October 2024 Patch Tuesday: Experts Analyze a Long List of Spooky Vulnerabilities

Episode 12 | Published October 8, 2024 | 20 minute watch

Summary

In this episode, the hosts discuss the critical vulnerabilities released in October's Patch Tuesday, focusing on notable CVEs, including a Windows Netlogon elevation of privilege vulnerability and an RCE in the remote desktop client. They also address the CUPS vulnerability affecting Linux servers and the implications of Apple's recent updates that have disrupted security tools. 

Transcript

Tom Bowyer: 

Good morning, good evening, or good afternoon wherever you are located in this fine world, and welcome to our October kind of almost spooky edition of Fix Tuesday here at Automox. We thank everybody for your continued support of our podcast and we hope you enjoy our wonderful banter and awesome CVEs that we talk about every Patch Tuesday that Microsoft releases. So yeah, thanks for tuning in and we're happy you're following along on this almost Halloween edition of Fix Tuesday. So yeah, we've been looking at the notes and there are some very, very interesting ones this October.

Lots of RCEs in the wild, but a few stuck out to us this month, particularly 2024-38124, which is this crazy Windows Netlogon elevation of privilege vulnerability. And it's not just an elevation of privilege, it's basically, you can impersonate the domain controller and, you know, reading it.

I'm a little confused, a little shocked, a little just mind-blown that this kind of thing is possible. And, you know, was curious about your thoughts as well, Seth, of, how you would exploit something like this. And if you don't, yeah.

Seth Hoyt: 

Yeah, so this one is interesting. Again, you can potentially gain administrator or domain admin privileges. How you go about exploiting can be kind of difficult, but from what I understand so far, the authenticated attacker could exploit this vulnerability with LAN access. So it seems like you do have to have a specific level of access.

Tom Bowyer: 

Yeah.

Seth Hoyt: 

In doing so, if you get domain admin on a network, obviously at that point, you're gone. And so some of the concerning things about this and how it's done is they would have to predict the name of a new domain controller and rename their computer to match it. Then they would establish the secure channel, and rename their computer back to its original name.

Tom Bowyer: 

That's it. Game over, man.

Seth Hoyt: 

Then you can stand up your own domain controller at that point and impersonate the existing domain controller. So once you do that, you have access to a company's entire network, their entire AD structure, access to servers, all of the information, anything. So that being said, how do we prevent it? Try not to use conventional naming or anything that's predictable.

You can use secure channel validation and enhanced authentication mechanisms. These will help not make it easy for an attacker to exploit a vulnerability like this. So again, with this one, full domain admin, I can't stress that enough. I mean, that's a huge deal.

Seth Hoyt: 

I'm sure everybody in IT, that's their worst nightmare. Somebody gets in, they've got full domain admin. At that point, they could probably sit and wait and then strike whenever they want to strike. They can do all of the intelligence gathering, kind of lay quiet, wait in the weeds, get everything you want, and then exfil. At that point, the company's hosed. So yeah, this one's a pretty big deal to me.

Tom Bowyer: 

Yeah, absolutely. And I know I said it a few times on this podcast before, but this, this one to me feels like one of those. It'll be in a CTF later, whether it's going to be, you know, it, just feels like one of those CVEs. I mean, if they get a POC working, that's somewhat reliable. It'll be in a CTF somewhere, or maybe on some, you know, cyber range that you need to exploit. You have access to a host and you have LAN access. 

Now you have to elevate your privileges to domain admin. How do we go about doing that? Right? This to me feels like one of those vulnerabilities in my mind. Yeah. So absolutely. I don't know. It feels just ridiculous. Just reading it, right? It's just, that I don't even know what to say, to be honest. And it doesn't stop there, right? 2024-43468

Seth Hoyt: 

Mm-hmm.

Tom Bowyer: 

which is another critical vulnerability in, you know, Config Manager. It's an RCE where an unauthenticated attacker can craft the packet and send it to the target environment. And then it's processed in a quote-unquote unsafe manner. And then it enables the attacker to execute remote commands. And in my mind, this screams either, you know, like some kind of overflow, or they're not doing any input validation on this specific packet request. It's just that that's what it feels like to me. And Cody, I don't know if you've had a chance to take a look at this one or had any thoughts on this specific vulnerability yourself, but that's how I read it, right? Microsoft input validation not happening. Have the specific packet in. We're just sending it.

Cody:

Yeah.

Tom Bowyer: 

Right.

Seth Hoyt: 

Well said.

Cody:

Yeah,

That is basically how it reads. There's no POC for this one either, is there?

Tom Bowyer: 

No, no, I didn't see it. I didn't see whether it was exploited or not in the notes, but they're pretty confident in it being vulnerable, right? And the only workaround is updating Config Manager, right? So.

Good luck. But yeah, just another one of those. I feel like just these deep code vulnerabilities. And I don't know what Config Manager is written in, the language underneath, honestly, but like I said, it feels like there are memory safety implications here, right? Like some kind of out-of-bounds read or write or some kind of buffer overflow when you have this specific packet. It's such another interesting CVE. And I feel like Config Manager has been targeted a lot lately. The last few patch notes that we read over the last couple months, they've been in there. I mean, I haven't seen them land in the news very much. I haven't seen many POCs for them, but I know they've been in there. So yeah, if you have Config Manager, make sure you update as soon as possible because this one feels a little dangerous.

Seth Hoyt: 

Yeah, it looks like there are three different versions that are vulnerable to this. So yeah, definitely important to update as always.

Cody:

Not just update, but it also says that they're recommending an alternate service account instead of the computer account. So I'm guessing.

Tom Bowyer: 

Interesting.

So run it as a different user. Yeah.

Cody:

Yeah. And that makes me wonder if the escalation is around Configuration Manager being tied to the computer account.

Tom Bowyer: 

Yeah,

Definitely a spicy one for October.

This next one though, I think is my favorite out of all of them, even though I think it would be not so valuable as some of the other ones, but 2024-43533, which is an RCE in the Remote Desktop client, not the server, the client. And you know, my kind of hack-them-back mindset, right? This one to me feels like you can create your own remote desktop server, and all those opportunistic scanners out there that are always scanning for RDP sessions, you could, you know, kind of cause a little damage the other way. It's such an interesting attack path there, right? I was a little blown away by reading it because it's not common to see these ones going the other way, right? Like when most people think about vulnerabilities in RDP, they think about stuff in the, you know, RDP server and not in the client itself. So I felt like this one was very, very interesting and it had some kind of, I don't know, nation-state implications. If you could leverage an RDP server, and you know those people scanning your infrastructure, you could potentially disrupt their scanning mechanisms, right? Like that's where my head went when I read this, and, you know, I was just curious what you all thought about this one specifically.

Cody:

Yeah, I think that'll be interesting. Like you said, especially around nation-state stuff, because they're constantly scanning everything and the moment they find anything, you know, it's, it's a game of connect as fast as you can and get as much intel as you can. And now it's, well, you connected. So what intel do you have for me?

Tom Bowyer: 

Yeah.

Seth Hoyt: 

Yeah.

Tom Bowyer: 

Yeah, exactly. Careful what you're connecting to because,

Cody:

Yeah. I mean, that's probably huge too, because a lot of those services are probably like, they're not expecting that back, like that back connection attack. Right. So that's probably able to drop you into a lot of those scanning companies, not even just nation states, but just any, but any company that's scanning, now you might have a, you might have a pretty good in to something they thought was safe.

Tom Bowyer: 

Mm-hmm.

Yeah.

Yeah, true. Like the Censyses or the Shodans of the world where they're scanning RDP. I don't know if they're, I mean, I know they do screenshotting. Now I don't know if that's an RDP initiation or not, but I didn't even think about that. There's a potential there for those companies that, yeah, good call. Definitely good call.

Cody:

Yeah.

Seth Hoyt: 

Mm-hmm.

Yep.

Tom Bowyer: 

All right. And some other interesting news in the industry. The CUPS vulnerability, I feel like has gotten a lot of attention lately and I wanted to just briefly talk about it because, you know, initially people were underwhelmed, but I think it is worth addressing if you are running Linux instances and have CUPS exposed to the internet.

You should absolutely be patching that. And a lot of people didn't realize that CUPS was on by default in a lot of these distributions. So people are just doing what they do, right? They turn on servers, they 0.0.0.0/0 them to the world and let in all traffic because they're trying to SSH and they're confused on how security groups work or something. I don't know.

Seth Hoyt: 

Yep.

Tom Bowyer: 

But I feel like that's a lot of the misconfigurations nowadays. It's mostly just laziness and not necessarily anything else, because this stuff isn't turned on by default in, say, AWS. Like you have to set a security group open to the world, both TCP and UDP. Right. Like, what are we doing here? That was my thought when this came out: why are there so many, you know, potentially hundreds of thousands of servers with a print daemon exposed to the internet? But yeah, curious to hear your thoughts on that.

Seth Hoyt: 

Yeah, just like Windows print servers getting turned on and stuff, you know, it's just on the Linux side instead.

Cody:

Yeah, not hard to make yourself look like a printer either, since all you have to do, this one, there's just a UDP packet, right? You just have to send a packet that says, yes, I am a printer, print on me.

Tom Bowyer: 

Yeah.

Seth Hoyt: 

Yeah. Basically it. You're in.

Cody:

And, you know, server happily obliges for some reason, even though it doesn't need to print anything in 2024.

Tom Bowyer: 

Wasn't there, like 10 years ago or something, or 15 years ago, there was this 4chan troll and they were sending all these images to these printers? Didn't something like that happen like 10 or 15 years ago?

And it feels like the same. I mean, I don't know. I didn't read too much into the mechanisms of what exactly happens, but it feels a lot the same, where all these printers were exposed to the internet, like actual printers. And these kids were trolling these companies by sending like thousands of images for them to print, right? Like on their printers. But

Cody:

haha

Tom Bowyer: 

Obviously this one's a little bit more dangerous because of the RCE implications, but when I first read it, I instantly thought of that from like 10, 15 years ago. Like, weren't all those kids sending pictures to printers to troll? A lot of the very same stuff we talk about here on this podcast, over and over and over again.

Cody:

Yeah.

I think the more dangerous aspect of this is they all have CUPS exposed, right? It's not just external to the world either. So you get into one of these servers; you just need that one server as an ingress point. You get on it and then all of a sudden you have access to all the other servers that are running CUPS or all the other workstations, because they're all doing it by default. So you suddenly have this really good worm potential to just blow through a network.

Tom Bowyer: 

Yeah. Yeah, absolutely. Very interesting. Yeah, because a lot of them are, I assume are built on like golden images, right? And they're just pulling down like these insecure golden images with UDP CUPS turned on by default and they thought none the wiser and they accidentally expose it to the internet and kind of game over after that, right?

Cody:

Yeah.

Seth Hoyt: 

Yep, probably.

Cody:

Yeah, it's crazy. I think you just need one, you just need one bad security group. And then all of a sudden it has access to everything else on that VPC or whatever.

Seth Hoyt: 

Yes.

Tom Bowyer: 

Yeah. And as we know, people, they're in a hurry to get things done. They don't ask for help and just expose everything to the world. Right. So I can see why. Right. And they never go back and update the image and yeah, it makes sense. Right. Like we all know how this stuff can happen and how it can be so problematic in the industry. So.

Cody:

Hmm.

Seth Hoyt: 

Spin up a new one with the image!

Cody:

Speaking of problems in the industry.

Tom Bowyer: 

What, Apple? And how they broke a bunch of stuff?

Cody:

Yeah,

Seth Hoyt: 

Yeah, might have broke a thing or two.

Tom Bowyer: 

Sequoia broke a thing or two. You know, Apple released 15, what, 15.01 just a few days ago. And I didn't see any notes whatsoever about what they updated, but I feel like the timing is awfully suspicious to me. Maybe they had an oopsie and they were going to fix the oopsie.

Yeah. But for those of you who are not aware, if you updated to Sequoia, there is an issue on 15.0 where Apple is breaking a lot of security tools. Just be aware that, yeah, those tools may or may not be working to the fullest extent, and try updating to 15.01 and seeing if that helps. But yeah, it's funny to me that a lot of that stuff showed up on the InfoSec community sphere and there was no communication whatsoever by Apple that I saw. Just, yeah. And Apple makes it so difficult to roll back as well. Like, you know, once you're on a major OS, there's no turning back. You've got to wipe and reconfigure. So you just got to full send it, basically. There's no recourse

Seth Hoyt: 

deal with it.

Tom Bowyer: 

to updating on Mac, and I find it funny. I think it's, I don't know if it's helpful or not. I respect their forward thinking, but I feel like sometimes, especially with something like this, it'd be nice if you could just easily roll back and not have to worry about it for the time being. But Apple thinks that once you update, you update, it's good enough. So sometimes you just gotta send it, I guess.

Cool.

Seth Hoyt: 

This is why logging in security is so important. If, you know, they're not going to tell you something's broken, you can always check your logs, see what's coming in, make sure it's not broken.

Tom Bowyer: 

Yeah, no kidding.

Yeah.

Cody:

It's also a good reminder not to jump on the bandwagon immediately.

Tom Bowyer: 

Yeah. And your users as well, right? Sometimes they just update by themselves without being prompted. You know, if your IT team doesn't have the bandwidth to shut down new updates, you know, the Apple ecosystem is a little more difficult to control those updates in. So yeah, it's interesting to see how I think Apple plays out in the enterprise over the next few years, because I feel like they've gotten a lot more traction these last couple of years, especially with the push for machine learning on the endpoint. And I'm curious if they're ever going to go to a more Windows-centric model for releasing updates, because there's no pre-warning on any of it. They just, the next day you've got an update, right? There's no Patch Tuesday, there's no pre-warning, there's no nothing. It's just like, good luck, man. Yeah. Awesome. Well.

Seth Hoyt: 

I wake up and iTerm is holding on for dear life, not letting my computer boot.

Tom Bowyer: 

Yeah. Yeah, iTerm is the real savior to that. So, to Apple patching. Cool. Well, anyway, happy October. I can't believe we're already in October. It's almost Halloween. Spooky season is upon us. And yeah, thanks, everybody, for tuning in. We appreciate your continued support.

Seth Hoyt: 

Yeah.

Tom Bowyer: 

There are other great podcasts here at Automox that we've produced that you can listen to. Our CISO Jason puts together a great one. So if you have time, feel free to check it out. If not, we wish you all a happy October and good luck in your patching escapades. See ya.

Seth Hoyt: 

All see you.

Cody:

See ya.