Patch [FIX] Tuesday, August 2024

Experts Weigh In

Summary

The Automox Security Team discusses August 2024’s Patch Tuesday, including a SmartScreen remote code execution vulnerability, a Windows kernel elevation of privilege vulnerability, and print spooler elevation vulnerabilities. They emphasize the importance of user education, keeping operating systems and software up to date, and implementing network segmentation. The conversation also touches on the need to modernize infrastructure and be aware of the services running within server stacks.

Transcript

Ryan Braunstein: 

Happy Patch Tuesday, everybody. It is August. We have made it. We are now over the halfway point in the year. And we're just kind of going over some of our CVE drops for today, and right off the bat there are a lot of RCEs this month. Super fun. Yeah, but I'm Ryan Braunstein, I'm taking over hosting for Tom Bowyer just this week, so we're having a little fun without him. And with me is Seth Hoyt. Seth? Yeah.

Seth Hoyt: 

Yep, I'm here, the Senior Security Engineer. Done a few of these now, but yeah, look forward to diving in.

Ryan Braunstein: 

Yeah, and we've snagged someone who's done like a lot of IT work over the last few years, David van Heerden from another team within Automox to join us on this podcast. So David, give me a rundown here.

David Van Heerden: 

Yeah, I'm the technical product marketing manager for Automox, but I only snuck into that team after about 10 years of doing IT work. And don't mind my shameless product placement here of our Otto mascot and our associated Lego set that I build on my own podcast. So another shameless plug for me.

Ryan Braunstein: 

Yeah. Well, thanks for taking some time out of your day, David, to hang out with Seth and I. Yeah, so we'll just jump into it. We got CVE 38180. It's a SmartScreen prompt remote code execution vulnerability. It would be really easy to trick somebody into, you know, engaging with this on their machine. It can, you know, either be as simple as like a phishing email or a browser extension. And it looks like, yeah, the file could easily be disguised as some kind of application with a launcher that requests no UI. You know, I think this really kind of speaks to understanding the importance of like what you're running on your device to your user base and kind of engaging with them to be aware of what comes in in the email, what browser extensions are coming in, things of that nature. I mean, that's just kind of what this speaks to me on.

David Van Heerden: 

Yeah, I think that's the scariest part of it is how prevalent it could be in the browser extension world. I know that that's something that's very challenging for a lot of IT folks, is governing what can be installed in these browsers, because they don't need admin privs to do it.

Ryan Braunstein: 

Yeah, and I definitely agree with that. I've reviewed a lot of different browsers and managed browsers over the last few months. There's a lot out there that can really help with this type of problem, at least in the browser extension world. But I swear, I always come back to education on so many things in security, just making people aware of what can happen on their machine, you know.

David Van Heerden: 

I think the simple call to action on that front is Chrome is dominant, right? So we're all very likely using that in our environments. You might not have Chrome Enterprise deployed with your Enterprise management suite via Google Workspace. But you can still control those kinds of configurations on what extensions are allowed via your plist entries, via your MDMs.

Ryan Braunstein: 

Yeah.

David Van Heerden: 

Or you can use your EDR or some finer control tools (like Automox) that can modify those config files and enforce some extension controls. So definitely talk to your vendors in your existing stack and see how they can help you manage your extensions.

Seth Hoyt: 

Yep. With that, from the enterprise level, you have a little more protection, hopefully, with other AV products and other controls that are in place. But from a typical at-home user, this is specifically scary because SmartScreen is a big deal as a first line of defense thing, blocking...

Ryan Braunstein: 

Yeah, absolutely.

Seth Hoyt: 

You know, malicious web pages and executables and things like that. So like, you know, the at-home user, I feel, would be, you know, more at risk on their personal device than the enterprise level, because hopefully at the enterprise level, you do have that extra protection.

Ryan Braunstein: 

Yeah, I feel like people are a lot more cavalier with what they do at home, especially like just your general user. I'm not talking about like, I mean, obviously people like us, we do some pretty nuts stuff in our home stacks just for fun. But, you know, just like your average user going into their email and maybe finding something or like, this new browser like lets you, I don't know, stream the Olympics or something like that from Chrome for free or something without having to get a Peacock subscription. Now, you know, like next thing you know, your computer is just completely taken over by someone. But yeah, you've got a pretty interesting kernel elevation one, Seth.

David Van Heerden: 

You

Seth Hoyt: 

So CVE 38133, and this is a Windows kernel elevation of privilege vulnerability. So, as most people should know, the kernel, the Windows kernel, it's like the core of the Windows operating system. Like, that controls everything at like a system level, right? So with this one, an attacker could exploit the vulnerability by again tricking a user into doing something. This time it's sending a request to a malicious server. Then once that request is completed, and that can be from a phishing email, a malicious executable, a drive-by, an advertising ad, any of these things they could bake this code into to connect to that server. Once connected, it downloads that data to do arbitrary code execution.

Ryan Braunstein: 

Wild.

Seth Hoyt: 

So if this whole thing is successful, they then have kernel-level full system access admin privileges. Again, kind of like the last one, this is phishing, malvertising, malicious executables, shady web pages, that's kind of the go-to for a lot of these vulnerabilities. So you gotta take care as usual, you gotta watch out for those phishing emails and...

Again, don't be streaming the Olympics for free without a subscription, you know, because a lot of those sites, they've got those malvertising ads baked in. So you can never be too cautious visiting those sites.

Ryan Braunstein: 

Yeah.

Yeah, absolutely.

David Van Heerden: 

Yeah, I like your note on this for keeping OS and software up to date, kind of, 'cause there's that preventative action that you can do right on the defense side, which is train your users on, you know, avoiding phishing attempts and everything else as the ingress, but to be proactive is to continually update that environment and that operating system. To kind of segue the topic over to that of the broader world of Microsoft and how they are managing their operating system: I know a lot of us, you know, made that transition out of the server 2010 to 2012 and we're all bracing for impact to update to the next major version release, but it's all trending towards the new environment that like the Apple ARM world forced us into, in that kernel extensions are on their way out.

There's a big kind of geopolitical thing behind it where the EU made an argument that Microsoft was being anti-consumer and monopolistic and not allowing third-party apps to access the kernel. But I think all of these major kernel-based vulnerabilities and incidents that we've seen lately that are all centered around kernel access is helping Microsoft's case of updating their operating system to restrict that kernel access more and more. So pushing us more into user land than down into the subsystem. For that, you know, it's: be proactive, prepare your environments for those major OS upgrades is what you should strategize for in the next year.

Ryan Braunstein: 

Yeah, and until then, get a really solid EDR.

David Van Heerden: 

Yeah.

Ryan Braunstein: 

Man, and I think our last couple vulnerabilities involve, you know, printers and print spooler elevation. Yeah, yeah. But.

David Van Heerden: 

So much fun. Love it. Yeah, this one kind of nabs folks that haven't modernized their environments, which isn't kind of like a name-and-shame scenario that we're in. It is just kind of bearing the honesty of, all right, it's time to get rid of that old legacy tech and move to the new stuff, because we're just going to see more and more of these vulnerabilities pop up.

You know, thankfully the solutions out there are convenient and easy to roll out. It's just putting that manual labor in and decommissioning those print spooler services and servers and updating to the newer standards.

Ryan Braunstein: 

Yeah, I think that's an interesting conversation as a whole. Like the three of us have all been in these environments, like where we've come in and it's been like just this... I mean, not to say it like in a weird way, but like old and crusty tech. We've got like, you know, just non-modernized firewalls and old print servers that are like on Windows 2008 if we're lucky.

Seth Hoyt: 

Thank

Ryan Braunstein: 

And some of those things, they really rely on LPD, like to push out printing through GPOs and whatnot through an environment. A lot of times it's virtualized in the same stack as other servers. Like it makes you kind of like look at it and go, could they escape this server if they got like system-level access through one of these CVEs? That's...

It really highlights the importance of kind of moving forward with our tech. I'm never saying like bleeding edge all the time, especially like we've seen plenty of regressions come in, in plenty of bleeding edge, especially Linux distros. And it's just good to keep up with the times a little bit.

David Van Heerden: 

Yeah.

Yeah.

Seth Hoyt: 

And for stuff like this, when you have, you know, servers like that in the stack, you know, it's also important to have that network segregation as well. You know, that way you can kind of contain it. It might hit a couple of other things, but at least it's contained, or mostly contained, at that point.

Ryan Braunstein: 

Yeah, segmentation is the key, yeah.

David Van Heerden: 

If I put on, yeah, if I put on my like big paranoid hat, you know, I think about it of, all right, I've got that little trailer office that nobody really cares about. And it's just like sitting off of its cheap internet service over there. And yeah, you got that old clunky machine sitting in the back running that LPD server service on it. Like that one roaming laptop that connects to that network once a month...

Ryan Braunstein: 

Yeah.

David Van Heerden: 

...can then receive something very nasty if that system was compromised through this. Because once they get in, they sit and they listen. And you might not notice that they've found a way in through this vulnerability. So scan your environments. Do that health check to make sure, OK, we don't have this sitting around. The replacements out there are, again, easy to implement using Internet Printing Protocol, going over HTTPS.

Ryan Braunstein: 

Yeah.

David Van Heerden: 

So you have that encrypted communication and the authentication is already very well integrated into your environment. So yeah, don't sleep on this one.

Ryan Braunstein: 

Yeah, that's such a good point. Yeah, it's such a good point because as people are transitioning, modernizing their infrastructure, services get left on, even in the more modern end of the infrastructure. So you may not be leveraging it, but it doesn't mean it's not turned on on your stack. Or God forbid you enable something like a server feature and it turns it on for you by default and you just...

It really pays to be aware of the services running within your server stacks.

Seth Hoyt: 

Yeah, I don't know if it's been mentioned yet, but just to be clear on this specific one, LPD is something that has to be enabled. It is disabled by default. Obviously, that's a requirement for those servers, but it's not like you spin up a Windows server and this is on by default.

Ryan Braunstein: 

Yeah, yeah, absolutely. Cool. Well, that's gonna do it for us for today. Do you all have any closing thoughts, anything? Patch your stuff?

Seth Hoyt: 

Yeah, as usual, stay up to date, patch, stay off those shady web pages.

David Van Heerden: 

Ha ha.

Ryan Braunstein: 

Absolutely, and don't try and stream the Olympics for free unless it's from Peacock, I guess. I don't know.

Thanks for joining us this week, everybody. Join us next month. Bye.

Seth Hoyt: 

Yeah, have a good one. See ya.

Key Takeaways

  • User education is crucial in preventing vulnerabilities, such as phishing attempts and malicious executables.

  • Keeping operating systems and software up to date is an important proactive measure to mitigate vulnerabilities.

  • Implementing network segmentation can help contain the impact of vulnerabilities.

  • Modernizing infrastructure and being aware of services running within server stacks is essential to prevent vulnerabilities.

  • Using tools like EDR (Endpoint Detection and Response) can provide additional protection against vulnerabilities.
