Les Bell
Blog entry by Les Bell
News Stories
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
Intel APIC Vulnerability Breaks Crypto
A couple of security students from Rome and Graz, Austria, have discovered a vulnerability in Intel's SGX security archicture which will leak information via uninitialized memory reads - a variation on the classic Time of Check/Time of Use class of vulnerabilities.
The SGX architecture is intended to protect sensitive data such as encryption keys in memory by the creation of secure memory blocks called enclaves. The proof-of-concept exploit uses a vulnerability in the Advanced Programmable Interrupt Controller to access stale data in registers and thereby break SGX, obtaining a 128-bit AES key in 1.35 seconds with 94% success rate. It can alse extract a 1024-bit RSA key (but who uses those?) in an average of 81 seconds with a 74% success rate.
The lesson here? The complexity of modern CPU's is making it impossible to make guarantees about security. For some years, the use of formal methods in hardware design had made the possible, but for the last 5 years or so, we have seen the growth of CPU vulnerabilities like Spectre, Meltdown and others which created sidechannel attacks, and now ÆPIC. As we have long known, the enemy of security is complexity.
Goodin, Dan, SGX, Intel's supposedly impregnable data fortress, has been breached yet again, Ars Technica, 10 August 2022. Available online at https://arstechnica.com/information-technology/2022/08/architectural-bug-in-some-intel-cpus-is-more-bad-news-for-sgx-users/.
WIndows 11 Crypto Bug Corrupts Data
A newly-discovered bug in Windows 11 affects systems using AES-XTS and AES-GCM encryption modes on Intel Ice Lake, Tiger Lake, Rocket Lake and Alder Lake processors. Let's break this down.
AES-XTS is XEX-based tweaked codebook mode with ciphertext stealing (I won't delve further into this, but it's something I cover in a forthcoming course on crypto for developers), and is primarily used for encrypted filesystems such as Bitlocker, Veracrypt, etc. AES-CGM is much more common - it's the Galois Counter Mode used by the majority of TLS connections on the web.
The processor architectures listed cover some of Intel's 10th-generation laptop processors, as well as all their 11th- and 12th-geeration Core CPU's. AMD's as yet un-released Zen 4 processors will also support the VAES (Vector AES) instructions which underlie the problem.
Microsoft introduced a patch for the problem in the June 2022 security update package for Windows 11 and Windows Server 2022. If you have deployed this patch, you will not be hit with the data corruption problem - but systems running before this may have as-yet-undetected corrupted data - most likely in encrypted filesystems. Clearly, the fix should be applied ASAP. The first version of the patch caused performance degradation, probably because it disabled hardware crypto acceleration. The July 2022 version should remedy this, however.
Unattributed, KB5017259 - Windows devices that have the newest supported processors might be susceptible to data damage, Microsoft Windows support, August 2022. Available online at https://support.microsoft.com/en-us/topic/kb5017259-windows-devices-that-have-the-newest-supported-processors-might-be-susceptible-to-data-damage-d5e7c0cb-6e0a-4865-81ed-c82e91657a24.
Cisco Small Business Routers - Update Urgently
Cisco has disclosed multiple vulnerabilities in their Small Business RV160, RV260, RV340 and RV345 series routers, which can allow a remote code execution (RCE) by an unauthenticated remote threat attacker, or simply trigger a denial of service. There are no workarounds - the only fix is a software update.
You know what to do.
Uncredited, Cisco Small Business RV Series Routers Vulnerabilities, Cisco Security Advisory, 3 August 2022. Available online at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-mult-vuln-CbVp4SUR.
A New Form of Steganography
The classic approach to steganography was the use of milk, urine and other substances as an invisible ink which would reveal a message when heated over a candle. Now, scientists at the University of Texas at Austin have put a twist on this by storing a 256-bit encryption key into a polymer material made up of sequence-defined polymers - basically long chains of polymers, each of which corresponds to one of 16 different symbols, which they then incorporated into a special ink.
Ouelette, Jennifer, Scientists hid encryption key for Wizard of Oz text in plastic molecules, Ars Technica, 9 August 2022. Available online at https://arstechnica.com/science/2022/08/scientists-encoded-the-wizard-of-oz-in-the-chemical-structure-of-ink/.
Customer Engagement Firm Twilio Breached
Twilio, which provides mass marketing, email and customer communications services, had several employees fall victim to a smishing attack, which gained an as-yet-unidentified threat actor access to some of the company's internal systems. The SMS messages looked credible, taking employees to what looked like Twilio's SSO sign-in page hosted at fake domains.
This illustrates a weakness in using federated identity management systems hosted by external providers - they take the employee out of the company domain to one they don't really take notice of, in order to sign in. The best additional layer of defence is multi-factor authentication - and a text-message-based mTAN is emphatically not the right approach here!
Uncredited, Incident Report: Employee and Customer Account Compromise - August 4, 2022, Twilio Security Blog, 7 August 2022. Available online at https://www.twilio.com/blog/august-2022-social-engineering-attack.
Nice Doggy - Now Roll Over
A few weeks ago, a video of a robot dog firing a machine gun went viral:
If this has been giving you sleepless nights, take comfort from the fact that the robot killer canine is just as vulnerable as your garage door opener - a kill signal sent over a 433 MHz channel will instantly disable the dog. You can use any of many devices, such as a Flipper Zero, to send the signal; if you aren't familiar with these, ask your friendly local car thief.
Gault, Matthew, Hacker Finds Kill Switch for Submachine Gun-Wielding Robot Dog, Vice, 8 August 2022. Available online at https://www.vice.com/en/article/akeexk/hacker-finds-kill-switch-for-submachine-gun-wielding-robot-dog.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.