CVE-2022-26925/Incomplete Reportage

    #2445921

    This CVE has been splashed all over as being exploited in the wild, but as is so often the case, the extent of the spread, the actual vulnerability of individual workstations and the vulnerability of personal machines and workstations vs. servers has not been in the reportage, along with a lot of badly needed details.

    According to 0Patch’s Mitja:

    Mitja Kolsek (0patch Help Center)

    May 11, 2022, 15:34 GMT+2

    “It is likely that this is a re-spawn of the original PetitPotam vulnerability, based on the original researcher’s tweet (https://twitter.com/raphajohnsec/status/1524088436809940995). We’re gathering more information but if the vulnerability is indeed the same, our micropatches for PetitPotam already block the attack on Windows 7 and Server 2008 R2 (PetitPotam is only realistically exploitable against servers, not workstations). 

    “Otherwise, we’ll prepare a patch as soon as we get a POC.”

    OK, this is what we need when there’s something serious afoot: The Who, What, Where, When, How, and Why of it all.

    Far too often everyone is sent into a needless panic by poorly written, click-bait, eye-grabbing articles in the security press that offer only partial info as to exactly who is threatened, where the outbreaks are, how many there are, how severe, what part of the globe, etc., etc.

    I’ve always read this sort of thing with a grain of salt (while grinding it in my teeth), but yesterday a usually excellent source coughed out an article that was way below his usual standard, and was as bare of detail as the surface of Io.

    People, we don’t need this kind of thing, and we ought to start kicking to the writers of it. Don’t send your readers into a panic with scantily-documented and badly sourced data; all it does is cause people who have no cause for alarm to do the Chicken Little thing, which is helpful to nobody. If they don’t have the info, they should say so, clearly and distinctly, right along with what they DO know.

    / close soapbox mode /close safety valve

    Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
    --
    "Sure I had a plan; Everybody's got a plan until you get hit in the teeth."

    -A Very Famous Boxer

    • #2446003

      Individual workstations in a peer to peer setting would not be at risk.

      This is an active directory/network/domain/business only risk.

      “An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it.”

      Translation: If you are a standalone workstation, you don’t use LSARPC. If you are peer to peer, you have no domain controller. This is a business risk only, for those that have something called a domain controller set up.

      Home and consumers – ignore the headlines, you will not be at risk for this.  Peer to peer – again – not at risk.


      Susan Bradley Patch Lady

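      The scoping in the post above can be checked directly on a host. The following PowerShell triage snippet is an added example, not part of the original thread or of anything 0patch or Microsoft ships: it reads the machine's DomainRole from Win32_ComputerSystem (documented WMI constants) and maps it to the categories the post describes. The function name Get-Cve202226925Scope and the wording of the assessments are assumptions derived from the advisory text quoted in the post.

```powershell
# Added example (not from the original thread): map a host's domain role to the
# CVE-2022-26925 risk categories discussed in the post.
# Win32_ComputerSystem.DomainRole values (documented WMI constants):
#   0 = Standalone Workstation    1 = Member Workstation
#   2 = Standalone Server         3 = Member Server
#   4 = Backup Domain Controller  5 = Primary Domain Controller
function Get-Cve202226925Scope {
    [CmdletBinding()]
    param()

    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $role = [int]$cs.DomainRole            # CIM returns UInt16; cast for hashtable lookup
    $roleNames = @{
        0 = 'Standalone Workstation';    1 = 'Member Workstation'
        2 = 'Standalone Server';         3 = 'Member Server'
        4 = 'Backup Domain Controller';  5 = 'Primary Domain Controller'
    }

    switch ($role) {
        { $_ -in 0, 2 } {
            # No domain and no domain controller: the coercion in the advisory has
            # nothing to coerce here (the home / peer-to-peer case from the post).
            $assessment = 'Out of scope: standalone host, no domain controller involved'
        }
        { $_ -in 1, 3 } {
            # Domain member: this host is not the coerced party, but its domain
            # controllers are. List them so the update can be verified there.
            try {
                $dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().DomainControllers |
                       ForEach-Object Name
            } catch { $dcs = @('<could not enumerate domain controllers>') }
            $assessment = "Domain member: verify the May 2022 update on DC(s): $($dcs -join ', ')"
        }
        { $_ -in 4, 5 } {
            $assessment = 'Domain controller: this host is the coercion target; apply the update'
        }
        default { $assessment = 'Unknown DomainRole value' }
    }

    [pscustomobject]@{
        ComputerName = $cs.Name
        Domain       = $cs.Domain
        PartOfDomain = $cs.PartOfDomain
        DomainRole   = $roleNames[$role]
        Assessment   = $assessment
    }
}

Get-Cve202226925Scope | Format-List
```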
      • #2447045

        Susan:

        As it says in Wikipedia, “A workstation is a special computer designed for technical or scientific applications.[1] Intended primarily to be used by a single user,[1] they are commonly connected to a local area network and run multi-user operating systems. The term workstation has also been used loosely to refer to everything from a mainframe computer terminal to a PC connected to a network, but the most common form refers to the class of hardware offered by several current and defunct companies such as Sun Microsystems,[2] Silicon Graphics, Apollo Computer,[3] DEC, HP, NeXT and IBM which opened the door for the 3D graphics animation revolution of the late 1990s.[4]”

        https://en.wikipedia.org/wiki/Workstation

        I have a very beefy PC/Workstation for high end graphics and 3D animation custom built to my specs (it’s now in storage, sniff…), but it was networked in a home office setting when it was in use.

        The term “Workstation” has gotten rather elastic. Usages change.

        What would you call a Workstation that was part of a home network but behind a modem, router/WiFi Gateway, and software firewall?

        Just curious. (And sorry for the tardy inquiry…been under the weather.)


        • #2447047

          That’s why I used the description of “standalone” or “individual” and talk about a Peer to peer network. At home you typically do not have an Active Directory domain controller installed. I still call it a workstation, but unless you have a server installed at home with the domain controller roles installed, you aren’t vulnerable.

          Susan Bradley Patch Lady

        • #2447050

          NTDBD: If a powerful personal computer at home, whether running macOS, Linux, Windows, or any other OS, connected to other machines or not, is used mainly to do work such as scientific data analysis, software development, testing and debugging, engineering design, accounting work; or more “creative” work, for example writing stories or making animated movies and, besides all that, also for taking care of business by email and online — while in one’s free time and duly protected from the more usual malignant outside threats and with the user keeping a vigilant, defensive attitude, it is used to do personal email, browse the Web, listen to music, watch videos, etc. I would consider it to be mainly a workstation. That is pretty much how I use mine.

          So I would call it “mainly a workstation.”

          Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

          MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
          Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
          macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV and Malwarebytes for Macs.

    • #2446066

      NTDBD: Unlike what your name indicates about your present condition, I have only a minor nibble for you (*). Otherwise, your comment that starts this thread is absolutely on point!

      Why does this type of IT Security alarm-mongering even exist? Well, among other reasons, it might be because the alarmists are insecure people seeking the attention of others, or are trying to grab, somehow, points to promote their own careers, or because they are inexperienced, or because they are just plain lazy, or because several, or all of the above apply. But it can do damage, this irresponsible way of metaphorically crying fire in a crowded place.

      (*) “but yesterday a usually excellent source coughed out an article that was way below his usual standard, and was as bare of detail as the surface of Io.” Io’s surface is one of the most full of detail and colorful of all the moons in the whole Solar system: what it looks like in photographs from space probes has been compared, quite appropriately, to a provolone pizza.

