CERT-SEI

Exim is an open source mail server or message transfer agent(MTA)that is used on Unix-like operating systems. Versions 4.8.0 up to and including 4.92.1 of Exim fail to properly handle peer DN and SNI during a TLS negotiation. The SMTP delivery process is vulnerable to a buffer overflow that can be exploited in the default runtime configuration with specially crafted SNI data. In other configurations,can be exploited with a crafted client TLS certificate. This could allow a local or remote attacker to execute arbitrary code with root privileges. Exim servers that accept TLS connections are vulnerable.

Bluetooth is a short-range wireless technology based off of a core specification that defines six different core configurations,including the Bluetooth Basic Rate/Enhanced Data Rate Core Configurations. Bluetooth BR/EDR is used for low-power short-range communications. To establish an encrypted connection,two Bluetooth devices must pair with each other and establish a link key that is used to generate the encryption key. For example,assume that there are two controllers attempting to establish a connection:Alice and Bob. After authenticating the link key,Alice proposes that she and Bob use 16 bytes of entropy. This number,N,could be between 1 and 16 bytes. Bob can either accept this,reject this and abort the negotiation,or propose a smaller value. Bob may wish to propose a smaller N value because he(the controller)does not support the larger amount of bytes proposed by Alice. After proposing a smaller amount,Alice can accept it and request to activate link-layer encryption with Bob,which Bob can accept. An attacker,Charlie,could force Alice and Bob to use a smaller N by intercepting Alice's proposal request to Bob and changing N. Charlie could lower N to as low as 1 byte,which Bob would subsequently accept since Bob supports 1 byte of entropy and it is within the range of the compliant values. Charlie could then intercept Bob's acceptance message to Alice and change the entropy proposal to 1 byte,which Alice would likely accept,because she may believe that Bob cannot support a larger N. Thus,both Alice and Bob would accept N and inform the Bluetooth hosts that encryption is active,without acknowledging or realizing that N is lower than either of them initially intended it to be.

The Security Considerations section of RFC7540 discusses some of the considerations needed for HTTP/2 connections as they demand more resources to operate than HTTP/1.1 connections. While it generally covers expected behavior considerations,how to mitigate abnormal behavior is left to the implementer which can leave it open to the following weaknesses. CVE-2019-9511,also known as Data Dribble The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued,this can consume excess CPU,memory,or both,potentially leading to a denial of service. CVE-2019-9512,also known as Ping Flood The attacker sends continual pings to an HTTP/2 peer,causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued,this can consume excess CPU,memory,or both,potentially leading to a denial of service. CVE-2019-9513,also known as Resource Loop The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU,potentially leading to a denial of service. CVE-2019-9514,also known as Reset Flood The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames,this can consume excess memory,CPU,or both,potentially leading to a denial of service. CVE-2019-9515,also known as Settings Flood The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame,an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued,this can consume excess CPU,memory,or both,potentially leading to a denial of service. CVE-2019-9516,also known as 0-Length Headers Leak The attacker sends a stream of headers with a 0-length header name and 0-length header value,optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory,potentially leading to a denial of service. CVE-2019-9517,also known as Internal Data Buffering The attacker opens the HTTP/2 window so the peer can send without constraint; however,they leave the TCP window closed so the peer cannot actually write(many of)the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses,this can consume excess memory,CPU,or both,potentially leading to a denial of service. CVE-2019-9518,also known as Empty Frame Flooding The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA,HEADERS,CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU,potentially leading to a denial of service.

Cylance PROTECT is an endpoint protection system. It contains an antivirus functionality that uses a machine learning algorithm(specifically,a neural network)to classify executables as malicious or benign. Security researchers isolated properties of the machine learning algorithm allowing them to change most known-malicious files in simple ways that cause the Cylance product to misclassify the file as benign. Several common malware families,such as Dridex,Gh0stRAT,and Zeus,were reported as successfully modified to bypass the Cylance product in this way. The success rate of the bypass is reported as approximately 85%of malicious files tested. Cylance reports a 50%bypass creation success rate based on internal testing. Either way,attacker effort to find a successful bypass would be low. Unsophisticated attackers can leverage this flaw to change any executable to which they have access; the defense evasion does not require rewriting the malware,just appending strings to it. The specific attack reported by Skylight Cyber relies on a particular set of strings used by the Cylance product. Although Cylance used an ensemble model that made some uncommon model design choices to achieve a white-listing functionality,this over-reliance on specific details when classifying a file is an instance of a common weakness in machine learning algorithms. For a comprehensive discussion of attacks on machine learning systems,see Papernot N,McDaniel P,Sinha A,Wellman MP. SoK:Security and privacy in machine learning. IEEE EuroS&P 2018. Because this flaw is an instance of a broader category of weaknesses in machine learning algorithms,we do not expect an easy solution. Cylance describes their response as"three-fold:First,we have added anti-tampering controls to the parser in order to detect feature manipulation and prevent them from impacting the model score. Second,we have strengthened the model itself to detect when certain features become proportionally overweight. Lastly,we have removed the features in the model that were most susceptible to tampering."This patch should stop the specific keywords used by the Skylight Cyber researchers from allowing an attacker to bypass detection and increase attacker effort required to find similar bypass techniques. However,the method described by the Skylight Cyber researchers to find and recover the features of the Cylance product is likely to enable the recovery of manipulable features from other security products that rely on machine learning. Although Cylance has removed features"most susceptible to tampering,"our understanding of adversarial manipulation of machine learning classifiers in other domains suggests that the remaining features almost certainly provide adequate freedom for tampering. This inference is based on the structural similarity of the Cylance machine learning model(a neural network)to models that have been successfully deceived in the domains of,for example,facial recognition or visual recognition in self-driving cars. There is some evidence that deception remains relatively easy despite the structure of computer network traffic; we are unaware of public evidence as to whether file structure carries the same limitations. This environment is the context behind and likely driver of Cylance's statement that"AI and machine learning models are,by nature,living models. They are designed to evolve and do require periodic retraining and field servicing when appropriate."

The process file system(/proc)in Oracle Solaris 11 and Solaris 10 provides a self/alias that refers to the current executing process's PID subdirectory with state information about the process. Protection mechanisms for/proc in Solaris 11/10 did not properly restrict the current(self)process from modifying itself via/proc. For services strictly providing file IO this lack of restriction allows an attacker to modify the process providing the file IO and execute arbitrary code.

The Stack Protection feature provided in the LLVM Arm backend protects against buffer overflows by adding a cookie value between local variables and the stack frame return address. The compiler stores this value in memory and checks the cookie with the LocalStackSlotAllocation function to ensure that it has not changed or been overwritten. If the value has changed,then the function will terminate. Since it currently pre-allocates the stack protector before the local variables in the stack,it's possible that a new stack protector can be allocated later in the process. If that happens,it leaves the stack protection ineffective as the new stack protector slot appears after the local variables that it is meant to protect.

Microsoft Exchange supports a API called Exchange Web Services(EWS). One of the EWS API functions is called PushSubscriptionRequest,which can be used to cause the Exchange server to connect to an arbitrary website. Connections made using the PushSubscriptionRequest function will attempt to negotiate with the arbitrary web server using NTLM authentication. Starting with Microsoft Exchange 2013,the NTLM authentication over HTTP fails to set the NTLM Sign and Seal flags. The lack of signing makes this authentication attempt vulnerable to NTLM relay attacks. Microsoft Exchange is by default configured with extensive privileges with respect to the Domain object in Active Directory. Because the Exchange Windows Permissions group has WriteDacl access to the Domain object,this means that the Exchange server privileges obtained using this vulnerability can be used to gain Domain Admin privileges for the domain that contains the vulnerable Exchange server.

CVE-2019-11477:SACK Panic(Linux>=2.6.29). A sequence of specifically crafted selective acknowledgements(SACK)may trigger an integer overflow,leading to a denial of service or possible kernel failure(panic). CVE-2019-11478:SACK Slowness(Linux<4.15)or Excess Resource Usage(all Linux versions). A sequence of specifically crafted selective acknowledgements(SACK)may cause a fragmented TCP queue,with a potential result in slowness or denial of service. CVE-2019-5599:SACK Slowness(FreeBSD 12 using the RACK TCP Stack). The TCP loss detection algorithm,Recent ACKnowledgment(RACK),uses time and packet or sequence counts to detect losses. RACK uses linked lists to track and identify missing packets. A sequence of specifically crafted acknowledgements may cause the linked lists to grow very large,thus consuming CPU or network resources,resulting in slowness or denial of service. CVE-2019-11479:Excess Resource Consumption Due to Low MSS Values(all Linux versions). The default maximum segment size(MSS)is hard-coded to 48 bytes which may cause an increase of fragmented packets. This vulnerability may create a resource consumption problem in both the CPU and network interface,resulting in slowness or denial of service. For detailed descriptions of these vulnerabilities,see: https://github.com/Netflix/security-bulletins/blob/master/advisories/third- party/2019-001.md

Task Scheduler is a set of Microsoft Windows components that allows for the execution of scheduled tasks. The front-end components of Task Scheduler,such as schtasks.exe,are interfaces that allow for users to view,create,and modify scheduled tasks. The back-end part of Task Scheduler is a Windows service that runs with SYSTEM privileges. One of the libraries used by the Task Scheduler service,schedsvc.dll,has a function called tsched::SetJobFileSecurityByName(),which sets permissions of job files. The permissions of the job file in the%Windir%\system32\tasks directory are modified to give the calling user full permissions to the job file that they have created. At the point where the SetSecurityInfo()function is called,the Task Scheduler service has the NT Authority\SYSTEM security token. This means that the Task Scheduler service can give full user access permissions to files that may only be controlled by the SYSTEM or other privileged accounts. Public proof-of-concept exploit code leverages the legacy schtasks.exe and schedsvc.dll code from Windows XP to take advantage of these high privilege levels when setting file permissions. Versions of Windows prior to Vista used job files in the%Windir%\tasks directory. Legacy versions of schtasks.exe will cause these jobs to be migrated to the%Windir%\system32\tasks directory when those program versions are executed on modern Windows platforms. In conjunction with the SYSTEM security token used by the Task Scheduler service,this migration behavior can be used along with hard links to grant full permissions of protected files to any user on a Windows system. We have confirmed that the public exploit code functions reliably on 32- and 64-bit Windows 10 platforms,as well as Windows Server 2016 and Windows Server 2019. While Windows 8 still contains this vulnerability,exploitation using the publicly-described technique is limited to files where the current user has write access,in our testing. As such,the impact on Windows 8 systems using the technique used by the public exploit appears to be negligible. We have not been able to demonstrate the vulnerability on Windows 7 systems.

CERT continues to review the WPA3 protocol in support of this body of research. The root cause of the numerous"implementation"vulnerabilities may involve modifying the protocol. WPA3 uses Simultaneous Authentication of Equals(SAE),also known as Dragonfly Key Exchange,as the initial key exchange protocol,replacing WPA2's Pre-Shared Key(PSK)protocol. hostapd is a daemon for access point and authentication servers used by WPA3 authentication. wpa_supplicant is a wireless supplicant that implements key negotiation with the WPA Authenticator and supports WPA3. Both of these components,as implemented with Extensible Authentication Protocol Password(EAP-PWD)and SAE,are vulnerable as follows: CVE-2019-9494:SAE cache attack against ECC groups(SAE side-channel attacks)- CWE-208 and CWE-524 The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. CVE-2019-9495:EAP-PWD cache attack against ECC groups(EAP-PWD side-channel attack)- CWE-524 The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of cache access patterns. Versions of hostapd and wpa_supplicant versions 2.7 and earlier,with EAP-PWD support are vulnerable. CVE-2019-9496:SAE confirm missing state validation - CWE-642 An invalid authentication sequence could result in the hostapd process terminating due to missing state validation steps when processing the SAE confirm message when in hostapd/AP mode. All version of hostapd with SAE support are vulnerable. CVE-2019-9497:EAP-PWD reflection attack(EAP-PWD missing commit validation)- CWE-301 The implementations of EAP-PWD in hostapd EAP Server and wpa_supplicant EAP Peer do not validate the scalar and element values in EAP-pwd-Commit. CVE-2019-9498:EAP-PWD server missing commit validation for scalar/element - CWE-346 The implementations of EAP-PWD in hostapd EAP Server,when built against a crypto library missing explicit validation on imported elements,do not validate the scalar and element values in EAP-pwd-Commit. CVE-2019-9499:EAP-PWD peer missing commit validation for scalar/element - CWE-346 The implementations of EAP-PWD in wpa_supplicant EAP Peer,when built against a crypto library missing explicit validation on imported elements,do not validate the scalar and element values in EAP-pwd-Commit.

Microsoft Windows Remote Desktop supports a feature called Network Level Authentication(NLA),which moves the authentication aspect of a remote session from the RDP layer to the network-layer. The use of NLA is recommended to reduce the attack surface of systems exposed using the RDP protocol. In Windows a session can be locked,which presents the user with a screen that requires authentication to continue using the session. Session locking can happen over RDP in the same way that a local session can be locked. CWE-288:Authentication Bypass Using an Alternate Path or Channel(CVE-2019-9510) Starting with Windows 10 1803 and Windows Server 2019,Windows RDP handling of NLA-based RDP sessions has changed in a way that can cause unexpected behavior with respect to session locking. If a network anomaly triggers a temporary RDP disconnect,upon automatic reconnection the RDP session will be restored to an unlocked state,regardless of how the remote system was left. For example,consider the following steps: User connects to remote Windows 10 1803 or Server 2019 or newer system using RDP. User locks remote desktop session. User leaves the physical vicinity of the system being used as an RDP client At this point,an attacker can interrupt the network connectivity of the RDP client system,which will result in the session with the remote system being unlocked without requiring any credentials. Two-factor authentication systems that integrate with the Windows login screen,such as Duo Security MFA,are also bypassed using this mechanism. Any login banners enforced by an organization will also be bypassed.

CVE-2018-5404:The Dell Kace K1000 Appliance allows an authenticated,remote attacker with least privileges('User Console Only' role)to potentially exploit multiple Blind SQL Injection vulnerabilities to retrieve sensitive information from the database or copy the entire database. (CWE-89) CVE-2018-5405:The Dell Kace K1000 Appliance allows an authenticated least privileged user with‘User Console Only’rights to potentially inject arbitrary JavaScript code on the tickets page. Script execution could allow a malicious user of the system to steal session cookies of other users including Administrator and take over their session. This can further be exploited to launch other attacks. The software also does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79) CVE-2018-5406:The Dell Kace K1000 Appliance allows a remote attacker to exploit the misconfigured Cross-Origin Resource Sharing(CORS)mechanism. An unauthenticated,remote attacker could exploit this vulnerability to perform sensitive actions such as adding a new administrator account or changing the appliance’s settings. A malicious internal user could also gain administrator privileges of this appliance and use it to visit a malicious link that exploits this vulnerability. This could cause the application to perform sensitive actions such as adding a new administrator account or changing the appliance’s settings. (CWE-284)