Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

CISA Releases Two Advisories

The US Cybersecurity & Infrastructure Security Agency has released two advisories which should prove useful to enterprises everywhere.

The first, issued in conjunction with the NSA, addresses the recent vulnerabilities in baseboard management controllers (BMC's) discovered by Eclypsium. BMC's are buried deep within system boards and get access to the system even before the UEFI BIOS starts execution, allowing a threat actor to install bootkits, or disable the TPM and UEFI secure boot process. In fact, the BMC remains active even when a server is powered down.

The CISA/NSA hardening guide lists a number of recommended actions, including updating BMC credentials, using VLAN segmentation to isolate BMC's from the other network infrastructure, performing routine update checks and other suggestions.

The other CISA advisory is one of a series on understanding ransomware threat actors, and deals specifically with the LockBit Ransomware-as-a-Service group. LockBit affiliates are probably the most active of all ransomware groups, and the advisory provides advice on the vulnerabilities they typically exploit, as well as the TTP's they use. It also provides a number of suggested mitigations.

Uncredited, CISA and NSA Release Joint Guidance on Hardening Baseboard Management Controllers (BMCs), cybersecurity advisory alert, 14 June 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/06/14/cisa-and-nsa-release-joint-guidance-hardening-baseboard-management-controllers-bmcs.

Uncredited, CISA and Partners Release Joint Advisory on Understanding Ransomware Threat Actors: LockBit, cybersecurity advisory alert, 14 June 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/06/14/cisa-and-partners-release-joint-advisory-understanding-ransomware-threat-actors-lockbit.

Microsoft Patches Windows Kernel Vuln, Doesn't Enable Patch

A curious situation has arisen with yesterday's updates for Windows Server  2022, Windows 10 and Windows 11: the Redmondites shipped a patch for an important kernel information disclosure vulnerability, but did not enable the fix. The vulnerability, which could allow an authenticated but unprovileged attacker to view the contents of the heap of a privileged process, was awarded a base CVSS 3.1 score of 4.7 - it would have been higher if the attack was not so complex, requiring coordination with another, privileged process.

At a guess the likely delay in enabling the fix is due to the time required to perform comprehensive regression testing; after all, everything makes use of the heap and the kernel, so there could be corner cases with applications doing strange things that a fix would break. However, users who have relatively simple installations, especially in high-threat environments, e.g. facing the Internet, may want to enable the fix, and Microsoft has released a knowledge base article providing instructions.

Enabling the patch simply involves add a registry entry, with different values for the various different affected platforms. You might want to test the effects in a lab environment before deploying this too widely, though.

Uncredited, KB5028407: How to manage the vulnerability associated with CVE-2023-32019, Windows Support knowledge base article, 13 June 2023. Available online at https://support.microsoft.com/en-gb/topic/kb5028407-how-to-manage-the-vulnerability-associated-with-cve-2023-32019-bd6ed35f-48b1-41f6-bd19-d2d97270f080.

Yet Another Sidechannel Attack - This Time Using Power LED's

In a paper to be presented at Black Hat 23, researchers from Cornell and Ben Gurion universities demonstrate a novel technique to recover cryptographic keys from a device by analyzing video footage of the device's power LED. This works because the cryptographic computations performed by the CPU change the device's power consumption, which in turn affects the brightness of the power LED.

The attack uses an ingenious technique to increase the camera's sampling rate from the normal rate of 60 frames per second, which would be too slow, to 60 thousand measurements per second by exploiting the camera's rolling shutter.

In their first demonstrations, the researchers were able to  recover a 256-bit ECDSA key from a smart card by analyzing video footage of the power LED of a smart card reader via a hijacked Internet-connected security camera located 16 meters away from the smart card reader.

The device need not even have a power LED itself, but merely be connected to something that does; in their second attack the researchers were able to recover a 378-bit SIKE key from a Samsung Galaxy S8 by analyzing video footage of the power LED of Logitech Z120 USB speakers that were connected to the same USB hub used to charge the phone. In this case, the camera was an iPhone 13 Pro Max.

I shall be interested to see whether this technique will work against the LED's of a beefy tower computer when a security key is being used as part of multi-factor authentication. If it does, I shall be disabling the LED's and adding a roll of thick black electrical tape to my travel kit.

Nassi, Ben, et. al., Video-Based Cryptanalysis: Extracting Cryptographic Keys from Video Footage of a Device’s Power LED, conference presentation, August 2023. Available online at https://www.nassiben.com/video-based-crypta.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.