Adobe and Microsoft Patches for February 2015. Plus data on the GHOST vulnerability, real impact or over-hyped.

1. Patch Overview
February 2015
Wolfgang Kandek, Qualys, Inc
February 12, 2014

2. February Patches
• Adobe Flash under direct Attack in January/February
• Normal = 1 update per month. Current = 4
• January 13 – APSB14-01 – 9 critical vulnerabilities

3. February Patches
• Adobe Flash under direct Attack in January/February
• Normal = 1 update per month. Current = 4
• January 13 – APSB14-01 – 9 critical vulnerabilities

4. February Patches
• Adobe Flash under direct Attack in January/February
• Normal = 1 update per month. Current = 4
• January 13 – APSB14-01 – 9 critical vulnerabilities
• January 21 - @Kafeine detects 0-day CVE-2015-0311
• Angler Exploit Kit

5. February Patches
• Adobe Flash under direct Attack in January/February
• Normal = 1 update per month. Current = 4
• January 13 – APSB14-01 – 9 critical vulnerabilities
• January 21 - @Kafeine detects 0-day CVE-2015-0311
• Angler Exploit Kit
• January 22 – APSB14-02 for CVE-2015-0310 (no typo)
• Under attack in the wild (0-day)
• Mentions CVE-2015-0311 (sort of)
• Credits 3 Researchers, including @Kafeine

6. February Patches
• Adobe Flash under direct Attack in January/February
• Normal = 1 update per month. Current = 4
• January 13 – APSB14-01 – 9 critical vulnerabilities
• January 21 - @Kafeine detects 0-day CVE-2015-0311
• Angler Exploit Kit
• January 22 – APSB14-02 for CVE-2015-0310 (no typo)
• Under attack in the wild (0-day)
• Mentions CVE-2015-0311 (sort of)
• Credits 3 Researchers, including @Kafeine
• January 27 – APSB14-03 for CVE-2015-0311/12
• Credits 3 different Researchers, including @Kafeine

7. February Patches - 2
• Flash Attack continues in February
• February 2 - Trend Micro detects 0-day – CVE-2015-0313

8. February Patches - 3
• Flash Attack continues in February
• February 2 - Trend Micro detects 0-day – CVE-2015-0313

9. February Patches - 3
• Flash Attack continues in February
• February 2 - Trend Micro detects 0-day – CVE-2015-0313

10. February Patches - 2
• Flash Attack continues in February
• February 2 - Trend Micro detects 0-day
• February 5 – APSB14-04 – 18 critical vulnerabilities
• Including 0-day CVE-2015-0313

11. February Patches - 2
• Flash Attack continues in February
• February 2 - Trend Micro detects 0-day
• February 5 – APSB14-04 – 18 critical vulnerabilities
• Including 0-day CVE-2015-0313
• All versions of Windows attacked under IE and Firefox

12. February Patches - 2
• Flash Attack continues in February
• February 2 - Trend Micro detects 0-day
• February 5 – APSB14-04 – 18 critical vulnerabilities
• Including 0-day CVE-2015-0313
• All versions of Windows attacked under IE and Firefox
• Flash under Google Chrome not attacked
• Malwarebytes Anti Exploit neutralizes CVE-2014-310
• EMET prevents CVE-2015-0311
• Trend Micro Browser Exploit Prevention: CVE-2015-0313

13. February Patches - 3
• Microsoft February, 10: 9 bulletins – MS15-009-MS15-017
• IE, Windows, Office – 4 x Remote Code Execution
• 5 x Important, Privilege Escalation, DoS, SFP

14. February Patches - 3
• Microsoft February, 10: 9 bulletins – MS15-009-MS15-017
• IE, Windows, Office – 4 x Remote Code Execution
• 5 x Important, Privilege Escalation, DoS, SFP
• Priority 1: MS15-009 – Internet Explorer
• 41 vulnerabilities – January Rollup
• 1 publicly disclosed – ZDI 120 day limit

15. February Patches - 3
• Microsoft February, 10: 9 bulletins – MS15-009-MS15-017
• IE, Windows, Office – 4 x Remote Code Execution
• 5 x Important, Privilege Escalation, DoS, SFP
• Priority 1: MS15-009 – Internet Explorer
• 41 vulnerabilities – January Rollup
• 1 publicly disclosed – ZDI 120 day limit
• Priority 2: MS15-012 – Office (Excel/Word)

16. February Patches - 3
• Microsoft February, 10: 9 bulletins – MS15-009-MS15-017
• IE, Windows, Office – 4 x Remote Code Execution
• 5 x Important, Privilege Escalation, DoS, SFP
• Priority 1: MS15-009 – Internet Explorer
• 41 vulnerabilities – January Rollup
• 1 publicly disclosed – ZDI 120 day limit
• Priority 2: MS15-012 – Office (Excel/Word)
• Priority 3: MS15-010 – Windows
• 1 publicly disclosed - Google Project Zero 90 day limit

17. February Patches - 3
• Microsoft February, 10: 9 bulletins – MS15-009-MS15-017
• IE, Windows, Office – 4 x Remote Code Execution
• 5 x Important, Privilege Escalation, DoS, SFP
• Priority 1: MS15-009 – Internet Explorer
• 41 vulnerabilities – January Rollup
• 1 publicly disclosed – ZDI 120 day limit
• Priority 2: MS15-012 – Office (Excel/Word)
• Priority 3: MS15-010 – Windows
• 1 publicly disclosed - Google Project Zero 90 day limit
• Interesting: MS15-011 - GPO

18. GHOST
• January 27 - Qualys disclosed CVE-2015-0235 in Linux/glibc
• January 13 (first contact), January 18 (CVE)
• Critical vulnerability, about 2 months to find and exploit

19. GHOST
• January 27 - Qualys disclosed CVE-2015-0235 in Linux/glibc
• January 13 (first contact), January 18 (CVE)
• Critical vulnerability, about 2 months to find and exploit
• GHOST similar to Heartbleed and Shellshock
• GHOST = GetHOSTbyname (vulnerable function)
• Newest glibc (2.18) not vulnerable, but not very common
• Ubuntu 14.04, Fedora 20/21, SUSE 12/13, Gentoo
• glibc 2.2-2.17 vulnerable in use in many distros
• RedHat 6/7 (CentOS 6/7), SUSE Enterprise, Ubuntu 12.04

20. GHOST
• January 27 - Qualys disclosed CVE-2015-0235 in Linux/glibc
• January 13 (first contact), January 18 (CVE)
• Critical vulnerability, about 2 months to find and exploit
• GHOST similar to Heartbleed and Shellshock
• GHOST = GetHOSTbyname (vulnerable function)
• Newest glibc (2.18) not vulnerable, but not very common
• Ubuntu 14.04, Fedora 20/21, SUSE 12/13, Gentoo
• glibc 2.2-2.17 vulnerable in use in many distros
• RedHat 6/7 (CentOS 6/7), SUSE Enterprise, Ubuntu 12.04
• Verification program, source in the advisory
• Vulnerability scanner

21. GHOST - Exploitablity
• Buffer Overflow in gethostbyname()
• Hostname
• Needs to be digits and dots
• Longer than 1 KB

22. GHOST - Exploitablity
• Buffer Overflow in gethostbyname()
• Hostname
• Needs to be digits and dots
• Longer than 1 KB
• Mitigations
• Hostname can only be 255 characters long (RFC1123)
• Gethostname deprecated

23. GHOST - Exploitablity
• Buffer Overflow in gethostbyname()
• Hostname
• Needs to be digits and dots
• Longer than 1 KB
• Mitigations
• Hostname can only be 255 characters long (RFC1123)
• Gethostname deprecated
• Examples:
• ping, arping, mtr, mount.nfs – not vulnerable
• clockdiff, procmail, pppd, exim – vulnerable
• exim – (remote!) exploit POC exists

24. GHOST - Reality
• How exploitable is it really?

25. GHOST - Reality
• How exploitable is it really?
• Opinions vary

26. GHOST - Reality
• How exploitable is it really?
• Opinions vary

27. GHOST - Reality
• How exploitable is it really?
• Opinions vary
• Michael Zalewski – Yup, that is the real thing, nothing to add

28. GHOST - Reality
• How exploitable is it really?
• Opinions vary
• Michael Zalewski – Yup, that is the real thing, nothing to add

29. GHOST - Reality
• How exploitable is it really?
• Opinions vary
• Michael Zalewski – Yup, that is the real thing, nothing to add
• Robert Graham – Yes, but…

30. GHOST - Reality
• How exploitable is it really?
• Opinions vary
• Michael Zalewski – Yup, that is the real thing, nothing to add
• Robert Graham – Yes, but…
• Many – PR Stunt

31. GHOST - Reality
• How exploitable is it really?
• Opinions vary
• Michael Zalewski – Yup, that is the real thing, nothing to add
• Robert Graham – Yes, but…
• Many – PR Stunt

32. GHOST - Reality
• How exploitable is it really?
• Opinions vary
• Michael Zalewski – Yup, that is the real thing, nothing to add
• Robert Graham – Yes, but…
• Many – PR Stunt
• Sucuri – there is a problem in Wordpress/PHP - pingback

33. GHOST - Reality
• How exploitable is it really?
• Opinions vary
• Michael Zalewski – Yup, that is the real thing, nothing to add
• Robert Graham – Yes, but…
• Many – PR Stunt
• Sucuri – there is a problem in Wordpress/PHP – pingback
• Now a Metasploit check
• Veracode – there are problems in many enterprise apps
• 202 enterprise apps – 25% use gethostbyname
• 72% C/C++, 28% Java, .NET, PHP
• 64/32 bit are vulnerable – our exploit works against both 64
and 32 bit exim for example

34. GHOST – beyond Linux
• Juniper

35. GHOST – beyond Linux
• Juniper

36. GHOST – beyond Linux
• Juniper
• Cisco

37. GHOST – beyond Linux
• Juniper
• Cisco

38. GHOST – beyond Linux
• Juniper
• Cisco

39. GHOST – beyond Linux
• Juniper
• Cisco
• NetApp
• McAfee
• F-Secure
• BlueCoat
• RiverBed
• …..

40. Resources
• Microsoft - https://technet.microsoft.com/library/security/ms15-feb
• Adobe - http://blogs.adobe.com/psirt
• GHOST - http://www.openwall.com/lists/oss-security/2015/01/27/9
• Sucuri - http://blog.sucuri.net/2015/01/critical-ghost-vulnerability-
released.html
• VERACODE - https://www.sans.org/webcasts/99642?ref=174212
• Metasploit - https://github.com/rapid7/metasploit-
framework/blob/master/modules/auxiliary/scanner/http/wordpress_gh
ost_scanner.rb
• Juniper -
http://kb.juniper.net/InfoCenter/indexid=JSA10671&page=content

41. Resources 2
• Cisco –
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci
sco-sa-20150128-ghost
• McAfee-
https://kc.mcafee.com/corporate/index?page=content&id=SB10100
• NetApp -
https://kb.netapp.com/support/index?page=content&id=9010027
• F-Secure - https://www.f-secure.com/en/web/labs_global/fsc-2015-1
• Blue Coat - https://bto.bluecoat.com/security-advisory/sa90
• Riverbed -
https://supportkb.riverbed.com/support/index?page=content&id=S258
33

42. Thank You
Wolfgang Kandek
wkandek@qualys.com
http://laws.qualys.com