Cisco Firepower Threat Defense Software Signature Verification Bypass Vulnerability

A vulnerability in the Image Signature Verification feature of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker with administrator-level credentials to install a malicious software patch on an affected device.

The vulnerability is due to improper verification of digital signatures for patch images. An attacker could exploit this vulnerability by crafting an unsigned software patch to bypass signature checks and loading it on an affected device. A successful exploit could allow the attacker to boot a malicious software patch image.

Cisco has released software updates that address the vulnerability described in this advisory. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sigbypass-FcvPPCeP

Security Impact Rating: Medium

CVE: CVE-2020-3308


Symantec Endpoint Protection 14.2.1.1 (14.2 RU1 MP1) doesn’t patch to 14.2.2.0 (14.2 RU2)


Hello,

I wanted to update my Symantec 14 to 14.2 RU2. The starting version was 14.0.1 because I’m using Windows 10 64bit. I successively updated to newer versions which was successful till version 14.2.1.1 (14.2 RU1 MP1) 14.2.4814.1101 but when I run the patch to update to the newest version, hence, 14.2.2.0 (14.2 RU2) 14.2.5323.2000, it doesn’t work. The SEP_INST_PATCH.log shows the following output:

01/09 09:04:49.949 [ec]  SymDelta FileVersion: 14.0.0.0
 Log initialized: LogLevel=4 Log, Size=2097152, RotationCount=2
01/09 09:04:49.965 [ec]  (SymDelta::CSymDelta::invokeUnzip)  Inflating…\?C:UsersxxxAppDataLocalTemppft34D4.tmpPatch.dax
01/09 09:04:50.684 [ec]  (SymDelta::CSymDelta::invokeUnzip)     UnZipTask took (milliseconds): 703
01/09 09:04:50.684 [ec]  (SymDelta::CSymDelta::PerformApplyDelta) Performing [ XDELTA3 – Apply Delta ]
01/09 09:04:50.699 [ec]  (SymDelta::CXDeltaTool::Apply) Dir: \?C:ProgramDataSymantecSymantec Endpoint Protection14.2.4814.1101.105DataCached Installs
01/09 09:04:50.699 [ec]  (ApplyPackage) Apply package command line: “DummyXdeltaPath” -d -s %src% %patch% %out%
01/09 09:04:50.699 [121fc]  (LaunchXDeltaInternalAndWait) Launching: “DummyXdeltaPath” -d -s “\?C:ProgramDataSymantecSymantec Endpoint Protection14.2.4814.1101.105DataCached InstallsSetup.exe” “C:UsersxxxAppDataLocalTempSymDelta_65416Patch.dax.tmpSetup.exe.DIFF” “\?C:UsersxxxAppDataLocalTemppft34D4.tmpSmcLUSetup.exe”:
01/09 09:04:50.746 [121fc]  (LaunchXDeltaInternalAndWait) Launching: “DummyXdeltaPath” -d -s “\?C:ProgramDataSymantecSymantec Endpoint Protection14.2.4814.1101.105DataCached Installsdcsagent.cab” “C:UsersxxxAppDataLocalTempSymDelta_65416Patch.dax.tmpdcsagent.cab.DIFF” “\?C:UsersxxxAppDataLocalTemppft34D4.tmpSmcLUdcsagent.cab”:
01/09 09:04:50.949 [121fc]  (LaunchXDeltaInternalAndWait) Launching: “DummyXdeltaPath” -d -s “\?C:ProgramDataSymantecSymantec Endpoint Protection14.2.4814.1101.105DataCached InstallsSep64.msi” “C:UsersxxxAppDataLocalTempSymDelta_65416Patch.dax.tmpSep64.msi.DIFF” “\?C:UsersxxxAppDataLocalTemppft34D4.tmpSmcLUSep64.msi”:
01/09 09:04:51.152 [121fc]  (CDeltaApplyThread::run) 74236 \?C:ProgramDataSymantecSymantec Endpoint Protection14.2.4814.1101.105DataCached Installssep_NE.slf CRC match failed.
01/09 09:04:51.152 [ec]  (SymDelta::CXDeltaTool::Apply)     Return Code: 31
01/09 09:04:51.152 [ec]  (SymDelta::CSymDelta::processDirs) ApplyDelta Operation failed.

What’s the problem?

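The log above records a delta-patch apply (xdelta3 against the cached installer files of the installed version) that stops at a CRC mismatch. As an added example, not code from the original post or from Symantec, the parser below reads SEP_INST_PATCH.log lines in that format and pulls out the file that failed its CRC check, the xdelta return code and the failed operation; the sample log is constructed here with the path separators restored, since the quoted post lost its backslashes.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One SEP_INST_PATCH.log line: "MM/DD HH:MM:SS.mmm [thread]  (Component::func) message".
# The "(func)" part is optional; continuation lines (no timestamp) are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d\.\d{3}) \[(?P<tid>[0-9a-f]+)\]\s+"
    r"(?:\((?P<func>[^)]+)\)\s*)?(?P<msg>.*)$"
)
# "<internal code> <path> CRC match failed." from CDeltaApplyThread::run
CRC_RE = re.compile(r"^(?P<code>\d+) (?P<path>.+?) CRC match failed\.$")
RC_RE = re.compile(r"Return Code: (?P<rc>\d+)")

@dataclass
class Diagnosis:
    crc_failures: List[Tuple[str, int]] = field(default_factory=list)  # (path, internal code)
    return_code: Optional[int] = None   # xdelta tool return code, if reported
    failed_op: Optional[str] = None     # e.g. "ApplyDelta"

def diagnose(log_text: str) -> Diagnosis:
    """Walk the log and collect the first-failure details a support engineer needs."""
    diag = Diagnosis()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        func, msg = (m.group("func") or ""), m.group("msg").strip()
        crc = CRC_RE.match(msg)
        if crc:
            # A CRC mismatch on a "Cached Installs" file means the local base file
            # is not the one the delta was built against, so xdelta cannot apply it.
            diag.crc_failures.append((crc.group("path"), int(crc.group("code"))))
        rc = RC_RE.search(msg)
        if rc and func.endswith("CXDeltaTool::Apply"):
            diag.return_code = int(rc.group("rc"))
        if msg.endswith("Operation failed."):
            diag.failed_op = msg.split(" ", 1)[0]
    return diag

# Constructed sample in the same format as the post's log (paths with separators restored).
SAMPLE_LOG = r"""01/09 09:04:49.949 [ec]  SymDelta FileVersion: 14.0.0.0
 Log initialized: LogLevel=4 Log, Size=2097152, RotationCount=2
01/09 09:04:50.684 [ec]  (SymDelta::CSymDelta::PerformApplyDelta) Performing [ XDELTA3 - Apply Delta ]
01/09 09:04:50.699 [ec]  (SymDelta::CXDeltaTool::Apply) Dir: \\?\C:\ProgramData\Symantec\Symantec Endpoint Protection\14.2.4814.1101.105\Data\Cached Installs
01/09 09:04:51.152 [121fc]  (CDeltaApplyThread::run) 74236 \\?\C:\ProgramData\Symantec\Symantec Endpoint Protection\14.2.4814.1101.105\Data\Cached Installs\sep_NE.slf CRC match failed.
01/09 09:04:51.152 [ec]  (SymDelta::CXDeltaTool::Apply)     Return Code: 31
01/09 09:04:51.152 [ec]  (SymDelta::CSymDelta::processDirs) ApplyDelta Operation failed.
"""
```

Running `diagnose(SAMPLE_LOG)` reports sep_NE.slf as the file whose cached copy no longer matches the delta's expected base, which is the file to compare against a clean install of 14.2.4814.1101 before retrying the patch.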


Microsoft Releases November 2019 Windows 10 Patch Which Fixes 74 Flaws

  • The November Windows patch is out, and it comes with a large number of critical fixes.
  • All users are urged to update immediately, as the patch covers a wide range of software tools and products.
  • Some known minor issues accompany this update as always, but there are workarounds.

Microsoft has just released a pretty comprehensive patch for Windows 10, bringing 74 fixes, 13 of which address critical remote code execution (RCE) flaws. The software covered this time ranges from the OS core and the Edge browser to Azure Stack, Visual Studio, and Exchange Server. All Windows 10 users will see the update in their Settings menu, and everyone is advised to apply the patches as soon as possible, as they will help you stay safe and secure against a wide variety of threats.

More specifically, here are the most critical flaws that were fixed this time:

  • Hyper-V arbitrary code execution and failure to validate input from guest OSes (CVE-2019-0721, CVE-2019-1389, CVE-2019-1397, and CVE-2019-1398)
  • Microsoft Exchange RCE flaw (CVE-2019-1373)
  • SharePoint server information disclosure flaw (CVE-2019-1443)
  • Windows TCP/IP improper IPv6 packet handling (CVE-2019-1324)
  • Windows Graphics Device Interface information disclosure flaw (CVE-2019-1439)
  • Windows Graphics Component privilege elevation vulnerabilities (CVE-2019-1407 and CVE-2019-1433)
  • Microsoft Office for Mac inability to disable macros properly (CVE-2019-1457)
  • VBScript remote code execution vulnerability (CVE-2019-1390)
  • Microsoft Scripting Engine memory corruption flaws (CVE-2019-1426, CVE-2019-1427, CVE-2019-1428, and CVE-2019-1429)

The rest of the patches concern “important” level flaws, so they are also crucial in several use-case scenarios. For example, CVE-2019-1020 is a bypass vulnerability in the Windows secure boot process, allowing an attacker to load malicious software via a third-party bootloader. With the latest patch, this threat has been blocked.

Remember, if you’re using a security solution, it will get updated with new rules to cover the disclosed vulnerabilities. However, applying the OS updates should be an absolute priority in order to defend from any form of known exploitation methods. Moreover, Microsoft delivers Windows updates in a cumulative form, so you will also get other optimizations and improvements bundled with the security fixes.

Applying this update may cause a number of side-effects which Microsoft describes in its “known issues” section. For example, Exchange Server may greet you with a “File failed to upload” error when trying to save files to a network location, and the Exchange services may remain in a disabled state. OOBE (Out of Box Experience) may also have problems creating a local user through an IME (Input Method Editor). Finally, renaming files and folders on a CSV (Cluster Shared Volume) may fail with the following error: “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. For most of these, there are workarounds provided by Microsoft.

Are you applying these monthly patches immediately, or do you instead do it whenever you have the time? Let us know in the comments down below, or on our socials, on Facebook and Twitter.


Patch Tuesday, November 2019 Edition

Microsoft today released updates to plug security holes in its software, including patches to fix at least 74 weaknesses in various flavors of Windows and programs that run on top of it. The November updates include patches for a zero-day flaw in Internet Explorer that is currently being exploited in the wild, as well as a sneaky bug in certain versions of Office for Mac that bypasses security protections and was detailed publicly prior to today’s patches.

More than a dozen of the flaws tackled in this month’s release are rated “critical,” meaning they involve weaknesses that could be exploited to install malware without any action on the part of the user, except for perhaps browsing to a hacked or malicious Web site or opening a booby-trapped file attachment.

Perhaps the most concerning of those critical holes is a zero-day flaw in Internet Explorer (CVE-2019-1429) that has already seen active exploitation. Today’s updates also address two other critical vulnerabilities in the same Windows component that handles various scripting languages.

Microsoft also fixed a flaw in Microsoft Office for Mac (CVE-2019-1457) that could allow attackers to bypass security protections in some versions of the program that could let malicious macros through.

Macros are bits of computer code that can be embedded into Office files, and malicious macros are frequently used by malware purveyors to compromise Windows systems. Usually, this takes the form of a prompt urging the user to “enable macros” once they’ve opened a booby-trapped Office document delivered via email. Thus, Office has a feature called “disable all macros without notification.”

But Microsoft says all versions of Office still support an older type of macros that do not respect this setting, and can be used as a vector for pushing malware. Will Dormann of CERT/CC reports that while Office 2016 and 2019 for Mac will still prompt the user before executing these older macro types, Office for Mac 2011 fails to warn users before opening them.

Other Windows applications or components receiving patches for critical flaws today include Microsoft Exchange and Windows Media Player. In addition, Microsoft also patched nine vulnerabilities — five of them critical — in Windows Hyper-V, an add-on to the Windows Server OS (and Windows 10 Pro) that allows users to create and run virtual machines (other “guest” operating systems) from within Windows.

Although Adobe typically issues patches for its Flash Player browser component on Patch Tuesday, this is the second month in a row that Adobe has not released any security updates for Flash. However, Adobe today did push security fixes for a variety of its creative software suites, including Animate, Illustrator, Media Encoder and Bridge. Also, I neglected to note last month that Adobe released a critical update for Acrobat/Reader that addressed at least 67 bugs, so if you’ve got either of these products installed, please be sure they’re patched and up to date.

Finally, Google recently fixed a zero-day flaw in its Chrome Web browser (CVE-2019-13720). If you use Chrome and see an upward-facing arrow to the right of the address bar, you have an update pending; fully closing and restarting the browser should install any available updates.

Now seems like a good time to remind all you Windows 7 end users that Microsoft will cease shipping security updates after January 2020 (this end-of-life also affects Windows Server 2008 and 2008 R2). While businesses and other volume-license purchasers will have the option to pay for further fixes after that point, all other Windows 7 users who want to stick with Windows will need to consider migrating to Windows 10 soon.

Standard heads-up: Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. To get there, press the Windows key on your keyboard and type “windows update” into the box that pops up.

Keep in mind that while staying up-to-date on Windows patches is a good idea, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re probably not freaking out when the odd buggy patch causes problems booting the system. So do yourself a favor and back up your files before installing any patches.

As ever, if you experience glitches or problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a decent chance other readers have experienced the same and may even chime in here with some helpful tips.

Tags: adobe, CVE-2019-1429, CVE-2019-1457, Internet Explorer zero-day, macros, microsoft, Office for Mac, Windows 7 end-of-life

This entry was posted on Tuesday, November 12th, 2019 at 5:04 pm and is filed under Time to Patch.


Hypervisor Security Update

Hotfixes have been released to address these issues. Citrix recommends that affected customers install these hotfixes as their patching schedules allow. The hotfixes can be downloaded from the following locations:

Citrix Hypervisor 8.0:

CTX262555 – https://support.citrix.com/article/CTX262555

CTX258428 – https://support.citrix.com/article/CTX258428

Citrix XenServer 7.6:

CTX262554 – https://support.citrix.com/article/CTX262554

CTX258425 – https://support.citrix.com/article/CTX258425

Citrix XenServer 7.1 LTSR CU2:

CTX262553 – https://support.citrix.com/article/CTX262553

CTX258424 – https://support.citrix.com/article/CTX258424

Citrix XenServer 7.0:

CTX258417 – https://support.citrix.com/article/CTX258417

CTX258423 – https://support.citrix.com/article/CTX258423


Update Task Disabled


If there’s a problem in Windows that’s preventing a patch from installing, once the source of the problem is resolved, should the agent retry deployment at my preset patch times? There was a cryptography issue with installing KB4489885 that affected a few of our desktops, so I’m checking on whether I need to take any kind of action in my SMC.

