
    SN 987: Rethinking Revocation - SinkClose, IsBootSecure, Another Bad RCE

    August 13, 2024
    What is the significance of the 'sitting duck' attack?
    How does certificate revocation impact internet security?
    Why might Microsoft not fix certain Windows bugs?
    What are the benefits of using DeleteMe for online privacy?
    How does OCSP stapling improve certificate verification efficiency?

    • Security landscape evolution: Stay informed and adapt to new security issues, including 'sitting duck' attacks, critical microcode bugs, and Microsoft's decision not to fix certain vulnerabilities. Utilize services like DeleteMe to protect personal information online.

      The security landscape continues to evolve as new vulnerabilities and attacks emerge, requiring constant vigilance and adaptation. In this episode of Security Now, Steve Gibson discussed several security issues, including the "sitting duck" attack affecting over a million domains, a critical microcode bug in AMD chips, and Microsoft's decision not to fix a simple Windows bug. He also explored certificate revocation and the industry's approach to it. The episode underscored the importance of staying informed and taking the necessary actions to protect against these threats, and it highlighted services like DeleteMe that help manage and protect personal information online.

    • DNS security oversights: Simple security oversights in DNS settings can lead to major vulnerabilities, potentially resulting in malware delivery, phishing, brand impersonation, and data exfiltration.

      Many companies and organizations continue to collect vast amounts of personal data on individuals, despite promises to delete it. Meanwhile, in the digital world, simple security oversights can lead to major vulnerabilities. For instance, misconfigured DNS settings can result in domains being taken over by threat actors, potentially leading to malware delivery, phishing, brand impersonation, and data exfiltration. This issue, which has been discovered multiple times over the years, affects numerous DNS providers and can result in hundreds of thousands of exploitable domains. It's important for individuals and organizations to take steps to protect their privacy and secure their digital assets. In the case of personal data, consider using services like DeleteMe to help remove your information from data brokers. And when it comes to digital security, always double-check DNS settings and verify ownership of domains to prevent unauthorized takeovers.

    • Domain management security: Improper domain management can lead to serious security vulnerabilities, as demonstrated by the 2016 Rackspace incident where 44,000 abandoned domains were taken over by simply adding them to an account through their cloud DNS service. To avoid such risks, keep domain registration and DNS services with the same provider or properly manage DNS re-pointing when changing providers.

      Improper management of domain name servers can lead to serious security vulnerabilities. In 2016, Matthew Hickey discovered that he could take over abandoned domains hosted on Rackspace by simply adding them to his account through their cloud DNS service. Rackspace, unlike other providers, did not seem concerned about this issue. The process was as easy as creating a domain and adding desired DNS records. This issue affected around 44,000 domains under Rackspace. Other providers, such as Amazon Web Services and Digital Ocean, addressed the problem when it was brought to their attention. To avoid such risks, it's recommended to ensure that your domain registration and DNS services are with the same provider or that you properly manage the re-pointing of your registration when changing DNS providers. This incident serves as a reminder of the importance of proper domain management and the potential risks associated with shared DNS environments.

    • Windows RDL server security: Secure Windows RDL servers from the zero-click remote code execution vulnerability (CVE-2024-38077) by implementing protection measures such as VPNs, extra filtering, or port knocking to limit their exposure.

      It's crucial to secure your Microsoft Windows servers, especially those with the Remote Desktop Licensing Service (RDL) exposed, as they are susceptible to a recently disclosed zero-click remote code execution vulnerability, CVE-2024-38077, nicknamed "MadLicense." This vulnerability, which affects all Windows Server versions from 2000 to 2025, can be exploited without user interaction, giving attackers complete control over the targeted server. The vulnerability arises from a heap overflow; Windows Server 2025 ships with additional protection mitigations, but the exploit bypasses them. It's essential to secure these servers by implementing protection measures such as VPNs, extra filtering, or port knocking to limit their exposure. The vulnerability already affects many organizations, with over 170,000 RDL services identified as directly exposed to the internet.

    • AMD SinkClose vulnerability: The newly discovered AMD processor vulnerability, SinkClose, lets hackers bypass secure boot and gain deep system access, potentially making malware unpatchable and undetectable.

      A newly discovered vulnerability in AMD processors, known as SinkClose, allows hackers to bypass secure boot and gain deep access to a computer's system, potentially making malware nearly undetectable and unpatchable. This flaw affects virtually all AMD chips dating back to 2006 and could allow malware to evade antivirus tools and even survive a reinstallation of the operating system. While exploiting the bug requires already having deep access to the system, the consequences could be severe. AMD has acknowledged the finding and released mitigation options for some of its products, but details of a fix for the SinkClose vulnerability are still unclear. Users are advised to apply available patches and secure their systems as best they can.

    • AMD TClose feature vulnerability: Sophisticated hackers can exploit obscure features like AMD's TClose to gain privileged access, bypassing crucial safeguards. Users are advised to patch as soon as possible to protect against potential attacks.

      Sophisticated hackers can exploit obscure features in computer systems to gain highly privileged access, bypassing crucial safeguards. Researchers Nissim and Okupski discovered such a vulnerability in AMD's TClose feature, which lets computers remain compatible with older devices but leaves a part of memory inaccessible once it has been remapped. They found a way to trick the System Management Mode (SMM) code into fetching tampered data, allowing them to redirect the processor and execute their own code at that same privileged level. This complex bug, named SinkClose, could potentially impact a wide range of AMD-based systems, including Windows, servers, embedded systems, and Linux machines. AMD was alerted to the flaw back in October 2022, and users are advised to patch as soon as possible, as sophisticated hackers may already have discovered this technique. Microsoft, in particular, has been criticized for not addressing a separate issue in the Common Log File System driver, which allows anyone to maliciously crash any recent and fully patched Windows system. Despite the potential severity of these vulnerabilities, some companies may not prioritize fixing them, leaving users vulnerable.

    • Windows CLFS driver vulnerability: A medium-severity Windows operating system vulnerability, CVE-2024-6768, in the CLFS driver can be exploited by maliciously crafted metadata files to trigger a blue screen of death. No patch or acknowledgement from Microsoft as of July 12, 2024.

      A vulnerability in the Windows operating system, specifically in the CLFS (Common Log File System) driver, can be exploited through maliciously crafted metadata files (BLF files) to trigger a blue screen of death (BSOD). This vulnerability, CVE-2024-6768, is rated as a medium-severity issue with a potential impact on business operations due to system disruption or data loss. Attackers could pair this exploit with others for greater effect, and it could be used to hide malicious activity. Despite being reported to Microsoft back in December 2023, no patch or acknowledgement of the vulnerability had been issued as of July 12, 2024. Organizations are left with limited options, such as running Windows Defender and avoiding suspicious binaries, until a patch is released. Microsoft has not responded to Dark Reading's request for comment.

    • Extended Access Management: 1Password's Extended Access Management allows companies to manage unmanaged devices, apps, and identities for enhanced security and productivity in the remote work environment, addressing issues that traditional IAM and MDM can't touch.

      Traditional security solutions like Identity and Access Management (IAM) and Mobile Device Management (MDM) are not sufficient in today's work environment, where employees use unmanaged devices and apps, also known as shadow IT. To address this, 1Password's Extended Access Management brings all unmanaged devices, apps, and identities under a company's control without impinging on user productivity. It ensures every user credential is strong and protected, every device is known and healthy, and every app is visible, solving problems that traditional IAM and MDM can't touch. 1Password's Extended Access Management is available to companies using Okta, with plans to expand to Google Workspace and Microsoft Entra later this year. The episode also noted the DigiCert certificate revocation incident, in which a certificate that had been revoked was still being presented as valid because of OCSP stapling. This highlights the need for a security solution that can manage unmanaged devices and apps, as they are often the source of security vulnerabilities. 1Password's Extended Access Management is designed to address these issues and provide comprehensive security for the way people actually work.

    • OCSP stapling caching: OCSP stapling relies on caching of OCSP responses for the efficient functioning of the system, since checking every certificate against its OCSP server would produce significant traffic and an inefficient browsing experience.

      While OCSP stapling is an effective solution to the issues of real-time certificate verification and privacy concerns, it's important to note that the "much more recent" OCSP responses provided by certificate authorities may not always be as recent as expected. These responses have a seven-day lifetime, which is a compromise necessary for the practical functioning of the system. Ten years ago, when OCSP stapling was first introduced, the world had not yet fully transitioned to HTTPS for all connections. Today, however, with the widespread use of HTTPS, every connection returns a certificate, and without some reasonable caching of previously received and unexpired OCSP responses, every certificate would need to be checked against its respective certificate authority's OCSP server each time it's received. This would result in a significant amount of traffic and a less efficient browsing experience. Both web servers and clients cache OCSP responses, and without this caching, the entire world would be continuously querying certificate authorities' OCSP services for the latest status of every certificate. Stapling simply moves the problem to the server side. Therefore, the caching of OCSP status is crucial for the survival of the system.
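      The caching behaviour described above, as an added example that is not code from the episode, GRC, or any certificate authority: a toy OCSP responder, a web server that caches one response per certificate and staples it to every handshake, and a client that trusts a staple only inside its thisUpdate/nextUpdate window. The seven-day response lifetime comes from the text; the half-lifetime refresh interval, the serial number and the dates are assumptions. It makes the trade-off concrete: the cache reduces responder traffic to a handful of queries, but a revocation only becomes visible to visitors when the server next re-fetches, so a server that refreshes only at expiry keeps a stale "good" status in circulation for the full lifetime.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Constructed model of OCSP stapling with a seven-day response lifetime.
# The responder, server and client are ours; none of this is CA or GRC code.

DAY = timedelta(days=1)
OCSP_LIFETIME = 7 * DAY                       # response lifetime described in the passage
DEFAULT_REFRESH = timedelta(days=3, hours=12)  # assumption: server re-fetches at half-life
T0 = datetime(2024, 8, 1, tzinfo=timezone.utc)  # constructed start of the timeline
SERIAL = "0xC0FFEE"                            # constructed certificate serial


@dataclass(frozen=True)
class OCSPResponse:
    serial: str
    status: str            # "good" or "revoked"
    this_update: datetime  # when the CA signed this status
    next_update: datetime  # after this, the response is stale and must not be trusted


class Responder:
    """Toy CA OCSP responder. Counts queries so the caching benefit can be measured."""

    def __init__(self) -> None:
        self.revoked_at: Dict[str, datetime] = {}
        self.queries = 0

    def revoke(self, serial: str, when: datetime) -> None:
        self.revoked_at[serial] = when

    def respond(self, serial: str, now: datetime) -> OCSPResponse:
        self.queries += 1
        rev = self.revoked_at.get(serial)
        status = "revoked" if rev is not None and rev <= now else "good"
        return OCSPResponse(serial, status, now, now + OCSP_LIFETIME)


class StaplingServer:
    """Web server that caches the latest response and staples it to every handshake."""

    def __init__(self, serial: str, responder: Responder,
                 refresh_at: timedelta = DEFAULT_REFRESH) -> None:
        self.serial, self.responder, self.refresh_at = serial, responder, refresh_at
        self.cached: Optional[OCSPResponse] = None

    def staple(self, now: datetime) -> OCSPResponse:
        c = self.cached
        # Re-fetch when the refresh point is reached or the cached response has expired.
        if c is None or now >= c.this_update + self.refresh_at or now >= c.next_update:
            self.cached = self.responder.respond(self.serial, now)
        return self.cached


def client_verdict(stapled: OCSPResponse, now: datetime) -> str:
    """Client check: trust the staple only inside its validity window, else report 'stale'."""
    if not (stapled.this_update <= now < stapled.next_update):
        return "stale"  # an expired staple must be ignored, not treated as 'good'
    return stapled.status


def revocation_timeline(refresh_at: timedelta = DEFAULT_REFRESH) -> Dict[str, object]:
    """Revoke the certificate on day 1 and record what a visitor sees on days 0, 2 and 4."""
    responder = Responder()
    server = StaplingServer(SERIAL, responder, refresh_at)
    seen: Dict[str, object] = {"day0": client_verdict(server.staple(T0), T0)}
    responder.revoke(SERIAL, T0 + 1 * DAY)
    for day in (2, 4):
        now = T0 + day * DAY
        seen[f"day{day}"] = client_verdict(server.staple(now), now)
    seen["queries"] = responder.queries
    return seen


def responder_queries(handshakes: int, span: timedelta,
                      refresh_at: timedelta = DEFAULT_REFRESH) -> int:
    """Responder hits when `handshakes` are spread evenly over `span` behind a stapling cache."""
    responder = Responder()
    server = StaplingServer(SERIAL, responder, refresh_at)
    for i in range(handshakes):
        server.staple(T0 + span * i / handshakes)
    return responder.queries


if __name__ == "__main__":
    print("half-life refresh:", revocation_timeline())
    print("refresh only at expiry:", revocation_timeline(OCSP_LIFETIME))
    print("responder hits, 1000 handshakes over 14 days:", responder_queries(1000, 14 * DAY))
```

      With the half-life refresh, the visitor on day 2 still sees "good" for a certificate revoked on day 1, and the revocation shows up on day 4; with a server that refreshes only at expiry, the same visitor sees "good" on day 4 as well. The worst-case revocation lag therefore equals the server's refresh interval, not the CA's revocation time, and the refresh interval is the knob an operator actually controls.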

    • OCSP vs CRLs: OCSP allows real-time revocation checking but raises privacy concerns, while CRLs do not have this issue but can be large and inefficient for browsers to download. Let's Encrypt plans to end OCSP support in favor of CRLs due to privacy concerns and resource efficiency.

      Online Certificate Status Protocol (OCSP) and Certificate Revocation Lists (CRLs) are two methods used by Certificate Authorities (CAs) to communicate certificate revocation information. However, each method has its advantages and disadvantages. OCSP allows for real-time revocation checking, but it can pose privacy concerns as the CA becomes aware of which website is being visited from a specific IP address. On the other hand, CRLs do not have this issue, but they can be large and inefficient for browsers to download. Let's Encrypt, a significant CA, recently announced its intent to end OCSP support in favor of CRLs due to privacy concerns and resource efficiency. This change will not affect website visitors but may impact non-browser software. The transition is expected to occur within the next three to six months. Overall, while OCSP and CRLs both aim to address certificate revocation, their implementation and implications for privacy and efficiency differ.

    • Browser-specific CRLs: Browser vendors are mandating that CAs issue CRLs by October 1, 2022, to improve the efficiency and reliability of revocation checks while addressing the privacy concerns of OCSP.

      The current certificate revocation systems, Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP), have significant inefficiencies and reliability issues. To address these problems, the idea of proprietary browser-specific CRLs has emerged: browser vendors download and process CRLs centrally, then push updates to all installed browser instances. This approach allows faster and more efficient revocation checks, keeps them local, and prevents the worst issues with OCSP. Both Mozilla and Apple have mandated that CAs begin issuing CRLs by October 1, 2022, and Let's Encrypt, which initially opted out of producing CRLs, has since developed the infrastructure to comply with these requirements. The move towards browser-summarized CRLs is a significant shift for the industry, as it requires continuous collection and merging of individual CRLs from many sources. Despite the challenges, this approach has the potential to make revocation checking more private, reliable, and efficient for everyone. However, privacy concerns around OCSP won't be fully mitigated until all clients stop relying on it, and good ways for non-browser clients to reliably check revocation information still need to be developed. The industry continues to work on improving the certificate revocation system, and the shift back to CRLs is a step in that direction.
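      The collection and merging that the two CRL passages above describe, as an added example that is not Mozilla's, Apple's or Let's Encrypt's code (the issuer names, CRL numbers and serials are constructed): a central store ingests full CRLs from several CAs, rejects a replayed older CRL by checking the per-issuer CRL Number, drops entries that no longer appear on a newer full CRL, answers revocation lookups locally without contacting any CA, and computes the delta to push to installed clients.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed model of a browser-vendor-style merged revocation set.
# Issuer names, CRL numbers and serials are made up for the example.

Entry = Tuple[str, str]  # (issuer, certificate serial)


@dataclass(frozen=True)
class CRL:
    issuer: str
    crl_number: int                   # per-issuer monotonic counter (the CRL Number extension)
    revoked_serials: FrozenSet[str]   # a full CRL lists every revoked, not-yet-expired cert


class MergedRevocationSet:
    """Central store that folds many CAs' CRLs into one table that clients receive."""

    def __init__(self) -> None:
        self.latest: Dict[str, int] = {}   # issuer -> newest CRL number accepted
        self.revoked: Set[Entry] = set()

    def ingest(self, crl: CRL) -> bool:
        """Merge a full CRL. Returns False (and changes nothing) for a stale or replayed CRL."""
        if crl.crl_number <= self.latest.get(crl.issuer, -1):
            return False
        # A full CRL is authoritative for its issuer: entries it no longer lists
        # (typically certificates that have since expired) are dropped.
        self.revoked = {e for e in self.revoked if e[0] != crl.issuer}
        self.revoked.update((crl.issuer, s) for s in crl.revoked_serials)
        self.latest[crl.issuer] = crl.crl_number
        return True

    def is_revoked(self, issuer: str, serial: str) -> bool:
        """Local lookup: no network request, so no CA learns which site was visited."""
        return (issuer, serial) in self.revoked

    def snapshot(self) -> FrozenSet[Entry]:
        return frozenset(self.revoked)


def delta(old: FrozenSet[Entry], new: FrozenSet[Entry]) -> Tuple[FrozenSet[Entry], FrozenSet[Entry]]:
    """What to push to installed clients: (entries added, entries removed) since `old`."""
    return new - old, old - new


# Constructed feed of full CRLs, in the order a vendor might poll them.
FEED: List[CRL] = [
    CRL("CA-Alpha", 5, frozenset({"1001", "1002"})),
    CRL("CA-Beta", 10, frozenset({"9001"})),
    CRL("CA-Alpha", 4, frozenset({"1001"})),           # older CRL number: must be rejected
    CRL("CA-Alpha", 6, frozenset({"1002", "1003"})),   # 1001 expired and fell off; 1003 newly revoked
]


def run_feed(feed: List[CRL] = FEED):
    """Ingest the feed in order; return accept flags, the final store and the last update's delta."""
    store = MergedRevocationSet()
    accepted: List[bool] = []
    before_last: FrozenSet[Entry] = frozenset()
    for crl in feed:
        before_last = store.snapshot()
        accepted.append(store.ingest(crl))
    return accepted, store, delta(before_last, store.snapshot())


if __name__ == "__main__":
    accepted, store, (added, removed) = run_feed()
    print("accepted:", accepted)
    print("revoked entries:", sorted(store.revoked))
    print("push to clients: add", sorted(added), "remove", sorted(removed))
```

      Checking the CRL Number before merging matters because the store accepts lists from many sources: without it, an old list re-presented to the aggregator would silently un-revoke certificates. Real deployments also verify the CA's signature on each CRL and compress the merged set before distribution; both are omitted here.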

    • Certificate revocation and mitigation strategies: The resource-intensive and complex process of checking certificate revocation status is mitigated through local CRLs and OCSP servers. Large-scale certificate revocation requires handling a significant amount of data, but these methods help streamline the process.

      Certificate revocation and validation play a crucial role in maintaining the security of encrypted communications on the internet. However, checking certificate revocation status can be resource-intensive and complex. During the discussion, it was noted that if a large number of certificates had to be revoked at once, the resulting data would be significant. To mitigate this, local Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) servers are used. The speakers also suggested some methods for testing browser behavior when stapling is suppressed. Certificate security is an ongoing process, and it's crucial to stay informed about the latest developments and best practices. For more information, listeners can visit Steve Gibson's website, GRC.com, which offers tools and resources related to certificate security and other tech topics.


    Recent Episodes from Security Now (Audio)

    SN 992: Password Manager Injection Attacks - Aging Media, Naval Starlink, adam:ONE
    • Windows Endpoint Security Ecosystem Summit
    • Aging storage media does NOT last forever
    • How Navy chiefs conspired to get themselves illegal warship Wi-Fi
    • adam:ONE named the #1 best Secure Access Service Edge (SASE) solution
    • AI Talk
    • Password Manager Injection Attacks

    Show Notes - https://www.grc.com/sn/SN-992-Notes.pdf

    Hosts: Steve Gibson and Mikah Sargent

    Download or subscribe to this show at https://twit.tv/shows/security-now.

    Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

    You can submit a question to Security Now at the GRC Feedback Page.

    For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.


    SN 991: RAMBO - Cloned YubiKeys, Telegram vs. Signal, French Elevators, Unix Time
    • Offer to uninstall Recall was a bug, not a feature
    • YubiKeys can be cloned
    • Miscellany
    • Is WhatsApp secure?
    • Telegram vs Signal
    • French elevators
    • Freezing your credit
    • The Quiet Canine
    • Unix time
    • Bobiverse book 5
    • Exodus: The Achemedes Engine
    • Watching SpinRite
    • RAMBO

    Show Notes - https://www.grc.com/sn/SN-991-Notes.pdf

    Hosts: Steve Gibson and Mikah Sargent


    SN 990: Is Telegram an Encrypted App? - CrowdStrike Exodus, DDoS-as-a-Service, 'Active Listening' Ad Tech?
    • Telegram puts End-to-End Privacy in the Crosshairs
    • Free security logging is good for everyone
    • CrowdStrike hemorrhaging customers
    • Microsoft to meet privately with EDR (Endpoint Detection & Response) vendors
    • Yelp's Unhappy with Google
    • Telegram as the hotbed for DDoSass – DDoS as a Service
    • Chrome grows more difficult to exploit
    • Cox Media Group's "Active Listening" has apparently not ended
    • Cascading Bloom Filter follow-up
    • Closing the Loop
    • Is Telegram an encrypted app?

    Show Notes - https://www.grc.com/sn/SN-990-Notes.pdf

    Hosts: Steve Gibson and Leo Laporte


    SN 989: Cascading Bloom Filters - Key Card Backdoors, Fake Cisco Gear
    • CrowdStrike Exec's "Most Epic Fail" Award
    • Hardware backdoors discovered in Chinese-made key cards
    • Counterfeit CISCO networking gear
    • SpinRite
    • Errata
    • NPD breach updates from listeners
    • Looking back at old SN episodes
    • Cascading Bloom Filters

    Show Notes - https://www.grc.com/sn/SN-989-Notes.pdf

    Hosts: Steve Gibson and Leo Laporte


    SN 988: National Public Data - Big Patch Tuesday, The Biggest Data Breach
    • Revocation Update
    • GRC's next experiment
    • Patch Tuesday
    • "The Famous Computer Café"
    • IsBootSecure
    • GRC Email
    • Working through WiFi Firewalls
    • Transferring DNS
    • OCSP attestation vs. TLS expiration
    • Platform key expiration
    • National Public Data

    Show Notes - https://www.grc.com/sn/SN-988-Notes.pdf

    Hosts: Steve Gibson and Leo Laporte


    SN 987: Rethinking Revocation - SinkClose, IsBootSecure, Another Bad RCE
    • Sitting Ducks DNS attack
    • A Bad RCE in another Microsoft server
    • SinkClose
    • The CLFS.SYS BSoD
    • IsBootSecure
    • Rethinking Revocation

    Show Notes - https://www.grc.com/sn/SN-987-Notes.pdf

    Hosts: Steve Gibson and Leo Laporte


    SN 986: How Revoking! - Crowdstrike Damage, Firefox Cookies
    • Platform Key Disclosure
    • Firefox's 3rd-party Cookie mess
    • The W3C Finally Weighs-in
    • CrowdStrike Damages.
    • GRC's Email
    • How Revoking!

    Show Notes - https://www.grc.com/sn/SN-986-Notes.pdf

    Hosts: Steve Gibson and Leo Laporte


    SN 985: Platform Key Disclosure - Crowdstrike Post-mortem, Entrust Update
    • Crowdstrike post-mortem
    • PiDP-11
    • What Crowdstrike is fixing
    • Marcus Hutchins on who is to blame
    • Entrust's Updated Info
    • 3rd-Party Cookie Surprise
    • Security training firm mistakenly hires a North Korean attacker
    • Google and 3rd party cookies
    • Google's influence
    • The auto industry and data brokers
    • DNS Benchmark on Mac
    • Platform Key Disclosure

    Show Notes - https://www.grc.com/sn/SN-985-Notes.pdf

    Hosts: Steve Gibson and Leo Laporte


    SN 984: CrowdStruck - Crowdstrike, Cellebrite, More Entrust
    • Cellebrite unlocks Trump's would-be assassin's phone.
    • Cisco reported on a CVSS of 10.0
    • Entrust drops the other shoe
    • Google gives up on removing 3rd-party cookies
    • Miscellany
    • Snowflake and data warehouse applications
    • CDK auto dealership outage
    • Polyfill.io and resource hashes
    • MITM
    • Blocking Copilot
    • Blocking incoming connections via IP
    • CrowdStruck

    Show Notes - https://www.grc.com/sn/SN-984-Notes.pdf

    Hosts: Steve Gibson and Leo Laporte


    SN 983: A Snowflake's Chance - CDN Safety, Microsoft's Behavior, CDK Ransomware Attack
    • Using Content Delivery Networks Safely
    • The CDK Global Ransomware Attack
    • The IRS and Entrust
    • Polyfill.io fallout
    • Microsoft's Behavior
    • A Snowflake's Chance

    Show Notes - https://www.grc.com/sn/SN-983-Notes.pdf

    Hosts: Steve Gibson and Leo Laporte


    © 2024 Podcastworld. All rights reserved
