily search and identify internet-connected target systems, and IPMI is no exception.
An attacker with knowledge of IPMI can search for, and find, open management interfaces. Many of these interfaces utilize default or no passwords, or weak encryption. Further consequences depend on the type and use of the compromised system. At the very least, an attacker can compromise confidentiality, integrity, and availability of the server once gaining access to the BMC.
Restrict IPMI to Internal Networks
Restrict IPMI traffic to trusted internal networks. IPMI traffic (usually UDP port 623) should be restricted to a management VLAN segment with strong network controls. Scan for IPMI usage outside of the trusted network and monitor the trusted network for abnormal activity.
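One way to act on the "scan and monitor" advice above is to check flow records for UDP/623 traffic that does not stay inside the management VLAN. The script below is an added example, not part of the US-CERT alert; the flow-log format, the addresses and the management subnet are constructed for illustration.

```python
import ipaddress

IPMI_PORT = 623  # RMCP / IPMI-over-LAN, the port the alert names
# Assumed trusted management segment where BMCs and admin hosts live
MGMT_VLAN = ipaddress.ip_network("10.10.99.0/24")

# Constructed flow records (simplified NetFlow-style export):
# "<timestamp> <proto> <src_ip>:<src_port> <dst_ip>:<dst_port>"
FLOWS = """\
2013-07-26T10:00:01 udp 10.10.99.5:40211 10.10.99.20:623
2013-07-26T10:00:07 udp 203.0.113.44:51000 10.10.99.21:623
2013-07-26T10:00:09 tcp 192.168.1.7:52100 10.10.99.20:443
2013-07-26T10:00:15 udp 192.168.1.7:4000 10.10.99.22:623
"""


def parse_flow(line):
    """Split one constructed flow line into its addressed fields."""
    ts, proto, src, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": ts, "proto": proto.lower(),
        "src": ipaddress.ip_address(src_ip), "sport": int(src_port),
        "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port),
    }


def is_ipmi(flow):
    """IPMI-over-LAN is UDP to (or from) port 623."""
    return flow["proto"] == "udp" and IPMI_PORT in (flow["sport"], flow["dport"])


def find_untrusted_ipmi(lines, mgmt=MGMT_VLAN):
    """Return IPMI flows with an endpoint outside the management VLAN."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if is_ipmi(flow) and (flow["src"] not in mgmt or flow["dst"] not in mgmt):
            findings.append(flow)
    return findings


if __name__ == "__main__":
    for f in find_untrusted_ipmi(FLOWS.splitlines()):
        print(f"{f['ts']} IPMI from outside mgmt VLAN: {f['src']} -> {f['dst']}:{f['dport']}")
```

Only the two flows whose source is outside 10.10.99.0/24 are reported; the TCP/443 flow is ignored even though it reaches a BMC address.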
Enable encryption on IPMI interfaces, if possible. Check your manufacturer manual for details on how to set up encryption.
"cipher 0" is an option enabled by default on many IPMI-enabled devices that allows authentication to be bypassed. Disable "cipher 0" to prevent attackers from bypassing authentication and sending arbitrary IPMI commands. Anonymous logins should also be disabled.
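A quick way to audit whether cipher suite 0 is still active on a BMC is to read the "RMCP+ Cipher Suites" and "Cipher Suite Priv Max" fields that `ipmitool lan print` reports (in the privilege string, position N is cipher suite N and "X" means unused). The audit below is an added example, not part of the US-CERT alert; the `lan print` output it parses is constructed, and channel 1 in the remediation comment is an assumption.

```python
# Constructed sample of `ipmitool lan print` output from a weakly configured BMC
LAN_PRINT_WEAK = """\
Set in Progress         : Set Complete
Auth Type Support       : MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 10.10.99.20
Subnet Mask             : 255.255.255.0
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
"""


def parse_lan_print(text):
    """Turn 'Key : Value' lines into a dict; split on the first colon only."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def cipher0_enabled(fields):
    """True when the BMC lists suite 0 and grants it any privilege level."""
    suites = [s.strip() for s in fields.get("RMCP+ Cipher Suites", "").split(",") if s.strip()]
    privs = fields.get("Cipher Suite Priv Max", "")
    return "0" in suites and bool(privs) and privs[0] != "X"


def hardened_privs(privs):
    """Mark cipher suite 0 unused ('X') and leave the other suites as configured."""
    return "X" + privs[1:] if privs else privs


def audit(text):
    """Report the cipher 0 finding and the privilege string to apply instead."""
    fields = parse_lan_print(text)
    privs = fields.get("Cipher Suite Priv Max", "")
    if cipher0_enabled(fields):
        # Remediation (channel 1 assumed): ipmitool lan set 1 cipher_privs <hardened string>
        return {"cipher0": True, "recommended_privs": hardened_privs(privs)}
    return {"cipher0": False, "recommended_privs": privs}


if __name__ == "__main__":
    print(audit(LAN_PRINT_WEAK))
```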
Sanitize Flash Memory at End of Life
Follow manufacturer recommendations for sanitizing passwords. If none exist, destroy the flash chip, motherboard, or other components where the IPMI password may be stored.
Identify Affected Products
Most server products
HP Integrated Lights Out
IBM Remote Supervisor Adapter
Dell has provided the following information related to this Technical Alert: