Q
Problem solve Get help with specific problems with your technologies, process and projects.

How did a Rufus software vulnerability put enterprises at risk?

A vulnerability in Rufus software put some enterprise systems at risk. Expert Judith Myerson explains the flaw and the available fixes for organizations.

Rufus, the open source software developed by Akeo Consulting, is an application used on Microsoft Windows platforms...

to create and format bootable USB flash drives. Due to a vulnerability disclosed in August 2017, Rufus failed to update itself when creating a bootable USB flash drive. What are the risks of this Rufus vulnerability? How can security teams fix the problem?

Because of this Rufus software vulnerability, an authenticated attacker could subvert the update process while creating a bootable flash drive. This made it possible for an attacker to execute arbitrary code on a vulnerable system.

Windows XP or later can be used to download bootable ISO images to boot up different operating systems -- including Windows, Linux, FreeDOS, Kubuntu and Unified Extensible Firmware Interface, which is an alternative to basic input/output systems (BIOS). If an operating system (OS) is already installed on a laptop or desktop, the bootable flash drive can be treated as a device in the BIOS system.

The order of the bootable devices -- including the CD drive -- may need to be changed in the system BIOS to ensure the OS on the flash drive boots when it is selected from a menu of multiple OSes. The bootable flash drive should have a higher priority than the CD drive.

Rufus software version 2.16 has built-in update capabilities that enable automatic retrieval of updates over HTTP. This version attempts to perform some basic signature checking of downloaded updates. One drawback, however, is the software isn't able to securely install updates over HTTP.

Because Rufus uses HTTP instead of HTTPS, there's no way to ensure the update has been signed by a trusted certificate authority that certifies the ownership of a public key by the named subject of the certificate. This could enable an attacker to self-sign his own certificate to perform arbitrary code execution on an untrusted network, such as public Wi-Fi.

The attacker needs to be on the same network as other Rufus software users to be in a position to affect network traffic. This increases the chance of a man-in-the-middle attack.

To stay ahead of attackers, organizations should use web browsers to obtain updates directly from the Rufus website and should avoid untrusted networks. The Rufus website uses HTTPS rather than HTTP, which secures communication over the internet. However, more work is necessary to fully secure Rufus software.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Discover more about USB man-in-the-middle attacks

Learn how to use Rufus to create a bootable VMware ESXi installer

Find out how to create a bootable Windows 7 USB drive

This was last published in November 2017

Dig Deeper on Open source security tools and software

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

What do you think about the Rufus vulnerability? Was your organization affected?
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

  • CIO Trends #6: Nordics

    In this e-guide, read how the High North and Baltic Sea collaboration is about to undergo a serious and redefining makeover to ...

  • CIO Trends #6: Middle East

    In this e-guide we look at the role of information technology as the Arabian Gulf commits billions of dollars to building more ...

  • CIO Trends #6: Benelux

    In this e-guide, read about the Netherlands' coalition government's four year plan which includes the term 'cyber' no fewer than ...

Close