Security Bulletin #116 – 30 May 2017
Microsoft silently patched a second critical Malware Protection Engine flaw
Popular RADIUS server exploitable with TLS session caching
Sysadmins running FreeRADIUS need to upgrade, because there's a bug in its TTLS and PEAP implementations. To handle comms interruptions (for example, if someone on a TLS connection moves from one cell tower to another), FreeRADIUS resumes the cached TLS session and skips what's called “inner authentication”, meaning the user isn't asked for a new login. This is a feature, but there is a critical catch: the server must never allow resumption of a TLS session until its initial connection has reached the point where inner authentication has finished successfully. Affected versions of FreeRADIUS fail to reliably prevent resumption of unauthenticated sessions unless the TLS session cache is disabled completely, and allow an attacker (e.g. a malicious supplicant) to elicit EAP Success without sending any valid credentials. The bug affects FreeRADIUS 2.2.x (a deprecated version still included in some Linux distributions); all versions before 3.0.14 in the stable branch; and all versions before February in the development branches 3.1.x and 4.0.x. If you can't patch immediately, disable TLS session caching.
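A quick audit of the two facts the bulletin turns on (release number and whether the session cache is on), as an added example that is not FreeRADIUS code or part of the original bulletin. It assumes the TLS session cache is controlled by an `enable` item inside a `cache { }` block of the eap module configuration; the function names and the sample configuration are constructed for illustration.

```python
import re

NEGATIVE = {"no", "false", "off"}   # assumption: any other value counts as enabled

def cache_setting(eap_conf):
    """Return 'enabled', 'disabled' or 'unset' for `enable` inside cache { } blocks."""
    stack, state = [], "unset"
    for raw in eap_conf.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if line.endswith("{"):                     # block opener, e.g. "cache {"
            stack.append((line[:-1].split() or [""])[0])
        elif line == "}":
            if stack:
                stack.pop()
        elif stack and stack[-1] == "cache":
            m = re.fullmatch(r'enable\s*=\s*"?(\w+)"?', line)
            if m and m.group(1).lower() not in NEGATIVE:
                return "enabled"                   # one active cache is enough to flag
            if m:
                state = "disabled"
    return state

def version_affected(version):
    """True/False per the bulletin's version rules; None when they cannot decide."""
    v = tuple(int(x) for x in version.split(".")[:3])
    if v[:2] == (2, 2):
        return True                                # deprecated 2.2.x
    if v[:2] == (3, 0):
        return v < (3, 0, 14)                      # stable branch, fixed in 3.0.14
    return None                                    # 3.1.x / 4.0.x: fix is dated, not numbered

def assess(version, eap_conf):
    affected, cache = version_affected(version), cache_setting(eap_conf)
    if affected is False:
        return "ok: fixed release"
    if cache == "disabled":
        return "mitigated: session cache disabled, upgrade when possible"
    prefix = "AT RISK" if affected else "CHECK BUILD DATE"
    return f"{prefix}: cache is {cache}; upgrade or set cache enable = no"

# Constructed sample of the cache section, not taken from a real server.
SAMPLE = """
tls-config tls-common {
    cache {
        enable = yes
    }
}
"""
print(assess("3.0.13", SAMPLE))
```

An `unset` result is flagged rather than trusted, because the default when the item is absent is not stated in the bulletin.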
FileSystem NTFS Bug Crashes Windows 7 and Windows 8.1
Until Microsoft patches this problem, use Chrome: a bug in the way Microsoft handles file paths could be exploited by attackers to crash Windows 7 and Windows 8.1 with a simple file call. The vulnerability is triggered every time a file call includes the Windows Master File Table (MFT), for example, if an attacker includes $MFT as a link to an image in a website. Every file on an NTFS volume has a reference in the MFT; for this reason, the OS must protect $MFT from user access. What the researchers discovered is that if you try to access a file like c:$MFToo, NTFS (the NT file system) locks $MFT and doesn't release it: “it will be captured forever”. Users who have tested the issue have noticed that the bug cannot be triggered in Chrome because the Google browser will not allow loading images with malformed paths, such as the $MFT exploit. Both Internet Explorer and Firefox, however, are vulnerable.
Current Alerts
CERTFR-2017-ALE-008: Multiple vulnerabilities in Microsoft Windows XP and Windows Server 2003 (15 May 2017)
Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-008.pdf
CERTFR-2017-ALE-011: Jaff-type unsolicited e-mail campaign (14 May 2017)
Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-011.pdf
CERTFR-2017-ALE-010: Spread of ransomware exploiting the MS17-010 vulnerabilities (12 May 2017)
Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-010.pdf
Patches
CERTFR-2017-AVI-166: Multiple vulnerabilities in Siemens SCADA products (29 May 2017)
Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-AVI-166.pdf