2017 has been a year of high-profile and wide-reaching security vulnerabilities, with victims ranging from governments to Fortune 500 companies. Although these vulnerabilities first became publicly known in 2017, unpatched systems will keep them alive well into 2018, if not beyond.
Despite the large number of attacks, a few vulnerabilities stood out for the damage they did. Here are some of the most problematic software vulnerabilities of 2017.
KRACK vulnerability in WPA2 protocol
In October, Mathy Vanhoef disclosed a set of vulnerabilities in WPA2, collectively called KRACK (Key Reinstallation Attacks), that let an attacker within radio range decrypt traffic on a protected Wi-Fi network. The flaw is in the protocol design itself, not in any one vendor's implementation, so every implementation that followed the standard correctly was affected. When a client joins a network, the four-way handshake has to tolerate lost messages: if the access point does not receive message 4, it retransmits message 3, the message that delivers the group key and tells the client to install the pairwise key derived earlier in the handshake. A client that accepts the retransmission reinstalls a key it is already using and, as the standard requires on any key installation, resets the transmit packet number (the "nonce" fed into CCMP) and the receive replay counter to their initial values.
Reusing a nonce under the same key means two frames are encrypted with the same keystream, which lets the attacker replay frames and decrypt them: the XOR of the two ciphertexts is the XOR of the two plaintexts, so any guessable content in one frame (an HTTP request line, say) exposes the other. With TKIP or GCMP the attacker can additionally recover the integrity key and forge frames. Decrypted frames reveal TCP sequence numbers, so the attacker can hijack TCP connections and inject data into them, much as on an open Wi-Fi network; traffic protected by TLS is not exposed by the Wi-Fi flaw, but plain HTTP is. Worst of all, wpa_supplicant 2.4 through 2.6 (used on Linux and on Android 6.0 and later) cleared the key from memory once it was installed, so a reinstallation left an all-zero key in use and the attacker could decrypt everything without guessing any plaintext.
Patching client devices is the highest priority: the attack targets the client's handling of the handshake, and a patched client is protected even on an unpatched network. Apple fixed the issue in iOS 11.1, and Google shipped fixes in the November 2017 Android security update, which must arrive as a firmware update from the device maker rather than through Google Play services. Routers and access points need a patch only where they themselves act as a client (repeater or bridge modes) or use the 802.11r fast-roaming (FT) handshake, which has a matching flaw on the AP side. Vendors' update status for the KRACK vulnerabilities is tracked at ZDNet.
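The reinstallation and its consequence, modelled as an added example that is not code from the article or from the krackattacks project. The toy supplicant keeps the two pieces of state that matter, the pairwise key and the packet number, and the attack is run against a client that reinstalls on a retransmitted message 3 and against one that does not. The SHA-256 counter-mode keystream is an assumption standing in for AES-CCMP's counter mode so the block runs with only the standard library; it shares the one property the attack needs, that the same key and nonce give the same keystream. The pairwise key and both frames are constructed.

```python
"""Key reinstallation in a toy WPA2 client (added example, not code from the article
or from the krackattacks project). SHA-256 in counter mode is a stand-in for AES-CCMP's
counter mode; same key + same nonce = same keystream is the only property used."""
import hashlib

PTK = b"\x2a" * 16  # constructed pairwise key; in WPA2 it is derived during the handshake


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for the CCMP counter-mode keystream (assumption: SHA-256 in counter mode)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client-side state for the pairwise key: the key and the packet number (PN) that
    becomes the CCMP nonce. Installing a key resets the PN, which is the whole problem."""

    def __init__(self, reinstalls_on_retransmit: bool):
        self.ptk = None
        self.pn = 0
        self.reinstalls_on_retransmit = reinstalls_on_retransmit

    def handle_msg3(self, ptk: bytes) -> str:
        if self.ptk == ptk and not self.reinstalls_on_retransmit:
            return "already-installed"  # patched behaviour: acknowledge, but keep the running PN
        self.ptk = ptk
        self.pn = 0  # (re)installation resets the transmit packet number
        return "installed"

    def encrypt(self, plaintext: bytes):
        self.pn += 1
        nonce = self.pn.to_bytes(6, "big")  # real CCMP also mixes the sender address into the nonce
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))


def krack_demo(vulnerable: bool) -> dict:
    """Handshake, one guessable frame, a replayed message 3, one secret frame, then the attack."""
    client = Supplicant(reinstalls_on_retransmit=vulnerable)
    client.handle_msg3(PTK)                                   # genuine message 3: key installed, PN -> 0
    known = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"  # constructed frame the attacker can guess
    nonce1, ct1 = client.encrypt(known)                       # sent with PN = 1
    # The attacker, relaying between client and AP, withholds message 4; the AP retransmits
    # message 3 (correctly keyed and MIC'd, so the client has no reason to reject it).
    client.handle_msg3(PTK)
    secret = b"Cookie: session=3f9a1c\r\n"                    # constructed frame the attacker wants
    nonce2, ct2 = client.encrypt(secret)                      # vulnerable client: PN = 1 again
    # Same key and nonce => same keystream => ct1 XOR ct2 == known XOR secret.
    recovered = xor(xor(ct1, ct2), known)
    return {"nonce_reused": nonce1 == nonce2, "recovered": recovered, "secret": secret}


if __name__ == "__main__":
    for flag in (True, False):
        result = krack_demo(flag)
        print("vulnerable" if flag else "patched", result["nonce_reused"], result["recovered"])
```

The patched client's fix is exactly what the wpa_supplicant and vendor patches did: remember that the key is already installed and refuse to reset the packet number for a retransmission. Note that the attacker never learns the key; it only needs to sit between client and AP on a cloned channel so that it can delay message 4.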
- KRACK WPA2 protocol Wi-Fi attack: How it works and who’s at risk (TechRepublic)
- NSA won’t say if it knew about KRACK, but don’t look to this leaked doc for answers (ZDNet)
- Google fixes KRACK vulnerability in Android (ZDNet)
- Apple fixes KRACK attack in iOS 11.1 update (ZDNet)
EternalBlue and DoublePulsar
On April 14, 2017, a group calling itself the Shadow Brokers published a set of exploits and tools after failing to auction them off to the highest bidder. Among them was EternalBlue, an exploit for a flaw in Microsoft's SMBv1 implementation (CVE-2017-0144, fixed by MS17-010 a month before the leak): crafted SMB packets sent to TCP port 445 give an unauthenticated remote attacker kernel-mode code execution on an unpatched Windows host. DoublePulsar is the companion kernel-mode backdoor that EternalBlue installs; it lives only in memory, hooks the SMB (or RDP) service to receive commands, and is used to inject further payloads into a process on the compromised machine. The two were used together in the WannaCry ransomware outbreak in May, which spread by running EternalBlue against any reachable host with port 445 open.
The exploits and proof-of-concept code in the leak were developed by the group that Kaspersky Lab calls the Equation Group. An internal CIA document discussing Kaspersky's report, published by WikiLeaks as part of "Vault 7", attributes tools credited to the Equation Group to the NSA's Office of Tailored Access Operations and the CIA's Information Operations Center. Microsoft president and chief legal officer Brad Smith wrote in a blog post that "This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem… We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."
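A responder's first question after the leak was whether a host already carried the DoublePulsar implant. The check below is an added example, not code from the article, from the leaked tools or from any vendor scanner: it builds the SMB1 framing of the widely published "ping" probe and classifies a reply by the fingerprint those public scripts rely on. The implant hooks the unimplemented TRANSACTION2 subcommand SESSION_SETUP (0x0E) and answers the ping with Multiplex ID 0x51, whereas a clean Windows server simply echoes the request's MID (0x41). The probe's zeroed parameter block and Timeout field, the header flag values and the sample replies are assumptions and constructed data; nothing is sent on the network.

```python
"""Fingerprinting the DoublePulsar SMB backdoor from its reply to the public "ping" probe
(added example; not code from the article, the leak or any vendor tool). Framing follows
the SMB1 header layout; the MID 0x51 fingerprint is the one public detection scripts use."""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E   # unimplemented subcommand that the implant hooks
PROBE_MID = 0x41                # multiplex ID the probe sends; a clean server echoes it
IMPLANT_MID = 0x51              # multiplex ID the implant answers with
HDR_FMT = "<BIBHH8sHHHHH"       # command, status, flags, flags2, pid_hi, signature, reserved, tid, pid_lo, uid, mid


def smb1_header(command: int, mid: int, tid: int = 0, uid: int = 0, flags: int = 0x18) -> bytes:
    """32-byte SMB1 header. flags2/pid values are typical client values (assumption)."""
    return SMB_MAGIC + struct.pack(HDR_FMT, command, 0, flags, 0xC807, 0, b"\0" * 8, 0, tid, 0xFEFF, uid, mid)


def netbios_frame(smb: bytes) -> bytes:
    """NetBIOS session service wrapper: message type 0x00 plus a 3-byte big-endian length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_ping_probe(tid: int, uid: int) -> bytes:
    """TRANSACTION2 request whose single setup word is SESSION_SETUP. Parameter and data
    blocks are empty and Timeout is zero (assumption: the implant's opcode encoding is
    out of scope here; this is the framing, not a reimplementation of its protocol)."""
    words = struct.pack("<HHHHBBHIHHHHHBBH",
                        0, 0, 1, 0, 0, 0, 0, 0, 0,   # total/max counts, setup limit, flags, timeout, reserved
                        0, 66, 0, 66,                # param/data count and offset (just past the header)
                        1, 0, TRANS2_SESSION_SETUP)  # one setup word
    body = bytes([len(words) // 2]) + words + struct.pack("<H", 0)  # WordCount, words, ByteCount
    return netbios_frame(smb1_header(SMB_COM_TRANSACTION2, PROBE_MID, tid, uid) + body)


def parse_smb1(frame: bytes) -> dict:
    """Unwrap the NetBIOS frame and decode the SMB1 header into named fields."""
    if len(frame) < 4 or frame[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(frame[1:4], "big")
    smb = frame[4:4 + length]
    if len(smb) < 32 or smb[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    names = ("command", "status", "flags", "flags2", "pid_hi", "signature",
             "reserved", "tid", "pid_lo", "uid", "mid")
    return dict(zip(names, struct.unpack(HDR_FMT, smb[4:32])))


def classify_ping_reply(frame: bytes) -> str:
    """Apply the MID fingerprint to a reply to build_ping_probe()."""
    hdr = parse_smb1(frame)
    if not hdr["flags"] & 0x80:            # bit 7 of flags marks a server reply
        return "not-a-reply"
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "unexpected-command"
    if hdr["mid"] == IMPLANT_MID:
        return "doublepulsar-present"
    if hdr["mid"] == PROBE_MID:
        return "clean"
    return "unknown"


def sample_reply(mid: int) -> bytes:
    """Constructed reply: an empty TRANSACTION2 response carrying the given MID."""
    body = bytes([10]) + b"\0" * 20 + struct.pack("<H", 0)  # 10 zero words, zero bytes (assumption)
    return netbios_frame(smb1_header(SMB_COM_TRANSACTION2, mid, tid=0x0800, uid=0x0800, flags=0x98) + body)


if __name__ == "__main__":
    print(classify_ping_reply(sample_reply(IMPLANT_MID)), classify_ping_reply(sample_reply(PROBE_MID)))
```

Against a live host the probe has to follow a Negotiate, an anonymous Session Setup and a Tree Connect to IPC$ (which supply the TID and UID); only the reply to the TRANSACTION2 is classified. A hit means the machine was already exploited: rebooting removes the in-memory implant but not whatever it loaded, and the host still needs MS17-010 and SMBv1 disabled.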
- Leaked NSA hacking exploit used in WannaCry ransomware is now powering Trojan malware (ZDNet)
- Windows ransomware: WannaCrypt shows why NSA shouldn’t stockpile exploits, says Microsoft (ZDNet)
- Microsoft patches Shadow Broker exploits: Make sure you apply these updates (TechRepublic)
- Why antivirus programs have become the problem, not the solution (TechRepublic)
Broadcom SoC Wi-Fi stack vulnerabilities
Broadcom's ubiquitous BCM43xx Wi-Fi chips run their own firmware on an ARM core, and Google Project Zero researcher Gal Beniamini found that firmware to "[lack] all basic exploit mitigations", stack cookies and enforced memory-access permissions among them; his own research chained firmware bugs into a full remote takeover of the chip. The most dangerous of the year's Broadcom bugs, though, was Broadpwn (CVE-2017-9417), found by Nitay Artenstein of Exodus Intelligence: a heap overflow in the firmware's handling of the WMM (802.11e quality-of-service) information element in an association response. An attacker within radio range who impersonates an access point the device tries to join can trigger it with crafted frames, with no user interaction and before the device has authenticated, and run arbitrary code on the Wi-Fi chip.
Because so many phones share the same radio, the affected devices included every iPhone from the iPhone 5 onward (fixed in iOS 10.3.3), Google's Nexus 5, 5X, 6 and 6P, and variants of the Samsung Galaxy S7, among many others. A compromised Wi-Fi chip is not the end of the story: Beniamini also showed that, from the chip, an attacker can go on to attack the host's kernel over the interface that connects the two.
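What a length-unchecked copy of an information element does to a firmware heap, modelled in Python as an added example; this is not Broadcom's firmware, Exodus's exploit code or anything from the article. The 802.11 element encoding and the WMM vendor OUI are real; the 44-byte slot size, the flat heap layout and the "NEXT" marker that stands in for the neighbouring heap chunk are assumptions made for illustration. The vulnerable parser trusts the IE's own length byte when copying into the fixed-size slot, the fixed one rejects anything larger than the slot before copying, and both are run over a constructed benign and a constructed malicious association-response body.

```python
"""Length-unchecked copy of the WMM information element, modelled in Python (added example,
not Broadcom firmware or Exodus's exploit). Slot size and heap layout are assumptions."""

IE_VENDOR_SPECIFIC = 221
WMM_OUI = bytes.fromhex("0050f2")  # Microsoft OUI; OUI type 2 identifies WMM
WMM_OUI_TYPE = 2
WMM_SLOT_SIZE = 44                 # assumed size of the firmware's per-BSS copy of the IE


def ie(eid: int, payload: bytes) -> bytes:
    """Encode one 802.11 information element: 1-byte ID, 1-byte length, payload."""
    if len(payload) > 255:
        raise ValueError("IE payload cannot exceed 255 bytes")
    return bytes([eid, len(payload)]) + payload


def iter_ies(body: bytes):
    """Walk the tagged-parameter section of a management frame."""
    off = 0
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        payload = body[off + 2:off + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated information element")
        yield eid, payload
        off += 2 + length


def is_wmm(eid: int, payload: bytes) -> bool:
    return eid == IE_VENDOR_SPECIFIC and payload[:4] == WMM_OUI + bytes([WMM_OUI_TYPE])


class FirmwareHeap:
    """A flat byte array: the WMM slot, then a marker standing in for the next heap chunk."""

    def __init__(self):
        self.mem = bytearray(320)
        self.slot = 16
        self.next_chunk = self.slot + WMM_SLOT_SIZE
        self.mem[self.next_chunk:self.next_chunk + 4] = b"NEXT"

    def next_chunk_intact(self) -> bool:
        return bytes(self.mem[self.next_chunk:self.next_chunk + 4]) == b"NEXT"


def parse_assoc_resp_vulnerable(heap: FirmwareHeap, ies: bytes) -> bool:
    """memcpy(slot, ie, ie_len) with no check: the frame's own length byte drives the copy."""
    for eid, payload in iter_ies(ies):
        if is_wmm(eid, payload):
            heap.mem[heap.slot:heap.slot + len(payload)] = payload
            return True
    return False


def parse_assoc_resp_fixed(heap: FirmwareHeap, ies: bytes) -> bool:
    """Same parse, but an IE longer than the slot is rejected before anything is copied."""
    for eid, payload in iter_ies(ies):
        if is_wmm(eid, payload):
            if len(payload) > WMM_SLOT_SIZE:
                raise ValueError("oversized WMM IE rejected")
            heap.mem[heap.slot:heap.slot + len(payload)] = payload
            return True
    return False


# Constructed association-response IE sections: a supported-rates IE followed by a WMM IE.
RATES = ie(1, bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24]))
WMM_HDR = WMM_OUI + bytes([WMM_OUI_TYPE, 1, 1, 0x80, 0x00])  # OUI, type, subtype=parameter, version, QoS info, reserved
BENIGN_IES = RATES + ie(IE_VENDOR_SPECIFIC, WMM_HDR + bytes(16))          # 24-byte WMM parameter element
MALICIOUS_IES = RATES + ie(IE_VENDOR_SPECIFIC, WMM_HDR + b"\x41" * 200)   # 208 bytes: spills past the slot


def run(parser, ies: bytes) -> dict:
    """Parse one frame body on a fresh heap and report whether the neighbouring chunk survived."""
    heap = FirmwareHeap()
    try:
        handled, error = parser(heap, ies), None
    except ValueError as exc:
        handled, error = False, str(exc)
    return {"handled": handled, "error": error, "neighbour_intact": heap.next_chunk_intact()}


if __name__ == "__main__":
    for name, parser in (("vulnerable", parse_assoc_resp_vulnerable), ("fixed", parse_assoc_resp_fixed)):
        print(name, run(parser, BENIGN_IES), run(parser, MALICIOUS_IES))
```

In real firmware the overwritten neighbour is another allocation or a heap chunk header, and on a chip with no stack cookies, no safe unlinking and no memory permissions, corrupting it is enough to redirect execution; the fix is the single length check, which is what the vendor patches added.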
- Mobile devices with Broadcom chipsets may be vulnerable to Wi-Fi hijacking (TechRepublic)
- Every iOS user should update to 10.3.3 now to avoid this Wi-Fi hack (TechRepublic)
- iPhone, Android hit by Broadcom Wi-Fi chip bugs: Now Apple, Google plug flaws (ZDNet)
- Android security: Google patches dozens of dangerous bugs, including some in Oreo (ZDNet)
Silent Bob is Silent, among other Intel AMT exploits
Intel Active Management Technology (AMT) is widely used in enterprise fleets for out-of-band management of PCs. It runs on the Management Engine, a separate microcontroller in the chipset with its own firmware and its own network stack, so it keeps working while the operating system is asleep (S3), crashed or not yet booted. Because it sits beneath even the hypervisor (ring -1) and System Management Mode (ring -2), it is often described as "ring -3", and that level of access makes it a high-value target for security researchers.
In May 2017, Intel disclosed a vulnerability (CVE-2017-5689, found by Embedi) that let a remote attacker bypass authentication to AMT's web management interface on TCP ports 16992 and 16993 and take full administrative control of the management features: remote keyboard, video and mouse, booting from attacker-supplied media, and power control. Because AMT runs on the Management Engine rather than on the host CPU, nothing done through it is visible to the operating system's security software. The bug itself was a classic comparison error: the HTTP Digest authentication code compared the expected response hash against the attacker-supplied one using only the length of the attacker's string, so an empty response compared zero bytes and was accepted. Only systems on which AMT (or ISM or Small Business Technology) had been provisioned were exposed, but on those the attack needed nothing more than a browser.
AMT has also been abused on networks that were already compromised: Microsoft reported in June 2017 that the PLATINUM group used AMT's Serial-over-LAN (SOL) channel to move files between infected machines. SOL traffic is handled by the Management Engine and never passes through the host's network stack, so it is invisible to the Windows firewall and to host-based monitoring.
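The comparison bug in miniature, as an added example that is not Intel's code, Embedi's tooling or anything from the article. A small Digest-authentication server is checked with two comparison functions: one that mirrors the strncmp-with-the-supplied-length pattern, and one that compares the full hash in constant time. The realm, nonce, credentials and request are constructed; the /index.htm path and ports 16992/16993 are AMT's real web interface. The last function shows the request a scanner would send to test a provisioned machine; it is built, not sent.

```python
"""HTTP Digest verification with the strncmp-style prefix bug that broke Intel AMT's
authentication (CVE-2017-5689), beside a fixed version (added example, not Intel's code
or Embedi's tooling). Realm, nonce and credentials are constructed."""
import hashlib
import hmac
import re

USERS = {"admin": "Passw0rd!"}                      # constructed credential store
REALM = "Digest:0A1B2C3D4E5F60718293A4B5C6D7E8F9"  # constructed; AMT realms look like "Digest:<hex>"
NONCE = "c0ffee1234567890"                          # constructed server nonce


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user: str, password: str, method: str, uri: str, nonce: str, realm: str = REALM) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def parse_digest_header(header: str) -> dict:
    """Split 'Digest k="v", k=v, ...' into a dict; quoted values may be empty."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    return {k: quoted or bare for k, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^",\s]+))', header[7:])}


def verify_vulnerable(expected: str, supplied: str) -> bool:
    """Mirrors strncmp(expected, supplied, strlen(supplied)) == 0: only the supplied
    length is compared, so an empty string (or any correct prefix) matches."""
    return expected[:len(supplied)] == supplied


def verify_fixed(expected: str, supplied: str) -> bool:
    """Full-length, constant-time comparison; differing lengths fail."""
    return hmac.compare_digest(expected, supplied)


def authenticate(header: str, method: str, uri: str, verify) -> bool:
    """Server-side check of one request, parameterised by the comparison function."""
    fields = parse_digest_header(header)
    password = USERS.get(fields.get("username", ""))
    if password is None or fields.get("nonce") != NONCE or fields.get("uri") != uri:
        return False
    expected = digest_response(fields["username"], password, method, uri, NONCE)
    return verify(expected, fields.get("response", ""))


def authorization_header(user: str, response: str, uri: str = "/index.htm") -> str:
    return (f'Digest username="{user}", realm="{REALM}", nonce="{NONCE}", '
            f'uri="{uri}", response="{response}"')


def bypass_request(host: str) -> str:
    """The request a scanner sends to an AMT web interface to test for the bug:
    a valid username and an empty response field. Built here, never sent."""
    return (f"GET /index.htm HTTP/1.1\r\nHost: {host}:16992\r\n"
            f"Authorization: {authorization_header('admin', '')}\r\n\r\n")


if __name__ == "__main__":
    empty = authorization_header("admin", "")
    print("vulnerable accepts empty response:", authenticate(empty, "GET", "/index.htm", verify_vulnerable))
    print("fixed accepts empty response:", authenticate(empty, "GET", "/index.htm", verify_fixed))
```

The prefix comparison is worse than the empty-string case alone suggests: a one-character response passes one time in sixteen, and each additional correct character can be confirmed independently. A scanner that gets HTTP 200 back from the request above, on a host that answers on 16992 or 16993 at all, has found a provisioned and unpatched machine.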
- Intel AMT vulnerability hits business chips from 2008 onwards (ZDNet)
- Intel chip vulnerability lets hackers easily hijack fleets of PCs (ZDNet)
- Windows firewall dodged by ‘hot-patching’ spies using Intel AMT, says Microsoft (ZDNet)
- Researchers say Intel’s Management Engine feature can be switched off (ZDNet)