Intel AMT Back in the News

The release of new research from F-Secure spells more trouble for Intel’s Active Management Technology (AMT). AMT is used for remote access, monitoring and maintenance in corporate environments. Previously, in 2017, researchers discovered a critical vulnerability in AMT that made headlines: a wide-reaching privilege escalation vulnerability (INTEL-SA-00075, CVE-2017-5689). Now AMT is in the news again this week, as another serious security issue has been disclosed. The issue was discovered by a security researcher at the Finnish security company F-Secure. It could allow an attacker who has physical access to an affected device to enable the technology’s remote access features, letting them take complete control of the machine from the same network segment.

Details

The F-Secure advisory explains that an attacker who has physical access to the device can simply reboot the machine and press CTRL+P during bootup to reach the Intel Management Engine BIOS Extension (MEBx) login. If Intel AMT hasn’t already been provisioned by the device owner or corporate IT, the MEBx login is only protected by the default password "admin". By accessing the MEBx configuration, an attacker could enable remote access and set AMT’s user opt-in to...

The First Major Security Logos of 2018: Spectre and Meltdown Vulnerabilities

A major flaw in the way modern CPUs access cache memory could allow one program to access data belonging to another program. The latest security vulnerabilities affect most, if not all, systems in use today. The vulnerabilities are named Spectre and Meltdown and also have a dedicated website. According to the security advisory, Spectre breaks the isolation between different applications and allows an attacker to expose data once thought to be secure. Meltdown breaks the most fundamental isolation between user applications and the operating system. Both attacks are independent of the operating system and do not rely on any software vulnerabilities. To reduce the risk of compromise, users must apply software patches as quickly as possible.

Side channel attacks

The new bugs are considered side-channel attacks since they use side channels to obtain the information from the accessed memory location. Spectre allows an application to force another application to access arbitrary portions of its memory, which can then be read through a side channel. This unique side-channel attack relies on speculative execution, a technique used by high-speed processors to increase performance by guessing likely future execution paths and preemptively executing the instructions in them. Spectre...

Detecting macOS High Sierra root account vulnerability (CVE-2017-13872)

On November 28, 2017, a software developer (Lemi Orhan Ergin) reported a critical flaw in macOS High Sierra which allows any local user to log in as root without a password after multiple attempts. The vulnerability was originally thought to be exploitable only with physical access to the computer, but our researchers have been able to exploit this vulnerability to elevate privileges over an authenticated Secure Shell (SSH) session using a lower-privileged account, and remotely using Virtual Network Computing (VNC) if screen sharing is enabled.

Understanding the Root Cause

Patrick Wardle provides a very in-depth discussion of the root cause (no pun intended) of the issue. When a person (authorized or unauthorized) tries to log in to a macOS High Sierra system and the account is not enabled (i.e. root), a new account is created with the password supplied to the GUI. Even if the password is empty, a new account will be created with a blank password. Regardless of whether the attempt is made over the keyboard, VNC, or an authenticated SSH session, the new account is created on the first attempt, and...

Mr. Robot Cleaning House at E-Corp

The second episode of Mr. Robot finds Elliot starting his new job at E-Corp. As he joins his new team and looks for a way to delay the shipment of all the paper data to the New York facility, Elliot runs into the usual corporate middle-management delays. He quickly realizes his first obstacle, William the Technology Manager, is up to no good: he is deploying rootkits on phones and selling the personal data collected. To circumvent this first obstacle, Elliot breaks out a good tool called theHarvester, and then promptly calls the feds. Watch out, Evil Corp, Elliot is cleaning house while trying to delay the stage two attack.

theHarvester

During a pentest, the security professionals go through a reconnaissance phase where data on the target is collected. Having used theHarvester a few times myself, I found that time spent collecting subdomains, email addresses and SHODAN results really helps to understand vantage points into the target for exploitation. In this episode, Elliot uses the tail command to view the results of theHarvester and get his manager's password. He reads the email and identifies that his manager is using rootkits on the mobile devices. Elliot promptly notifies the...

Detecting Bad Rabbit Ransomware

A new ransomware dubbed Bad Rabbit has hit several targets and began spreading across Russia and Eastern Europe on Tuesday, October 24, 2017. The ransomware exploits the same vulnerabilities exploited by the WannaCry and Petya ransomware that wreaked havoc in the past few months. As new versions of ransomware using Shadow Brokers exploits run wild, Tenable.io Vulnerability Management (VM) users are equipped with tools to stay ahead of the game.

What is Bad Rabbit and what does it do?

According to early reports, Bad Rabbit ransomware uses a fake Flash update to lure unsuspecting users into installing the ransomware, resulting in the encryption of their data. Whether the attackers honor the payment or just keep asking for more money, the best approach is to patch your systems today and avoid the issue altogether.

Identifying Vulnerable Assets

Tenable.io users are ahead of the game. By using active scanning and agent-based scanning, customers will be able to easily identify the vulnerable assets across the exposed attack surface. Existing Petya and WannaCry plugins will display systems that are vulnerable to MS17-010, and these assets should be patched immediately. Tenable.io™ Vulnerability Management has the following two plugins, released earlier this year,...

Understanding Exploitability

Vulnerability exploits have been in headlines around the world in recent months as a leading source of cyber risk. As a result, your organization’s leadership may have started to ask whether your network is vulnerable to exploitation. The answer to that question often lies in the relationship between vulnerability and exploitability. All exploitable vulnerabilities are, of course, vulnerabilities. But when a vulnerability isn’t “exploitable,” what does that mean? The most accurate answer is that an exploit hasn’t been discovered yet, but the vulnerability still has the potential to be exploited. In Tenable.io™, nine unique advanced filters allow you to isolate the vulnerabilities or assets in your network that may be vulnerable to a particular type of exploit, giving you increased visibility into your organization’s Cyber Exposure.

Exploits

The term exploit is commonly used to describe software that has been developed to attack a computer system or asset by taking advantage of a vulnerability. The objective of many exploits is to gain control of an asset. For example, a successful exploit of a database vulnerability can provide an attacker with the means to collect or exfiltrate all the records from that database, resulting in a data...

Is the Devil’s Ivy in your Network?

Over the past several years, Tenable has discussed the growing concerns around Internet of Things (IoT) security. Given the static nature of IoT devices such as cameras, door sensors, and many more, the ability to correct flaws in third-party libraries becomes increasingly difficult. Yesterday, the researchers at Senrio disclosed a serious flaw in the gSOAP library found in many IoT devices, such as the AXIS M3004. Tenable.io and SecurityCenter use active and passive detection methods to identify these vulnerable systems by enumerating the operating systems and detecting versions of vulnerable third-party libraries. Many manufacturers recommend that customers or installers use segmentation strategies when deploying IoT devices to address potential security vulnerabilities. While segmentation is a good plan when deployed correctly, the installer and IT organizations often do not fully test access control methods. For example, the IoT device might be placed in a separate Virtual Local Area Network (VLAN), but the Access Control Lists (ACLs) are not fully implemented and tested. I often ran into these issues when performing security assessments and pentests. I would go into a network as a normal user and use Nessus to discover all of the live devices on the network. After...