Exploitable Vulnerabilities that need immediate attention


CVE ID          Vulnerability Name
CVE-2020-5135   SonicWall SonicOS Buffer Overflow Vulnerability
CVE-2019-1405   Microsoft Windows UPnP Service Privilege Escalation Vulnerability
CVE-2019-1322   Microsoft Windows Privilege Escalation Vulnerability
CVE-2019-1315   Microsoft Windows Error Reporting Manager Privilege Escalation Vulnerability
CVE-2019-1253   Microsoft Windows AppX Deployment Server Privilege Escalation Vulnerability
CVE-2019-1129   Microsoft Windows AppXSVC Privilege Escalation Vulnerability
CVE-2019-1069   Microsoft Task Scheduler Privilege Escalation Vulnerability
CVE-2019-1064   Microsoft Windows AppXSVC Privilege Escalation Vulnerability
CVE-2019-0841   Microsoft Windows AppXSVC Privilege Escalation Vulnerability
CVE-2019-0543   Microsoft Windows Privilege Escalation Vulnerability
CVE-2018-8120   Microsoft Win32k Privilege Escalation Vulnerability
CVE-2017-0101   Microsoft Windows Transaction Manager Privilege Escalation Vulnerability
CVE-2016-3309   Microsoft Windows Kernel Privilege Escalation Vulnerability
CVE-2015-2546   Microsoft Win32k Memory Corruption Vulnerability
CVE-2019-1132   Microsoft Win32k Privilege Escalation Vulnerability


Protection of PII and Confidentiality Safeguards


PII is “any information about an individual maintained by an organization, including
1.     Any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, or biometric records; and
2.     Any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” [GAO Report 08-536/NIST-800-122]

Organizations are required to identify all PII residing within the organization or under its control. They should use a variety of techniques to identify PII, such as reviewing system documentation, using Data Loss Prevention (DLP) technologies such as automatic PII network monitoring tools, or checking with system and data owners. Organizations should also ensure that retired hardware no longer contains PII and that proper sanitization techniques have been applied. [NIST-800-122]

Determine PII Confidentiality Impact Levels


There are several important factors that an organization should consider to determine the impact of a loss of confidentiality of PII. All of the relevant factors should be considered together, as each may affect the impact level. [NIST-800-122]

1.     Identifiability: Evaluate how easily the PII can be used to identify specific individuals.

2.     Quantity of PII: Consider how many individuals are identified in the information (such as the number of records).

3.     Data Field Sensitivity: Evaluate the sensitivity of each individual PII data field. An individual’s Social Security Number, medical information, or financial account information is generally considered more sensitive.

4.     Context of Use: The context of use is the purpose for which the PII is collected, stored, used, processed, disclosed, or disseminated.

5.     Obligation to Protect Confidentiality: Many organizations are subject to laws, regulations, or other mandates governing the obligation to protect PII, such as the Privacy Act of 1974, HIPAA (1996), and the GDPR.

6.     Access to and Location of PII: Consider the nature of authorized access to the PII, and whether the PII is stored on, or accessed from, systems outside the direct control of the organization.



Table 1 summarizes the potential impacts of a security breach, i.e. a loss of confidentiality, integrity, or availability (CIA) [FIPS-199/NIST-800-122]

Potential impact: LOW
The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. For example, the loss of CIA might:
  i.   cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced;
  ii.  result in minor damage to organizational assets;
  iii. result in minor financial loss; or
  iv.  result in minor harm to individuals.

Potential impact: MODERATE
The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. For example, the loss of CIA might:
  i.   cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced;
  ii.  result in significant damage to organizational assets;
  iii. result in significant financial loss; or
  iv.  result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.

Potential impact: HIGH
The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. For example, the loss of CIA might:
  i.   cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions;
  ii.  result in major damage to organizational assets;
  iii. result in major financial loss; or
  iv.  result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.




Safeguards for Confidentiality


PII should be protected through a combination of measures, including operational safeguards, privacy-specific safeguards, and security controls. Organizations should use a risk-based approach to protecting the confidentiality of PII. [NIST-800-122]

1. Operational Safeguards
   a. Create Policy and Procedures
      i.   Access rules for PII within a system
      ii.  PII retention schedules and procedures
      iii. Privacy in the system development life cycle process
      iv.  Limitation of collection, disclosure, sharing and use of PII
      v.   PII incident response and data breach notification
      vi.  Consequences for failure to follow privacy rules of behavior
   b. Awareness, Training, and Education
      i.   The definition of PII
      ii.  Applicable privacy laws, regulations, and policies
      iii. Roles and responsibilities for using and protecting PII
      iv.  Appropriate disposal of PII
      v.   Sanctions for misuse of PII
      vi.  Recognition of a security or privacy incident involving PII
      vii. Roles and responsibilities in responding to and reporting PII-related incidents

2. Privacy-Specific Safeguards
   a. Minimize the Use, Collection, and Retention of PII
      The basic principle of privacy is the fair practice of minimizing the use, collection, and retention of PII. Organizations should consider the total amount of PII used, collected, and maintained, as well as the types and categories of PII, and keep it only as long as it is required for the current business purpose.
   b. Conduct Privacy Impact Assessments
      PIAs are structured processes for identifying and mitigating privacy risks. A PIA should address confidentiality risks at every stage of the system development life cycle (SDLC).
   c. De-Identifying Information
      The term de-identified information describes records that have had enough PII removed, obscured, masked or obfuscated that the remaining PII does not identify an individual. De-identified information can be re-identified using a code, algorithm, or pseudonym that is assigned to individual records.
   d. Anonymizing Information
      Anonymization of information involves techniques that ensure the data cannot be re-identified.

3. Security Controls
   Security controls are often already implemented on a system to protect other types of data processed, stored, or transmitted by the system.
   a. Access Control Enforcement
      Organizations can control access to PII through access control policies and access enforcement mechanisms.
      i.   Separation of Duties: organizations can enforce separation of duties for responsibilities involving access to PII.
      ii.  Least Privilege: organizations can enforce the most restrictive set of rights, privileges, or access that users need to perform the specified task.
      iii. Remote Access: organizations can choose to prohibit or strictly limit remote access to PII. If remote access is permitted, the organization should ensure that the communications are encrypted.
      iv.  User-Based Collaboration and Information Sharing: organizations can provide automated mechanisms to assist users in determining whether access authorizations match the access restrictions on PII.
      v.   Access Control for Mobile Devices: organizations can choose to prohibit or strictly limit access to PII from portable and mobile devices, which are generally at higher risk.
   b. Auditable Events
      Organizations can monitor events that affect the confidentiality of PII, such as unauthorized access to PII.
      i.   Audit, Review, Analysis and Reporting: organizations can regularly review and analyze the information system’s audit records for indications of inappropriate or unusual activity affecting PII, and investigate suspicious activity or suspected violations.
   c. Identification and Authentication
      Users can be uniquely identified and authenticated before accessing PII. The strength requirement for the authentication mechanism depends on the impact level of the PII and of the system as a whole.
   d. Media Access Protection
      i.   Organizations can restrict access to information system media containing PII, including digital and non-digital media.
      ii.  Organizations can label information system media and output containing PII to indicate how it should be distributed and handled.
      iii. Organizations can securely store PII, in both paper and digital form, until the media is destroyed or sanitized using approved equipment, techniques, and procedures.
      iv.  Organizations can protect digital and non-digital media and mobile devices containing PII that are transported outside the organization’s controlled areas.
      v.   Organizations can sanitize digital and non-digital media containing PII before it is disposed of or released for reuse.
   e. Transmission Confidentiality
      Organizations can protect the confidentiality of transmitted PII by encrypting the communication channel or by encrypting the information before it is transmitted.
   f. Protection of Information at Rest
      Organizations can protect the confidentiality of PII at rest, such as on hard drives or backup tapes.
   g. Information System Monitoring
      Organizations can deploy automated tools to monitor PII internally or at network boundaries for unusual or suspicious transfers or events.


Appendix


References and additional information are available at https://csrc.nist.gov/publications
NIST-SP800-122 (PDF)
FIPS-199 (PDF)
NIST-SP800-53

Domain Computer rename failed with access denied


Issue:

IT Helpdesk or desktop admins are not able to rename a computer that is already a member of a domain. Similarly, they have issues in resetting the user’s password remotely.

Environment:

Windows Server 2016 Domain Controllers hardened with STIG/CIS benchmark

Reference:

The SAMRPC protocol makes it possible for a low-level or non-privileged user to query a machine on the network for information. Generally, a user can use SAMRPC to enumerate users, including privileged accounts such as local or domain administrators, or to enumerate groups and group membership from the local SAM and Active Directory. An attacker can use this information as a starting point to compromise a domain or network.

To mitigate this risk, configure the ‘Network access: Restrict clients allowed to make remote calls to SAM’ security policy setting to force the Security Account Manager (SAM) to perform an access check against remote calls.

By default, the security descriptor on computers beginning with Windows 10 version 1607 and Windows Server 2016 allows only the local (Built-in) Administrators group remote access to SAM on member servers, and allows Everyone access on domain controllers.
The CIS Benchmark also recommends allowing only Administrators, and only on member servers (MS).

The problem starts when the Domain Controllers are also configured with the same security policy setting, because the helpdesk and desktop admin accounts then fail the SAM access check on the DCs.

Solution:

This security policy setting can be configured to allow the required low-level or non-privileged accounts, either through Group Policy or through the registry setting on each DC.

Security Consideration:

The SAMRPC protocol has a default security posture that makes it possible for low-privileged attackers to query a machine on the network for data that is critical to their further hacking and penetration plans.

The following example illustrates how an attacker might exploit remote SAM enumeration:
1. A low-privileged attacker gains a foothold on a network.
2. The attacker then queries all machines on the network to determine which ones have a highly privileged domain user configured as a local administrator on that machine.
3. If the attacker can then find any other vulnerability on that machine that allows taking it over, the attacker can squat on the machine waiting for the high-privileged user to log on and then steal or impersonate those credentials.

Countermeasure

You can mitigate this vulnerability by enabling the Network access: Restrict clients allowed to make remote calls to SAM security policy setting and configuring the SDDL for only those accounts that are explicitly allowed access.
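The solution and countermeasure above both come down to the same thing: keep the SAM access check on the DCs, but widen its security descriptor to the one group that legitimately needs remote SAM calls. The following PowerShell is an added example, not code from the original post: it reads the current RestrictRemoteSAM value from the Lsa registry key on a DC (falling back to Microsoft’s documented default, which grants only Built-in Administrators), appends an Allow ACE for a helpdesk group, and writes the resulting SDDL back. The group name PENLAB\Helpdesk-Tier1 is an illustrative assumption.

```powershell
# Added example (not from the original post): on each hardened DC, extend the
# 'Network access: Restrict clients allowed to make remote calls to SAM' security descriptor
# so a dedicated helpdesk group passes the SAM access check, instead of clearing the setting.
# Assumptions: PENLAB\Helpdesk-Tier1 is an illustrative group; run elevated on the DC, or put the
# resulting SDDL into the equivalent Group Policy setting so the hardening baseline does not overwrite it.
$RegPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName   = 'RestrictRemoteSAM'
$DefaultSddl = 'O:BAG:BAD:(A;;RC;;;BA)'   # documented default: Built-in Administrators only

function Get-RestrictRemoteSamSddl {
    # An absent value means the OS default descriptor applies, so start from that.
    $v = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $DefaultSddl }
    return $v.$ValueName
}

function Add-RemoteSamAllowedGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Account)   # 'DOMAIN\Group' form, e.g. 'PENLAB\Helpdesk-Tier1'

    # Resolve the account to a SID; the descriptor must not carry names, only SIDs.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $sd  = New-Object System.Security.AccessControl.CommonSecurityDescriptor(
               $false, $false, (Get-RestrictRemoteSamSddl))

    # The SAM access check tests READ_CONTROL (0x20000, 'RC' in SDDL); grant nothing wider.
    $sd.DiscretionaryAcl.AddAccess(
        [System.Security.AccessControl.AccessControlType]::Allow, $sid, 0x20000,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None)
    $newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

    if ($PSCmdlet.ShouldProcess("$RegPath\$ValueName", "set to $newSddl")) {
        Set-ItemProperty -Path $RegPath -Name $ValueName -Value $newSddl -Type String
    }
    return $newSddl
}

# Usage (illustrative): preview the resulting descriptor with -WhatIf, then apply without it.
Add-RemoteSamAllowedGroup -Account 'PENLAB\Helpdesk-Tier1' -WhatIf
```

Because the value is a plain string, a Group Policy that sets the same policy will overwrite whatever the script writes at the next refresh; on STIG/CIS-managed DCs, paste the SDDL the function returns into the policy rather than relying on the registry edit alone. Keeping the descriptor to READ_CONTROL for one group preserves the enumeration protection the countermeasure is there for.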

Active Directory Security: Leverage AdminSDHolder for persistent backdoor in AD


Leverage AdminSDHolder for persistent backdoor in AD

Each domain in Active Directory contains an AdminSDHolder object, which resides in the System container (CN=System) of the domain partition. The Distinguished Name (DN) of this object is “CN=AdminSDHolder,CN=System,DC=PENLAB,DC=LOCAL”. Active Directory Domain Services uses this object, the protected groups and SDPROP to secure privileged users and groups from unintentional modification. The AdminSDHolder object has a unique Access Control List (ACL) that is used to control the permissions on security principals that are members of built-in privileged Active Directory groups. Each time the process runs on the PDC Emulator operations master, it compares the ACL on all security principals (users, groups, and computers) that belong to protected groups against the ACL of the AdminSDHolder object.

Protected Objects

The listed groups and their members are protected by the AdminSDHolder object. Look for the AdminCount attribute in Active Directory with the value set to 1. The AdminCount value is never set back to 0, even after the account is removed from the protected groups. This is by design according to Microsoft.
  •  Account Operators
  •  Administrators
  •  Administrator
  •  Backup Operators
  •  Domain Admins
  •  Domain Controllers
  •  Enterprise Admins
  •  Schema Admins
  •  Krbtgt
  •  Print Operators
  •  Read-only Domain Controllers
  •  Server Operators
  •  Replicators

Default AdminSDHolder object ACL

  •  Authenticated Users: Read
  •  SYSTEM: Full Control
  •  Administrators: Modify
  •  Domain Admins: Modify
  •  Enterprise Admins: Modify

The SDPROP process runs every 60 minutes and resets the ACL to match the AdminSDHolder object if it finds it modified. The process can also be run manually.

AdminSDHolder object

An attacker can use the AdminSDHolder object to grant themselves the ability to modify the privileged groups in Active Directory, by leveraging a key security component against itself. This gives the attacker a persistent way of exploiting Active Directory: even if the system administrator or Active Directory administrator changes the permissions on a protected group or user, SDPROP will reset the security ACL to match the AdminSDHolder object.

1. Open the AdminSDHolder object and check the default permissions.
2. Add the domain account penlab\pentest1 to the AdminSDHolder object permissions and grant it Full Control.


3. Verify that the user pentest1 is a member of the Domain Users group only.


4. Run SDPROP manually or just wait for the next cycle of the process.
5. Open the Domain Admins group properties and see that penlab\pentest1 has been added to the security permissions with Full Control.


6. Log on with the penlab\pentest1 account to a member server or workstation and open the Active Directory snap-in. Since this user now has full access to the object, add the pentest1 account to Domain Admins or Enterprise Admins.


 Add the pentest1 account to the Domain Admins group




7. Now penlab\pentest1 has become a Domain Admin.
8. The penlab\pentest1 user account is now able to manipulate not only the highly privileged groups but also all the privileged user accounts: enable, disable, delete, create, and more.

Detection and Control

It is therefore important to monitor the ACLs configured on the AdminSDHolder object. It is recommended to keep the default ACL unless there is an absolute requirement to add a group or user. Monitor the users and groups with the AdminCount attribute set to 1 to identify the accounts whose ACLs are set by SDPROP.
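The detection advice above can be turned into three scheduled checks: drift of the AdminSDHolder ACL against a reviewed baseline, explicit write-class ACEs on AdminSDHolder held by anyone outside the expected administrative principals (the Full Control grant in the walkthrough would show up here), and accounts carrying AdminCount=1 that are no longer in any protected group. The PowerShell below is an added example, not part of the original post; it requires the ActiveDirectory RSAT module and an account that can read the domain partition. The baseline file path and the allowlist are illustrative assumptions, and since a real forest’s default AdminSDHolder ACL has more entries than the five listed above, the allowlist should be extended from a known-good copy of your own domain’s ACL.

```powershell
# Added example (not part of the original post): defender-side checks for the AdminSDHolder
# persistence technique described above. Requires the ActiveDirectory RSAT module and an account
# that can read the domain partition. The baseline path and the allowlist are illustrative.
Import-Module ActiveDirectory

function Get-AdminSDHolderAcl {
    # AdminSDHolder lives in CN=System of the domain partition, e.g. CN=AdminSDHolder,CN=System,DC=PENLAB,DC=LOCAL
    $domain = Get-ADDomain
    return Get-Acl -Path ("AD:\CN=AdminSDHolder,CN=System," + $domain.DistinguishedName)
}

function Save-AdminSDHolderBaseline {
    # Record the ACL as SDDL once, from a state you have reviewed, so later changes are detectable.
    param([string]$Path = 'C:\SecOps\adminsdholder-baseline.sddl')   # illustrative path
    (Get-AdminSDHolderAcl).Sddl | Set-Content -Path $Path -Encoding ASCII
}

function Compare-AdminSDHolderAcl {
    # Any drift matters: SDPROP copies this ACL to every protected user, group and computer within 60 minutes.
    param([string]$BaselinePath = 'C:\SecOps\adminsdholder-baseline.sddl')
    $baseline = (Get-Content -Path $BaselinePath -Raw).Trim()
    $current  = (Get-AdminSDHolderAcl).Sddl
    if ($baseline -eq $current) { return $null }
    # Split the SDDL string at each '(' so the added or removed ACE tokens are shown individually.
    Compare-Object -ReferenceObject ($baseline -split '(?=\()') -DifferenceObject ($current -split '(?=\()')
}

function Find-UnexpectedAdminSDHolderAces {
    # A write-class right on AdminSDHolder is what the walkthrough relies on (Full Control for pentest1);
    # list every explicit Allow ACE carrying such a right for a principal outside the allowlist.
    $domain  = Get-ADDomain
    $nb      = $domain.NetBIOSName
    $allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$nb\Domain Admins", "$nb\Enterprise Admins")
    $write   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl  -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    (Get-AdminSDHolderAcl).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $write) -ne 0) -and
        ($allowed -notcontains $_.IdentityReference.Value)
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
}

function Get-OrphanedAdminCountAccounts {
    # adminCount is never reset (as the post notes), so accounts removed from protected groups keep
    # adminCount=1 and the AdminSDHolder ACL. The protected groups themselves carry adminCount=1, which is
    # how they are found here; membership is resolved recursively because SDPROP honours nested membership.
    $protectedGroups  = Get-ADGroup -LDAPFilter '(adminCount=1)'
    $protectedMembers = foreach ($g in $protectedGroups) {
        Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty DistinguishedName
    }
    Get-ADUser -LDAPFilter '(adminCount=1)' | Where-Object {
        ($_.SamAccountName -notin @('Administrator', 'krbtgt')) -and
        ($protectedMembers -notcontains $_.DistinguishedName)
    } | Select-Object SamAccountName, DistinguishedName
}

# Usage (illustrative): run Save-AdminSDHolderBaseline once from a reviewed state, then schedule these.
Compare-AdminSDHolderAcl
Find-UnexpectedAdminSDHolderAces
Get-OrphanedAdminCountAccounts
```

The ACE check deliberately keys on rights rather than on named principals, because an attacker who adds themselves to AdminSDHolder only needs one of GenericAll, WriteDacl, WriteOwner or WriteProperty to reach the protected groups; a non-empty result from any of the three functions is worth an immediate look at who changed the object and when.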

GDPR - Individual Rights on Privacy


GDPR - Individual Rights 

The GDPR is more specific about the information that needs to be provided to people about what organizations do with their personal data. Organizations must actively provide this information to individuals in a way that is easy to access, read and understand.
When an organization collects personal data from the individual it relates to, it must provide them with privacy information at the time their data is collected. When the personal data is collected from a source other than the individual it relates to, the organization must provide the privacy information:
  •  within a reasonable period of obtaining the personal data, and no later than a month;
  •  if the organization uses the data to communicate with the individual, at the latest when the first communication takes place; or
  •  if the organization envisages disclosure to someone else, at the latest when it discloses the data.

Organizations must actively provide privacy information to individuals. Organizations can meet this requirement by putting the information on the company’s website, but they must make individuals aware of it and give them an easy way to access it.
When obtaining personal data from other sources, organizations do not need to provide individuals with privacy information if:
  •  the individual already has the information;
  •  providing the information to the individual would be impossible;
  •  providing the information to the individual would involve a disproportionate effort;
  •  providing the information to the individual would render impossible or seriously impair the achievement of the objectives of the processing;
  •  the organization is required by law to obtain or disclose the personal data; or
  •  the organization is subject to an obligation of professional secrecy regulated by law that covers the personal data.

Individual Rights on Privacy

The GDPR is more specific about the information organizations need to provide to people about what they do with their personal data. I have summarized some of the key elements of the individual’s rights on privacy so that they can be understood concisely. The GDPR provides the following rights for individuals:

The Right to be Informed

The right to be informed covers some of the key transparency requirements of the GDPR. It is about providing individuals with clear and concise information about the collection and use of their personal data. Articles 13 and 14 of the GDPR specify what individuals have the right to be informed about. Some of the key points:
  •  Individuals have the right to be informed about the collection and use of their personal data. This is the key transparency requirement under the GDPR.
  •  Organizations must provide individuals with ‘privacy information’, including the purposes for processing their personal data, the retention period for that personal data, and who it will be shared with.
  •  Organizations must provide privacy information to individuals at the time they collect their personal data from them.
  •  If an organization collects personal data from other sources (such as publicly accessible sources), it must provide individuals with privacy information within a reasonable period and no later than a month.
  •  Organizations must provide privacy information to individuals that is concise, transparent, intelligible and easily accessible, and must use clear and plain language.
  •  Organizations must regularly review, and where necessary update, the privacy information. They must bring any new uses of an individual’s personal data to their attention before starting the processing.
  •  If an organization applies AI (Artificial Intelligence) to personal data, it must be upfront about it and explain its purposes for using AI.

The Right of Access

The right of access gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why organizations are using their data and to check that they are doing it lawfully. An individual is entitled to:
  •  get confirmation that the organization is processing their personal data;
  •  get a copy of their personal data and other supplementary information.
Organizations have one month to respond to the request and cannot charge a fee in most circumstances.

In addition to a copy of their personal data, organizations also have to provide individuals with the following information:
  •  the purposes of the data processing;
  •  the categories of personal data concerned;
  •  the recipients or categories of recipients the organization discloses the personal data to;
  •  the retention period for storing the personal data or, where this is not possible, the criteria for determining how long the data will be stored;
  •  the existence of the individual’s rights to request rectification, erasure or restriction, or to object to such processing;
  •  the right to file a complaint with the supervisory authority;
  •  information about the source of the data, where it was not obtained directly from the individual;
  •  the existence of automated decision-making (including profiling);
  •  the safeguards the organization provides if personal data is transferred to a third country or international organization.

The Right to Rectification

Under Article 16 of the GDPR, individuals have the right to have inaccurate or misleading personal data rectified. Although organizations may already have taken steps to ensure that the personal data was accurate when they collected it, this right imposes a specific obligation to reconsider its accuracy upon request.
  •  An individual can make a request for rectification verbally or in writing.
  •  An individual has the right to have inaccurate personal data rectified, or completed if it is incomplete.
  •  Organizations have one calendar month to respond to a request.

Organizations can refuse to comply with a request for rectification if they consider that the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. In such a case the organization can charge a ‘reasonable fee’ to deal with the request, or refuse to deal with it.
The GDPR does not give a definition of the term accuracy. However, the Data Protection Act 2018 (DPA 2018) states that personal data is inaccurate if it is incorrect or misleading as to any matter of fact.

The Right to Erasure

Under Article 17 of the GDPR, individuals have the right to have their personal data erased. This is also known as the ‘Right to be Forgotten’. This right is not absolute and only applies in certain circumstances:
  •  the personal data is no longer necessary for the purpose for which the organization originally collected it;
  •  the organization is relying on consent as its lawful basis for holding the data, and the individual withdraws their consent;
  •  the individual objects to the processing of their data, and there is no overriding legitimate interest to continue the processing;
  •  the organization is processing the personal data for direct marketing purposes and the individual objects to that processing;
  •  the organization is processing the data unlawfully.

There is an emphasis on the right to have personal data erased if the request relates to data collected from children. This reflects the enhanced protection of children’s information, especially in online environments, under the GDPR.
If an organization processes data collected from children, it should give particular weight to any request for erasure if the processing is based upon consent given by a child, especially where the child’s personal data was processed on the internet. This is still the case when the data subject is no longer a child, because a child may not have been fully aware of the risks involved in the processing at the time of consent.

The Right to Restrict Processing

Under Article 18 of the GDPR, individuals have the right to restrict the processing of their personal data where they have a reason for wanting the restriction. This may be because they have an issue with the content of the information an organization holds. Individuals have the right to request that the organization restrict the processing of their personal data in the following circumstances:
  •  the individual contests the accuracy of their personal data and the organization is verifying the accuracy of the data;
  •  the data has been unlawfully processed and the individual opposes erasure and requests restriction instead;
  •  the individual has objected to the organization processing their data under Article 21(1), and the organization is considering whether its legitimate grounds override those of the individual;
  •  if an individual has challenged the accuracy of their data and asked the organization to rectify it, they also have the right to request that processing be restricted while the rectification request is pending;
  •  if an individual exercises their right to object under Article 21(1), they also have the right to request that processing be restricted while their objection is under consideration.
Further points:
  •  individuals have the right to request the restriction or suppression of their personal data;
  •  when processing is restricted, organizations are permitted to store the personal data but not to use it;
  •  an individual can make a request for restriction verbally or in writing.

Organizations must not process the restricted data in any way except to store it, unless:
  •  the organization has the individual’s consent;
  •  it is for the establishment, exercise or defense of legal claims;
  •  it is for the protection of the rights of another person; or
  •  it is for reasons of important public interest.

Organizations must inform the individual before lifting the restriction.

The Right to Data Portability

The right to data portability gives individuals the right to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format. It also gives them the right to request that a controller transmit this data directly to another controller.
  •  The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
  •  It allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
  •  The right only applies to information an individual has provided to a controller.
  •  This enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.

The right to data portability only applies when the organization’s lawful basis for processing the information is consent or the performance of a contract, and the organization is carrying out the processing by automated means.

The Right to Object

Under Article 21 of the GDPR, individuals have the right to object to the processing of their personal data. This effectively allows individuals to ask the organization to stop processing their personal data. Individuals have an absolute right to object to the processing of their personal data if it is for direct marketing purposes. Individuals can also object if the processing is for:
  •  a task carried out in the public interest;
  •  the exercise of official authority vested in the organization; or
  •  the organization’s legitimate interests or those of a third party.

The right to object only applies in certain circumstances. Whether it applies depends on the organization’s purposes for processing and its lawful basis for processing.
If an organization is processing data for scientific or historical research, or for statistical purposes, the right to object is more limited.

Rights in relation to Automated decision-making and Profiling

Organizations obtain personal information about individuals from a variety of different sources. Internet searches, buying habits, lifestyle and behavior data gathered from mobile phones, social networks, video surveillance systems and the Internet of Things are examples of the types of data organizations might collect.
The GDPR has provisions on:
  •  automated individual decision-making (making a decision solely by automated means without any human involvement);
  •  profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.

The GDPR applies to all automated individual decision-making and profiling. Article 22 of the GDPR has additional rules to protect individuals if organizations are carrying out solely automated decision-making that has legal or similarly significant effects on them.
Organizations can only carry out these types of decision-making where the decision is:
  •  necessary for entering into or performing a contract; or
  •  authorised by Union or Member State law applicable to the controller; or
  •  based on the individual’s explicit consent.

Organizations must identify whether any of their processing falls under Article 22 and, if so, make sure that they:
  •  give individuals information about the processing;
  •  introduce simple ways for them to request human intervention or challenge a decision;
  •  carry out regular checks to make sure that the organization’s systems are working as intended.

Automated individual decision-making and profiling can lead to quicker and more consistent decisions. But if they are used irresponsibly there are significant risks for individuals. The GDPR provisions are designed to address these risks.

References: