Zero-day Attacks in 2014

Written By: Cindee Tran January 16, 2015

2014 was a rough year for system administrators, working around the clock to protect the security of their servers. There have been many zero-days that have required IT personnel to scramble to install patches before attackers could begin exploiting the issues.


GoTo Fail

In February, Apple released the iOS 7.0.6 and iOS 6.1.6 updates to address a serious flaw, CVE-2014-1266, that had originally shipped to Apple devices in September of 2012. The issue was corrected in the SSLVerifySignedServerKeyExchange function in libsecurity_ssl/lib/sslKeyExchange.c, part of the Secure Transport feature within the Data Security component of several versions of Apple iOS, Apple TV, and Apple OS X. The function contained two consecutive ‘goto fail;’ statements, which caused it to skip the signature check on a TLS Server Key Exchange message. This made MitM (Man-in-the-Middle) attacks possible: an attacker could spoof SSL servers by either using an arbitrary private key for the signing step or omitting the signing step altogether. Within a day of Apple’s patch release, a PoC (Proof-of-Concept) was released showcasing fully transparent interception of HTTPS traffic on both iOS (prior to 7.0.6) and OS X Mavericks.
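The control-flow shape of this bug, next to a hardened form, as an added example that is not Apple's code and not part of the original article. The helpers hash_update and check_signature and both verify_* functions are hypothetical stand-ins for the real handshake steps.

```c
#include <stdio.h>

/* Hypothetical stand-ins for the handshake steps; not Apple's code. */
static int hash_update(void) { return 0; }              /* always succeeds */
static int check_signature(int sig_valid) { return sig_valid ? 0 : -1; }

/* Flawed shape: the duplicated goto is outside the if, so it always runs
 * while err is still 0 and check_signature() is never reached. */
int verify_flawed(int sig_valid)
{
    int err;
    if ((err = hash_update()) != 0)
        goto fail;
    if ((err = hash_update()) != 0)
        goto fail;
        goto fail;
    if ((err = check_signature(sig_valid)) != 0)
        goto fail;
fail:
    return err;                 /* 0 means the key exchange is accepted */
}

/* Hardened shape: braces on every branch and a result that starts as
 * failure, so a stray jump to the exit cannot report success. */
int verify_fixed(int sig_valid)
{
    int result = -1;
    if (hash_update() != 0) {
        goto done;
    }
    if (hash_update() != 0) {
        goto done;
    }
    if (check_signature(sig_valid) != 0) {
        goto done;
    }
    result = 0;                 /* only reached when every step passed */
done:
    return result;
}

int main(void)
{
    printf("invalid signature, flawed: %d\n", verify_flawed(0));
    printf("invalid signature, fixed:  %d\n", verify_fixed(0));
    return 0;
}
```

Compiler warnings for misleading indentation and unreachable code flag the flawed function, which is one reason to build security-critical code with those warnings treated as errors.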



Heartbleed

In April, it was discovered that the OpenSSL cryptographic library was vulnerable to the Heartbleed bug - CVE-2014-0160. This weakness can allow remote attackers to obtain sensitive information from a vulnerable server, such as session tokens, website user passwords, and encryption keys that could allow access to usernames, passwords, and other data that are typically encrypted. This was a massive issue that required organizations to identify their vulnerable systems and install the latest patches in haste. Unfortunately, not every system that handles sensitive information was patched before attackers could get to it. Four months after the bug was disclosed, it was reported that hackers exploiting the Heartbleed bug stole 4.5 million patient records. It's been 8 months since it was discovered, but it is likely that there are still many systems that are not yet patched, or will never be patched, such as some Android smartphones.



Shellshock

In September, it was announced that the bash command shell, used in many Unix-like systems, including Linux-based systems, Apple Mac OS X, and Cygwin (which runs on Windows), was vulnerable to an attack dubbed Shellshock - CVE-2014-6271. This vulnerability allows remote attackers to execute arbitrary code by concatenating commands at the end of function definitions stored in the values of environment variables. Within hours of the release of this bug to the general public, attackers reportedly exploited this vulnerability to build botnets out of compromised computers and use them for DDoS (distributed denial-of-service) attacks and vulnerability scanning. Shellshock has been compared to the Heartbleed bug in terms of severity level.
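A triage check for the pattern described above, as an added example that is not part of the original article: it flags environment values that look like a function definition with text after the function body. The names classify_env_value, count_suspicious and SAMPLE_ENV are hypothetical, and the sample entries are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum env_class { ENV_PLAIN, ENV_FUNCTION, ENV_FUNCTION_TRAILING };

/* Classify one environment value. Brace matching ignores quoting, which is
 * a simplification; unbalanced definitions are reported as suspicious. */
enum env_class classify_env_value(const char *v)
{
    if (strncmp(v, "() {", 4) != 0) return ENV_PLAIN;  /* not function-shaped */
    int depth = 0;
    const char *p = v + 3;                  /* the opening brace */
    for (; *p; p++) {
        if (*p == '{') depth++;
        else if (*p == '}' && --depth == 0) { p++; break; }
    }
    if (depth != 0) return ENV_FUNCTION_TRAILING;
    for (; *p; p++)
        if (!isspace((unsigned char)*p))
            return ENV_FUNCTION_TRAILING;   /* text after the function body */
    return ENV_FUNCTION;
}

/* Count NAME=value entries whose value carries text after a function body. */
int count_suspicious(const char *const env[])
{
    int n = 0;
    for (size_t i = 0; env[i] != NULL; i++) {
        const char *eq = strchr(env[i], '=');
        if (eq && classify_env_value(eq + 1) == ENV_FUNCTION_TRAILING)
            n++;
    }
    return n;
}

/* Constructed sample environment; only the last entry should be flagged. */
const char *const SAMPLE_ENV[] = {
    "PATH=/usr/bin:/bin",
    "greet=() { echo hello; }",
    "EXAMPLE_VAR=() { :; }; echo trailing-command",
    NULL
};

int main(void)
{
    printf("suspicious entries: %d\n", count_suspicious(SAMPLE_ENV));
    return 0;
}
```

A check like this helps when reviewing logs or captured environments for exploitation attempts; it does not replace patching bash.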



Sandworm

In October of this year, another zero-day became known to the public, called Sandworm - CVE-2014-4114. Prior to the release of the patch, all versions of Microsoft Windows and Windows Server 2008 and 2012 were affected. The Sandworm flaw exists in OLE (Object Linking and Embedding), a proprietary technology developed by Microsoft that allows applications to embed and link documents to other objects, such as embedding an Excel spreadsheet into a Word document. This attack requires that the end user be tricked into clicking on a file (such as a PowerPoint presentation file), which causes a well-crafted script created by the attacker to be executed, allowing the attacker to gain access to the internal network of the victim and gain the same user rights as the current user. If the current user is an administrator, then the attacker could take complete control of the affected system. Interestingly, when it was discovered, this vulnerability was being used in a Russian cyber-espionage campaign targeting NATO, the European Union, and the telecommunications and energy sectors.


Drupal 7 Pre-auth SQLi

Within the same month that Sandworm became publicly known, Drupal released a security patch that addressed a pre-authenticated SQL Injection vulnerability affecting all versions of Drupal 7 before 7.32. This vulnerability allows attackers to send specially crafted requests resulting in arbitrary SQL execution, which can lead to privilege escalation, arbitrary PHP execution and other attacks. In our experience here at AppSec Consulting, we are still regularly identifying SQL Injection vulnerabilities, and in some cases they affect widely deployed applications, such as Drupal.



POODLE

The POODLE (Padding Oracle On Downgraded Legacy Encryption - CVE-2014-3566) attack was also reported in October. When first reported, the POODLE attack was known to affect CBC-mode cipher suites in SSLv3, a version of the SSL protocol that can be used to encrypt browser traffic as well as traffic between users' email clients and mail servers. This vulnerability could allow attackers to hijack and decrypt session cookies from all the various websites that end-users browse and log into. Once compromised, these session cookies can be used by attackers to impersonate the victim and access all the functionality that the victim has access to. In order to exploit this vulnerability, the attacker must be on the same network as the victim and be able to inject JavaScript to initiate the attack. In response to the POODLE attack, the latest version of Firefox (version 34, released Dec. 1st) has removed SSLv3 support, and the current version of Chrome (39) has removed fallback to SSLv3, with plans for the next release (Chrome 40) to remove SSLv3 completely. Microsoft released a Fix It tool which allows customers to disable SSLv3 in all supported versions of Internet Explorer. Microsoft is working to disable fallback to SSLv3 and to disable SSLv3 altogether by default in the coming months.

It was initially thought that the POODLE attack only affected SSLv3. More recently, however, there have been reports of the POODLE attack also affecting TLS 1.0 and 1.1. The root of the problem for SSLv3 was that the specification did not state what the padding bytes should be, so implementations couldn't check them, which opened SSLv3 to an oracle attack. TLS 1.0 and 1.1 are actually very strict about how the padding is formatted. However, some TLS implementations, such as those from F5 Networks and A10 Networks, neglect to check the padding structure after decryption, resulting in the same weakness that allowed for POODLE attacks. The difference is that the attack is now easier to exploit, as the attacker no longer needs to downgrade the client to SSLv3 prior to exploiting POODLE. Both F5 Networks and A10 Networks have issued patches to protect against the POODLE attack.
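The difference between the two padding checks described above, as an added example that is not part of the original article and not any vendor's code. The function names and both 16-byte sample blocks are constructed for illustration, and MAC verification is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SSLv3-style check: only the final padding-length byte is constrained,
 * because the padding bytes themselves have no defined value. */
int sslv3_padding_ok(const uint8_t *rec, size_t len, size_t block)
{
    if (len == 0) return 0;
    size_t pad = rec[len - 1];
    return pad < block && pad + 1 <= len;
}

/* TLS 1.0/1.1-style check: every padding byte must equal the length byte.
 * Skipping this loop reproduces the SSLv3 behaviour in a TLS stack. */
int tls_padding_ok(const uint8_t *rec, size_t len)
{
    if (len == 0) return 0;
    size_t pad = rec[len - 1];
    if (pad + 1 > len) return 0;
    uint8_t diff = 0;
    for (size_t i = len - 1 - pad; i < len; i++)
        diff |= (uint8_t)(rec[i] ^ pad);
    return diff == 0;
}

/* Constructed 16-byte decrypted blocks: 8 data bytes, 7 padding bytes,
 * then the padding-length byte 0x07. */
const uint8_t WELL_FORMED[16] = {
    'r', 'e', 'c', 'o', 'r', 'd', '0', '1', 7, 7, 7, 7, 7, 7, 7, 7 };
const uint8_t ALTERED[16] = {
    'r', 'e', 'c', 'o', 'r', 'd', '0', '1',
    0x3c, 0x91, 0x0e, 0xa4, 0x55, 0xd2, 0x68, 7 };

int main(void)
{
    printf("well-formed: sslv3=%d tls=%d\n",
           sslv3_padding_ok(WELL_FORMED, 16, 16),
           tls_padding_ok(WELL_FORMED, 16));
    printf("altered:     sslv3=%d tls=%d\n",
           sslv3_padding_ok(ALTERED, 16, 16),
           tls_padding_ok(ALTERED, 16));
    return 0;
}
```

The altered block passes the SSLv3-style check and fails the TLS-style one, which is the gap a TLS implementation reopens when it skips the padding structure check.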


Should you be worried?

The main difference between the POODLE attack and the Heartbleed, Shellshock, and Sandworm attacks is that the POODLE attack targets clients, while Heartbleed, Shellshock, and Sandworm allow the attacker to compromise the server. All of these attacks have exploit code that can be used by any attacker to infiltrate and potentially compromise the vulnerable servers and steal sensitive information. Either Metasploit modules or PoCs exist for every attack mentioned in this blog article, which makes it trivial for the attacker to exploit these issues. This is why it is imperative that all vulnerable systems be patched as soon as vulnerabilities are discovered. One way for end-users to mitigate the risk from Heartbleed and other serious server-side attacks mentioned in this blog post is to use a password manager tool, such as LastPass, to generate a strong, unique password for each website. The tool can then be configured to warn end users when a website may have been compromised so that they can quickly change their password. End-users can also protect themselves from POODLE attacks by upgrading their browsers, but currently, even in this case, modern browsers are not protected from POODLE attacks on TLS 1.0 and 1.1. To prevent Sandworm exploits, end-users can avoid opening files from unknown sources, such as PowerPoint presentations.

All these high-profile zero-days that came to light in 2014 made it quite a challenge for system administrators to maintain and secure their networks as quickly as these attacks were released, since many websites and networks were attacked hours after the release of these exploits. AppSec Consulting has been testing for all these vulnerabilities since the first day that they were discovered and known to the public. In addition, prior to learning of the POODLE attacks, AppSec Consulting had already been recommending that all of our clients disable SSLv3, as it is an obsolete and insecure protocol that was superseded by TLS long ago. This recommendation was effective in protecting some customers from the POODLE attacks even before the initial release of the exploit.

Cindee Tran

Cindee Tran is a Senior Security Consultant at AppSec Consulting. She has spent the past 5 years performing black-box and white-box style testing for a wide variety of projects of different sizes and requirements, including large scale web applications, web services, and iOS/Android/Windows Mobile applications. Cindee is an outside-the-box thinker who excels in identifying and documenting unique vulnerabilities that would only be found by an experienced human tester, such as logical issues, clever ways to win game battles, and techniques for bypassing various input validation filters. She has a deep understanding of mobile privacy threats, and enjoys spending time researching and identifying vulnerabilities that can lead to leakage of user data. She has identified and responsibly disclosed many vulnerabilities within mobile and web applications.


Cindee obtained a Bachelor’s degree in Computer Science at Stevens Henager College and has over 10 years of IT experience. Prior to joining AppSec Consulting, she worked as a DBA and .NET Software Developer building and maintaining highly sensitive web applications for Fortune 500 companies that required strict adherence to Sarbanes-Oxley.
