Corporate Responsibility

Advisories

Here we publish the descriptions of vulnerabilities that Deutsche Telekom’s pentesters have found in the context of tests of solutions Deutsche Telekom uses. All weaknesses are only published with the consent of the affected parties after the vulnerability has been corrected (Responsible Disclosure). We also publish technical comments and important CERT Advisories.

March 22,  2019

A new critical remote buffer overflow vulnerability (CVE -2019 -8981) in the axTLS library for embedded devices (version 2.1.4, http://axtls.sourceforge.net) was discovered on 2019 February 20 with modern fuzzing methods, which possibly allows remote code executions. A new fixed version (2.1.5) countering this is now available for download.

View the full report (pdf, 258.8 KB)

July 31,  2018

The Now Platform delivers a System of Action for the enterprise. Using a single data model, it’s easy to create contextual workflows and automate any business process. Anyone, from the business user to the professional developer, can easily build applications at lightspeed.

Any application user on the Now Platform can make requests through service catalogs, find information in common knowledge bases, and be notified about the actions and information they care about the most.

View the full report (pdf, 24.8 KB)

Variant of Satori/Mirai detected attacking public available ADB shells

10 July 2018

On the 10th of July at 23:30 UTC we noticed an increased traffic on our blackhole monitoring on TCP port 5555. Upon further analyzation, we saw a big chunk of this traffic coming from China, USA and the Dominican Republic. In total we gathered 246.434 packets from 68.361 unique IPs. Based on the packet details we gathered, we can assume that the packets were generated by a lot of different devices. In addition, the traffic behavior on port 555 matches the typicall scan behavior of botnets.

View the full report (pdf, 24.8 KB)

Dangers of Dynamic Data Exchange (Windows)

11 May 2018

A small feature in MS Office apps can be used to install malware. See Microsoft Security Advisory 4053440 details how to disable DDE completely, or at least how to minimize the effect of malicious documents.

View the full report (pdf, 1.7 MB)

Kaltura Video Platform - Pre-Auth Remote Code Execution (and XSS)

12 Sep 2017

During an interal pentest several critical vulnerabilities could be identified in the latest version of Kaltura Community and Enterprise. The vulnerabilities were fixed in the latest release 13.2.0.
A proof of concept exploit may be released later, giving time for users to patch.

View the full advisory

5 Jan 2018

By misuse of several processor bugs it is possible to break up the separation between the kernel and user space.

Deutsche Telekom CERT Assessment

On Intel CPU driven platforms, it is possible for normal user programs to gather information about protected kernel memory areas (“Meltdown attack”, CVE-2017-5754) [1] [2].  This results in an information leakage between kernel and user space.

This vulnerability affects every Intel CPU produced in the past decade (CPUs since 1995 except Itanium and pre-2013 Atoms). The in [3] listed ARM cores are also affected by this vulnerability.

 A further issue is described in the “Spectre attack” (CVE-2017-5753 and CVE-2017-5715). Spectre allows a user-mode application to extract information from other processes or VMs to access memory of other VMs. This vulnerability affects all listed Intel CPUs, as well as AMD’s Ryzen, FX and Pro families and several ARM Cortex cores listed in [3].

Official disclosure for Spectre and Meltdown took place on 2018-01-04 [10].

To exploit both vulnerabilities an attacker needs to be able to execute code on the target machine.

Thus, up to now network components like routers, switches, firewalls, mobiles or CPEs don’t provide enough attack surface for exploitation even if they are affected. On most network components it is very difficult to run attacker crafted code because they’ve never been designed to run custom code.

Recommendations

  • Apply patches as soon as they are available from the respective supplier
    (for Microsoft desktop systems check availability with AV vendors [13])
  • Top priority should be patching of (see timeline below)
    o   hypervisors of cloud systems
    o   operating systems of desktop clients and virtual/remote desktop systems
    o   operating systems of hosting platforms
  • On XEN hypervisors:
    o   Enable “supervisor mode execute protection” if possible
    o   Evaluate if XEN VMs can be run in HVM or PVM mode (only PV hosting hypervisors are affected)
  • For network components
    o   Even if an attack is unlikely ask your vendor if your device is vulnerable and needs patching

Patch Prioritization

In general high priority patching is advised for every machine which runs untrusted code from third parties. On shared and exclusive private clouds there is less risk because these platforms are dedicated to trusted customers. On all other servers it is unlikely that an attacker is able to run arbitrary code. Patch your system based on local patch cycles.

Due to the complexity of the attack it is unlikely that smartphones get exploited.

Patch Availability

  • Microsoft Windows 7 SP1, 8.1, 10 [5]
    o   McAfee is now patch compatible [12]
    o   Further AV vendors can be found in [13]
    o   A registry key has to be set. Without the key the client doesn’t fetch the update. See [5].
  • Microsoft Windows Server 2008 R2, Server 2012 R2, Server 2016, Server Version 1709 Attention: The mitigation has to be enabled via registry [6]
  • Mac OS X 10.13.1 (10.13.2 isn’t vulnerable)
  • Several Suse Linux and RHEL distributions [7] [8]
  • VMware ESXi 5.5 to 6.5, Workstation 12.X and 14.X, Fusion 8.X [9]
  • Android (patchlevel 2018-01-05)
  • iOS (patchlevel 11.2) 

Linux Kernel patches will be most probably available on 2018-01-09.

IBM AIX patches will be most probably available on 2018-01-12 [11].

There is no announcement for a SOLARIS patch, we are in touch with Oracle.

Further Information

References:

[1] https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

[2] http://www.cs.vu.nl/~herbertb/download/papers/anc_ndss17.pdf

[3] https://developer.arm.com/support/security-update

[4] https://xenbits.xen.org/xsa/advisory-254.html

[5] https://support.microsoft.com/en-us/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe

[6] https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution-s

[7] https://www.suse.com/de-de/security/cve/CVE-2017-5754/

[8] https://access.redhat.com/security/vulnerabilities/speculativeexecution

[9] https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html

[10] https://spectreattack.com/

[11] https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

[12] https://kc.mcafee.com/corporate/index?page=content&id=KB90167

[13]https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true


About Telekom Security: Telekom Security is the security provider for Deutsche Telekom and Deutsche Telekom customers.
https://security.telekom.com
https://telekomsecurity.github.io
http://www.sicherheitstacho.eu

FAQ