The Biggest Vulnerabilities of 2020 Have Already Happened
A brand new year, so full of promise! A new decade even, certainly we are past the point of vendors shipping software and hardware full of vulnerabilities! Such hope is in vain however. Here we are, a mere two months in, and some huge security vulnerabilities have already dropped. You don't have to be a white hat to have heard about these three big vulnerabilities:
Windows RDP Bug
Citrix VPN Bug
Maybe they'll go down as the biggest of the year. Only time will tell. Let's do a quick roundup of what's happened already and how you can keep your systems safe.
Cable Haunt: A Major Cable Modem Vulnerability
The year started with a bang with the announcement of a cable modem vulnerability. Cable modems are typically provided by your ISP when you sign up for cable internet at your home or business. The modem is connected to your coax jack, then you plug your router into the modem. One important detail to note there: The modem is in front of your router, so there's no firewall between it and the internet. Routers have had their own issues in the past, but that's a different story.
This usually isn't an issue as the modem is typically managed by the ISP, with little or no access available to the customer, and the ISP needs full access to push firmware updates and config changes as needed.
Of course, things like this aren't an issue until they are, and in this case it is a HUGE issue. Researchers in Denmark publicly disclosed Cable Haunt in early January, which is what they have dubbed a vulnerability discovered on certain cable modems using Broadcom chipsets. The vulnerability involves a spectrum analyzer service running on the modem, which is used to see interference on the modem's connection to the internet (helpful for tech support when you call about slow service). This server is accessible from the internet and commonly is secured with a default set of credentials, such as username "spectrum" and password "spectrum." The researchers were able to access some modems however with no authentication required. D'oh.
What Does Cable Haunt Do?
What good does taking over a modem do? Quite a bit actually. With the Crash Haunt vulnerability, malicious actors can rewrite DNS requests to create man-in-the-middle attacks. They can even capture any unsecured data coming in or out of the network. Or one of our favorites: joining your modem to a botnet bent on world domination — or just some spam emailing and Bitcoin mining. So yeah, lots of nefarious possibilities.
We mentioned Broadcom, and this is where the responsibility for patching starts becoming grey. The exploit was originally found in Broadcom's reference code. The researchers say they contacted Broadcom to report the vulnerability and Broadcom replied some months later saying the issue had been fixed. At that point though it was up to the modem manufacturers to release firmware updates based on Broadcom's new code, AND THEN it's up to the ISPs to do their own testing and push of the firmware to customer modems. Good luck seeing this completely fixed in the wild any time soon.
How to Protect Yourself From Cable Haunt
Start with your modem's make and model. Only certain ones are affected, the researchers maintain a list on their site (scroll down to FAQ, expand the "Am I Affected?" section, then scroll down to "Vulnerable Modems.") If you are affected, there's little reason your ISP should require you to use their modem. Any modem that meets or exceeds the version of DOCSIS they are using to provide you service should work, but you might need to call in to tech support to get it configured correctly.
Windows RDP: Unauthenticated Access for All
A vulnerability in Windows is hardly newsworthy, it's more like reporting on the week starting yet again with another Monday. A vulnerability in Windows' Remote Desktop Protocol labeled by Microsoft labeled as critical is a little more interesting. However that same vulnerability allowing for unauthenticated access to Windows 10 and Windows Server machines is worthy of a spot in the top 10 vulns of the year.
What Does This RDP Bug Do?
This bug allows an attacker to run arbitrary code by connecting to RDP and sending specifically formatted requests. (For a full rundown on RDP, you can watch the Remote Management video in our 70-698 training.) Normally RDP requires authentication to allow a user to connect and get app or desktop access, however no authentication is needed in this case. While "arbitrary code" seems like a wide open playing field for how to pwn the server in question, a simple one-two punch of "net user /add" and "net localgroup administrators" is all that's required to grant yourself admin access. Since we are talking RDP here, all that's left to do is log in. If this server doesn't have anything too interesting, just install a network scanner, look for other more interesting machines on the LAN and proceed from there.
How to Protect Your Windows Machines
So how do you secure your servers? The obvious answer is update Windows. Microsoft released a patch at the same time as announcing the vuln, so the fix is ready for installing. A better answer might involve a change in your network infrastructure. Having RDP open to the internet is not really best practice, even if the machine is fully patched. While it's convenient for admins to work from outside the network, you're opening yourself up to brute force attacks against the machine from all kinds of bad actors. Even if your users have super-secure passwords, these attacks can slow down or crash servers if the traffic gets heavy enough. So get a VPN setup for remote access and close up RDP.
Another fun issue announced at the same time was a bug related to certificate validation. Windows has a cryptography library that validates X.509 certificates, basically confirming that they were issued by a source that the OS trusts and not some hax0r in his mom's basement.
Here's a video from the Cisco CCNA Cyber Ops 210-250 course about how X.509 digital certificates work:
This is important with certs not just to maintain the confidentiality of HTTPS websites, but also integrity in validating software-signing (helpful to identify malware) and encrypted emails and files (was the PGP signed email from the boss asking you to send $1 million to a Nigerian prince legit?). The fix, as announced by the NSA: "Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners." Only a government agency could make "GO UPDATE NOW!" sound so official.
Citrix VPN: Hold My Beer
So we can only imagine that Citrix heard about those Windows RDP vulns and had a "hold my beer" moment, because only days later they announced updates for a very similar set of bugs with their Citrix Application Delivery Controller and Citrix Gateway products.
What Does This Citrix VPN Bug Do?
Citrix Gateway in particular is of interest, because that product is used to provide VPN access into networks. Like with Microsoft, the bugs allow unauthenticated remote code execution on the publicly exposed servers. Again, once an attacker has a foothold on a single server, it's trivial to pivot and access the rest of the network.
Of particular note from the stories associated with this vulnerability was the number of Citrix VPN servers in use by local, state, and federal government agencies in the US, including the U.S. Army. Reportedly, researchers still found thousands of unpatched servers on the internet in the days after the patch's release. Exfiltrating data, stealing plain text credentials from config files, holding encrypting data for random, we can't overemphasis how destructive a remote code execution bug can be for any organization. And don't think that this is some sophisticated attack that can only be performed by elite hackers. PoC code for the exploit is freely available, published by security researchers on GitHub.
How to Protect Yourself From Everything
The fix for just about all of these? It's nothing fancy. Patch early and patch often. Especially with any service exposed to the internet, it is so critical that those systems must be monitored and updated, otherwise you might just be rolling out the red carpet for bad actors across the interwebs. Stay safe out there and keep those systems secure!