Each month, Nebula Consulting posts vulnerability notes from CERT’s vulnerability database. Check back often for updates! 02 Oct 2017 - VU#973527 - Dnsmasq versions 2.77 and earlier contains multiple vulnerabilities

Dnsmasq is a widely used piece of open-source software. These vulnerabilities can be triggered remotely via DNS and DHCP protocols and can lead to remote code execution, information exposure, and denial of service. In some cases an attacker would need to induce one or more DNS requests.

Please see the Google Security blog post for additional information.

Solution: Apply an update. Dnsmasq version 2.78 has been released to address these vulnerabilities.

12 Oct 2017 - VU#590639 - NXP Semiconductors MQX RTOS contains multiple vulnerabilities

The NXP Semiconductors MQX RTOS prior to version 5.1 contains a buffer overflow in the DHCP client, which may lead to memory corruption allowing an attacker to execute arbitrary code, as well as an out of bounds read in the DNS client which may lead to a denial of service.

A remote, unauthenticated attacker may be able to send crafted DHCP or DNS packets to cause a buffer overflow and/or corrupt memory, leading to denial of service or code execution on the device.

The NXP Semiconductors MQX real-time operating system (RTOS) prior to version 5.1 is vulnerable to the following: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - CVE-2017-12718 CWE-125: Out-of-bounds Read - CVE-2017-12722

Solution: Apply an update. CVE-2017-12722 only affects MQX version 4.1 or prior. Affected users are encouraged to update to version 4.2 or later as soon as possible.

16 Oct 2017 - VU#228519 - Wi-Fi Protected Access (WPA) handshake traffic can be manipulated to induce nonce and session key reuse

Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a victim wireless access point (AP) or client. After establishing a man-in-the-middle position between an AP and client, an attacker can selectively manipulate the timing and transmission of messages in the WPA2 Four-way, Group Key, Fast Basic Service Set (BSS) Transition, PeerKey, Tunneled Direct-Link Setup (TDLS) PeerKey (TPK), or Wireless Network Management (WNM) Sleep Mode handshakes, resulting in out-of-sequence reception or retransmission of messages. Depending on the data confidentiality protocols in use (e.g. TKIP, CCMP, and GCMP) and situational factors, the effect of these manipulations is to reset nonces and replay counters and ultimately to reinstall session keys. Key reuse facilitates arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames.

An attacker within the wireless communications range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocol being used. Impacts may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames.

Solution: Install updates. The WPA2 protocol is ubiquitous in wireless networking. The vulnerabilities described here are in the standard itself as opposed to individual implementations thereof; as such, any correct implementation is likely affected. Users are encouraged to install updates to affected products and hosts as they are available. For information about a specific vendor or product, check the Vendor Information section of this document or contact the vendor directly. Note that the vendor list below is not exhaustive.

16 Oct 2017 - VU#307015 - Infineon RSA library does not properly generate RSA key pairs

The Infineon RSA library version 1.02.013 does not properly generate RSA key pairs. As a result, the keyspace required for a brute force search is lessened such that it is feasible to factorize keys under at least 2048 bits and obtain the RSA private key. The attacker needs only access to the victim's RSA public key generated by this library in order to calculate the private key.

CWE-310: Cryptographic Issues - CVE-2017-15361

Note that only RSA key generation is impacted. ECC is unaffected. RSA keys generated by other devices/libraries may also be used safely with this library.

Trusted Platform Modules (TPM) or smartcards may use this RSA library in their products. Infineon has provided a partial list of impacted vendors in a security advisory. Please see our list of impacted vendors below.

The researcher has released a summary of the work. Full details are expected at the ACM CCS conference in November 2017.

A remote attacker may be able recover the RSA private key from a victim's public key, if it was generated by the Infineon RSA library.

Solution: Apply an update. Check with your device manufacturer for information on firmware updates.

A security flaw in the WPA2 protocol was found and published by Belgian researchers on the morning of October 16th 2017. The protocol – normally used for securing modern Wi-Fi networks – has been broken to expose wireless internet traffic to potential eavesdropping and attacks. This vulnerability puts million of devices connected to Wi-Fi at risk for attacks. What has happened

In short, a combination of vulnerabilities in the WPA2 specification and its implementation was published. This combination allows an attacker to listen in on the data transmitted through Wi-Fi connections and potentially even inject data packets into them. This affects everything from Linux, Windows, iOS, Android, BSD and most likely some other platforms. Some sources claim that iOS and Windows are not affected, but according to the report written by the researcher behind these vulnerabilities, this is not true. It is possible to attack the access point directly which indirectly affects any device connected to it.

The vulnerability opens up for three attacks. The first attacks broadcast messages. While this is bad in itself, it’s not as devastating as the other two that have the potential to attack any message. The second attack targets an issue in the client. This affects Linux and Android according to the research paper, but could affect other systems as well. The third attack targets the access points. This means that any client connected could be attacked indirectly. Both of the latter attacks mean that an attacker can listen in on the traffic and could potentially even inject malicious content.

How do I know if I am affected?

If you are using Wi-Fi and have not received a security patch for this vulnerability, then you are most likely vulnerable. Unfortunately, the attack can be performed by just simulating background noise so there is not any reliable way to know if you are affected.

What to do?

• Look for updates for your OS. Most vendors should already be releasing security patches for these vulnerabilities (when reading the patch notes, keep an eye out for “KRACK attack” or “WPA2 nonce reuse”).
• If possible, use a cabled connection instead of Wi-Fi for your computer until a patch is out.
• Turn off Wi-Fi on your phone until you’ve patched your device.
• If possible, turn off the 802.11r feature in your router or device. Contact your access point vendor for information on how to disable this for your particular access point. In Linux you can remove this support in wpa_supplicant by removing FT-PSK and FT-EAP from your accepted protocols in wpa_supplicant.conf. (Note that Linux, Android and possibly other systems can be attacked through other means than the 802.11r feature.)
• Use application-level security like HTTPS, SSL, VPN etc.
• Be extra vigilant for anything that implies a broken trust chain, for example broken certificate warnings on websites or a missing lock in the address bar of your browser.

How do you patch your software?

• Your first priority should be to patch your clients (your phone and computer).
• Check with your router/access point vendor for patches to your router/APs firmware. Make sure to download them over a secure connection if you’re still on Wi-Fi.

Worth knowing for companies out there

• The attack requires the attacker to be in proximity to the Wi-Fi they are attacking. This means some locations will be reasonably safe.
• Mobile devices will be most vulnerable since they move from Wi-Fi to Wi-Fi automatically. Make sure these are patched or have their Wi-Fi turned off until that is possible.

How can this vulnerability be used by a hacker?

This vulnerability can let an attacker listen in on your network traffic and in some cases send fake network traffic. This opens up a very wide attack surface. An attacker could steal sensitive information or inject malicious data to infect the device it is attacking.

Sometimes the best thing to say about a wireless router in your house is that once it's set it, you forget it exists. As long as the devices that need the Wi-Fi connection can get on and function, that's all that matters, right?

Maybe, but we also live in the age of leaks, wiki and otherwise. If you're worried about the security of your home and by extension your personal data—especially from hackers who could casually sit in a car outside and get access to your systems—then you need to put a padlock on that wireless. You may also want to prevent others from using your network, and freeloaders alike.

So what do you do? Follow these tips and you'll be well ahead of most home Wi-Fi users. Nothing will make you 1,000 percent safe against a truly dedicated hack. Crafty social engineering schemes are tough to beat. But don't make it easy on them; protect yourself with these steps.

Change Your Router Admin Username and Password Every router comes with a generic username and password—if they come with a password at all. You need it the first time you access the router. After that, change them both. Immediately. The generic usernames are a matter of public record for just about every router in existence; not changing them makes it incredibly easy for someone who gets physical access to your router to mess with the settings.

If you forget the new username/password, you should probably stick to pencil and paper, but you can reset a router to its factory settings to get in with the original admin generic info.

Change the Network Name The service set identifier (SSID) is the name that's broadcast from your Wi-Fi to the outside world so people can find the network. While you probably want to make the SSID public, using the generic network name/SSID generally gives it away. For example, routers from Linksys usually say "Linksys" in the name; some list the maker and model number ("NetgearR6700"). That makes it easier for others to ID your router type. Give your network a more personalized moniker.

It's annoying, but rotating the SSID(s) on the network means that even if someone had previous access—like a noisy neighbor—you can boot them off with regular changes. It's usually a moot point if you have encryption in place, but just because you're paranoid doesn't mean they're not out to use your bandwidth. (Just remember, if you change the SSID and don't broadcast the SSID, it's on you to remember the new name all the time and reconnect ALL your devices—computers, phones, tablets, game consoles, talking robots, cameras, smart home devices, etc.

Activate Encryption This is the ultimate Wi-Fi no-brainer; no router in the last 10 years has come without encryption. It's the single most important thing you must do to lock down your wireless network. Navigate to your router's settings (here's how) and look for security options. Each router brand will likely differ; if you're stumped, head to your router maker's support site.

Once there, turn on WPA2 Personal (it may show as WPA2-PSK); if that's not an option use WPA Personal (but if you can't get WPA2, be smart: go get a modern router). Set the encryption type to AES (avoid TKIP if that's an option). You'll need to enter a password, also known as a network key, for the encrypted Wi-Fi.

This is NOT the same password you used for the router—this is what you enter on every single device when you connect via Wi-Fi. So make it a long nonsense word or phrase no one can guess, yet something easy enough to type into every weird device you've got that uses wireless. Using a mix of upper- and lowercase letters, numbers, and special characters to make it truly strong, but you have to balance that with ease and memorability.

Double Up on Firewalls The router has a firewall built in that should protect your internal network against outside attacks. Activate it if it's not automatic. It might say SPI (stateful packet inspection) or NAT (network address translation), but either way, turn it on as an extra layer of protection.

For full-bore protection—like making sure your own software doesn't send stuff out over the network or Internet without your permission—install a firewall software on your PC as well. Our top choice: Check Point ZoneAlarm PRO Firewall 2017; there a free version and a $40 pro version, which has extras like phishing and antivirus protection. At the very least, turn on the firewall that comes with Windows 8 and 10.

Turn Off Guest Networks It's nice and convenient to provide guests with a network that doesn't have an encryption password, but what if you can't trust them? Or the neighbors? Or the people parked out front? If they're close enough to be on your Wi-Fi, they should be close enough to you that you'd give them the password. (Remember—you can always change your Wi-Fi encryption password later.)

Use a VPN A virtual private network (VPN) connection makes a tunnel between your device and the Internet through a third-party server—it can help mask your identity or make it look like you're in another country, preventing snoops from seeing your Internet traffic. Some even block ads. A VPN is a smart bet for all Internet users, even if you're not on Wi-Fi. As some say, you need a VPN or you're screwed. Check our list of the Best VPN services.

Update Router Firmware Just like with your operating system and browsers and other software, people find security holes in routers all the time to exploit. When the router manufacturers know about these exploits, they plug the holes by issuing new software for the router, called firmware. Go into your router settings every month or so and do a quick check to see if you need an update, then run their upgrade. New firmware may also come with new features for the router, so it's a win-win.

If you're feeling particularly techie—and have the right kind of router that supports it—you can upgrade to custom third-party firmware like Tomato, DD-WRT or OpenWrt. These programs completely erase the manufacturer's firmware on the router but can provide a slew of new features or even better speeds compared to the original firmware. Don't take this step unless you're feeling pretty secure in your networking knowledge.

Turn Off WPS Wi-Fi Protected Setup, or WPS, is the function by which devices can be easily paired with the router even when encryption is turned because you push a button on the router and the device in question. Voila, they're talking. It's not that hard to crack, and means anyone with quick physical access to your router can instantly pair their equipment with it. Unless your router is locked away tight, this is a potential opening to the network you may not have considered.

4G LTE Internet is an under-utilized asset for your company’s network… and your sanity. As someone who’s owned a business telecom, Internet, and cloud brokerage, I’ve had my share of drama surrounding circuits taking too long to install. Whether it’s fiber taking a year to get built-out, or a T1 taking 6 weeks to install (when our customer’s business was relocating in 4), being at the mercy of an ISP’s unexplainable, bureaucratic timeline has been the most stressful part of my job.

Not far behind those bad experiences are the times I’ve had customers call me (in a panic), telling me their Internet circuit is completely down and they either do not have a backup or they have a ridiculously slow backup. And again, we are at the mercy of the ISP’s timeline, as the customer and I wait (as minutes seem like hours), for the Internet circuit to be restored.

Enter 4G LTE wireless Internet for business.

Here is why 4G is a great backup solution for your Internet circuit...

High bandwidth

Typical 4G LTE Internet speed ranges from 5-15M download and 1-5M upload. That’s decent speed but did you know you can bond multiple connections (via a Peplink or similar device), to get even faster speed?

Furthermore, if 4G XLTE is available in your company’s neighborhood, your business can typically get double the bandwidth (i.e. 40M/10M). Bond a second connection and you just created 80M download speed.

Inexpensive

A typical 4G LTE Wireless Internet connection is only going to cost your company between $50–$100/month. It’s about the same price as business-class cable, which is about as inexpensive as you’ll find these days for a high-bandwidth business Internet connection.

Availability

How many places have you been where the little “LTE” symbol on your phone disappears and it says “1x.” Not many. Maybe in the panic room you recently installed in your house— or in Yosemite — or a few other extremely remote areas.

4G is available almost everywhere a business could be. On top of that, there are ISP’s who specialize in 4G and can sell your company a 4G LTE Internet connection from the best-available provider servicing your company’s exact address.

Fast installation

4G LTE can be installed in a couple of days.

Out-of-Band Management

When your company’s remote site’s Internet goes down, are you “flying blind” trying to call an on-site employee and have them make changes to the router? Or maybe you’ve experienced the lightening-fast speed of using a POTS line to access a router, remotely?

If your company has 4G LTE for a backup — but you lose your primary Internet connection — not only is the Internet still “up,” but you also have high-speed access into the router for troubleshooting your primary circuit.

You should have the best security technology you can possibly have, and your organization should have the most effective security policies it can create. But ultimately, the most powerful way to protect the organization is to create a culture of security. Whatever your place of business — whether it’s a large or small organization, healthcare provider, academic institution or government agency – creating a culture of cybersecurity from the break room to the boardroom is essential. Why is a culture of security so important? Think of the employees as the company’s first firewall. Staff stand between an organization’s information assets and the thieves who want to plunder them. Intrusions that are based entirely on technology are rare. Most intrusions result from fraud that takes advantage of employee carelessness, lack of judgment or even criminal intent.

Think of your company as a community. Most observers say there are three primary factors that help ensure law and order in a community.

1. Risk Perception

Members of the community can only act to prevent or report crime if they know what it looks like and have a certain level of fear about it. This is why the police departments in some communities work so hard to establish trust in their communities, and it’s the origin of the byword, “See something, say something.” In a company, you can take advantage of risk perception with user awareness training. Teach all employees what cybercrime looks like and how it is likely to affect them.

2. Social Norms and Conformity

Most human beings behave well because of social norms — informal understandings about the proper way to behave. Most of us go through our everyday lives with a sense of these informal understandings. Yes, the laws are there, but the opinions of our neighbors are keeping us in line. Just like every community, every organization has a culture that includes social norms, often ones we aren’t even aware of. Finding ways to incorporate security into those norms will go a long way toward protecting your organization’s assets. Here’s how you incorporate security into your organization’s social norms. First, make sure the leadership of the organization stresses the value of security and backs up these values by modeling appropriate behaviors. A CEO who talks about the importance of security and then writes his or her password on a sticky note on the computer monitor will harm more than help the culture of security.

Second, provide more advanced user training that teaches skills in addition to awareness. Give it a positive value. The Logical Operations CyberSAFE program, for example, culminates in certification so that those who successfully complete it have credentials providing tangible evidence of their value to the organization.

3. Routine Monitoring

Studies show that companies with skilled incident response teams suffer fewer catastrophic data breaches and lower average cost when data breaches do occur. This is because incident response teams reduce the “dwell time” of criminals that manage to invade your network. But incident response teams themselves also contribute to the culture of security, because their presence reminds employees of the importance of security.

My advice is that you designate, train and support an incident response team and promote their visibility within the organization. You may even want to consider ways to enhance the team’s prestige: stage a competition among candidates to join it, regularly report on it in the company newsletter and have its members visit and give presentations on security to other departments. Promoting the importance of the incident response team can contribute both to establishing social norms and conformity and the reassurance that contributes to a sense of stability that allows people get on with their work. The Logical Operations’ CyberSec First Responder program is an example of a way to train and certify an elite incident response team.

It’s not all about technology and law enforcement. You need to find as many ways as possible to support your employees’ adherence to security policies, exercise of good judgment and recognition of fraud. Risk perception, social norms and routine monitoring can only help.