Healthcare Cybersecurity

Russian APT Group is Targeting Organizations Involved in COVID-19 Research

The APT29 hacking group, aka Cozy Bear, is targeting healthcare organizations, pharma firms, and research entities in the United States, United Kingdom, and Canada and is attempting to steal COVID-19 research data and information about vaccine development.

On July 16, 2020, a joint advisory was issued by the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), UK National Cyber Security Centre (NCSC), Canada’s Communications Security Establishment (CSE), and the National Security Agency (NSA) to raise awareness of the threat.

APT29 is a cyber espionage group that is almost certainly part of the Russian intelligence services. The group primarily targets government entities, think-tanks, and diplomatic and energy targets in order to steal sensitive data. The group has been highly active during the COVID-19 pandemic and has conducted multiple attacks on entities involved in COVID-19 research and vaccine development.

The group conducts widespread scanning to identify unpatched vulnerabilities and uses publicly available exploits to gain a foothold in vulnerable systems. The group has successfully used exploits for the Citrix vulnerability CVE-2019-19781, the Pulse Secure vulnerability CVE-2019-11510, the FortiGate vulnerability CVE-2019-13379 and the Zimbra vulnerability CVE-2019-9670. Other exploits may also be used by the group.

APT29 uses a variety of tools to obtain access credentials and achieve persistent access to systems, and uses anonymizing services when using stolen credentials. APT29 is using custom malware variants to attack organizations, including WellMess and WellMail, two malware variants that have not previously been used by APT29.

WellMess is a lightweight malware variant written in Golang or .NET that can execute arbitrary shell commands and upload and download files, and uses HTTP, TLS and DNS for communication. WellMail is a lightweight tool that uses hard-coded client and certificate authority TLS certificates to communicate with C2 servers. A third malware variant, named SoreFang, is also being used. SoreFang is a first-stage downloader that exfiltrates data via HTTP and downloads a second-stage malware. The malware is used to target SangFor devices.

Attacks on organizations involved in COVID-19 research are likely to continue and any organization involved in COVID-19 research should consider itself a target. Organizations have been advised to take steps to secure their systems and monitor for attacks.

Organizations should ensure that all software is patched and up to date, and the patches for CVE-2019-19781, CVE-2019-11510, CVE-2019-13379 and CVE-2019-9670 should be prioritized. Antivirus software should be used and kept up to date, and regular scans should be conducted to identify downloaded malware variants.

Multi-factor authentication should be implemented to prevent stolen credentials from being used to gain access to systems. All staff should be educated about the threat from phishing and all employees should be confident in their ability to identify a phishing attack. All staff should be instructed to report any suspected phishing attacks to their security teams and reports should be investigated promptly and thoroughly.

Organizations have been advised to set up a security monitoring system to ensure that all necessary data is collected to support investigations into network intrusions. Networks should be segmented, and steps taken to prevent and detect lateral movement within networks.

The post Russian APT Group is Targeting Organizations Involved in COVID-19 Research appeared first on HIPAA Journal.

Vulnerability Identified in Capsule Technologies SmartLinx Neuron 2 Medical Information Collection Devices

A high severity flaw has been identified in Capsule Technologies SmartLinx Neuron 2 medical information collection devices running version 6.9.1 of the software. SmartLinx Neuron 2 is a bedside mobile clinical computer that automatically collects vital signs data and connects to hospitals’ medical device information systems.

The flaw, tracked as CVE-2019-5024, is a restricted environment escape vulnerability due to the failure of a protection mechanism in kiosk mode. The flaw is present in all versions of Capsule Technologies SmartLinx Neuron 2 prior to version 9.0.

Kiosk mode is a restricted environment that prevents users from exiting the running applications and accessing the underlying operating system. By exploiting the flaw, an attacker can exit kiosk mode and access the underlying operating system with full administrative rights. That could allow the attacker to gain full control of a trusted device on the hospital’s internal network.

To exploit the flaw an attacker would need to have physical access to the device. The flaw could be exploited by connecting to the device through a USB port using a keyboard or other HID device. The flaw can be triggered using a specific series of keyboard inputs or, alternatively, by programming a USB Rubber Ducky with code that mimics human keyboard input.

The flaw was identified by Patrick DeSantis of Cisco Talos who reported the vulnerability to Capsule Technologies. The flaw requires a low level of skill to exploit and public exploits for the flaw are in the public domain. The flaw has been assigned a CVSS v3 base score of 7.6 out of 10.

The flaw was identified in an unsupported version of the software, but that version is currently in use in many hospitals. Capsule Technologies has corrected the flaw in version 9.0 and above – the current version is 10.1.

All users of the devices have been advised to update to supported versions of the software – version 9.0 or a later version. Physical access to the devices should be restricted as far as is possible and they should remain outside of the organization’s security perimeter. It is also important to ensure that the devices are not implicitly trusted by internal systems. If possible, the USB ports should be disabled or obstructed, and logs should be checked to identify the use of any unauthorized peripherals on vulnerable devices.

Microsoft Releases Patch to Correct Critical Wormable Windows DNS Server Vulnerability

Microsoft has released a patch to correct a 17-year-old wormable remote code execution vulnerability in Windows DNS Server. The flaw can be exploited remotely, requires little skill to exploit, and could allow an attacker to take full control of an organization’s entire IT infrastructure.

The vulnerability, CVE-2020-1350, was discovered by security researchers at Check Point who named the flaw SIGRed. The vulnerability is present on all Windows Server versions from 2003 to 2019 and has been assigned the maximum CVSS v3 score of 10 out of 10. The flaw is wormable, which means an attacker could exploit the vulnerability on all vulnerable servers on the network after an initial attack, with no user interaction required.

The flaw is due to how the Windows Domain Name System servers handle requests and affects all Windows servers that have been configured as DNS servers. The flaw can be exploited remotely by sending a specially crafted request to the Windows DNS Server.

DNS serves as a phone book for the internet and is used to link an IP address to a domain name, which allows that resource to be located. When a query is sent to the Windows DNS Server, if the query cannot be answered locally it is forwarded to one of the 13 root DNS servers that have the information needed to answer the query and locate the resource.

The Check Point researchers demonstrated they could change the DNS server to which the query is sent and get the vulnerable Windows DNS server to parse responses from a name server under their control. They then sent a response that allowed them to exploit the vulnerability – sending a DNS response that contained a larger than expected SIG record. By doing so, they were able to trigger a heap-based buffer overflow and gain domain administrator rights over the server, which would allow a full takeover of the organization’s IT infrastructure.

The researchers also showed how a local attack could be performed by convincing a user to click a link in a phishing email. They were able to replicate the attack remotely as well, by smuggling DNS inside HTTP requests using Microsoft Explorer and Microsoft Edge browsers.

While there are currently no known cases of exploitation of the flaw in the wild, the vulnerability will be attractive to hackers given the number of organizations affected and the severity of the flaw. An attacker would be able to run arbitrary code in the context of the local system account and take full control of the server, then use it as a distribution point to attack all other vulnerable servers and spread malware. Exploitation of the vulnerability is therefore likely, so immediate patching is required.

If it is not possible to apply the patch immediately, a workaround is available that will prevent the flaw from being exploited until the patch can be applied. This involves making a change to the registry which will prevent the Windows DNS Server from responding to inbound TCP-based DNS response packets above the maximum allowed size, thus preventing exploitation of the vulnerability.

At Least 41 Healthcare Providers Experienced Ransomware Attacks in the First Half of 2020

The New Zealand-based cybersecurity firm Emsisoft has released ransomware statistics for 2020 that show there have been at least 41 successful ransomware attacks on hospitals and other healthcare providers in the first half of the year.

There were 128 successful ransomware attacks on federal and state entities, healthcare providers, and educational institutions in the first 6 months of 2020, with the healthcare industry accounting for 32% of those attacks.

The large number of ransomware attacks in 2020 follows a spike in attacks in late 2019. 2019 saw more than double the number of ransomware attacks of 2018, and attacks on healthcare providers increased by 350% in the final quarter of 2019. Across all industry sectors, 966 entities were successfully attacked with ransomware in 2019, and those attacks are estimated to have cost $7.5 billion.

2020 started badly for the healthcare industry with 10 successful ransomware attacks on healthcare providers in January, followed by a further 16 successful ransomware attacks in February. There was a marked decrease in attacks in March as COVID-19 spread throughout the United States. Three successful ransomware attacks were reported by healthcare providers in March and April and a further 4 attacks in May. While it is certainly good news that the number of successful attacks has declined as the year has progressed, the figures do not indicate any lowering of risk. The number of successful attacks has declined, but the number of attempted attacks has remained fairly constant. Emsisoft has predicted an increase in ransomware attacks on healthcare providers over the summer, as often happens at this time of year. Employees are also starting to return to the office. Ransomware attacks decreased as the COVID-19 pandemic hit the United States, but Emsisoft has started to see attacks increase once again.

One in Ten Ransomware Attacks See Data Stolen Prior to Encryption

Several threat actors are now conducting double extortion attacks, where data is stolen before the ransomware payload is deployed. The Maze ransomware gang was the first to start stealing data and issuing threats to publish the files if the ransom is not paid. The gang followed through on the threat and started publishing data on its website in November 2019. Several other ransomware gangs have also adopted similar tactics, including REvil/Sodinokibi, DoppelPaymer, and NetWalker.

With these groups, ransomware is often deployed many days, weeks, or even months after the initial system breach. During that time, the attackers move laterally to gain access to as many devices as possible and then time their attacks to cause maximum disruption. It is likely that several healthcare providers have already had their systems compromised, but the ransomware has not yet been deployed.

These prolific ransomware gangs have concentrated their attacks on entities in sectors that have the most to lose from the publication or sale of their data, including legal firms, healthcare providers, and firms in the financial sector. These attacks often make headline news, but they only account for around 1 in 10 successful ransomware attacks. From January 1, 2020 to June 30, 2020, ID Ransomware received 100,001 submissions about ransomware attacks and only around 11% – 11,642 submissions – involved ransomware variants used by groups known to steal data prior to encrypting files.

Emsisoft notes however that while several ransomware gangs alert the victim to the theft of their data to increase the probability of the ransom being paid, other ransomware gangs are likely to covertly steal data.

“All ransomware groups have the ability to exfiltrate data. While some groups overtly steal data and use the threat of its release as additional leverage to extort payment, other groups likely covertly steal it,” explained Emsisoft. “While groups that steal covertly may not exfiltrate as much data as groups seeking to use it as leverage, they may well extract any data that has an obvious and significant market value or which can be used to attack other organizations.”

Ransomware Prevention and Damage Limitation

As long as ransomware attacks remain profitable and relatively low risk, the attacks will continue. Healthcare organizations therefore need to take steps to improve their defenses against attacks. To prevent attacks and limit the harm caused if they are successful, Emsisoft recommends healthcare organizations should patch promptly, limit admin rights, use multi-factor authentication, disable PowerShell when not needed, use web and email filtering, segment the network, and disable RDP if it is not being used… and lock it down if it is. Employees should be provided with regular security awareness training and all vendors that have access to healthcare systems should be audited to make sure they are adhering to best practices.

FBI and CISA Issue Joint Alert About Threat of Malicious Cyber Activity Through Tor

A joint alert was recently issued by the FBI and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) regarding cybercriminals’ use of The Onion Router (Tor) in cyberattacks.

Tor is free, open source software that was developed by the U.S. Navy in the mid-1990s. Today, Tor is used to browse the internet anonymously. When using Tor, internet traffic is encrypted multiple times and routed through a series of nodes along a random path to the destination server. When a user is connected to the Tor network, their online activity cannot easily be traced back to their IP address. When a Tor user accesses a website, the IP address of the exit node is recorded rather than the user’s own IP address.

Unsurprisingly, given the level of anonymity provided by Tor, it has been adopted by many threat actors to hide their location and IP address and conduct cyberattacks and other malicious activities anonymously. Cybercriminals are using Tor to perform reconnaissance on targets, conduct cyberattacks, view and exfiltrate data, deploy malware and ransomware, and conduct Denial of Service (DoS) attacks. According to the alert, cybercriminals are also using Tor to relay commands to malware and ransomware through their command and control (C2) servers.

Since malicious activities can be conducted anonymously, it is hard for network defenders to respond to attacks and perform system recovery. CISA and the FBI recommend that organizations conduct a risk assessment to identify their risk of compromise via Tor. The risk related to Tor will be different for each organization so an assessment should determine the likelihood of an attack via Tor, and the probability of success given the mitigations and security controls that have been put in place. Before a decision can be made about whether to block Tor traffic, it is important to assess the reasons why legitimate users may be choosing to use Tor to access the network. Blocking Tor traffic will improve security but will also block legitimate users of Tor from accessing the network.

CISA and the FBI warn that Tor has been used in the past by a range of different threat actors, from nation-state sponsored Advanced Persistent Threat (APT) actors to individual, low skill hackers. Organizations that do not take steps to either block inbound and outbound traffic via Tor, or monitor traffic from Tor nodes closely, will be at a heightened risk of being attacked.

In these attacks, reconnaissance is conducted, targets are selected, and active and passive scans are performed to identify vulnerabilities in public-facing applications that can then be exploited anonymously. Standard security tools are not sufficient to detect and block these attacks; instead, a range of security solutions needs to be implemented, and logging should be enabled so that potentially malicious activity can be analyzed using both indicator-based and behavior-based approaches.

“Using an indicator-based approach, network defenders can leverage security information and event management (SIEM) tools and other log analysis platforms to flag suspicious activities involving the IP addresses of Tor exit nodes,” according to the report. A list of all Tor exit node IP addresses is maintained by the Tor Project’s Exit List Service, and this list can be downloaded. Security teams can use the list to identify any substantial transactions associated with those IP addresses by analyzing their netflow, packet capture (PCAP), and web server logs.
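As an added example, not code from the HIPAA Journal post or from the FBI/CISA alert, the following Python applies the indicator-based approach described above to web server logs: it loads an exit-node list, matches each access-log entry’s source address against it, and summarizes request counts, bytes served, authentication failures and unusually large responses per exit node. The exit-node list and log lines are constructed sample data (documentation-range addresses), and the one-million-byte threshold for a “large” response is an arbitrary assumption to tune per site.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the one-address-per-line format of the Tor Project's
# exit list; NOT the real list, which must be downloaded from the Exit List Service.
EXIT_LIST_TEXT = """\
# constructed sample exit list
198.51.100.7
203.0.113.42
not-an-ip
"""

# Constructed combined-format web server log lines (documentation-range addresses).
SAMPLE_LOG = """\
198.51.100.7 - - [17/Jul/2020:10:01:12 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [17/Jul/2020:10:01:15 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jul/2020:10:01:20 +0000] "POST /login HTTP/1.1" 401 128 "-" "curl/7.68.0"
203.0.113.42 - - [17/Jul/2020:10:02:00 +0000] "GET /export/patients.csv HTTP/1.1" 200 5242880 "-" "python-requests/2.23"
198.51.100.7 - - [17/Jul/2020:10:02:05 +0000] "GET /wp-login.php HTTP/1.1" 404 64 "-" "Mozilla/5.0"
garbage line that does not parse
"""

# Combined log format: client ip, ident, user, [timestamp], "METHOD path proto", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def load_exit_nodes(text):
    """Parse exit-list text into a set of ip_address objects. Comment and
    malformed lines are skipped so one bad line does not drop the whole feed."""
    nodes = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nodes.add(ipaddress.ip_address(line))
        except ValueError:
            continue
    return nodes


def parse_log_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ip"] = ipaddress.ip_address(rec["ip"])
    except ValueError:
        return None
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def summarize_tor_activity(log_text, exit_nodes, large_response=1_000_000):
    """Aggregate requests whose source is a known Tor exit node: request count,
    bytes served, auth failures (401/403) and paths of unusually large responses.
    large_response is an assumed threshold, not a value from the alert."""
    per_ip = defaultdict(lambda: {"requests": 0, "bytes": 0, "failures": 0, "large": []})
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["ip"] not in exit_nodes:
            continue
        s = per_ip[str(rec["ip"])]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        if rec["status"] in (401, 403):
            s["failures"] += 1
        if rec["bytes"] >= large_response:
            s["large"].append(rec["path"])
    return dict(per_ip)


if __name__ == "__main__":
    nodes = load_exit_nodes(EXIT_LIST_TEXT)
    for ip, s in summarize_tor_activity(SAMPLE_LOG, nodes).items():
        print(f"{ip}: {s['requests']} requests, {s['bytes']} bytes, "
              f"{s['failures']} auth failures, large responses: {s['large']}")
```

In a SIEM the same join is done between the exit-node list and the log source; the per-node summary is what an analyst would triage, with large exports from an exit node being the first thing to look at.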

“Using a behavior-based approach, network defenders can uncover suspicious Tor activity by searching for the operational patterns of Tor client software and protocols,” such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports.

“Organizations should research and enable the pre-existing Tor detection and mitigation capabilities within their existing endpoint and network security solutions, as these often employ effective detection logic. Solutions such as web application firewalls, router firewalls, and host/network intrusion detection systems may already provide some level of Tor detection capability,” suggest the FBI and CISA.

While it is possible to reduce risk by blocking all Tor web traffic, this highly restrictive approach will not totally eliminate risk, as not all Tor network access points are listed publicly. This approach will also block legitimate Tor traffic. Tailored monitoring, analysis, and blocking of web traffic to and from public Tor entry and exit nodes may be a better solution, although this approach is likely to be resource intensive.

Details of how to block, monitor and analyze Tor traffic are provided in the alert, a PDF copy of which is available for download here.

Microsoft Shuts Down COVID-19 Phishing Campaign and Warns of Malicious OAuth Apps

A large-scale phishing campaign conducted in 62 countries has been shut down by Microsoft. The campaign was first identified by Microsoft’s Digital Crimes Unit (DCU) in December 2019. The phishing campaign targeted businesses and was conducted to obtain Office 365 credentials. Those credentials were then used to access victims’ accounts to obtain sensitive information and contact lists. The accounts were then used for business email compromise (BEC) attacks to obtain fraudulent wire transfers and redirect payroll.

Initially, the emails used in the campaign appeared to have been sent by an employer and contained business-related reports with a malicious email attachment titled Q4 Report – Dec19. Recently, the phishing campaign changed and the attackers switched to COVID-19 lures to exploit financial concerns related to the pandemic. One of the lures used the term “COVID-19 bonus” to get victims to open malicious email attachments or click malicious links.

When the email attachments were opened or links clicked, users were directed to a webpage hosting a malicious application. The web apps closely resemble legitimate web apps that are often used by businesses to improve productivity and security and support remote workers. Users were requested to grant Office 365 OAuth applications access to their Office 365 accounts.

When permission was granted, the attackers obtained access and refresh tokens that allowed them to gain access to the victims’ Office 365 accounts. In addition to gaining access to contact lists, emails, attachments, notes, tasks, and profiles, they also had access to the SharePoint document management system and OneDrive for Business, and any files in those cloud storage accounts.

Microsoft implemented technical measures to block the phishing emails and filed a civil case in the U.S. District Court for the Eastern District of Virginia to obtain a court order to seize six domains being used by the scammers to host the malicious apps. Recently, the court order was obtained and Microsoft has now disabled the domains. Without access to their infrastructure, the cybercriminals are no longer able to conduct cyberattacks. The campaign is believed to be the work of a cybercriminal organization rather than a nation state-sponsored group.

“This unique civil case against COVID-19-themed BEC attacks has allowed us to proactively disable key domains that are part of the criminals’ malicious infrastructure, which is a critical step in protecting our customers,” explained Microsoft.

Microsoft also shared best practices to help organizations to improve defenses against phishing and BEC attacks. The first step to take is to enable multifactor authentication on all email accounts, both business and personal. Businesses should provide training to employees to teach them how to identify phishing and BEC attacks and security alerts should be enabled for suspicious links and files.

Any email forwarding rules should be checked to identify suspicious activity, and organizations should educate staff on how Microsoft permissions and the consent framework work. Audits should be conducted on apps and consent permissions to ensure that applications are only granted access to the data they need.

NSA Issues Guidance on Securing IPsec Virtual Private Networks

The U.S. National Security Agency (NSA) has issued guidance to help organizations secure IP Security (IPsec) Virtual Private Networks (VPNs), which are used to allow employees to securely connect to corporate networks to support remote working.

While IPsec VPNs can ensure sensitive data in traffic is protected against unauthorized access through the use of cryptography, if IPsec VPNs are not correctly configured they can be vulnerable to attack. During the pandemic, many organizations have turned to VPNs to support their remote workforce and the large number of employees working remotely has made VPNs a key target for cybercriminals. Many attacks have been performed on vulnerable VPNs and flaws and misconfigurations have been exploited to gain access to corporate networks to steal sensitive information and deploy malware and ransomware.

The NSA warns that maintaining a secure VPN tunnel can be complex and regular maintenance is required. As with all software, regular software updates are required. Patches should be applied on VPN gateways and clients as soon as possible to prevent exploitation. It is also important for default VPN settings to be changed. Default credentials are publicly available and can be used by malicious actors to login and gain a foothold in the network.

Admins need to take steps to reduce the VPN gateway attack surface. Since VPNs are often accessible from the internet, they can be prone to brute force attacks, network scanning, and zero-day vulnerabilities. To reduce risk, admins should apply filtering rules to restrict ports, protocols, and IP addresses of network traffic to VPN devices. If it is not possible to restrict access, an intrusion prevention system should be implemented in front of the gateway to monitor for malicious traffic and inspect IPsec session negotiations.

IPsec VPN configurations require an Internet Security Association and Key Management Protocol (ISAKMP) or Internet Key Exchange (IKE) policy, along with an IPsec policy. It is important that ISAKMP/IKE and IPsec policies do not allow obsolete cryptographic algorithms. If these weak algorithms are permitted, the VPN is placed at risk: a downgrade attack could be performed in which the VPN is forced to use non-compliant or weak cryptographic suites. The NSA notes that extra ISAKMP/IKE and IPsec policies are often incorporated by default.

Organizations should check CNSSP and NIST guidance on the latest cryptographic requirements and standards and ensure that these cryptographic algorithms are being used.

The NSA guidance on securing IPsec VPNs can be found here.

Serious Vulnerabilities Identified in Apache Guacamole Remote Access Software

Several vulnerabilities have been identified in the remote access system, Apache Guacamole. Apache Guacamole has been adopted by many companies to allow administrators and employees to access Windows and Linux devices remotely. The system has proven popular during the COVID-19 pandemic for allowing employees to work from home and connect to the corporate network. Apache Guacamole is also embedded into many network accessibility and security products such as Fortress, Quali, and Fortigate and is one of the most prominent tools on the market with more than 10 million Docker downloads.

Apache Guacamole is a clientless solution, meaning remote workers do not need to install any software on their devices. They can simply use a web browser to access their corporate device. System administrators only need to install the software on a server. Depending on how the system is configured, a connection is made using SSH or RDP with Guacamole acting as an intermediary between the browser and the device the user wants to connect to, relaying communications between the two.

Check Point Research evaluated Apache Guacamole and found several reverse RDP vulnerabilities in Apache Guacamole 1.1.0 and earlier versions, and a similar vulnerability in FreeRDP, Apache’s free implementation of RDP. The vulnerabilities could be exploited by remote attackers to achieve code execution, allowing them to hijack servers and intercept sensitive data by eavesdropping on conversations on remote sessions. The researchers note that in a situation where virtually all employees are working remotely, exploitation of these vulnerabilities would be akin to gaining full control of the entire organizational network.

According to Check Point Research, the flaws could be exploited in two ways. If an attacker already has a foothold in the network and has compromised a desktop computer, the vulnerabilities could be exploited to attack the Guacamole gateway when a remote worker attempts to log in and access the device. The attacker could then take full control of the gateway and any remote connections. The flaws could also be exploited by a malicious insider to gain access to the computers of other workers in the organization.

The vulnerabilities could allow Heartbleed-style information disclosure, as was demonstrated by the researchers, and also allow read and write access to the vulnerable server. The researchers chained the vulnerabilities together, elevated privileges to admin, then achieved remote code execution. The vulnerabilities, grouped together under the CVEs CVE-2020-9497 and CVE-2020-9498, were reported to the Apache Software Foundation and patches were released on June 28, 2020.

The researchers also found the vulnerability CVE-2018-8786 in FreeRDP could also be exploited to take control of the gateway. All versions of FreeRDP prior to January 2020 – version 2.0.0-rc4 – are using vulnerable versions of FreeRDP with the CVE-2020-9498 vulnerability.

All organizations that have adopted Apache Guacamole should ensure they have the latest version of Apache Guacamole installed on their servers.

Serious Vulnerabilities identified in the OpenClinic GA Integrated Hospital Information Management System

Twelve vulnerabilities have been identified in OpenClinic GA, an open source integrated hospital information management system.

OpenClinic GA is used by many hospitals and clinics for the management of administrative, financial, clinical, lab and pharmacy workflows, and is used for bed management, medical billing, ward management, in-patient and out-patient management, and other hospital management functions.

Brian D. Hysell has been credited with finding the vulnerabilities, three of which are rated critical and six of which are rated high severity. Exploitation of the vulnerabilities could allow an attacker to bypass authentication, gain access to restricted information, view or manipulate database information, and remotely execute malicious code.

The vulnerabilities require a low level of skill to exploit, several can be exploited remotely, and there are public exploits for some of the flaws. The vulnerabilities have been assigned CVSS v3 base scores ranging from 5.4 to 9.8.

The flaws were identified in OpenClinic GA Versions 5.09.02 and 5.89.05b.

The most serious flaws include:

CVE-2020-14495 – The use of third-party components that have reached end of life and contain known vulnerabilities, which could potentially lead to remote execution of arbitrary code – CVSS v3 9.8 – Critical

CVE-2020-14487 – A hidden default user account could be used by an attacker to log in to the system and execute arbitrary commands, unless the account has been expressly turned off by an administrator – CVSS v3 9.4 – Critical

CVE-2020-14485 – Client-side access controls could be bypassed to initiate a session with limited functionality, which could allow admin functions, such as SQL commands, to be executed – CVSS v3 9.4 – Critical

CVE-2020-14493 – Low privileged users could use SQL syntax to write arbitrary files to the server and execute arbitrary commands – CVSS v3 8.8 – High Severity

CVE-2020-14488 – A lack of verification of uploaded files could allow a low privilege user to upload and execute arbitrary files on the system – CVSS v3 8.8 – High Severity

Further information on the vulnerabilities can be found in the CISA medical advisory.

OpenClinic GA has been made aware of the vulnerabilities and steps are being taken to correct the flaws, but no confirmation has been issued as to whether the flaws have been corrected.

All healthcare organizations that use OpenClinic GA have been advised to ensure that the software is updated to the latest version to reduce the risk of exploitation and to ensure the software is kept up to date.

CISA recommends applying the principle of least privilege, minimizing network exposure for control system devices/systems, and ensuring the system is not accessible over the internet. All systems should be located behind a firewall, and if remote access is required, access should require a VPN. VPNs should be updated to the latest version and patches applied promptly.
