Security

The most damaging software vulnerabilities of 2017, so far

A wide variety of software vulnerabilities across consumer and enterprise technology were discovered in 2017. Here are the ones that wreaked the most havoc.

It's clear that 2017 has been a year of high profile and wide reaching security vulnerabilities, with victims ranging from governments to Fortune 500 companies. While these vulnerabilities first became publicly known in 2017, they are likely to remain problems well into 2018, if not beyond.

Despite the large number of attacks, a few vulnerabilities stood out in terms of the damage they did. Here are some of most problematic software vulnerabilities of 2017.

SEE: IT leader's guide to the threat of cyberwarfare (Tech Pro Research)

KRACK vulnerability in WPA2 protocol

In October, a vulnerability was discovered in WPA2 that allowed attackers to read encrypted information transmitted over secured Wi-Fi networks. The vulnerability is a flaw in the protocol design itself—not a specific vendor implementation. When joining a network, the WPA2 four-way handshake allows for the possibility of a dropped packet before the handshake is completed. The third step of the four-way handshake—in which the encryption key is negotiated—may be rebroadcast to the client if the access point has not received an acknowledgement. As such, the client may receive the encryption key multiple times, and is expected to reinstall that key, resetting the incremental packet transit number ("nonce") and receive reply counter.

Attackers can take advantage of this behavior to replay, decrypt, or forge packets. Critically, this ability extends to TCP SYN packets, making it possible for attackers to hijack TCP connections, in functionally the same way attackers inject data on unprotected Wi-Fi networks.

Patching client devices is the highest priority in mitigating this vulnerability. Apple provided a patch for iOS devices in 11.1, and Google provided patches in the November 2017 security update, though this must be delivered as part of an Android platform update, not through Google Play services. Wireless routers and access points may require a vendor patch to protect against this vulnerability. A list of available patches for the KRACK vulnerability can be found at ZDNet.

Also see

EternalBlue and DoublePulsar

A group called the Shadow Brokers released documents and code detailing a number of vulnerabilities on April 14, 2017, after unsuccessfully attempting to auction them off to the highest bidder. These include EternalBlue, a vulnerability in Microsoft's implementation of the SMB1 protocol, allowing hackers to send maliciously coded packets which improperly grant them the ability to execute arbitrary code on a vulnerable computer. Relatedly, DoublePulsar is a tool that allows attackers kernel-level access to Windows, and is used to load other malware. The two were used together in the WannaCry ransomware attack in May.

SEE: Defending against cyberwar: How the cybersecurity elite are working to prevent a digital apocalypse (free PDF) (TechRepublic)

These exploits and the corresponding proof-of-concepts which were released by the Shadow Brokers were developed by a group identified by Kaspersky Labs as the Equation Group. An internal CIA document discussing the Kaspersky report released by Wikileaks as part of "Vault 7" claims the exploits attributed to the Equation Group were developed by the NSA Office of Tailored Access Operations and CIA Information Operations Center. Microsoft President and chief legal officer Brad Smith stated in a blog post that "This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem... We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."

Also see

Broadcom SoC Wi-Fi stack vulnerabilities

Broadcom's ubiquitous BCM43XX series Wi-Fi radio modules were found to "[lack] all basic exploit mitigations," according to Google Project Zero researcher Gal Beniamini. While security practices were lacking in a variety of factors, the biggest threat from "Broadpwn" was the potential for an attacker on the same Wi-Fi network to force vulnerable devices to execute arbitrary code, using a specially crafted file.

Because of the relative monoculture of Wi-Fi radio modules, affected devices include most Apple devices (though variants of the same model may use Intel Wi-Fi modules instead), as well as Google's Nexus 5, 5X, 6 and 6P phones, along with some variants of the Samsung Galaxy S7.

Also see

Silent Bob is Silent, among other Intel AMT exploits

Intel Active Management Technology (AMT) is commonly used in enterprise deployments for out-of-band management of personal computers. Because of the level of access that such a utility would require—given that it runs even during S3 sleep, it is considered Ring-3 level—AMT has become a high value target for security researchers.

SEE: Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)

In May 2017, a vulnerability was identified that allowed remote attackers to execute code inside AMT, potentially granting attackers full control of any affected system. Additionally, because of the attack vector, infections would be exceedingly difficult, if not impossible, to detect with standard security software. The vulnerability, in essence, can be exploited by sending an empty response when logging in to the admin account management system of AMT.

Additionally, the Serial-over-LAN function of AMT has been used in already compromised networks by the hacking group PLATINUM to exfiltrate documents.

Also see


hacking.jpg
Image: iStockphoto/welcomia

About James Sanders

James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.

Editor's Picks

Free Newsletters, In your Inbox