
The New Vulnerability that Creates a Dangerous Watering Hole in Your Network by capehost


Security researchers with Vectra Threat Labs recently uncovered a critical vulnerability affecting all versions of Microsoft Windows reaching all the way back to Windows 95. The vulnerability allows an attacker to execute code at system level either over a local network or the Internet. As a result, attackers could use this vulnerability both to infect an end-user from the Internet, and then spread through the internal network.

Vectra and Microsoft collaborated during the investigation of this issue, and Microsoft has delivered a fix as part of Security Bulletin MS16-087, which is available here.

The vulnerabilities, CVE-2016-3238 (MS16-087), and CVE-2016-3239, stem from the way users connect to printers in the office and over the Internet. This vulnerability could enable a relatively unsophisticated attacker to incorporate IoT devices as part of an attack and quickly infiltrate and spread through a network without detection. While this blog provides an overview of the vulnerability, you can read the in-depth technical analysis here. In addition, a video summary of the vulnerability is available here.

The vulnerability in question centers around the ways that network users find and use printers on a network. Needless to say, modern organizations often have many users, and likewise often have many different makes and models of printers. Users expect to connect to and use whatever printer is most convenient, and likewise, mobile users expect to be able to come in to the office and print.

To serve these users, organizations need a way to deliver the necessary printer drivers to the users who need them. Instead of pushing every possible driver to all users, many networks use the Microsoft Web Point-and-Print (MS-WPRN) approach that allows a user to connect to any printer on the network, and have the printer or print server deliver the appropriate driver on demand. To make this as easy and seamless as possible, these drivers are often delivered without a warning and without triggering User Account Control (UAC).

The problem is that these drivers are system-level drivers and they are housed on printers, which themselves are not typically well-secured. So if we put it all together we have a weakly secured device that talks to nearly every Windows end-user device, and is trusted to deliver a system-level driver without checks or warnings. If the hair on the back of your neck isn’t starting to stand up, it should.

A local attacker on the network could easily replace the valid driver with a malicious file. When a new user tries to connect to the printer, the malicious file is delivered and run with system-level permissions, effectively handing over control of the machine to the attacker. This process could be repeated indefinitely, infecting each new user that visits the watering hole of the printer.

So how would an attacker get the malicious file in question on the printer? Well, she would have multiple options. Printers often have many services enabled and typically aren’t fastidiously patched, so finding a vulnerability to exploit is reasonably easy for a skilled attacker. However, an even easier approach would simply be to try default login credentials such as admin/admin, which could allow the attacker to log in to the printer directly. Alternatively, an attacker could create a fake printer to advertise on the network.

Thus far, you may be feeling relatively safe because all of this supposes that the attacker is already on your network. However, the same mechanism works over the Internet using the Internet Printing Protocol and webPointNPrint. This opens the door to infections being delivered over the Internet via normal Web-based vectors such as compromised websites or ads. A bit of JavaScript in an advertisement could easily trigger a request to a remote “printer” that would then deliver the malicious driver to the victim. Using both of these approaches, an attacker could both infect a user from the outside and then use the newly gained internal position to spread laterally within the network.

 

As of 12 July 2016, Microsoft has provided a patch for this vulnerability as part of Security Bulletin MS16-087 and it is highly recommended that organizations apply the patch as soon as possible. It is also an example of the important role that IoT devices play in the security posture of the network. These devices can be hard to patch, hard to monitor and can quickly become a persistent blind-spot for security operations. This is a good reason to monitor all of your internal traffic regardless of the device type.
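
The post notes that Point-and-Print drivers are often delivered without a warning or UAC prompt. As an added example (not part of the original post or of Vectra's analysis), the PowerShell function below audits the Windows "Point and Print Restrictions" policy values that control those prompts and the list of approved print servers. The function name `Test-PointAndPrintPolicy` and the sample policy are assumptions made for illustration.

```powershell
# Added example, not code from the original post.
# Test-PointAndPrintPolicy is a hypothetical helper name; the registry key and
# value names are those written by the "Point and Print Restrictions" policy.
function Test-PointAndPrintPolicy {
    param(
        # Policy values as a hashtable; omit to read the local registry.
        [hashtable]$Policy
    )
    if (-not $PSBoundParameters.ContainsKey('Policy')) {
        $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
        $Policy = @{}
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($item) {
            foreach ($p in $item.PSObject.Properties) {
                # Skip the PSPath/PSProvider properties PowerShell adds.
                if ($p.Name -notlike 'PS*') { $Policy[$p.Name] = $p.Value }
            }
        }
    }

    $findings = @()
    # 0 (or absent) keeps the warning and elevation prompt; any other value
    # weakens or suppresses it for new connections / driver updates.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        if ($Policy.ContainsKey($name) -and [int]$Policy[$name] -ne 0) {
            $findings += "$name=$($Policy[$name]): driver install prompts are weakened"
        }
    }
    # TrustedServers=1 with a ServerList limits clients to approved servers.
    if ([int]$Policy['TrustedServers'] -ne 1 -or -not $Policy['ServerList']) {
        $findings += 'Clients are not limited to an approved print server list'
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed sample policy (not taken from a real host): prompts suppressed,
# no approved server list.
$sample = @{ Restricted = 1; NoWarningNoElevationOnInstall = 1; UpdatePromptSettings = 2 }
Test-PointAndPrintPolicy -Policy $sample | Format-List

# To audit the local machine instead, call it with no arguments:
# Test-PointAndPrintPolicy
```
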
@cheetah ·
Hi! I am a content-detection robot. This post is to help manual curators; I have NOT flagged you.
Here is similar content:
https://www.cybrary.it/channelcontent/new-vulnerability-creates-dangerous-watering-hole-network/