Category Archives: Advice for SMEs

Critical Wormable Vulnerability CVE-2019-0708 patched. Is the world a safer place now?

19 May 2019

Microsoft released (1) a patch for the critical Remote Code Execution vulnerability CVE-2019-0708 (2) in Remote Desktop Services on May 14th, 2019. The vulnerability is wormable. A malware that exploits the vulnerability can spread from vulnerable computer to vulnerable computer in a way WannaCry did in 2017. Fortunately, only Windows XP, Windows 2003 Server, Windows 7 and Windows 2008 Server are impacted.

How big is the problem?

A Shodan search shows that about 30% of the Windows 2008 server systems directly connected to the internet are impacted. The Windows 2003 problem is much larger although Microsoft stopped the extended support for this version in July 2015.

Table 1: CVE-2019-0708 Impacted Systems. Source: Shodan. Data generated: 5/19/2019 7:30 pm

How to mitigate?

Since CVE-2019-0708 is a remote code execution vulnerability patches or other mitigating measures should be applied directly.

Microsoft provided patches with the May 2019 patch set, even for Windows 2003 Server and Windows XP, to prevent similar effects to that of WannaCry on the global economy. As an immediate step, Microsoft recommends deactivating RDP access to the impacted systems.

Is the world a safer place now?

Far from it. A brief analysis shows that many of the impacted systems provide applications based on a WAMP technology stack (Windows, Apache, MySQL, PHP). And in many cases remote code execution vulnerabilities in Apache or PHP are not patched. With this, the overall security level remains as bad as before Microsoft released the patches.

Without vulnerability and application life cycle management such problems cannot be solved. Apache, MySQL and PHP can be operated on top of an outdated Windows OS, but critical vulnerabilities in these components must be patched directly to avoid a large financial impact in the worst case.

The Equifax data breach from 2017 is just one example. In this case an unpatched remote code execution vulnerability in the Apache Struts framework opened the door for the attackers. Equifax (3) estimates that it has spent $1.4 billion so far to recover from the breach.

Have a great week.


References

  1. MSRC Team. Prevent a worm by updating Remote Desktop Services (CVE-2019-0708) – MSRC [Internet]. 2019 [cited 2019 May 19]. Available from: https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
  2. NIST NVD. NVD – CVE-2019-0708 [Internet]. 2019 [cited 2019 May 19]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2019-0708
  3. Olenick D. Equifax data breach recovery costs pass $1 billion [Internet]. SC Media. 2019 [cited 2019 May 19]. Available from: https://www.scmagazine.com/home/security-news/data-breach/equifax-data-breach-recovery-costs-pass-1-billion/
Advertisements

The Costs of Doing Application Life Cycle Management Not Right

12 May 2019

For the following text, let us assume that we created a fictional application named Our Awesome App (OAA) on the basis of the Microsoft technology stack. OOA runs on top of the Windows 2008 R2 Server OS. Microsoft stops the support for this version in January 2020, thus we may have some migrations to do.

What is application lifecycle management?

Application lifecycle management (ALM) is a continuous process of managing the life of an application through governance, development and maintenance.”(1)

I prefer this brief definition of ALM of 2010 although the current Wikipedia definition(2) is more comprehensive.

It is the restriction to applications that creates the trouble in both definitions because applications are bound to a Web or Technology Stack.(3)

Technology Stack

Technology Stack

Each product in the technology stack has a life cycle, usually independent of the life cycle of the other layers and of OAA. With this, application life cycle management cannot be considered independently from the technology stack. Even if no development takes place on the application layer, changes in the technology stack might demand changes in the application.

Usually, ALM deals with Layers 1 to 4 of the technology stack. Neither the database nor the server is in focus of ALM. For the LAMP (Linux, Apache, MySQL, PHP) stack, this creates no big trouble because the middleware (Apache) and the database (MySQL) are largely immune to changes in the Linux OS.

Microsoft Technology Stack

Microsoft Technology Stack

But in the case of OAA we face some trouble because the Internet Information Server (IIS 7.5) is a component of the Windows 2008 R2 Server OS. A change in the server OS might have a great impact on the application.

What’s the trouble with the Windows 2008 R2 Server end of life?

Every day new vulnerabilities in IT products are published. All layers in the technology stack are impacted. The Windows update service takes care that newly detected vulnerabilities on layers 2 – 5 are automatically patched because we built OAA on top of the Microsoft technology stack. So, the application manager has to deal only with vulnerabilities in OAA.

Microsoft provides no longer patches once a product goes beyond the end of its life. But new vulnerabilities for such products are still discovered and published. This increases the number of unpatched vulnerabilities on the server and middleware layer. With this, the security level of the whole network is lowered because unpatched Windows systems facilitate, in the worst case, the propagation of malware like WannaCry or NotPetya.

What’s the trouble with application life cycle management?

ALM is a tedious and costly task. Getting ALM right requires continuous study of the life cycle of all products on the technology stack and continuous planning, development, integration and testing across all layers of the application stack. Therefore, application managers care often only of the first layer. Developers are responsible for the second, the third and to some extend also for the fourth layer. Someone from IT operations takes care of layers 4 to 6, but no one cares of the entire technology stack.

Eventually, someone realises that some hundred Windows 2008 R2 Servers are still in operation, and only few months left for migration. Migration of applications including the middleware is a lengthy process. Thus, it is obvious to spend some money for extended support, just to buy time to get the migrations done.

What are the costs for extended support?

For the following calculation, let us assume that 20 Windows 2008 R2 servers running the Datacenter Edition and 400 servers running the Standard Edition are still in use. The price for extended on-premise support is at 75% annually of the full license price of the latest Windows server version, provided either software assurance or a subscription is available.(4) Let us assume that the IT team works hard on the migrations and the number of servers to go is reduced every year.

A brief sample calculation based on the regular price sheet(5) shows that a large amount of money is spent just for some security patches.

Sample Windows 2008 Server Extended Support Calculation

Sample Windows 2008 Server Extended Support Calculation

It is very important to note that these expenses are unplanned costs. They reduce the company’s earnings. Fortunately, this cost can be avoided if ALM is extended to the whole technology stack.

How to tackle the application life cycle management challenge?

(1) Move the accountability for ALM to the board.

The board is accountable for revenues and earnings. Since unplanned expenses for ALM lower the earnings the CFO should take control.

(2) Embed ALM in your daily business.

ALM is no project. It is a continuous activity that requires coordinated planning across all stakeholders in the business and IT groups. The application development budget should be extended to cover cost caused by changes in the technology stack.

(3) Start early, at least 2 years before the end of life of a product.

Minimize down times to keep the users happy.

(4) Set up and maintain an asset repository.

The asset repository should provide details on the technology stack of each application and the interfaces between applications. Is the repository up-to-date it takes only few minutes to become an idea of the effort related with the next life cycle change.

(5) Develop a concept for applications that cannot be migrated.

In some application areas, such as manufacturing, it is often not possible to migrate to newer versions in due time, for example due to technical restrictions by the vendor. For these applications, concepts must be developed to ensure secure operations beyond the end of life of tech stack components.

(6) Develop an application design guide to simplify ALM and security operations.

Applications should be developed such that they are to a large extent immune against changes in the technology stack. Procurement should take care that off-the-shelf solutions comply to the guidelines.

(7) Foster the change towards DevOps in the IT organisation.

DevOps teams should be responsible for the entire technology stack. At least the testing process should be automated. This will speed-up the roll out of security patches as well.

By the way, Microsoft announced the end of life of Windows 2012 R2 Server for 2023. This change will also affect the whole technology stack, thus start at least in 2021 with preparations.

Have a great week.


References

1. Appelo J. Agile Application Lifecycle Management (ALM) [Internet]. Business presented at; 2010 Nov 22 [cited 2019 May 7]. Available from: https://de.slideshare.net/jurgenappelo/agile-alm

2. Application lifecycle management. In: Wikipedia [Internet]. 2019 [cited 2019 May 7]. Available from: https://en.wikipedia.org/w/index.php?title=Application_lifecycle_management&oldid=895749396

3. Rouse M. What is Web stack? – Definition from WhatIs.com [Internet]. WhatIs.com. 2012 [cited 2019 Apr 29]. Available from: https://whatis.techtarget.com/definition/Web-stack

4. Microsoft. Extended Security Updates for Windows Server 2008 and SQL Server 2008 End of Service FAQ [Internet]. 2019. Available from: https://download.microsoft.com/download/C/8/5/C851D4E2-ED1F-4F56-AEC0-1561D85AB489/Extended_Security_Updates_for_Windows_Server_2008_and_SQL_Server_2008_End_of_Service_FAQ.pdf

5. Microsoft. Windows Server 2019 Licensing & Pricing | Microsoft [Internet]. Microsoft Cloud-Platform – US (English). [cited 2019 Apr 29]. Available from: https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing

Email Data Breach Exposes Over Two Billion Personal Records – Has Cyber Security failed?

20 April 2019

Scott Ikeda’s report(1) on the Verifications.io data breach makes one thing clear: The incurable disease named cyber-security carelessness that leads inevitably to data breaches caused also this incident.

First of all, the company misjudged the criticality of the data. Although the exposed information is publicly accessible the compilation in few data sets simplifies the job of cyber criminals. Phishing emails are just more credible if high quality data(1) is used.

Secondly, the information in the MongoDB was accessible for everyone with internet access. This is not an isolated case. As of today, about 64,000 MongoDB(2) are visible in the internet, thereof about 18,000 with authentication not enabled.

MongoDB accessible to the internet.

MongoDB accessible to the internet.

The system developers ignored the vendors security advice provided in section ‘Limit Network Exposure’ of the MongoDB security checklist(3):

“Ensure that MongoDB runs in a trusted network environment and limit the interfaces on which MongoDB instances listen for incoming connections. Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available.”

This is easy to implement, at low cost.

Cyber security is about people, processes and technology. In this case, lack of cyber security awareness and missing security processes caused the incident. Nevertheless, security solution vendors advice(1) to implement new security technology for preventing such incidents:

“Security tools that automatically protect your data such as data loss prevention (DLP) and digital rights management (DRM) help secure your sensitive information. In the event that an important cloud vendor doesn’t have the right data protection, you can wrap their applications with a cloud security broker to provide the necessary cloud security and protection for your data.”

The big question is: Are such solutions effectively mitigating the risk if the system is accessible from the internet, without authentication?

I very much doubt because the number and extent of data breaches is continually growing, despite annually increasing investments into cyber security. Technology does just not cure cyber-security carelessness.

Have a great weekend.


References

  1. Ikeda S. Largest Leak in History: Email Data Breach Exposes Over Two Billion Personal Records [Internet]. CPO Magazine. 2019 [cited 2019 Apr 14]. Available from: https://www.cpomagazine.com/cyber-security/largest-leak-in-history-email-data-breach-exposes-over-two-billion-personal-records/

  2. The Shadowserver Foundation. The Shadowserver Foundation: MongoDB NoSQL Server Scanning Project [Internet]. 2019 [cited 2019 Apr 19]. Available from: https://mongodbscan.shadowserver.org/

  3. mongoDB. Security Checklist — MongoDB Manual [Internet]. https://github.com/mongodb/docs/blob/v4.0/source/administration/security-checklist.txt. [cited 2019 Apr 19]. Available from: https://docs.mongodb.com/manual/administration/security-checklist

SpeakUp – Lateral movement made easy

10 March 2019

A remote command-injection vulnerability dubbed SpeakUp (CVE-2018-20062) (1) in the ThinkPHP development framework was widely reported in the news some weeks ago. Technically, SpeakUp is simply one more command-injection vulnerability with CVSS V3.0 base score Critical that results in full loss of integrity if exploited.

CVE-2018-20062 alike Vulnerabilities 2018

CVE-2018-20062 alike Vulnerabilities 2018

CVE-2018-20062-class vulnerabilities are quite rare. As of 10 March 2019 only 182 of the 16517 vulnerabilities published in 2018 belong to this class. Exploitation of any of these vulnerabilities results in full loss of integrity of the attacked system. In the worst case, the compromised system becomes the new base of operations for the attacker and allows him to compromise further systems.

Tara Seals provides a brief outline (2) on ThreatPost of the initial infection routine. For more details see the Checkpoint Research report (3) about SpeakUp.

Lateral movement in Linux-based networks places special challenges on the attacker. In general, vulnerabilities in applications must be used for propagation. SpeakUp uses an impressive arsenal of old vulnerabilities in application frameworks for propagation. Seals writes:

“To spread, SpeakUp’s propagation code exploits known vulnerabilities in six different Linux distributions, including JBoss Enterprise Application Platform security bypass vulnerabilities (CVE-2012-0874); a JBoss Seam Framework remote code execution (RCE) flaw (CVE-2010-1871); a JBoss AS 3/4/5/6 RCE exploit; a Oracle WebLogic wls-wsat Component Deserialization RCE (CVE-2017-10271); a vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (CVE-2018-2894); a Hadoop YARN ResourceManager command-execution exploit; and an Apache ActiveMQ Fileserver File Upload RCE vulnerability (CVE-2016-3088).”

The table below shows some details of the above mentioned vulnerabilities.

CVE

Application Framework

CVSS Base Score

Attack Vector

CVE-2012-0874

JBoss Enterprise Application Platform (EAP)

6.8 (CVSS v2.0)

V:N/AC:M/Au:N/C:P/I:P/A:P (CVSS v2.0)

CVE-2010-1871

JBoss Enterprise Application Platform (EAP)

6.8 (CVSS v2.0)

(AV:N/AC:M/Au:N/C:P/I:P/A:P) (CVSS v2.0)

CVE-2017-10271

Oracle WebLogic Server

7.5 (CVSS v3.0)

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CVSS v3.0)

CVE-2018-2894

Oracle WebLogic Server

9.8 (CVSS v3.0)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CVSS v3.0)

CVE-2016-3088

Fileserver web application in Apache ActiveMQ

9.8 (CVSS v3.0)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CVSS v3.0)

Any of the listed vulnerabilities enables the attacker to create new operations bases. In the worst case, he can jump across network boundaries, e.g. from the DMZ into the company intranet or from the company intranet into the production network.

How to stop this kind of attacks?

From the tactical point of view, vulnerability management is the key to stop this kind of attacks as early as possible. CVE-2018-20062-class vulnerabilities and remote code or script execution vulnerabilities must be patched directly after they show up on the market. At least in the DMZ and on systems on both sides of network boundaries. This will prevent the attacker from lateral movement.

Vulnerability management relies on asset management. And on CI/CD across the entire application stack because without automated testing it is not possible to make sure that the application is still working after the patches have been applied.

From a strategic point of view, measures must be applied to enlarge the resilience of application systems against cyber attacks. This includes e.g. micro segmentation or Web Application Firewalls but also Linux native enhancements like AppArmor or SELinux.

And this holds for both, cloud and on-premise hosted applications.

Have a great week.


References

1. NIST NVD. NVD – CVE-2018-20062 [Internet]. 2018 [cited 2019 Feb 6]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2018-20062

2. Seals T. SpeakUp Linux Backdoor Sets Up for Major Attack [Internet]. threatpost. 2019 [cited 2019 Feb 6]. Available from: https://threatpost.com/speakup-linux-backdoor/141431/

3. Check Point Research. SpeakUp: A New Undetected Backdoor Linux Trojan [Internet]. Check Point Research. 2019 [cited 2019 Feb 6]. Available from: https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/


 

Windows Applocker – The almost forgotten IT security workbench

5 January 2019

Dridex[1], Emotet[2], Locky[3], Destover[4], Petya[5], NotPetya, etc. share one feature: They are droppers[6]. A dropper installs malware to a target system and executes it then.

Droppers are delivered mainly by e-mail through phishing or spear phishing attacks. Since they are continuously refined to undergo malware detection the fight against droppers never stops.

The Achilles heel of droppers is that they are executed in the context of the current user during delivery. With this the dropped malware can only be stored in locations where the user has modify privileges, e.g. the user’s home directory.

Seven Phases Cyber Kill Chain

Seven Phases Cyber Kill Chain

If we can prevent the execution of objects from e.g. the user’s home directory the dropper can never execute the installed malware. With this we can block the malware during the delivery / exploitation phase of the Cyber Kill Chain, before the attacker becomes persistent in our network.

That is the idea behind Windows Applocker[7]. The Applocker default rules allow the execution of programs, scripts and dlls only from trusted directory systems, e.g. c:\Program Files, C:\Progam Files (X86), or c:\Windows. If activated, Applocker stops the execution of programs and scripts outside these trusted directories and thus Dridex, Emotet, Locky, Destover, etc.

But Applocker does more than blocking droppers. DLL injection is prevented if DLL rules are enforced. I strongly recommend to enforce the DLL rules from the start. Drive-by downloads, PuA, PuP  and Adware are blocked. Even the exploitation of zero-days like the latest Adobe pdf security flaw, CVE-2018-16011[8], can be mitigated. The entire network becomes more resilient against cyber attacks.

Applocker is perfectly suited to enhance the resilience against cyber attacks in production networks and critical infrastructures. In particular in GxP regulated industries Applocker is worth to be looked at. Since Applocker is integrated in the Windows OS a validation of a third party white-listing application is not required.

Applocker can be enforced on Windows Enterprise Edition installations (starting with Windows 7) with local group policies. To lower the administrative effort it is recommended to join the computers to a domain and enforce the Applocker rules through group policies.

Unfortunately, Microsoft compromises the Applocker approach by tools like Teams and OneDrive. Both are installed in user context, thus will be blocked by Applocker. Since  Applocker allows the definition of exceptions and their roll out with group policies such applications can be handled with manageable effort.

Besides modern applications at least two cyber security sins reduce the effectiveness of Applocker.

  • Users work with permanent admin privileges.

In this case the dropper can install the malware in trusted directories. Working with permanent admin privileges is one of the IT security deadly sins, thus should be avoided anyway.

  • Users have modify access to trusted directories and files.

Check trusted directories and files with AccessEnum. If objects can be modified by users either change the ACLs or define an Applocker exception for them.

Applocker provides great capabilities to enhance the resilience of organizations against cyber attacks. Just give it a try in 2019.

Have a great weekend.


References

  1. Proofpoint Threat Insight. High-Volume Dridex Banking Trojan Campaigns Return [Internet]. 2017 [cited 2018 Dec 29]. Available from: https://www.proofpoint.com/us/threat-insight/post/high-volume-dridex-campaigns-return
  2. Villaroman BC. Spoofed Banking Emails Arrive with EMOTET Malware [Internet]. TrendMicro Threat Encyclopedia. 2018 [cited 2019 Jan 4]. Available from: http://www.trendmicro.tw/vinfo/tr/threat-encyclopedia/spam/677/spoofed-banking-emails-arrive-with-emotet-malware
  3. Avast Threat Intelligence Team. A closer look at the Locky ransomware [Internet]. Avast Blog. 2016 [cited 2018 Dec 29]. Available from: https://blog.avast.com/a-closer-look-at-the-locky-ransomware
  4. Gallagher S. Inside the “wiper” malware that brought Sony Pictures to its knees [Update] [Internet]. Ars Technica. 2014 [cited 2018 Dec 29]. Available from: https://arstechnica.com/information-technology/2014/12/inside-the-wiper-malware-that-brought-sony-pictures-to-its-knees/
  5. Malwarebytes Labs. Keeping up with the Petyas: Demystifying the malware family [Internet]. Malwarebytes Labs. 2017 [cited 2018 Dec 29]. Available from: https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/
  6. Rouse M. What is dropper? – Definition from WhatIs.com [Internet]. WhatIs.com. 2015 [cited 2019 Jan 5]. Available from: https://whatis.techtarget.com/definition/dropper
  7. Lich B, Poggemeyer L, Justinha. AppLocker (Windows 10) [Internet]. WIidows IT Pro Center. 2017 [cited 2019 Jan 5]. Available from: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview
  8. The Hacker News. Adobe Issues Emergency Patches for Two Critical Flaws in Acrobat and Reader [Internet]. Vulners Database. 2019 [cited 2019 Jan 4]. Available from: https://vulners.com/thn/THN:ADE75E1067458A6BD1C6FB7BD78E697D/

Adobe Flash zero day exploited in the wild. Remote code execution vulnerabilities are hacker’s favorites!

8 December 2018

On December 5th, 2018 Adobe published security bulletin APSB18-41[1] for critical vulnerability CVE-2018-15928 in the widely used Flash Player. Gigamon Applied Threat Research (ATR) reported the vulnerability on November 29th, 2018 to Adobe. They detected the issue some days before while analyzing a malicious word document that was uploaded to VirusTotal from a Ukrainian IP address. For a detailed analysis of the attack and the vulnerability see [2][3].

Successful exploitation of CVE-2018-15928 could lead to Arbitrary Code Execution in the context of the current user. Due to RedHat the CVSS3 Base Metrics is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H with a CVSS3 Base Score of 8.8.

Zero days are not a rare phenomenon. Between 2013 and 2017[4] about 60% of the exploits were disclosed before the related CVE was published.

For about 20% of vulnerabilities in the NVD exploits are published in the exploit database[5]. Only about 1% of the vulnerabilities are exploited in the wild. Thus CVE-2018-15928 is a really rare event.

Remote code/script execution (RxE) vulnerabilities like CVE-2018-15928 represent about 20% of all vulnerabilities. 43% of the exploits published between 1988 and 2018 are related to RxE vulnerabilities.

Remote Code Execution Vulnerabilities. Data: 1988-2018

RxE Vulnerabilities. Data: 1988-2018

Exploits for Remote Code Execution Vulnerabilities. Data: 1988-2018

Exploits for RxE Vulnerabilities. Data: 1988-2018

About 5% of the RxE vulnerabilities are exploited in the wild.

This means, that RxE vulnerabilities are 5 times more often exploited in the wild then Non-RxE vulnerabilities. They are hacker’s favorites!

What does the mean for our vulnerability management strategy?

  • The remediation process must be started directly upon publication of an RxE vulnerability in the NVD or the disclosure of an exploit for an RxE in the exploit database.
  • In scope for the first remediation wave must be at least all systems facing the internet, e.g. workstations, servers in the DMZ or in public clouds.
  • Gathering intelligence about new vulnerabilities from a plethora of publicly available sources (OSINT) is a time-consuming task. A threat intelligence service can speed-up information gathering and reduces the workload of your IT security staff.
  • In addition, since remediation takes some time, it makes sense to invest in means for enhancing the resilience of application systems.

Expect the worst and be prepared. Or, to echo Hamlet:

To be, or not to be, that is the question:
Whether ’tis nobler in the mind to suffer
The slings and arrows of outrageous fortune,
Or to take arms against a sea of troubles,
And by opposing, end them? To die: to sleep;

Have a good weekend.


  1. Adobe. Security updates available for Flash Player | APSB18-42 [Internet]. 2018 [cited 2018 Dec 8]. Available from: https://helpx.adobe.com/security/products/flash-player/apsb18-42.html

  2. Gigamon Threat Research Team. Adobe Flash Zero-Day Exploited In the Wild [Internet]. Gigamon ATR Blog. 2018 [cited 2018 Dec 8]. Available from: https://atr-blog.gigamon.com/2018/12/05/adobe-flash-zero-day-exploited-in-the-wild/

  3. Qihoo 360 Advanced Threat Response Team. Operation Poison Needles – APT Group Attacked the Polyclinic of the Presidential Administration of Russia, Exploiting a Zero-day [Internet]. 2018 [cited 2018 Dec 8]. Available from: http://blogs.360.cn/post/PoisonNeedles_CVE-2018-15982_EN.html

  4. Jochem K. About 60% of exploits are published before the CVE. What does this mean for your cyber security strategy? [Internet]. IT Security Matters. 2018 [cited 2018 Dec 8]. Available from: https://klausjochem.me/2018/11/04/about-60-of-exploits-are-published-before-the-cve-what-does-this-mean-for-your-cyber-security-strategy/

  5. Offensive Security. Offensive Security’s Exploit Database Archive [Internet]. Exploit Database. [cited 2018 Nov 4]. Available from: https://www.exploit-db.com/

Vulnerabilities in self-encrypting SSDs let cyber criminals bypass BitLocker Full Disk Encryption. Don’t Panic!

25 November 2018

Full disk encryption (FDE) applications like BitLocker represent the final bastion in protection against theft and loss of laptops.

No wonder that post “Flaws in Popular SSD Drives Bypass Hardware Disk Encryption”[1], published by Lawrence Abrams on 11/5/2018 at Bleeping Computer, irritated the security community largely.

I scanned the announcement from Radboud University[2] and the preliminary version of the research paper and found no need to enter panic mode.

Hard Drive Lock by Hello Many from the Noun Project

Hard Drive Lock by Hello Many from the Noun Project

What happened. Researchers from Radboud University in The Netherlands found two critical security weaknesses, CVE-2018-12037 and CVE-2018-12038, in the encryption of some SSDs allowing access to the data without knowledge of any secret. Windows 8/10 BitLocker is able to make use of the hardware encryption capabilities to speed up the encryption process. Thus, BitLocker is compromised.

During normal operating conditions it is hardly possible to exploit these vulnerabilities because a cyber criminal must remove the SSD from the computer and connect a hardware debugger to reach the secrets.

Thus we face an increased risk if the device is left unattended, e.g. evil maid attack[3], lost or stolen. Or, if the device was lost some time ago and kept unchanged for whatever reasons.

Actually, you should have procedures in place to deal with stolen or lost devices. These must be updated now:

  • Users must change their passwords directly after the loss of a device is reported.
  • All certificates, soft and hard tokens used for securing remote access or access to sensitive data and services must be invalidated directly after a loss is reported.
  • The help desk must be notified of the loss and advised to report a security incident in the case of requests regarding the stolen device or the affected user accounts.

In any case, to keep the impact of a loss small the best advice for users is to store as little as possible sensitive data on portable devices.

For details on how to handle this issue please refer to the Microsoft security advisory ADV180028[4], published on 11/6/2018.

The big question is: Who takes care of the self encrypting external usb disks with keypad based on the buggy SSDs?

Have a great week.


  1. Abrams L. Flaws in Popular SSD Drives Bypass Hardware Disk Encryption [Internet]. BleepingComputer. 2018 [cited 2018 Nov 17]. Available from: https://www.bleepingcomputer.com/news/security/flaws-in-popular-ssd-drives-bypass-hardware-disk-encryption/
  2. Radboud University. Radboud University researchers discover security flaws in widely used data storage devices [Internet]. Radboud University. 2018 [cited 2018 Nov 17]. Available from: https://www.ru.nl/english/news-agenda/news/vm/icis/cyber-security/2018/radboud-university-researchers-discover-security/
  3. Rouse M. What is evil maid attack? – Definition from WhatIs.com [Internet]. SearchSecurity. 2018 [cited 2018 Nov 25]. Available from: https://searchsecurity.techtarget.com/definition/evil-maid-attack
  4. MSRC M. ADV180028 | Guidance for configuring BitLocker to enforce software encryption [Internet]. Security TechCenter. 2018 [cited 2018 Nov 17]. Available from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180028