June 2024 [A Doozy of a Patch Tuesday], E08

Episode 8 | Published June 11, 2024 | 34 minute watch

Summary

In this conversation, the hosts discuss the Patch Tuesday updates for June, highlighting some interesting vulnerabilities. They start by joking about their YouTube thumbnail and then dive into the patch notes. They discuss a Windows Wi-Fi driver vulnerability that allows remote code execution, the dangers of close access bugs, and the need for mitigations and monitoring. They also talk about kernel elevation of privilege vulnerabilities and the importance of container security. The conversation then shifts to the risks of phishing and the implications of Microsoft's Recall feature. They also touch on the high number of CVEs published in a single month and the need for a proactive mindset in cybersecurity. The hosts conclude by discussing a remote code execution vulnerability in Microsoft trace files and the potential risks associated with it.

Transcript

Tom Bowyer: Happy Patch Tuesday, everybody. We made it to June. And man, this one is a doozy of a Patch Tuesday. To say the least, there are some very, very interesting vulns in the patch notes that we've been reading today on this beautiful June Tuesday. To think that it's already June is crazy, you know, and it...

Jason Kikta: So good.

Tom Bowyer: is just a kind of time machine in this industry. So yeah, welcome. Thank you all for your continued support of our podcasts. If you're not aware, we have many other podcasts that we produce here at Automox. There is the CISO IT podcast led by Jason, and it is a great addition to your monthly listen. If you are interested, please go check it out. And we have some other product and...

IT related podcasts as well. So they are well worth the listen if you have the time. So thanks again for your continued support. And yeah, we look forward to you spending a little bit of time today with us as we ramble through these patch notes, like we typically do. And the first one that we saw that's really got us laughing honestly is CVE-2024-30078,

which is a Windows WiFi driver, remote code execution vulnerability. And it reads, right? It reads, an unauthenticated attacker could send a malicious networking packet to an adjacent system that is employing a WiFi networking adapter, which could enable remote code execution. Now this to me feels like some...

Jason Kikta: RCE.

Tom Bowyer: late 90s security if I have ever seen it and man is this just not one of those like shaking your head type vulnerabilities.

Jason Kikta: It's pretty amazing. I mean, I would have definitely had some fun with this in my younger days. I just, yeah. And it's only a CVSS of 8.8, but that's because you have to have close access. And I was happy to see it's at least not publicly disclosed or publicly known.

Tom Bowyer: Hahaha.

Jason Kikta: exploitation in the wild, but wow, just wildly damaging. And depending on the particulars of how the exploitation path looks, this could be something where, you know, you could really snap up a lot of systems. I mean, bugs of this nature, while rare, are very dangerous, and they're dangerous because

the danger comes from a different access to which people are used to. And what I mean by that is, you know, this isn't great for exploiting somebody across the internet, you know, and, and I am in Russia and I want to exploit a bunch of systems inside the United States. This is not the bug for you, but you know, if you're

look into, you know, slap the WiFi magnetic antenna on the roof of your Nissan Sentra and go like cruising around through some, the burbs and build you a little button. It, you know, this, this thing's got your back and it can a bug of this nature. I mean, this could get corporate machines that are sitting there and, you know, if, if you have people who are working from home, I mean, this is why I hardwire in my corporate machine and disable the WiFi.

is that I live in fear of bugs like this from my younger days. But you know, you can also you also get lots of personal machines and God, this would be a fun one for for Black Hat and Defcon this year. Matter of fact, I'm I'm sure there are people who are probably disappointed that this this didn't come out after Defcon because this would have been a blast there and probably still will be because.

Henry Smith: Yes.

Jason Kikta: Yeah, right. Yeah, Henry, right. Like it's June and that's not a lot of time to the beginning of August.

Mat Lee: Yeah, that reminds me of last year at Defcon where as we were walking around the conference, a few of us started getting spammed with, hey, do you want to connect to this Apple TV? It was over and over and over. And at first we were like, is there just some app? Is there an Apple TV around or what is what is going on here? And

One of our cohorts actually accidentally clicked like yes, because it was just spamming and spamming. He was going to try to go to his messages. Well, it popped up on the bottom there. He hit continue. Nothing really happened, but then he was like, I think I'm going to wipe my phone just to be safe. And we later found out there was a researcher that posted on Twitter that. They were just walking around with this Raspberry Pi and it was just.

Jason Kikta: Ha ha ha ha ha ha!

Mat Lee: spamming BLE packets with this to every single iPhone. And I think some of the ramifications were that if you accepted, it would send some iCloud tokens or something because you need those to connect to devices in the network. So the possibilities seem sort of endless for this one too in like a physical setting.

Henry Smith: and that individual will never go to Defcon again with Bluetooth enabled.

Mat Lee: Yep, well, the. The scary part about that was even if it was on airplane mode, it would still spam so like you would have to go physically turn off Bluetooth because airplane mode didn't technically turn off Bluetooth. So that was another thing I found out.

Henry Smith: But yeah, I'm... go ahead.

This one is just absolutely wild. I'm kind of thinking of like war driving, but instead of looking for just unsecured networks, you're just trying to get an RCE. I'm just picturing someone sitting in like a white van outside of an office just spamming, praying that they get some kind of RCE. So this is definitely one for the books.

Jason Kikta: Yeah, well, in close access bugs like this, you know, because you have full remote access, far side of the internet, you have physical access, I can touch the machine, I can plug something in. And then you have close access, which is, you know, I'm within, you know, pretty standard RF range of my target. And close access bugs are rare, especially one that'll give you RCE on the victim system. But...

Man, are they just, they're, they're wildly valuable. And this takes me back to my Cyber Command days where, you know, we'd be doing an exercise or something and some very serious Air Force guy would come in, lay down a target package and be like, okay, you know, here's a simulated like building in Russia or wherever. And like, you know, like, what are you guys going to do to this building? Like, how are you going to cyber it? And I look at him like, okay, buddy, that's not how any of this works because I have no, like you've given me

map coordinates on a grid, but like, just because you know where the building is, or we could get close to the building, doesn't give me any ability to access their networks, right? I need to find where they are on the internet. I need to characterize their IP space. I needed to see what options I have to get in there because that's how the majority of exploitation works. But with a bug like this, you know, something like that.

is in the realm of feasible where you could, you know, fly by or drive by or go by in a boat from a distance with a, you know, an antenna that's a very expensive version of a Pringles can purchased by Uncle Sam and point at the building and actually exploit into that place because that place controls the thing that you're interested in or, or whatever. You know, these, these sorts of bugs are not science fiction. They're just rare, but, but.

That's what makes them so interesting, I think, because they really change people's threat models very quickly, because it adds that aspect that's most of the time just reserved for science fiction and bad TV shows.

Henry Smith: I know we're not supposed to hang on to the topic for too long, but I'm curious, honestly, if someone can't patch this, what realistic mitigations do they have?

Jason Kikta: Yeah, I mean, it's hard if they, you know, and if you look at the operating systems that are affected, it's all of Windows 10, all of Windows 11, Server 2008, 2012, 2016, 2019, 2022. So that's probably, that means it probably goes even back into like, I'd be a little bit surprised if this isn't in Windows 8.1, Windows 7, XP, like this, this,

probably runs the full gamut. And if you don't have extended service on those, you're in some real trouble there. So your obvious mitigation is to wire in with ethernet and disable the WiFi driver. But that's not always feasible for people. Some links, your only option really is WiFi. And so, yeah, you don't really have a good option there.

Tom Bowyer: Yeah.

Henry Smith: or have logging enabled?

Tom Bowyer: You

Henry Smith: All you can really do is monitor for that activity, right? I mean...

Jason Kikta: Right, right. And again, you know, are we talking about a corporate system or a personal system? But you know, like this is, this is a reason of like, especially if you live in a population dense area or God forbid you live around college students, you know, might be time to upgrade that old gaming system that's still link, you know, or, or testing toy system sitting in the corner that's still limping along on some old OS that doesn't get patches because,

You know, or, or finally run the Cat5 over there, even if it's ugly and you don't have a good way because you know, that thing is now a serious liability.

Tom Bowyer: Yeah, absolutely. And it's just, you know, typically the, the WiFi kind of attack surface was always focused around like the cryptography of WiFi. Right. I think back to like 2017 or 2018 and the KRACK attacks, right. And WPA2 where you were able to like read encrypted messages. If you were in range of somebody, you were able to do like that, that attack, that KRACK attack and it.

Jason Kikta: Mm-hmm.

Tom Bowyer: Moving from that to RCE, I think is just such a shock for a lot of people these days because WiFi is almost forgotten now because most people just take it for granted these days. Like it's safe, no one's going to do anything with it. And I kind of moved on.

Jason Kikta: Yeah.

Yeah, but it was always about coexisting on the land and taking advantage of coexisting on the land. Not, I'm just going to fire RCE straight at your system. Easy peasy. One fell swoop. Like that's whole new level of danger.

Tom Bowyer: Right. Yeah, exactly. Yeah. So if you're bringing your laptop to Defcon or Black Hat this year, just don't. That would probably be the best, especially if it's a Windows device, you know? But, yeah, I'm really curious how this one plays out, the rest of today and the rest of really this month, because I feel like this is just...

Mat Lee: Just don't.

Jason Kikta: Just don't.

Tom Bowyer: It's going to be a news cycle, right? Like the, one of those news cycle bones that kind of puts us all paranoid about WiFi attacks now and all those vendors that were selling those WiFi protection suites, you know, they're going to be spinning back up and.

Jason Kikta: Yeah.

Henry Smith: Yum.

Yup, I was just thinking that vendors are gonna start coming out of the woodwork like, hey, I have a solution for that.

Tom Bowyer: You

Jason Kikta: Can't wait for the pew pew maps on this one.

Tom Bowyer: like all the rogue access point detection stuff that like 10 years ago everyone was really hell-bent on because of those attacks and it's all slowed down now. All this stuff will, you know, reinvigorate all that.

Good times, for sure, with this one.

Henry Smith: just thinking like with an MSP hat, you know, I don't know that I would really be, I mean, sure, my SSID, I've got everything password protected. I would just kind of move on from there. I wouldn't even think that this would be possible. And then lo and behold, here we are.

Jason Kikta: Yeah. And you know, there's going to be a gold rush to figure this bug out too. And, and there's gonna be so many dazzling flavors of this on GitHub and people are going to be putting modules in Metasploit. Like, yep. Learn, yeah. Learn the, learn, learn, what is this? CVE-2024-30078, learn it. Cause, we're going to be, you're going to hear this one for a while.

Henry Smith: Can't wait.

Tom Bowyer: Yeah, absolutely.

Yeah.

Henry Smith: like a CTF or a Hack The Box eventually.

Tom Bowyer: goodness. Yeah. It'll, yeah. Capture the packet type attack, right?

Jason Kikta: I mean, I would be disappointed if it's not.

Mm-hmm.

Tom Bowyer: Well, there's some other good ones too in the patch notes. So, you know, the next ones, the next few that really caught our eye are around Windows, the Windows kernel and, you know, CVE-2024-30064 and 30068, which are pretty standard, if you could call them standard, you know, kernel elevation of privilege vulnerabilities

coming out this Tuesday, so it is, yeah, more to worry about. Mat, I'm really curious your take on a couple of these.

Mat Lee: Yeah, so I think they're pretty similar. I think they both take advantage of these app containers that Windows has. One of them, 30068, is basically you can gain system privileges. The other, 30064, is you basically gain privileges of the running process that this exploits. So running inside the app container.

And, you know, I think, I don't think app containers are your typical, like, Docker containers, but they are a way to isolate workloads from the host and a sort of sandboxed, if you want to call it that, environment. And it just highlights, you know, that any container, whether it's an app container or a Docker container, anything you might want to think of as a container or not. You know, I mean, there was one the other week with that,

whatever that confidential computing container stuff too, where even though they are sandboxed, I think you still have to be careful of what you're running in them, the security behind them, especially with 30064, running that process as not system, because if you can exploit that and that process for some reason is running as system, it can be system on the host. So just more, I guess, container security

that has come out from, from these. So, yeah, just always follow the best practices. And, yeah, don't run your containers as root or system.

Tom Bowyer: Yeah.

Yeah. And I think that's kind of the general consensus in the industry right now. It was like, at least from what I've seen, you know, there's kind of like this really bad excuse that people have like it's running in the container. I don't need to worry about anything. Right. And it's like, well, okay. Maybe, well, your network is isolated or your, your credentials are isolated or something, but like breakouts are probably more common than people imagine. And this, this really just shows that. Right.

Jason Kikta: Mm-hmm.

Tom Bowyer: Like you still should follow best practices, even if you're running things in an application container or your traditional Docker container, or even like a LXC container in Linux, right? Like those namespaces can be breached. Those things can be escaped. And it's very, very common to have these type of kind of breakouts.

Jason Kikta: I mean.

Yeah. And I think it's like, there's a certain level of hubris involved to say, I'm going to have a sandbox inside a container inside an operating system inside a hypervisor, you know, and like, you know, rows of, you know, walls will protect me and not, not wanting to pair that with other best practices, like not running it as system, but, but it's just simply.

I think it's foolish. And I understand that some of those things are still around because of legacy setups that take a while to migrate. But if the steady stream of container escapes that we've seen, I mean, because I remember if we talked about this last month or the month before, but one of them had quite a few container escapes as well. And so these are serious and they need to be treated seriously. And.

And it's not just simply the matter of patching them in a timely manner. It's a matter of, you know, you need to assume some level of escape that escape is possible and build mitigations around that as well along with detection, you know, and.

Tom Bowyer: Yeah, I'm always so paranoid too, because a lot of this stuff, containers in general, obviously not the containers mentioned in this one, but just containers in general are always multi-tenant, right? Where you're sharing tenancy with another customer, and you might not necessarily have control over what that other person is doing or how they're using their kind of virtualized environment. So it...

Mat Lee: And.

Tom Bowyer: You know, that the kind of industry thought around, well, it's running in the container. I don't need to worry about the hosts has always kind of irked me the wrong way because like, yes, it's containerized. Yes, it's virtualized, but there's still that underlying host that needs protection, that needs monitoring, that needs watch because these breakouts are common enough that it makes me extremely paranoid. You know?

Mat Lee: Yeah, and I think always check your defaults, right? Like things are not always secure by default. Like as an example, in your Dockerfile, like if you don't specify a user, that thing runs as root. So it's little gotchas like that, right? Where, you know, using something like Semgrep to, you know, pre-commit, like scan your Dockerfile, make sure that you've got your defaults there

all set, because there's a lot of gotchas that if you don't specify something, it will have unintended cons, unintended consequences, which it's not the case all the time, but it is good to audit that.

Tom Bowyer: Absolutely, absolutely. Speaking of unintended consequences, right?

Henry Smith: Enough.

Jason Kikta: Well, but before we go on though, like I, I think, sorry. And now, now I'm pulling a Henry, but I think this is a, this discussion is a great segue to something that I was originally intending to bring up at the end of the podcast. But I think now is very timely that, you know, we saw, I think back on June 2nd, someone posted the statistic that for the first time ever, there were over 5,000 CVEs

Tom Bowyer: Hehehehe

Jason Kikta: published in a single month, right? And that was in April, right? So an average of 164 CVEs per day and nearly double the 2023 publishing average. So that milestone isn't, I don't think that that tells us on its face whether or not things are getting more or less dangerous, right? 5,000 CVEs could be

we're making less secure software; it could also mean that we as an industry, as a community, are getting much better at detecting issues and creating CVEs and maybe, and hopefully, getting them solved in a timely manner. But the point is, is that, you know, the number of vulnerabilities is on its face high. And so, you know, this is a great example of, of an area where you need to have that broader mindset beyond just

patching all vulnerabilities as they come along; you need to have that sort of secondary methodology in place to prevent or restrict damage and also to detect when things have gone awry.

Tom Bowyer: Yeah. And I'll probably get dragged for this, but I think partly in the last five to 10 years, a lot of it is based around the usage of open source where we have developers that will kind of, you know, just pull packages from really anywhere. And that it leads to a lot of this like vulnerability debt within, within products.

Jason Kikta: Mm-hmm.

Tom Bowyer: And, you know, pinning packages obviously is the best thing to do, but I often find that those packages really never get updated and they just consistently collect these vulnerabilities over the months and months and years. And now you have 10, 20, 50 millions of vulnerabilities in your product. And you're, how do I get to, how do I even start here? Right.

Mat Lee: Yeah. And I think, kind of going along with that proactive mindset is, you know, trying to stop those CVEs in the CI/CD pipeline. Or even, as me being a Kubernetes shill, you can set up an admission controller, right? To scan your images, like the images within your containers, within your pods.

And if any like critical CVEs come up, whether they're recent or old, it won't allow those pods to be scheduled in your cluster. So as an example of things you can proactively do in deployment and continuous integration is like put those checks in place so that you stop those before they actually enter your environment.

Jason Kikta: All right, let's make Henry really happy and talk about the big pile of phishing fuel that we see this month. Henry, you want to start us off on this one?

Tom Bowyer: hahaha gonna go. go.

Henry Smith: even know where to begin. Let's see.

Jason Kikta: I mean, 11 is a lot.

Henry Smith: Yeah, I was just going to count them. Yeah, I was going through everything. I think I counted 11 CVEs that somehow like there's some aspect of like phishing or like, I guess, tricking a user into executing something or opening something. And I think, you know, this Patch Tuesday is really kind of eye opening about why you should.

be concerned about the real risk of phishing in your organization. And I mean, these vulnerabilities are even more critical with Microsoft's Recall. Screenshots of everything you've looked at, plain text database of everything a user's done, that whole concept of, hey, my machine is safe because it's only just a window to the cloud, like the stuff we have living in the cloud, everything's fine. Well, with Recall, all that kind of goes right out the window.

Jason Kikta: Yes.

Yeah. And, and I was planning on dragging Recall pretty good. And I was very happy to see that on, I believe it was Friday, Microsoft, you know, released updated guidance saying, Hey, it's now going to be opt in. You're going to need to use Microsoft Hello to enable it. You're going to need to use Microsoft Hello to access it. And when Hello has not been used to access it, it will be encrypted at rest. Like those are very positive changes from what had originally been proposed.

But as with all things in security, the devil is in the details. And so how are they going to do a Hello prompt per query? That seems unlikely to me, right? So OK, it unlocks. How long does it unlock for? 5 minutes, 10 minutes, 15 minutes. And if I have remote code execution on a system, that just makes it like the.

The chance that that's unlocked, which has now become a chance, not a certainty, but still the chance that that's unlocked really reduces the amount of dwell time I need on an individual system to capture the information that I'm looking for. And so like, that's what makes it very, very dangerous. Cause they didn't put in anything about their, about, we're going to recognize passwords. And, you know, sometimes users have very complex bank passwords and they turn on the visibility so they can.

you know, spell check it before they hit enter, right? Cause not everyone's using a password manager. Like sensitive things are not always masked and having a database that has images and also, you know, text representation of those images that's easily searchable means that I can dwell for a very minor amount of time on that system and really get a lot of bang for my buck rather than having to watch and wait for you to then go and access those things. I've got this.

machine that I can go into and just have a have a run through that.

Mat Lee: shout out to John Hammond. I watched his video yesterday or Saturday night. I think that was a really good walkthrough of like how dangerous this actually was. He went and looked at all the screenshots and went through that SQL database. And it is, it's a lot of stuff that's just sitting there. Kind of right in the open. and he was, it was more, it felt, it felt more exploratory for him.

but I think the way he presented it was really easy to digest. I mean, it's probably easy to digest in general, but his walkthrough was pretty cool. So, if you have time.

Jason Kikta: Yeah, John Hammond and Kevin Beaumont have really been doing a fantastic job of laying out the danger here. And it's an interesting capability. I think it has some utility, but this is, you know, we're very much, it very much feels like a Jurassic Park thing of we got a little too focused of if we could and didn't think about if we should.

Mat Lee: Yeah, and I think there was that tool, TotalRecall, that came out, I don't know, a day after or something, that nicely packaged all the stuff up for you and then ready for exfil. So...

Jason Kikta: Yep.

Yeah. And yeah, and I always have mixed feelings of those things. Like I see some of that stuff and I want to be like, like that's so dangerous because now the knowledge level needed to take advantage of this just dropped through the floor. But on the flip side, without people like Kevin and John raising awareness and without somebody creating TotalRecall, when would Microsoft have changed their policy? Because there is just so much pressure in the industry right now to like,

build in AI, build in more AI at any cost. And it feels like many vendors out there are just throwing anything they can at the wall to see what sticks with consumers and what they like and what they want to use that there's a lot of an elevated danger over normal product cycles.

Tom Bowyer: Yeah, I saw some argument on LinkedIn last week about something similar to where, you know, people are arguing that like, you don't even have to care about vulnerabilities unless it has a Metasploit module, right? It just reminded me of that, you know?

Jason Kikta: Right.

Cause that's a mentality that some people have. And so, you know, the people who create modules for Metasploit aren't entirely wrong when they say that, you know, their work helps get attention on bugs. It helps get issues resolved and fixed because otherwise, you know, people won't move on them. Either vendors won't move to create a patch or the, you know, the, the customers won't move to patch it.

Tom Bowyer: Yeah.

Mat Lee: Yay.

Tom Bowyer: Yeah, absolutely. And another one that popped in my mind was, you know, CVE-2024-30072, which is remote code execution when you're parsing Microsoft trace files, right? I'm curious, Henry, your thoughts here on this one.

Henry Smith: of that impactor.

Jason Kikta: the

Yeah.

Henry Smith: Yeah, again, I'm just kind of putting on like my MSP hat, you know, coming from the MSP space or maybe even the support space, you know, you might need to view these files as part of your troubleshooting. And I could, I could definitely see this as an attack vector, like, hey, support, I really need help. Like, can you help me figure out this problem? And here's this trace file. Can you open it up and just see if anything pops out at you? And next thing you know, they have, what is it, RCE'd

your system. So, this is one that has definitely caught my eye just from like an IT perspective.

Tom Bowyer: Yeah, you know, because threat actors would never ever pretend to be IT support or... How dare you say that? Yeah, but...

Jason Kikta: Never.

Mat Lee: You say people lie on the internet?

Jason Kikta: It's just that's hurtful, Tom, how could you?

Henry Smith: And those, you know, IT employees typically have high privileges too. So it's, if you're getting, if you're getting RCE on their system, you probably, you're going to make out pretty good.

Tom Bowyer: fast.

Yeah, I'm definitely with Henry on this one. This is one of those like, you know, I know the Scattered Spiders of the world are targeting kind of the Okta environment, but I feel like this is something where it's kind of right in that wheelhouse, you know, like here, look at my trace file, and you just double click it and that's it, you know, easy.

Henry Smith: I can't even see someone posting it on like a public like Stack Overflow or something like, like, hey, I'm having problems like, like, I can't figure this out guy, help me. Yeah.

Tom Bowyer: That's true, that's true.

Jason Kikta: Yeah! Whoa! Whoa! That's a spicy one.

Tom Bowyer: That's a good one. Yeah, that's good. No, absolutely. You know, that's that kind of information sharing is really common. You know, we kind of blindly trust strangers on the Internet probably more often than not. And, you know, let me just look at this random trace file. You know, I'm always paranoid about PDFs nowadays, too.

after some of that, after all those overflows and Apple, like every time I see a PDF, I'm like, do I really have to open this thing? Right. Cause it just feels like another one of those things, like the WiFi module thing where it's just like, you've just been blindly trusting the systems for so long. And now like, I have these second thoughts around.

Jason Kikta: Right.

Tom Bowyer: those things. It's just... Yeah, real paranoid. Anything else we want to chat about today?

Jason Kikta: I think that's it.

Henry Smith: I'm pretty tired after this.

Tom Bowyer: going for a while. Awesome. Well, thanks everybody for listening. We appreciate your continued support. Like I said, we're up over, I think, 18,000 subscribers now on YouTube. So if you enjoyed listening to us ramble today, we would love if you would like and subscribe and check out all the other. I had to say it. I said it.

Jason Kikta: You said it.

Mat Lee: He said it. You see that little bell icon? Hit that thing too.

Tom Bowyer: I'm practicing for my streaming, my streaming career, you know?

Jason Kikta: I'm waiting for my middle schooler to just appear at my office or to hear the magic words.

Tom Bowyer: And if you're looking for a certification, Automox just released our Level 3 Pro certs. So check out the Automox University. If you have time, it is well worth it. We have free trials. So you can go ahead and get yourself signed up and go about testing out our wonderful platform we have here. But thank you all for listening. And I hope everyone has a great June and a wonderful rest of your Tuesday.

Takeaways

  • Close access bugs can be very dangerous and require additional mitigations and monitoring

  • Container security is crucial, and best practices should be followed to prevent vulnerabilities

  • Phishing remains a significant risk, and organizations should be vigilant in protecting against it

  • The high number of CVEs published highlights the need for a proactive approach to cybersecurity

  • The Microsoft Recall feature has raised concerns about privacy and data security