Hacker

Citrix patches 11 critical bugs

July 8, 2020 By William Knowles

Citrix patches 11 critical bugs

By William Knowles @c4i
Senior Editor
InfoSec News
July 8, 2020

In a breath of fresh air for this week, software vendor Citrix released patches for 11 vulnerabilities, quickly applying the lesson learned six months ago and not wanting a repeat with malicious hackers looking for ways to exploit the vulnerability.

Citrix Chief Information Security Officer, Fermin J. Serna released a bulletin on Tuesday, July 7, which covered a set of vulnerabilities in Citrix’s products— Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP edition. Standard procedure for most software companies in advising customers of vulnerabilities is limited to the publication of the bulletin and related CVEs.

Serna took the opportunity to explain the following points as it relates to CTX276688.

The latest patches fully resolve all the issues.
Of the 11 vulnerabilities, there are six possible attack routes; five of those have barriers to exploitation.
We are not aware of any exploitation of these issues.
Citrix-managed Gateway service is not affected.
And finally, these vulnerabilities are not related to CVE-2019-19781.

Barriers to Exploitation

There are barriers to many of these attacks; in particular, for customers where there is no untrustworthy traffic on the management network, the remaining risk reduces to a denial-of-service attack. And in that case, only when Gateway or authentication virtual servers are being used. Other virtual servers, for example, load balancing and content switching virtual servers, are not affected by the issue.

Three of the six possible attacks in CTX276688 occur in the management interface of a vulnerable device. Systems deployed in line with Citrix recommendations will already have this interface separated from the network and protected by a firewall. That configuration greatly diminishes the risk.

Further, while I am not discounting the risk of privilege escalation, two of the remaining three possible attacks additionally require some form of existing access. That effectively means an external malicious actor would first need to gain unauthorized access to a vulnerable device to be able to conduct an attack.

While these barriers reduce the risk of these vulnerabilities, Citrix strongly recommends quick application of the supplied patches.

To help our customers and the industry understand these vulnerabilities, I have included a brief summary of the vulnerabilities, the affected products, and the attack vector in the table form below. The security bulletin and CVEs provide much greater detail and should be used for technical guidance.

CVE-2019-19781

There is no technical link between CVE-2019-19781 and CTX276688. Further, with CVE-2019-19781, we took the unusual step of publishing temporary mitigations in December, with subsequent permanent patches being available in January 2020. We took that step because of a high likelihood an exploit was “in the wild” and temporary mitigations gave our customers a chance to protect themselves. That is in stark contrast to the current situation: with the vulnerabilities in CTX276688, at the time of this publication, we know of no malicious exploits and have published patches that fully resolve the issues.

Citrix SD-WAN WANOP

Customers on Citrix SD-WAN WANOP should also pay heed to the advisory just released as ADC is a component within the SD-WAN WANOP deployment. Fixes are available at https://www.citrix.com/downloads/citrix-sd-wan/

Protecting Our Customers

We are limiting the public disclosure of many of the technical details of the vulnerabilities and the patches to further protect our customers. Across the industry, today’s sophisticated malicious actors are using the details and patches to reverse engineer exploits. As such, we are taking steps to advise and help our customers but also do what we can to shield intelligence from malicious actors.

Related, we have added staff to our technical support call centers and are prepared to assist our customers. We’ve built and tested our patches to high standards, both to ensure effectiveness but also with the ease of implementation in mind.

Bottom line: patches are available, and we encourage our customers to apply them to reduce risk.

You can use Citrix ADM Service for simplified and bulk upgrade of all your Citrix ADC instances. Please refer to this documentation to learn more. Citrix ADM Service is a SaaS solution available on Citrix Cloud to help manage, monitor, analyze, and troubleshoot your global hybrid multi-cloud application delivery infrastructure from a single touchpoint. It helps with faster time to value and brings in operational efficiency. Here is a video to help get you onboarded to Citrix ADM Service. You can also view our documentation here.

Also of note, we remain committed to incorporating feedback from our customers and adapting our communication and customer support offerings as needed.

As noted in this blog, we recently updated our vulnerability processes, and we published those updates on the Citrix Trust Center website. These updates include enhancements in our processes around international standard ISO/IEC 29147:2018; an opportunity to apply for pre-notification of security bulletins; and the Hall of Fame honoring those third parties that work collaboratively and responsibly with us to improve the security of our products.

CVE ID	Vulnerability Type	Affected Products	Attacker Privileges	Pre-conditions
CVE-2019-18177	Information disclosure	Citrix ADC, Citrix Gateway	Authenticated VPN user	Requires a configured SSL VPN endpoint
CVE-2020-8187	Denial of service	Citrix ADC, Citrix Gateway 12.0 and 11.1 only	Unauthenticated remote user	Requires a configured SSL VPN or AAA endpoint
CVE-2020-8190	Local elevation of privileges	Citrix ADC, Citrix Gateway	Authenticated user on the NSIP	This issue cannot be exploited directly. An attacker must first obtain nobody privileges using another exploit
CVE-2020-8191	Reflected Cross Site Scripting (XSS)	Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP	Unauthenticated remote user	Requires a victim who must open an attacker-controlled link in the browser while being on a network with connectivity to the NSIP
CVE-2020-8193	Authorization bypass	Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP	Unauthenticated user with access to the NSIP	Attacker must be able to access the NSIP
CVE-2020-8194	Code Injection	Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP	Unauthenticated remote user	Requires a victim who must download and execute a malicious binary from the NSIP
CVE-2020-8195	Information disclosure	Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP	Authenticated user on the NSIP	–
CVE-2020-8196	Information disclosure	Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP	Authenticated user on the NSIP	–
CVE-2020-8197	Elevation of privileges	Citrix ADC, Citrix Gateway	Authenticated user on the NSIP	–
CVE-2020-8198	Stored Cross Site Scripting (XSS)	Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP	Unauthenticated remote user	Requires a victim who must be logged in as an administrator (nsroot) on the NSIP
CVE-2020-8199	Local elevation of privileges	Citrix Gateway Plug-in for Linux	Local user on the Linux computer running Citrix Gateway Plug-in	A pre-installed version of Citrix Gateway Plug-in for Linux must be running

USCYBERCOM urgently recommends F5 customers to patch CVE-2020-5902 and 5903 NOW

July 6, 2020 By William Knowles

InfoSec News

By William Knowles @c4i
Senior Editor
InfoSec News
July 6, 2020

Just in case you accidentally had your work phone and duty pager in a Faraday bag all July 4th holiday weekend long, you have one heckuva surprise waiting for you!

As F5 reminds everyone that 48 of Fortune 50 companies are F5 customers, F5 has published a security advisory warning to their customers to patch a critical flaw in their BIG-IP product and proof-of-concept attacks are already starting to show up on Twitter.

The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages. (CVE-2020-5902)

Impact

This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.

Security Advisory Status

F5 Product Development has assigned IDs 895525, 900757, 895981, and 895993 (BIG-IP) to this vulnerability. To determine if your product and version have been evaluated for this vulnerability, refer to the Applies to (see versions) box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to K51812227: Understanding Security Advisory versioning.

Product	Branch	Versions known to be vulnerable	Fixes introduced in	Severity	CVSSv3 score¹	Vulnerable component or feature
BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM)	15.x	15.1.0	15.1.0.4	Critical	10.0	TMUI/Configuration utility
	15.x	15.0.0	None
	14.x	14.1.0 – 14.1.2	14.1.2.6
	13.x	13.1.0 – 13.1.3	13.1.3.4
	12.x	12.1.0 – 12.1.5	12.1.5.2
	11.x	11.6.1 – 11.6.5	11.6.5.2
BIG-IQ Centralized Management	7.x	None	Not applicable	Not vulnerable	None	None
	6.x	None	Not applicable
	5.x	None	Not applicable
Traffix SDC	5.x	None	Not applicable	Not vulnerable	None	None

¹The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Fixes introduced in column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists. Mitigation F5 recommends upgrading to a fixed software version to fully mitigate this vulnerability. If you are leveraging public cloud marketplaces (AWS, Azure, GCP, and Alibaba) to deploy BIG-IP Virtual Edition (VE), F5 recommends upgrading to the latest releases of BIG-IP versions listed in the Fixes introduced in column subject to their availability on those marketplaces. If it is not possible to upgrade at this time, you can use the following sections as temporary mitigations:

All network interfaces To eliminate the ability for unauthenticated attackers to exploit this vulnerability, add a LocationMatch configuration element to httpd. To do so perform the following procedure: Note: Authenticated users will still be able to exploit the vulnerability, independent of their privilege level. Impact of workaround: Performing the following procedure should not have a negative impact on your system.

Log in to the TMOS Shell (tmsh) by entering the following command:tmsh
Edit the httpd properties by entering the following command:edit /sys httpd all-properties
Locate the include section and add the following:include ‘ <LocationMatch “.*\.\.;.*”> Redirect 404 / </LocationMatch> ‘
Write and save the changes to the configuration file by entering the following commands:Esc :wq!
Save the configuration by entering the following command:save /sys config
Restart the httpd service by entering the following command:restart sys service httpd

Self IPs Block all access to the TMUI of your BIG-IP system via Self IPs. To do so, you can change the Port Lockdown setting to Allow None for each Self IP in the system. If you must open any ports, you should use Allow Custom, taking care to disallow access to TMUI. By default, TMUI listens on TCP port 443; however, beginning in BIG-IP 13.0.0, Single-NIC BIG-IP VE deployments use TCP port 8443. Alternatively, a custom port may be configured. Note: This prevents all access to the TMUI/Configuration utility via the Self IP. These changes may also impact other services. Before making changes to the configuration of your Self IPs, refer to the following:

Management interface To mitigate this vulnerability for affected F5 products, you should only permit management access to F5 products over a secure network. For more information about securing access to BIG-IP systems, refer to K13309: Restricting access to the Configuration utility by source IP address (11.x – 15.x) and K13092: Overview of securing access to the BIG-IP system. Note: Authenticated users accessing TMUI will always be able to exploit this vulnerability until a fixed release is installed.

Acknowledgements

F5 would like to acknowledge Mikhail Klyuchnikov of Positive Technologies for bringing this issue to our attention and for following the highest standards of coordinated disclosure.

Supplemental Information

Cyber criminals cook up another data breach of 8 million Home Chef customers

May 21, 2020 By William Knowles

By William Knowles @c4i
Senior Editor
InfoSec News
May 21, 2020

Just as Chicago can’t go a whole week without a gang-related shooting, there’s another data breach in the news, sadly this data breach happened down the road from InfoSec News’ office in Chicago Illinois.

In a security alert posted on Home Chef’s website on Wednesday, May 20th, the Chicago-based, Kroger owned meal company had learned of a data breach and the following was stolen, email address, name and phone number, encrypted passwords, The last four digits of credit card numbers and other account information such as frequency of deliveries and mailing address may also have been compromised in the data breach.

Home Chef reports that it does not store complete credit or debit card information and “Protection of customer data is a top priority for Home Chef, and we work hard to safeguard our customers’ information”

The Home Chef data breach statement continues “We are taking action to investigate this situation and to strengthen our information security defenses to prevent similar incidents from happening in the future.”

In early May 2020, BleepingComputer reported a hacking group known as Shiny Hunters were selling over 70 million user records from eleven different companies on a dark web hacking marketplace which included eight million records for Home Chef, the asking price for Home Chef’s list was a mere $2,500.00

While the Home Chef passwords were encrypted, Home Chef recommends their users to change their password in an abundance of caution. InfoSec News recommends all users to seriously consider purchasing and using a password manager like KeePass, LassPass or 1Password to both safely store and create long, complex, hard to crack passwords.

Home Chef was founded in the summer of 2013 by Pat Vihtelic (Now Home Chef’s CEO) who taught himself to code, built a website, and quit his job as an investment banker. Last year, Home Chef delivered over 10 million meals and expanded its delivery to cover more than 97% of the U.S. population.

In May 2018, Cincinnati-based Kroger (NYSE: KR), the nation’s largest operator of traditional supermarkets, agreed to buy Chicago-based Home Chef in a deal worth as much as $700 million.

DEF CON 28 in-person conference is CANCELLED

May 8, 2020 By William Knowles

By William Knowles @c4i
Senior Editor
InfoSec News
May 8, 2020

(Via Jeff Moss / The Dark Tangent)

Why? It is not safe for people to gather in large groups for conferences, sports ball events, or clubbing now or in the foreseeable future this year.

To commemorate this (hopefully) once in a lifetime event we, of course, made shirts.

When I wrote my DEF CON vs. COVID-19 blog post-March 12th 2020 I was optimistic that social distancing, sheltering, a robust medical response with wide-scale testing would make it safe to gather in early August. I no longer believe that.

Even if a vaccine were to be discovered tomorrow it would not be soon enough to test, manufacture, distribute, and administer in time for people to safely travel by August.

Too many States have stayed open or are re-opening, people partied for far too long, and the lack of Federal coordination gives me no hope that things will get back to normal this year. I also worry that the conferences that postponed to later this year will be caught up in the “second wave” after restrictions start to ease and they will end up having to cancel. Because of this, postponing for DEF CON was not an option.

The theme for DEF CON 28 is “Discovery,” and 2020 has not disappointed.

While I made the decision to cancel the in-person conference almost a month ago on April 11th, the delay in announcing has been due to learning how to actually cancel. It has taken weeks of working with staff, lawyers, accountants, and Caesars. I didn’t want to endanger the future of the con by tweeting that we were canceling before we understood and were confident we could navigate the process.

Even though our in-person Las Vegas event is canceled, we will run DEF CON 28 Safe Mode August 7-9 (Friday through Sunday) with 101 orientation Thursday – all of it remote. We will use the DEF CON Forums to coordinate all the various ways you to participate. That is where everyone can announce their plans, do signups, post pictures, and videos, and get people involved.

Then on August 6th, we will open the DEF CON discord.io/dc server up for everyone to join and start their con experience!

Expect events like a new on-line Mystery Challenge, a DEF CON is Canceled music album, remote CTFs like Hack-a-Sat, Villages like the Packet Hacking Village, contests like the TeleChallenge, Ham Exams, and more. We are also planning a remote movie night and drink-up.

There are too many different platforms for “one size fits all” so instead of us picking a winner we will act as the coordinator pointing everyone where to go with a planning calendar, links, descriptions, and music.

The good news is DEF CON will survive, and DEF CON 29 is planned for August 5-8 2021, you can reserve your rooms now.

On a personal level this has been the most stressful few months I can remember, between being on home lock-down and having to navigate the future of DEF CON it has felt like there were land mines all around me and the lights were turned off. While cancellation negotiations are still ongoing I’ve been lucky that the DEF CON Goons and community writ large have been amazing, helping me to navigate in a safe direction. I am proud that over the years we have all gotten better at self-care and supporting each other outside of Con and I can’t wait to see everyone when it is less chaotic and uncertain. Hackers do like security.

Thank you for your support and understanding,

The Dark Tangent

Leading privacy and cybersecurity law firm investigates Tandem Diabetes Care data breach

April 20, 2020 By William Knowles

By William Knowles @c4i
Senior Editor
InfoSec News
April 20, 2020

Its almost cliche at this point.

We take the privacy and confidentiality of our customers’ information very seriously and apologize for any inconvenience or concern this incident may cause our customers.

With the next sentence…

Tandem Diabetes Care, Inc. (“Tandem”) is committed to protecting the confidentiality and security of our customers’ information. Regrettably, this notice is to inform our customers of a recent phishing incident that may have involved some customer information.

Some customer information is “reputational risk management code” for only 140,781 customers.

We are continuing to invest heavily in cyber security and data protection safeguards. We are also implementing additional email security controls, strengthening our user authorization and authentication processes, and limiting the types of data permitted to be transferred via email.

On January 17, 2020, Tandem Diabetes Care learned that an unauthorized person gained access to a Tandem employee’s email account through a security incident commonly known as “phishing.”

Once we learned about the incident, we immediately secured the account and a cyber security firm was engaged to assist in our investigation. Our investigation determined that a limited number of Tandem employee email accounts may have been accessed by an unauthorized user between January 17, 2020 and January 20, 2020.

Through the investigation, Tandem Diabetes Care learned that some customers’ information may have been contained in one or more of the Tandem email accounts affected by the incident. The affected email accounts may have contained customer names, contact information, information related to those customers’ use of Tandem’s products or services, clinical data regarding their diabetes therapy, and in a few limited instances, Social Security numbers.

On LinkedIn, Tandem Diabetes Care lists some 935 employees, but only three security people (understandably some of the security team might have temporarily pulled their profiles offline) and currently Tandem is looking for a Security Analyst II and a VP, Information Technology but neither of the job descriptions mention having knowing how to perform phishing exercises.

While you would think all this bad news is terrible for Tandem Diabetes Care’s stock price, guess again, when the data breach was submitted to the U.S. Department of Health and Human Services on March 13, 2020, TNDM – Tandem Diabetes Care, Inc closed at $46.55 a share and closed on Apri 18, 2020 at $72.94 a share.

So it should come to no surprised that Stueve Siegel Hanson LLP, a small Kansas City law firm known for their eight-figure legal outcomes would explore legal options for this data breach.

KANSAS CITY, Mo., April 1, 2020 /PRNewswire-PRWeb/ — Stueve Siegel Hanson LLP, a national leader in privacy and cybersecurity litigation, is investigating the data breach at Tandem Diabetes Care, Inc. that compromised the sensitive personal information of 140,000 patients, the firm announced today.

On January 17, Tandem discovered its email system had been hacked through a “phishing” scheme. An internal investigation showed several employee email accounts were compromised for three days between January 17 and January 20. The compromised information included names, email addresses, contact information, Social Security numbers and a range of patient data, including details related to customers’ use of Tandem products or services, and clinical data about diabetes therapy.

Tandem announced the data breach on March 16 and said it would notify affected customers. Individuals who receive these notifications can contact Stueve Siegel Hanson at 816.714.7105 or online to discuss their legal options.

Recognized by Law360 as “Cybersecurity & Privacy Group of the Year,” Stueve Siegel Hanson has prosecuted cases involving the largest data breaches in U.S. history, securing billions of dollars for affected customers. In 2019, the firm’s work included:

Securing final approval of a $1.5 billion settlement with Equifax in a nationwide class action resulting from its massive 2017 data breach;
Obtaining a $3.25 million settlement in a class action by optometrists following a data breach at the national testing organization for new eye doctors;
Serving as co-lead counsel against Capital One following a data breach affecting 106 million credit applicants; and
Pursuing a consumer lawsuit accusing Facebook of tracking users’ location information even after they opt-out of Location History features.