Security Bulletin

Security Bulletin #116 – 30 May 2017


Microsoft silently patched a second critical Malware Protection Engine flaw

Microsoft has fixed a second critical vulnerability in its Malware Protection Engine (MsMpEng), reported on May 12 by Google's Project Zero team. The bug is a remote code execution flaw in the engine's emulator: an attacker who crafts an executable that the emulator processes during a scan can trigger it. It follows CVE-2017-0290, a flaw in MsMpEng's JavaScript interpreter that Project Zero reported on May 9 and that Microsoft fixed with an emergency update three days later. According to Project Zero researcher Tavis Ormandy, unlike CVE-2017-0290 this one was a silent fix: the corrected engine shipped without any security advisory. Ormandy describes the bug as difficult to exploit, but MsMpEng is not sandboxed, so an attacker who does trigger it is not contained by a sandbox. The emulator models the client's CPU, and Microsoft added a custom instruction to it that lets emulated code make API calls; the vulnerability lies in the way the emulator processes files.

Popular RADIUS server exploitable with TLS session caching

Administrators running FreeRADIUS need to upgrade, because of a bug in its TTLS and PEAP implementations. To cope with interruptions (for example, a client on a TLS connection moving from one cell tower to another), FreeRADIUS supports TLS session resumption, and on a resumed session it skips the "inner authentication", so the user is not asked to log in again. That is a feature, but with a critical condition: the server must never allow a TLS session to be resumed unless the original connection got as far as completing inner authentication successfully. Affected versions of FreeRADIUS fail to reliably prevent resumption of unauthenticated sessions unless the TLS session cache is disabled completely, and so allow an attacker (e.g. a malicious supplicant) to obtain an EAP Success without ever sending valid credentials. The bug affects FreeRADIUS 2.2.x (a deprecated version still shipped by some Linux distributions); all versions before 3.0.14 in the stable branch; and all versions before February 2017 in the 3.1.x and 4.0.x development branches. If you cannot patch immediately, disable TLS session caching.
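The mitigation above is a configuration change, and on a server with several `tls-config` blocks it is easy to turn the cache off in one and leave it on in another. The following script, added here as an illustration and not FreeRADIUS project code, parses the brace syntax of a 3.0.x-style `eap.conf`, reports which `tls-config` blocks still have `cache { enable = yes }`, and maps that back to the PEAP/TTLS methods that use them. The sample configuration is constructed for the example; it assumes the 3.0.x layout (2.2.x keeps the `cache` block directly under `eap { tls { } }`) and treats a missing `enable` as "no", which is the shipped default.

```python
"""Audit a FreeRADIUS eap.conf for TTLS/PEAP TLS session caching.

Added example, not FreeRADIUS code. Assumes the 3.0.x eap.conf layout:
tls-config blocks under eap, each with an optional cache sub-block, and
peap/ttls blocks pointing at a tls-config by name.
"""

# Constructed sample: one tls-config with the cache on (the unsafe setting on
# an unpatched server) and one with it off (the recommended mitigation).
SAMPLE_EAP_CONF = """
eap {
    default_eap_type = peap
    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        cache {
            enable = yes   # resumption allowed: inner auth can be skipped
            lifetime = 24
            max_entries = 255
        }
    }
    tls-config tls-hardened {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        cache {
            enable = no    # mitigation: no TLS session resumption at all
        }
    }
    peap {
        tls = tls-common
    }
    ttls {
        tls = tls-hardened
    }
}
"""


def parse_blocks(text):
    """Parse FreeRADIUS brace syntax into nested dicts.

    Block keys keep their full header ('tls-config tls-common'); settings
    are stored as strings. '#' comments are stripped. This covers the subset
    of the syntax needed to locate cache settings, not $INCLUDE or quoting.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
            continue
        key, sep, value = line.partition("=")
        if sep:
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def tls_cache_status(conf):
    """Return {tls_config_name: cache_enabled} for every tls-config block.

    A missing cache block or missing 'enable' is treated as disabled
    (assumption: matches the shipped 3.0.x default).
    """
    status = {}
    for header, block in conf.get("eap", {}).items():
        if isinstance(block, dict) and header.startswith("tls-config "):
            cache = block.get("cache", {})
            enabled = str(cache.get("enable", "no")).lower() == "yes"
            status[header.split(None, 1)[1]] = enabled
    return status


def methods_with_resumption(conf):
    """List the EAP methods (peap, ttls) whose tls-config still caches sessions."""
    eap = conf.get("eap", {})
    status = tls_cache_status(conf)
    exposed = []
    for method in ("peap", "ttls"):
        block = eap.get(method)
        if isinstance(block, dict):
            # 'tls-common' is the name the stock eap.conf uses when unset.
            tls_name = block.get("tls", "tls-common")
            if status.get(tls_name, False):
                exposed.append(method)
    return exposed


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE_EAP_CONF)
    print(tls_cache_status(parsed))        # {'tls-common': True, 'tls-hardened': False}
    print(methods_with_resumption(parsed))  # ['peap']
```

On the sample, PEAP is flagged because it points at `tls-common`, where caching is still on, while TTLS uses the hardened block. Run it against the real `mods-available/eap` after applying the workaround; an empty list is the goal until the server is on 3.0.14 or later.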


FileSystem NTFS Bug Crashes Windows 7 and Windows 8.1

Until Microsoft patches this problem, use Chrome: a slip in file-path handling lets an attacker crash Windows 7 and Windows 8.1 with a single file access. The bug is triggered whenever a path uses the NTFS Master File Table ($MFT) as if it were a directory, for example when a web page includes an image whose source points at such a path. Every file on an NTFS volume has an entry in the MFT, which is why the OS must keep $MFT out of reach of ordinary user access. What researchers found is that trying to open a file such as c:\$MFT\foo makes NTFS take a lock on $MFT and never release it: in the words of the report, "it will be captured forever", and the machine hangs until it is rebooted. Users who tested the issue noticed that it cannot be triggered from Chrome, because the Google browser refuses to load images with malformed paths such as the $MFT one. Internet Explorer and Firefox, however, will attempt the load and are therefore exposed.
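Because the trigger is nothing more than a reference to a local path with `$MFT` as a directory component, it is straightforward to spot in content before it reaches a vulnerable browser. The script below, added here as an illustration and not taken from the original report, pulls `src`/`href` references out of HTML, normalises bare Windows paths and `file:` URLs, and flags those that route through `$MFT`. The HTML is constructed for the example; the `$MFT`-as-non-final-component rule follows the `c:\$MFT\foo` pattern described above, so a reference ending in `$MFT` itself is treated as benign.

```python
"""Flag HTML references that use $MFT as a directory component.

Added example, not code from the page's source. Intended as a content
filter (proxy, mail gateway, CMS) check for the c:\\$MFT\\foo trigger.
"""
import re
from urllib.parse import unquote

# Constructed sample: two triggering references, three benign ones.
SAMPLE_HTML = """
<html><body>
<img src="https://example.com/logo.png">
<img src="c:\\$MFT\\foo">
<img src="file:///c:/%24MFT/123">
<a href="c:\\windows\\temp\\$MFT">$MFT as the last component</a>
<img src="c:\\users\\public\\photo.jpg">
</body></html>
"""

# Values of src= and href= attributes, either quote style.
ATTR_RE = re.compile(r"""(?:src|href)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
DRIVE_PATH_RE = re.compile(r"^[a-z]:[\\/]", re.IGNORECASE)


def path_targets_mft(path):
    """True if $MFT appears as a directory component (c:\\$MFT\\foo).

    Percent-decodes, splits on either slash, ignores case and empty
    components. Only non-final components count, matching the reported
    trigger; 'c:\\foo\\$MFT' is not flagged.
    """
    parts = [p for p in re.split(r"[\\/]+", unquote(path)) if p]
    return any(p.lower() == "$mft" for p in parts[:-1])


def local_path_from_ref(ref):
    """Return a Windows-style path from a reference, or None if not local.

    Accepts bare drive paths and file: URLs (both file:///c:/x and
    file://c:/x forms); http(s) and other schemes are not local and
    return None. UNC paths are out of scope (assumption).
    """
    ref = ref.strip()
    if DRIVE_PATH_RE.match(ref):
        return ref
    if ref.lower().startswith("file:"):
        return ref[len("file:"):].lstrip("/")
    return None


def find_mft_references(html):
    """Return every src/href value in html that would open a path under $MFT."""
    hits = []
    for ref in ATTR_RE.findall(html):
        path = local_path_from_ref(ref)
        if path is not None and path_targets_mft(path):
            hits.append(ref)
    return hits


if __name__ == "__main__":
    for ref in find_mft_references(SAMPLE_HTML):
        print("blocked:", ref)
```

The same `path_targets_mft` check can sit in front of any code that opens caller-supplied paths on an NTFS volume; the HTML wrapper is only the most common delivery route described in the report.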

CERT-FR Weekly News Alert

Current alerts
  • CERTFR-2017-ALE-008: Multiple vulnerabilities in Microsoft Windows XP and Windows Server 2003 (15 May 2017)
  • CERTFR-2017-ALE-011: Jaff unsolicited e-mail (spam) campaign (14 May 2017)
  • CERTFR-2017-ALE-010: Spread of ransomware exploiting the MS17-010 vulnerabilities (12 May 2017)

Patches
  • CERTFR-2017-AVI-166: Multiple vulnerabilities in Siemens SCADA products (29 May 2017)