Patch [FIX] Tuesday: January 2024

Episode 3 | Published January 9, 2024 | 33 minute watch

January Patch [FIX] Tuesday, Episode Summary

In this episode, CISO Jason Kikta and Director of Security Tom Bowyer discuss the January 2024 Patch Tuesday vulnerabilities. Along with guest, Cody Dietz (Team Lead of Security Engineering), the hosts focus on two specific vulnerabilities: CVE-2024-20674, a Windows Kerberos Security Feature Bypass vulnerability, and CVE-2024-20666, a BitLocker Security Feature Bypass vulnerability.

They highlight the danger of local exploits and the resurgence of old exploits. The hosts express concern about the lack of information and uncertainty surrounding these vulnerabilities. In this conversation, the hosts discuss the origin and complexity of the Operation Triangulation exploit, which targeted iOS and other Apple devices. They speculate on the possible origins of the exploit, considering factors such as the level of expertise required and the use of unknown hardware features.

The hosts also highlight the impressive hacking techniques used in the exploit, including the chaining together of multiple vulnerabilities. They discuss the role of fuzzing in exploit discovery and the increasing prevalence of zero-click exploits. Finally, they mention the potential vulnerabilities that may arise in future messaging protocols.

Read the January Patch [FIX] Tuesday Transcript

Tom Bowyer: Happy Patch Tuesday, everyone. First Patch Tuesday of the year 2024. Can you believe it? We made it. Made it past Christmas, made it past New Year's. Nothing too major was dropped, right? Don't necessarily think anyone ruined Christmas Eve this year. That's exciting to see. The first year in a long time, and I think I remember that.

You know, we weren't having some kind of emergency meeting like the day after Christmas where we're, you know, scrambling to purchase something that needs to be purchased in two weeks because someone did something they're not supposed to do anyway. Happy Patch Tuesday. Thanks for joining us again for our third iteration of this and, you know, welcome back if you're a long-time listener to our ramblings around vulnerabilities. Again, my name is Tom Bowyer and I'm the Director of Security and IT at Automox. And today I have two guests with me, Cody Dietz and Jason Kikta. You wanna introduce yourselves?

Cody: Yeah, I'm Cody. I'm the Team Lead of Security Engineering here at Automox.

Jason Kikta: I'm Jason Kikta. I'm the CISO and Senior VP of Product here at Automox.

Tom Bowyer: And if you're listening to this, not on YouTube, Jason has a serious mug that he's drinking coffee from today. Look at that thing. That is, that is a mug of mugs.

Jason Kikta: Best dad ever. And, and it's with a monster truck. This is, uh, this is pretty amazing. I don't want to brag, but this might be one of the greatest coffee mugs that I own, which is saying something.

Tom Bowyer: It's probably the best one I've ever seen. Love it. So yeah, digging through the patch notes for today, for Tuesday again. There are some good ones. There are some good ones, some surprising ones, you know, surprising to me that we're seeing them in 2024. Yeah, surprising that we're seeing them in general, honestly. But yeah, some good stuff.

You know, I think the first one we want to talk about today is CVE-2024-20674, which is a, according to the title, Windows Kerberos Security Feature Bypass vulnerability, right? Talk about a blast from the past. You know, this is definitely a this will be in a CTF one day that you'll probably run into. And.

Jason Kikta: I mean, it's a CTF right now, probably. This CTF is live and the prizes are real.

Tom Bowyer: All right. And, you know.

Jason Kikta: You could ransom a network off of this one. This is the granddaddy of CTFs.

Tom Bowyer: Yeah.

Cody: That's so crazy too. Just that 2024 man in the middle.

Tom Bowyer: Right.

Jason Kikta: Yeah. So like a machine-in-the-middle attack on Kerberos is mind-boggling, mind-boggling, you know, like what, I mean, first of all, being vague and saying security feature when you're talking about Kerberos, which is at the heart of Active Directory, you know, like that's, that is Active Directory. That's, that's the authentication mechanism, but then to just be like, Oh, and you can machine in the middle of it. Whoa. Right. Like that is, that reflects a pretty fundamental breakdown in how the entire, uh, protocol is supposed to work. So I just.

I'm actually having trouble wrapping my head around it because this one is just so wildly dangerous and just, you know, so fundamental to what Kerberos does for authentication.

Tom Bowyer: Yeah. And you know, the other sentence in there or other local networking spoofing technique, right?

Jason Kikta: And you know, like, this is what, this is one of my complaints with CVSS scoring, not that there's a flaw in the system itself. I think it's, I think it's fair on the surface to say, Hey, if something is local to your network, that is less dangerous than something that is, you know, remote, you could just do this out over the internet. But I think what is lost on too many practitioners, even security practitioners is how quickly local can turn into remote because there's a secondary spoofing thing or, you know, you can, you know, depending on the complexity, uh, and I think this one has low complexity, uh, you know, the fact that you can, uh, potentially have it relayed by something else. That comes with a lot of asterisks behind it. And it really makes me nervous when I see like, no, don't worry. It's local. Like, uh, you know, big teeth suck like, is it though? Is it? And, and not to mention, you know, like that's not, you know, having something that's local, like that, that's not minor. And also, you know, like, so, so let's say for instance, that this is indeed local. You have to be no kidding local to that network. No ifs, and, or buts. You can't run this against an exchange machine that's facing the internet. And like, it's just, it's not feasible. You really are not kidding have to be with on LAN. That's still not a minor thing because that one is going to tend to be, um, because it's a local vector. It's going to get deprioritized, right?

People are going to say, okay, well, you know, what are the chances of a rogue employee or an actor already on the network versus this, but like, this thing is pure ransomware fuel. Like, oh my goodness, I can just, you know, machine the middle, anything on my network. And away I go. Bob's your uncle. You know, just, wow, this is going to be a long tail hairy. I mean, there are some shades of EternalBlue in this thing. It just, when someone figures out how to pop this thing and that, that exploit code inevitably makes its way to GitHub. Like that's going to be a spicy day.

Tom Bowyer: Feels like it to me.

Cody: You know, I almost wonder if this is related to, uh, you know, LLMNR poisoning's pretty popular right now. If it's just something along that line that you're just saying, Hey, I'm the Kerberos server and blasting it out on like multicast and that is like the simplest thing to do these days.

Tom Bowyer: Yeah. Right. Like that hard "or" the, in the release notes or other local network spoofing technique, right? It's like, well, you gotta be a machine in the middle. And then it's like, boom, stop dead. Or like anyone can grab Python and craft a packet and just multicast it out to your entire LAN. Yeah. It feels very, um, you know, this just feels like one of those old-school Windows AD attacks, right? Just surprising to see in 2024 given a lot of AD has moved to.

Jason Kikta: Benjamin Delpy is probably kicking himself that this isn't already in Mimikatz. He's probably just like over there in France just losing his mind of like, man, why didn't I get this one for Mimikatz? This would have been amazing.

Tom Bowyer: Yeah, exactly. And it, you know, how does this apply to whatever they're calling Azure AD now, Entra ID or whatever, right? I'm sure that's not impacted, but, you know, I feel like a lot of this should be taken into consideration, right? Like if

Jason Kikta: I don't know that we can take that for granted if you're running a hybrid environment, right? If you're running a hybrid environment, you could still attack the local AD, and now you have elevated privileges. And that might get you closer to some of those SaaS and PaaS assets that may be managed by Entra ID, or even by another identity provider like.

Once you sort of unlock that, you know, higher level administrative access in the network, there's not a lot that's beyond your reach at that point. So this is really, really dangerous to pretty much everything you own and control unless you have just really top notch and I'm talking world-class network segmentation and, you know, least privileged controls.

Tom Bowyer: Thank you. Yeah, you know, just you could always move to Mac, right? Cause they don't get exploited or have viruses. Ha ha ha.

Jason Kikta: You know, Cody, like, I feel like, am I, am I losing my mind or is there, has there been a run of things, not precisely like this lately, but you know, what's old is new again, it seems like, you know, people get in this mindset of like, oh, well we've, we've pretty much run this category to the ground now people are on to other things for exploitation. And so we don't have to worry about that anymore. But then it seems like they always come around again. Am I wrong on that?

Cody: No, yeah, I mean, you can see a lot of CVEs that kind of harken back to like Windows 2000 exploits nowadays. Like you said, I think a lot of it's just people are developing now in a different way, and they're so abstracted from some of the things they used to have to do. And they're trying to take for granted third-party solutions, and those third-party solutions are failing. Or the third-party library that's supposed to solve this thing, you know, they're moving to things that are too national and, you know, it's just kind of the reliving a lot of these same core bugs in the software. And yeah, it's a little hard to, it's a little hard with so many classes of exploits out there or like vulnerabilities out there. You just, there's just too much, too much to cover. So things are slowly getting deprioritized. And those are the things that I think I see a lot in forums too, right? Or on some of these, some of these discords where people are. It's like, it's like the newer generation of people getting into security for all the wrong reasons are all, you know, they're like, Hey, I read this article from 10 years ago and all of a sudden, you know, everybody's like, Oh, it'll never work again, you know, it only worked on Windows XP. And we saw last year at Blue Hat, right? Some of these kernel exploits were like the same thing from Windows ME or Windows XP.

Jason Kikta: I mean, I think that's a legitimate line of security research that is, you know, poo-pooed by some people, but, you know, people picking up, you know, an old copy of, you know, Phrack or PoC or GTFO from back in the day and then looking through it and going, Hey, what might still be relevant? And, you know, it's a deprecated code that bites you when you least expected it. You know, five years ago, I think it was Microsoft who had that real bad nasty vulnerability and it was in a printer driver. And I think the code or the original code was written in 1988 or something. And in fact, that's, you know, a little bit of foreshadowing that's going to come up in our, in our third segment. Um, you know, you, you think you've deprecated something, you're not really using it anymore, but the code's still there, and then whoopsie. Uh, it turns out that an attacker can still use it.

Tom Bowyer: Yeah, I think we saw some of that too in 2023 with the, uh, like the MSQS vulnerabilities. I think we talked about it, um, maybe midsummer internally where it was just this, you know, MSQS, I think that's what it is, that old queuing system in Microsoft, right? That's meant for large-scale Windows deployments that people have moved off of, but I'm sure somewhere out there in the enterprise, there's just Windows XP still running, right?

Jason Kikta: Yep. It's that old mandatory configuration that nobody's gone back and cleaned up to turn that thing off.

Tom Bowyer: Yeah, precisely. So, you know, binary exploitation, right? In like overflows and a lot of these things that we haven't seen, at least in the modern security talk, right? Most people are moving to the cloud. Most, now most people are now moving to LLMs and explaining LLMs. And there's this whole subset of things that still exist, right? Hey, fuzzing and all these other methodologies to detect that stuff is still very important.

Cody: One of the big ones too is if you have a lot of modern developers who are assuming that buffer overflows are hard because you don't see them in the news as often anymore. But then you have all the classes of IoT devices out there that are being written by these companies that were started in the seventies, right? And they still have engineering practices from the seventies and the eighties. So, you know, and even things like FPGAs, right? Like all sorts of things, you can do on FPGAs that people in modern web development would be like, ah, that can't happen anymore. But once you connect to the internet, all sorts of things can happen.

Jason Kikta: Oh, bless your hearts. About to learn some hard lessons. Speaking of hard lessons, the second one, this BitLocker, woof, woof. Talk about another, again, like something people consider to be a solved problem until something like this comes along. You know, I remember when the number one cause of security breaches was, you know.

Tom Bowyer: Oof. This might be my favorite.

Jason Kikta: Basically employees leaving laptops in cabs and on trains and airplanes and stuff. And now here comes this one. Tom, do you want to queue this one up?

Tom Bowyer: Yeah. So what Jason's kind of talking through is CVE-2024-20666, which is a BitLocker security feature bypass vulnerability, which might be the worst description I've ever heard given the fact that BitLocker is the security feature, right? But it is like it's there's no executive summary, right? It's just

Jason Kikta: BitLocker has one security feature. It is a security feature.

Tom Bowyer: A successful attacker could bypass the BitLocker device encryption feature on the system storage device. An attacker with physical access, obviously, could exploit this vulnerability to gain access to encrypted data. And I'm just like this is just one of those evil maid things. I come in, grab the hard drive and I'm off. Got it.

Jason Kikta: Yeah, it's, again, it's where the CVSS scoring system does not well articulate the risk of, you know, now you don't just have to be local on the network, you have to be physically touching the machine. So that is a, you know, that's, that's a high barrier for remote ops, but. You know, it depends on what your threat profile is and, you know, attack complexity, low privileges required low user interaction, none, you know, but CIA impact confidential confidentiality, integrity, availability, high, high. Woof. So that sounds like, you know, the exploit code's unproven, but it sounds like there is a potential way to just bypass BitLocker altogether and unlock an encrypted hard drive. And again, people have become so reliant, like it's not just about the so-called evil maid attack of you leave it in a hotel room and now.

I remember the housekeeping staff comes in and plugs in a thumb drive and steals all your data or you leave it in a public place or you know, Starbucks, you can go to the bathroom and, uh, that, that sort of thing. It's, it's not just that threat to be clear because so many modern corporations that have travel laptops have hybrid or remote workforce rely on BitLocker and FileVault and all these hard drive locking technologies for the remote wipe, right? Because it's better than a remote wipe. It's reversible. So if you inadvertently, you know, issue the command to the wrong laptop, you don't wipe out the CEO's hard drive, you can say, Whoops, you know, I didn't mean to fire you, I meant to fire Jason. So like, let's, here's, you know, here's your new BitLocker key, and the CEO's back in, and you don't end up with two firings that day instead of one.

You know, this, this is critical to that. So like, this isn't a matter of like people physically penetrating your building to get in, this could be a disgruntled employee who wants to get back into their files and now they can, you know, shut off the wifi, unplug the ethernet cable at their house, boot this thing up, take all their drives off, you know, wipe the hard drive, send it back to you, like you really would not, you know, not really have a way to prove that they stole your corporate. Like this is, this blows DLP out of the water. This is a big, big deal.

Tom Bowyer: Yeah. And especially like how does this impact in the cloud, cloud hosting environments, right? Like someone walks into the data center, and grabs some hard drives. What's, what's the deal now? And how are they, how are they responding to that threat? You know, we very much trusted BitLocker. It's almost gone. Like it's, it's gone. Like you run BitLocker, you're good. Right. You don't gotta worry about losing your laptop or any of that stuff. And I can't even remember the last time I heard about BitLocker.

You know, being BitLocker in the early 2000s, maybe like 2005, six, seven around that time, right? When there was all that drama around BitLocker. I can't remember when, but this is just, I feel like it's almost a little bit buried in here. Oops.

Jason Kikta: Yeah, this is this is very back to the future. And I think because it's been a well-solved problem for so long that a lot of people won't truly appreciate the impact this can have, and the sort of, you know, nuances of, you know, various methods of exploitation.

Tom Bowyer: Yeah, almost what's old is new again. How are they fixing this and what are the implications there, right?

Jason Kikta: Yeah, like Cody said, yeah, do you have to re-encrypt hard drives? I hope not. I really hope not.

Tom Bowyer: Right? Like, there's... Yeah, or, you know, are they changing, like, the fundamental operations within BitLocker? Right? Like, let's... And then how long's this been in here? I just feel very uneasy about this, just given, like, the lack of information, how it's kind of just put out there without much, you know workaround mitigation, there's not very much like an executive summary, and yeah just another one of those uneasy ones that I have.

Jason Kikta: Yeah. Yeah, an executive summary does not always make me nervous.

Tom Bowyer: And maybe this was like a fuzzing one. I caught it in fuzzing or, and I just don't have much information about it, but.

Jason Kikta: Yeah. I, I want to believe. I don't know, Cody, what's your, what are your thoughts on how they probably came across this or the potential impact?

Tom Bowyer: I'm spitballing now. I'm spitballing.

Cody: Oh, I really hope it's through fuzzing and not through some researcher that was like, hey, I found this simple bit you could flip and all of a sudden I've got all your data.

Jason Kikta: Funny story so all your data are belong to us

Cody: Yeah, I don't know. Having interacted with the Blue Hat research team last year, they're pretty on point for finding things. So really hopeful it was, you know, something that they just found and that, you know, quick mitigation, hopefully. But...

Jason Kikta: Yeah. That would jive with the exploit code maturity being unproven. Like that's the one glimmer of hope here, is that sounds like something that you would do for a fuzzing result rather than.

Cody: Yeah. Or that a researcher found some very inconsistent exploit, maybe. So, so.

Jason Kikta: Yeah, or hey, I have it all except for this, and if I just figure out this part that I'm in and

Cody: Yeah. Or like, you know, Hey, I found this one pointer, but you have to do it 50,000 times until you finally hit that stochastic limit or something. Okay. 5 million times. So yeah, hopefully, the exploit maturity is like when we see an exploit that comes out for it, hopefully, it's not something so very simple.

Jason Kikta: Yeah, but 50,000 times isn't very many like that sounds pretty. Yeah.

Cody: Suddenly you know you've got like Lockheed Martin and they're, you know, whatever Skunk Works project's going on right now is just gonna be on the table at Starbucks.

Tom Bowyer: Wouldn't be the first time.

Jason Kikta: That would never happen. You know who doesn't have Clownshoes Security is defense contractors.

Cody: That's not picking on them or anything.

Jason Kikta: Woo, the things I've seen, the horrors.

Tom Bowyer: The horrors. Yeah. Speaking of horrors, you know, I think that would be a good time to talk about not necessarily related to Windows or Patch Tuesday, but man, this Operation Triangulation thing is gotta be the most well-researched exploit that I've seen in a very long time.

Jason Kikta: Oh, this one is.

Cody: INSANE.

Jason Kikta: Ha ha ha!

Tom Bowyer: I think something that's really, you know, we've been following pretty closely over the last, what about really month or two months is kind of the newest zero click iMessage attack and walking through the exploit chain. It's called Operation Triangulation. So it was presented at the 37th Chaos Communication Conference. I think that's in Hamburg, right? And the researchers showed through basically, what, like six months of investigation you know, a new exploit, a new attack chain on iOS. And I think it impacted more than just iOS, right? Mac OS, probably Apple TV. I don't know who's exploiting Apple TV, but I'm sure it's all just reused all the way through and it used. Right. How many? One, what like six or seven vulnerabilities like chained together six or seven vulnerabilities with any, you know,

Cody: You remember DEF CON, bye.

Jason Kikta: Ha ha ha! As one does.

Tom Bowyer: The iOS ecosystem, right? Where we start with probably the funniest one if you can call it funny. Yeah. 2023 41990 that got fixed back, you know, mid-summer where, but you take a PDF and there's this true type font exploit, right? Then use an ROP chain. You get all the way through and then you, you know, kernel exploit.

Cody: Random true type exploited that.

Tom Bowyer: ...with JavaScript, open up Safari, do a Safari exploit, and then use that exploit to, exploit the iOS kernel, and kind of on your way to backdooring the phone, which, I mean, just reading through this thing, it's absolutely incredible. And I'm curious about your thoughts too, Cody.

Cody: Yeah, it's insane. And you know, that kernel exploit, like they have two of them that span five, I think, five different generations of processors. So yeah, it's just crazy the complexity that went into this. Or at least the research that went into this on, you know, the threat actor side. Whoever that may be.

Jason Kikta: Whoever it may be. I mean, you know, you look at it and you're like, okay, this is chaining together, uh, you know, a long series of extremely high dollar, high complexity, you know, zero-day exploits and has an extreme focus on both cleanup and targeting to make sure it's really on the right device the precise right devices and only those devices. And it kind of screams out. It screams out who it is. You know, this is, you know, I have no knowledge of this for my days in government, but like, you know, this is five eyes hacking if I've ever seen it, because it's just, you know, those are, those are there, you know, the normal priorities of the exploits.

The exploits, you know, aren't so much of a limiting factor. And you can do it in a really wild way where everything just, and I think too, the, the other piece that's just glorious here is, you know, 11,000 lines of code mainly dedicated to JavaScript core and kernel memory, parsing and manipulation. Right? Like the level of conditioning that it does on the machine to meet. The necessary conditions for the exploits to work are just phenomenal. Right. It's, this is like that, you know, kind of going back to what you were saying before Cody about, you know, Hey, we're doing fuzzing, but you know, Oh, it's just got, it's this one in 5 million chance of like, well, here's how you find one in 5 million and here's how you find one in 5 million on the fly on target. Uh, and that's pretty darned impressive. I mean, this is.

Tom Bowyer: I don't, yeah.

Jason Kikta: This is just a fantastic piece of hacking here.

Tom Bowyer: I just don't know how you, how you go about finding like, especially the true type exploit, right? That's fuzzing. That's fuzzing 100%. There's no other way around it. They're just, they're fuzzing the...

Jason Kikta: Yeah, that's been there since the 90s.

Tom Bowyer: This just screams fuzzing to me. Like there's no other way you would find it, especially this true type font exploit. And you know, usually fuzzing, you get a crash and then you investigate all these crashes and you find this, you're like, ooh, what's this? If I send this data in a certain way, you know, I get an overflow or something, and it, yeah. It all seems true. What we were talking about earlier, like I, or what you were talking about earlier, Cody, um, kind of around binary, you know, exploitation and those sorts of things where, you know, I think most of the industry has almost moved on, right? Some more practical approaches to security and there's not necessarily anyone except those with very vested interests in finding these types of vulnerabilities, you know, doing this kind of stuff, right? Like, your mom and pop's security shop is not kind of looking for crashes of this manner, investigating and contributing back to the kernel, you know, kind of to teeth... Yeah.

Cody: And your MSP sure, sure isn't either. Yeah. Like in some of this is, you know, like there were a lot of these unknown hardware features, and Apple's notorious about putting, you know, debugging points and stuff on their hardware or, uh, you know, some stack smashing. He's, he's pretty big in the Apple space and he constantly finds, you know, new things related to like the lightning chain and USB-C chain, and that just kind of screams this, right? Like you have somebody who's like spent all their life probably working at Apple and then went somewhere, not playing it did, but, and it just screams out to me that like somebody who, who had to have understood some of this debugging hardware or, you know, even just like very specialized parts of the circuits, um, you know, like, uh, one of these, uh, it's memory protection, uh, memory protection circuit, and it's not used by the firmware.

Uh, you know, like any of the Apple firmware, and it's not used by any of the hardware registers. So it's just like this unknown circuit that randomly they were able to tap into somehow. So I think.

Jason Kikta: I hope that I honestly hope that was some guy with an electron microscope who was like finally my day in the sun like I have delivered. I told you this would pay off.

Cody: Alright Larry, fire up your scope, we're going home.

Jason Kikta: That's right. This is a budget victory for somebody.

Tom Bowyer: Alright.

Yeah, no kidding, no kidding. It's just, or, you know, corporate espionage, but, you know.

Cody: Yeah, that's true too. You know, it's either somebody that had intimate Apple knowledge or they had to have gotten like some subset of Apple schematics or something that was just undocumented to the world and probably undocumented to much of the people on Apple is the way I'm reading it. So.

Tom Bowyer: Tinfoil hat commence. No, but, you know, most of the CVEs that were chained together here were fixed, you know, midsummer, so mostly you're okay. But a lot of these that were released recently, the last couple of months, I think we talked about them last month, that were released by TAG. They had similar sounding, you know, exploit paths. And they sounded very similar to some of these, so I feel, and I think we talked about it last month as well. I feel like this is becoming way more common, especially in 2023. I don't think I've seen as many zero-click exploit chains in iOS as I have in the last few years. And I think they're only going to become more common as more people shift over, right? I am kind of tired of the Windows lifestyle and you don't want to give Mac a try. I can't imagine the care and feeding that went into this.

Cody: Yeah, but the next one I envision is when Apple moves away from their SMS protocol onto that new one. I'm blanking on the name.

Tom Bowyer: Yeah. The one where it co-ops with Google, right? Like it's all together. I mean, just typical SMS is pretty insecure as it is, but I feel like, um, you know, now you have kind of one protocol to fuzz and you can really do some damage. Right.

Jason Kikta: What could go wrong?

Cody: Yeah, I think that's going to be the next big one. Yeah, because at that point you're going to be able to hit, you know, a large swath of phones and every, every iPhone. So they're probably going to start chaining together that new, that new messaging service into something like this. And we're just going to see a whole new class of zero clicks through that.

Tom Bowyer: Oh yeah. Yeah, 100%.

Jason Kikta: Yeah.

Tom Bowyer: Well, that does it for us today. This wonderful first patch Tuesday of 2024. We thank you all for coming and listening to our ramblings around vulnerabilities. And we hope you all have a great 2024. And, um, again, thanks, for listening. Any parting words, Cody or Jason?

Jason Kikta: Parting words?

Cody: Fuzz your stuff.

Jason Kikta: Fuzz your stuff.

Tom Bowyer: Fuzz your stuff.