We’ll tell you about the VMware flaw so bad that the solution is to just turn the feature off, and we now have more details on a major Windows flaw.
Plus new research finds that up to 81% of Tor users could be de-anonymized, a great batch of your networking questions, and much, much more!
— Show Notes: —
Why the VMware TPS flaw is a big deal
- VMware recently disclosed a vulnerability in its line of virtualization products (vSphere, ESXi, etc.)
- VMware has a feature called TPS (“Transparent Page Sharing”), which in effect deduplicates memory between virtual machines
- When two or more virtual machines hold an identical 4 KB page of memory, only one copy of that page in physical memory on the host is actually used
- VMs may have many common pages if they run the same OS and applications, especially if the VMs are clones of each other
- “Experimental implementations show that using this method, it is possible to run over 50 Windows XP VMs with 1GB of RAM each on a physical machine with just 16GB of RAM”
- VMware whitepapers on TPS for ESXi 3 and vSphere 5
- The TPS feature is not new: it has shipped in VMware products since 2006, and it is on by default
- “Why is this a big deal? Because a virtualized architecture demands VM isolation, this is the most important security requirement for virtualization. Each VM guest running on a host must not be allowed in any way to access another VM guest. They must be kept in separate locked rooms with only the hypervisor possessing the keys to access all of them”
- “VMware appears to be down-playing it as it obviously exposes a chink in their virtual armor, they have issued a KB article describing the vulnerability and giving guidance on how customers can disable TPS on their hosts. VMware doesn’t name the specific source that found the vulnerability in the KB article, they simply refer to it as ‘an academic paper’”
- The “academic paper”: Wait a minute! A fast, Cross-VM attack on AES
- “This work exploits resource sharing in virtualization software to build a powerful cache-based attack on AES. We demonstrate the vulnerability by mounting Cross-VM Flush+Reload cache attacks in VMware VMs to recover the AES keys of OpenSSL 1.0.1 running inside the victim VM. Furthermore, the attack works in a realistic setting where different VMs are located on separate cores. The modified flush+reload attack we present, takes only in the order of seconds to minutes to succeed in a cross-VM setting. Therefore long term co-location, as required by other fine grain attacks in the literature, are not needed. The results of this study show that there is a great security risk to OpenSSL AES implementation running on VMware cloud services when the deduplication is not disabled.”
- The paper describes a technique in which an attacker with access to a VM on the same physical host, even one that is not on the same CPU core, could recover the SSL/TLS private key from a web server running Apache+OpenSSL in a victim VM
- This would then allow the attacker to impersonate that site, possibly letting them phish or otherwise obtain sensitive information from end users
- “All versions of vSphere back to VI3 are vulnerable to the exploit but VMware is only patching the 5.x versions of vSphere as the 4.x versions are no longer officially supported as of May 2014”
- “Note these patches only disable TPS which is currently enabled by default, they do nothing to fix the vulnerability, it will most likely take VMware some time to figure out how to make TPS work in a way that cannot be exploited”
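As an added example (not from the episode, the paper, or VMware’s KB), here is a PowerCLI script that audits every ESXi host in a vCenter for the TPS page-scan setting and, with -Disable, turns scanning off. It assumes VMware PowerCLI is installed, that you are already connected with Connect-VIServer, and that Mem.ShareScanGHz is the advanced setting VMware’s guidance uses to disable TPS; confirm the setting name against the current KB before relying on it.

```powershell
# Added example, not VMware's own tooling. Assumes PowerCLI and an existing
# Connect-VIServer session. Assumption: Mem.ShareScanGHz = 0 stops ESXi from
# scanning guest memory for shareable pages, which is how TPS is disabled.
param(
    [switch]$Disable   # only report unless this switch is given
)

$settingName = 'Mem.ShareScanGHz'

foreach ($vmhost in Get-VMHost) {
    $setting = Get-AdvancedSetting -Entity $vmhost -Name $settingName
    if ($null -eq $setting) {
        Write-Warning "$($vmhost.Name): $settingName not present on this build"
        continue
    }

    if ([int]$setting.Value -eq 0) {
        Write-Output "$($vmhost.Name): TPS scanning already disabled"
        continue
    }

    Write-Output "$($vmhost.Name): TPS scanning ENABLED ($settingName=$($setting.Value))"
    if ($Disable) {
        # Setting the scan rate to 0 prevents new pages from being shared;
        # re-run without -Disable afterwards to verify the change stuck.
        Set-AdvancedSetting -AdvancedSetting $setting -Value 0 -Confirm:$false | Out-Null
        Write-Output "$($vmhost.Name): set $settingName=0"
    }
}
```

Run it once without -Disable to get an inventory of exposed hosts, then again with -Disable during a maintenance window.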
WinShock – What that Microsoft SChannel vulnerability was
- SChannel is Microsoft’s SSL/TLS library, analogous to OpenSSL. “SChannel is used by anything leveraging built-in SSL and TLS this includes IIS, Active Directory, OWA, Exchange, Internet Explorer, and Windows Update.”
- The vulnerability allows remote code execution, so it is especially severe, and users should patch immediately if they have not already done so
- An attacker can send specially crafted malicious packets that are not properly validated, and the victim machine may execute code included in that message, allowing the attacker to take full control of the machine
- Rapid7 Blog: Is MS14-066 another Red alert?
- Rapid7 takes pains to clarify that this is not on the same level as Heartbleed, Shellshock, POODLE, or other recent vulnerabilities of that scale, mostly because it was privately disclosed to Microsoft and is not being actively exploited in the wild
- No one outside Microsoft knows the details of the problem yet, and there are no public proof-of-concept exploits
- “Details surrounding the vulnerability are vague, but Microsoft has indicated that there are no known exploits in the wild and the development of exploit code will be challenging. This vulnerability is reported to affect all Windows servers and clients, and while it’s unlikely to be exploited today, it should be patched as soon as possible given the possibility of remote code execution.”
New research finds that up to 81% of Tor users could be de-anonymized by new traffic analysis techniques
- “Research undertaken between 2008 and 2014 suggests that more than 81% of Tor clients can be ‘de-anonymised’ – their originating IP addresses revealed – by exploiting the ‘Netflow’ technology that Cisco has built into its router protocols, and similar traffic analysis software running by default in the hardware of other manufacturers.”
- “The technique depends on injecting a repeating traffic pattern – such as HTML files, the same kind of traffic of which most Tor browsing consists – into the TCP connection that it sees originating in the target exit node, and then comparing the server’s exit traffic for the Tor clients, as derived from the router’s flow records, to facilitate client identification.”
- “To achieve acceptable quality of service, [Tor attempts] to preserve packet interarrival characteristics, such as inter-packet delay. Consequently, a powerful adversary can mount traffic analysis attacks by observing similar traffic patterns at various point
- “Traffic analysis of this kind does not involve the enormous expense and infrastructural effort that the NSA put into their FoxAcid Tor redirects, but it benefits from running one or more high-bandwidth, high-performance, high-uptime Tor relays”
- The technique involves getting the user to download a file large enough that the transfer takes a few minutes, during which the flow of data can be manipulated and observed (this could be as easy as injecting an oversized image into a website, where the user never sees it)
- By having the server that sends the image modulate the bandwidth of the TCP connection in question, shifting every 20 seconds between 1 Mbit/s (about the most you would expect to get over Tor), 50 kbit/s, 300 kbit/s, and then 100 kbit/s, the researchers created a traffic pattern unique enough, and preserved by Tor, that the same pattern could be observed at the entry node the Tor user was connected to
- By collecting NetFlow-type data (start and end time, source and destination IP, number of packets, number of bytes) from the source (or exit node) and from the entry node (or a router in front of the entry node or the end user), and correlating the two, the researchers were able to identify the real IP address of the Tor user that connected to their server
Feedback:
- How do I prevent a “man-in-the-browser attack” on my LastPass account?
- Looking for a DDoS protection tool: what do you use, and how did you configure it?
Round Up:
- Let’s Encrypt
- WhatsApp adds end-to-end encryption using TextSecure
- Apple Disables TRIM Support On 3rd Party SSDs In OS X
- The upside of accidentally hiring a hacker
- SUSE Linux Enterprise Live Patching Now Available
- Government Employees and Contractors responsible for most government data breaches
- FTC shuts down massive “PC cleaner” scam
- The problem with Android on big tablets
- Amnesty, EFF, Privacy International Put Out Free Anti-Surveillance Tool
- New York to roll out gigabit wifi and touch screen ‘information stations’ in place of old pay phones