These newly disclosed vulnerabilities in tcpip.sys are a really interesting case study in why holistic security matters. Sure, you should still be patching, but are your firewalls and IPS systems properly configured? If so, these probably aren't an issue. 1/
msrc-blog.microsoft.com/2021/02/09/mul…
First, let's look at CVE-2021-24094/24086. Both involve the reassembly of packet fragments. If you've never dealt with issues with IP fragmentation and never had to worry about the MTU across the network path, that's okay. It was a common thing many moons ago, but not much today. 2/
In IPv4 there are lots of variations in how fragments are handled, particularly for out-of-order delivery. It turns out the original standards weren't very clear on this, so everybody did what was easy. But as IPv6 was being built, the standard was made clear: no overlaps. 3/
We still have the issue of how long to keep IPv6 packet fragments in memory. It turns out this is where the vuln is at. If a sender delivers too many packet fragments out of order, each one must be stored somewhere pending reassembly at a later time (when all fragments are present). 4/
But here's the rub: you likely aren't seeing legitimate IPv6 fragmentation at all (if you are, I'd be REALLY interested to know what the use case is).

Take a look at your packet capture and determine "do I have these?" If not, block them from transiting network devices. 5/
Now on to CVE-2021-24074. This deals with IPv4 source routing, another blast from the past. Back in the day, some engineer thought "we need a way to specify in the IP header that we are smarter than the routers handling our packets." I'm sure it solved some problem at the time 6/
But in all of recent history (like 2+ decades), source routing has only been used maliciously. Microsoft even notes that Windows blocks source routing, but still processes the packets to send an ICMP error message back to the sender because that's part of the standard (🤷). 7/
So again, these packets have no place in your network in the first place. Block (and log) them at every network device that supports it, and this was never an issue.
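
As an added example (not from the thread), a stdlib-only Python checker that answers the "do I have these?" question for the two packet types called out above: it flags IPv4 source-route options (LSRR/SSRR) and IPv6 Fragment Headers in raw IP-layer bytes. The sample packets are constructed here, not taken from a real capture; point `audit` at the IP payloads of frames from your own pcap.

```python
import struct

IPV6_FRAGMENT_HEADER = 44             # IPv6 Next Header value of the Fragment Header
IPV6_WALKABLE_EXT = {0, 43, 60}       # hop-by-hop, routing, dest options: length field in 8-octet units
SOURCE_ROUTE_KINDS = {131: "LSRR", 137: "SSRR"}   # IPv4 loose / strict source route option kinds
IPV4_OPT_EOL, IPV4_OPT_NOP = 0, 1

def ipv4_source_route_option(pkt):
    """Return 'LSRR' or 'SSRR' if the IPv4 header carries a source-route option, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    opts, i = pkt[20:(pkt[0] & 0x0F) * 4], 0
    while i < len(opts) and opts[i] != IPV4_OPT_EOL:
        if opts[i] in SOURCE_ROUTE_KINDS:
            return SOURCE_ROUTE_KINDS[opts[i]]
        if opts[i] == IPV4_OPT_NOP:
            i += 1                        # single-byte option, no length field
        elif i + 1 < len(opts) and opts[i + 1] >= 2:
            i += opts[i + 1]              # skip a type-length-value option
        else:
            return None                   # truncated or malformed option list
    return None

def ipv6_fragment_header(pkt):
    """Return (fragment_offset, more_fragments, identification) if an IPv6 Fragment Header is present."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nxt, off = pkt[6], 40
    while nxt in IPV6_WALKABLE_EXT and len(pkt) >= off + 2:   # skip hop-by-hop/routing/dest options
        nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nxt != IPV6_FRAGMENT_HEADER or len(pkt) < off + 8:
        return None
    flags, ident = struct.unpack("!HI", pkt[off + 2:off + 8])
    return flags >> 3, bool(flags & 1), ident

def audit(packets):
    """Per-packet findings for traffic the thread says to block: IPv4 source routing, IPv6 fragments."""
    return [(n, f) for n, pkt in enumerate(packets)
            for f in (ipv4_source_route_option(pkt), ipv6_fragment_header(pkt)) if f is not None]

def ipv4(options=b""):                  # constructed sample IPv4 header (not from a real capture)
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 1, 0, 64, 6, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + options

LSRR_OPTION = bytes([131, 7, 4, 10, 0, 0, 1, IPV4_OPT_NOP])     # one route hop, NOP pad to 8 bytes
IPV6_FRAG = struct.pack("!IHBB16s16s", 0x60000000, 16, IPV6_FRAGMENT_HEADER, 64, bytes(15) + b"\x01",
                        bytes(15) + b"\x02") + struct.pack("!BBHI", 17, 0, 1 << 3, 0xDEADBEEF) + bytes(8)
SAMPLE = [ipv4(), ipv4(LSRR_OPTION), IPV6_FRAG]     # plain IPv4, IPv4 with LSRR, IPv6 last fragment
```

The plain IPv4 packet produces no finding, which is the result you want to see for all of your own traffic before adding the block rules.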

Now that we've touched on those two specific examples, let's back up a bit. 8/
I know zero-trust (ZTNA) is a huge buzzword right now (and shame on you, vendors who are abusing it). But I'm here to tell you that it works.

The core principle of ZTNA is "deny all, permit by exception." Most orgs take this to mean "learn IPs and ports in use and act there." 9/
But I suggest you take it a step further. Learn about core protocols (like IP) and block the heck out of anything you don't expect to see.

The TCP/IP stack is amazingly complex. I'm here to tell you that it is a HUGE attack surface in IoT devices. Want to be ready? Act now. 10/
Why don't more people do this? Because deep diving into protocol implementations isn't sexy. But it IS how the community keeps finding vulnerabilities like KRACK (WPA2), these, and countless others.

How many times have I said "back to basics?" I feel like a broken record. /FIN
