Company
Advisories
Here we publish the descriptions of vulnerabilities that Deutsche Telekom’s pentesters have found in the context of tests of solutions Deutsche Telekom uses. All weaknesses are only published with the consent of the affected parties after the vulnerability has been corrected (Responsible Disclosure). We also publish technical comments and important CERT Advisories.
Remote buffer overflow vulnerability in SharkSSL TLS Client Key Exchange handshake processing
November 04, 2024
A new remote buffer overflow vulnerability (CVE-2024-48075) was discovered in the latest version of the SharkSSL library from 09.09.2024 (https://github.com/RealTimeLogic/SharkSSL) by security evaluators of Deutsche Telekom Security GmbH and Deutsche Telekom AG with modern fuzzing methods.
Critical remote denial of service vulnerability in matrixssl TLSv1.3 server pre-shared-key parsing
December 15, 2023
A new critical DoS vulnerability (CVE-2023-24609) was discovered in the matrixssl library (versions 4.6.0-4.0.0, github.com/matrixssl/matrixssl) by Security Evaluators of Telekom Security with modern fuzzing methods.
Critical DNS leakage vulnerability in Strongswan mobile VPN client
December 1, 2023
A new critical leakage vulnerability (CVE-2023-##) was discovered in the Strongswan mobile VPN client (versions2.4.2–2.3.3), https://docs.strongswan.org/docs/5.9/os/androidVpnClient.html) by Security Evaluators of Telekom Security with modern fuzzing methods.
Critical remote buffer overflow vulnerability in matrixssl TLSv1.3 server message processing
January 9, 2023
A new critical remote buffer overflow vulnerability (CVE-2022-43974) was discovered in the matrixssl library (versions 4.5.1- 4.0.0, https://github.com/matrixssl/matrixssl) by Security Evaluators of Telekom Security with modern fuzzing methods.
Critical DoS vulnerability in SQLCipher SQL command processing
March 8, 2021
A new critical denial-of-service vulnerability (CVE-2021-3119) in the SQLCipher SQL command processing of the master branch was discovered with a self-developed SQLCipher-FAST (Fast Automated Software Testing) framework.
Denial of service vulnerability in SQLCipher SQL command processing
November 12, 2020
A new critical denial of service vulnerability (Use CVE-2020-27207) in the SQLCipher SQL command processing of the master branch (https://github.com/sqlcipher) was discovered with a self-developed SQLCipher-FAST (Fast Automated Software Testing) framework.
November 21, 2019
Attackers are able to allocate significant amount of memory and processor time. So the availability of a service may be disturbed. This kind of attack is called denial of service (DoS). Therefore, this vulnerability is security-critical, if any security relevant process depends on remote availability.
November 21, 2019
This vulnerability may be used to perform a remote denial of service attack. The goal of a denial of service attack is to disturb the availability of a remote service or server, e.g. any access axTLS library. Hence, this vulnerability is security-critical, if any security relevant process depends on remote availability.
May 15, 2019
Attackers are able to overwrite a large part of the RAM of a wolfSSL server. Security evaluators of Telekom Security discovered this vulnerability using modern fuzzing methods.
CVSS Score 9.8 CRITICAL
March 22, 2019
A new critical remote buffer overflow vulnerability (CVE -2019 -8981) in the axTLS library for embedded devices (version 2.1.4, http://axtls.sourceforge.net) was discovered on 2019 February 20 with modern fuzzing methods, which possibly allows remote code executions. A new fixed version (2.1.5) countering this is now available for download.
CVSS Score 9.8 CRITICAL
July 31, 2018
The Now Platform delivers a System of Action for the enterprise. Using a single data model, it’s easy to create contextual workflows and automate any business process. Anyone, from the business user to the professional developer, can easily build applications at lightspeed.
Any application user on the Now Platform can make requests through service catalogs, find information in common knowledge bases, and be notified about the actions and information they care about the most.
Variant of Satori/Mirai detected attacking public available ADB shells
10 July 2018
On the 10th of July at 23:30 UTC we noticed an increased traffic on our blackhole monitoring on TCP port 5555. Upon further analyzation, we saw a big chunk of this traffic coming from China, USA and the Dominican Republic. In total we gathered 246.434 packets from 68.361 unique IPs. Based on the packet details we gathered, we can assume that the packets were generated by a lot of different devices. In addition, the traffic behavior on port 555 matches the typicall scan behavior of botnets.
Dangers of Dynamic Data Exchange (Windows)
11 May 2018
A small feature in MS Office apps can be used to install malware. See Microsoft Security Advisory 4053440 details how to disable DDE completely, or at least how to minimize the effect of malicious documents.
Kaltura Video Platform - Pre-Auth Remote Code Execution (and XSS)
12 Sep 2017
During an interal pentest several critical vulnerabilities could be identified in the latest version of Kaltura Community and Enterprise. The vulnerabilities were fixed in the latest release 13.2.0.
A proof of concept exploit may be released later, giving time for users to patch.
5 Jan 2018
By misuse of several processor bugs it is possible to break up the separation between the kernel and user space.
Deutsche Telekom CERT Assessment
On Intel CPU driven platforms, it is possible for normal user programs to gather information about protected kernel memory areas (“Meltdown attack”, CVE-2017-5754) [1] [2]. This results in an information leakage between kernel and user space.
This vulnerability affects every Intel CPU produced in the past decade (CPUs since 1995 except Itanium and pre-2013 Atoms). The in [3] listed ARM cores are also affected by this vulnerability.
A further issue is described in the “Spectre attack” (CVE-2017-5753 and CVE-2017-5715). Spectre allows a user-mode application to extract information from other processes or VMs to access memory of other VMs. This vulnerability affects all listed Intel CPUs, as well as AMD’s Ryzen, FX and Pro families and several ARM Cortex cores listed in [3].
Official disclosure for Spectre and Meltdown took place on 2018-01-04 [10].
To exploit both vulnerabilities an attacker needs to be able to execute code on the target machine.
Thus, up to now network components like routers, switches, firewalls, mobiles or CPEs don’t provide enough attack surface for exploitation even if they are affected. On most network components it is very difficult to run attacker crafted code because they’ve never been designed to run custom code.
Recommendations
- Apply patches as soon as they are available from the respective supplier
(for Microsoft desktop systems check availability with AV vendors [13]) - Top priority should be patching of (see timeline below)
o hypervisors of cloud systems
o operating systems of desktop clients and virtual/remote desktop systems
o operating systems of hosting platforms - On XEN hypervisors:
o Enable “supervisor mode execute protection” if possible
o Evaluate if XEN VMs can be run in HVM or PVM mode (only PV hosting hypervisors are affected) - For network components
o Even if an attack is unlikely ask your vendor if your device is vulnerable and needs patching
Patch Prioritization
In general high priority patching is advised for every machine which runs untrusted code from third parties. On shared and exclusive private clouds there is less risk because these platforms are dedicated to trusted customers. On all other servers it is unlikely that an attacker is able to run arbitrary code. Patch your system based on local patch cycles.
Due to the complexity of the attack it is unlikely that smartphones get exploited.
Patch Availability
- Microsoft Windows 7 SP1, 8.1, 10 [5]
o McAfee is now patch compatible [12]
o Further AV vendors can be found in [13]
o A registry key has to be set. Without the key the client doesn’t fetch the update. See [5]. - Microsoft Windows Server 2008 R2, Server 2012 R2, Server 2016, Server Version 1709 Attention: The mitigation has to be enabled via registry [6]
- Mac OS X 10.13.1 (10.13.2 isn’t vulnerable)
- Several Suse Linux and RHEL distributions [7] [8]
- VMware ESXi 5.5 to 6.5, Workstation 12.X and 14.X, Fusion 8.X [9]
- Android (patchlevel 2018-01-05)
- iOS (patchlevel 11.2)
Linux Kernel patches will be most probably available on 2018-01-09.
IBM AIX patches will be most probably available on 2018-01-12 [11].
There is no announcement for a SOLARIS patch, we are in touch with Oracle.
Further Information
References:
[1] https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
[2] http://www.cs.vu.nl/~herbertb/download/papers/anc_ndss17.pdf
[3] https://developer.arm.com/support/security-update
[4] https://xenbits.xen.org/xsa/advisory-254.html
[7] https://www.suse.com/de-de/security/cve/CVE-2017-5754/
[8] https://access.redhat.com/security/vulnerabilities/speculativeexecution
[9] https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
[10] https://spectreattack.com/
[11] https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/
[12] https://kc.mcafee.com/corporate/index?page=content&id=KB90167
About Telekom Security: Telekom Security is the security provider for Deutsche Telekom and Deutsche Telekom customers.
https://security.telekom.com
https://telekomsecurity.github.io
http://www.sicherheitstacho.eu