//Blogs - 01 February 2019

AusCERT Week in Review for 1st February 2019

Greetings,

This week featured some very high-profile vulnerabilities, tech companies abusing each others' trust, and a great upheaval in name-resolution - leaving unorthodox DNS servers out in the cold.

A pass-the-hash vulnerability in Exchange was made public, which allows any user with a mailbox to elevate themselves to the Exchange user, which unsurprisingly, often runs with Domain Admin privileges. Microsoft have not released a patch, but mitigations are available.

Apple was forced to suspend group chat functionality in FaceTime, after a teenager discovered its espionage potential. Calling a contact via FaceTime, and then adding yourself as an additional contact to the group would hot-mic the unsuspecting victim, before they had answered the call. Rather than let this capability fall into the hands of pranksters and nation states, Apple wisely disabled the function until a patch is ready.

Apple was also forced to suspend Facebook and Google's enterprise certificates, causing chaos internally as non-public applications (and development versions of their public app suites) would now refuse to run on iOS. This was a result of the companies using the intra-company certificate to bypass Apple's privacy requirements on the app store, having created data-harvesting apps that lured users in with the promise of gift-cards. Apple has since worked to reinstate certificates for the companies, presumably satisfied that it had made its point.

(On or around) February 1st is DNS Flag Day, and authoritative DNS servers that stray from the RFCs and fail to implement the EDNS extension will find themselves receiving the cold-shoulder from upstream servers. If you run such a non-compliant server after Flag Day, then your services had better have memorable IP addresses.

Here's a summary (including excerpts) of some of the more interesting stories we've seen this week:

Cyber Alert: DNS Flag Day
January 30 2019
Author: Center for Internet Security
Excerpt: "On Friday, February 1, 2019, major Domain Name Systems (DNS) software and service providers will remove DNS workarounds that allow users to bypass the Extension Mechanisms Protocol for DNS (EDNS). EDNS is a set of extension mechanisms to expand the size of the DNS message as it goes through its query, which allows more information to be included in the communication between each host in the DNS resolution process.

On Friday, several DNS resolver operators, including PowerDNS, Internet System Consortium, and Google, will release updates that implement stricter EDNS handling. This update will speed up the DNS process by forcing everyone to implement the EDNS protocol. Furthermore, the update will simplify the deployment of new features in the future. Consequently, if the update is not implemented on DNS servers, there will be no DNS response to any recursive servers' request."

------

Severe vulnerability in Apple FaceTime found by Fortnite player
January 30 2019
Author: Charlie Osborne
Excerpt: "Before the so-called Apple "Facepalm" bug hit the headlines, the mother of a 14-year-old boy from Arizona had been trying to warn the tech giant about the vulnerability for over a week.

A FaceTime call made on 19 January by Michele Thompson's son, as reported by sister site CNET, began the chain of events. The teenager added a friend to the group conversation and despite the fact that the friend had not yet picked up the phone, he was able to listen in to conversations taking place in the iPhone's environment."

------

Furious Apple revokes Facebook's enty app cert after Zuck's crew abused it to slurp private data
January 30 2019
Author: Kieren McCarthy
Excerpt: "The enterprise cert allows Facebook to sign iOS applications so they can be installed for internal use only, without having to go through the official App Store. It's useful for intranet applications and in-house software development work.

Facebook, though, used the certificate to sign a market research iPhone application that folks could install it on their devices. The app was previously kicked out of the official App Store for breaking Apple's rules on privacy: Facebook had to use the cert to skirt Cupertino's ban."

------

Microsoft Exchange vulnerable to 'PrivExchange' zero-day
January 29 2019
Author: Catalin Cimpanu
Excerpt: "Microsoft Exchange 2013 and newer are vulnerable to a zero-day named "PrivExchange" that allows a remote attacker with just the credentials of a single lowly Exchange mailbox user to gain Domain Controller admin privileges with the help of a simple Python tool.

...

According to the researcher, the zero-day isn't one single flaw, but a combination of three (default) settings and mechanisms that an attacker can abuse to escalate his access from a hacked email account to the admin of the company's internal domain controller (a server that handles security authentication requests within a Windows domain)."

------

Here are this week's noteworthy security bulletins:

1) ESB-2019.0285 - ALERT [Win] Microsoft Exchange Server: Increased privileges - Existing account

Exchange pass-the-hash vulnerability, often leading to Domain Admin.

2) ASB-2019.0042 - [Win][UNIX/Linux] Mozilla Firefox: Multiple vulnerabilities

Your usual suite of vulnerabilities for a browser update - RCE, DoS, increased privileges etc.

3) ASB-2019.0044 - [Win][UNIX/Linux] Google Chrome: Multiple vulnerabilities

Not to be outdone, Chrome has also fixed your usual culprits in its latest release.


Stay safe, stay patched and have a good weekend!

Tim