June Device Threat Report

June Device Threat Report
Subscribe to Eclypsium’s Threat Report

Establishing security at the device level is an integral part of any cybersecurity strategy. In this issue of Below The Surface, we look at the most common vulnerabilities attackers are exploiting now, review the latest security advisory from Intel, assess the impact of Thunderspy and Ripple20, and present a new white paper that helps build device security into your overall cybersecurity plan. We’ve also included a roundup of this month’s news, research, advisories and other reading related to firmware, hardware and device security.

Top10 Most Exploited Vulnerabilities – No Excuses – ‘Absolutely Critical to Patch As Soon As Possible’.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government published an alert on the Top 10 Routinely Exploited Vulnerabilities with data from 2016-2019 and 2020. The most commonly exploited vulnerabilities this year involve device security – including a remote code execution vulnerability in Citrix VPN appliances – CVE-2019-19781 and an arbitrary file reading vulnerability in Pulse Secure VPN servers – CVE-2019-11510. CISA and the FBI  warned that sophisticated foreign cyber attackers are routinely exploiting these vulnerabilities. Patches are available from vendors and essential for mitigation.

Intel Security Advisories – 20 New Vulnerabilities
On June 9th, Intel released a new security advisory SA-00295, which described 20 new vulnerabilities affecting the Management Engine (ME or CSME) component. Outside of mainstream end user devices, the released vulnerabilities also affect platforms with a Server Platform Module (SPS) component found in servers, and a Trusted Execution Engine (TXE) component found in low power or embedded devices. Two of the vulnerabilities are rated as Critical and another 8 are rated as High severity. Some vulnerabilities of particular interest are detailed below:

  • The two critical vulnerabilities (CVE-2020-0594 and CVE-2020-0595) rated at CVSS score 9.8 only affect an AMT provisioned ME that is configured to have IPv6 functionality. Using an out-of-bounds read and a use after free vulnerability, an unauthenticated user could mount a remote code escalation attack with just network access.
  • CVE-2020-0566, which is rated as high severity with a CVSS score of 7.3, is similar in nature to CVE-2019-0090, which was released in May of 2019 under advisory SA-00213. The similarity lies in the usage of a well-timed RS1 DMA transaction after the ME resumes from Power Gating. Unlike CVE-2019-0090, the new vulnerability utilizes the USB DbC interface (DCI) to issue the DMA transaction. Since DCI is intended for debug capability during manufacturing, the mitigation for this vulnerability involves disabling the interface once manufacturing is complete.

We’ve added support for these new vulnerabilities to the Eclypsium device protection platform, enabling customers to easily identify which devices are at risk and assess the overall health of their device fleet. The screenshot below shows a vulnerability warning on a device with improper buffer restrictions in Intel ME firmware.

Breaking Thunderbolt Protocol Security
The “Thunderspy” attack exploits flaws in the security of Thunderbolt controllers, one of which is the concept of trust in the currently flashed firmware. Thunderbolt implements a concept called “security levels” which allows the user to determine which Thunderbolt device is to be trusted and which is not. With physical presence an attacker can simply modify the contents of the Thunderbolt controller flash chip, which holds the current firmware and configurations, and disable all the security measures completely. The vulnerabilities discovered indicate that if an attacker has physical access to a device with an Intel Thunderbolt controller, they can potentially bypass existing software protections and gain access to the targeted computer. In order to detect such tampering and exploitation users would need to check the Thunderbolt firmware and configuration at every boot, or use a tool such as the Eclypsium platform.

Ripple20 Security Advisories
The JSOF research lab has publicly disclosed 19 critical vulnerabilities, dubbed “Ripple20” which impact a widely used TCP/IP software library. The software library, developed by Treck Inc. and later incorporated and used in multiple industries and device types, shows how a single element in a product implementation can have an extremely widespread effect.

According to the JSOF, impacted device vendors range from Fortune 500 to small boutique shops in various industry segments including telecom, energy, medical, transportation etc. See the Treck Inc. vulnerability response for more.

Ensuring Device Security in Federal Environments
A new white paper from Eclypsium helps you build device security into your overall cybersecurity plan with simple steps that progress from basic cyber hygiene to preventing advanced persistent threats using the Cybersecurity Maturity Model Certification (CMMC) framework as a guideline.

Read white paper >
Register for webinar >

DEVICE & FIRMWARE THREATS IN THE WILD

INDUSTRY NEWS OVERVIEW

DEVICE & FIRMWARE SECURITY ADVISORIES

Device & Firmware Security Research

ADDITIONAL READING & LISTENING

TOOLS

UPCOMING WEBINARS

  • Improve Device Security Using The CMMC Framework – John Loucaides, VP of R&D at Eclypsium, will share insights on how attackers compromise device integrity and how you can defeat them by designing device security into your cybersecurity practices. Whether you are part of the defense industry, the broader federal government or a commercial entity, you’ll benefit from this approach to securing critical devices.