Patch Tuesday: November 2023

Read the November Patch [FIX] Tuesday Transcript

Tom Bowyer: Happy Tuesday, everyone, and welcome to our first-ever episode. First ever. Fix Tuesday at Automox. Now we threw this podcast together to just discuss Microsoft's latest Patch Tuesday release, kind of go over vulnerabilities that we found interesting, and have a little discussion about those. My name is Tom Bowyer and I'm the Director of Security at Automox there is one more with me and I'll let him introduce himself.

Jason Kikta: Hi, I'm Jason Kikta and I'm the SISO here at Automox and really excited to be starting this off with Tom.

Tom Bowyer: Super excited. So, November is actually pretty late on vulnerabilities this time, but there are a couple worth discussing.

Jason Kikta: November's that are light on vulnerabilities. they always make me paranoid because I assume it's just the calm before the storm because they just want to like really wreck the holidays it's, uh, you know, it's one of those things that, that like, you want to take it at face value, but you know, the set natural security paranoia, uh, always, always makes you wonder like, okay, well, what's coming next.

Tom Bowyer: Right. Like, who's ruining Christmas this year? Right? Is it Microsoft? Is it Cisco? Like, who's gonna ruin Christmas?

Jason Kikta: Yeah, yeah. You know, really. So many quality candidates for the holiday destruction operation Deny Christmas that, you know, it's hard to pick a favorite, but someone will figure it out.

Tom Bowyer: Yeah, like if we, you know, if the Threat Actors could just like take a break for those couple weeks, that'd be much appreciated

Jason Kikta: So this first one here is smart screen, Tom.

Tom Bowyer: Smart screen, another bypass feature, security bypass, and smart screen. It's a, you know, almost a year to the day of the last bypass and smart screen. And obviously this to me feels very nation-state right? For those that don't know what smart screen is, it's basically like a reputation-based system and Windows Defender that if you run some kind of weird binary typically on your desktop, a little pop-up comes up that says like, you know, this is not very safe. Are you sure you wanna run this? Right? Obviously, lots of people pick yes, but a bypass there is quite interesting because, you know, fun fact, if you sign your binary with an EV certificate, like an EV code signing certificate, it automatically bypasses or gains like full reputation in Windows.

Jason Kikta: Oh yeah, this is the kind of thing that threat actors live for especially state-sponsored ones. They really enjoy things that, you know, bypassing security mechanisms is nice. Leveraging a security mechanism to do your dirty work for you is even better because you, appear normal to the system and you escape a lot of scrutiny. You know, you don't get logged or if you get logged, you look innocuous and normal or even like, you know, a security positive rather than a negative. So like nothing but goodness for them there. I think another interesting aspect of this is, you know, this shows the danger of transitory assumptions because, you know, starting with the EV certificates themselves, you know, certificate signing authorities were never meant to, you know, provide a certain level of assurance that, you know, the, the assurance is that domain belongs to that certificate provider. It doesn't give a lot of assurance about the identity. EV certificates were meant to overcome some of that by requiring paperwork, but what people didn't consider is what a, you know, major US or British certificate authority can do in terms of verification and validation for a major corporation does not extend down to, you know, smaller certificate authorities, certificate authorities that have less resources in developing parts of the world. You know, writing certificates for, you know, at scale for, a number of companies who have stuff in cloud providers, like there's a lot of challenges there of just scale and scope that made, made it so that in order to keep issuing EV certificates, they kept having to water down the standards. And, you know, eventually got to the point where like EV certificates became more dangerous in many ways than regular certificates. And then, and then to, you know, Microsoft made what was probably a good faith decision that, you know, Hey, these are inherently more trustworthy at the time when they were rolled out that, you know, we will, um, you know, not let it slow down this security check, uh, probably a reasonable decision, but it was, you know, some of this transitory decision-making of they're doing this level of diligence. Therefore this is safe. Therefore we will, it can bypass a security check.

Tom Bowyer: Right.

Jason Kikta: Then that level of diligence changed, but that bypass didn't change. Uh, and you know, it just, it never got circled back to, to get repaired until, you know, it became a problem. And this one is a problem because it's on the CISA kev it's on the known exploited vulnerability database that the, that CISA maintains for the U S government and they, you know, in order for something to get on that list, that means they have to see ongoing exploitation in the wild.

And as you pointed out, it is most likely a state actor. So definitely concerning, definitely something that needs to be patched and addressed. And hopefully, anyone impacted by this will give it the due attention to make sure it gets fixed right away.

Tom Bowyer: Right? Agreed. So, you know, get it fixed. It seems very scary. So, I would say prioritize this one, I think, over all the other ones from this release.

Jason Kikta: My ultimate horror experience now. Hey Siri, stop. When you know it right, right in the middle of recording this.

Tom Bowyer: Hehehehe. Hahaha. So moving on to my probably favorite one, you know, I'm always a big fan, if you could be a fan of the breakouts, the hypervisor breakouts and you know, this patch Tuesday came with one, you know, 2023-36400 which is a Hyper-V breakout.

And it, you know, we trust our hypervisors to be safe. And I feel like any breakout is going to be kind of big news. And this one in particular, I find it to be quite interesting, right? Low privilege guest on the hypervisor, just whatever OS running. Obviously, as an attacker, I got to get on there first, but you know, having a binary that can break out into the system is absolutely incredible. I find it.

Jason Kikta: Yeah, I think that you know, for a little bit of context here, it's, it's important to understand that what's changed, and there's really been two trends driving the increase in interest in hypervisor breakouts. And the first is, you know, obviously increased use of hypervisors, right? We use a lot more virtualization than we did even five years ago, let alone 10 years ago. So it's somewhat ubiquitous in most corporate environments.

The second thing is that privilege escalation, used to be a very bread-and-butter technique and people paid less attention to it on the security side of things because they were, more worried about those initial entry vectors and trying to shut those down. And those, those ought to be the priority, but you know, there's a lot of ways around that. It could be as simple as phishing. And so once they're on, escalating privilege is extremely important to be able to either exploit that box individually or move laterally within the network. And there as a result has been a lot of hardening around privilege escalation. There's been increased and improved detection around privilege escalation. And so those have driven those two factors together have driven threat actors, both the state and criminal to look more at hypervisor breakout, right? It's instant privilege escalation. Because you're coming in as the hypervisor self essentially as the underlying hardware. And it also doesn't force you to deal with all those new safety checks and guards and detections around privilege escalation. So extremely valuable as a class of vulnerability. And this one happens to be for Hyper-V, but as a class, this is where a real sweet spot is in current exploitation techniques. And the other thing to keep in mind is that when you see a vulnerability like this and a patch for it. Actors will take a close look at that. If this wasn't their technique, especially to see if they can extrapolate something from this to use on a competitor hypervisor, see if that technique will work. So don't be surprised if, in a few weeks, we see similar patches from other hypervisor vendors guarding against it, if the specifics line up.

Tom Bowyer: Yeah, exactly. And to me, it's like, you know, when people think about hypervisor breakouts, they think of cloud environments, Azure, AWS, Google, right? But this one in particular, it feels very much like I'm running a large-scale internal network of assets, right? Because in the cloud, you don't necessarily know who your neighbors are per se, but you know, breaking out there, although dangerous.

You know, you're not necessarily targeting another customer, right? But, you know, if I'm already in the network and I have a breakout to the hypervisor, right, there could be just a low-privilege host running on the same hypervisor as, um, you know, like yours, your domain controller, right? So instant access, right? Take a snapshot, and turn it on somewhere else. Then I'm in there.

Jason Kikta: You may have this running as some sandbox testing environment for customers or demo environment that maybe has no real important data on it. It's a very low privilege, but the breakout allows them to either move into a more important system under the same hypervisor, move to that other more important virtual machine, maybe a virtual machine that's not also not important, or maybe a virtual machine that's not also important itself but has the necessary clues to be able to move laterally within that network and get into that management plane so you can get over to the systems that are really critical. So, you know, several different paths to danger there which is why this is something that we wanted to highlight forever.

So another one that we want to talk about is CVE 2023.364.22. This is a privilege escalation vulnerability in Microsoft Windows Defender. The CVE has a CVSS base score of 7.8, which sounds a little on the low side. But this one's actually somewhat concerning. The attacked vector is local. because it's a privilege escalation, that makes sense. But the complexity is low, the privileges required are low, and no user interaction is required.

Again, as we talked about with smart screens, leveraging a security product or a security mechanism is extremely helpful to actors. And it's a valuable path to get what they want to get. So this one will have a lot of interest. And if it remains unpatched, it'll be in use very quickly.

Tom Bowyer: Yeah. I mean, it's not like you can just remove Defender from your endpoints, right?

Jason Kikta: Right. Yeah. That's a pretty important one to keep. I mean, I think the only thing that keeps us from being, you know, more on fire is that, um, the list, the exploit code maturity is unproven. So, you know, the fortunate thing is there's a little bit of time with this one, but it could be a rather high-impact

Most likely it is by defender scanning something that you'll get privilege escalation, which means if you can get privilege escalation as part of that parsing process, then you're also presumably not going to get marked as malicious because you can just bypass that right away as you go to system-level privileges. So it's really kind of a twofer when you go after the actual AV or EDR itself. That's why I'd be worried about it. And these are hard to do to write. Part of the problem is parsers are hard. Parsers are what gets so many people, uh, so many products in security trouble. And, you know, the defender by its very nature has to do a lot of parsing. It's just, that it is inherent to its job. So, um, you know, not surprised to see these kinds of vulnerabilities, but these are definitely ones to prioritize.

Tom Bowyer: Doh. Great. Yeah.

Well, cool. You know, we appreciate everyone listening and hanging out with us today. We hope you enjoyed our very first iteration of Audemars' Fixed Tuesday, and we hope we enlightened you with some of the vulnerabilities we're thinking about and some of the things that keep us up at night.

Jason Kikta: Thanks so much and we'll see you all in December.

Tom Bowyer: See ya! Outro music! Bum bum bum! Yeah! Alright, let me stop. I know. Let me stop this. Alright, let me stop. I know. Let me stop this.

Jason Kikta: It's gonna be something dorky.

November Patch [FIX] Tuesday Takeaways

• Windows Smart Screen has a new bypass vulnerability, which can be concerning as it is a reputation-based system in Windows Defender.

• Hypervisor breakouts are a growing concern due to the increased use of virtualization and the need for privilege escalation.

• A privilege escalation vulnerability in Windows Defender highlights the risks associated with security products and the challenges of patching them.

• It is important to prioritize patching and addressing vulnerabilities to mitigate potential risks and attacks.