Wednesday August 14th 2019
This week we’re focusing heavily on Windows. We have some new vulnerabilities, device driver design flaws, and a malspam campaign leveraging Office documents. Let’s get this party started.
According to a Microsoft advisory published yesterday, August 13, 2019, seven new vulnerabilities have been disclosed with patches released – three of which are rated as ‘important’ and four are rated as ‘critical.’ Researchers have already developed exploits, so we should expect to see exploits for these vulnerabilities in the wild soon.
CVE-2019-1181, CVE-2019-1182, and CVE-2019-1222 are all remote desktop services remote code execution vulnerabilities and were each given a critical risk score higher than 9 (9.7, 9.7, and 9.8 respectively).
All three affect every version of Windows, including Windows 10, 2012, 2016, and 2019. Microsoft notes, ‘exploitation [is] likely’ for all of these.
CVE-2019-1223 is a denial of service vulnerability in remote desktop protocol, affects all versions, and is rated as ‘important.’
CVE-2019-1224 is an information disclosure of memory vulnerability and is rated as ‘important.’
CVE-2019-1225 allows authenticated disclosure of memory and is also rated as ‘important.’
CVE-2019-1226 allows for pre-authentication remote code execution in remote desktop protocol on every version of Windows, including Windows 10, 2012, 2016, and 2019. Being pre-authentication, it requires no user interaction, and is rated as ‘critical.’
Current mitigation recommendations include installing the most recent software update. Users are also advised to consider enabling Network Level Authentication (NLA) and leaving it enabled on all systems, internal ones included. For some of these issues, doing so raises the bar for exploitation by requiring valid credentials before the vulnerable code is reached.
Users should also note that some of these vulnerabilities are not exploitable on Windows 7 and 2008 unless RDP 8+ (aka RemoteFX) is enabled, which it is not by default on those versions (RDP 8+ is available by default in later versions of Windows).
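The NLA mitigation above can be audited (and, where it is missing, applied) from an elevated PowerShell session. This is an added example, not code from the original post or from Microsoft; the `-Enforce` switch is a name chosen for this script, and it assumes Windows PowerShell 5.1 or later on the host being checked.

```powershell
# Added example (not from the original post): audit and optionally enforce
# Network Level Authentication (NLA) for the RDP-Tcp listener on this host.
# Assumes Windows PowerShell 5.1+ run as Administrator. -Enforce is a
# hypothetical switch for this script, not a Windows setting name.
[CmdletBinding()]
param([switch]$Enforce)

# The RDP listener configuration is exposed through the TerminalServices WMI namespace.
$rdp = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# fDenyTSConnections = 1 means Remote Desktop is turned off entirely.
$rdpOff = [bool](Get-ItemPropertyValue `
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections)

# UserAuthenticationRequired: 1 = NLA required (client authenticates before a
# session is created), 0 = not required (pre-auth surface is fully exposed).
# SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS.
$report = [pscustomobject]@{
    Host          = $env:COMPUTERNAME
    RdpEnabled    = -not $rdpOff
    NlaRequired   = [bool]$rdp.UserAuthenticationRequired
    SecurityLayer = $rdp.SecurityLayer
}
$report | Format-List

if ($Enforce -and $report.RdpEnabled -and -not $report.NlaRequired) {
    # Use the WMI method rather than editing the registry directly so the
    # change is applied by the service without a reboot.
    $null = Invoke-CimMethod -InputObject $rdp -MethodName SetUserAuthenticationRequired `
                -Arguments @{ UserAuthenticationRequired = 1 }
    Write-Output "NLA is now required on $($env:COMPUTERNAME)."
}
```

Run it across a fleet (for example via `Invoke-Command`) without `-Enforce` first to get an inventory of hosts still exposing pre-authentication RDP, then enforce once you have confirmed clients support NLA.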
A recently discovered design flaw in device drivers allows attackers to escalate privileges and quietly persist on host machines. According to recent research performed by Eclypsium, drivers affected are those that provide access to system BIOS or system components for the purposes of updating firmware, running diagnostics, or customizing options on the component.
The flaw reportedly impacts more than 40 drivers from at least 20 different vendors, including every major BIOS vendor, as well as hardware vendors like ASUS, Toshiba, NVIDIA, and Huawei. All of the vulnerable drivers are also certified by Microsoft.
The flaw allows the driver to act as a proxy to perform highly privileged access to the hardware resources, such as read and write access to processor and chipset I/O space, Model Specific Registers (MSR), Control Registers (CR), Debug Registers (DR), physical memory, and kernel virtual memory. This is a privilege escalation as it can move an attacker from user mode (Ring 3) to OS kernel mode (Ring 0). Even Administrators operate at Ring 3 (and no deeper), alongside other users. Access to the kernel can not only give an attacker the most privileged access available to the operating system, it can also grant access to the hardware and firmware interfaces with even higher privileges such as the system BIOS firmware.
A vulnerable driver installed on a machine could also allow an application running with user privileges to escalate to kernel privileges and abuse the functionality of the driver. This means that any malware running in the user space could scan for a vulnerable driver on the victim machine and then use it to gain full control over the system and potentially the underlying firmware.
However, if a vulnerable driver is not already present on a system, administrator privileges would be required to install one. A vulnerable driver could also give an attacker access to the ‘negative’ firmware rings that lie beneath the operating system.
At the time of this writing, no patches have been released. The following is a list of affected vendors:
A new Ursnif variant has been spotted in the wild that targets vulnerable systems by using malicious Microsoft Word attachments in an attempt to steal financial details and other credentials.
The new Ursnif variant uses anti-analysis techniques that make it harder to analyze. It appears to have been compiled on July 25, 2019, and is spreading through phishing emails carrying documents with malicious VBA code. When the victim opens the document, Word displays its macro security warning, and the document’s content is crafted to trick the target into enabling macros anyway.
Once macros are enabled, the malicious Visual Basic for Applications code runs and downloads the main payload to the victim’s computer. The malware also spawns several “iexplore.exe” processes, which appear and disappear in Task Manager from time to time, to send harvested data from the infected system back to the attacker’s command-and-control server.
To evade detection, the Ursnif command-and-control server holds a list of security companies, used to deceive researchers who capture and analyze the traffic. The best defense for users and organizations is to adopt security solutions that can track this kind of malicious activity and block potential attacks.
The following indicators of compromise were released with this report.
The Steam game client for Windows is affected by a privilege escalation vulnerability that allows attackers to gain administrator rights on a compromised machine.
The software reportedly has over 100 million registered users, who could be targeted by attackers to perform a variety of malicious activities, since its developer, Valve, has not released a security patch yet. The researcher who discovered the vulnerability reached out to Valve; however, the company responded that the flaw was not applicable and that they would fix it.
In addition, analysis of the Steam Client Service, which runs with administrative privileges on the Windows machine, shows that the service can be started and stopped by the Users group, i.e. by anyone who can log on to the computer.
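The weakness described for the Steam Client Service, a highly privileged service whose DACL lets ordinary users start and stop it, can be hunted for across all installed services. This is an added example, not code from the original post or from Valve; it assumes Windows PowerShell 5.1 or later and the built-in `sc.exe` utility, and it only resolves the well-known SDDL aliases listed in the table, so trustees given as raw SIDs are not flagged.

```powershell
# Added example (not from the original post): list services whose security
# descriptor grants start (RP) or stop (WP) rights, or broader write/generic
# rights, to low-privilege well-known groups. Assumes Windows PowerShell 5.1+;
# sc.exe sdshow prints a service's DACL in SDDL form.
$lowPrivTrustees = @{
    'BU' = 'BUILTIN\Users'; 'AU' = 'Authenticated Users'
    'IU' = 'Interactive';   'WD' = 'Everyone'
}
# Rights of interest inside an ACE, e.g. (A;;CCLCSWRPWPDTLOCRRC;;;SY):
# RP = SERVICE_START, WP = SERVICE_STOP, DC = delete child, WD/WO = write DACL/owner,
# GA/GW = generic all/write (effectively full control of the service object).
$flagRights = 'RP', 'WP', 'DC', 'WD', 'WO', 'GA', 'GW'

function Get-WeakServiceAces {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $sddl = (& sc.exe sdshow $svc.Name 2>$null | Where-Object { $_ -match '^D:' }) -join ''
        if (-not $sddl) { continue }
        # Only "allow" ACEs matter; rights field is a run of two-letter tokens.
        foreach ($m in [regex]::Matches($sddl, '\(A;[^;]*;([^;]*);;;([^)]+)\)')) {
            $rights  = $m.Groups[1].Value
            $trustee = $m.Groups[2].Value
            if (-not $lowPrivTrustees.ContainsKey($trustee)) { continue }
            # Split into 2-char tokens so "CR" + "RC" is never misread as "RR".
            $tokens = for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
            $hit = @($tokens | Where-Object { $flagRights -contains $_ })
            if ($hit.Count -gt 0) {
                [pscustomobject]@{
                    Service = $svc.Name
                    RunsAs  = $svc.StartName
                    Trustee = $lowPrivTrustees[$trustee]
                    Rights  = ($hit -join ',')
                }
            }
        }
    }
}

# Services running as LocalSystem that any logged-on user can start or stop
# are the most interesting rows for review.
Get-WeakServiceAces | Sort-Object RunsAs, Service | Format-Table -AutoSize
```

A non-empty result is a triage list, not proof of a vulnerability: a few Windows services legitimately allow users to start them, so review each row against what the service does when it starts and which account it runs as.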