HO (FireEye) HO (Linux) HO (Microsoft)

In ITC's Threat of the Week

Christmas is the season of giving so we thought we would use this week’s blog for not one, not two, but three gift-wrapped goodies for your partied out delectation.

Our first gift comes wrapped in paper emblazoned with a somewhat soggy, extinguished eye gazing upon a Humble Crumble.

Inside we discover that the very clever Tavis Ormandy of Google’s Project Zero team unearthed a vulnerability in FireEye technology that would allow an enterprise network to be compromised just by sending an email to someone on the inside, which would not even have to be read! (NB: this applies ONLY if you have FireEye installed, in case you skim-read this through your hangover and have a panic attack!)

All credit to them, the boys and girls of FireEye relit their fire and released an automatic remediation within 6 hours that will be extended to ‘out of contract’ customers.

If you are a FireEye customer it is imperative that you are running content release 427.334 or later.

Our second pressie comes shabbily covered in the pages of a free newspaper, which appears to be illustrated with a dying grub of some sort.

What could it be, you ask? Well, joy of joys, it is the eye-watering news that Linux systems which use the GRUB2 boot loader (err, wouldn’t that be most of them? Oh yes it would!) can be totally compromised by nothing trickier than pressing the backspace key 28 times during boot-up. This drops you into a rescue shell with unauthenticated access to the system, from which you can get to work loading another system or a rootkit and get mediaeval on their OS.

There is a fix, which Unix sysadmins can apply. Consider it the ultimate geek Christmas card; peruse its glory here.

Before you all start shouting at us about this being just like booting into single-user mode, yes, we know, but it is interesting nonetheless, especially for people who have added ‘su:S:wait:/sbin/sulogin’ to their inittab files to enforce a password check for access to runlevel 1, or similar: the rescue shell here is reached in the boot loader, before init and that sulogin check ever run.
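As an added example (not code from the ITC post, nor from the GRUB project), here is a small POSIX shell audit of the two console-access controls this paragraph touches on: the sulogin line in inittab that makes single-user mode ask for the root password, and the GRUB2 superuser password that restricts the menu editor and GRUB command line. The file paths and the sample configurations are constructed so that the script runs stand-alone. The post's own caveat still stands: the backspace bug lives in the boot loader, before either of these checks runs, so passing this audit does not replace applying the GRUB2 fix.

```shell
#!/bin/sh
# Added example, not code from the ITC post. Audits two local-console hardening
# settings: the inittab sulogin line for single-user mode, and a GRUB2 superuser
# password. All file paths and config contents below are constructed samples.

# Return 0 if the inittab makes runlevel S/1 run sulogin (root password prompt)
# on an uncommented line, e.g. 'su:S:wait:/sbin/sulogin'.
inittab_requires_sulogin() {
    grep -Eq '^[^#]*:S:(wait|respawn):/sbin/sulogin' "$1"
}

# Return 0 if the GRUB2 config both names a superuser and sets a PBKDF2 hash,
# so that menu editing and the GRUB command line ask for a password.
grub_has_password() {
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$1" &&
        grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]' "$1"
}

# Run both checks against the given files, print PASS/FAIL per check and
# return the number of failed checks (0, 1 or 2).
audit_console_hardening() {
    inittab=$1
    grubcfg=$2
    failures=0
    if inittab_requires_sulogin "$inittab"; then
        echo "PASS: $inittab requires the root password for single-user mode"
    else
        echo "FAIL: $inittab reaches a root shell in single-user mode without a password"
        failures=$((failures + 1))
    fi
    if grub_has_password "$grubcfg"; then
        echo "PASS: $grubcfg password-protects the GRUB menu editor and command line"
    else
        echo "FAIL: $grubcfg has no superuser password set"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Constructed sample configs (hardened and weak variants) in a temp directory;
# the hash in the hardened grub.cfg is a placeholder, not a real PBKDF2 value.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/inittab.hardened" <<'EOF'
id:3:initdefault:
su:S:wait:/sbin/sulogin
EOF
cat > "$tmpdir/inittab.weak" <<'EOF'
id:3:initdefault:
#su:S:wait:/sbin/sulogin
EOF
cat > "$tmpdir/grub.cfg.hardened" <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry 'Linux' { linux /vmlinuz root=/dev/sda1 }
EOF
cat > "$tmpdir/grub.cfg.weak" <<'EOF'
menuentry 'Linux' { linux /vmlinuz root=/dev/sda1 }
EOF

# Demo run: the weak pair fails both checks, the hardened pair passes both.
audit_console_hardening "$tmpdir/inittab.weak" "$tmpdir/grub.cfg.weak" || true
audit_console_hardening "$tmpdir/inittab.hardened" "$tmpdir/grub.cfg.hardened" || true
```

To run it against a real host, point the two functions at /etc/inittab and the generated grub.cfg (commonly /boot/grub/grub.cfg or /boot/grub2/grub.cfg) instead of the sample files; on systemd hosts without an inittab, only the GRUB check applies. The exit status of audit_console_hardening is the number of failed checks, so it slots into a cron job or configuration-management run that alerts on non-zero.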

Now is the time for our Secret Santa. When we first read the shrieking headlines about this week’s Microsoft Kerberos vulnerability announcement, our bells jingled: about 30 calls in 3 minutes!

The story is that the snappily named security researcher dfirblog (like d for dog, gettit?) has made an announcement about a major problem in the Microsoft implementation of Kerberos which involves a disabled account, installed by default (it is called krbtgt).

By using this account, internal secret keys can be manipulated to allow total world domination and, according to deefer (presumably his nickname), this cannot be mitigated.

Like most Secret Santas, this story looked like a copy of something we had seen before, like a Bangkok T-shirt. Sure enough, it is another version of the now ages-old Golden Ticket and Pass-the-Hash techniques, which we reported on a long time ago.

We think that most people can breathe easy – but would urge Microsoft Sysadmins to review Microsoft’s enthralling videos on the subject here.

You Windows guys didn’t think we would leave you out did you?

There is also a great CERT article on the subject from July 2014 here.

That’s probably enough gifts from us for this week. Please recycle the wrapping paper and remember an unpatched vulnerability is for life, not just Christmas.

Will Santa bring us anything special for Christmas week? Time will tell. In the meantime in the absence of snow, enjoy the change freeze.

Author: Kevin Whelan
