Information Technology Services

Clock0 Time Server to Be Decommissioned

On Tuesday, October 1, ITS will decommission clock0, an appliance that uses information received from GPS to provide synchronized clock information.

Impact on users: If you are using clock0.gmu.edu, also known as AQUI-03-A-TS01.gmu.edu (device address: 129.174.56.17), you will need to update your system configurations to use the other three servers on campus (clock1.gmu.edu, clock2.gmu.edu, or clock3.gmu.edu) and test that access to these servers works properly. Due to firewall settings, ITS will be unable to redirect clock0.gmu.edu to the other three servers. You may need to coordinate with ITS to open firewall rules.

If you need assistance, please submit a firewall change request.
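
To test access to the three remaining servers after updating your configuration, a probe like the following can be used. It is an added example, not ITS code, and it assumes the servers answer standard NTP/SNTP on UDP port 123; a timeout usually means a firewall rule still needs to be opened.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)
SERVERS = ["clock1.gmu.edu", "clock2.gmu.edu", "clock3.gmu.edu"]  # from the notice


def build_request():
    """48-byte SNTP client request: LI=0, VN=4, Mode=3 (client)."""
    return bytes([0x23]) + bytes(47)


def parse_response(packet, now=None):
    """Validate a server reply and return (stratum, offset_seconds)."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    first, stratum = packet[0], packet[1]
    leap, mode = first >> 6, first & 0x07
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if leap == 3 or stratum == 0 or stratum > 15:
        raise ValueError("server reports it is unsynchronized")
    secs, frac = struct.unpack("!II", packet[40:48])  # transmit timestamp
    server_time = secs - NTP_EPOCH_OFFSET + frac / 2**32
    now = time.time() if now is None else now
    return stratum, server_time - now


def check(host, timeout=3.0):
    """Query one server over UDP (assumed port 123); never raises."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_request(), (host, 123))
            data, _ = s.recvfrom(512)
        stratum, offset = parse_response(data)
        return "%s OK stratum=%d offset=%+.3fs" % (host, stratum, offset)
    except (OSError, ValueError) as exc:  # timeout, DNS failure, bad reply
        return "%s FAILED: %s" % (host, exc)


if __name__ == "__main__":
    for name in SERVERS:
        print(check(name))
```

A large offset on a server that answers is worth checking against a second server before you rely on it.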

Vulnerabilities Affecting Microsoft Computers

Vulnerability Summaries

Microsoft CTF Protocol - Elevation of Privilege Vulnerability (CVE-2019-1162)

On August 13, 2019, a critical vulnerability was publicly disclosed for Microsoft’s CTF protocol. CTF is part of the Windows Text Services Framework (TSF), the system that manages the text shown inside Windows and Windows applications. Any application and any user, even a sandboxed process, can connect to any CTF session. Clients are expected to report their thread ID and process ID, among other information, but there is no authentication involved, so a client can simply lie. An attacker who hijacks another application’s CTF session can then send commands to that application, posing as the server, which is normally expected to be the Windows OS. Attackers can use this loophole either to steal data from other applications or to issue commands in the name of those applications. If the applications run with high privileges, those actions can even allow the attacker to take full control of a victim’s computer.

What’s Vulnerable?

  • Windows 10
  • Windows 7
  • Windows 8/8.1
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Vista
  • Windows XP

Remote Desktop Services - Remote Code Execution (RCE) Vulnerabilities (CVE-2019-1181, CVE-2019-1182)

On August 13, 2019, two critical vulnerabilities were publicly disclosed for Microsoft’s Remote Desktop Services. These two vulnerabilities are also ‘wormable,’ meaning that any future malware that exploits them could propagate from vulnerable computer to vulnerable computer without user interaction. The vulnerabilities are pre-authentication and require no user interaction. An attacker who successfully exploited them could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

What’s Vulnerable?

  • Windows 10
  • Windows 7
  • Windows 8/8.1
  • Windows Server 2008 R2
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

What To Do

Managed university-owned computers (MESA): ITS has patched all managed computers joined to MESA. ITS recommends restarting your computer to ensure the patches were applied.

Unmanaged computers (non-MESA): If your computer is not managed, you may be at risk for these vulnerabilities. ITS recommends that you run Windows Update on your system.

Windows Update patch information can be found here:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1162
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182

References:

Information about the vulnerability can be found here:
https://msrc-blog.microsoft.com/2019/08/13/patch-new-wormable-vulnerabilities-in-remote-desktop-services-cve-2019-1181-1182/

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1162

ITS Launched a New Ticketing System

Information Technology Services (ITS) has replaced its ticketing system for tracking and managing requests for IT services and support with a new and improved system. The new system is in place as of Monday, August 12. Users will continue to use the ITS Service Catalog to locate and request services; however, they may notice some cosmetic differences in the forms.

Contact the ITS Support Center with questions.

Lynda.com Upgrading to LinkedIn Learning

Mason is upgrading Lynda.com to LinkedIn Learning!

LinkedIn Learning has the same great content as Lynda.com and will provide a more personalized experience. Accounts will be upgraded on Wednesday, August 7, 2019. All user learning activity and history will be seamlessly transferred to LinkedIn Learning. Once the upgrade is complete, lynda.gmu.edu will be redirected to lil.gmu.edu. Users will receive an email to activate their LinkedIn Learning accounts.

  • For more information about upgrading to LinkedIn Learning: https://lil.gmu.edu/lilupgrade/
  • For information on logging in to LinkedIn Learning: https://lil.gmu.edu/login/

Changes to 2FA Identity Verification

Effective Tuesday, July 23, 2019, Mason is changing the way new users of Two-Factor Authentication (2FA) verify their identity with PatriotWeb and other applications that use 2FA.

New enrollees in Mason’s 2FA environment, including faculty, staff, and students, will no longer be able to use text messages and/or phone calls to verify their identities. To verify identities, new users can:

  • Get a Duo Push or Passcode through the Duo Mobile app on their smartphone or devices
  • Get a Passcode from a YubiKey (available for purchase at Patriot Tech)
  • Get 10 one-time Passcodes via Mason’s 2FA site

Mason is transitioning to improved policies and standards to follow national guidelines for online security and safety. Using these methods to verify identities is safer and lessens the risks to users.

For more information on supported 2FA methods, see the List of 2FA Authentication Options.

The Duo Mobile app is available for free in the app store on smartphones or other mobile devices. Instructions for setting up the app or a YubiKey, and for generating a list of one-time Passcodes, are available in the ITS Knowledge Base.

If you have questions or need more information, please contact the ITS Support Center.