Patch Tuesday: February 2024

Episode 4   Published February 14, 202420 minute watch

Patch [FIX] Tuesday, Episode Summary

In this episode, Tom Bowyer discusses Microsoft's latest Patch Tuesday release with Jason Kikta and Seth Hoyt from the Automox team. They cover vulnerabilities in the Microsoft Jira plugin, the implications of the Jira vulnerability, the Windows SmartScreen security feature bypass vulnerability, a side channel timing issue in Mac OS Sonoma, and the importance of addressing legacy cryptography. They also discuss Apple's security reputation and updates, as well as the patching cadence of Microsoft and Apple. The episode concludes with closing remarks and a reminder to stay on top of endpoint updates.

Read the Patch [FIX] Tuesday Transcript

Tom Bowyer: Hey everybody, happy Patch Tuesday in February. We made it to February already. This year is already, you know, cruising by and some good stuff already happens this year. I guess you could call it good if you wanted to, right? Ivanti, AnyDesk, et cetera, et cetera. But anyway, thanks for tuning in. Tom Bowyer here again talking about Microsoft's latest Patch Tuesday release and with me today I have two folks from the Automox team. You want to introduce yourselves? Jason and Seth.

Jason Kikta: Hi, I'm Jason Kikta I'm the CISO and Senior VP of Product here at Automox.

Seth Hoyt: I'm Seth Hoyt and I'm one of the security analysts here at Automox.

Tom Bowyer: Cool. Welcome to the show. Now we're, what is this? Number four? Number five? I don't even know. Number too many. I feel like we've been doing this forever now, right? It's just like, yeah, I know, right? As long as they don't cancel us in marketing because we're just too good. You know, they're jealous of our amazing podcast skills.

Jason Kikta: I can't count.

Jason Kikta: All right. We get past 10 and I'm going to have to take off a shoe.

Jason Kikta: Yeah, that's right. That's right.

Jason Kikta: Ha ha.

Tom Bowyer: But yeah, February, it's been a busy year already, right? We've had some stuff coming out and I don't think February is gonna be any different. And this first vulnerability that it just starts at the very top, right? 2024- 21401, which is a Microsoft Entra Jira, the Jira plugin, SSO privilege escalation vulnerability.

And essentially what this is, anybody that hasn't updated their JIRA plugin, and I believe it's both cloud and on-premise is, you know, is subject to kind of a privilege escalation of privilege vulnerability where an attacker can basically take over your JIRA instance just by sending a, uh, specifically crafted payload. And, you know, I don't know if everyone remembers, you know, back in the summer, there was a a no auth vulnerability, right?

That I think Dscope published it. I can't remember, but it's essentially the same thing, right? There's a flaw in the AZ, Entra ID now, what they're calling it, you know, tenant infrastructure where it, you just have to change your email and you can get into pretty much anything. So quite the interesting attack vector, right? We think cloud, we think a little safer than this, but yeah, out there for the take in and, you know.

I'm curious to your thoughts on this one and, you know, given your history, right? How'd you see of a vulnerability this would be in your mind?

Jason Kikta: This is actually, it's fairly juicy on the surface because taking over any network service is a lot of fun. And I mean, this looks pretty straightforward. The attack complexity is low. The impact to Confidential.

Jason Kikta: And fortunately, it's just, you know, as far to Microsoft's knowledge, it's proof of concept only, but, um, you know, just modifying, uh, or, you know, throwing that script allows you to update the SAML metadata and, uh, change authentication of the application from, you know, your, the owners, enter ID tenant to your, you know, the attackers, uh, tenants is, is pretty juicy.

But where this really gets bad is the fact that so much sensitive data ends up in JIRA at every organization. JIRA is, obviously it's a ticketing system. It can be from the IT team, security team, engineering team, if you have engineers and developers on your staff. So wide applicability across most businesses.

You know, if you don't have really good data hygiene or really like ticketing hygiene principles to keep sensitive data out of there, then you're potentially looking at two breaches here, one to get into JIRA and one then with an actor potentially exploiting something based on what's in JIRA. So that's why this one really got my attention is that it's this implication of, you know, that sort of secondary possibility, which could be more than two, it could be quite a few out of the information in JIRA.

So this one's definitely a must to patch right away from my perspective. Seth, I don't know if, do you see it the same way? Do you think that this is sort of a larger systemic risk to an organization using JIRA or do you think it's narrowly scoped?

Seth Hoyt: No, I definitely think so as well. You know, especially, you know, the attack vector. I mean, they don't even have to be authenticated or anything. You know, so they can, you know, they can get in with that payload and, you know, relatively easy, so.

Tom Bowyer: Yeah, definitely an interesting one. And I was, you know, it's, it's funny too, cause like when vulnerabilities like this come out, there's always like, uh, you know, someone always goes on shodan and like, looks how many public Jira instances exist on the internet. Right. And you know, this is a little off topic, but I thought it was interesting. Like, you know, in, in the community, I saw a post where people were complaining about, um,

Tom Bowyer: Honeypots were like, they were, you know, adding, you know, changing the numbers. They were like, uh, there's more honeypot JIRA instances on the public-facing internet than actual ones. So like when those, you're right. So when those, like, when those numbers come out and people see them, like, oh, there are 300,000 exposed JIRA instances on the internet, right? And you know, someone's like, well, there's probably only like, you know, 5,000 and the rest are honeypots.

Jason Kikta: I saw that. It was a...

Yeah, by an order of magnitude.

Tom Bowyer: Um, you know, I just think back like as an industry that it's such a security thing.

Jason Kikta: It is, it is. And the other interesting thing is that not all of those honeypots are benevolent. So even if somebody doesn't have, you know, even if there's a bad actor out there, who's not able to figure out the particulars of this, there's value in having those because most of the time, actors are not going to take the necessary extra steps to validate.

Hey, is this Jira with Entra ID enabled? They're just going to throw it and see what happens. And, you know, a lot of that's going to get eaten up by those honey pots and if another actor has one, well, they're going to start throwing it as well and, and it becomes a, this is the sort of bug that becomes a free for all for exploitation rather quickly. So, um, you know, just don't, don't just take the CVSS 9.8 word for it. Take ours as well. This is one you want to patch right away.

Tom Bowyer: Yeah. Yeah, agreed, agreed. All right, moving on. Another one and this is, I think, the second time we've talked about SmartScreen on this show, but 2024-21351, Windows SmartScreen Security Feature Bypass Vulnerability, another one. And to me, this is just, it's another one where this one has been exploited in the wild.

Tom Bowyer: And to me, it's just like, you know, that smart screen window always pops up when someone downloads something they're not supposed to, right? Bypassing that is incredibly valuable for really anyone with various purposes. And, you know, the other way around it is like an EV cert, right? Which is much more difficult to get, especially if you're, um, you know, of suspicious origin,

But you know, a zero-day in the product itself, I think is just incredibly valuable, right? And, you know, reading the patch notes, you know, the attacker can inject code into SmartScreen itself, which, you know, I don't remember if the last one was similar. I think the last one was a direct bypass, but this one, it just screams like. somebody somewhere has been really poking at smart screen and they're finding creative solutions to bypass that prompt. And you know, Seth, I'm curious, you know, your thoughts on this from like an attacker standpoint.

Jason Kikta: So, so, Tom, maybe we should go back because this one's unproven. Landon pause. Uh, this one's unproven. Do we want to talk about it? Like it's being exploited. I thought it was, this one's not in the wild and not a zero.

Tom Bowyer: Um, so if you look at the notes.

Jason Kikta: I'm looking at the notes that we have.

Tom Bowyer: So the exploitability index underneath.

Tom Bowyer: Yeah, so if you scroll down, do you see it in the patch notes?

Jason Kikta: No, but I believe you.

Tom Bowyer: Twenty... Two one three five one. I can't fucking share my screen in this. Hahaha.

Jason Kikta: the element, let me control that for you. No, no, you're fine. I just want to make sure that we don't have to rerecord that section.

Tom Bowyer: Yeah, no, it's okay. Hit call.

Seth Hoyt: Yeah, because I see it hasn't been publicly disclosed, but it has been exploited.

Tom Bowyer: Right. In an, in the CVSS temporal metrics, it says it's the right. So there's a mismatch there. Yeah.

Jason Kikta: Oh, exploited, yes. Why are they saying that's unproven? Assholes. All right, sorry. Landon, we'll resume. Let's pick it up where you toss it over to Seth and he can just clip it in there. Sorry about that.

Tom Bowyer: All right. Three, two, one. Yeah, and Seth, I'm curious from an attacker's perspective. What are your thoughts on this?

Seth Hoyt: Right, I mean, obviously pretty big deal bypassing SmartScreen. And the method for this one being convincing a user to click on a malicious file. Let's be honest, that's not very difficult. So and once they do, they exploit that vulnerability. Therefore, bypassing SmartScreen, and from there, the possibilities are endless. So yeah, I mean, it's a.

Jason Kikta: Hahaha

Seth Hoyt: could be a pretty big deal if this one doesn't get patched soon.

Jason Kikta: Yeah, I always feel, I always feel that, uh, flaws in security products are sort of a double whammy and they're understandable to an extent that they have to do a lot of parsing and there's ample room to find bugs whenever you're parsing something, right? Most, uh, bugs come from parsing errors. And so, uh, that appears to be what's happening here, but it's a double whammy when a security product has a security vulnerability, because not only does it enable them, you know, the attacker to do something they ought not to be able to do, but it also means that you've now lost a line of defense, so you kind of get hit coming in, going with these and, and just being able to, um, you know, get in there and, uh, basically do, um, injection through.

Mark of the web is just sort of mind blowing to me. Although I, again, I can see how it ended up that way.

Tom Bowyer: Yeah. And it's, it's interesting in the patch notes where, you know, they marked it as it's been exploited, but the exploit code is unproven. So.

Jason Kikta: Yeah, I'm not really sure how that works.

Tom Bowyer: Yeah, I mean, maybe it's just, you know, one of those secrets handshake things like, Hey, this is being exploited. You better get a patch out for it. Right. Or fuzzing or some other mechanism where I don't know. I just, the attack service on windows is

Jason Kikta: That's right.

Jason Kikta: eah.

Jason Kikta: I'd make, I'd make a joke about NSA telling them, but they wouldn't be able to do it without a PR campaign. So I'm pretty sure that wasn't the case here.

Tom Bowyer: Yeah, I just, you know, you're right on the double-edged sword thing too. You know, attacking security products. I think is, can be so damaging, right? From a reputational standpoint and then, you know, from a, as a defender as well. Like, right. You start to lose trust eventually in those products, right?

Cause again and again and again you know you see these old days these campaigns exploiting it right and this tool that you use to you know try to help turns into just another piece you know that's used to attack you it gets uh

Jason Kikta: Right, right, right.

Seth Hoyt: Yeah, it gets hard to get that trust back too.

Tom Bowyer: Oh yeah, 100%. Well, enough of Microsoft. Do we want to talk about macOS 14.3, the latest release?

Jason Kikta: Absolutely.

Tom Bowyer: So, you know, I dug through the notes as well. And there's, to me, there's just one, you know, CVE-2024-23218, which is this side channel timing issue in the core crypto library of macOS Sonoma, where, you know, legacy RSA PKCS version 1.5 ciphertexts can be decrypted. without a private key, right? So really juicy that one is. And Jason, I'm curious your thoughts on it, right?

Jason Kikta: Mm-hmm.

Jason Kikta: Yeah, I mean, this, you know, 1.5 is really old, right? Like we're talking 90s era. You know, this was obsolete in 98. So you might be, you know, I think people's initial reaction when they see this sort of thing and just say, Oh, well, it's irrelevant. But then they should probably circle back around to the weight.

Why is Apple patching this in 2024? And so I don't know what they were, um, you know, using it for within core crypto library, if it was some sort of backwards compatibility module that never got removed or if it was still inactive use, um, but you know, that's, that's kind of the danger of. Cryptography over time. And I think too often people think about.

Tom Bowyer: Yeah.

Jason Kikta: You know, the instantaneous, uh, the contemporary risks of cryptography of, oh, you could break into my stream today. You could decrypt my communications today. And they don't always think about, you know, that if something doesn't, if support isn't deprecated and removed from an operating system, uh, or from a product that, uh, you know, it might inadvertently get used, uh, as, as well as, you know, sometimes you can be dealing with a time machine type situation where you have something encrypted with that, uh, that an attacker is able to now go and replay because they've developed the side channel attack.

And so, you know, I, I'm fighting my urge to dismiss this based on age simply because support was still in there. And it makes me really, really curious. Um, you know, why it was still around decades after being deprecated, uh, and what it was possibly used for even if only inadvertently.

Tom Bowyer: Yeah. And I think back to like TLS, like 1.0, 1.1, right. Where I think five or six years ago, there was this big industry push to get everyone off 1.0 and 1.1. And, you know, I think a lot of people today are still using it. And just because those RSCs are deprecated, right. It's not like those things magically go away. And even in, even some companies, you know, they turn them back on and in their OS's, right.

Jason Kikta: Yeah.

Jason Kikta: Yeah.

Jason Kikta: That's right.

Jason Kikta: I've seen products add support for deprecated protocols and you just, you sit there and you shake your head, but it's, it's real and it happens.

Tom Bowyer: Yeah, agreed. A hundred percent. It, you know, there are, there's a couple of other ones in here, right? Some kernel, you know, timing issues. Um, and in the like, right. Lots of web kit stuff. And I just feel like, you know, maybe it's just my personal opinion, but I swear like the last two years, like the last year or two years, Apple has really come under the microscope from a security standpoint.

And, you know, Seth, I'm curious if you kind of share that same viewpoint or not. Maybe I'm just being paranoid.

Seth Hoyt: Yeah, I mean, I've been hearing a lot about it. I mean, obviously, you know, in the past, it was always, you know, I'm on a Mac, I don't get viruses. And, you know, it's that whole, it's just like, you know, that may be true, but you got to look at the whole environment, you know, Windows devices versus Mac, you know, these Apple devices, like, you know.

If you're a bad actor and you're going to want to get the best bang for your buck, you're going to write, you know, viruses and malware for the majority of the people, which are, you know, Windows. You know, so now, you know, obviously, Apple and Macs have always been popular, but, you know, there's a lot of companies, you know, they're going full Mac now and

So, you know, they're getting a much bigger audience now. So, you know, that happening is forcing, you know, Apple will take security a little bit more serious and, you know, things that are coming out, you know, like you said, them being under a microscope, you know, it's they got to they got to stay on the game and keep that reputation.

Tom Bowyer: Yeah. And I think in 2023 was the first year they started doing those like security only patches. Which is a major change on how they've always operated. And I think that's just I don't know what it is, to be honest.

Jason Kikta: And, and it still seems to be a little bit in fits and starts. Like they don't quite have the process. It appears they don't quite have that process where they want it to be. Um, and I'm glad that they started it, but I really want them to get there because, you know, when you're talking about 14.3, like that's a pretty significant upgrade, but then you look in here and you see WebKit, uh, CVE

Tom Bowyer: Right.

Jason Kikta: You know, web kit processing malicious maliciously crafted web content may lead to arbitrary code execution. I would like to fix that quickly. Right. Like I don't want to have to upgrade from 14.2 to 14.3 just to get that fixed. That's something that you want to push out like right now, right now. Um, and so it's just.

Tom Bowyer: Yeah. Yeah.

Jason Kikta: It's good that they're addressing this stuff. It's good that they're finding it. It's good that they have security fixes, but now they need to kind of bring it all together and improve execution of that.

Tom Bowyer: Uh, and you know, would you, I guess my other question is, would you rather have like a, a Patch Tuesday cadence like Microsoft or, you know, I always felt that how, how Apple releases their updates, it's always like, Oh, you know, today is fine tomorrow. You have like 30 CVEs drop in your, your whole day is dedicated to, you know, updating your endpoints. Whereas, you know, Microsoft, at least we know, you know,

Jason Kikta: Right.

Tom Bowyer: the first Tuesday of the whatever Tuesday of the month, then we got to think about patching endpoints. So.

Jason Kikta: Right.

Yeah, I'm kind of both minds there. And one is, you know, I like to have it on a schedule because I can plan to a schedule. I can plan my patching and my policies around that schedule. On the other hand, um, you know, I'd rather have them as soon as they're ready to go. And if it's, you know, Delayed to meet some arbitrary schedule, that could be frustrating. I mean, the, the way to bridge that gap is to put out in stream security updates for high priority fixes, which again, Microsoft and Apple are both doing to an extent, but you know, it's just, it's got to get better. I feel like that's probably the, the way that we'll be able to, to reach that happy medium, but it's just not where it needs to be for the industry.

Tom Bowyer: Yeah, totally agree. Awesome. Do we, we can cut. Do we want to talk about anything else?

Jason Kikta: Let me let my dog out because she's like freaking out. There's mailman.

Tom Bowyer: Er, gimme that mail.

Seth Hoyt: I'm sorry.

Jason Kikta: gonna go bark at this guy let me out she's like whining at the door come on let me go get his ass

Tom Bowyer: Hmm. Anything else we want to talk about? Um, I don't know if we really talked about any desk. You know, I think there's... We're out of time.

Jason Kikta: I mean, we're at 22 minutes mice. The other seven, we're probably well over a 15 minute mark here. I'm good with cutting it off unless you too want to keep going.

Tom Bowyer: All right, well.

Tom Bowyer: No, I'm good. Cool. All right. We'll end it. Ready? Three, two, one. Well, as with any Tuesday, stay on top of it. Get your endpoints updated. Don't forget about your Mac devices. Those are becoming very juicy targets in the enterprise. And thanks Seth and Jason for coming on and rambling.

Seth Hoyt: Absolutely.

Jason Kikta: Hehehe

Tom Bowyer: about vulnerabilities and you know, happy Tuesday everyone. Have a great rest of your week.

Jason Kikta: Happy Tuesday and happy patching.

Seth Hoyt: Patch away!

Tom Bowyer: Cue awesome outro music.

Jason Kikta: BOW

Seth Hoyt: should get the guitar out.

Jason Kikta: He's gonna leave that in.

Tom Bowyer: He will, yeah. I was gonna say it in the beginning, but I forgot.