SOFTWARE SECURITY
UPDATES

Published: July 29, 2020
Updated: September 10, 2020

VULNERABILITY SUMMARY

Eclypsium researchers have discovered a vulnerability — dubbed “BootHole” — in the GRUB2 bootloader configuration file utilized by most Linux systems that can be used to gain arbitrary code execution during the boot process, even when Secure Boot is enabled. Attackers exploiting this vulnerability can install persistent and stealthy bootkits or malicious bootloaders that could give them near-total control over the victim device.

This configuration file is an external file commonly located in the EFI System Partition and can therefore be modified by an attacker with administrator privileges without altering the integrity of the signed vendor shim and GRUB2 boot loader executables. This could allow an authenticated, local attacker to modify the contents of the GRUB2 configuration file to ensure that the attacker’s chosen code is run before the operating system is loaded.

The vulnerability affects systems using Secure Boot, even if they are not using GRUB2. Almost all signed versions of GRUB2 are vulnerable, meaning virtually every Linux distribution is affected. In addition, GRUB2 supports other operating systems, kernels and hypervisors. The problem also extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority. Thus the majority of laptops, desktops, servers and workstations are affected.

Vital Images is investigating this broad reaching vulnerability to define the scope of products affected and to determine a list of vendors providing relevant updates.

REFERENCES AND SERVICES:

System patching and mitigation guidance is provided by the following vendors:

HPE Servers:

HPE Security Bulletin: https://www.hpe.com/us/en/services/security-vulnerability.html

Impact statement: https://techhub.hpe.com/eginfolib/securityalerts/Boot_Hole/boot_hole.html

• A number of items need updating that are listed within the Impact statement. Such as firmware updates for HPE Service Pack for ProLiant (SPP) and HPE Intelligent Provisioning.

Secure Boot DBX Updater for Windows and UEFI: https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-a00105191en_us

HP Workstations:

HP Workstations Security Bulletin: https://support.hp.com/us-en/document/c06655639

HP Workstations Security Bulletin:  https://support.hp.com/us-en/document/c06707446

VMware:

VMware Bulletin: https://kb.vmware.com/s/article/80181

Dell Workstations:

Dell Security Bulletin:

https://www.dell.com/support/article/en-us/sln322283/dell-response-to-grub2-vulnerabilities-which-may-allow-secure-boot-bypass?lang=en

Additional Information:

https://www.dell.com/support/article/en-us/sln322287/additional-information-regarding-the-boothole-grub-vulnerability?lang=en

For more information and updates on the GRUB2 vulnerability, visit

NVD

https://nvd.nist.gov/vuln/detail/CVE-2020-10713

Carnegie Mellon

https://www.kb.cert.org/vuls/id/174059

RESOLUTION

Vital Images recommends installing the applicable patches related to your deployment as soon as possible.

Disclaimer: When following any of the links provided you will be leaving Vital Images’ website. Vital Images is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Vital Customer Success.

Published: August 11, 2020

Microsoft Corporation has announced an elevation of privilege vulnerability that exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol.

VULNERABILITY SUMMARY

CVE-2020-1472 is an elevation of privilege vulnerability that exsists in Windows’ Netlogon. An unauthenticated user could use MS-NRPC to connect to a domain controller as a domain administrator. An attacker who successfully exploits the vulnerability can run a specially crafted application on a device on the network.

Microsoft adds an important note to their advisory that this patch is the first of two patches to fix this vulnerability. The second patch is slated to be released in Q1 2021.

NOTE: Vital Images is aware of this critical vulnerability and we are in the process of testing our products in the context of the Phase 1 patch.

REFERENCES AND SERVICES:

Microsoft encourages administrators to review the following resource(s) and apply the necessary patches to affected systems for Phase 1 of the update:

Microsoft CVE-2020-1472

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

RESOLUTION
Vital Images strongly recommends installing vendor patches and updates as soon as possible.

Patches for all impacted versions can be found at the links in the References section above.

Disclaimer: When following any of the links provided you will be leaving Vital Images’ website. Vital Images is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Vital Customer Success.

Published: June 16, 2020

The Department of Homeland Security and CISA ICS-CERT issued a critical security advisory warning covering multiple newly discovered vulnerabilities affecting Internet-connected devices manufactured by multiple vendors.

VULNERABILITY SUMMARY

A networking stack is a software component that provides network connectivity over the standard internet protocols. In this specific case these protocols include ARP, IP (versions 4 and 6), ICMPv4, UDP and TCP communications protocols. The Treck networking stack is used across a broad range of industries (medical, government, academia, utilities, etc.), from a broad range of device manufacturers – a fact which enhances their impact and scope, as each manufacturer needs to push an update for their devices independently of all others.

The impact of these vulnerabilities will vary due to the combination of build and runtime options used while developing different embedded systems. This diversity of implementations and the lack of supply chain visibility has exasperated the problem of accurately assessing the impact of these vulnerabilities. In summary, a remote, unauthenticated attacker may be able to use specially-crafted network packets to cause a denial of service, disclose information, or execute arbitrary code.

NOTE: This is a hardware-centric suite of vulnerabilities. The “Ripple20” is not specific to Vital Images software.

NOTE: Vital Images has discovered that related vendor patching for this attack vector has extended beyond the 19 vulnerabilities identified in the original “Ripple 20” announcement by JSOF (see below).

REFERENCES AND SERVICES:

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and users and administrators to review the following resources and apply the necessary updates to affected systems:

JSOF’s original “Ripple 20” write up:

https://www.jsof-tech.com/ripple20/

Intel® CSME, SPS, TXE, AMT, ISM and DAL Advisory:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00295.html

Workstations:

The vulnerabilities in the Intel product flow downhill to the HP Inc and Dell workstations via the Intel Chipsets. Affected products can be found at the following locations:

HP Inc:

https://support.hp.com/us-en/document/c06655639

Dell Inc:

https://www.dell.com/support/article/en-us/sln321836/dell-response-to-the-ripple20-vulnerabilities?lang=en

https://www.dell.com/support/article/en-us/sln321723/june-2020-intel-platform-update-ipu-2020-1-impact-on-dell-and-dell-emc-products?lang=en

https://www.dell.com/support/article/en-us/sln321727/dsa-2020-143-dell-client-platform-security-update-for-intel-platform-updates-2020-1?lang=en

Servers:

HPE:

https://techhub.hpe.com/eginfolib/securityalerts/Ripple20/Ripple20.html

HPE – ProLiant Gen10 iLO 5 vulnerabilities.

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf04012en_us

No other hardware supported by Vital Images has been determined affected.

RESOLUTION
Vital Images strongly recommends installing the vendor patches and updates as soon as possible.

Patches for all impacted versions can be found at the links in the References section above.

Disclaimer: When following any of the links provided you will be leaving Vital Images’ website. Vital Images is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Vital Customer Success.

Published: March 11, 2020

Updated: March 12, 2020

Microsoft has released a security advisory ADV200005 and has published an update that includes the affected software versions as well as an appropriate patch for each.

Patches and affected software mapping can be found here CVE-2020-0796. You may also install the patch by running Windows Update.

VULNERABILITY SUMMARY

Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.

To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.

Microsoft will update its advisory listed above when further updates are available.

REFERENCES

MITRE is tracking this vulnerability as CVE-2020-0796.

RESOLUTION

Vital Images strongly recommends installing this patch as well as all security patches provided by Microsoft.

Disclaimer: When following any of the links provided you will be leaving Vital Images’ website. Vital Images is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Vital Customer Success.

Published: January 19, 2020

Microsoft has released a security advisory (ADV200001) that currently only includes workarounds and mitigations that can be applied in order to safeguard vulnerable systems from attacks. At the time of writing, there is no patch yet available for this issue. Microsoft said it is working on a fix, to be released at a later date.

While Microsoft said it was aware that the IE zero-day was being exploited in the wild, the company described these as “limited targeted attacks,” suggesting the zero-day was not broadly exploited, but rather that it was part of attacks aimed at a small number of users. These limited IE zero-day attacks are believed to be part of a larger hacking campaign, which also involves attacks against Firefox users.

VULNERABILITY SUMMARY

A remote code execution (RCE) vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.

REFERENCES

This IE RCE zero-day is also tracked as CVE-2020-0674

RESOLUTION

While this vulnerability and its current Microsoft-provided workaround is not anticipated to directly affect Vital Images Products, deployments of said products include the affected Internet Explorer file(s) listed in the advisory. Corporations should follow their company policies when considering the configuration mitigations provided in the Microsoft Advisory ADV200001 linked above.

Vital Images will continue to monitor announcements and progress regarding future patching for this vulnerability and will distribute updated communication as needed.

Vital Images recommends installing the Microsoft Monthly Roll-up Updates.

Disclaimer: When following any of the links provided you will be leaving Vital Images’ website. Vital Images is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Vital Customer Success.

Published: January 14, 2020

Microsoft has released security updates to address multiple critical remote code execution vulnerabilities, CVE-2020-0609, CVE-2020-0610 and CVE-2020-0611.

VULNERABILITY SUMMARIES

Windows Remote Desktop Server Vulnerabilities – CVE-2020-0609/CVE-2020-0610

A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems RD Gateway via RDP.

The update addresses the vulnerability by correcting how RD Gateway handles connection requests.

CVE-2020-0609/CVE-2020-0610:

• Affects all supported Windows Server versions (Server 2012 and newer; support for Server 2008 ends January 14, 2020);
• Occurs pre-authentication; and
• Requires no user interaction to perform.

The Microsoft Security Advisories for CVE-2020-0609 and CVE-2020-0610 address these vulnerabilities.

Windows Remote Desktop Client Vulnerability – CVE-2020-0611

A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it. An attacker would need to trick the user into connecting via social engineering, DNS poisoning or using a Man in the Middle (MITM) technique. An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect.

The update addresses the vulnerability by correcting how the Windows Remote Desktop Client handles connection requests.

CVE-2020-0611:

• Affects all supported Windows Server and Workstation versions (Support for Server 2008 and Windows 7 ends January 14, 2020)

The Microsoft Security Advisory for CVE-2020-0611 addresses this vulnerability.

RESOLUTION
Microsoft strongly recommends installing the Windows Updates as soon as possible.

Patches for all impacted versions can be found at the specific CVE links in the summary sections above.

Vital Images recommends installing the Microsoft Monthly Roll-up Updates.

Disclaimer: When following any of the links provided you will be leaving Vital Images’ website. Vital Images is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Vital Customer Success.

Published: October 31st, 2019

Google has released Chrome version 78.0.3904.87 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. One of these vulnerabilities (CVE-2019-13720) was detected in exploits in the wild.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.

VULNERABILITY SUMMARY:

Google is currently not publishing a summary of the vulnerability.

The following is an announcement from the link provided above:

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

REFERENCES:

• MITRE Advisory

RESOLUTION:
Vital Images recommends checking  your Chrome browser Help->About Google Chrome and confirming that you’re on the latest Chrome update 78.0.3904.87.

Disclaimer: When following any of the links provided you will be leaving Vital Images’ website. Vital Images is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Vital Customer Success.

Published: September 23, 2019

Microsoft has released an out of band security updates to address a scripting engine memory corruption vulnerability, CVE-2019-1367 for the following version of Internet Explorer:

• Internet Explorer 11

VULNERABILITY SUMMARY:

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

REFERENCES:

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and users and administrators to review the following resources and apply the necessary updates:

• Microsoft Security Vulnerability Information for  CVE-2019-1367

Other useful references:

• MITRE Advisory
• National Vulnerability Database

RESOLUTION:
Microsoft strongly recommends installing the Windows Update as soon as possible.

There is a vulnerability that is being actively exploited in the wild.

Vital Images recommends installing the Microsoft patches as they are released.

Disclaimer: When following any of the links provided you will be leaving Vital Images’ website. Vital Images is not responsible for the content, security or availability of linked sites.=

If you have any questions, please contact Vital Customer Success.

Published: August 14, 2019

Microsoft has released security updates to address two remote code execution vulnerabilities, CVE-2019-1181 and CVE-2019-1182, in the following operating systems:

• Windows 7 SP1
• Windows Server 2008 R2 SP1
• Windows Server 2012
• Windows 8.1
• Windows Server 2012 R2
• Windows 10

VULNERABILITY SUMMARY:

An attacker could exploit these vulnerabilities to take control of an affected system. Similar to CVE-2019-0708 – dubbed BlueKeep and announced in June 2019 – these vulnerabilities are considered “wormable” because malware exploiting these vulnerabilities on a system could propagate to other vulnerable systems.

REFERENCES:

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and users and administrators to review the following resources and apply the necessary updates:

• Microsoft Security Vulnerability Information for  CVE-2019-1181
• Microsoft Security Vulnerability Information for CVE-2019-1182

Other useful references:

• Microsoft Security Blog Post: Protect Against BlueKeep
• Microsoft Customer Guidance for CVE-2019-0708
• Microsoft Security Blog Post: Patch New Wormable Vulnerabilities in Remote Desktop Services (CVE-2019-1181/1182)

RESOLUTION:
Microsoft strongly recommends installing the Windows Update as soon as possible.

Both patches for all impacted versions can be found at the specific CVE links in the References section above.

Vital Images recommends installing the Microsoft Monthly Roll-up Updates.

Disclaimer: When following any of the links provided you will be leaving Vital Images’ website. Vital Images is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Vital Customer Success.

Published: July 19, 2019

DICOM.org has reported the following Security Advisory:

VULNERABILITY SUMMARY

The DICOM Standards Organization has reported a data validation vulnerability in the preamble defined by the DICOM File format. According to this report, the vulnerability is exploitable by embedding executable code into the 128-byte preamble. A malicious actor could modify a DICOM file preamble so that it is treated as both an executable program and as a DICOM file. A user might be somehow convinced to execute the file.

Note:

The DICOM Network Communications protocol between modalities, PACS, and display systems does not transmit a preamble and is not subject to this vulnerability.

References:

DICOM FAQ Response to 128-byte preamble vulnerability

RESOLUTION

Review link provided above for details and vulnerability scenarios.

For Vital Images customers, always exercise caution by reviewing or AV (Antivirus)  scanning the contents of any portable media (CDs, USBs, etc.) to determine that all files are legitimate DICOM files. Vital recommends that affected users reach out to their specific AV vendor to determine if their solution properly scans for the affected file type. In the situation where an AV solution cannot be installed, affected users should take steps to make sure that they have processes and procedures in place to scan portable/removable media for suspicious files before introducing the media into their medical networks.

Disclaimer: When following any of the links provided you will be leaving Vital Images’ website. Vital Images is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Vital Customer Success.

Published: June 20, 2019

Microsoft® has provided the following Security Bulletin for the Remote Desktop Services Remote Code Execution Vulnerability (a.k.a. BlueKeep) Vulnerability CVE-2019-0708:

VULNERABILITY SUMMARY
A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP.

The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.

References:

• CVE-2019-0708 – From the National Vulnerability Database
• CVE-2019-0708 – Microsoft Security Announcement

Only impacted versions are listed:

• Windows 7 for X64-based Systems Service Pack 1 for Vitrea 6.x and Vitrea 7.x
• Windows Server 2008 R2 for x64-based Systems Service Pack 1 for Vitrea 6.x

RESOLUTION
Microsoft strongly recommends taking the Windows Update as soon as possible.

The required patches for all impacted versions can be found here.

Vital Images recommends taking the Microsoft Monthly Updates.

Disclaimer: When following any of the links provided you will be leaving Vital Images’ website. Vital Images is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Vital Customer Success.

Published: June 17, 2019

Hewlett Packard Enterprise has provided the following Security Bulletin:

VULNERABILITY SUMMARY
Vulnerabilities discovered in HPE Integrated Lights-Out 4 (iLO 4) for Gen9 servers and Integrated Lights-Out 5 (iLO 5) for Gen10 Servers could be exploited remotely to allow Cross-Site Scripting (XSS), Unauthorized Data Injection, and Buffer Overflow.

References:

• CVE-2019-11982 – Cross-Site Scripting (XSS)
• CVE-2019-11983 – Buffer overflow in CLI
• CVE-2018-7117 – Cross-Site Scripting (XSS)

Only impacted versions are listed:

• HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers 1.39 and earlier
• HPE Integrated Lights-Out 4 (iLO 4) 2.61b and earlier

RESOLUTION
HPE has provided updated firmware for Integrated Lights-Out 4 (iLO 4) for Gen9 servers and Integrated Lights-Out 5 (iLO 5) for Gen10 to resolve these issues.

• For iLO 4 (GEN 9), acquire firmware version 2.70 (or later) here and install it
• For iLO 5 (GEN 10), acquire firmware version 1.40 (or later) here and install it

Hewlett Packard Enterprise strongly recommends the information in this Security Bulletin should be acted upon as soon as possible.

Vital Images recommends subscribing to the Hewlett Packard Enterprise Security Bulletins for future security updates.

Disclaimer: When following any of the links provided you will be leaving Vital Images’ website. Vital Images is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Vital Customer Success.

Published: June 3, 2019

HPE has provided the following Security Announcement:

On May 14, 2019, Intel and other industry partners shared details and information about a new group of vulnerabilities collectively called Microarchitectural Data Sampling (MDS).  These security vulnerabilities in CPUs may allow information disclosure. Intel is releasing microcode updates (MCU) to mitigate these potential vulnerabilities. These are coupled with corresponding updates to operating system and hypervisor software.

More details are available through CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091, and the Intel Security Advisory.

Impact assessment for HPE Products is available here.

Additional details on HPE Support Center.

Disclaimer: If you follow the any of the links provided you will be leaving Vital Images’ website. Vital Images is not responsible for the content, security or availability of linked sites.

If you have any questions please contact Vital Customer Success.

Published: June 4, 2018

Microsoft has recently released a security update for a vulnerability in Remote Desktop Services(RDS). It has been reported that if two machines do not have the same RDS patch install level, an incompatibility issue between them can prevent log in.

This RDS update has been released through the standard Windows Update distribution channels and will be installed to those machines taking the standard monthly Windows Updates.

The RDS security update details are here: